| draft-ietf-pana-statemachine-05.txt | draft-ietf-pana-statemachine-06.txt | |||
|---|---|---|---|---|
| PANA Working Group V. Fajardo, Ed. | PANA Working Group V. Fajardo, Ed. | |||
| Internet-Draft Y. Ohba | Internet-Draft Y. Ohba | |||
| Expires: January 5, 2008 TARI | Expires: April 3, 2008 TARI | |||
| R. Lopez | R. Lopez | |||
| Univ. of Murcia | Univ. of Murcia | |||
| July 4, 2007 | October 1, 2007 | |||
| State Machines for Protocol for Carrying Authentication for Network | State Machines for Protocol for Carrying Authentication for Network | |||
| Access (PANA) | Access (PANA) | |||
| draft-ietf-pana-statemachine-05 | draft-ietf-pana-statemachine-06 | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 37 | skipping to change at page 1, line 37 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on January 5, 2008. | This Internet-Draft will expire on April 3, 2008. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2007). | |||
| Abstract | Abstract | |||
| This document defines the conceptual state machines for the Protocol | This document defines the conceptual state machines for the Protocol | |||
| for Carrying Authentication for Network Access (PANA). The state | for Carrying Authentication for Network Access (PANA). The state | |||
| machines consist of the PANA Client (PaC) state machine and the PANA | machines consist of the PANA Client (PaC) state machine and the PANA | |||
| skipping to change at page 3, line 14 | skipping to change at page 3, line 14 | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Interface Between PANA and EAP . . . . . . . . . . . . . . . . 5 | 2. Interface Between PANA and EAP . . . . . . . . . . . . . . . . 5 | |||
| 3. Document Authority . . . . . . . . . . . . . . . . . . . . . . 7 | 3. Document Authority . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 4. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 5. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 5. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.1. Common Procedures . . . . . . . . . . . . . . . . . . . . 10 | 5.1. Common Procedures . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.2. Common Variables . . . . . . . . . . . . . . . . . . . . . 12 | 5.2. Common Variables . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 5.3. Constants . . . . . . . . . . . . . . . . . . . . . . . . 13 | 5.3. Constants . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 5.4. Common Message Initialization Rules . . . . . . . . . . . 14 | 5.4. Common Message Initialization Rules . . . . . . . . . . . 14 | |||
| 5.5. Common Retransmition Rules . . . . . . . . . . . . . . . . 14 | 5.5. Common Retransmition Rules . . . . . . . . . . . . . . . . 14 | |||
| 5.6. Common State Transitions . . . . . . . . . . . . . . . . . 14 | 5.6. Common State Transitions . . . . . . . . . . . . . . . . . 14 | |||
| 6. PaC State Machine . . . . . . . . . . . . . . . . . . . . . . 16 | 6. PaC State Machine . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 6.1. Interface between PaC and EAP Peer . . . . . . . . . . . . 16 | 6.1. Interface between PaC and EAP Peer . . . . . . . . . . . . 16 | |||
| 6.1.1. Delivering EAP Messages from PaC to EAP Peer . . . . . 16 | 6.1.1. Delivering EAP Messages from PaC to EAP Peer . . . . . 16 | |||
| 6.1.2. Delivering EAP Messages from EAP Peer to PaC . . . . . 16 | 6.1.2. Delivering EAP Messages from EAP Peer to PaC . . . . . 16 | |||
| 6.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 16 | 6.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 16 | |||
| 6.1.4. EAP Authentication Result Notification from EAP | 6.1.4. EAP Authentication Result Notification from EAP | |||
| Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17 | Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17 | |||
| skipping to change at page 10, line 31 | skipping to change at page 10, line 31 | |||
| void Disconnect() | void Disconnect() | |||
| A procedure to delete the PANA session as well as the | A procedure to delete the PANA session as well as the | |||
