draft-ietf-pana-statemachine-05.txt   draft-ietf-pana-statemachine-06.txt 
PANA Working Group V. Fajardo, Ed. PANA Working Group V. Fajardo, Ed.
Internet-Draft Y. Ohba Internet-Draft Y. Ohba
Expires: January 5, 2008 TARI Expires: April 3, 2008 TARI
R. Lopez R. Lopez
Univ. of Murcia Univ. of Murcia
July 4, 2007 October 1, 2007
State Machines for Protocol for Carrying Authentication for Network State Machines for Protocol for Carrying Authentication for Network
Access (PANA) Access (PANA)
draft-ietf-pana-statemachine-05 draft-ietf-pana-statemachine-06
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 37 skipping to change at page 1, line 37
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 5, 2008. This Internet-Draft will expire on April 3, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
Abstract Abstract
This document defines the conceptual state machines for the Protocol This document defines the conceptual state machines for the Protocol
for Carrying Authentication for Network Access (PANA). The state for Carrying Authentication for Network Access (PANA). The state
machines consist of the PANA Client (PaC) state machine and the PANA machines consist of the PANA Client (PaC) state machine and the PANA
skipping to change at page 3, line 14 skipping to change at page 3, line 14
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Interface Between PANA and EAP . . . . . . . . . . . . . . . . 5 2. Interface Between PANA and EAP . . . . . . . . . . . . . . . . 5
3. Document Authority . . . . . . . . . . . . . . . . . . . . . . 7 3. Document Authority . . . . . . . . . . . . . . . . . . . . . . 7
4. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 8
5. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 10 5. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 10
5.1. Common Procedures . . . . . . . . . . . . . . . . . . . . 10 5.1. Common Procedures . . . . . . . . . . . . . . . . . . . . 10
5.2. Common Variables . . . . . . . . . . . . . . . . . . . . . 12 5.2. Common Variables . . . . . . . . . . . . . . . . . . . . . 12
5.3. Constants . . . . . . . . . . . . . . . . . . . . . . . . 13 5.3. Constants . . . . . . . . . . . . . . . . . . . . . . . . 14
5.4. Common Message Initialization Rules . . . . . . . . . . . 14 5.4. Common Message Initialization Rules . . . . . . . . . . . 14
5.5. Common Retransmition Rules . . . . . . . . . . . . . . . . 14 5.5. Common Retransmition Rules . . . . . . . . . . . . . . . . 14
5.6. Common State Transitions . . . . . . . . . . . . . . . . . 14 5.6. Common State Transitions . . . . . . . . . . . . . . . . . 14
6. PaC State Machine . . . . . . . . . . . . . . . . . . . . . . 16 6. PaC State Machine . . . . . . . . . . . . . . . . . . . . . . 16
6.1. Interface between PaC and EAP Peer . . . . . . . . . . . . 16 6.1. Interface between PaC and EAP Peer . . . . . . . . . . . . 16
6.1.1. Delivering EAP Messages from PaC to EAP Peer . . . . . 16 6.1.1. Delivering EAP Messages from PaC to EAP Peer . . . . . 16
6.1.2. Delivering EAP Messages from EAP Peer to PaC . . . . . 16 6.1.2. Delivering EAP Messages from EAP Peer to PaC . . . . . 16
6.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 16 6.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 16
6.1.4. EAP Authentication Result Notification from EAP 6.1.4. EAP Authentication Result Notification from EAP
Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17 Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17
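Review bot: the 5.5 entry reads "Common Retransmition Rules" in both columns; correct the spelling to "Retransmission" here and in the section heading it points to, since this revision touches the ToC anyway (5.3 moves from page 13 to 14).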
skipping to change at page 10, line 31 skipping to change at page 10, line 31
void Disconnect() void Disconnect()
A procedure to delete the PANA session as well as the A procedure to delete the PANA session as well as the
corresponding EAP session and authorization state. corresponding EAP session and authorization state.
boolean Authorize() boolean Authorize()
A procedure to create or modify authorization state. It returns A procedure to create or modify authorization state. It returns
TRUE if authorization is successful. Otherwise, it returns FALSE. TRUE if authorization is successful. Otherwise, it returns FALSE.
It is assumed that Authorize() procedure of PaC state machine It is assumed that Authorize() procedure of PaC state machine
always returns TRUE. always returns TRUE. In the case that a non-key-generating EAP
method is used but a PANA SA is required after successful
authentication (generate_pana_sa() returns TRUE), Authorize()
procedure must return FALSE.
void Tx:PANA_MESSAGE_NAME[flag](AVPs) void Tx:PANA_MESSAGE_NAME[flag](AVPs)
A procedure to send a PANA message to its peering PANA entity. A procedure to send a PANA message to its peering PANA entity.
The "flag" argment contains a flag (e.g., Tx:PAR[C]) to be set to The "flag" argment contains a flag (e.g., Tx:PAR[C]) to be set to
the message, except for 'R' (Request) flag. The "AVPs" contains a the message, except for 'R' (Request) flag. The "AVPs" contains a
list of names of optional AVPs to be inserted in the message, list of names of optional AVPs to be inserted in the message,
except for AUTH AVP. except for AUTH AVP.
This procedure includes the following action before actual This procedure includes the following action before actual
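Review bot: the added Authorize() text contradicts the sentence it is appended to. "It is assumed that Authorize() procedure of PaC state machine always returns TRUE" is left standing, and the new sentence then requires it to return FALSE when a non-key-generating EAP method is used but generate_pana_sa() returns TRUE; reword to "...always returns TRUE, except in the case that...". The text should also say how the PaC determines that the method is non-key-generating (presumably key_available() returning FALSE after the EAP result), so that Authorize(), generate_pana_sa() and key_available() are evaluated consistently across implementations. The lowercase "must" should be "MUST" if the document uses RFC 2119 terms. Unrelated to the change but in this hunk: "argment" should be "argument".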
skipping to change at page 12, line 18 skipping to change at page 12, line 18
of AVP names in the PANA message. When an AVP name ends with "*", of AVP names in the PANA message. When an AVP name ends with "*",
zero, one or more AVPs are inserted, otherwise one AVP is zero, one or more AVPs are inserted, otherwise one AVP is
inserted. inserted.
boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME") boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME")
A procedure that checks whether an AVP of the specified AVP name A procedure that checks whether an AVP of the specified AVP name
exists in the specified PANA message and returns TRUE if the exists in the specified PANA message and returns TRUE if the
specified AVP is found, otherwise returns FALSE. specified AVP is found, otherwise returns FALSE.
boolean generate_pana_sa()
A procedure to check whether the EAP method being used generates
keys and that a PANA SA will be established on successful
authentication. For the PaC, the procedure is also used to check
and match the PRF and Integrity algorithm AVPs advertised by the
PAA in PAR[S] message. For the PAA, it is used to indicate
whether a PRF and Integrity algorithm AVPs will be sent in the
PAR[S]. This procedure will return true if a PANA SA will be
generated. Otherwise, it returns FALSE.
boolean key_available() boolean key_available()
A procedure to check whether the PANA session has a PANA_AUTH_KEY. A procedure to check whether the PANA session has a PANA_AUTH_KEY.
If the state machine already has a PANA_AUTH_KEY, it returns TRUE. If the state machine already has a PANA_AUTH_KEY, it returns TRUE.
If the state machine does not have a PANA_AUTH_KEY, it tries to If the state machine does not have a PANA_AUTH_KEY, it tries to
retrieve a AAA-Key from the EAP entity. If a AAA-Key is retrieve a AAA-Key from the EAP entity. If a AAA-Key is
retrieved, it computes a PANA_AUTH_KEY from the AAA-Key and retrieved, it computes a PANA_AUTH_KEY from the AAA-Key and
returns TRUE. Otherwise, it returns FALSE. returns TRUE. Otherwise, it returns FALSE.
5.2. Common Variables 5.2. Common Variables
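Review bot: the new generate_pana_sa() definition gives the PaC no failure path. It says the PaC uses the procedure to "check and match" the PRF and Integrity algorithm AVPs advertised in PAR[S], but the only outcomes are TRUE (an SA will be generated) and FALSE, and FALSE is also the normal result for a non-key-generating method. A PAA advertising algorithms the PaC does not support is therefore indistinguishable from "no SA needed", and the PaC would proceed without a PANA SA. Suggest either a distinct outcome for an algorithm mismatch or an explicit statement that a mismatched PAR[S] is treated as an invalid message. Style: "return true" should be "TRUE" to match the rest of 5.1, and "whether a PRF and Integrity algorithm AVPs" should drop the "a".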
skipping to change at page 19, line 20 skipping to change at page 19, line 20
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+----------- ------------------------+--------------------------+-----------
- - - - - - - - - - (PaC-initiated Handshake) - - - - - - - - - - - - - - - - - - - (PaC-initiated Handshake) - - - - - - - - -
AUTH_USER Tx:PCI[](); INITIAL AUTH_USER Tx:PCI[](); INITIAL
RtxTimerStart(); RtxTimerStart();
SessionTimerReStart SessionTimerReStart
(FAILED_SESS_TIMEOUT); (FAILED_SESS_TIMEOUT);
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -(PAA-initiated Handshake, not optimized) - - - - - - - - - - - -(PAA-initiated Handshake, not optimized) - - - - -
Rx:PAR[S] && Tx:PAN[S](); WAIT_PAA Rx:PAR[S] && EAP_Restart(); WAIT_PAA
!PAR.exist_avp EAP_Restart(); !PAR.exist_avp SessionTimerReStart
("EAP-Payload") SessionTimerReStart ("EAP-Payload") (FAILED_SESS_TIMEOUT);
(FAILED_SESS_TIMEOUT); if (generate_pana_sa())
Tx:PAN[S]("PRF-Algorithm",
"Integrity-Algorithm");
else
Tx:PAN[S]();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -(PAA-initiated Handshake, optimized) - - - - - - - - - - - - - -(PAA-initiated Handshake, optimized) - - - - - -
Rx:PAR[S] && EAP_Restart(); INITIAL Rx:PAR[S] && EAP_Restart(); INITIAL
PAR.exist_avp TxEAP(); PAR.exist_avp TxEAP();
("EAP-Payload") && SessionTimerReStart ("EAP-Payload") && SessionTimerReStart
eap_piggyback() (FAILED_SESS_TIMEOUT); eap_piggyback() (FAILED_SESS_TIMEOUT);
Rx:PAR[S] && EAP_Restart(); WAIT_EAP_MSG Rx:PAR[S] && EAP_Restart(); WAIT_EAP_MSG
PAR.exist_avp TxEAP(); PAR.exist_avp TxEAP();
("EAP-Payload") && SessionTimerReStart ("EAP-Payload") && SessionTimerReStart
!eap_piggyback() (FAILED_SESS_TIMEOUT); !eap_piggyback() (FAILED_SESS_TIMEOUT);
TxPAN[S](); if (generate_pana_sa())
Tx:PAN[S]("PRF-Algorithm",
"Integrity-Algorithm");
else
Tx:PAN[S]();
EAP_RESPONSE Tx:PAN[S]("EAP-Payload"); WAIT_PAA EAP_RESPONSE if (generate_pana_sa()) WAIT_PAA
Tx:PAN[S]("EAP-Payload",
"PRF-Algorithm",
"Integrity-Algorithm");
else
Tx:PAN[S]("EAP-Payload");
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--------------- ---------------
State: WAIT_PAA State: WAIT_PAA
--------------- ---------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - - - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - -
Rx:PAR[] && RtxTimerStop(); WAIT_EAP_MSG Rx:PAR[] && RtxTimerStop(); WAIT_EAP_MSG
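Review bot: in the PaC INITIAL transitions, generate_pana_sa() is now evaluated immediately after EAP_Restart() on receipt of PAR[S], i.e. before any EAP method has been selected, yet its definition in 5.1 says it checks "whether the EAP method being used generates keys". At this point the PaC can only decide from the PRF-Algorithm and Integrity-Algorithm AVPs carried in PAR[S] or from local configuration; either the 5.1 text should say so, or the PaC-side check should be limited to the AVP match. Separately, moving EAP_Restart() ahead of Tx:PAN[S]() in the not-optimized transition is a behaviour change and deserves a mention in the change log. The old "TxPAN[S]();" (missing colon) in the !eap_piggyback row is fixed by this revision.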
skipping to change at page 26, line 50 skipping to change at page 26, line 50
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - (PCI and PAA initiated PANA) - - - - - - - - - - - - - - - - - (PCI and PAA initiated PANA) - - - - - - - - -
(Rx:PCI[] || if (OPTIMIZED_INIT == INITIAL (Rx:PCI[] || if (OPTIMIZED_INIT == INITIAL
PAC_FOUND) Set) { PAC_FOUND) Set) {
EAP_Restart(); EAP_Restart();
SessionTimerReStart SessionTimerReStart
(FAILED_SESS_TIMEOUT); (FAILED_SESS_TIMEOUT);
} }
else {
if (generate_pana_sa())
Tx:PAR[S]("PRF-Algorithm",
"Integrity-Algorithm");
else else
Tx:PAR[S](); Tx:PAR[S]();
EAP_REQUEST Tx:PAR[S]("EAP-Payload"); INITIAL }
EAP_REQUEST if (generate_pana_sa()) INITIAL
Tx:PAR[S]("EAP-Payload",
"PRF-Algorithm",
"Integrity-Algorithm");
else
Tx:PAR[S]("EAP-Payload");
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - (PAN Handling) - - - - - - - - - - - - - - - - - - - - - - - - (PAN Handling) - - - - - - - - - -
Rx:PAN[S] && if (PAN.exist_avp WAIT_EAP_MSG Rx:PAN[S] && if (PAN.exist_avp WAIT_EAP_MSG
((OPTIMIZED_INIT == ("EAP-Payload")) ((OPTIMIZED_INIT == ("EAP-Payload"))
Unset) || TxEAP(); Unset) || TxEAP();
PAN.exist_avp else { PAN.exist_avp else {
("EAP-Payload")) EAP_Restart(); ("EAP-Payload")) EAP_Restart();
SessionTimerReStart SessionTimerReStart
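Review bot: in the new else branch of the (Rx:PCI[] || PAC_FOUND) transition, Tx:PAR[S]("PRF-Algorithm", "Integrity-Algorithm") or Tx:PAR[S]() is sent without a RtxTimerStart(), while the EAP_REQUEST row below does start the timer after its PAR[S]. Unless the Tx procedure itself starts the retransmission timer (its description is cut off at the top of this page), an unanswered unoptimized PAR[S] would never be retransmitted; add RtxTimerStart() to the else branch or state why it is not needed there.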
skipping to change at page 28, line 6 skipping to change at page 28, line 16
PANA_AUTHENTICATION_ PANA_AUTHENTICATION_
REJECTED; REJECTED;
Tx:PAR[C]("EAP-Payload"); Tx:PAR[C]("EAP-Payload");
RtxTimerStart(); RtxTimerStart();
SessionTimerStop(); SessionTimerStop();
EAP_SUCCESS && PAR.RESULT_CODE = WAIT_SUCC_PAN EAP_SUCCESS && PAR.RESULT_CODE = WAIT_SUCC_PAN
Authorize() PANA_SUCCESS; Authorize() PANA_SUCCESS;
if (new_key_available()) if (new_key_available())
Tx:PAR[C]("EAP-Payload", Tx:PAR[C]("EAP-Payload",
"Key-Id", "Algorithm"); "Key-Id");
else else
Tx:PAR[C]("EAP-Payload"); Tx:PAR[C]("EAP-Payload");
RtxTimerStart(); RtxTimerStart();
EAP_SUCCESS && PAR.RESULT_CODE = WAIT_FAIL_PAN EAP_SUCCESS && PAR.RESULT_CODE = WAIT_FAIL_PAN
!Authorize() PANA_AUTHORIZATION_ !Authorize() PANA_AUTHORIZATION_
REJECTED; REJECTED;
if (new_key_available()) if (new_key_available())
Tx:PAR[C]("EAP-Payload", Tx:PAR[C]("EAP-Payload",
"Key-Id", "Algorithm"); "Key-Id");
else else
Tx:PAR[C]("EAP-Payload"); Tx:PAR[C]("EAP-Payload");
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - (Receiving EAP-Timeout or invalid message) - - - - - - - - - - (Receiving EAP-Timeout or invalid message) - - - - -
EAP_TIMEOUT SessionTimerStop(); CLOSED EAP_TIMEOUT SessionTimerStop(); CLOSED
Disconnect(); Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------- --------------------
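Review bot: dropping "Algorithm" from the Key-Id-carrying Tx:PAR[C] calls in both the Authorize() and !Authorize() rows is consistent with negotiating the PRF and integrity algorithms in PAR[S]/PAN[S] instead, but the new 5.1 rule only constrains the PaC's Authorize(), while it is the PAA that sends PAR[C] with PANA_SUCCESS and Key-Id here. State whether the PAA's Authorize() must likewise return FALSE when a non-key-generating method is used but generate_pana_sa() is TRUE; otherwise the PAA would signal PANA_SUCCESS without Key-Id while the PaC's Authorize() is required to return FALSE. Also, these rows call new_key_available() whereas 5.1 on this page defines key_available(); confirm both procedures are defined and that their difference is documented.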
skipping to change at page 35, line 10 skipping to change at page 35, line 10
11. Acknowledgments 11. Acknowledgments
This work was started from state machines originally made by Dan This work was started from state machines originally made by Dan
Forsberg. Forsberg.
12. References 12. References
12.1. Normative References 12.1. Normative References
[I-D.ietf-pana-pana] [I-D.ietf-pana-pana]
Forsberg, D., "Protocol for Carrying Authentication for Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., and A.
Network Access (PANA)", draft-ietf-pana-pana-17 (work in Yegin, "Protocol for Carrying Authentication for Network
progress), June 2007. Access (PANA)", draft-ietf-pana-pana-18 (work in
progress), September 2007.
[I-D.ietf-pana-mobopts] [I-D.ietf-pana-mobopts]
Forsberg, D., "PANA Mobility Optimizations", Forsberg, D., "PANA Mobility Optimizations",
draft-ietf-pana-mobopts-01 (work in progress), draft-ietf-pana-mobopts-01 (work in progress),
October 2005. October 2005.
12.2. Informative References 12.2. Informative References
[RFC4137] Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, [RFC4137] Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba,
"State Machines for Extensible Authentication Protocol "State Machines for Extensible Authentication Protocol
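Review bot: the normative reference [I-D.ietf-pana-mobopts] still points at draft-ietf-pana-mobopts-01 of October 2005 while the base specification reference is advanced to draft-ietf-pana-pana-18 of September 2007. Given the six-month expiry noted in the Status section, check whether a newer revision exists or whether the reference is still needed as normative.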
 End of changes. 15 change blocks. 
18 lines changed or deleted 57 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/