draft-ietf-pana-statemachine-04.txt vs. draft-ietf-pana-statemachine-05.txt

OLD (-04):
PANA Working Group                                            V. Fajardo
Internet-Draft                                                   Y. Ohba
Expires: December 1, 2006                                           TARI
                                                                R. Lopez
                                                         Univ. of Murcia
                                                            May 30, 2006

NEW (-05):
PANA Working Group                                       V. Fajardo, Ed.
Internet-Draft                                                   Y. Ohba
Expires: January 5, 2008                                            TARI
                                                                R. Lopez
                                                         Univ. of Murcia
                                                            July 4, 2007

     State Machines for Protocol for Carrying Authentication for Network
                                Access (PANA)
       draft-ietf-pana-statemachine-04 / draft-ietf-pana-statemachine-05
Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that

   [skipping to change at page 1, line 37]

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   OLD (-04): This Internet-Draft will expire on December 1, 2006.
   NEW (-05): This Internet-Draft will expire on January 5, 2008.

Copyright Notice

   OLD (-04): Copyright (C) The Internet Society (2006).
   NEW (-05): Copyright (C) The IETF Trust (2007).

Abstract

   This document defines the conceptual state machines for the Protocol
   for Carrying Authentication for Network Access (PANA).  The state
   machines consist of the PANA Client (PaC) state machine and the PANA
   Authentication Agent (PAA) state machine.

   OLD (-04): The two state machines show how PANA can interface to EAP
   state machines and can be implemented with supporting various
   features including separate NAP and ISP authentications, ISP
   selection and mobility optimization.

   NEW (-05): The two state machines show how PANA can interface with
   the EAP state machines.

   The state machines and associated model are informative only.
   Implementations may achieve the same results using different methods.
Table of Contents

   OLD (-04):

   1.  Introduction
   2.  Interface Between PANA and EAP
   3.  Document Authority
   4.  Notations
   5.  Common Rules
     5.1.  Common Procedures
     5.2.  Common Variables
     5.3.  Constants
     5.4.  Common Message Initialization Rules
     5.5.  Common Error Handling Rules
     5.6.  Common State Transitions
   6.  PaC State Machine
     6.1.  Interface between PaC and EAP Peer
       6.1.1.  Delivering EAP Messages from PaC to EAP Peer
       6.1.2.  Delivering EAP Responses from EAP Peer to PaC
       6.1.3.  EAP Restart Notification from PaC to EAP Peer
       6.1.4.  EAP Authentication Result Notification from EAP Peer
               to PaC
       6.1.5.  Alternate Failure Notification from PaC to EAP Peer
       6.1.6.  EAP Invalid Message Notification from EAP Peer to PaC
     6.2.  Variables
     6.3.  Procedures
     6.4.  PaC State Transition Table
   7.  PAA State Machine
     7.1.  Interface between PAA and EAP Authenticator
       7.1.1.  EAP Restart Notification from PAA to EAP Authenticator
       7.1.2.  Delivering EAP Responses from PAA to EAP Authenticator
       7.1.3.  Delivering EAP Messages from EAP Authenticator to PAA
       7.1.4.  EAP Authentication Result Notification from EAP
               Authenticator to PAA
     7.2.  Variables
     7.3.  Procedures
     7.4.  PAA State Transition Table
   8.  Mobility Optimization Support
     8.1.  Common Variables
     8.2.  PaC Mobility Optimization State Machine
       8.2.1.  Variables
       8.2.2.  Procedures
       8.2.3.  PaC Mobility Optimization State Transition Table
               Addendum
     8.3.  PAA Mobility Optimization
       8.3.1.  Procedures
       8.3.2.  PAA Mobility Optimization State Transition Table
               Addendum
   9.  Implementation Considerations
     9.1.  PAA and PaC Interface to Service Management Entity
     9.2.  Multicast Traffic
   10. Security Considerations
   11. IANA Considerations
   12. Acknowledgments
   13. References
     13.1. Normative References
     13.2. Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

   NEW (-05):

   1.  Introduction
   2.  Interface Between PANA and EAP
   3.  Document Authority
   4.  Notations
   5.  Common Rules
     5.1.  Common Procedures
     5.2.  Common Variables
     5.3.  Constants
     5.4.  Common Message Initialization Rules
     5.5.  Common Retransmission Rules
     5.6.  Common State Transitions
   6.  PaC State Machine
     6.1.  Interface between PaC and EAP Peer
       6.1.1.  Delivering EAP Messages from PaC to EAP Peer
       6.1.2.  Delivering EAP Messages from EAP Peer to PaC
       6.1.3.  EAP Restart Notification from PaC to EAP Peer
       6.1.4.  EAP Authentication Result Notification from EAP Peer
               to PaC
       6.1.5.  Alternate Failure Notification from PaC to EAP Peer
     6.2.  Constants
     6.3.  Variables
     6.4.  Procedures
     6.5.  PaC State Transition Table
   7.  PAA State Machine
     7.1.  Interface between PAA and EAP Authenticator
       7.1.1.  EAP Restart Notification from PAA to EAP Authenticator
       7.1.2.  Delivering EAP Responses from PAA to EAP Authenticator
       7.1.3.  Delivering EAP Messages from EAP Authenticator to PAA
       7.1.4.  EAP Authentication Result Notification from EAP
               Authenticator to PAA
     7.2.  Variables
     7.3.  Procedures
     7.4.  PAA State Transition Table
   8.  Implementation Considerations
     8.1.  PAA and PaC Interface to Service Management Entity
   9.  Security Considerations
   10. IANA Considerations
   11. Acknowledgments
   12. References
     12.1. Normative References
     12.2. Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements
1.  Introduction

   This document defines the state machines for the Protocol for
   Carrying Authentication for Network Access (PANA)
   [I-D.ietf-pana-pana].  There are state machines for the PANA client
   (PaC) and for the PANA Authentication Agent (PAA).  Each state
   machine is specified through a set of variables, procedures and a
   state transition table.

   A PANA protocol execution consists of several exchanges to carry

   [skipping to change at page 5, line 8]

   with state machines shown by [RFC4137].

   This document, apart from defining PaC and PAA state machines and
   their interfaces to EAP state machines (running on top of PANA),
   provides some implementation considerations, taking into account that
   it is not a specification but an implementation guideline.
2.  Interface Between PANA and EAP

   PANA carries EAP messages exchanged between an EAP peer and an EAP
   authenticator (see Figure 1).

   OLD (-04): Thus a PANA state machine must interact with an EAP state
   machine.
   NEW (-05): Thus a PANA state machine interacts with an EAP state
   machine.

   Two state machines are defined in this document: the PaC state
   machine (see Section 6) and the PAA state machine (see Section 7).
   The definition of each state machine consists of a set of variables,
   procedures and a state transition table.  A subset of these variables
   and procedures defines the interface between a PANA state machine and
   an EAP state machine, and the state transition table defines the PANA
   state machine behavior based on results obtained through them.

   On the one hand, the PaC state machine interacts with an EAP peer
   state machine in order to carry out the PANA protocol on the PaC
   side.  On the other hand, the PAA state machine interacts with an EAP
   authenticator state machine to run the PANA protocol on the PAA side.

   OLD (-04):

                  Peer               |EAP               Auth
                  EAP <--------------|----------------> EAP
                   ^ |               |                  ^ |
      EAP-Request  | |               |   EAP-Response   | | EAP-Request
      EAP-Success  | | EAP-Response  |                  | | EAP-Success
      EAP-Failure  | v               |PANA              | v EAP-Failure
                  PaC <--------------|----------------> PAA

   NEW (-05):

                  Peer               |EAP               Auth
                  EAP <--------------|----------------> EAP
                   ^ |               |                  ^ |
                   | |               |   EAP-Message    | | EAP-Message
      EAP-Message  | | EAP-Message   |                  | |
                   | v               |PANA              | v
                  PaC <--------------|----------------> PAA

                  Figure 1: Interface between PANA and EAP

   Thus two interfaces are needed between PANA state machines and EAP
   state machines, namely:

   o  Interface between the PaC state machine and the EAP peer state
      machine

   o  Interface between the PAA state machine and the EAP authenticator
      state machine

   OLD (-04): In general, the PaC state machine presents EAP messages
   (EAP-Request, EAP-Success and EAP-Failure messages) to the EAP peer
   state machine through the interface.  The EAP peer state machine
   processes these messages and sends EAP messages (EAP-Response
   messages) through the PaC state machine, which is responsible for
   actually transmitting this message.

   On the other hand, the PAA state machine presents response messages
   (EAP-Response messages) to the EAP authenticator state machine
   through the interface defined between them.  The EAP authenticator
   processes these messages and generates EAP messages (EAP-Request,
   EAP-Success and EAP-Failure messages) that are passed to the PAA
   state machine to be sent.

   NEW (-05): In general, the PaC and PAA state machines present EAP
   messages to the EAP peer and authenticator state machines,
   respectively, through the interface.  The EAP peer and authenticator
   state machines process these messages and send EAP messages through
   the PaC and PAA state machines, respectively, which are responsible
   for actually transmitting the message.
   For example, [RFC4137] specifies four interfaces to lower layers: (i)
   an interface between the EAP peer state machine and a lower layer,
   (ii) an interface between the EAP standalone authenticator state
   machine and a lower layer, (iii) an interface between the EAP full
   authenticator state machine and a lower layer and (iv) an interface
   between the EAP backend authenticator state machine and a lower
   layer.  In this document, the PANA protocol is the lower layer of EAP
   and only the first three interfaces are of interest to PANA.  The
   second and third interfaces are the same.  In this regard, the EAP

   [skipping to change at page 7, line 8]

   machine in [RFC4137] are referred to as the EAP authenticator and the
   EAP authenticator state machine, respectively, in this document.  If
   an EAP peer and an EAP authenticator follow the state machines
   defined in [RFC4137], the interfaces between PANA and EAP could be
   based on that document.  Detailed definitions of the interfaces
   between PANA and EAP are given in the subsequent sections.
3.  Document Authority

   When a discrepancy occurs between any part of this document and any
   of the related documents ([I-D.ietf-pana-pana],
   [I-D.ietf-pana-mobopts], [RFC4137]), the latter (the other documents)
   are considered authoritative and take precedence.
4.  Notations

   The following state transition tables are completed mostly based on
   the conventions specified in [RFC4137].  The complete text is
   described below.

   State transition tables are used to represent the operation of the
   protocol by a number of cooperating state machines each comprising a
   group of connected, mutually exclusive states.  Only one state of

   [skipping to change at page 10, line 12]

   The interpretation of the special symbols and operators used is
   defined in [RFC4137].

5.  Common Rules

   The following procedures, variables, message initialization rules
   and state transitions are common to both the PaC and PAA state
   machines.

   Throughout this document, the character string "PANA_MESSAGE_NAME"
   matches any one of the abbreviated PANA message names, i.e.:

   OLD (-04): "PDI", "PSR", "PSA", "PAR", "PAN", "PBR", "PBA", "PFER",
   "PFEA", "PTR", "PTA", "PPR", "PPA", "PRAR", "PRAA", "PUR", "PUA",
   "PER" and "PEA".

   NEW (-05): "PCI", "PAR", "PAN", "PTR", "PTA", "PNR" and "PNA".
5.1.  Common Procedures

   void None()
     A null procedure, i.e., nothing is done.

   void Disconnect()
     A procedure to delete the PANA session as well as the
     corresponding EAP session and authorization state.

   boolean Authorize()
     A procedure to create or modify authorization state.  It returns
     TRUE if authorization is successful.  Otherwise, it returns FALSE.
     It is assumed that the Authorize() procedure of the PaC state
     machine always returns TRUE.

   OLD (-04):
   void Tx:PANA_MESSAGE_NAME()
     A procedure to send a PANA message to its peering PANA entity.

   NEW (-05):
   void Tx:PANA_MESSAGE_NAME[flag](AVPs)
     A procedure to send a PANA message to its peering PANA entity.
     The "flag" argument contains a flag (e.g., Tx:PAR[C]) to be set in
     the message, except for the 'R' (Request) flag.  The "AVPs"
     argument contains a list of names of optional AVPs to be inserted
     in the message, except for the AUTH AVP.

     This procedure includes the following actions before actual
     transmission:

       if (flag==S)
         PANA_MESSAGE_NAME.S_flag=Set;
       if (flag==C)
         PANA_MESSAGE_NAME.C_flag=Set;
       if (flag==A)
         PANA_MESSAGE_NAME.A_flag=Set;
       if (flag==P)
         PANA_MESSAGE_NAME.P_flag=Set;
       PANA_MESSAGE_NAME.insert_avp(AVPs);
       if (key_available())
         PANA_MESSAGE_NAME.insert_avp("AUTH");
   void TxEAP()
     A procedure to send an EAP message to the EAP state machine it
     interfaces to.

   void RtxTimerStart()
     A procedure to start the retransmission timer, reset the
     RTX_COUNTER variable to zero and set an appropriate value to the
     RTX_MAX_NUM variable.

   void RtxTimerStop()
     A procedure to stop the retransmission timer.
   OLD (-04):
   void SessionTimerStart()
     A procedure to start the PANA session timer.

   NEW (-05):
   void SessionTimerReStart(TIMEOUT)
     A procedure to (re)start the PANA session timer.  TIMEOUT specifies
     the expiration time associated with the session timer.  Expiration
     of TIMEOUT will trigger a SESS_TIMEOUT event.

   void SessionTimerStop()
     OLD (-04): A procedure to stop the PANA session timer.
     NEW (-05): A procedure to stop the current PANA session timer.
   void Retransmit()
     A procedure to retransmit a PANA message and increment RTX_COUNTER
     by one (1).

   void EAP_Restart()
     A procedure to (re)start an EAP conversation resulting in the re-
     initialization of an existing EAP session.

   OLD (-04):
   void PANA_MESSAGE_NAME.insert_avp("AVP_NAME")
     A procedure to insert an AVP of the specified AVP name in the
     specified PANA message.

   NEW (-05):
   void PANA_MESSAGE_NAME.insert_avp("AVP_NAME1", "AVP_NAME2",...)
     A procedure to insert AVPs for each specified AVP name in the list
     of AVP names in the PANA message.  When an AVP name ends with "*",
     zero, one or more AVPs are inserted; otherwise one AVP is
     inserted.

   boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME")
     A procedure that checks whether an AVP of the specified AVP name
     exists in the specified PANA message and returns TRUE if the
     specified AVP is found, otherwise returns FALSE.

   boolean key_available()
     A procedure to check whether the PANA session has a PANA_AUTH_KEY.
     If the state machine already has a PANA_AUTH_KEY, it returns TRUE.
     If the state machine does not have a PANA_AUTH_KEY, it tries to
     retrieve a AAA-Key from the EAP entity.  If a AAA-Key is
     retrieved, it computes a PANA_AUTH_KEY from the AAA-Key and
     returns TRUE.  Otherwise, it returns FALSE.

   OLD (-04) only:
   boolean fatal(int)
     A procedure to check whether an integer result code value
     indicates a fatal error.  If the result code indicates a fatal
     error, the procedure returns TRUE; otherwise, it returns FALSE.  A
     fatal error would also result in the termination of the session
     and release of all resources related to that session.
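   The procedures above, in particular the -05 Tx:PANA_MESSAGE_NAME[flag](AVPs)
   pseudocode together with insert_avp(), exist_avp(), key_available() and
   the message initialization rules of Section 5.4, can be modelled in a few
   lines.  The following is an added example and is not part of the draft or
   of any PANA implementation.  Message names, flag letters and the AUTH,
   EAP-Payload and Nonce AVP names are the draft's; the PanaSession class,
   the request/answer pairing, the placeholder key derivation, the "Example"
   AVP and the sample values are assumptions made for this example.

```python
"""Added example (not from draft-ietf-pana-statemachine): a model of the
-05 Tx:PANA_MESSAGE_NAME[flag](AVPs) procedure, its helper procedures and
the Section 5.4 initialization rules.  PanaSession, REQUEST_TO_ANSWER, the
HMAC placeholder for PANA_AUTH_KEY and all sample values are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Request messages carry the R-flag (Section 5.4).  Pairing assumed from the
# abbreviated names listed in Section 5; PCI is left out deliberately.
REQUEST_TO_ANSWER = {"PAR": "PAN", "PTR": "PTA", "PNR": "PNA"}
# Flags Tx may set besides 'R' (the -05 pseudocode checks S, C, A and P).
SETTABLE_FLAGS = ("S", "C", "A", "P")


@dataclass
class PanaMessage:
    name: str
    flags: set = field(default_factory=set)
    avps: List[Tuple[str, Optional[bytes]]] = field(default_factory=list)

    def insert_avp(self, *names: str,
                   pool: Optional[Dict[str, List[bytes]]] = None) -> None:
        """PANA_MESSAGE_NAME.insert_avp("AVP_NAME1", "AVP_NAME2", ...).
        A name ending in '*' inserts zero or more AVPs of that type (every
        value the pool holds); any other name inserts exactly one AVP."""
        pool = pool or {}
        for n in names:
            if n.endswith("*"):
                base = n[:-1]
                self.avps.extend((base, v) for v in pool.get(base, []))
            else:
                values = pool.get(n)
                self.avps.append((n, values[0] if values else None))

    def exist_avp(self, name: str) -> bool:
        """PANA_MESSAGE_NAME.exist_avp("AVP_NAME")."""
        return any(avp == name for avp, _ in self.avps)


@dataclass
class PanaSession:
    pana_auth_key: Optional[bytes] = None
    aaa_key_from_eap: Optional[bytes] = None  # what the EAP entity hands over
    sent: List[PanaMessage] = field(default_factory=list)

    def key_available(self) -> bool:
        """boolean key_available(): TRUE if a PANA_AUTH_KEY exists; otherwise
        try to obtain a AAA-Key from EAP and derive one.  The derivation here
        is a placeholder (HMAC over a constant label), not the draft's KDF."""
        if self.pana_auth_key is not None:
            return True
        if self.aaa_key_from_eap is None:
            return False
        self.pana_auth_key = hmac.new(self.aaa_key_from_eap, b"PANA_AUTH_KEY",
                                      hashlib.sha1).digest()
        return True

    def tx(self, name: str, flag: Optional[str] = None, avps=(),
           pool: Optional[Dict[str, List[bytes]]] = None) -> PanaMessage:
        """Tx:PANA_MESSAGE_NAME[flag](AVPs): initialize per Section 5.4, set
        the requested flag, insert the optional AVPs, then add AUTH only if
        a key is available, in the order the -05 pseudocode gives."""
        msg = PanaMessage(name)
        if name in REQUEST_TO_ANSWER:      # Section 5.4: R-flag for requests only
            msg.flags.add("R")
        if flag is not None:               # other flags only by explicit action
            if flag not in SETTABLE_FLAGS:
                raise ValueError("Tx may not set flag %r" % flag)
            msg.flags.add(flag)
        msg.insert_avp(*avps, pool=pool)   # AUTH is never passed in 'AVPs'
        if self.key_available():
            # Placeholder value: a real stack computes AUTH over the whole
            # message with PANA_AUTH_KEY.
            msg.insert_avp("AUTH", pool={"AUTH": [b"<auth-value-placeholder>"]})
        self.sent.append(msg)
        return msg
```

   Running tx("PAR", flag="C", ...) on a session without a key yields a
   message with flags {R, C} and no AUTH AVP; once a AAA-Key can be pulled
   from the EAP entity, every subsequent message, answers included, carries
   AUTH, which is what the key_available() check in the pseudocode is for.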
5.2.  Common Variables

   OLD (-04) only:
   PANA_MESSAGE_NAME.S_flag
     This variable contains the S-Flag value of the specified PANA
     message.

   OLD (-04):
   PBR.RESULT_CODE
     This variable contains the Result-Code AVP value in the PANA-Bind-
     Request message in process.  When this variable carries
     PANA_SUCCESS and there is only one EAP run in the authentication
     and authorization phase, it is assumed that the PBR message always
     contains an EAP-Payload AVP which carries an EAP-Success message.

   PFER.RESULT_CODE
     This variable contains the Result-Code AVP value in the PANA-
     FirstAuth-End-Request message in process.  When this variable
     carries PANA_SUCCESS, it is assumed that the PFER message always
     contains an EAP-Payload AVP which carries an EAP-Success message.

   PER.RESULT_CODE
     This variable contains the Result-Code AVP value in the PANA-
     Error-Request message in process.

   NEW (-05):
   PAR.RESULT_CODE
     This variable contains the Result-Code AVP value in the PANA-Auth-
     Request message in process.  When this variable carries
     PANA_SUCCESS, it is assumed that the PAR message always contains an
     EAP-Payload AVP which carries an EAP-Success message.

   NONCE_SENT
     This variable is set to TRUE to indicate that a Nonce-AVP has
     already been sent.  Otherwise it is set to FALSE.

   RTX_COUNTER
     This variable contains the current number of retransmissions of
     the outstanding PANA message.
   OLD (-04):
   Rx:PANA_MESSAGE_NAME
     This event variable is set to TRUE when the specified PANA message
     is received from its peering PANA entity.

   NEW (-05):
   Rx:PANA_MESSAGE_NAME[flag]
     This event variable is set to TRUE when the specified PANA message
     is received from its peering PANA entity.  The "flag" contains a
     flag (e.g., Rx:PAR[C]), except for the 'R' (Request) flag.

   RTX_TIMEOUT
     This event variable is set to TRUE when the retransmission timer
     has expired.

   REAUTH
     This event variable is set to TRUE when an initiation of the re-
     authentication phase is triggered.

   TERMINATE
     This event variable is set to TRUE when initiation of PANA session
     termination is triggered.

   PANA_PING
     OLD (-04): This event variable is set to TRUE when initiation of a
     liveness test based on a PPR-PPA exchange is triggered.
     NEW (-05): This event variable is set to TRUE when initiation of a
     liveness test based on a PANA-Notification exchange is triggered.

   NEW (-05) only:
   NOTIFY
     This event variable is set to TRUE if the PaC or PAA wants to send
     attribute updates or notifications.

   SESS_TIMEOUT
     This event variable is set to TRUE when the session timer has
     expired.

   OLD (-04) only:
   ABORT_ON_1ST_EAP_FAILURE
     This variable indicates whether the PANA session is immediately
     terminated when the 1st EAP authentication fails.

   CARRY_DEVICE_ID
     This variable indicates whether a Device-Id AVP is carried in a
     PANA-Bind-Request or PANA-Bind-Answer message.  For the PAA, this
     variable must be set when a link-layer or IP address is used as
     the device identifier of the PaC and a Protection-Capability AVP
     is included in the PANA-Bind-Request message.

   NEW (-05) only:
   LIFETIME_SESS_TIMEOUT
     Configurable value used by the PaC and PAA to close or disconnect
     an established session in the access phase.  This variable
     indicates the expiration of the session and, in the case of the
     PaC, is set to the value of the Session-Lifetime AVP if present in
     the last PANA-Auth-Request message.  Otherwise, it is assumed that
     the value is infinite and therefore has no expiration.  Expiration
     of LIFETIME_SESS_TIMEOUT will cause the event variable SESS_TIMEOUT
     to be set.

   ANY
     This event variable is set to TRUE when any event occurs.
5.3.  Constants

   RTX_MAX_NUM
     Configurable maximum for how many retransmissions should be
     attempted before aborting.

5.4.  Common Message Initialization Rules

   When a message is prepared for sending, it is initialized as follows:

   o  For a request message, the R-flag of the header is set.  Otherwise,
      the R-flag is not set.

   o  OLD (-04): The S-flag and N-flag of the header are not set.
      NEW (-05): Other message header flags are not set.  They are set
      explicitly by specific state machine actions.

   o  AVPs that must be included in a message are inserted with
      appropriate values set.
   o  OLD (-04) only: A Notification AVP is inserted if there is some
      notification string to send to the communicating peer.

   OLD (-04):

5.5.  Common Error Handling Rules

   For simplicity, the PANA state machines defined in this document do
   not support the optional feature of sending a PER message when an
   invalid PANA message is received [I-D.ietf-pana-pana], while the
   state machines support sending a PER message generated in other cases
   as well as receiving and processing a PER message.  It is left to
   implementations as to whether they provide a means to send a PER
   message when an invalid PANA message is received.

   NEW (-05):

5.5.  Common Retransmission Rules

   The state machines defined in this document assume that the PaC and
   the PAA cache the last transmitted answer message.  This scheme is
   described in Sec 5.2 of [I-D.ietf-pana-pana].  When the PaC or PAA
   receives a re-transmitted or duplicate request, it is able to re-send
   the corresponding answer without any aid from the EAP layer.
   However, to simplify the state machine description, this caching
   scheme is omitted in the state machines below.  In the case that
   there is no corresponding answer to a re-transmitted request, the
   request will be handled by the corresponding state machine.

5.6.  Common State Transitions

   OLD (-04): The following transitions can occur at any state.
   NEW (-05): The following transitions can occur at any state, with
   exemptions explicitly noted.
   OLD (-04):

   ----------
   State: ANY
   ----------

   Exit Condition           Exit Action               Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (Re-transmissions)- - - - - - - - - -
   RTX_TIMEOUT &&           Retransmit();             (no change)
   RTX_COUNTER<
   RTX_MAX_NUM
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - (Reach maximum number of transmissions)- - - - - -
   RTX_TIMEOUT &&           Disconnect();             CLOSED
   RTX_COUNTER>=
   RTX_MAX_NUM

   SESS_TIMEOUT             Disconnect();             CLOSED
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - -(PANA-Error-Message-Processing)- - - - - -
   Rx:PER &&                PEA.insert_avp("AUTH");   CLOSED
   fatal                    Tx:PEA();
   (PER.RESULT_CODE) &&     Disconnect();
   PER.exist_avp("AUTH") &&
   key_available()

   Rx:PER &&                Tx:PEA();                 (no change)
   !fatal
   (PER.RESULT_CODE) ||
   !PER.exist_avp("AUTH") ||
   !key_available()
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   NEW (-05):

   ----------
   State: ANY
   ----------

   Exit Condition           Exit Action               Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (Re-transmissions)- - - - - - - - - -
   RTX_TIMEOUT &&           Retransmit();             (no change)
   RTX_COUNTER<
   RTX_MAX_NUM
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - (Reach maximum number of transmissions)- - - - - -
   (RTX_TIMEOUT &&          Disconnect();             CLOSED
   RTX_COUNTER>=
   RTX_MAX_NUM) ||
   SESS_TIMEOUT
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   -------------------------
   State: ANY except INITIAL
   -------------------------

   Exit Condition           Exit Action               Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - (liveness test initiated by peer)- - - - - -
   Rx:PNR[P]                Tx:PNA[P]();              (no change)
The following transitions can occur on any exit condition within the The following transitions can occur on any exit condition within the
specified state. specified state.
------------- -------------
State: CLOSED State: CLOSED
------------- -------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - -(Session termination initiated by PaC) - - - - - - - - - - - - -(Catch all event on closed state) - - - - - - - -
ANY None(); CLOSED ANY None(); CLOSED
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
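The common "ANY"-state rules above (retransmit while RTX_COUNTER is below RTX_MAX_NUM, otherwise Disconnect() to CLOSED; SESS_TIMEOUT to CLOSED; a peer-initiated PNR[P] answered with PNA[P] outside INITIAL; the catch-all in CLOSED) and the answer cache of Section 5.5 are small enough to model in a few lines. The following is an added example, not code from the draft or from any PANA implementation; the class and attribute names, the value of RTX_MAX_NUM and the assumption that Retransmit() increments RTX_COUNTER are mine.

```python
# Added example, not code from the draft: a toy model of the common
# "ANY"-state transitions (retransmission limit, session timeout,
# peer-initiated liveness test) and of the answer cache described in
# Section 5.5.  Class and attribute names, the value of RTX_MAX_NUM and
# the rule that Retransmit() bumps RTX_COUNTER are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RTX_MAX_NUM = 3  # constructed: maximum number of retransmissions

# request type -> answer type for the message types used here
ANSWER_FOR = {"PAR": "PAN", "PNR": "PNA", "PTR": "PTA"}


@dataclass
class Message:
    seq: int            # sequence number carried in the header
    request: bool       # True when the R-flag is set
    kind: str           # message type, e.g. "PNR" or "PNA"
    flags: str = ""     # other header flags, e.g. "P" for a ping


@dataclass
class PanaEndpoint:
    """One side of a PANA session (PaC or PAA), common rules only."""
    state: str = "OPEN"
    rtx_counter: int = 0
    pending: Optional[Message] = None          # request awaiting its answer
    answer_cache: Dict[int, Message] = field(default_factory=dict)
    wire: List[Message] = field(default_factory=list)   # every transmission
    upper_layer_calls: int = 0                 # times the EAP/app layer was asked
    next_seq: int = 1

    def send_request(self, kind: str, flags: str = "") -> Message:
        """Tx:<kind>(); RtxTimerStart()."""
        msg = Message(self.next_seq, True, kind, flags)
        self.next_seq += 1
        self.pending = msg
        self.rtx_counter = 0
        self.wire.append(msg)
        return msg

    def on_rtx_timeout(self) -> None:
        """RTX_TIMEOUT in any state."""
        if self.state == "CLOSED" or self.pending is None:
            return
        if self.rtx_counter < RTX_MAX_NUM:
            self.rtx_counter += 1           # Retransmit(); state unchanged
            self.wire.append(self.pending)
        else:
            self.disconnect()               # limit reached: Disconnect(); CLOSED

    def on_sess_timeout(self) -> None:
        """SESS_TIMEOUT in any state: Disconnect(); CLOSED."""
        self.disconnect()

    def disconnect(self) -> None:
        self.pending = None
        self.state = "CLOSED"

    def on_request(self, req: Message) -> Optional[Message]:
        """Rx of a request; returns the answer sent, or None."""
        if self.state == "CLOSED":
            return None                     # catch-all: None(); stay CLOSED
        cached = self.answer_cache.get(req.seq)
        if cached is not None:
            self.wire.append(cached)        # duplicate: re-send without the EAP layer
            return cached
        ans = self._build_answer(req)
        if ans is not None:
            self.answer_cache = {req.seq: ans}   # keep only the last answer
            self.wire.append(ans)
        return ans

    def _build_answer(self, req: Message) -> Optional[Message]:
        if req.kind == "PNR" and "P" in req.flags:
            if self.state == "INITIAL":
                return None                 # liveness test not accepted in INITIAL
            return Message(req.seq, False, "PNA", "P")   # Tx:PNA[P](); no upper layer
        self.upper_layer_calls += 1         # anything else needs the EAP/app layer
        return Message(req.seq, False, ANSWER_FOR[req.kind], req.flags)

    def on_answer(self, ans: Message) -> bool:
        """Rx of an answer: RtxTimerStop() when it matches the pending request."""
        if self.pending is not None and not ans.request and ans.seq == self.pending.seq:
            self.pending = None
            self.rtx_counter = 0
            return True
        return False
```

The point worth noticing is in on_request: a re-transmitted or duplicate request is answered from the one-entry cache and never reaches the EAP layer, which is what Section 5.5 describes and also what keeps a flood of duplicate requests from driving EAP method state or growing memory. A real implementation would key the cache on the session as well as the sequence number and validate the AUTH AVP before consulting it.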
6. PaC State Machine 6. PaC State Machine
6.1. Interface between PaC and EAP Peer 6.1. Interface between PaC and EAP Peer
This interface defines the interactions between a PaC and an EAP This interface defines the interactions between a PaC and an EAP
peer. The interface serves as a mechanism to deliver EAP messages peer. The interface serves as a mechanism to deliver EAP messages
for the EAP peer. It allows the EAP peer to receive EAP requests and for the EAP peer. It allows the EAP peer to receive EAP requests and
notify the EAP peer of PaC events and a mechanism to receive notify the EAP peer of PaC events and a mechanism to receive
notification of EAP peer events. The EAP message delivery mechanism notification of EAP peer events. The EAP message delivery mechanism
as well as the event notification mechanism in this interface have as well as the event notification mechanism in this interface have
direct correlation with the PaC state transition table entries. direct correlation with the PaC state transition table entries.
These message delivery and event notifications mechanisms occur only These message delivery and event notifications mechanisms occur only
within the context of their associated states or exit actions. within the context of their associated states or exit actions.
6.1.1. Delivering EAP Messages from PaC to EAP Peer 6.1.1. Delivering EAP Messages from PaC to EAP Peer
TxEAP() procedure in the PaC state machine serves as the mechanism to TxEAP() procedure in the PaC state machine serves as the mechanism to
deliver EAP request, EAP success and EAP failure messages contained deliver EAP messages contained in PANA-Auth-Request messages to the
in PANA-Auth-Request messages to the EAP peer. This procedure is EAP peer. This procedure is enabled only after an EAP restart event
enabled only after an EAP restart event is notified to the EAP peer is notified to the EAP peer and before any event resulting in a
and before any event resulting in a termination of the EAP peer termination of the EAP peer session. In the case where the EAP peer
session. In the case where the EAP peer follows the EAP peer state follows the EAP peer state machine defined in [RFC4137], TxEAP()
machine defined in [RFC4137], TxEAP() procedure sets eapReq variable procedure sets eapReq variable of the EAP peer state machine and puts
of the EAP peer state machine and puts the EAP request in eapReqData the EAP request in eapReqData variable of the EAP peer state machine.
variable of the EAP peer state machine.
6.1.2. Delivering EAP Responses from EAP Peer to PaC 6.1.2. Delivering EAP Messages from EAP Peer to PaC
An EAP response is delivered from the EAP peer to the PaC via An EAP message is delivered from the EAP peer to the PaC via
EAP_RESPONSE event variable. The event variable is set when the EAP EAP_RESPONSE event variable. The event variable is set when the EAP
peer passes the EAP response to its lower-layer. In the case where peer passes the EAP message to its lower-layer. In the case where
the EAP peer follows the EAP peer state machine defined in [RFC4137], the EAP peer follows the EAP peer state machine defined in [RFC4137],
EAP_RESPONSE event variable refers to eapResp variable of the EAP EAP_RESPONSE event variable refers to eapResp variable of the EAP
peer state machine and the EAP response is contained in eapRespData peer state machine and the EAP message is contained in eapRespData
variable of the EAP peer state machine. variable of the EAP peer state machine.
6.1.3. EAP Restart Notification from PaC to EAP Peer 6.1.3. EAP Restart Notification from PaC to EAP Peer
The EAP peer state machine defined in [RFC4137] has an initialization The EAP peer state machine defined in [RFC4137] has an initialization
procedure before receiving an EAP request. To initialize the EAP procedure before receiving an EAP message. To initialize the EAP
state machine, the PaC state machine defines an event notification state machine, the PaC state machine defines an event notification
mechanism to send an EAP (re)start event to the EAP peer. The event mechanism to send an EAP (re)start event to the EAP peer. The event
notification is done via EAP_Restart() procedure in the notification is done via EAP_Restart() procedure in the
initialization action of the PaC state machine. initialization action of the PaC state machine.
6.1.4. EAP Authentication Result Notification from EAP Peer to PaC 6.1.4. EAP Authentication Result Notification from EAP Peer to PaC
In order for the EAP peer to notify the PaC of an EAP authentication In order for the EAP peer to notify the PaC of an EAP authentication
result, EAP_SUCCESS and EAP_FAILURE event variables are defined. In result, EAP_SUCCESS and EAP_FAILURE event variables are defined. In
the case where the EAP peer follows the EAP peer state machine the case where the EAP peer follows the EAP peer state machine
defined in [RFC4137], EAP_SUCCESS and EAP_FAILURE event variables defined in [RFC4137], EAP_SUCCESS and EAP_FAILURE event variables
refer to eapSuccess and eapFail variables of the EAP peer state refer to eapSuccess and eapFail variables of the EAP peer state
machine, respectively. In this case, if EAP_SUCCESS event variable machine, respectively. In this case, if EAP_SUCCESS event variable
is set to TRUE and an AAA-Key is generated by the EAP authentication is set to TRUE and an AAA-Key is generated by the EAP authentication
method in use, eapKeyAvailable variable is set to TRUE and eapKeyData method in use, eapKeyAvailable variable is set to TRUE and eapKeyData
variable contains the AAA-Key. Note that EAP_SUCCESS and EAP_FAILURE variable contains the AAA-Key. Note that EAP_SUCCESS and EAP_FAILURE
event variables may be set to TRUE even before the PaC receives a PBR event variables may be set to TRUE even before the PaC receives a PAR
or a PFER from the PAA. with a 'Complete' flag set from the PAA.
6.1.5. Alternate Failure Notification from PaC to EAP Peer 6.1.5. Alternate Failure Notification from PaC to EAP Peer
alt_reject() procedure in the PaC state machine serves as the alt_reject() procedure in the PaC state machine serves as the
mechanism to deliver an authentication failure event to the EAP peer mechanism to deliver an authentication failure event to the EAP peer
without accompanying an EAP message. In the case where the EAP peer without accompanying an EAP message. In the case where the EAP peer
follows the EAP peer state machine defined in [RFC4137], alt_reject() follows the EAP peer state machine defined in [RFC4137], alt_reject()
procedure sets altReject variable of the EAP peer state machine. procedure sets altReject variable of the EAP peer state machine.
Note that the EAP peer state machine in [RFC4137] also defines Note that the EAP peer state machine in [RFC4137] also defines
altAccept variable, however, it is never used in PANA in which EAP- altAccept variable, however, it is never used in PANA in which EAP-
Success messages are reliably delivered by PANA-Bind exchange. Success messages are reliably delivered by the last PANA-Auth
exchange.
6.1.6. EAP Invalid Message Notification from EAP Peer to PaC
In order for the EAP peer to notify the PaC of a receipt of an
invalid EAP message, EAP_INVALID_MSG event variable is defined. In
the case where the EAP peer follows the EAP peer state machine
defined in [RFC4137], EAP_INVALID_MSG event variable refers to
eapNoResp variable of the EAP peer state machine.
6.2. Variables
SEPARATE 6.2. Constants
This variable indicates whether the PaC desires NAP/ISP separate FAILED_SESS_TIMEOUT
authentication.
1ST_EAP Configurable value that allows the PaC to determine whether a PaC
authentication and authorization phase has stalled without an
explicit EAP success or failure notification.
This variable indicates whether the 1st EAP authentication is 6.3. Variables
success, failure or yet completed.
AUTH_USER AUTH_USER
This event variable is set to TRUE when initiation of EAP-based This event variable is set to TRUE when initiation of EAP-based
(re-)authentication is triggered by the application. (re-)authentication is triggered by the application.
EAP_SUCCESS EAP_SUCCESS
This event variable is set to TRUE when the EAP peer determines This event variable is set to TRUE when the EAP peer determines
that EAP conversation completes with success. that EAP conversation completes with success.
EAP_FAILURE EAP_FAILURE
This event variable is set to TRUE when the EAP peer determines This event variable is set to TRUE when the EAP peer determines
that EAP conversation completes with failure. that EAP conversation completes with failure.
EAP_RESPONSE EAP_RESPONSE
This event variable is set to TRUE when the EAP peer delivers an This event variable is set to TRUE when the EAP peer delivers an
EAP Response to the PaC. This event accompanies an EAP-Response EAP message to the PaC. This event accompanies an EAP message
message received from the EAP peer. received from the EAP peer.
EAP_INVALID_MSG
This event variable is set to TRUE when the EAP peer silently
discards an EAP message. This event does not accompany any EAP
message.
EAP_RESP_TIMEOUT EAP_RESP_TIMEOUT
This event variable is set to TRUE when the PaC that has passed an This event variable is set to TRUE when the PaC that has passed an
EAP-Request to the EAP-layer does not receive a corresponding EAP- EAP message to the EAP-layer does not receive a subsequent EAP
Response from the EAP-layer in a given period. message from the EAP-layer in a given period. This provides a
time limit for certain EAP methods where user interaction may be
6.3. Procedures required.
boolean choose_isp()
This procedure returns TRUE when the PaC chooses one ISP,
otherwise returns FALSE.
boolean ppac_available()
This procedure returns TRUE when the Post-PANA-Address-
Configuration method specified by the PAA is available in the PaC
and that the PaC will be able to comply.
boolean pcap_supported()
This procedure returns TRUE when the cryptographic data protection
supplied in the Protection-Capability AVP can be supported by the
PaC.
boolean algorithm_supported()
This procedure returns TRUE when the integrity algorithm supplied 6.4. Procedures
in the Algorithm AVP can be supported by the PaC.
boolean eap_piggyback() boolean eap_piggyback()
This procedure returns TRUE to indicate whether the next EAP This procedure returns TRUE to indicate whether the next EAP
response will be carried in the pending PAN message for response will be carried in the pending PAN message for
optimization. optimization.
void alt_reject() void alt_reject()
This procedure informs the EAP peer of an authentication failure This procedure informs the EAP peer of an authentication failure
void EAP_RespTimerStart() void EAP_RespTimerStart()
A procedure to start a timer to receive an EAP-Response from the A procedure to start a timer to receive an EAP-Response from the
EAP peer. EAP peer.
void EAP_RespTimerStop() void EAP_RespTimerStop()
A procedure to stop a timer to receive an EAP-Response from the A procedure to stop a timer to receive an EAP-Response from the
EAP peer. EAP peer.
6.4. PaC State Transition Table 6.5. PaC State Transition Table
------------------------------ ------------------------------
State: OFFLINE (Initial State) State: INITIAL (Initial State)
------------------------------ ------------------------------
Initialization Action: Initialization Action:
SEPARATE=Set|Unset; NONCE_SENT=Unset;
CARRY_DEVICE_ID=Unset; RTX_COUNTER=0;
1ST_EAP=Unset;
RtxTimerStop(); RtxTimerStop();
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+-------------- ------------------------+--------------------------+-----------
- - - - - - - - - - - - - (PSR processing) - - - - - - - - - - - - - - - - - - - - - (PaC-initiated Handshake) - - - - - - - - -
Rx:PSR && RtxTimerStop(); WAIT_EAP_MSG_ AUTH_USER Tx:PCI[](); INITIAL
PSR.exist_avp EAP_Restart(); IN_DISC
("EAP-Payload") && TxEAP();
(!PSR.exist_avp SEPARATE=Unset;
("Protection-Cap.") ||
(PSR.exist_avp
("Protection-Cap.") &&
pcap_supported())) &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp if (choose_isp())
("EAP-Payload") && PSA.insert_avp("ISP");
PSR.S_flag==1 && PSA.S_flag=1;
SEPARATE==Set && PSA.insert_avp("Cookie");
PSR.exist_avp Tx:PSA();
("Cookie") && RtxTimerStart();
(!PSR.exist_avp EAP_Restart();
("Protection-Cap.") ||
(PSR.exist_avp
("Protection-Cap.") &&
pcap_supported())) &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp if (choose_isp())
("EAP-Payload") && PSA.insert_avp("ISP");
PSR.S_flag==1 && PSA.S_flag=1;
SEPARATE==Set && Tx:PSA();
!PSR.exist_avp EAP_Restart();
("Cookie") &&
(!PSR.exist_avp
("Protection-Cap.") ||
(PSR.exist_avp
("Protection-Cap.") &&
pcap_supported())) &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp if (choose_isp())
("EAP-Payload") && PSA.insert_avp("ISP");
(PSR.S_flag!=1 || PSA.insert_avp("Cookie");
SEPARATE==Unset) && Tx:PSA();
PSR.exist_avp RtxTimerStart();
("Cookie") && SEPARATE=Unset;
(!PSR.exist_avp EAP_Restart();
("Protection-Cap.") ||
(PSR.exist_avp
("Protection-Cap.") &&
pcap_supported())) &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp if (choose_isp())
("EAP-Payload") && PSA.insert_avp("ISP");
(PSR.S_flag!=1 || Tx:PSA();
SEPARATE==Unset) && SEPARATE=Unset;
!PSR.exist_avp EAP_Restart();
("Cookie") &&
(!PSR.exist_avp
("Protection-Cap.") ||
(PSR.exist_avp
("Protection-Cap.") &&
pcap_supported())) &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PSR && None(); OFFLINE
(PSR.exist_avp
("Protection-Cap.") &&
!pcap_supported()) ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported())
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - -(Authentication trigger from application) - - -
AUTH_USER Tx:PDI(); OFFLINE
RtxTimerStart(); RtxTimerStart();
SessionTimerReStart
(FAILED_SESS_TIMEOUT);
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--------------------------- - - - - - - -(PAA-initiated Handshake, not optimized) - - - - -
State: WAIT_EAP_MSG_IN_DISC Rx:PAR[S] && Tx:PAN[S](); WAIT_PAA
--------------------------- !PAR.exist_avp EAP_Restart();
("EAP-Payload") SessionTimerReStart
(FAILED_SESS_TIMEOUT);
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Exit Condition Exit Action Exit State - - - - - - - -(PAA-initiated Handshake, optimized) - - - - - -
------------------------+--------------------------+------------ Rx:PAR[S] && EAP_Restart(); INITIAL
- - - - - - - - - - - (Return PSA with EAP-Payload) - - - - - - PAR.exist_avp TxEAP();
EAP_RESPONSE PSA.insert_avp WAIT_PAA ("EAP-Payload") && SessionTimerReStart
("EAP-Payload") eap_piggyback() (FAILED_SESS_TIMEOUT);
if (choose_isp())
PSA.insert_avp("ISP");
Tx:PSA();
EAP_RESP_TIMEOUT || None(); OFFLINE Rx:PAR[S] && EAP_Restart(); WAIT_EAP_MSG
EAP_INVALID_MSG PAR.exist_avp TxEAP();
("EAP-Payload") && SessionTimerReStart
!eap_piggyback() (FAILED_SESS_TIMEOUT);
TxPAN[S]();
EAP_RESPONSE Tx:PAN[S]("EAP-Payload"); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--------------- ---------------
State: WAIT_PAA State: WAIT_PAA
--------------- ---------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - - - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - -
Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG Rx:PAR[] && RtxTimerStop(); WAIT_EAP_MSG
!eap_piggyback() TxEAP(); !eap_piggyback() TxEAP();
EAP_RespTimerStart(); EAP_RespTimerStart();
if (key_available()) if (NONCE_SENT==Unset) {
PAN.insert_avp("AUTH"); NONCE_SENT=Set;
PAN.S_flag=PAR.S_flag; Tx:PAN[]("Nonce");
PAN.N_flag=PAR.N_flag; }
Tx:PAN(); else
Tx:PAN[]();
Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG Rx:PAR[] && RtxTimerStop(); WAIT_EAP_MSG
eap_piggyback() TxEAP(); eap_piggyback() TxEAP();
EAP_RespTimerStart(); EAP_RespTimerStart();
Rx:PAN RtxTimerStop(); WAIT_PAA Rx:PAN[] RtxTimerStop(); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - -
Rx:PFER && 1ST_EAP=Success; WAIT_1ST_EAP_
1ST_EAP==Unset && TxEAP(); RESULT
SEPARATE==Set &&
PFER.RESULT_CODE==
PANA_SUCCESS &&
PFER.S_flag==1 &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_
1ST_EAP==Unset && TxEAP(); RESULT
SEPARATE==Set &&
PFER.RESULT_CODE!=
PANA_SUCCESS &&
PFER.S_flag==1 &&
ABORT_ON_1ST_EAP_FAILURE
==Unset &&
PFER.exist_avp
("EAP-Payload")
Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_
1ST_EAP==Unset && alt_reject(); RESULT
SEPARATE==Set &&
PFER.RESULT_CODE!=
PANA_SUCCESS &&
PFER.S_flag==1 &&
ABORT_ON_1ST_EAP_FAILURE
==Unset &&
!PFER.exist_avp
("EAP-Payload")
Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_
1ST_EAP==Unset && TxEAP(); RESULT_CLOSED
SEPARATE==Set &&
PFER.RESULT_CODE!=
PANA_SUCCESS &&
(PFER.S_flag==0 ||
ABORT_ON_1ST_EAP_FAILURE
==Set) &&
PFER.exist_avp
("EAP-Payload")
Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_
1ST_EAP==Unset && alt_reject(); RESULT_CLOSED
SEPARATE==Set &&
PFER.RESULT_CODE!=
PANA_SUCCESS &&
(PFER.S_flag==0 ||
ABORT_ON_1ST_EAP_FAILURE
==Set) &&
!PFER.exist_avp
("EAP-Payload")
Rx:PBR && TxEAP(); WAIT_EAP_RESULT
1ST_EAP==Unset && if (PBR.exist_avp
SEPARATE==Unset && ("Device-Id"))
PBR.RESULT_CODE== CARRY_DEVICE_ID=Set;
PANA_SUCCESS &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PBR && TxEAP(); WAIT_EAP_RESULT_
1ST_EAP==Unset && CLOSE
SEPARATE==Unset &&
PBR.RESULT_CODE!=
PANA_SUCCESS &&
PBR.exist_avp
("EAP-Payload")
Rx:PBR && alt_reject(); WAIT_EAP_RESULT_
1ST_EAP==Unset && CLOSE
SEPARATE==Unset &&
PBR.RESULT_CODE!=
PANA_SUCCESS &&
!PBR.exist_avp
("EAP-Payload")
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - -(2nd EAP result) - - - - - - - - - - - - - - - - - - - - - - - -(PANA result) - - - - - - - - - -
Rx:PBR && TxEAP(); WAIT_EAP_RESULT Rx:PAR[C] && TxEAP(); WAIT_EAP_RESULT
1ST_EAP==Success && if (PBR.exist_avp PAR.RESULT_CODE==
PBR.RESULT_CODE== ("Device-Id")) PANA_SUCCESS
PANA_SUCCESS && CARRY_DEVICE_ID=Set;
PBR.exist_avp
("EAP-Payload") &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PBR && alt_reject(); WAIT_EAP_RESULT
1ST_EAP==Success && if (PBR.exist_avp
PBR.RESULT_CODE== ("Device-Id"))
PANA_SUCCESS && CARRY_DEVICE_ID=Set;
!PBR.exist_avp
("EAP-Payload") &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PBR && TxEAP(); WAIT_EAP_RESULT_
1ST_EAP==Success && CLOSE
PBR.RESULT_CODE!=
PANA_SUCCESS &&
PBR.exist_avp
("EAP-Payload")
Rx:PBR && alt_reject(); WAIT_EAP_RESULT_
1ST_EAP==Success && CLOSE
PBR.RESULT_CODE!=
PANA_SUCCESS &&
!PBR.exist_avp
("EAP-Payload")
Rx:PBR && TxEAP(); WAIT_EAP_RESULT
1ST_EAP==Failure && if (PBR.exist_avp
PBR.RESULT_CODE== ("Device-Id"))
PANA_SUCCESS && CARRY_DEVICE_ID=Set;
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PBR && TxEAP(); WAIT_EAP_RESULT_
1ST_EAP==Failure && CLOSE
PBR.RESULT_CODE!=
PANA_SUCCESS &&
PBR.exist_avp
("EAP-Payload")
Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ Rx:PAR[C] && if (PAR.exist_avp WAIT_EAP_RESULT_
1ST_EAP==Failure && CLOSE PAR.RESULT_CODE!= ("EAP-Payload")) CLOSE
PBR.RESULT_CODE!= PANA_SUCCESS TxEAP();
PANA_SUCCESS && else
!PBR.exist_avp alt_reject();
("EAP-Payload")
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
------------------- -------------------
State: WAIT_EAP_MSG State: WAIT_EAP_MSG
------------------- -------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - (Return PAN/PAR) - - - - - - - - - - - - - - - - - - - - - - - - (Return PAN/PAR from EAP) - - - - - - - - -
EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA
eap_piggyback() PAN.insert_avp eap_piggyback() if (NONCE_SENT==Unset) {
("EAP-Payload"); Tx:PAN[]("EAP-Payload",
if (key_available()) "Nonce");
PAN.insert_avp("AUTH"); NONCE_SENT=Set;
PAN.S_flag=PAR.S_flag; }
PAN.N_flag=PAR.N_flag; else
Tx:PAN(); Tx:PAN[]("EAP-Payload");
EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA
!eap_piggyback() PAR.insert_avp !eap_piggyback() Tx:PAR[]("EAP-Payload");
("EAP-Payload");
if (key_available())
PAR.insert_avp("AUTH");
PAR.S_flag=PAN.S_flag;
PAR.N_flag=PAN.N_flag;
Tx:PAR();
RtxTimerStart(); RtxTimerStart();
EAP_RESP_TIMEOUT if (key_available()) WAIT_PAA EAP_RESP_TIMEOUT && Tx:PAN[](); WAIT_PAA
PAN.insert_avp("AUTH"); eap_piggyback()
PAN.S_flag=PAR.S_flag; EAP_FAILURE SessionTimerStop(); CLOSED
PAN.N_flag=PAR.N_flag; Disconnect();
Tx:PAN();
EAP_INVALID_MSG || None(); WAIT_PAA
EAP_SUCCESS ||
EAP_FAILURE
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------------- ----------------------
State: WAIT_EAP_RESULT State: WAIT_EAP_RESULT
---------------------- ----------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - - - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - -
EAP_SUCCESS && PBA.insert_avp("AUTH"); OPEN EAP_SUCCESS if (PAR.exist_avp OPEN
PBR.exist_avp PBA.insert_avp("Key-Id"); ("Key-Id"))
("Key-Id") && if (CARRY_DEVICE_ID) Tx:PAN[C]("Key-Id");
ppac_available() && PBA.insert_avp else
(!PBR.exist_avp ("Device-Id"); Tx:PAN[C]();
("Protection- PBA.insert_avp("PPAC"); Authorize();
Capability") || Tx:PBA(); SessionTimerReStart
(PBR.exist_avp Authorize(); (LIFETIME_SESS_TIMEOUT);
("Protection- SessionTimerStart();
Capability") &&
pcap_supported()))
EAP_SUCCESS && if (key_available()) OPEN
!PBR.exist_avp PBA.insert_avp("AUTH");
("Key-Id") && if (CARRY_DEVICE_ID)
ppac_available() && PBA.insert_avp
(!PBR.exist_avp ("Device-Id");
("Protection- PBA.insert_avp("PPAC");
Capability") || Tx:PBA();
(PBR.exist_avp Authorize();
("Protection- SessionTimerStart();
Capability") &&
pcap_supported()))
EAP_SUCCESS && if (key_available()) WAIT_PEA
!ppac_available() PER.insert_avp("AUTH");
PER.RESULT_CODE=
PANA_PPAC_CAPABILITY_
UNSUPPORTED
Tx:PER();
RtxTimerStart();
EAP_SUCCESS && if (key_available()) WAIT_PEA
(PBR.exist_avp PER.insert_avp("AUTH");
("Protection- PER.RESULT_CODE=
Capability") && PANA_PROTECTION_
!pcap_supported()) CAPABILITY_UNSUPPORTED
Tx:PER();
RtxTimerStart();
EAP_FAILURE && if (key_available()) OPEN
(SEPARATE==Set) && PBA.insert_avp("AUTH");
ppac_available() && if (CARRY_DEVICE_ID)
(!PBR.exist_avp PBA.insert_avp
("Protection- ("Device-Id");
Capability") || PBA.insert_avp("PPAC");
(PBR.exist_avp Tx:PBA();
("Protection- Authorize();
Capability") && SessionTimerStart();
pcap_supported()))
EAP_FAILURE && if (key_available()) WAIT_PEA
(SEPARATE==Set) && PER.insert_avp("AUTH");
!ppac_available() PER.RESULT_CODE=
PANA_PPAC_CAPABILITY_
UNSUPPORTED
Tx:PER();
RtxTimerStart();
EAP_FAILURE && if (key_available()) WAIT_PEA
(SEPARATE==Set) && PER.insert_avp("AUTH");
(PBR.exist_avp PER.RESULT_CODE=
("Protection- PANA_PROTECTION_
Capability") && CAPABILITY_UNSUPPORTED
!pcap_supported()) Tx:PER();
RtxTimerStart();
EAP_INVALID_MSG None(); WAIT_PAA EAP_FAILURE Tx:PAN[C](); CLOSED
SessionTimerStop();
Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------------------- ----------------------------
State: WAIT_EAP_RESULT_CLOSE State: WAIT_EAP_RESULT_CLOSE
---------------------------- ----------------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - - - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - -
EAP_SUCCESS && PBA.insert_avp("AUTH"); CLOSED EAP_SUCCESS || if (EAP_SUCCESS && CLOSED
PBR.exist_avp PBA.insert_avp("Key-Id"); EAP_FAILURE PAR.exist_avp("Key-Id"))
("Key-Id") Tx:PBA(); Tx:PAN[C]("Key-Id");
Disconnect(); else
Tx:PAN[C]();
EAP_SUCCESS && if (key_available()) CLOSED SessionTimerStop();
!PBR.exist_avp PBA.insert_avp("AUTH");
("Key-Id") Tx:PBA();
Disconnect();
EAP_FAILURE Tx:PBA(); CLOSED
Disconnect();
EAP_INVALID_MSG None(); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--------------------------
State: WAIT_1ST_EAP_RESULT
--------------------------
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - -
EAP_SUCCESS && PFEA.insert_avp("Key-Id"); WAIT_PAA
PFER.exist_avp PFEA.S_flag=1;
("Key-Id") PFEA.N_flag=PFER.N_flag;
PFEA.insert_avp("AUTH");
Tx:PFEA();
EAP_Restart();
(EAP_SUCCESS && if (key_available()) WAIT_PAA
!PFER.exist_avp PFEA.insert_avp("AUTH");
("Key-Id")) || PFEA.S_flag=1;
EAP_FAILURE PFEA.N_flag=PFER.N_flag;
Tx:PFEA();
EAP_Restart();
EAP_INVALID_MSG EAP_Restart(); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--------------------------------
State: WAIT_1ST_EAP_RESULT_CLOSE
--------------------------------
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - -
EAP_SUCCESS && PFEA.insert_avp("Key-Id"); CLOSED
PFER.exist_avp PFEA.S_flag=0;
("Key-Id") PFEA.N_flag=0;
PFEA.insert_avp("AUTH");
Tx:PFEA();
Disconnect();
(EAP_SUCCESS && if (key_available()) CLOSED
!PFER.exist_avp PFEA.insert_avp("AUTH");
("Key-Id")) || PFEA.S_flag=0;
EAP_FAILURE PFEA.N_flag=0;
Tx:PFEA();
Disconnect(); Disconnect();
EAP_INVALID_MSG None(); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
----------- -----------
State: OPEN State: OPEN
----------- -----------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - (liveness test initiated by PAA)- - - - - -
Rx:PPR if (key_available()) OPEN
PPA.insert_avp("AUTH");
Tx:PPA();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - (liveness test initiated by PaC)- - - - - - - - - - - - - - - - (liveness test initiated by PaC)- - - - - -
PANA_PING if (key_available()) WAIT_PPA PANA_PING Tx:PNR[P](); WAIT_PNA
PPR.insert_avp("AUTH");
Tx:PPR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - (re-authentication initiated by PaC)- - - - - - - - - - - - - - - (re-authentication initiated by PaC)- - - - - -
REAUTH SEPARATE=Set|Unset; WAIT_PRAA REAUTH NONCE_SENT=Unset; WAIT_PNA
1ST_EAP=Unset; Tx:PNR[A]();
if (key_available())
PRAR.insert_avp("AUTH");
Tx:PRAR();
RtxTimerStart(); RtxTimerStart();
SessionTimerStop();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - (re-authentication initiated by PAA)- - - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - -
Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG Rx:PAR[] EAP_RespTimerStart(); WAIT_EAP_MSG
!eap_piggyback() 1ST_EAP=Unset;
EAP_RespTimerStart();
TxEAP();
if (key_available())
PAN.insert_avp("AUTH");
PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag;
Tx:PAN();
SessionTimerStop();
Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG
eap_piggyback() 1ST_EAP=Unset;
EAP_RespTimerStart();
TxEAP(); TxEAP();
SessionTimerStop(); if (!eap_piggyback())
Tx:PAN[]("Nonce");
else
NONCE_SENT=Unset;
SessionTimerReStart
(FAILED_SESS_TIMEOUT);
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -(Session termination initiated by PAA) - - - - - - - - - - - - - -(Session termination initiated by PAA) - - - - - -
Rx:PTR if (key_available()) CLOSED Rx:PTR[] Tx:PTA[](); CLOSED
PTA.insert_avp("AUTH"); SessionTimerStop();
Tx:PTA();
Disconnect(); Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -(Session termination initiated by PaC) - - - - - - - - - - - - - -(Session termination initiated by PaC) - - - - - -
TERMINATE if (key_available()) SESS_TERM TERMINATE Tx:PTR[](); SESS_TERM
PTR.insert_avp("AUTH");
Tx:PTR();
RtxTimerStart(); RtxTimerStart();
SessionTimerStop();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - -(Address update) - - - - - - - - - - - -
NOTIFY if (key_available()) WAIT_PUA
PUR.insert_avp("AUTH");
Tx:PUR();
RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - -(Notification update)- - - - - - - - - - -
Rx:PUR if (key_available()) OPEN
PUA.insert_avp("AUTH");
Tx:PUA();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
----------------
State: WAIT_PRAA
----------------
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - -(re-authentication initiated by PaC) - - - - -
Rx:PRAA RtxTimerStop(); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--------------- ---------------
State: WAIT_PPA State: WAIT_PNA
--------------- ---------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - -(liveness test initiated by PAA) - - - - - - - - - - - - - - - -(re-authentication initiated by PaC) - - - - -
Rx:PPA RtxTimerStop(); OPEN Rx:PNA[A] RtxTimerStop(); WAIT_PAA
SessionTimerReStart
(FAILED_SESS_TIMEOUT);
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - -(liveness test initiated by PaC) - - - - - - -
--------------- Rx:PNA[P] RtxTimerStop(); OPEN
State: WAIT_PUA
---------------
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - (PUA processing)- - - - - - - - - - -
Rx:PUA RtxTimerStop(); OPEN
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------- ----------------
State: SESS_TERM State: SESS_TERM
---------------- ----------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - -(Session termination initiated by PaC) - - - - - - - - - - - - -(Session termination initiated by PaC) - - - - -
Rx:PTA Disconnect(); CLOSED Rx:PTA[] Disconnect(); CLOSED
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------
State: WAIT_PEA
---------------
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - -(PEA processing) - - - - - - - - - -
Rx:PEA RtxTimerStop(); CLOSED
Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
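The -05 PaC rows above for OPEN (liveness test, re-authentication in both directions, termination in both directions), WAIT_PNA and SESS_TERM, as an added Python illustration. This is not code from the draft or from any PANA implementation. Assumptions: messages are recorded in a list instead of being sent, TxEAP() is not modelled, FAILED_SESS_TIMEOUT is a placeholder value, and a message matching no row on this page is counted and dropped.

```python
from dataclasses import dataclass, field
from typing import Optional

FAILED_SESS_TIMEOUT = 30   # assumed placeholder; the draft fixes no value here


@dataclass
class Msg:
    kind: str          # PAR, PAN, PNR, PNA, PTR, PTA
    flags: str = ""    # "" for PAR[]/PTR[], "P" for PNR[P]/PNA[P], "A" for PNR[A]/PNA[A]
    avps: tuple = ()   # AVP names carried, e.g. ("Nonce",)


@dataclass
class PaC:
    state: str = "OPEN"
    nonce_sent: bool = False            # NONCE_SENT
    eap_piggyback: bool = False         # eap_piggyback(): EAP response rides in a later PAN
    rtx_timer: bool = False
    eap_resp_timer: bool = False
    session_timer: Optional[int] = 600  # None == stopped, else the armed timeout
    disconnected: bool = False
    discarded: int = 0
    sent: list = field(default_factory=list)

    def _tx(self, kind, flags="", avps=()):
        self.sent.append(Msg(kind, flags, tuple(avps)))

    def event(self, ev: str) -> str:
        """Local events in OPEN: PANA_PING, REAUTH, TERMINATE."""
        if self.state != "OPEN":
            raise ValueError(f"{ev} not handled in {self.state}")
        if ev == "PANA_PING":            # liveness test initiated by PaC
            self._tx("PNR", "P")
            self.rtx_timer = True
            self.state = "WAIT_PNA"
        elif ev == "REAUTH":             # re-authentication initiated by PaC
            self.nonce_sent = False
            self._tx("PNR", "A")
            self.rtx_timer = True
            self.state = "WAIT_PNA"
        elif ev == "TERMINATE":          # session termination initiated by PaC
            self._tx("PTR")
            self.rtx_timer = True
            self.session_timer = None
            self.state = "SESS_TERM"
        else:
            raise ValueError(ev)
        return self.state

    def receive(self, m: Msg) -> str:
        """Dispatch an incoming message on (state, message type, flag)."""
        key = (self.state, m.kind, m.flags)
        if key == ("OPEN", "PAR", ""):       # re-authentication initiated by PAA
            self.eap_resp_timer = True       # EAP_RespTimerStart()
            # TxEAP(): the EAP-Payload goes to the EAP peer; not modelled here.
            if not self.eap_piggyback:
                self._tx("PAN", "", ("Nonce",))
            else:
                self.nonce_sent = False      # nonce will ride with the EAP response
            self.session_timer = FAILED_SESS_TIMEOUT
            self.state = "WAIT_EAP_MSG"
        elif key == ("OPEN", "PTR", ""):     # session termination initiated by PAA
            self._tx("PTA")
            self.session_timer = None
            self.disconnected = True
            self.state = "CLOSED"
        elif key == ("WAIT_PNA", "PNA", "A"):
            self.rtx_timer = False
            self.state = "WAIT_PAA"          # the EAP run continues from WAIT_PAA
        elif key == ("WAIT_PNA", "PNA", "P"):
            self.rtx_timer = False
            self.state = "OPEN"
        elif key == ("SESS_TERM", "PTA", ""):
            self.disconnected = True
            self.state = "CLOSED"
        else:                                # no row on this page: drop, do not act
            self.discarded += 1
        return self.state
```

Two details of the table are easy to lose in an implementation and are visible here: a PAA-initiated PAR in OPEN re-arms the session timer with FAILED_SESS_TIMEOUT (the old lifetime no longer applies while re-authentication is in flight), and a PNA in WAIT_PNA is only meaningful together with its flag, since PNA[A] and PNA[P] exit to different states.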
7. PAA State Machine 7. PAA State Machine
7.1. Interface between PAA and EAP Authenticator 7.1. Interface between PAA and EAP Authenticator
The interface between a PAA and an EAP authenticator provides a The interface between a PAA and an EAP authenticator provides a
mechanism to deliver EAP messages for the EAP authenticator as well mechanism to deliver EAP messages for the EAP authenticator as well
as a mechanism to notify the EAP authenticator of PAA events and to as a mechanism to notify the EAP authenticator of PAA events and to
receive notification of EAP authenticator events. These message receive notification of EAP authenticator events. These message
eapSuccess, eapFail and eapTimeout variables of the EAP authenticator eapSuccess, eapFail and eapTimeout variables of the EAP authenticator
state machine, respectively. In this case, if EAP_SUCCESS event state machine, respectively. In this case, if EAP_SUCCESS event
variable is set to TRUE, an EAP-Success message is contained in variable is set to TRUE, an EAP-Success message is contained in
eapReqData variable of the EAP authenticator state machine, and eapReqData variable of the EAP authenticator state machine, and
additionally, eapKeyAvailable variable is set to TRUE and eapKeyData additionally, eapKeyAvailable variable is set to TRUE and eapKeyData
variable contains an AAA-Key if the AAA-Key is generated as a result variable contains an AAA-Key if the AAA-Key is generated as a result
of successful authentication by the EAP authentication method in use. of successful authentication by the EAP authentication method in use.
Similarly, if EAP_FAILURE event variable is set to TRUE, an EAP- Similarly, if EAP_FAILURE event variable is set to TRUE, an EAP-
Failure message is contained in eapReqData variable of the EAP Failure message is contained in eapReqData variable of the EAP
authenticator state machine. The PAA uses EAP_SUCCESS, EAP_FAILURE authenticator state machine. The PAA uses EAP_SUCCESS, EAP_FAILURE
and EAP_TIMEOUT event variables as a trigger to send a PBR or a PFER and EAP_TIMEOUT event variables as a trigger to send a PAR message to
message to the PaC. the PaC.
7.2. Variables 7.2. Variables
USE_COOKIE OPTIMIZED_INIT
This variable indicates whether the PAA uses a Cookie.
EAP_PIGGYBACK
This variable indicates whether the PAA is able to piggyback an This variable indicates whether the PAA is able to piggyback an
EAP-Request in PANA-Start-Request. EAP-Request in the initial PANA-Auth-Request. Otherwise it is set
to FALSE.
SEPARATE
This variable indicates whether the PAA provides NAP/ISP separate
authentication.
1ST_EAP
This variable indicates whether the 1st EAP authentication is a
success, a failure, or not yet completed.
PSA.SESSION_ID
This variable contains the Session-Id AVP value in the PANA-Start-
Answer message in process.
CARRY_LIFETIME
This variable indicates whether a Session-Lifetime AVP is carried
in PANA-Bind-Request message.
PROTECTION_CAP_IN_PSR
This variable indicates whether a Protection-Capability AVP is
carried in a PANA-Start-Request message.
AUTH_ALGORITHM_IN_PSR
This variable indicates whether an Algorithm AVP is carried in a
PANA-Start-Request message.
PROTECTION_CAP_IN_PBR
This variable indicates whether a Protection-Capability AVP is
carried in a PANA-Bind-Request message.
CARRY_NAP_INFO
This variable indicates whether a NAP-Information AVP is carried
in PANA-Start-Request message.
CARRY_ISP_INFO
This variable indicates whether an ISP-Information AVP is carried
in PANA-Start-Request message.
NAP_AUTH
This variable indicates whether a NAP authentication is being
performed or not.
CARRY_PPAC PAC_FOUND
This variable indicates whether a Post-PANA-Address-Configuration This variable is set to TRUE as a result of a PAA initiated
AVP is carried in PANA-Start-Request message. handshake.
PAC_FOUND REAUTH_TIMEOUT
This variable is set to TRUE during the EP-to-PAA notification as This event variable is set to TRUE to indicate that the PAA
a result of a traffic-driven PAA discovery or link-up event initiates a re-authentication with the PaC. The re-authentication
notification by the EP as a result of the presence of a new PaC. timeout should be set to a value less than the session timeout
carried in the Session-Lifetime AVP if present.
EAP_SUCCESS EAP_SUCCESS
This event variable is set to TRUE when EAP conversation completes This event variable is set to TRUE when EAP conversation completes
with success. This event accompanies an EAP-Success message with success. This event accompanies an EAP-Success message
passed from the EAP authenticator. passed from the EAP authenticator.
EAP_FAILURE EAP_FAILURE
This event variable is set to TRUE when EAP conversation completes This event variable is set to TRUE when EAP conversation completes
with failure. This event accompanies an EAP-Failure message with failure. This event accompanies an EAP-Failure message
passed from the EAP authenticator. passed from the EAP authenticator.
boolean new_key_available() boolean new_key_available()
A procedure to check whether the PANA session has a new A procedure to check whether the PANA session has a new
PANA_AUTH_KEY. If the state machine already has a PANA_AUTH_KEY, PANA_AUTH_KEY. If the state machine already has a PANA_AUTH_KEY,
it returns FALSE. If the state machine does not have a it returns FALSE. If the state machine does not have a
PANA_AUTH_KEY, it tries to retrieve an AAA-Key from the EAP entity. PANA_AUTH_KEY, it tries to retrieve an AAA-Key from the EAP entity.
If an AAA-Key has been retrieved, it computes a PANA_AUTH_KEY from If an AAA-Key has been retrieved, it computes a PANA_AUTH_KEY from
the AAA-Key and returns TRUE. Otherwise, it returns FALSE. the AAA-Key and returns TRUE. Otherwise, it returns FALSE.
boolean new_source_address()
A procedure to check the PaC's source IP address from the current
PUR message. If the source IP address of the message is different
from the last known IP address stored in the PANA session, this
procedure returns TRUE. Otherwise, it returns FALSE.
void update_popa()
A procedure to extract the PaC's source IP address from the
current PUR message and update the PANA session with this new IP
address.
7.4. PAA State Transition Table 7.4. PAA State Transition Table
------------------------------ ------------------------------
State: OFFLINE (Initial State) State: INITIAL (Initial State)
------------------------------ ------------------------------
Initialization Action: Initialization Action:
USE_COOKIE=Set|Unset; OPTIMIZED_INIT=Set|Unset;
EAP_PIGGYBACK=Set|Unset; NONCE_SENT=Unset;
SEPARATE=Set|Unset;
if (EAP_PIGGYBACK==Set)
SEPARATE=Unset;
1ST_EAP=Unset;
ABORT_ON_1ST_EAP_FAILURE=Set|Unset;
CARRY_LIFETIME=Set|Unset;
CARRY_DEVICE_ID=Set|Unset;
CARRY_NAP_INFO=Set|Unset;
CARRY_ISP_INFO=Set|Unset;
CARRY_PPAC=Set|Unset;
PROTECTION_CAP_IN_PSR=Set|Unset;
PROTECTION_CAP_IN_PBR=Set|Unset;
if (PROTECTION_CAP_IN_PBR==Unset)
PROTECTION_CAP_IN_PSR=Unset;
else
CARRY_DEVICE_ID=Set;
NAP_AUTH=Unset;
RTX_COUNTER=0; RTX_COUNTER=0;
RtxTimerStop(); RtxTimerStop();
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - (Stateful discovery)- - - - - - - - - - - - - - - - - (PCI and PAA initiated PANA) - - - - - - - - -
(Rx:PDI || EAP_Restart(); WAIT_EAP_MSG_ (Rx:PCI[] || if (OPTIMIZED_INIT == INITIAL
PAC_FOUND) && IN_DISC PAC_FOUND) Set) {
USE_COOKIE==Unset &&
EAP_PIGGYBACK==Set
(Rx:PDI || if (SEPARATE==Set) STATEFUL_DISC
PAC_FOUND) && PSR.S_flag=1;
USE_COOKIE==Unset && if (CARRY_NAP_INFO==Set)
EAP_PIGGYBACK==Unset PSR.insert_avp
("NAP-Information");
if (CARRY_ISP_INFO==Set)
PSR.insert_avp
("ISP-Information");
if (CARRY_PPAC==Set)
PSR.insert_avp
("Post-PANA-Address-
Configuration");
if (PROTECTION_CAP_IN_PSR
==Set)
PSR.insert_avp
("Protection-Cap.");
if (AUTH_ALGORITHM_IN_PSR
==Set)
PSR.insert_avp
("Algorithm");
Tx:PSR();
RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - (Stateless discovery) - - - - - - - -
(Rx:PDI || if (SEPARATE==Set) OFFLINE
PAC_FOUND) && PSR.S_flag=1;
USE_COOKIE==Set PSR.insert_avp
("Cookie");
if (CARRY_NAP_INFO==Set)
PSR.insert_avp
("NAP-Information");
if (CARRY_ISP_INFO==Set)
PSR.insert_avp
("ISP-Information");
if (CARRY_PPAC==Set)
PSR.insert_avp
("Post-PANA-Address-
Configuration");
if (PROTECTION_CAP_IN_PSR
==Set)
PSR.insert_avp
("Protection-Cap.");
Tx:PSR();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - (PSA processing) - - - - - - - - -
Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG
USE_COOKIE==Set PSA.S_flag==0)
SEPARATE=Unset;
if (SEPARATE==Set)
NAP_AUTH=Set|Unset;
EAP_Restart(); EAP_Restart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SessionTimerReStart
(FAILED_SESS_TIMEOUT);
--------------------------- }
State: WAIT_EAP_MSG_IN_DISC else
--------------------------- Tx:PAR[S]();
EAP_REQUEST Tx:PAR[S]("EAP-Payload"); INITIAL
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - (Send PSR with EAP-Request) - - - - - - -
EAP_REQUEST PSR.insert_avp STATEFUL_DISC
("EAP-Payload");
if (CARRY_NAP_INFO==Set)
PSR.insert_avp
("NAP-Information");
if (CARRY_ISP_INFO==Set)
PSR.insert_avp
("ISP-Information");
if (CARRY_PPAC==Set)
PSR.insert_avp
("Post-PANA-Address-
Configuration");
Tx:PSR();
RtxTimerStart(); RtxTimerStart();
EAP_TIMEOUT None(); OFFLINE
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------- - - - - - - - - - - - - - - (PAN Handling) - - - - - - - - - -
State: STATEFUL_DISC Rx:PAN[S] && if (PAN.exist_avp WAIT_EAP_MSG
-------------------- ((OPTIMIZED_INIT == ("EAP-Payload"))
Unset) || TxEAP();
Exit Condition Action Exit State PAN.exist_avp else {
------------------------+--------------------------+------------ ("EAP-Payload")) EAP_Restart();
- - - - - - - - - - - - - (Stateful discovery)- - - - - - - - - SessionTimerReStart
Rx:PSA if (SEPARATE==Set && WAIT_EAP_MSG (FAILED_SESS_TIMEOUT);
PSA.S_flag==0)
SEPARATE=Unset;
if (PSA.exist_avp
("EAP-Payload"))
TxEAP();
else {
if (SEPARATE==Set)
NAP_AUTH=Set|Unset;
EAP_Restart();
} }
RtxTimerStop();
EAP_TIMEOUT if (key_available()) WAIT_PEA Rx:PAN[S] && None(); WAIT_PAN_OR_PAR
PER.insert_avp("AUTH"); (OPTIMIZED_INIT ==
Tx:PER(); Set) &&
RtxTimerStart(); ! PAN.exist_avp
("EAP-Payload")
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
------------------- -------------------
State: WAIT_EAP_MSG State: WAIT_EAP_MSG
------------------- -------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - -(Receiving EAP-Request)- - - - - - - - - - - - - - - - - - - - -(Receiving EAP-Request)- - - - - - - - -
EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR EAP_REQUEST if (NONCE_SENT==Unset) { WAIT_PAN_OR_PAR
PAR.insert_avp("AUTH"); Tx:PAR[]("Nonce",
if (SEPARATE==Set) { "EAP-Payload");
PAR.S_flag=1; NONCE_SENT=Set;
if (NAP_AUTH==Set)
PAR.N_flag=1;
} }
Tx:PAR(); else
RtxTimerStart(); Tx:PAR[]("EAP-Payload");
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -(Receiving EAP-Success/Failure single EAP)- - - -
EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA
1ST_EAP==Unset && ("EAP-Payload");
SEPARATE==Unset if (key_available())
PBR.insert_avp("AUTH");
Tx:PBR();
RtxTimerStart();
EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA
1ST_EAP==Unset && ("EAP-Payload");
SEPARATE==Unset && if (CARRY_DEVICE_ID==Set)
Authorize() PBR.insert_avp
("Device-Id");
if (CARRY_LIFETIME==Set)
PBR.insert_avp
("Session-Lifetime");
if (PROTECTION_CAP_IN_PBR
==Set)
PBR.insert_avp
("Protection-Cap.");
if (new_key_available())
PBR.insert_avp
("Key-Id");
PBR.insert_avp
("Algorithm");
if (key_available())
PBR.insert_avp("AUTH");
Tx:PBR();
RtxTimerStart();
EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA
1ST_EAP==Unset && ("EAP-Payload");
SEPARATE==Unset && if (new_key_available())
!Authorize() PBR.insert_avp
("Key-Id");
PBR.insert_avp
("Algorithm");
if (key_available())
PBR.insert_avp("AUTH");
Tx:PBR();
RtxTimerStart();
EAP_TIMEOUT && if (key_available()) WAIT_PEA
1ST_EAP==Unset && PER.insert_avp("AUTH");
SEPARATE==Unset Tx:PER();
RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -(Receiving EAP-Success/Failure for 1st EAP)- - - -
EAP_FAILURE && 1ST_EAP=Failure WAIT_PFEA
1ST_EAP==Unset && PFER.insert_avp
SEPARATE==Set && ("EAP-Payload");
ABORT_ON_1ST_EAP_FAILURE if (key_available())
==Unset PFER.insert_avp("AUTH");
PFER.S_flag=1;
if (NAP_AUTH)
PFER.N_flag=1;
Tx:PFER();
RtxTimerStart();
EAP_FAILURE && 1ST_EAP=Failure WAIT_FAIL_PFEA
1ST_EAP==Unset && PFER.insert_avp
SEPARATE==Set && ("EAP-Payload");
ABORT_ON_1ST_EAP_FAILURE if (key_available())
==Set PFER.insert_avp("AUTH");
PFER.S_flag=0;
Tx:PFER();
RtxTimerStart();
EAP_SUCCESS && 1ST_EAP=Success WAIT_PFEA
1ST_EAP==Unset && PFER.insert_avp
SEPARATE==Set ("EAP-Payload");
if (new_key_available())
PFER.insert_avp
("Key-Id");
PFER.insert_avp
("Algorithm");
if (key_available())
PFER.insert_avp("AUTH");
PFER.S_flag=1;
if (NAP_AUTH)
PFER.N_flag=1;
Tx:PFER();
RtxTimerStart();
EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA
1ST_EAP==Unset && if (key_available())
SEPARATE==Set && PFER.insert_avp("AUTH");
ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1;
==Unset if (NAP_AUTH)
PFER.N_flag=1;
Tx:PFER();
RtxTimerStart();
EAP_TIMEOUT && 1ST_EAP=Failure WAIT_FAIL_PFEA
1ST_EAP==Unset && if (key_available())
SEPARATE==Set && PFER.insert_avp("AUTH");
ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset;
==Set PFER.S_flag=0;
Tx:PFER();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -(Receiving EAP-Success/Failure for 2nd EAP)- - - - - - - - - - - - - - -(Receiving EAP-Success/Failure) - - - - -
EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA EAP_FAILURE PAR.RESULT_CODE = WAIT_FAIL_PAN
1ST_EAP==Failure && ("EAP-Payload"); PANA_AUTHENTICATION_
SEPARATE==Set if (key_available()) REJECTED;
PBR.insert_avp("AUTH"); Tx:PAR[C]("EAP-Payload");
PBR.S_flag=1;
if (NAP_AUTH)
PBR.N_flag=1;
Tx:PBR();
RtxTimerStart();
EAP_FAILURE && PBR.insert_avp WAIT_SUCC_PBA
1ST_EAP==Success && ("EAP-Payload");
SEPARATE==Set && if (CARRY_DEVICE_ID==Set)
Authorize() PBR.insert_avp
("Device-Id");
if (CARRY_LIFETIME==Set)
PBR.insert_avp
("Session-Lifetime");
if (PROTECTION_CAP_IN_PBR
==Set)
PBR.insert_avp
("Protection-Cap.");
if (key_available())
PBR.insert_avp("AUTH");
PBR.S_flag=1;
if (NAP_AUTH)
PBR.N_flag=1;
Tx:PBR();
RtxTimerStart();
EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA
1ST_EAP==Success && ("EAP-Payload");
SEPARATE==Set && if (key_available())
!Authorize() PBR.insert_avp("AUTH");
PBR.S_flag=1;
if (NAP_AUTH)
PBR.N_flag=1;
Tx:PBR();
RtxTimerStart();
EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA
1ST_EAP==Success && ("EAP-Payload");
SEPARATE==Set && if (CARRY_DEVICE_ID==Set)
Authorize() PBR.insert_avp
("Device-Id");
if (CARRY_LIFETIME==Set)
PBR.insert_avp
("Session-Lifetime");
if (PROTECTION_CAP_IN_PBR
==Set)
PBR.insert_avp
("Protection-Cap.");
if (new_key_available())
PBR.insert_avp
("Key-Id");
PBR.insert_avp
("Algorithm");
if (key_available())
PBR.insert_avp("AUTH");
PBR.S_flag=1;
if (NAP_AUTH)
PBR.N_flag=1;
Tx:PBR();
RtxTimerStart();
EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA
1ST_EAP==Success && ("EAP-Payload");
SEPARATE==Set && if (new_key_available())
!Authorize() PBR.insert_avp
("Key-Id");
PBR.insert_avp
("Algorithm");
if (key_available())
PBR.insert_avp("AUTH");
PBR.S_flag=1;
if (NAP_AUTH)
PBR.N_flag=1;
Tx:PBR();
RtxTimerStart(); RtxTimerStart();
SessionTimerStop();
EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA EAP_SUCCESS && PAR.RESULT_CODE = WAIT_SUCC_PAN
1ST_EAP==Failure && ("EAP-Payload"); Authorize() PANA_SUCCESS;
SEPARATE==Set && if (CARRY_DEVICE_ID==Set)
Authorize() PBR.insert_avp
("Device-Id");
if (CARRY_LIFETIME==Set)
PBR.insert_avp
("Session-Lifetime");
if (PROTECTION_CAP_IN_PBR
==Set)
PBR.insert_avp
("Protection-Cap.");
if (new_key_available()) if (new_key_available())
PBR.insert_avp Tx:PAR[C]("EAP-Payload",
("Key-Id"); "Key-Id", "Algorithm");
PBR.insert_avp else
("Algorithm"); Tx:PAR[C]("EAP-Payload");
if (key_available())
PBR.insert_avp("AUTH");
PBR.S_flag=1;
if (NAP_AUTH)
PBR.N_flag=1;
Tx:PBR();
RtxTimerStart();
EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA
1ST_EAP==Failure && ("EAP-Payload");
SEPARATE==Set && if (new_key_available())
!Authorize() PBR.insert_avp
("Key-Id");
PBR.insert_avp
("Algorithm");
if (key_available())
PBR.insert_avp("AUTH");
PBR.S_flag=1;
if (NAP_AUTH)
PBR.N_flag=1;
Tx:PBR();
RtxTimerStart();
EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA
1ST_EAP==Failure && PBR.insert_avp("AUTH");
SEPARATE==Set PBR.S_flag=1;
if (NAP_AUTH)
PBR.N_flag=1;
Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_TIMEOUT && if (CARRY_DEVICE_ID==Set) WAIT_SUCC_PBA EAP_SUCCESS && PAR.RESULT_CODE = WAIT_FAIL_PAN
1ST_EAP==Success && PBR.insert_avp !Authorize() PANA_AUTHORIZATION_
SEPARATE==Set && ("Device-Id"); REJECTED;
Authorize() if (CARRY_LIFETIME==Set)
PBR.insert_avp
("Session-Lifetime");
if (PROTECTION_CAP_IN_PBR
==Set)
PBR.insert_avp
("Protection-Cap.");
if (new_key_available()) if (new_key_available())
PBR.insert_avp Tx:PAR[C]("EAP-Payload",
("Key-Id"); "Key-Id", "Algorithm");
PBR.insert_avp
("Algorithm");
if (key_available())
PBR.insert_avp("AUTH");
PBR.S_flag=1;
if (NAP_AUTH)
PBR.N_flag=1;
Tx:PBR();
RtxTimerStart();
EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA
1ST_EAP==Success && PBR.insert_avp("AUTH");
SEPARATE==Set && PBR.S_flag=1;
!Authorize() if (NAP_AUTH)
PBR.N_flag=1;
Tx:PBR();
RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
----------------
State: WAIT_PFEA
----------------
Event/Condition Action Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - -(PFEA Processing)- - - - - - - - - - - -
Rx:PFEA && RtxTimerStop(); WAIT_EAP_MSG
(1ST_EAP==Success || EAP_Restart();
(PFEA.S_flag==1 && if (NAP_AUTH==Set)
1ST_EAP==Failure)) NAP_AUTH=Unset;
else else
NAP_AUTH=Set; Tx:PAR[C]("EAP-Payload");
RtxTimerStart();
Rx:PFEA && RtxTimerStop(); CLOSED
PFEA.S_flag==0 && Disconnect();
1ST_EAP==Failure
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - (Receiving EAP-Timeout or invalid message) - - - - -
--------------------- EAP_TIMEOUT SessionTimerStop(); CLOSED
State: WAIT_FAIL_PFEA
---------------------
Event/Condition Action Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - -(PFEA Processing)- - - - - - - - - -
Rx:PFEA RtxTimerStop(); CLOSED
Disconnect(); Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------- --------------------
State: WAIT_SUCC_PBA State: WAIT_SUCC_PAN
-------------------- --------------------
Event/Condition Action Exit State Event/Condition Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - (PBA Processing)- - - - - - - - - - - - - - - - - - - - - - - - (PAN Processing)- - - - - - - - - - -
Rx:PBA && SessionTimerStart(); OPEN Rx:PAN[C] RtxTimerStop(); OPEN
(CARRY_DEVICE_ID==Unset || SessionTimerReStart
(CARRY_DEVICE_ID==Set && (LIFETIME_SESS_TIMEOUT);
PBA.exist_avp("Device-Id")))
Rx:PBA && PER.RESULT_CODE= WAIT_PEA
CARRY_DEVICE_ID==Set && PANA_MISSING_AVP
!PBA.exist_avp Tx:PER();
("Device-Id") RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------- --------------------
State: WAIT_FAIL_PBA State: WAIT_FAIL_PAN
-------------------- --------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - - (PBA Processing)- - - - - - - - - - - - - - - - - - - - - - - - (PAN Processing)- - - - - - - - - -
Rx:PBA RtxTimerStop(); CLOSED Rx:PAN[C] RtxTimerStop(); CLOSED
Disconnect(); Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
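The -05 rows above for the EAP outcome in WAIT_EAP_MSG (including the first-PAR Nonce handling on EAP_REQUEST) and for PAN[C] processing in WAIT_SUCC_PAN and WAIT_FAIL_PAN, together with the key_available() and new_key_available() procedures of Section 7.3, as an added Python illustration. This is not code from the draft or from any PANA implementation. Assumptions: the numeric result-code values and LIFETIME_SESS_TIMEOUT are placeholders, the PANA_AUTH_KEY derivation is a keyed-hash stand-in rather than the derivation in the PANA base specification, and messages are recorded as dicts instead of being sent.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Result codes named in the table; the numeric values are placeholders, not IANA's.
PANA_SUCCESS = 0
PANA_AUTHENTICATION_REJECTED = 1
PANA_AUTHORIZATION_REJECTED = 2
LIFETIME_SESS_TIMEOUT = 3600   # assumed placeholder; the draft fixes no value here


@dataclass
class EapAuthenticator:
    """The EAP authenticator variables the Section 7.1 interface refers to."""
    eapSuccess: bool = False
    eapFail: bool = False
    eapTimeout: bool = False
    eapReqData: bytes = b""        # EAP-Success / EAP-Failure packet to forward
    eapKeyAvailable: bool = False
    eapKeyData: bytes = b""        # AAA-Key, if the EAP method exported one


@dataclass
class PaaSession:
    eap: EapAuthenticator
    authorized: bool = True        # what Authorize() returns for this PaC
    state: str = "WAIT_EAP_MSG"
    nonce_sent: bool = False       # NONCE_SENT
    pana_auth_key: Optional[bytes] = None
    key_id: int = 0
    rtx_timer: bool = False
    session_timer: Optional[int] = 60
    disconnected: bool = False
    sent: list = field(default_factory=list)

    def key_available(self) -> bool:
        return self.pana_auth_key is not None

    def new_key_available(self) -> bool:
        """Section 7.3: FALSE once a PANA_AUTH_KEY exists; otherwise fetch the
        AAA-Key from the EAP entity, derive PANA_AUTH_KEY from it, return TRUE."""
        if self.pana_auth_key is not None:
            return False
        if not (self.eap.eapKeyAvailable and self.eap.eapKeyData):
            return False
        self.key_id += 1
        # Stand-in derivation (assumption): keyed hash of a label and the Key-Id
        # under the AAA-Key. The real derivation is in the PANA base spec.
        self.pana_auth_key = hmac.new(self.eap.eapKeyData,
                                      b"PANA_AUTH_KEY|%d" % self.key_id,
                                      hashlib.sha256).digest()
        return True

    def _tx(self, kind, flags="", avps=(), result_code=None):
        self.sent.append({"kind": kind, "flags": flags, "avps": tuple(avps),
                          "result_code": result_code})

    def _require(self, state):
        if self.state != state:
            raise ValueError(f"event not handled in {self.state}")

    def eap_request(self) -> str:
        """EAP_REQUEST in WAIT_EAP_MSG: only the first PAR of a run carries a Nonce."""
        self._require("WAIT_EAP_MSG")
        if not self.nonce_sent:
            self._tx("PAR", "", ("Nonce", "EAP-Payload"))
            self.nonce_sent = True
        else:
            self._tx("PAR", "", ("EAP-Payload",))
        self.rtx_timer = True
        self.state = "WAIT_PAN_OR_PAR"
        return self.state

    def eap_result(self) -> str:
        """EAP_SUCCESS / EAP_FAILURE / EAP_TIMEOUT in WAIT_EAP_MSG."""
        self._require("WAIT_EAP_MSG")
        if self.eap.eapFail:
            self._tx("PAR", "C", ("EAP-Payload",), PANA_AUTHENTICATION_REJECTED)
            self.rtx_timer = True
            self.session_timer = None
            self.state = "WAIT_FAIL_PAN"
        elif self.eap.eapSuccess:
            avps = ["EAP-Payload"]
            if self.new_key_available():    # Key-Id/Algorithm only with a fresh key
                avps += ["Key-Id", "Algorithm"]
            if self.authorized:
                self._tx("PAR", "C", avps, PANA_SUCCESS)
                self.state = "WAIT_SUCC_PAN"
            else:
                self._tx("PAR", "C", avps, PANA_AUTHORIZATION_REJECTED)
                self.state = "WAIT_FAIL_PAN"
            self.rtx_timer = True
        elif self.eap.eapTimeout:
            self.session_timer = None
            self.disconnected = True
            self.state = "CLOSED"
        else:
            raise ValueError("no EAP event variable is set")
        return self.state

    def rx_pan_c(self) -> str:
        """PAN[C] in WAIT_SUCC_PAN / WAIT_FAIL_PAN."""
        self.rtx_timer = False
        if self.state == "WAIT_SUCC_PAN":
            self.session_timer = LIFETIME_SESS_TIMEOUT
            self.state = "OPEN"
        elif self.state == "WAIT_FAIL_PAN":
            self.disconnected = True
            self.state = "CLOSED"
        else:
            raise ValueError(f"PAN[C] unexpected in {self.state}")
        return self.state
```

The ordering in the EAP_SUCCESS row is the point to check in any implementation: new_key_available() is evaluated while the PAR[C] is being built, so Key-Id and Algorithm are carried exactly when a fresh PANA_AUTH_KEY was just derived, and a later call for the same session returns FALSE. An EAP-Success with Authorize() false still reaches the PaC as a PAR[C], but with PANA_AUTHORIZATION_REJECTED and an exit to WAIT_FAIL_PAN, so the session is torn down on the answering PAN[C] rather than left half-open.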
----------- -----------
State: OPEN State: OPEN
----------- -----------
Event/Condition Action Exit State Event/Condition Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - (re-authentication initiated by PaC) - - - - - - - - - - - - - - (re-authentication initiated by PaC) - - - - - -
Rx:PRAR if (key_available()) WAIT_EAP_MSG Rx:PNR[A] NONCE_SENT=Unset; WAIT_EAP_MSG
PRAA.insert_avp("AUTH");
EAP_Restart(); EAP_Restart();
1ST_EAP=Unset; Tx:PNA[A]();
NAP_AUTH=Set|Unset;
Tx:PRAA();
SessionTimerStop();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (re-authentication initiated by PAA)- - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - -
REAUTH EAP_Restart(); WAIT_EAP_MSG REAUTH || NONCE_SENT=Unset; WAIT_EAP_MSG
1ST_EAP=Unset; REAUTH_TIMEOUT EAP_Restart();
NAP_AUTH=Set|Unset;
SessionTimerStop();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - (liveness test based on PPR-PPA exchange initiated by PAA)- - - (liveness test based on PNR-PNA exchange initiated by PAA)-
PANA_PING Tx:PPR(); WAIT_PPA PANA_PING Tx:PNR[P](); WAIT_PNA_PING
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - (liveness test based on PPR-PPA exchange initiated by PaC)-
Rx:PPR if (key_available()) OPEN
PPA.insert_avp("AUTH");
Tx:PPA();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (Session termination initiated from PAA) - - - - - - - - - - - - (Session termination initiated from PAA) - - - -
TERMINATE if (key_available()) SESS_TERM TERMINATE Tx:PTR[](); SESS_TERM
PTR.insert_avp("AUTH"); SessionTimerStop();
Tx:PTR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (Session termination initiated from PaC) - - - - - - - - - - - - (Session termination initiated from PaC) - - - -
Rx:PTR if (key_available()) CLOSED Rx:PTR[] Tx:PTA[](); CLOSED
PTA.insert_avp("AUTH"); SessionTimerStop();
Tx:PTA();
Disconnect(); Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - -(Notification message) - - - - - - - - - - -
NOTIFY if (key_available()) WAIT_PUA
PUR.insert_avp("AUTH");
Tx:PUR();
RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -(Notification/Address update) - - - - - - - - -
Rx:PUR if (key_available()) OPEN
PUA.insert_avp("AUTH");
Tx:PUA();
if (new_source_address())
update_popa();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--------------- --------------------
State: WAIT_PPA State: WAIT_PNA_PING
--------------- --------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - -(PPA processing) - - - - - - - - - - - - - - - - - - - - - - - -(PNA processing) - - - - - - - - - -
Rx:PPA RtxTimerStop(); OPEN Rx:PNA[P] RtxTimerStop(); OPEN
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------------- ----------------------
State: WAIT_PAN_OR_PAR State: WAIT_PAN_OR_PAR
---------------------- ----------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - (PAR Processing)- - - - - - - - - - -
Rx:PAR[] TxEAP(); WAIT_EAP_MSG
RtxTimerStop();
Tx:PAN[]();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - (Pass EAP Response to the EAP authenticator)- - - - - - - - - - (Pass EAP Response to the EAP authenticator)- - - -
Rx:PAN && TxEAP(); WAIT_EAP_MSG Rx:PAN[] && TxEAP(); WAIT_EAP_MSG
PAN.exist_avp PAN.exist_avp RtxTimerStop();
("EAP-Payload") ("EAP-Payload")
Rx:PAR TxEAP(); WAIT_EAP_MSG
if (key_available())
PAN.insert_avp("AUTH");
if (SEPARATE==Set) {
PAN.S_flag=1;
if (NAP_AUTH==Set)
PAN.N_flag=1;
}
RtxTimerStop();
Tx:PAN();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - (PAN without an EAP response) - - - - - - - - - - - - - - - - - (PAN without an EAP response) - - - - - - -
Rx:PAN && RtxTimerStop(); WAIT_PAN_OR_PAR Rx:PAN[] && RtxTimerStop(); WAIT_PAN_OR_PAR
!PAN.exist_avp !PAN.exist_avp
("EAP-Payload") ("EAP-Payload")
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - -(EAP retransmission) - - - - - - - - - - - - - - - - - - - - - -(EAP retransmission) - - - - - - - - - -
EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR EAP_REQUEST RtxTimerStop(); WAIT_PAN_OR_PAR
PAR.insert_avp("AUTH"); Tx:PAR[]("EAP-Payload");
if (SEPARATE==Set) {
PAR.S_flag=1;
if (NAP_AUTH==Set)
PAR.N_flag=1;
}
Tx:PAR();
RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - -(EAP authentication timeout)- - - - - - - - -
EAP_TIMEOUT && if (key_available()) WAIT_PEA
1ST_EAP==Unset && PER.insert_avp("AUTH");
SEPARATE==Unset Tx:PER();
RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - -(EAP authentication timeout for 1st EAP)- - - - - -
EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA
1ST_EAP==Unset && if (key_available())
SEPARATE==Set && PFER.insert_avp("AUTH");
ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1;
==Unset if (NAP_AUTH)
PFER.N_flag=1;
Tx:PFER();
RtxTimerStart();
EAP_TIMEOUT && 1ST_EAP=Failure WAIT_FAIL_PFEA
1ST_EAP==Unset && if (key_available())
SEPARATE==Set && PFER.insert_avp("AUTH");
ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset;
==Set PFER.S_flag=0;
Tx:PFER();
RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - -(EAP authentication timeout for 2nd EAP)- - - - - -
EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA
1ST_EAP==Failure && PBR.insert_avp("AUTH");
SEPARATE==Set PBR.S_flag=1;
if (NAP_AUTH)
PBR.N_flag=1;
Tx:PBR();
RtxTimerStart();
EAP_TIMEOUT && if (CARRY_DEVICE_ID==Set) WAIT_SUCC_PBA
1ST_EAP==Success && PBR.insert_avp
SEPARATE==Set && ("Device-Id");
Authorize() if (CARRY_LIFETIME==Set)
PBR.insert_avp
("Session-Lifetime");
if (PROTECTION_CAP_IN_PBR
==Set)
PBR.insert_avp
("Protection-Cap.");
if (new_key_available())
PBR.insert_avp
("Key-Id");
PBR.insert_avp
("Algorithm");
if (key_available())
PBR.insert_avp("AUTH");
PBR.S_flag=1;
if (NAP_AUTH)
PBR.N_flag=1;
Tx:PBR();
RtxTimerStart();
EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA
1ST_EAP==Success && PBR.insert_avp("AUTH");
SEPARATE==Set && PBR.S_flag=1;
!Authorize() if (NAP_AUTH)
PBR.N_flag=1;
Tx:PBR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - (EAP authentication timeout or failure)- - - - -
--------------- EAP_FAILURE || RtxTimerStop(); CLOSED
State: WAIT_PUA EAP_TIMEOUT SessionTimerStop();
--------------- Disconnect();
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - (PUA processing)- - - - - - - - - - -
Rx:PUA RtxTimerStop(); OPEN
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
----------------
State: SESS_TERM
----------------
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - -(PTA processing) - - - - - - - - - -
Rx:PTA RtxTimerStop(); CLOSED
Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------
State: WAIT_PEA
---------------
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - -(PEA processing) - - - - - - - - - -
Rx:PEA RtxTimerStop(); CLOSED
Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
8. Mobility Optimization Support
The state machines outlined in the preceding sections provide only PANA
base protocol functionality. In order to support the PANA mobility
optimization outlined in [I-D.ietf-pana-mobopts], additions and
changes to the PaC and PAA state machines are required. The additions
and changes provide only basic mobility optimization and are not
explicit on the integration of other mobility functionality such as
context-transfer mechanisms. However, they do provide enough
flexibility to accommodate future inclusion of such mechanisms.
The model depicted by [I-D.ietf-pana-mobopts] generally involves the
PaC changing its point of attachment during an active PANA session.
Mobility optimization is achieved by avoiding a full EAP
authentication sequence during this change. To support this, state
transitions described in this section assume that the PaC state
machine reverts to the OFFLINE state but maintains the session
information including security association from the previous active
session. It is also assumed that the PAA state machine initializes
to the OFFLINE state as normal but must also have access to session
information and security association from the previous active
session. A method for transferring PAA session context can be
found in [I-D.ietf-pana-cxtp].
The variables, procedures and state transitions described in this
section are designed to be seamlessly integrated into the appropriate
base protocol state machines. They should be treated as a mobility
optimization addendum to the base protocol state machine. In this
addendum, no additional states have been defined, but some
modifications to the base protocol state machine are required. The
modifications accommodate the mobility variables and procedures
as they relate to existing state transition actions and events.
These modifications to existing state transitions are noted in the
state transition tables in this section. The modified state
transitions are intended to replace their base protocol counterparts.
New state transitions specific to mobility optimization are also
added. Variable initialization also needs to be added to the
appropriate base protocol state to complete the mobility optimization
support.
8.1. Common Variables
MOBILITY
This variable indicates whether the mobility handling feature
described in [I-D.ietf-pana-mobopts] is supported. It should be
present in both the PaC and PAA state machines. Existing state
transitions in the base protocol state machine that can be
affected by mobility optimization must treat this variable as
Unset unless the state transition is explicitly redefined
in this section.
8.2. PaC Mobility Optimization State Machine
8.2.1. Variables
PANA_SA_RESUMED
This variable indicates whether the PANA SA of a previous PANA
session was resumed during the discovery and initial handshake.
8.2.2. Procedures
boolean resume_pana_sa()
This procedure returns TRUE when a PANA SA for a previously
established PANA session is resumed; otherwise it returns FALSE.
Once a PANA SA is resumed, the key_available() procedure must return
TRUE. Existing state transitions in the base protocol state
machine that can be affected by mobility optimization must assume
that this procedure always returns FALSE unless the state
transition is explicitly redefined in this section.
8.2.3. PaC Mobility Optimization State Transition Table Addendum
------------------------------
State: OFFLINE (Initial State)
------------------------------
Initialization Action:
MOBILITY=Set|Unset;
PANA_SA_RESUMED=Unset;
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - (PSR processing with mobility support)- - - - -
- The following state transitions are intended to be added -
- to the OFFLINE state of the PaC base protocol state -
- machine. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp PSA.insert_avp
("EAP-Payload") && ("Session-Id");
MOBILITY==Set && SEPARATE=Unset;
resume_pana_sa() && PANA_SA_RESUMED=Set;
PSR.exist_avp PSA.insert_avp("Cookie");
("Cookie") PSA.insert_avp("AUTH");
Tx:PSA();
RtxTimerStart();
Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp PSA.insert_avp
("EAP-Payload") && ("Session-Id");
MOBILITY==Set && PSA.insert_avp("AUTH");
resume_pana_sa() && Tx:PSA();
!PSR.exist_avp PANA_SA_RESUMED=Set;
("Cookie")
---------------
State: WAIT_PAA
---------------
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - -
- The following state transitions are intended to replace -
- existing base protocol state transitions. Original base -
- protocol state transitions can be referenced by the same -
- exit conditions that exist in the WAIT_PAA state of the PaC -
- base protocol state machine. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG
!eap_piggyback() TxEAP();
PANA_SA_RESUMED=Unset;
EAP_RespTimerStart();
if (key_available())
PAN.insert_avp("AUTH");
PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag;
Tx:PAN();
Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG
eap_piggyback() TxEAP();
PANA_SA_RESUMED=Unset;
EAP_RespTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - -
- The following state transitions are intended to replace -
- existing base protocol state transitions. Original base -
- protocol state transitions can be referenced by exit -
- conditions that excludes PANA_SA_RESUMED variable checks. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rx:PBR && TxEAP(); WAIT_EAP_RESULT
1ST_EAP==Unset && if (PBR.exist_avp
SEPARATE==Unset && ("Device-Id"))
PBR.RESULT_CODE== CARRY_DEVICE_ID=Set;
PANA_SUCCESS &&
PANA_SA_RESUMED!=Set
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (PBR processing with mobility support)- - - - -
- The following state transitions are intended to be added -
- to the WAIT_PAA state of the PaC base protocol state -
- machine. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rx:PBR && PBA.insert_avp("Key-Id"); OPEN
1ST_EAP==Unset && PBA.insert_avp("AUTH");
SEPARATE==Unset && if (PBR.exist_avp
PBR.RESULT_CODE== ("Device-Id"))
PANA_SUCCESS && PBA.insert_avp("Device-Id");
PANA_SA_RESUMED==Set && Tx:PBA();
PBR.exist_avp Authorize();
("Key-Id") && SessionTimerStart();
PBR.exist_avp
("AUTH")
-----------
State: OPEN
-----------
Exit Condition Exit Action Exit State
------------------------+--------------------------+-------------
- - - - - - - - - (re-authentication initiated by PaC)- - - - - -
- The following state transitions are intended to replace -
- existing base protocol state transitions. Original base -
- protocol state transitions can be referenced by the same -
- exit conditions that exist in the OPEN state of the PaC -
- base protocol state machine. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
REAUTH SEPARATE=Set|Unset; WAIT_PRAA
1ST_EAP=Unset;
PANA_SA_RESUMED=Unset;
if (key_available())
PRAR.insert_avp("AUTH");
Tx:PRAR();
RtxTimerStart();
SessionTimerStop();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - (re-authentication initiated by PAA)- - - - - -
Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG
!eap_piggyback() 1ST_EAP=Unset;
PANA_SA_RESUMED=Unset;
EAP_RespTimerStart();
TxEAP();
if (key_available())
PAN.insert_avp("AUTH");
PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag;
Tx:PAN();
SessionTimerStop();
Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG
eap_piggyback() 1ST_EAP=Unset;
PANA_SA_RESUMED=Unset;
EAP_RespTimerStart();
TxEAP();
SessionTimerStop();
8.3. PAA Mobility Optimization
8.3.1. Procedures
boolean retrieve_pana_sa(Session-Id)
This procedure returns TRUE when a PANA SA for the PANA session
corresponding to the specified Session-Id has been retrieved;
otherwise it returns FALSE.
8.3.2. PAA Mobility Optimization State Transition Table Addendum
------------------------------
State: OFFLINE (Initial State)
------------------------------
Initialization Action:
MOBILITY=Set|Unset;
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - (PSA processing with mobility support) - - - - - -
- The following state transitions are intended to replace -
- existing base protocol state transitions. Original base -
- protocol state transitions can be referenced by exit -
- conditions that excludes MOBILITY variable checks and -
- retrieve_pana_sa() procedure calls. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG
(!PSA.exist_avp PSA.S_flag==0)
("Session-Id") || SEPARATE=Unset;
MOBILITY==Unset || if (SEPARATE==Set)
(MOBILITY==Set && NAP_AUTH=Set|Unset;
!retrieve_pana_sa EAP_Restart();
(PSA.SESSION_ID)))
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (PSA processing with mobility support)- - - - -
Rx:PSA && PBR.insert_avp("AUTH"); WAIT_SUCC_PBA
PSA.exist_avp PBR.insert_avp("Key-Id");
("Session-Id") && if (CARRY_DEVICE_ID==Set)
MOBILITY==Set && PBR.insert_avp
retrieve_pana_sa ("Device-Id");
(PSA.SESSION_ID) if (PROTECTION_CAP_IN_PBR
==Set)
PBR.insert_avp
("Protection-Cap.");
Tx:PBR();
RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9. Implementation Considerations
9.1. PAA and PaC Interface to Service Management Entity
In general, it is assumed that each device that has a PANA protocol
stack also has a Service Management Entity (SME) that manages
the PANA protocol stack. It is recommended that the implementation
provide a generic interface (i.e., the SME-PANA interface) between
the SME and the PANA protocol stack. In particular, common
procedures such as startup, shutdown and re-authenticate signals, and
provisions for extracting keying material, should be provided by such
an interface. The SME-PANA interface in a PAA device should also
provide a method for communicating filtering parameters to the EP(s).
When cryptographic filtering is used, the filtering parameters
include keying material used for bootstrapping per-packet ciphering.
When a PAA device interacts with the backend authentication server
using a AAA protocol, its SME may also have an interface to the AAA
protocol to obtain authorization parameters such as the authorization
lifetime and additional filtering parameters.
9.2. Multicast Traffic
In general, binding a UDP socket to a multicast address and/or port
is system dependent. In most systems, a socket can be bound to any
address and a specific port. This allows the socket to receive all
packets destined for the local host (on all of its local addresses) for
that port. If the host subscribes to a multicast address, then this
socket will also receive the multicast traffic. In some systems,
this also results in the socket receiving all multicast traffic,
even though it has subscribed to only one multicast address. This is
because most physical interfaces have multicast reception either
enabled or disabled and do not provide per-address filtering.
Normally, it is not possible to filter out specific traffic on a
socket from the user level. Most environments provide lower-layer
filtering that allows a single socket to receive both unicast traffic
and traffic for a specific multicast address. However, this might
introduce portability problems.
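As an added illustration of the single-socket approach just described (example code for this page, not from the draft or any PANA implementation): the socket is bound to the wildcard address and the port, joins one group, and asks the kernel to report each datagram's destination address so that the application can discard multicast datagrams the interface delivered for groups it never subscribed to. It assumes Linux semantics for IP_PKTINFO and the in_pktinfo layout (ifindex, spec_dst, addr), with the constant's value 8 used as a fallback where the Python socket module does not export it; the group, port and addresses below are constructed sample values.

```python
import socket
import struct

# Linux value of IP_PKTINFO; used only when the socket module lacks the constant (assumed).
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
# struct in_pktinfo on Linux: ipi_ifindex, ipi_spec_dst, ipi_addr (header destination).
IN_PKTINFO = struct.Struct("=I4s4s")


def open_multicast_listener(group, port, ifaddr="0.0.0.0"):
    """One UDP socket for both unicast and multicast on `port`: bind to the wildcard
    address, join `group`, and request per-datagram destination information."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    mreq = socket.inet_aton(group) + socket.inet_aton(ifaddr)  # struct ip_mreq
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    sock.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    return sock


def destination_of(ancdata):
    """Extract the IPv4 destination address from recvmsg() ancillary data, or None
    if the kernel supplied no IP_PKTINFO control message."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO and len(data) >= IN_PKTINFO.size:
            _ifindex, _spec_dst, addr = IN_PKTINFO.unpack(data[:IN_PKTINFO.size])
            return socket.inet_ntoa(addr)
    return None


def accept_datagram(ancdata, local_unicast, group):
    """Keep datagrams sent to this host's own address or to the one subscribed group;
    anything else (e.g. another group the interface passed up) is dropped."""
    return destination_of(ancdata) in (local_unicast, group)


def receive_filtered(sock, local_unicast, group, bufsize=4096):
    """Read one datagram; return (payload, source) or None when it is filtered out."""
    data, ancdata, _flags, src = sock.recvmsg(bufsize, socket.CMSG_SPACE(IN_PKTINFO.size))
    if not accept_datagram(ancdata, local_unicast, group):
        return None
    return data, src


if __name__ == "__main__":
    # Constructed sample: port 1024 and group 224.0.0.1 are placeholders, not PANA's values.
    s = open_multicast_listener("224.0.0.1", 1024)
    print(receive_filtered(s, "192.0.2.10", "224.0.0.1"))
```

The filtering happens after delivery: the kernel may still hand the socket every multicast datagram on that port, so the cost of unwanted traffic is paid, but the application no longer mistakes a datagram for another group as one addressed to its own.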
10. Security Considerations
This document's intent is to describe the PANA state machines fully.
To this end, any security concerns with this document are likely a
reflection of security concerns with PANA itself.
11. IANA Considerations
This document has no actions for IANA.
12. Acknowledgments
This work was started from state machines originally made by Dan
Forsberg.
13. References
13.1. Normative References
[I-D.ietf-pana-pana]
Forsberg, D., "Protocol for Carrying Authentication for
Network Access (PANA)", draft-ietf-pana-pana-11 (work in
progress), March 2006.
[I-D.ietf-pana-mobopts]
Forsberg, D., "PANA Mobility Optimizations",
draft-ietf-pana-mobopts-01 (work in progress),
October 2005.
13.2. Informative References
[RFC4137] Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba,
"State Machines for Extensible Authentication Protocol
(EAP) Peer and Authenticator", RFC 4137, August 2005.
[I-D.ietf-pana-cxtp]
Bournelle, J., "Use of Context Transfer Protocol (CXTP)
for PANA", draft-ietf-pana-cxtp-01 (work in progress),
March 2006.
Authors' Addresses
Victor Fajardo (editor)
Toshiba America Research, Inc.
1 Telcordia Drive
Piscataway, NJ 08854
USA
Phone: +1 732 699 5368
Email: vfajardo@tari.toshiba.com
Yoshihiro Ohba
Toshiba America Research, Inc.
Phone: +1 732 699 5305
Email: yohba@tari.toshiba.com
Rafa Marin Lopez
University of Murcia
30071 Murcia
Spain
Email: rafa@dif.um.es
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).