| corresponding EAP session and authorization state. | corresponding EAP session and authorization state. | |||
| boolean Authorize() | boolean Authorize() | |||
| A procedure to create or modify authorization state. It returns | A procedure to create or modify authorization state. It returns | |||
| TRUE if authorization is successful. Otherwise, it returns FALSE. | TRUE if authorization is successful. Otherwise, it returns FALSE. | |||
| It is assumed that Authorize() procedure of PaC state machine | It is assumed that Authorize() procedure of PaC state machine | |||
| always returns TRUE. | always returns TRUE. In the case that a non-key-generating EAP | |||
| method is used but a PANA SA is required after successful | ||||
| authentication (generate_pana_sa() returns TRUE), Authorize() | ||||
| procedure must return FALSE. | ||||
| void Tx:PANA_MESSAGE_NAME[flag](AVPs) | void Tx:PANA_MESSAGE_NAME[flag](AVPs) | |||
| A procedure to send a PANA message to its peering PANA entity. | A procedure to send a PANA message to its peering PANA entity. | |||
| The "flag" argment contains a flag (e.g., Tx:PAR[C]) to be set to | The "flag" argment contains a flag (e.g., Tx:PAR[C]) to be set to | |||
| the message, except for 'R' (Request) flag. The "AVPs" contains a | the message, except for 'R' (Request) flag. The "AVPs" contains a | |||
| list of names of optional AVPs to be inserted in the message, | list of names of optional AVPs to be inserted in the message, | |||
| except for AUTH AVP. | except for AUTH AVP. | |||
| This procedure includes the following action before actual | This procedure includes the following action before actual | |||
| skipping to change at page 12, line 18 | skipping to change at page 12, line 18 | |||
| of AVP names in the PANA message. When an AVP name ends with "*", | of AVP names in the PANA message. When an AVP name ends with "*", | |||
| zero, one or more AVPs are inserted, otherwise one AVP is | zero, one or more AVPs are inserted, otherwise one AVP is | |||
| inserted. | inserted. | |||
| boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME") | boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME") | |||
| A procedure that checks whether an AVP of the specified AVP name | A procedure that checks whether an AVP of the specified AVP name | |||
| exists in the specified PANA message and returns TRUE if the | exists in the specified PANA message and returns TRUE if the | |||
| specified AVP is found, otherwise returns FALSE. | specified AVP is found, otherwise returns FALSE. | |||
| boolean generate_pana_sa() | ||||
| A procedure to check whether the EAP method being used generates | ||||
| keys and that a PANA SA will be established on successful | ||||
| authentication. For the PaC, the procedure is also used to check | ||||
| and match the PRF and Integrity algorithm AVPs advertised by the | ||||
| PAA in PAR[S] message. For the PAA, it is used to indicate | ||||
| whether a PRF and Integrity algorithm AVPs will be sent in the | ||||
| PAR[S]. This procedure will return true if a PANA SA will be | ||||
| generated. Otherwise, it returns FALSE. | ||||
| boolean key_available() | boolean key_available() | |||
| A procedure to check whether the PANA session has a PANA_AUTH_KEY. | A procedure to check whether the PANA session has a PANA_AUTH_KEY. | |||
| If the state machine already has a PANA_AUTH_KEY, it returns TRUE. | If the state machine already has a PANA_AUTH_KEY, it returns TRUE. | |||
| If the state machine does not have a PANA_AUTH_KEY, it tries to | If the state machine does not have a PANA_AUTH_KEY, it tries to | |||
| retrieve a AAA-Key from the EAP entity. If a AAA-Key is | retrieve a AAA-Key from the EAP entity. If a AAA-Key is | |||
| retrieved, it computes a PANA_AUTH_KEY from the AAA-Key and | retrieved, it computes a PANA_AUTH_KEY from the AAA-Key and | |||
| returns TRUE. Otherwise, it returns FALSE. | returns TRUE. Otherwise, it returns FALSE. | |||
| 5.2. Common Variables | 5.2. Common Variables | |||
| skipping to change at page 19, line 20 | skipping to change at page 19, line 20 | |||
