--- 1/draft-ietf-pana-statemachine-04.txt 2007-07-06 01:12:10.000000000 +0200 +++ 2/draft-ietf-pana-statemachine-05.txt 2007-07-06 01:12:10.000000000 +0200 @@ -1,21 +1,21 @@ -PANA Working Group V. Fajardo +PANA Working Group V. Fajardo, Ed. Internet-Draft Y. Ohba -Expires: December 1, 2006 TARI +Expires: January 5, 2008 TARI R. Lopez Univ. of Murcia - May 30, 2006 + July 4, 2007 State Machines for Protocol for Carrying Authentication for Network Access (PANA) - draft-ietf-pana-statemachine-04 + draft-ietf-pana-statemachine-05 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -26,99 +26,84 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on December 1, 2006. + This Internet-Draft will expire on January 5, 2008. Copyright Notice - Copyright (C) The Internet Society (2006). + Copyright (C) The IETF Trust (2007). Abstract This document defines the conceptual state machines for the Protocol for Carrying Authentication for Network Access (PANA). The state machines consist of the PANA Client (PaC) state machine and the PANA Authentication Agent (PAA) state machine. The two state machines - show how PANA can interface to EAP state machines and can be - implemented with supporting various features including separate NAP - and ISP authentications, ISP selection and mobility optimization. - The state machines and associated model are informative only. - Implementations may achieve the same results using different methods. + show how PANA can interface with the EAP state machines. The state + machines and associated model are informative only. Implementations + may achieve the same results using different methods. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Interface Between PANA and EAP . . . . . . . . . . . . . . . . 5 3. Document Authority . . . . . . . . . . . . . . . . . . . . . . 7 4. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 8 5. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 10 5.1. Common Procedures . . . . . . . . . . . . . . . . . . . . 10 5.2. Common Variables . . . . . . . . . . . . . . . . . . . . . 12 5.3. Constants . . . . . . . . . . . . . . . . . . . . . . . . 13 - 5.4. Common Message Initialization Rules . . . . . . . . . . . 13 - 5.5. Common Error Handling Rules . . . . . . . . . . . . . . . 14 + 5.4. Common Message Initialization Rules . . . . . . . . . . . 14 + 5.5. Common Retransmition Rules . . . . . . . . . . . . . . . . 14 5.6. Common State Transitions . . . . . . . . . . . . . . . . . 14 6. PaC State Machine . . . . . . . . . . . . . . . . . . . . . . 16 6.1. Interface between PaC and EAP Peer . . . . . . . . . . . . 16 6.1.1. Delivering EAP Messages from PaC to EAP Peer . . . . . 16 - 6.1.2. Delivering EAP Responses from EAP Peer to PaC . . . . 16 + 6.1.2. Delivering EAP Messages from EAP Peer to PaC . . . . . 16 6.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 16 6.1.4. EAP Authentication Result Notification from EAP Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17 6.1.5. Alternate Failure Notification from PaC to EAP Peer . 17 - 6.1.6. EAP Invalid Message Notification from EAP Peer to - PaC . . . . . . . . . . . . . . . . . . . . . . . . . 17 - 6.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 17 - 6.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 18 - 6.4. PaC State Transition Table . . . . . . . . . . . . . . . . 19 - 7. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 33 - 7.1. Interface between PAA and EAP Authenticator . . . . . . . 33 + 6.2. Constants . . . . . . . . . . . . . . . . . . . . . . . . 17 + 6.3. Variables . . . . . . . . . . . . . . . . . . . . . . . . 17 + 6.4. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 18 + 6.5. PaC State Transition Table . . . . . . . . . . . . . . . . 18 + 7. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 24 + 7.1. Interface between PAA and EAP Authenticator . . . . . . . 24 7.1.1. EAP Restart Notification from PAA to EAP - Authenticator . . . . . . . . . . . . . . . . . . . . 33 + Authenticator . . . . . . . . . . . . . . . . . . . . 24 7.1.2. Delivering EAP Responses from PAA to EAP - Authenticator . . . . . . . . . . . . . . . . . . . . 33 + Authenticator . . . . . . . . . . . . . . . . . . . . 24 7.1.3. Delivering EAP Messages from EAP Authenticator to - PAA . . . . . . . . . . . . . . . . . . . . . . . . . 33 + PAA . . . . . . . . . . . . . . . . . . . . . . . . . 24 7.1.4. EAP Authentication Result Notification from EAP - Authenticator to PAA . . . . . . . . . . . . . . . . . 33 - 7.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 34 - 7.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 36 - 7.4. PAA State Transition Table . . . . . . . . . . . . . . . . 37 - 8. Mobility Optimization Support . . . . . . . . . . . . . . . . 52 - 8.1. Common Variables . . . . . . . . . . . . . . . . . . . . . 52 - 8.2. PaC Mobility Optimization State Machine . . . . . . . . . 53 - 8.2.1. Variables . . . . . . . . . . . . . . . . . . . . . . 53 - 8.2.2. Procedures . . . . . . . . . . . . . . . . . . . . . . 53 - 8.2.3. PaC Mobility Optimization State Transition Table - Addendum . . . . . . . . . . . . . . . . . . . . . . . 53 - 8.3. PAA Mobility Optimization . . . . . . . . . . . . . . . . 56 - 8.3.1. Procedures . . . . . . . . . . . . . . . . . . . . . . 56 - 8.3.2. PAA Mobility Optimization State Transition Table - Addendum . . . . . . . . . . . . . . . . . . . . . . . 56 - 9. Implementation Considerations . . . . . . . . . . . . . . . . 58 - 9.1. PAA and PaC Interface to Service Management Entity . . . . 58 - 9.2. Multicast Traffic . . . . . . . . . . . . . . . . . . . . 58 - 10. Security Considerations . . . . . . . . . . . . . . . . . . . 59 - 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 60 - 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 61 - 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 62 - 13.1. Normative References . . . . . . . . . . . . . . . . . . . 62 - 13.2. Informative References . . . . . . . . . . . . . . . . . . 62 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 63 - Intellectual Property and Copyright Statements . . . . . . . . . . 64 + Authenticator to PAA . . . . . . . . . . . . . . . . . 24 + 7.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 25 + 7.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 26 + 7.4. PAA State Transition Table . . . . . . . . . . . . . . . . 26 + 8. Implementation Considerations . . . . . . . . . . . . . . . . 31 + 8.1. PAA and PaC Interface to Service Management Entity . . . . 31 + 9. Security Considerations . . . . . . . . . . . . . . . . . . . 32 + 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 + 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 34 + 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 35 + 12.1. Normative References . . . . . . . . . . . . . . . . . . . 35 + 12.2. Informative References . . . . . . . . . . . . . . . . . . 35 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 36 + Intellectual Property and Copyright Statements . . . . . . . . . . 37 1. Introduction This document defines the state machines for Protocol Carrying Authentication for Network Access (PANA) [I-D.ietf-pana-pana]. There are state machines for the PANA client (PaC) and for the PANA Authentication Agent (PAA). Each state machine is specified through a set of variables, procedures and a state transition table. A PANA protocol execution consists of several exchanges to carry @@ -139,68 +124,61 @@ with state machines shown by [RFC4137]. This document, apart from defining PaC and PAA state machines and their interfaces to EAP state machines (running on top of PANA), provides some implementation considerations, taking into account that it is not a specification but an implementation guideline. 2. Interface Between PANA and EAP PANA carries EAP messages exchanged between an EAP peer and an EAP - authenticator (see Figure 1). Thus a PANA state machine must - interact with an EAP state machine. + authenticator (see Figure 1). Thus a PANA state machine interacts + with an EAP state machine. Two state machines are defined in this document : the PaC state machine (see Section 6) and the PAA state machine (see Section 7). The definition of each state machine consists of a set of variables, procedures and a state transition table. A subset of these variables and procedures defines the interface between a PANA state machine and an EAP state machine and the state transition table defines the PANA state machine behavior based on results obtained through them. On the one hand, the PaC state machine interacts with an EAP peer state machine in order to carry out the PANA protocol on the PaC side. On the other hand, the PAA state machine interacts with an EAP authenticator state machine to run the PANA protocol on the PAA side. Peer |EAP Auth EAP <---------|------------> EAP ^ | | ^ | - EAP-Request | | | EAP-Response | | EAP-Request - EAP-Success | |EAP-Response | | |EAP-Success - EAP-Failure | v |PANA | vEAP-Failure + | | | EAP-Message | | EAP-Message + EAP-Message | |EAP-Message | | | + | v |PANA | v PaC <---------|------------> PAA Figure 1: Interface between PANA and EAP Thus two interfaces are needed between PANA state machines and EAP state machines, namely: o Interface between the PaC state machine and the EAP peer state machine o Interface between the PAA state machine and the EAP authenticator state machine - In general, the PaC state machine presents EAP messages (EAP-Request, - EAP-Success and EAP-Failure messages) to the EAP peer state machine - through the interface. The EAP peer state machine processes these - messages and sends EAP messages (EAP-Response messages) through the - PaC state machine that is responsible for actually transmitting this - message. - - On the other hand, the PAA state machine presents response messages - (EAP-Response messages) to the EAP authenticator state machine - through interface defined between them. The EAP authenticator - processes these messages and generate EAP messages (EAP-Request, EAP- - Success and EAP-Failure messages) that are send to the PAA state - machine to be sent. + In general, the PaC and PAA state machines present EAP messages to + the EAP peer and authenticator state machines through the interface, + respectively. The EAP peer and authenticator state machines process + these messages and sends EAP messages through the PaC and PAA state + machines that is responsible for actually transmitting this message, + respectively. For example, [RFC4137] specifies four interfaces to lower layers: (i) an interface between the EAP peer state machine and a lower layer, (ii) an interface between the EAP standalone authenticator state machine and a lower layer, (iii) an interface between the EAP full authenticator state machine and a lower layer and (iv) an interface between the EAP backend authenticator state machine and a lower layer. In this document, the PANA protocol is the lower layer of EAP and only the first three interfaces are of interest to PANA. The second and third interfaces are the same. In this regard, the EAP @@ -208,23 +186,23 @@ machine in [RFC4137] are referred to as the EAP authenticator and the EAP authenticator state machine, respectively, in this document. If an EAP peer and an EAP authenticator follow the state machines defined in [RFC4137], the interfaces between PANA and EAP could be based on that document. Detailed definition of interfaces between PANA and EAP are described in the subsequent sections. 