| Exit Condition Exit Action Exit State | Exit Condition Exit Action Exit State | |||
| ------------------------+--------------------------+----------- | ------------------------+--------------------------+----------- | |||
| - - - - - - - - - - (PaC-initiated Handshake) - - - - - - - - - | - - - - - - - - - - (PaC-initiated Handshake) - - - - - - - - - | |||
| AUTH_USER Tx:PCI[](); INITIAL | AUTH_USER Tx:PCI[](); INITIAL | |||
| RtxTimerStart(); | RtxTimerStart(); | |||
| SessionTimerReStart | SessionTimerReStart | |||
| (FAILED_SESS_TIMEOUT); | (FAILED_SESS_TIMEOUT); | |||
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
| - - - - - - -(PAA-initiated Handshake, not optimized) - - - - - | - - - - - - -(PAA-initiated Handshake, not optimized) - - - - - | |||
| Rx:PAR[S] && Tx:PAN[S](); WAIT_PAA | Rx:PAR[S] && EAP_Restart(); WAIT_PAA | |||
| !PAR.exist_avp EAP_Restart(); | !PAR.exist_avp SessionTimerReStart | |||
| ("EAP-Payload") SessionTimerReStart | ("EAP-Payload") (FAILED_SESS_TIMEOUT); | |||
| (FAILED_SESS_TIMEOUT); | if (generate_pana_sa()) | |||
| Tx:PAN[S]("PRF-Algorithm", | ||||
| "Integrity-Algorithm"); | ||||
| else | ||||
| Tx:PAN[S](); | ||||
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
| - - - - - - - -(PAA-initiated Handshake, optimized) - - - - - - | - - - - - - - -(PAA-initiated Handshake, optimized) - - - - - - | |||
| Rx:PAR[S] && EAP_Restart(); INITIAL | Rx:PAR[S] && EAP_Restart(); INITIAL | |||
| PAR.exist_avp TxEAP(); | PAR.exist_avp TxEAP(); | |||
| ("EAP-Payload") && SessionTimerReStart | ("EAP-Payload") && SessionTimerReStart | |||
| eap_piggyback() (FAILED_SESS_TIMEOUT); | eap_piggyback() (FAILED_SESS_TIMEOUT); | |||
| Rx:PAR[S] && EAP_Restart(); WAIT_EAP_MSG | Rx:PAR[S] && EAP_Restart(); WAIT_EAP_MSG | |||
| PAR.exist_avp TxEAP(); | PAR.exist_avp TxEAP(); | |||
| ("EAP-Payload") && SessionTimerReStart | ("EAP-Payload") && SessionTimerReStart | |||
| !eap_piggyback() (FAILED_SESS_TIMEOUT); | !eap_piggyback() (FAILED_SESS_TIMEOUT); | |||
| TxPAN[S](); | if (generate_pana_sa()) | |||
| Tx:PAN[S]("PRF-Algorithm", | ||||
| "Integrity-Algorithm"); | ||||
| else | ||||
| Tx:PAN[S](); | ||||
| EAP_RESPONSE Tx:PAN[S]("EAP-Payload"); WAIT_PAA | EAP_RESPONSE if (generate_pana_sa()) WAIT_PAA | |||
| Tx:PAN[S]("EAP-Payload", | ||||
| "PRF-Algorithm", | ||||
| "Integrity-Algorithm"); | ||||
| else | ||||
| Tx:PAN[S]("EAP-Payload"); | ||||
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
| --------------- | --------------- | |||
| State: WAIT_PAA | State: WAIT_PAA | |||
| --------------- | --------------- | |||
| Exit Condition Exit Action Exit State | Exit Condition Exit Action Exit State | |||
| ------------------------+--------------------------+------------ | ------------------------+--------------------------+------------ | |||
| - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - - | - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - - | |||
| Rx:PAR[] && RtxTimerStop(); WAIT_EAP_MSG | Rx:PAR[] && RtxTimerStop(); WAIT_EAP_MSG | |||
| skipping to change at page 26, line 50 | skipping to change at page 26, line 50 | |||
| Exit Condition Exit Action Exit State | Exit Condition Exit Action Exit State | |||
| ------------------------+--------------------------+------------ | ------------------------+--------------------------+------------ | |||
| - - - - - - - - (PCI and PAA initiated PANA) - - - - - - - - - | - - - - - - - - (PCI and PAA initiated PANA) - - - - - - - - - | |||
| (Rx:PCI[] || if (OPTIMIZED_INIT == INITIAL | (Rx:PCI[] || if (OPTIMIZED_INIT == INITIAL | |||
| PAC_FOUND) Set) { | PAC_FOUND) Set) { | |||
| EAP_Restart(); | EAP_Restart(); | |||
| SessionTimerReStart | SessionTimerReStart | |||
| (FAILED_SESS_TIMEOUT); | (FAILED_SESS_TIMEOUT); | |||
| } | } | |||
| else { | ||||
| if (generate_pana_sa()) | ||||
| Tx:PAR[S]("PRF-Algorithm", | ||||
| "Integrity-Algorithm"); | ||||
| else | else | |||
| Tx:PAR[S](); | Tx:PAR[S](); | |||
| EAP_REQUEST Tx:PAR[S]("EAP-Payload"); INITIAL | } | |||
| EAP_REQUEST if (generate_pana_sa()) INITIAL | ||||
| Tx:PAR[S]("EAP-Payload", | ||||
| "PRF-Algorithm", | ||||
| "Integrity-Algorithm"); | ||||
| else | ||||
| Tx:PAR[S]("EAP-Payload"); | ||||
| RtxTimerStart(); | RtxTimerStart(); | |||
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
| - - - - - - - - - - - - - - (PAN Handling) - - - - - - - - - - | - - - - - - - - - - - - - - (PAN Handling) - - - - - - - - - - | |||
| Rx:PAN[S] && if (PAN.exist_avp WAIT_EAP_MSG | Rx:PAN[S] && if (PAN.exist_avp WAIT_EAP_MSG | |||
| ((OPTIMIZED_INIT == ("EAP-Payload")) | ((OPTIMIZED_INIT == ("EAP-Payload")) | |||
| Unset) || TxEAP(); | Unset) || TxEAP(); | |||
| PAN.exist_avp else { | PAN.exist_avp else { | |||
| ("EAP-Payload")) EAP_Restart(); | ("EAP-Payload")) EAP_Restart(); | |||
| SessionTimerReStart | SessionTimerReStart | |||
| skipping to change at page 28, line 6 | skipping to change at page 28, line 16 | |||
| PANA_AUTHENTICATION_ | PANA_AUTHENTICATION_ | |||
| REJECTED; | REJECTED; | |||
| Tx:PAR[C]("EAP-Payload"); | Tx:PAR[C]("EAP-Payload"); | |||
| RtxTimerStart(); | RtxTimerStart(); | |||
| SessionTimerStop(); | SessionTimerStop(); | |||
| EAP_SUCCESS && PAR.RESULT_CODE = WAIT_SUCC_PAN | EAP_SUCCESS && PAR.RESULT_CODE = WAIT_SUCC_PAN | |||
| Authorize() PANA_SUCCESS; | Authorize() PANA_SUCCESS; | |||
| if (new_key_available()) | if (new_key_available()) | |||
| Tx:PAR[C]("EAP-Payload", | Tx:PAR[C]("EAP-Payload", | |||
| "Key-Id", "Algorithm"); | "Key-Id"); | |||
| else | else | |||
| Tx:PAR[C]("EAP-Payload"); | Tx:PAR[C]("EAP-Payload"); | |||
| RtxTimerStart(); | RtxTimerStart(); | |||
| EAP_SUCCESS && PAR.RESULT_CODE = WAIT_FAIL_PAN | EAP_SUCCESS && PAR.RESULT_CODE = WAIT_FAIL_PAN | |||
| !Authorize() PANA_AUTHORIZATION_ | !Authorize() PANA_AUTHORIZATION_ | |||
| REJECTED; | REJECTED; | |||
| if (new_key_available()) | if (new_key_available()) | |||
| Tx:PAR[C]("EAP-Payload", | Tx:PAR[C]("EAP-Payload", | |||
| "Key-Id", "Algorithm"); | "Key-Id"); | |||
| else | else | |||
| Tx:PAR[C]("EAP-Payload"); | Tx:PAR[C]("EAP-Payload"); | |||
| RtxTimerStart(); | RtxTimerStart(); | |||
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
| - - - - - (Receiving EAP-Timeout or invalid message) - - - - - | - - - - - (Receiving EAP-Timeout or invalid message) - - - - - | |||
| EAP_TIMEOUT SessionTimerStop(); CLOSED | EAP_TIMEOUT SessionTimerStop(); CLOSED | |||
| Disconnect(); | Disconnect(); | |||
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
| -------------------- | -------------------- | |||
| skipping to change at page 35, line 10 | skipping to change at page 35, line 10 | |||
| 11. Acknowledgments | 11. Acknowledgments | |||
| This work was started from state machines originally made by Dan | This work was started from state machines originally made by Dan | |||
| Forsberg. | Forsberg. | |||
| 12. References | 12. References | |||
| 12.1. Normative References | 12.1. Normative References | |||
| [I-D.ietf-pana-pana] | [I-D.ietf-pana-pana] | |||
| Forsberg, D., "Protocol for Carrying Authentication for | Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., and A. | |||
| Network Access (PANA)", draft-ietf-pana-pana-17 (work in | Yegin, "Protocol for Carrying Authentication for Network | |||
| progress), June 2007. | Access (PANA)", draft-ietf-pana-pana-18 (work in | |||
| progress), September 2007. | ||||
| [I-D.ietf-pana-mobopts] | [I-D.ietf-pana-mobopts] | |||
| Forsberg, D., "PANA Mobility Optimizations", | Forsberg, D., "PANA Mobility Optimizations", | |||
| draft-ietf-pana-mobopts-01 (work in progress), | draft-ietf-pana-mobopts-01 (work in progress), | |||
| October 2005. | October 2005. | |||
| 12.2. Informative References | 12.2. Informative References | |||
| [RFC4137] Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, | [RFC4137] Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, | |||
| "State Machines for Extensible Authentication Protocol | "State Machines for Extensible Authentication Protocol | |||
| End of changes. 15 change blocks. | ||||
| 18 lines changed or deleted | 57 lines changed or added | |||
This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||