3. Document Authority When a discrepancy occurs between any part of this document and any - of the related documents ([I-D.ietf-pana-pana], [I-D.ietf-pana- - mobopts], [RFC4137] the latter (the other documents) are considered - authoritative and takes precedence. + of the related documents ([I-D.ietf-pana-pana], + [I-D.ietf-pana-mobopts], [RFC4137] the latter (the other documents) + are considered authoritative and takes precedence. 4. Notations The following state transition tables are completed mostly based on the conventions specified in [RFC4137]. The complete text is described below. State transition tables are used to represent the operation of the protocol by a number of cooperating state machines each comprising a group of connected, mutually exclusive states. Only one state of @@ -273,45 +251,63 @@ The interpretation of the special symbols and operators used is defined in [RFC4137]. 5. Common Rules There are following procedures, variables, message initializing rules and state transitions that are common to both the PaC and PAA state machines. Throughout this document, the character string "PANA_MESSAGE_NAME" - matches any one of the abbreviated PANA message names, i.e., "PDI", - "PSR", "PSA", "PAR", "PAN", "PBR", "PBA", "PFER", "PFEA", "PTR", - "PTA", "PPR", "PPA", "PRAR", "PRAA", "PUR", "PUA", "PER" and "PEA". + matches any one of the abbreviated PANA message names, i.e., "PCI", + "PAR", "PAN", "PTR", "PTA", "PNR", "PNA". 5.1. Common Procedures void None() A null procedure, i.e., nothing is done. void Disconnect() A procedure to delete the PANA session as well as the corresponding EAP session and authorization state. boolean Authorize() A procedure to create or modify authorization state. It returns TRUE if authorization is successful. Otherwise, it returns FALSE. It is assumed that Authorize() procedure of PaC state machine always returns TRUE. - void Tx:PANA_MESSAGE_NAME() + void Tx:PANA_MESSAGE_NAME[flag](AVPs) A procedure to send a PANA message to its peering PANA entity. + The "flag" argment contains a flag (e.g., Tx:PAR[C]) to be set to + the message, except for 'R' (Request) flag. The "AVPs" contains a + list of names of optional AVPs to be inserted in the message, + except for AUTH AVP. + + This procedure includes the following action before actual + transmission: + + if (flag==S) + PANA_MESSAGE_NAME.S_flag=Set; + if (flag==C) + PANA_MESSAGE_NAME.C_flag=Set; + if (flag==A) + PANA_MESSAGE_NAME.A_flag=Set; + if (flag==P) + PANA_MESSAGE_NAME.P_flag=Set; + PANA_MESSAGE_NAME.insert_avp(AVPs); + if (key_availble()) + PANA_MESSAGE_NANE.insert_avp("AUTH"); void TxEAP() A procedure to send an EAP message to the EAP state machine it interfaces to. void RtxTimerStart() A procedure to start the retransmission timer, reset RTX_COUNTER variable to zero and set an appropriate value to RTX_MAX_NUM @@ -311,230 +307,204 @@ A procedure to send an EAP message to the EAP state machine it interfaces to. void RtxTimerStart() A procedure to start the retransmission timer, reset RTX_COUNTER variable to zero and set an appropriate value to RTX_MAX_NUM variable. void RtxTimerStop() + A procedure to stop the retransmission timer. - void SessionTimerStart() + void SessionTimerReStart(TIMEOUT) - A procedure to start PANA session timer. + A procedure to (re)start PANA session timer. TIMEOUT specifies + the expiration time associated of the session timer. Expiration + of TIMEOUT will trigger a SESS_TIMEOUT event. void SessionTimerStop() - A procedure to stop the PANA session timer. + A procedure to stop the current PANA session timer. void Retransmit() A procedure to retransmit a PANA message and increment RTX_COUNTER by one(1). void EAP_Restart() A procedure to (re)start an EAP conversation resulting in the re- initialization of an existing EAP session. - void PANA_MESSAGE_NAME.insert_avp("AVP_NAME") + void PANA_MESSAGE_NAME.insert_avp("AVP_NAME1", "AVP_NAME2",...) - A procedure to insert an AVP of the specified AVP name in the - specified PANA message. + A procedure to insert AVPs for each specified AVP name in the list + of AVP names in the PANA message. When an AVP name ends with "*", + zero, one or more AVPs are inserted, otherwise one AVP is + inserted. boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME") A procedure that checks whether an AVP of the specified AVP name exists in the specified PANA message and returns TRUE if the specified AVP is found, otherwise returns FALSE. boolean key_available() A procedure to check whether the PANA session has a PANA_AUTH_KEY. If the state machine already has a PANA_AUTH_KEY, it returns TRUE. If the state machine does not have a PANA_AUTH_KEY, it tries to retrieve a AAA-Key from the EAP entity. If a AAA-Key is retrieved, it computes a PANA_AUTH_KEY from the AAA-Key and returns TRUE. Otherwise, it returns FALSE. - boolean fatal(int) - - A procedure to check whether an integer result code value - indicates a fatal error. If the result code indicates a fatal - error, the procedure returns TRUE, otherwise, it return FALSE. A - fatal error would also result in the termination of the session - and release of all resources related to that session. - 5.2. Common Variables - PANA_MESSAGE_NAME.S_flag - - This variable contains the S-Flag value of the specified PANA - message. - - PBR.RESULT_CODE + PAR.RESULT_CODE - This variable contains the Result-Code AVP value in the PANA-Bind- + This variable contains the Result-Code AVP value in the PANA-Auth- Request message in process. When this variable carries - PANA_SUCCESS when there is only once EAP run in the authentication - and authorization phase, it is assumed that the PBR message always - contains an EAP-Payload AVP which carries an EAP-Success message. - - PFER.RESULT_CODE - - This variable contains the Result-Code AVP value in the PANA- - FirstAuth-End-Request message in process. When this variable - carries PANA_SUCCESS, it is assumed that the PFER message always - contains an EAP-Payload AVP which carries an EAP-Success message. + PANA_SUCCESS it is assumed that the PAR message always contains an + EAP-Payload AVP which carries an EAP-Success message. - PER.RESULT_CODE + NONCE_SENT - This variable contains the Result-Code AVP value in the PANA- - Error-Request message in process. + This variable is set to TRUE to indicate that a Nonce-AVP has + already been sent. Otherwise it is set to FALSE. RTX_COUNTER This variable contains the current number of retransmissions of the outstanding PANA message. - Rx:PANA_MESSAGE_NAME + Rx:PANA_MESSAGE_NAME[flag] This event variable is set to TRUE when the specified PANA message - is received from its peering PANA entity. + is received from its peering PANA entity. The "flag" contains a + flag (e.g., Rx:PAR[C]), except for 'R' (Request) flag. RTX_TIMEOUT This event variable is set to TRUE when the retransmission timer is expired. REAUTH This event variable is set to TRUE when an initiation of re- authentication phase is triggered. TERMINATE This event variable is set to TRUE when initiation of PANA session termination is triggered. PANA_PING This event variable is set to TRUE when initiation of liveness - test based on PPR-PPA exchange is triggered. - - NOTIFY - - This event variable is set to TRUE if the PaC or PAA wants to send - attribute updates or notifications. + test based on PANA-Notification exchange is triggered. SESS_TIMEOUT - This event is variable is set to TRUE when the session timer is + This event is variable is set to TRUE when the session timer has expired. - ABORT_ON_1ST_EAP_FAILURE - - This variable indicates whether the PANA session is immediately - terminated when the 1st EAP authentication fails. - - CARRY_DEVICE_ID + LIFETIME_SESS_TIMEOUT - This variable indicates whether a Device-Id AVP is carried in a - PANA-Bind-Request or PANA_Bind-Answer message. For the PAA, this - variable must be set when a link-layer or IP address is used as - the device identifier of the PaC and a Protection-Capability AVP - is included in the PANA-Bind-Request message. + Configurable value used by the PaC and PAA to close or disconnect + an established session in the access phase. This variable + indicates the expiration of the session and is set to the value of + Session-Lifetime AVP if present in the last PANA-Auth-Request + message in the case of the PaC. Otherwise, it is assumed that the + value is infinite and therefore has no expiration. Expiration of + LIFETIME_SESS_TIMEOUT will cause the event variable SESS_TIMEOUT + to be set. ANY This event variable is set to TRUE when any event occurs. 5.3. Constants RTX_MAX_NUM Configurable maximum for how many retransmissions should be attempted before aborting. 5.4. Common Message Initialization Rules When a message is prepared for sending, it is initialized as follows: o For a request message, R-flag of the header is set. Otherwise, R-flag is not set. - o S-flag and N-flag of the header are not set. + o Other message header flags are not set. They are set explicitly + by specific state machine actions. o AVPs that are mandatory included in a message are inserted with appropriate values set. - o A Notification AVP is inserted if there is some notification - string to send to the communicating peer. - -5.5. Common Error Handling Rules +5.5. Common Retransmition Rules - For simplicity, the PANA state machines defined in this document do - not support an optional feature of sending a PER message when an - invalid PANA message is received [I-D.ietf-pana-pana], while the - state machines support sending a PER message generated in other cases - as well as receiving and processing a PER message. It is left to - implementations as to whether they provide a means to send a PER - message when an invalid PANA message is received. + The state machines defined in this document assumes that the PaC and + the PAA caches the last transmitted answer message. This scheme is + described in Sec 5.2 of [I-D.ietf-pana-pana]. When the PaC or PAA + receives a re-transmitted or duplicate request, it would be able to + re-send the corresponding answer without any aid from the EAP layer. + However, to simplify the state machine description, this caching + scheme is omitted in the state machines below. In the case that + there is not corresponding answer to a re-transmitted request, the + request will be handled by the corresponding statemachine. 5.6. Common State Transitions - The following transitions can occur at any state. + The following transitions can occur at any state with exemptions + explicitly noted. ---------- State: ANY ---------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - (Re-transmissions)- - - - - - - - - - RTX_TIMEOUT && Retransmit(); (no change) RTX_COUNTER< RTX_MAX_NUM - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Reach maximum number of transmissions)- - - - - - - RTX_TIMEOUT && Disconnect(); CLOSED + (RTX_TIMEOUT && Disconnect(); CLOSED RTX_COUNTER>= - RTX_MAX_NUM - - SESS_TIMEOUT Disconnect(); CLOSED + RTX_MAX_NUM) || + SESS_TIMEOUT - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(PANA-Error-Message-Processing)- - - - - - - Rx:PER && PEA.insert_avp("AUTH"); CLOSED - fatal Tx:PEA(); - (PER.RESULT_CODE) && Disconnect(); - PER.exist_avp("AUTH") && - key_available() - Rx:PER && Tx:PEA(); (no change) - !fatal - (PER.RESULT_CODE) || - !PER.exist_avp("AUTH") || - !key_available() - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ------------------------- + State: ANY except INITIAL + ------------------------- + + Exit Condition Exit Action Exit State + ------------------------+--------------------------+------------ + - - - - - - - - - - (liveness test initiated by peer)- - - - - - + Rx:PNR[P] Tx:PNA[P](); (no change) The following transitions can occur on any exit condition within the specified state. ------------- State: CLOSED ------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - -(Session termination initiated by PaC) - - - - - + - - - - - - - -(Catch all event on closed state) - - - - - - - - ANY None(); CLOSED - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6. PaC State Machine 6.1. Interface between PaC and EAP Peer This interface defines the interactions between a PaC and an EAP peer. The interface serves as a mechanism to deliver EAP messages for the EAP peer. It allows the EAP peer to receive EAP requests and @@ -542,149 +512,113 @@ notify the EAP peer of PaC events and a mechanism to receive notification of EAP peer events. The EAP message delivery mechanism as well as the event notification mechanism in this interface have direct correlation with the PaC state transition table entries. These message delivery and event notifications mechanisms occur only within the context of their associated states or exit actions. 6.1.1. Delivering EAP Messages from PaC to EAP Peer TxEAP() procedure in the PaC state machine serves as the mechanism to - deliver EAP request, EAP success and EAP failure messages contained - in PANA-Auth-Request messages to the EAP peer. This procedure is - enabled only after an EAP restart event is notified to the EAP peer - and before any event resulting in a termination of the EAP peer - session. In the case where the EAP peer follows the EAP peer state - machine defined in [RFC4137], TxEAP() procedure sets eapReq variable - of the EAP peer state machine and puts the EAP request in eapReqData - variable of the EAP peer state machine. + deliver EAP messages contained in PANA-Auth-Request messages to the + EAP peer. This procedure is enabled only after an EAP restart event + is notified to the EAP peer and before any event resulting in a + termination of the EAP peer session. In the case where the EAP peer + follows the EAP peer state machine defined in [RFC4137], TxEAP() + procedure sets eapReq variable of the EAP peer state machine and puts + the EAP request in eapReqData variable of the EAP peer state machine. -6.1.2. Delivering EAP Responses from EAP Peer to PaC +6.1.2. Delivering EAP Messages from EAP Peer to PaC - An EAP response is delivered from the EAP peer to the PaC via + An EAP message is delivered from the EAP peer to the PaC via EAP_RESPONSE event variable. The event variable is set when the EAP - peer passes the EAP response to its lower-layer. In the case where + peer passes the EAP message to its lower-layer. In the case where the EAP peer follows the EAP peer state machine defined in [RFC4137], EAP_RESPONSE event variable refers to eapResp variable of the EAP - peer state machine and the EAP response is contained in eapRespData + peer state machine and the EAP message is contained in eapRespData variable of the EAP peer state machine. 6.1.3. EAP Restart Notification from PaC to EAP Peer The EAP peer state machine defined in [RFC4137] has an initialization - procedure before receiving an EAP request. To initialize the EAP + procedure before receiving an EAP message. To initialize the EAP state machine, the PaC state machine defines an event notification mechanism to send an EAP (re)start event to the EAP peer. The event notification is done via EAP_Restart() procedure in the initialization action of the PaC state machine. 6.1.4. EAP Authentication Result Notification from EAP Peer to PaC In order for the EAP peer to notify the PaC of an EAP authentication result, EAP_SUCCESS and EAP_FAILURE event variables are defined. In the case where the EAP peer follows the EAP peer state machine defined in [RFC4137], EAP_SUCCESS and EAP_FAILURE event variables refer to eapSuccess and eapFail variables of the EAP peer state machine, respectively. In this case, if EAP_SUCCESS event variable is set to TRUE and a AAA-Key is generated by the EAP authentication method in use, eapKeyAvailable variable is set to TRUE and eapKeyData variable contains the AAA-Key. Note that EAP_SUCCESS and EAP_FAILURE - event variables may be set to TRUE even before the PaC receives a PBR - or a PFER from the PAA. + event variables may be set to TRUE even before the PaC receives a PAR + with a 'Complete' flag set from the PAA. 6.1.5. Alternate Failure Notification from PaC to EAP Peer alt_reject() procedure in the PaC state machine serves as the mechanism to deliver an authentication failure event to the EAP peer without accompanying an EAP message. In the case where the EAP peer follows the EAP peer state machine defined in [RFC4137], alt_reject() procedure sets altReject variable of the EAP peer state machine. Note that the EAP peer state machine in [RFC4137] also defines altAccept variable, however, it is never used in PANA in which EAP- - Success messages are reliably delivered by PANA-Bind exchange. - -6.1.6. EAP Invalid Message Notification from EAP Peer to PaC - - In order for the EAP peer to notify the PaC of a receipt of an - invalid EAP message, EAP_INVALID_MSG event variable is defined. In - the case where the EAP peer follows the EAP peer state machine - defined in [RFC4137], EAP_INVALID_MSG event variable refers to - eapNoResp variable of the EAP peer state machine. - -6.2. Variables + Success messages are reliably delivered by the last PANA-Auth + exchange. - SEPARATE +6.2. Constants - This variable indicates whether the PaC desires NAP/ISP separate - authentication. + FAILED_SESS_TIMEOUT - 1ST_EAP + Configurable value that allows the PaC to determine whether a PaC + authentication and authorization phase has stalled without an + explicit EAP success or failure notification. - This variable indicates whether the 1st EAP authentication is - success, failure or yet completed. +6.3. Variables AUTH_USER This event variable is set to TRUE when initiation of EAP-based (re-)authentication is triggered by the application. EAP_SUCCESS This event variable is set to TRUE when the EAP peer determines that EAP conversation completes with success. EAP_FAILURE This event variable is set to TRUE when the EAP peer determines that EAP conversation completes with failure. EAP_RESPONSE This event variable is set to TRUE when the EAP peer delivers an - EAP Response to the PaC. This event accompanies an EAP-Response - message received from the EAP peer. - - EAP_INVALID_MSG - - This event variable is set to TRUE when the EAP peer silently - discards an EAP message. This event does not accompany any EAP - message. + EAP message to the PaC. This event accompanies an EAP message + received from the EAP peer. EAP_RESP_TIMEOUT This event variable is set to TRUE when the PaC that has passed an - EAP-Request to the EAP-layer does not receive a corresponding EAP- - Response from the the EAP-layer in a given period. - -6.3. Procedures - - boolean choose_isp() - - This procedure returns TRUE when the PaC chooses one ISP, - otherwise returns FALSE. - - boolean ppac_available() - - This procedure returns TRUE when the Post-PANA-Address- - Configuration method specified by the PAA is available in the PaC - and that the PaC will be able to comply. - - boolean pcap_supported() - - This procedure returns TRUE when the cryptographic data protection - supplied in the Protection-Capability AVP can be supported by the - PaC. - - boolean algorithm_supported() + EAP message to the EAP-layer does not receive a subsequent EAP + message from the the EAP-layer in a given period. This provides a + time limit for certain EAP methods where user interaction maybe + required. - This procedure returns TRUE when the integrity algorithm supplied - in the Algorithm AVP can be supported by the PaC. +6.4. Procedures boolean eap_piggyback() This procedures returns TRUE to indicate whether the next EAP response will be carried in the pending PAN message for optimization. void alt_reject() This procedure informs the EAP peer of an authentication failure @@ -693,624 +627,219 @@ void EAP_RespTimerStart() A procedure to start a timer to receive an EAP-Response from the EAP peer. void EAP_RespTimerStop() A procedure to stop a timer to receive an EAP-Response from the EAP peer. -6.4. PaC State Transition Table +6.5. PaC State Transition Table ------------------------------ - State: OFFLINE (Initial State) + State: INITIAL (Initial State) ------------------------------ - Initialization Action: - SEPARATE=Set|Unset; - CARRY_DEVICE_ID=Unset; - 1ST_EAP=Unset; + NONCE_SENT=Unset; + RTX_COUNTER=0; RtxTimerStop(); Exit Condition Exit Action Exit State - ------------------------+--------------------------+-------------- - - - - - - - - - - - - - - (PSR processing) - - - - - - - - - - - - Rx:PSR && RtxTimerStop(); WAIT_EAP_MSG_ - PSR.exist_avp EAP_Restart(); IN_DISC - ("EAP-Payload") && TxEAP(); - (!PSR.exist_avp SEPARATE=Unset; - ("Protection-Cap.") || - (PSR.exist_avp - ("Protection-Cap.") && - pcap_supported())) && - (!PSR.exist_avp - ("Algorithm") || - (PSR.exist_avp - ("Algorithm") && - algorithm_supported())) - - Rx:PSR && RtxTimerStop(); WAIT_PAA - !PSR.exist_avp if (choose_isp()) - ("EAP-Payload") && PSA.insert_avp("ISP"); - PSR.S_flag==1 && PSA.S_flag=1; - SEPARATE==Set && PSA.insert_avp("Cookie"); - PSR.exist_avp Tx:PSA(); - ("Cookie") && RtxTimerStart(); - (!PSR.exist_avp EAP_Restart(); - ("Protection-Cap.") || - (PSR.exist_avp - ("Protection-Cap.") && - pcap_supported())) && - (!PSR.exist_avp - ("Algorithm") || - (PSR.exist_avp - ("Algorithm") && - algorithm_supported())) - - Rx:PSR && RtxTimerStop(); WAIT_PAA - !PSR.exist_avp if (choose_isp()) - ("EAP-Payload") && PSA.insert_avp("ISP"); - PSR.S_flag==1 && PSA.S_flag=1; - SEPARATE==Set && Tx:PSA(); - !PSR.exist_avp EAP_Restart(); - ("Cookie") && - (!PSR.exist_avp - ("Protection-Cap.") || - (PSR.exist_avp - ("Protection-Cap.") && - pcap_supported())) && - (!PSR.exist_avp - ("Algorithm") || - (PSR.exist_avp - ("Algorithm") && - algorithm_supported())) - - Rx:PSR && RtxTimerStop(); WAIT_PAA - !PSR.exist_avp if (choose_isp()) - ("EAP-Payload") && PSA.insert_avp("ISP"); - (PSR.S_flag!=1 || PSA.insert_avp("Cookie"); - SEPARATE==Unset) && Tx:PSA(); - PSR.exist_avp RtxTimerStart(); - ("Cookie") && SEPARATE=Unset; - (!PSR.exist_avp EAP_Restart(); - ("Protection-Cap.") || - (PSR.exist_avp - ("Protection-Cap.") && - pcap_supported())) && - (!PSR.exist_avp - ("Algorithm") || - (PSR.exist_avp - ("Algorithm") && - algorithm_supported())) - - Rx:PSR && RtxTimerStop(); WAIT_PAA - !PSR.exist_avp if (choose_isp()) - ("EAP-Payload") && PSA.insert_avp("ISP"); - (PSR.S_flag!=1 || Tx:PSA(); - SEPARATE==Unset) && SEPARATE=Unset; - !PSR.exist_avp EAP_Restart(); - ("Cookie") && - (!PSR.exist_avp - ("Protection-Cap.") || - (PSR.exist_avp - ("Protection-Cap.") && - pcap_supported())) && - (!PSR.exist_avp - ("Algorithm") || - (PSR.exist_avp - ("Algorithm") && - algorithm_supported())) - - Rx:PSR && None(); OFFLINE - (PSR.exist_avp - ("Protection-Cap.") && - !pcap_supported()) || - (PSR.exist_avp - ("Algorithm") && - algorithm_supported()) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Authentication trigger from application) - - - - AUTH_USER Tx:PDI(); OFFLINE + ------------------------+--------------------------+----------- + - - - - - - - - - - (PaC-initiated Handshake) - - - - - - - - - + AUTH_USER Tx:PCI[](); INITIAL RtxTimerStart(); + SessionTimerReStart + (FAILED_SESS_TIMEOUT); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------------------- - State: WAIT_EAP_MSG_IN_DISC - --------------------------- + - - - - - - -(PAA-initiated Handshake, not optimized) - - - - - + Rx:PAR[S] && Tx:PAN[S](); WAIT_PAA + !PAR.exist_avp EAP_Restart(); + ("EAP-Payload") SessionTimerReStart + (FAILED_SESS_TIMEOUT); + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Exit Condition Exit Action Exit State - ------------------------+--------------------------+------------ - - - - - - - - - - - - (Return PSA with EAP-Payload) - - - - - - - EAP_RESPONSE PSA.insert_avp WAIT_PAA - ("EAP-Payload") - if (choose_isp()) - PSA.insert_avp("ISP"); - Tx:PSA(); + - - - - - - - -(PAA-initiated Handshake, optimized) - - - - - - + Rx:PAR[S] && EAP_Restart(); INITIAL + PAR.exist_avp TxEAP(); + ("EAP-Payload") && SessionTimerReStart + eap_piggyback() (FAILED_SESS_TIMEOUT); - EAP_RESP_TIMEOUT || None(); OFFLINE - EAP_INVALID_MSG + Rx:PAR[S] && EAP_Restart(); WAIT_EAP_MSG + PAR.exist_avp TxEAP(); + ("EAP-Payload") && SessionTimerReStart + !eap_piggyback() (FAILED_SESS_TIMEOUT); + TxPAN[S](); + + EAP_RESPONSE Tx:PAN[S]("EAP-Payload"); WAIT_PAA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------- State: WAIT_PAA --------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - - - Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG + Rx:PAR[] && RtxTimerStop(); WAIT_EAP_MSG !eap_piggyback() TxEAP(); EAP_RespTimerStart(); - if (key_available()) - PAN.insert_avp("AUTH"); - PAN.S_flag=PAR.S_flag; - PAN.N_flag=PAR.N_flag; - Tx:PAN(); + if (NONCE_SENT==Unset) { + NONCE_SENT=Set; + Tx:PAN[]("Nonce"); + } + else + Tx:PAN[](); - Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG + Rx:PAR[] && RtxTimerStop(); WAIT_EAP_MSG eap_piggyback() TxEAP(); EAP_RespTimerStart(); - Rx:PAN RtxTimerStop(); WAIT_PAA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - - - Rx:PFER && 1ST_EAP=Success; WAIT_1ST_EAP_ - 1ST_EAP==Unset && TxEAP(); RESULT - SEPARATE==Set && - PFER.RESULT_CODE== - PANA_SUCCESS && - PFER.S_flag==1 && - (!PSR.exist_avp - ("Algorithm") || - (PSR.exist_avp - ("Algorithm") && - algorithm_supported())) - - Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ - 1ST_EAP==Unset && TxEAP(); RESULT - SEPARATE==Set && - PFER.RESULT_CODE!= - PANA_SUCCESS && - PFER.S_flag==1 && - ABORT_ON_1ST_EAP_FAILURE - ==Unset && - PFER.exist_avp - ("EAP-Payload") - - Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ - 1ST_EAP==Unset && alt_reject(); RESULT - SEPARATE==Set && - PFER.RESULT_CODE!= - PANA_SUCCESS && - PFER.S_flag==1 && - ABORT_ON_1ST_EAP_FAILURE - ==Unset && - !PFER.exist_avp - ("EAP-Payload") - - Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ - 1ST_EAP==Unset && TxEAP(); RESULT_CLOSED - SEPARATE==Set && - PFER.RESULT_CODE!= - PANA_SUCCESS && - (PFER.S_flag==0 || - ABORT_ON_1ST_EAP_FAILURE - ==Set) && - PFER.exist_avp - ("EAP-Payload") - - Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ - 1ST_EAP==Unset && alt_reject(); RESULT_CLOSED - SEPARATE==Set && - PFER.RESULT_CODE!= - PANA_SUCCESS && - (PFER.S_flag==0 || - ABORT_ON_1ST_EAP_FAILURE - ==Set) && - !PFER.exist_avp - ("EAP-Payload") - - Rx:PBR && TxEAP(); WAIT_EAP_RESULT - 1ST_EAP==Unset && if (PBR.exist_avp - SEPARATE==Unset && ("Device-Id")) - PBR.RESULT_CODE== CARRY_DEVICE_ID=Set; - PANA_SUCCESS && - (!PSR.exist_avp - ("Algorithm") || - (PSR.exist_avp - ("Algorithm") && - algorithm_supported())) - - Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ - 1ST_EAP==Unset && CLOSE - SEPARATE==Unset && - PBR.RESULT_CODE!= - PANA_SUCCESS && - PBR.exist_avp - ("EAP-Payload") + Rx:PAN[] RtxTimerStop(); WAIT_PAA - Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ - 1ST_EAP==Unset && CLOSE - SEPARATE==Unset && - PBR.RESULT_CODE!= - PANA_SUCCESS && - !PBR.exist_avp - ("EAP-Payload") - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(2nd EAP result) - - - - - - - - - - Rx:PBR && TxEAP(); WAIT_EAP_RESULT - 1ST_EAP==Success && if (PBR.exist_avp - PBR.RESULT_CODE== ("Device-Id")) - PANA_SUCCESS && CARRY_DEVICE_ID=Set; - PBR.exist_avp - ("EAP-Payload") && - (!PSR.exist_avp - ("Algorithm") || - (PSR.exist_avp - ("Algorithm") && - algorithm_supported())) - - Rx:PBR && alt_reject(); WAIT_EAP_RESULT - 1ST_EAP==Success && if (PBR.exist_avp - PBR.RESULT_CODE== ("Device-Id")) - PANA_SUCCESS && CARRY_DEVICE_ID=Set; - !PBR.exist_avp - ("EAP-Payload") && - (!PSR.exist_avp - ("Algorithm") || - (PSR.exist_avp - ("Algorithm") && - algorithm_supported())) - - Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ - 1ST_EAP==Success && CLOSE - PBR.RESULT_CODE!= - PANA_SUCCESS && - PBR.exist_avp - ("EAP-Payload") - - Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ - 1ST_EAP==Success && CLOSE - PBR.RESULT_CODE!= - PANA_SUCCESS && - !PBR.exist_avp - ("EAP-Payload") - - Rx:PBR && TxEAP(); WAIT_EAP_RESULT - 1ST_EAP==Failure && if (PBR.exist_avp - PBR.RESULT_CODE== ("Device-Id")) - PANA_SUCCESS && CARRY_DEVICE_ID=Set; - (!PSR.exist_avp - ("Algorithm") || - (PSR.exist_avp - ("Algorithm") && - algorithm_supported())) - - Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ - 1ST_EAP==Failure && CLOSE - PBR.RESULT_CODE!= - PANA_SUCCESS && - PBR.exist_avp - ("EAP-Payload") + - - - - - - - - - - - - - - -(PANA result) - - - - - - - - - - + Rx:PAR[C] && TxEAP(); WAIT_EAP_RESULT + PAR.RESULT_CODE== + PANA_SUCCESS - Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ - 1ST_EAP==Failure && CLOSE - PBR.RESULT_CODE!= - PANA_SUCCESS && - !PBR.exist_avp - ("EAP-Payload") + Rx:PAR[C] && if (PAR.exist_avp WAIT_EAP_RESULT_ + PAR.RESULT_CODE!= ("EAP-Payload")) CLOSE + PANA_SUCCESS TxEAP(); + else + alt_reject(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ------------------- State: WAIT_EAP_MSG ------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - (Return PAN/PAR) - - - - - - - - - - - - - - + - - - - - - - - - - (Return PAN/PAR from EAP) - - - - - - - - - EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA - eap_piggyback() PAN.insert_avp - ("EAP-Payload"); - if (key_available()) - PAN.insert_avp("AUTH"); - PAN.S_flag=PAR.S_flag; - PAN.N_flag=PAR.N_flag; - Tx:PAN(); + eap_piggyback() if (NONCE_SENT==Unset) { + Tx:PAN[]("EAP-Payload", + "Nonce"); + NONCE_SENT=Set; + } + else + Tx:PAN[]("EAP-Payload"); EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA - !eap_piggyback() PAR.insert_avp - ("EAP-Payload"); - if (key_available()) - PAR.insert_avp("AUTH"); - PAR.S_flag=PAN.S_flag; - PAR.N_flag=PAN.N_flag; - Tx:PAR(); + !eap_piggyback() Tx:PAR[]("EAP-Payload"); RtxTimerStart(); - EAP_RESP_TIMEOUT if (key_available()) WAIT_PAA - PAN.insert_avp("AUTH"); - PAN.S_flag=PAR.S_flag; - PAN.N_flag=PAR.N_flag; - Tx:PAN(); - - EAP_INVALID_MSG || None(); WAIT_PAA - EAP_SUCCESS || - EAP_FAILURE + EAP_RESP_TIMEOUT && Tx:PAN[](); WAIT_PAA + eap_piggyback() + EAP_FAILURE SessionTimerStop(); CLOSED + Disconnect(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---------------------- State: WAIT_EAP_RESULT ---------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - - - EAP_SUCCESS && PBA.insert_avp("AUTH"); OPEN - PBR.exist_avp PBA.insert_avp("Key-Id"); - ("Key-Id") && if (CARRY_DEVICE_ID) - ppac_available() && PBA.insert_avp - (!PBR.exist_avp ("Device-Id"); - ("Protection- PBA.insert_avp("PPAC"); - Capability") || Tx:PBA(); - (PBR.exist_avp Authorize(); - ("Protection- SessionTimerStart(); - Capability") && - pcap_supported())) - - EAP_SUCCESS && if (key_available()) OPEN - !PBR.exist_avp PBA.insert_avp("AUTH"); - ("Key-Id") && if (CARRY_DEVICE_ID) - ppac_available() && PBA.insert_avp - (!PBR.exist_avp ("Device-Id"); - ("Protection- PBA.insert_avp("PPAC"); - Capability") || Tx:PBA(); - (PBR.exist_avp Authorize(); - ("Protection- SessionTimerStart(); - Capability") && - pcap_supported())) - - EAP_SUCCESS && if (key_available()) WAIT_PEA - !ppac_available() PER.insert_avp("AUTH"); - PER.RESULT_CODE= - PANA_PPAC_CAPABILITY_ - UNSUPPORTED - Tx:PER(); - RtxTimerStart(); - - EAP_SUCCESS && if (key_available()) WAIT_PEA - (PBR.exist_avp PER.insert_avp("AUTH"); - ("Protection- PER.RESULT_CODE= - Capability") && PANA_PROTECTION_ - !pcap_supported()) CAPABILITY_UNSUPPORTED - Tx:PER(); - RtxTimerStart(); - - EAP_FAILURE && if (key_available()) OPEN - (SEPARATE==Set) && PBA.insert_avp("AUTH"); - ppac_available() && if (CARRY_DEVICE_ID) - (!PBR.exist_avp PBA.insert_avp - ("Protection- ("Device-Id"); - Capability") || PBA.insert_avp("PPAC"); - (PBR.exist_avp Tx:PBA(); - ("Protection- Authorize(); - Capability") && SessionTimerStart(); - pcap_supported())) - - EAP_FAILURE && if (key_available()) WAIT_PEA - (SEPARATE==Set) && PER.insert_avp("AUTH"); - !ppac_available() PER.RESULT_CODE= - PANA_PPAC_CAPABILITY_ - UNSUPPORTED - Tx:PER(); - RtxTimerStart(); - - EAP_FAILURE && if (key_available()) WAIT_PEA - (SEPARATE==Set) && PER.insert_avp("AUTH"); - (PBR.exist_avp PER.RESULT_CODE= - ("Protection- PANA_PROTECTION_ - Capability") && CAPABILITY_UNSUPPORTED - !pcap_supported()) Tx:PER(); - RtxTimerStart(); + EAP_SUCCESS if (PAR.exist_avp OPEN + ("Key-Id")) + Tx:PAN[C]("Key-Id"); + else + Tx:PAN[C](); + Authorize(); + SessionTimerReStart + (LIFETIME_SESS_TIMEOUT); - EAP_INVALID_MSG None(); WAIT_PAA + EAP_FAILURE Tx:PAN[C](); CLOSED + SessionTimerStop(); + Disconnect(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---------------------------- State: WAIT_EAP_RESULT_CLOSE ---------------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - - - EAP_SUCCESS && PBA.insert_avp("AUTH"); CLOSED - PBR.exist_avp PBA.insert_avp("Key-Id"); - ("Key-Id") Tx:PBA(); - Disconnect(); - - EAP_SUCCESS && if (key_available()) CLOSED - !PBR.exist_avp PBA.insert_avp("AUTH"); - ("Key-Id") Tx:PBA(); - Disconnect(); - - EAP_FAILURE Tx:PBA(); CLOSED - Disconnect(); - - EAP_INVALID_MSG None(); WAIT_PAA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -------------------------- - State: WAIT_1ST_EAP_RESULT - -------------------------- - - Exit Condition Exit Action Exit State - ------------------------+--------------------------+------------ - - - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - - - EAP_SUCCESS && PFEA.insert_avp("Key-Id"); WAIT_PAA - PFER.exist_avp PFEA.S_flag=1; - ("Key-Id") PFEA.N_flag=PFER.N_flag; - PFEA.insert_avp("AUTH"); - Tx:PFEA(); - EAP_Restart(); - - (EAP_SUCCESS && if (key_available()) WAIT_PAA - !PFER.exist_avp PFEA.insert_avp("AUTH"); - ("Key-Id")) || PFEA.S_flag=1; - EAP_FAILURE PFEA.N_flag=PFER.N_flag; - Tx:PFEA(); - EAP_Restart(); - - EAP_INVALID_MSG EAP_Restart(); WAIT_PAA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -------------------------------- - State: WAIT_1ST_EAP_RESULT_CLOSE - -------------------------------- - - Exit Condition Exit Action Exit State - ------------------------+--------------------------+------------ - - - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - - - EAP_SUCCESS && PFEA.insert_avp("Key-Id"); CLOSED - PFER.exist_avp PFEA.S_flag=0; - ("Key-Id") PFEA.N_flag=0; - PFEA.insert_avp("AUTH"); - Tx:PFEA(); - Disconnect(); - - (EAP_SUCCESS && if (key_available()) CLOSED - !PFER.exist_avp PFEA.insert_avp("AUTH"); - ("Key-Id")) || PFEA.S_flag=0; - EAP_FAILURE PFEA.N_flag=0; - Tx:PFEA(); + EAP_SUCCESS || if (EAP_SUCCESS && CLOSED + EAP_FAILURE PAR.exist_avp("Key-Id")) + Tx:PAN[C]("Key-Id"); + else + Tx:PAN[C](); + SessionTimerStop(); Disconnect(); - - EAP_INVALID_MSG None(); WAIT_PAA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ----------- State: OPEN ----------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - (liveness test initiated by PAA)- - - - - - - Rx:PPR if (key_available()) OPEN - PPA.insert_avp("AUTH"); - Tx:PPA(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (liveness test initiated by PaC)- - - - - - - PANA_PING if (key_available()) WAIT_PPA - PPR.insert_avp("AUTH"); - Tx:PPR(); + PANA_PING Tx:PNR[P](); WAIT_PNA RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (re-authentication initiated by PaC)- - - - - - - REAUTH SEPARATE=Set|Unset; WAIT_PRAA - 1ST_EAP=Unset; - if (key_available()) - PRAR.insert_avp("AUTH"); - Tx:PRAR(); + REAUTH NONCE_SENT=Unset; WAIT_PNA + Tx:PNR[A](); RtxTimerStart(); - SessionTimerStop(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - - - Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG - !eap_piggyback() 1ST_EAP=Unset; - EAP_RespTimerStart(); - TxEAP(); - if (key_available()) - PAN.insert_avp("AUTH"); - PAN.S_flag=PAR.S_flag; - PAN.N_flag=PAR.N_flag; - Tx:PAN(); - SessionTimerStop(); - - Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG - eap_piggyback() 1ST_EAP=Unset; - EAP_RespTimerStart(); + Rx:PAR[] EAP_RespTimerStart(); WAIT_EAP_MSG TxEAP(); - SessionTimerStop(); + if (!eap_piggyback()) + Tx:PAN[]("Nonce"); + else + NONCE_SENT=Unset; + SessionTimerReStart + (FAILED_SESS_TIMEOUT); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Session termination initiated by PAA) - - - - - - - Rx:PTR if (key_available()) CLOSED - PTA.insert_avp("AUTH"); - Tx:PTA(); + Rx:PTR[] Tx:PTA[](); CLOSED + SessionTimerStop(); Disconnect(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Session termination initiated by PaC) - - - - - - - TERMINATE if (key_available()) SESS_TERM - PTR.insert_avp("AUTH"); - Tx:PTR(); + TERMINATE Tx:PTR[](); SESS_TERM RtxTimerStart(); + SessionTimerStop(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Address update) - - - - - - - - - - - - - NOTIFY if (key_available()) WAIT_PUA - PUR.insert_avp("AUTH"); - Tx:PUR(); - RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Notification update)- - - - - - - - - - - - Rx:PUR if (key_available()) OPEN - PUA.insert_avp("AUTH"); - Tx:PUA(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---------------- - State: WAIT_PRAA - ---------------- - - Exit Condition Exit Action Exit State - ------------------------+--------------------------+------------ - - - - - - - - - -(re-authentication initiated by PaC) - - - - - - Rx:PRAA RtxTimerStop(); WAIT_PAA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------- - State: WAIT_PPA + State: WAIT_PNA --------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - -(liveness test initiated by PAA) - - - - - - - - Rx:PPA RtxTimerStop(); OPEN + - - - - - - - - -(re-authentication initiated by PaC) - - - - - + Rx:PNA[A] RtxTimerStop(); WAIT_PAA + SessionTimerReStart + (FAILED_SESS_TIMEOUT); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------- - State: WAIT_PUA - --------------- - - Exit Condition Exit Action Exit State - ------------------------+--------------------------+------------ - - - - - - - - - - - - - - (PUA processing)- - - - - - - - - - - - Rx:PUA RtxTimerStop(); OPEN + - - - - - - - - -(liveness test initiated by PaC) - - - - - - - + Rx:PNA[P] RtxTimerStop(); OPEN - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---------------- State: SESS_TERM ---------------- - Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - -(Session termination initiated by PaC) - - - - - - Rx:PTA Disconnect(); CLOSED - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------- - State: WAIT_PEA - --------------- - - Exit Condition Exit Action Exit State - ------------------------+--------------------------+------------ - - - - - - - - - - - - - - -(PEA processing) - - - - - - - - - - - Rx:PEA RtxTimerStop(); CLOSED - Disconnect(); + Rx:PTA[] Disconnect(); CLOSED - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7. PAA State Machine 7.1. Interface between PAA and EAP Authenticator The interface between a PAA and an EAP authenticator provides a mechanism to deliver EAP messages for the EAP authenticator as well as a mechanism to notify the EAP authenticator of PAA events and to receive notification of EAP authenticator events. These message @@ -1361,95 +890,45 @@ eapSuccess, eapFail and eapTimeout variables of the EAP authenticator state machine, respectively. In this case, if EAP_SUCCESS event variable is set to TRUE, an EAP-Success message is contained in eapReqData variable of the EAP authenticator state machine, and additionally, eapKeyAvailable variable is set to TRUE and eapKeyData variable contains a AAA-Key if the AAA-Key is generated as a result of successful authentication by the EAP authentication method in use. Similarly, if EAP_FAILURE event variable is set to TRUE, an EAP- Failure message is contained in eapReqData variable of the EAP authenticator state machine. The PAA uses EAP_SUCCESS, EAP_FAILURE - and EAP_TIMEOUT event variables as a trigger to send a PBR or a PFER - message to the PaC. + and EAP_TIMEOUT event variables as a trigger to send a PAR message to + the PaC. 7.2. Variables - USE_COOKIE - - This variable indicates whether the PAA uses Cookie. - - EAP_PIGGYBACK + OPTIMIZED_INIT This variable indicates whether the PAA is able to piggyback an - EAP-Request in PANA-Start-Request. - - SEPARATE - - This variable indicates whether the PAA provides NAP/ISP separate - authentication. - - 1ST_EAP - - This variable indicates whether the 1st EAP authentication is a - success, failure or yet completed. - - PSA.SESSION_ID - - This variable contains the Session-Id AVP value in the PANA-Start- - Answer message in process. - - CARRY_LIFETIME - This variable indicates whether a Session-Lifetime AVP is carried - in PANA-Bind-Request message. - - PROTECTION_CAP_IN_PSR - - This variable indicates whether a Protection-Capability AVP is - carried in a PANA-Start-Request message. - - AUTH_ALGORITHM_IN_PSR - - This variable indicates whether a Algorithm AVP is carried in a - PANA-Start-Request message. - - PROTECTION_CAP_IN_PBR - - This variable indicates whether a Protection-Capability AVP is - carried in a PANA-Bind-Request message. - - CARRY_NAP_INFO - - This variable indicates whether a NAP-Information AVP is carried - in PANA-Start-Request message. - - CARRY_ISP_INFO - - This variable indicates whether an ISP-Information AVP is carried - in PANA-Start-Request message. - - NAP_AUTH - - This variable indicates whether a NAP authentication is being - performed or not. + EAP-Request in the initial PANA-Auth-Request. Otherwise it is set + to FALSE. - CARRY_PPAC + PAC_FOUND - This variable indicates whether a Post-PANA-Address-Configuration - AVP is carried in PANA-Start-Request message. + This variable is set to TRUE as a result of a PAA initiated + handshake. - PAC_FOUND + REAUTH_TIMEOUT - This variable is set to TRUE during the EP-to-PAA notification as - a result of a traffic-driven PAA discovery or link-up event - notification by the EP as a result of the presence of a new PaC. + This event variable is set to TRUE to indicate that the PAA + initiates a re-authentication with the PaC. The re-authentication + timeout should be set to a value less than the session timeout + carried in the Session-Lifetime AVP if present. EAP_SUCCESS + This event variable is set to TRUE when EAP conversation completes with success. This event accompanies an EAP- Success message passed from the EAP authenticator. EAP_FAILURE This event variable is set to TRUE when EAP conversation completes with failure. This event accompanies an EAP- Failure message passed from the EAP authenticator. @@ -1469,1055 +948,278 @@ boolean new_key_available() A procedure to check whether the PANA session has a new PANA_AUTH_KEY. If the state machine already have a PANA_AUTH_KEY, it returns FALSE. If the state machine does not have a PANA_AUTH_KEY, it tries to retrieve a AAA-Key from the EAP entity. If a AAA-Key has been retrieved, it computes a PANA_AUTH_KEY from the AAA-Key and returns TRUE. Otherwise, it returns FALSE. - boolean new_source_address() - - A procedure to check the PaC's source IP address from the current - PUR message. If the source IP address of the message is different - from the last known IP address stored in the PANA session, this - procedure returns TRUE. Otherwise, it returns FALSE. - - void update_popa() - - A procedure to extract the PaC's source IP address from the - current PUR message and update the PANA session with this new IP - address. - 7.4. PAA State Transition Table ------------------------------ - State: OFFLINE (Initial State) + State: INITIAL (Initial State) ------------------------------ Initialization Action: - USE_COOKIE=Set|Unset; - EAP_PIGGYBACK=Set|Unset; - SEPARATE=Set|Unset; - if (EAP_PIGGYBACK==Set) - SEPARATE=Unset; - 1ST_EAP=Unset; - ABORT_ON_1ST_EAP_FAILURE=Set|Unset; - CARRY_LIFETIME=Set|Unset; - CARRY_DEVICE_ID=Set|Unset; - CARRY_NAP_INFO=Set|Unset; - CARRY_ISP_INFO=Set|Unset; - CARRY_PPAC=Set|Unset; - PROTECTION_CAP_IN_PSR=Set|Unset; - PROTECTION_CAP_IN_PBR=Set|Unset; - if (PROTECTION_CAP_IN_PBR=Unset) - PROTECTION_CAP_IN_PSR=Unset; - else - CARRY_DEVICE_ID=Set; - NAP_AUTH=Unset; + OPTIMIZED_INIT=Set|Unset; + NONCE_SENT=Unset; RTX_COUNTER=0; RtxTimerStop(); Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - - (Stateful discovery)- - - - - - - - - - (Rx:PDI || EAP_Restart(); WAIT_EAP_MSG_ - PAC_FOUND) && IN_DISC - USE_COOKIE==Unset && - EAP_PIGGYBACK==Set - - (Rx:PDI || if (SEPARATE==Set) STATEFUL_DISC - PAC_FOUND) && PSR.S_flag=1; - USE_COOKIE==Unset && if (CARRY_NAP_INFO==Set) - EAP_PIGGYBACK==Unset PSR.insert_avp - ("NAP-Information"); - if (CARRY_ISP_INFO==Set) - PSR.insert_avp - ("ISP-Information"); - if (CARRY_PPAC==Set) - PSR.insert_avp - ("Post-PANA-Address- - Configuration"); - if (PROTECTION_CAP_IN_PSR - ==Set) - PSR.insert_avp - ("Protection-Cap."); - if (AUTH_ALGORITHM_IN_PSR - ==Set) - PSR.insert_avp - ("Algorithm"); - Tx:PSR(); - RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Stateless discovery) - - - - - - - - - (Rx:PDI || if (SEPARATE==Set) OFFLINE - PAC_FOUND) && PSR.S_flag=1; - USE_COOKIE==Set PSR.insert_avp - ("Cookie"); - if (CARRY_NAP_INFO==Set) - PSR.insert_avp - ("NAP-Information"); - if (CARRY_ISP_INFO==Set) - PSR.insert_avp - ("ISP-Information"); - if (CARRY_PPAC==Set) - PSR.insert_avp - ("Post-PANA-Address- - Configuration"); - if (PROTECTION_CAP_IN_PSR - ==Set) - PSR.insert_avp - ("Protection-Cap."); - Tx:PSR(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (PSA processing) - - - - - - - - - - Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG - USE_COOKIE==Set PSA.S_flag==0) - SEPARATE=Unset; - if (SEPARATE==Set) - NAP_AUTH=Set|Unset; + - - - - - - - - (PCI and PAA initiated PANA) - - - - - - - - - + (Rx:PCI[] || if (OPTIMIZED_INIT == INITIAL + PAC_FOUND) Set) { EAP_Restart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------------------- - State: WAIT_EAP_MSG_IN_DISC - --------------------------- - - Exit Condition Exit Action Exit State - ------------------------+--------------------------+------------ - - - - - - - - - - - - (Send PSR with EAP-Request) - - - - - - - - EAP_REQUEST PSR.insert_avp STATEFUL_DISC - ("EAP-Payload"); - if (CARRY_NAP_INFO==Set) - PSR.insert_avp - ("NAP-Information"); - if (CARRY_ISP_INFO==Set) - PSR.insert_avp - ("ISP-Information"); - if (CARRY_PPAC==Set) - PSR.insert_avp - ("Post-PANA-Address- - Configuration"); - Tx:PSR(); + SessionTimerReStart + (FAILED_SESS_TIMEOUT); + } + else + Tx:PAR[S](); + EAP_REQUEST Tx:PAR[S]("EAP-Payload"); INITIAL RtxTimerStart(); - - EAP_TIMEOUT None(); OFFLINE - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -------------------- - State: STATEFUL_DISC - -------------------- - - Exit Condition Action Exit State - ------------------------+--------------------------+------------ - - - - - - - - - - - - - - (Stateful discovery)- - - - - - - - - - Rx:PSA if (SEPARATE==Set && WAIT_EAP_MSG - PSA.S_flag==0) - SEPARATE=Unset; - if (PSA.exist_avp - ("EAP-Payload")) - TxEAP(); - else { - if (SEPARATE==Set) - NAP_AUTH=Set|Unset; - EAP_Restart(); + - - - - - - - - - - - - - - (PAN Handling) - - - - - - - - - - + Rx:PAN[S] && if (PAN.exist_avp WAIT_EAP_MSG + ((OPTIMIZED_INIT == ("EAP-Payload")) + Unset) || TxEAP(); + PAN.exist_avp else { + ("EAP-Payload")) EAP_Restart(); + SessionTimerReStart + (FAILED_SESS_TIMEOUT); } - RtxTimerStop(); - EAP_TIMEOUT if (key_available()) WAIT_PEA - PER.insert_avp("AUTH"); - Tx:PER(); - RtxTimerStart(); + Rx:PAN[S] && None(); WAIT_PAN_OR_PAR + (OPTIMIZED_INIT == + Set) && + ! PAN.exist_avp + ("EAP-Payload") + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ------------------- State: WAIT_EAP_MSG ------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - -(Receiving EAP-Request)- - - - - - - - - - EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR - PAR.insert_avp("AUTH"); - if (SEPARATE==Set) { - PAR.S_flag=1; - if (NAP_AUTH==Set) - PAR.N_flag=1; + EAP_REQUEST if (NONCE_SENT==Unset) { WAIT_PAN_OR_PAR + Tx:PAR[]("Nonce", + "EAP-Payload"); + NONCE_SENT=Set; } - Tx:PAR(); - RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Receiving EAP-Success/Failure single EAP)- - - - - EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA - 1ST_EAP==Unset && ("EAP-Payload"); - SEPARATE==Unset if (key_available()) - PBR.insert_avp("AUTH"); - Tx:PBR(); - RtxTimerStart(); - - EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA - 1ST_EAP==Unset && ("EAP-Payload"); - SEPARATE==Unset && if (CARRY_DEVICE_ID==Set) - Authorize() PBR.insert_avp - ("Device-Id"); - if (CARRY_LIFETIME==Set) - PBR.insert_avp - ("Session-Lifetime"); - if (PROTECTION_CAP_IN_PBR - ==Set) - PBR.insert_avp - ("Protection-Cap."); - if (new_key_available()) - PBR.insert_avp - ("Key-Id"); - PBR.insert_avp - ("Algorithm"); - if (key_available()) - PBR.insert_avp("AUTH"); - Tx:PBR(); - RtxTimerStart(); - - EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA - 1ST_EAP==Unset && ("EAP-Payload"); - SEPARATE==Unset && if (new_key_available()) - !Authorize() PBR.insert_avp - ("Key-Id"); - PBR.insert_avp - ("Algorithm"); - if (key_available()) - PBR.insert_avp("AUTH"); - Tx:PBR(); - RtxTimerStart(); - - EAP_TIMEOUT && if (key_available()) WAIT_PEA - 1ST_EAP==Unset && PER.insert_avp("AUTH"); - SEPARATE==Unset Tx:PER(); - RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Receiving EAP-Success/Failure for 1st EAP)- - - - - EAP_FAILURE && 1ST_EAP=Failure WAIT_PFEA - 1ST_EAP==Unset && PFER.insert_avp - SEPARATE==Set && ("EAP-Payload"); - ABORT_ON_1ST_EAP_FAILURE if (key_available()) - ==Unset PFER.insert_avp("AUTH"); - PFER.S_flag=1; - if (NAP_AUTH) - PFER.N_flag=1; - Tx:PFER(); - RtxTimerStart(); - - EAP_FAILURE && 1ST_EAP=Failure WAIT_FAIL_PFEA - 1ST_EAP==Unset && PFER.insert_avp - SEPARATE==Set && ("EAP-Payload"); - ABORT_ON_1ST_EAP_FAILURE if (key_available()) - ==Set PFER.insert_avp("AUTH"); - PFER.S_flag=0; - Tx:PFER(); - RtxTimerStart(); - - EAP_SUCCESS && 1ST_EAP=Success WAIT_PFEA - 1ST_EAP==Unset && PFER.insert_avp - SEPARATE==Set ("EAP-Payload"); - if (new_key_available()) - PFER.insert_avp - ("Key-Id"); - PFER.insert_avp - ("Algorithm"); - if (key_available()) - PFER.insert_avp("AUTH"); - PFER.S_flag=1; - if (NAP_AUTH) - PFER.N_flag=1; - Tx:PFER(); - RtxTimerStart(); - - EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA - 1ST_EAP==Unset && if (key_available()) - SEPARATE==Set && PFER.insert_avp("AUTH"); - ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1; - ==Unset if (NAP_AUTH) - PFER.N_flag=1; - Tx:PFER(); - RtxTimerStart(); - - EAP_TIMEOUT && 1ST_EAP=Failure WAIT_FAIL_PFEA - 1ST_EAP==Unset && if (key_available()) - SEPARATE==Set && PFER.insert_avp("AUTH"); - ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset; - ==Set PFER.S_flag=0; - Tx:PFER(); + else + Tx:PAR[]("EAP-Payload"); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Receiving EAP-Success/Failure for 2nd EAP)- - - - - EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA - 1ST_EAP==Failure && ("EAP-Payload"); - SEPARATE==Set if (key_available()) - PBR.insert_avp("AUTH"); - PBR.S_flag=1; - if (NAP_AUTH) - PBR.N_flag=1; - Tx:PBR(); - RtxTimerStart(); - - EAP_FAILURE && PBR.insert_avp WAIT_SUCC_PBA - 1ST_EAP==Success && ("EAP-Payload"); - SEPARATE==Set && if (CARRY_DEVICE_ID==Set) - Authorize() PBR.insert_avp - ("Device-Id"); - if (CARRY_LIFETIME==Set) - PBR.insert_avp - ("Session-Lifetime"); - if (PROTECTION_CAP_IN_PBR - ==Set) - PBR.insert_avp - ("Protection-Cap."); - if (key_available()) - PBR.insert_avp("AUTH"); - PBR.S_flag=1; - if (NAP_AUTH) - PBR.N_flag=1; - Tx:PBR(); - RtxTimerStart(); - - EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA - 1ST_EAP==Success && ("EAP-Payload"); - SEPARATE==Set && if (key_available()) - !Authorize() PBR.insert_avp("AUTH"); - PBR.S_flag=1; - if (NAP_AUTH) - PBR.N_flag=1; - Tx:PBR(); - RtxTimerStart(); - - EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA - 1ST_EAP==Success && ("EAP-Payload"); - SEPARATE==Set && if (CARRY_DEVICE_ID==Set) - Authorize() PBR.insert_avp - ("Device-Id"); - if (CARRY_LIFETIME==Set) - PBR.insert_avp - ("Session-Lifetime"); - if (PROTECTION_CAP_IN_PBR - ==Set) - PBR.insert_avp - ("Protection-Cap."); - if (new_key_available()) - PBR.insert_avp - ("Key-Id"); - PBR.insert_avp - ("Algorithm"); - if (key_available()) - PBR.insert_avp("AUTH"); - PBR.S_flag=1; - if (NAP_AUTH) - PBR.N_flag=1; - Tx:PBR(); - RtxTimerStart(); - - EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA - 1ST_EAP==Success && ("EAP-Payload"); - SEPARATE==Set && if (new_key_available()) - !Authorize() PBR.insert_avp - ("Key-Id"); - PBR.insert_avp - ("Algorithm"); - if (key_available()) - PBR.insert_avp("AUTH"); - PBR.S_flag=1; - if (NAP_AUTH) - PBR.N_flag=1; - Tx:PBR(); + - - - - - - - - - - -(Receiving EAP-Success/Failure) - - - - - + EAP_FAILURE PAR.RESULT_CODE = WAIT_FAIL_PAN + PANA_AUTHENTICATION_ + REJECTED; + Tx:PAR[C]("EAP-Payload"); RtxTimerStart(); + SessionTimerStop(); - EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA - 1ST_EAP==Failure && ("EAP-Payload"); - SEPARATE==Set && if (CARRY_DEVICE_ID==Set) - Authorize() PBR.insert_avp - ("Device-Id"); - if (CARRY_LIFETIME==Set) - PBR.insert_avp - ("Session-Lifetime"); - if (PROTECTION_CAP_IN_PBR - ==Set) - PBR.insert_avp - ("Protection-Cap."); + EAP_SUCCESS && PAR.RESULT_CODE = WAIT_SUCC_PAN + Authorize() PANA_SUCCESS; if (new_key_available()) - PBR.insert_avp - ("Key-Id"); - PBR.insert_avp - ("Algorithm"); - if (key_available()) - PBR.insert_avp("AUTH"); - PBR.S_flag=1; - if (NAP_AUTH) - PBR.N_flag=1; - Tx:PBR(); - RtxTimerStart(); - - EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA - 1ST_EAP==Failure && ("EAP-Payload"); - SEPARATE==Set && if (new_key_available()) - !Authorize() PBR.insert_avp - ("Key-Id"); - PBR.insert_avp - ("Algorithm"); - if (key_available()) - PBR.insert_avp("AUTH"); - PBR.S_flag=1; - if (NAP_AUTH) - PBR.N_flag=1; - Tx:PBR(); - RtxTimerStart(); - EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA - 1ST_EAP==Failure && PBR.insert_avp("AUTH"); - SEPARATE==Set PBR.S_flag=1; - if (NAP_AUTH) - PBR.N_flag=1; - Tx:PBR(); + Tx:PAR[C]("EAP-Payload", + "Key-Id", "Algorithm"); + else + Tx:PAR[C]("EAP-Payload"); RtxTimerStart(); - EAP_TIMEOUT && if (CARRY_DEVICE_ID==Set) WAIT_SUCC_PBA - 1ST_EAP==Success && PBR.insert_avp - SEPARATE==Set && ("Device-Id"); - Authorize() if (CARRY_LIFETIME==Set) - PBR.insert_avp - ("Session-Lifetime"); - if (PROTECTION_CAP_IN_PBR - ==Set) - PBR.insert_avp - ("Protection-Cap."); + EAP_SUCCESS && PAR.RESULT_CODE = WAIT_FAIL_PAN + !Authorize() PANA_AUTHORIZATION_ + REJECTED; if (new_key_available()) - PBR.insert_avp - ("Key-Id"); - PBR.insert_avp - ("Algorithm"); - if (key_available()) - PBR.insert_avp("AUTH"); - PBR.S_flag=1; - if (NAP_AUTH) - PBR.N_flag=1; - Tx:PBR(); - RtxTimerStart(); - - EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA - 1ST_EAP==Success && PBR.insert_avp("AUTH"); - SEPARATE==Set && PBR.S_flag=1; - !Authorize() if (NAP_AUTH) - PBR.N_flag=1; - Tx:PBR(); - RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---------------- - State: WAIT_PFEA - ---------------- - - Event/Condition Action Exit State - ------------------------+--------------------------+------------ - - - - - - - - - - - - -(PFEA Processing)- - - - - - - - - - - - - Rx:PFEA && RtxTimerStop(); WAIT_EAP_MSG - (1ST_EAP==Success || EAP_Restart(); - (PFEA.S_flag==1 && if (NAP_AUTH==Set) - 1ST_EAP==Failure)) NAP_AUTH=Unset; + Tx:PAR[C]("EAP-Payload", + "Key-Id", "Algorithm"); else - NAP_AUTH=Set; - - Rx:PFEA && RtxTimerStop(); CLOSED - PFEA.S_flag==0 && Disconnect(); - 1ST_EAP==Failure + Tx:PAR[C]("EAP-Payload"); + RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------------- - State: WAIT_FAIL_PFEA - --------------------- - - Event/Condition Action Exit State - ------------------------+--------------------------+------------ - - - - - - - - - - - - - - -(PFEA Processing)- - - - - - - - - - - Rx:PFEA RtxTimerStop(); CLOSED + - - - - - (Receiving EAP-Timeout or invalid message) - - - - - + EAP_TIMEOUT SessionTimerStop(); CLOSED Disconnect(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -------------------- - State: WAIT_SUCC_PBA + State: WAIT_SUCC_PAN -------------------- Event/Condition Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - - (PBA Processing)- - - - - - - - - - - - Rx:PBA && SessionTimerStart(); OPEN - (CARRY_DEVICE_ID==Unset || - (CARRY_DEVICE_ID==Set && - PBA.exit_avp("Device-Id"))) - - Rx:PBA && PER.RESULT_CODE= WAIT_PEA - CARRY_DEVICE_ID==Set && PANA_MISSING_AVP - !PBA.exit_avp Tx:PER(); - ("Device-Id") RtxTimerStart(); + - - - - - - - - - - - - - (PAN Processing)- - - - - - - - - - - + Rx:PAN[C] RtxTimerStop(); OPEN + SessionTimerReStart + (LIFETIME_SESS_TIMEOUT); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -------------------- - State: WAIT_FAIL_PBA + State: WAIT_FAIL_PAN -------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - - - (PBA Processing)- - - - - - - - - - - Rx:PBA RtxTimerStop(); CLOSED + - - - - - - - - - - - - - - (PAN Processing)- - - - - - - - - - + Rx:PAN[C] RtxTimerStop(); CLOSED Disconnect(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ----------- State: OPEN ----------- - Event/Condition Action Exit State ------------------------+--------------------------+------------ - - - - - - - - (re-authentication initiated by PaC) - - - - - - - Rx:PRAR if (key_available()) WAIT_EAP_MSG - PRAA.insert_avp("AUTH"); + Rx:PNR[A] NONCE_SENT=Unset; WAIT_EAP_MSG EAP_Restart(); - 1ST_EAP=Unset; - NAP_AUTH=Set|Unset; - Tx:PRAA(); - SessionTimerStop(); + Tx:PNA[A](); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - - - REAUTH EAP_Restart(); WAIT_EAP_MSG - 1ST_EAP=Unset; - NAP_AUTH=Set|Unset; - SessionTimerStop(); + REAUTH || NONCE_SENT=Unset; WAIT_EAP_MSG + REAUTH_TIMEOUT EAP_Restart(); + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (liveness test based on PPR-PPA exchange initiated by PAA)- - PANA_PING Tx:PPR(); WAIT_PPA + - - (liveness test based on PNR-PNA exchange initiated by PAA)- + PANA_PING Tx:PNR[P](); WAIT_PNA_PING RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (liveness test based on PPR-PPA exchange initiated by PaC)- - Rx:PPR if (key_available()) OPEN - PPA.insert_avp("AUTH"); - Tx:PPA(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Session termination initated from PAA) - - - - - TERMINATE if (key_available()) SESS_TERM - PTR.insert_avp("AUTH"); - Tx:PTR(); + TERMINATE Tx:PTR[](); SESS_TERM + SessionTimerStop(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Session termination initated from PaC) - - - - - Rx:PTR if (key_available()) CLOSED - PTA.insert_avp("AUTH"); - Tx:PTA(); + Rx:PTR[] Tx:PTA[](); CLOSED + SessionTimerStop(); Disconnect(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Notification message) - - - - - - - - - - - - NOTIFY if (key_available()) WAIT_PUA - PUR.insert_avp("AUTH"); - Tx:PUR(); - RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Notification/Address update) - - - - - - - - - - Rx:PUR If (key_avaialble()) OPEN - PUA.insert_avp("AUTH"); - Tx:PUA(); - if (new_source_address()) - update_popa(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------- - State: WAIT_PPA - --------------- + -------------------- + State: WAIT_PNA_PING + -------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - - -(PPA processing) - - - - - - - - - - - Rx:PPA RtxTimerStop(); OPEN + - - - - - - - - - - - - - -(PNA processing) - - - - - - - - - - + Rx:PNA[P] RtxTimerStop(); OPEN - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---------------------- State: WAIT_PAN_OR_PAR ---------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ + - - - - - - - - - - - - - (PAR Processing)- - - - - - - - - - - + Rx:PAR[] TxEAP(); WAIT_EAP_MSG + RtxTimerStop(); + Tx:PAN[](); + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Pass EAP Response to the EAP authenticator)- - - - - Rx:PAN && TxEAP(); WAIT_EAP_MSG - PAN.exist_avp + Rx:PAN[] && TxEAP(); WAIT_EAP_MSG + PAN.exist_avp RtxTimerStop(); ("EAP-Payload") - - Rx:PAR TxEAP(); WAIT_EAP_MSG - if (key_available()) - PAN.insert_avp("AUTH"); - if (SEPARATE==Set) { - PAN.S_flag=1; - if (NAP_AUTH==Set) - PAN.N_flag=1; - } - RtxTimerStop(); - Tx:PAN(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (PAN without an EAP response) - - - - - - - - Rx:PAN && RtxTimerStop(); WAIT_PAN_OR_PAR + Rx:PAN[] && RtxTimerStop(); WAIT_PAN_OR_PAR !PAN.exist_avp ("EAP-Payload") - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(EAP retransmission) - - - - - - - - - - - EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR - PAR.insert_avp("AUTH"); - if (SEPARATE==Set) { - PAR.S_flag=1; - if (NAP_AUTH==Set) - PAR.N_flag=1; - } - Tx:PAR(); - RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(EAP authentication timeout)- - - - - - - - - - EAP_TIMEOUT && if (key_available()) WAIT_PEA - 1ST_EAP==Unset && PER.insert_avp("AUTH"); - SEPARATE==Unset Tx:PER(); - RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(EAP authentication timeout for 1st EAP)- - - - - - - EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA - 1ST_EAP==Unset && if (key_available()) - SEPARATE==Set && PFER.insert_avp("AUTH"); - ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1; - ==Unset if (NAP_AUTH) - PFER.N_flag=1; - Tx:PFER(); - RtxTimerStart(); - - EAP_TIMEOUT && 1ST_EAP=Failure WAIT_FAIL_PFEA - 1ST_EAP==Unset && if (key_available()) - SEPARATE==Set && PFER.insert_avp("AUTH"); - ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset; - ==Set PFER.S_flag=0; - Tx:PFER(); - RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(EAP authentication timeout for 2nd EAP)- - - - - - - EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA - 1ST_EAP==Failure && PBR.insert_avp("AUTH"); - SEPARATE==Set PBR.S_flag=1; - if (NAP_AUTH) - PBR.N_flag=1; - Tx:PBR(); - RtxTimerStart(); - - EAP_TIMEOUT && if (CARRY_DEVICE_ID==Set) WAIT_SUCC_PBA - 1ST_EAP==Success && PBR.insert_avp - SEPARATE==Set && ("Device-Id"); - Authorize() if (CARRY_LIFETIME==Set) - PBR.insert_avp - ("Session-Lifetime"); - if (PROTECTION_CAP_IN_PBR - ==Set) - PBR.insert_avp - ("Protection-Cap."); - if (new_key_available()) - PBR.insert_avp - ("Key-Id"); - PBR.insert_avp - ("Algorithm"); - if (key_available()) - PBR.insert_avp("AUTH"); - PBR.S_flag=1; - if (NAP_AUTH) - PBR.N_flag=1; - Tx:PBR(); - RtxTimerStart(); - - EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA - 1ST_EAP==Success && PBR.insert_avp("AUTH"); - SEPARATE==Set && PBR.S_flag=1; - !Authorize() if (NAP_AUTH) - PBR.N_flag=1; - Tx:PBR(); + EAP_REQUEST RtxTimerStop(); WAIT_PAN_OR_PAR + Tx:PAR[]("EAP-Payload"); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------- - State: WAIT_PUA - --------------- - - Exit Condition Exit Action Exit State - ------------------------+--------------------------+------------ - - - - - - - - - - - - - - (PUA processing)- - - - - - - - - - - - Rx:PUA RtxTimerStop(); OPEN + - - - - - - - (EAP authentication timeout or failure)- - - - - + EAP_FAILURE || RtxTimerStop(); CLOSED + EAP_TIMEOUT SessionTimerStop(); + Disconnect(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---------------- State: SESS_TERM ---------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - -(PTA processing) - - - - - - - - - - - Rx:PTA RtxTimerStop(); CLOSED - Disconnect(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------- - State: WAIT_PEA - --------------- - - Exit Condition Exit Action Exit State - ------------------------+--------------------------+------------ - - - - - - - - - - - - - - -(PEA processing) - - - - - - - - - - - Rx:PEA RtxTimerStop(); CLOSED + Rx:PTA[] RtxTimerStop(); CLOSED Disconnect(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -8. Mobility Optimization Support - - The state machines outlined in preceeding sections provide only PANA - base protocol functionality. In order to support PANA mobility - optimization outlined in [I-D.ietf-pana-mobopts], additions and - changes to the PaC and PAA state machines is required. The additions - and changes provides only basic mobility optimization and is not - explicit on integration of other mobility functionality such as - context-transfer mechanisms. However, it does provide enough - flexibility to accomodate future inclusion of such mechanisms. - - The model depicted by [I-D.ietf-pana-mobopts] generally involves the - PaC changing its point of attachment during an active PANA session. - Mobility optimization is achieved by avoiding a full EAP - authentication sequence during this change. To support this, state - transitions described in this section assume that the PaC state - machine reverts to the OFFLINE state but maintains the session - information including security association from the previous active - session. It is also assumed that the PAA state machine initializes - to the OFFLINE state as normal but must also have access to session - information and security association from the previous active - session. A method of how a PAA session context is transferred can be - found in [I-D.ietf-pana-cxtp]. - - The variables, procedures and state transition described in this - section is designed to be seamlessly integrated into the appropriate - base protocol state machines. They should be treated as a mobility - optimization addendum to the base protocol state machine. In this - addendum, no additional states has been defined but some - modifications to the base protocol state machine is required. The - modifications are to accomodate the mobility variables and procedures - as they relate to existing state transition actions and events. - These modifications to existing state transition are noted in state - transition tables in this section. These modified state transitions - are intended to replace thier base protocol counterpart. Addition of - new state transitions specific to mobility optimization is also - present. Variable initialization also need to be added to the - appropriate base protocol state to complete the mobility optimization - support. - -8.1. Common Variables - - MOBILITY - - This variable indicates whether the mobility handling feature - described in [I-D.ietf-pana-mobopts] is supported. This should be - present in both PaC and PAA state machine. Existing state - transitions in the base protocol state machine that can be - affected by mobility optimization must treat this variable as - being Unset unless the state transitions is explicitly redefined - in this section. - -8.2. PaC Mobility Optimization State Machine - -8.2.1. Variables - - PANA_SA_RESUMED - - This variable indicates whether the PANA SA of a previous PANA - session was resumed during the discovery and initial handshake. - -8.2.2. Procedures - - boolean resume_pana_sa() - - This procedure returns TRUE when a PANA SA for a previously - established PANA Session is resumed, otherwise returns FALSE. - Once a PANA SA is resumed, key_available() procedure must return - TRUE. Existing state transitions in the base protocol state - machine that can be affected by mobility optimization must assume - that this procedure always returns FALSE unless the state - transition is explicitly redefined in this section. - -8.2.3. PaC Mobility Optimization State Transition Table Addendum - - ------------------------------ - State: OFFLINE (Initial State) - ------------------------------ - - Initialization Action: - - MOBILITY=Set|Unset; - PANA_SA_RESUMED=Unset; - - Exit Condition Exit Action Exit State - ------------------------+--------------------------+------------ - - - - - - - - - (PSR processing with mobility support)- - - - - - - The following state transitions are intended to be added - - - to the OFFLINE state of the PaC base protocol state - - - machine. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Rx:PSR && RtxTimerStop(); WAIT_PAA - !PSR.exist_avp PSA.insert_avp - ("EAP-Payload") && ("Session-Id"); - MOBILITY==Set && SEPARATE=Unset; - resume_pana_sa() && PANA_SA_RESUMED=Set; - PSR.exist_avp PSA.insert_avp("Cookie"); - ("Cookie") PSA.insert_avp("AUTH"); - Tx:PSA(); - RtxTimerStart(); - - Rx:PSR && RtxTimerStop(); WAIT_PAA - !PSR.exist_avp PSA.insert_avp - ("EAP-Payload") && ("Session-Id"); - MOBILITY==Set && PSA.insert_avp("AUTH"); - resume_pana_sa() && Tx:PSA(); - !PSR.exist_avp PANA_SA_RESUMED=Set; - ("Cookie") - - --------------- - State: WAIT_PAA - --------------- - - Exit Condition Exit Action Exit State - ------------------------+--------------------------+------------ - - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - - - - The following state transitions are intended to replace - - - existing base protocol state transitions. Original base - - - protocol state transitions can be referenced by the same - - - exit conditions that exist in the WAIT_PAA state of the PaC - - - base protocol state machine. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG - !eap_piggyback() TxEAP(); - PANA_SA_RESUMED=Unset; - EAP_RespTimerStart(); - if (key_available()) - PAN.insert_avp("AUTH"); - PAN.S_flag=PAR.S_flag; - PAN.N_flag=PAR.N_flag; - Tx:PAN(); - - Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG - eap_piggyback() TxEAP(); - PANA_SA_RESUMED=Unset; - EAP_RespTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - - - - The following state transitions are intended to replace - - - existing base protocol state transitions. Original base - - - protocol state transitions can be referenced by exit - - - conditions that excludes PANA_SA_RESUMED variable checks. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Rx:PBR && TxEAP(); WAIT_EAP_RESULT - 1ST_EAP==Unset && if (PBR.exist_avp - SEPARATE==Unset && ("Device-Id")) - PBR.RESULT_CODE== CARRY_DEVICE_ID=Set; - PANA_SUCCESS && - PANA_SA_RESUMED!=Set - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (PBR processing with mobility support)- - - - - - - The following state transitions are intended to be added - - - to the WAIT_PAA state of the PaC base protocol state - - - machine. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Rx:PBR && PBA.insert_avp("Key-Id"); OPEN - 1ST_EAP==Unset && PBA.insert_avp("AUTH"); - SEPARATE==Unset && if (PBR.exist_avp - PBR.RESULT_CODE== ("Device-Id")) - PANA_SUCCESS && PBA.insert("Device-Id"); - PANA_SA_RESUMED==Set && Tx:PBA(); - PBR.exist_avp Authorize(); - ("Key-Id") && SessionTimerStart(); - PBR.exist_avp - ("AUTH") - - ----------- - State: OPEN - ----------- - - Exit Condition Exit Action Exit State - ------------------------+--------------------------+------------- - - - - - - - - - - (re-authentication initiated by PaC)- - - - - - - - The following state transitions are intended to replace - - - existing base protocol state transitions. Original base - - - protocol state transitions can be referenced by the same - - - exit conditions that exist in the OPEN state of the PaC - - - base protocol state machine. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - REAUTH SEPARATE=Set|Unset; WAIT_PRAA - 1ST_EAP=Unset; - PANA_SA_RESUMED=Unset; - if (key_available()) - PRAR.insert_avp("AUTH"); - Tx:PRAR(); - RtxTimerStart(); - SessionTimerStop(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - - - Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG - !eap_piggyback() 1ST_EAP=Unset; - PANA_SA_RESUMED=Unset; - EAP_RespTimerStart(); - TxEAP(); - if (key_available()) - PAN.insert_avp("AUTH"); - PAN.S_flag=PAR.S_flag; - PAN.N_flag=PAR.N_flag; - Tx:PAN(); - SessionTimerStop(); - - Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG - eap_piggyback() 1ST_EAP=Unset; - PANA_SA_RESUMED=Unset; - EAP_RespTimerStart(); - TxEAP(); - SessionTimerStop(); - -8.3. PAA Mobility Optimization - -8.3.1. Procedures - - boolean retrieve_pana_sa(Session-Id) - - This procedure returns TRUE when a PANA SA for the PANA Session - corresponds to the specified Session-Id has been retrieved, - otherwise returns FALSE. - -8.3.2. PAA Mobility Optimization State Transition Table Addendum - ------------------------------ - State: OFFLINE (Initial State) - ------------------------------ - - Initialization Action: - - MOBILITY=Set|Unset; - - Exit Condition Exit Action Exit State - ------------------------+--------------------------+------------ - - - - - - - - (PSA processing with mobility support) - - - - - - - - The following state transitions are intended to replace - - - existing base protocol state transitions. Original base - - - protocol state transitions can be referenced by exit - - - conditions that excludes MOBILITY variable checks and - - - retrieve_pana_sa() procedure calls. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG - (!PSA.exist_avp PSA.S_flag==0) - ("Session-Id") || SEPARATE=Unset; - MOBILITY==Unset || if (SEPARATE==Set) - (MOBILITY==Set && NAP_AUTH=Set|Unset; - !retrieve_pana_sa EAP_Restart(); - (PSA.SESSION_ID))) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (PSA processing with mobility support)- - - - - - Rx:PSA && PBR.insert_avp("AUTH"); WAIT_SUCC_PBA - PSA.exist_avp PBR.insert_avp("Key-Id"); - ("Session-Id") && if (CARRY_DEVICE_ID==Set) - MOBILITY==Set && PBR.insert_avp - retrieve_pana_sa ("Device-Id"); - (PSA.SESSION_ID) if (PROTECTION_CAP_IN_PBR - ==Set) - PBR.insert_avp - ("Protection-Cap."); - Tx:PBR(); - RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -9. Implementation Considerations +8. Implementation Considerations -9.1. PAA and PaC Interface to Service Management Entity +8.1. PAA and PaC Interface to Service Management Entity In general, it is assumed in each device that has a PANA protocol stack that there is a Service Management Entity (SME) that manages the PANA protocol stack. It is recommended that a generic interface (i.e., the SME-PANA interface) between the SME and the PANA protocol stack be provided by the implementation. Especially, common procedures such as startup, shutdown, re-authenticate signals and provisions for extracting keying material should be provided by such an interface. The SME-PANA interface in a PAA device should also provide a method for communicating filtering parameters to the EP(s). When cryptographic filtering is used, the filtering parameters include keying material used for bootstrapping per-packet ciphering. When a PAA device interacts with the backend authentication server using a AAA protocol, its SME may also have an interface to the AAA protocol to obtain authorization parameters such as the authorization lifetime and additional filtering parameters. -9.2. Multicast Traffic - - In general, binding a UDP socket to a multicast address and/or port - is system dependent. In most systems, a socket can be bound to any - address and a specific port. This allows the socket to receive all - packets destined for the local host (on all it's local addresses) for - that port. If the host subscribes to a multicast addresses then this - socket will also receive multicast traffic as well. In some systems, - this would also result in the socket receiving all multicast traffic - even though it has subscribed to only one multicast address. This is - because most physical interfaces has either multicast traffic enabled - or disabled and does not provide specific address filtering. - Normally, it is not possible to filter out specific traffic on a - socket from the user level. Most environments provides lower layer - filtering that allows the use of only one socket to receive both - unicast and specific multicast address. However it might introduce - portability problems. - -10. Security Considerations +9. Security Considerations This document's intent is to describe the PANA state machines fully. To this end, any security concerns with this document are likely a reflection of security concerns with PANA itself. -11. IANA Considerations +10. IANA Considerations This document has no actions for IANA. -12. Acknowledgments +11. Acknowledgments This work was started from state machines originally made by Dan Forsberg. -13. References +12. References -13.1. Normative References +12.1. Normative References [I-D.ietf-pana-pana] Forsberg, D., "Protocol for Carrying Authentication for - Network Access (PANA)", draft-ietf-pana-pana-11 (work in - progress), March 2006. + Network Access (PANA)", draft-ietf-pana-pana-17 (work in + progress), June 2007. [I-D.ietf-pana-mobopts] Forsberg, D., "PANA Mobility Optimizations", draft-ietf-pana-mobopts-01 (work in progress), October 2005. -13.2. Informative References +12.2. Informative References [RFC4137] Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, "State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator", RFC 4137, August 2005. - [I-D.ietf-pana-cxtp] - Bournelle, J., "Use of Context Transfer Protocol (CXTP) - for PANA", draft-ietf-pana-cxtp-01 (work in progress), - March 2006. - Authors' Addresses - Victor Fajardo + Victor Fajardo (editor) Toshiba America Research, Inc. 1 Telcordia Drive Piscataway, NJ 08854 USA Phone: +1 732 699 5368 Email: vfajardo@tari.toshiba.com Yoshihiro Ohba Toshiba America Research, Inc. @@ -2528,21 +1230,37 @@ Phone: +1 732 699 5305 Email: yohba@tari.toshiba.com Rafa Marin Lopez University of Murcia 30071 Murcia Spain Email: rafa@dif.um.es -Intellectual Property Statement +Full Copyright Statement + + Copyright (C) The IETF Trust (2007). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. @@ -2552,30 +1270,14 @@ such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. -Disclaimer of Validity - - This document and the information contained herein are provided on an - "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS - OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET - ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, - INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE - INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED - WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Copyright Statement - - Copyright (C) The Internet Society (2006). This document is subject - to the rights, licenses and restrictions contained in BCP 78, and - except as set forth therein, the authors retain all their rights. - Acknowledgment - Funding for the RFC Editor function is currently provided by the - Internet Society. + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA).