--- 1/draft-ietf-pana-statemachine-05.txt 2007-10-15 18:12:07.000000000 +0200 +++ 2/draft-ietf-pana-statemachine-06.txt 2007-10-15 18:12:07.000000000 +0200 @@ -1,21 +1,21 @@ PANA Working Group V. Fajardo, Ed. Internet-Draft Y. Ohba -Expires: January 5, 2008 TARI +Expires: April 3, 2008 TARI R. Lopez Univ. of Murcia - July 4, 2007 + October 1, 2007 State Machines for Protocol for Carrying Authentication for Network Access (PANA) - draft-ietf-pana-statemachine-05 + draft-ietf-pana-statemachine-06 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -26,21 +26,21 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on January 5, 2008. + This Internet-Draft will expire on April 3, 2008. Copyright Notice Copyright (C) The IETF Trust (2007). Abstract This document defines the conceptual state machines for the Protocol for Carrying Authentication for Network Access (PANA). The state machines consist of the PANA Client (PaC) state machine and the PANA 
@@ -51,21 +51,21 @@ Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Interface Between PANA and EAP . . . . . . . . . . . . . . . . 5 3. Document Authority . . . . . . . . . . . . . . . . . . . . . . 7 4. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 8 5. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 10 5.1. Common Procedures . . . . . . . . . . . . . . . . . . . . 10 5.2. Common Variables . . . . . . . . . . . . . . . . . . . . . 12 - 5.3. Constants . . . . . . . . . . . . . . . . . . . . . . . . 13 + 5.3. Constants . . . . . . . . . . . . . . . . . . . . . . . . 14 5.4. Common Message Initialization Rules . . . . . . . . . . . 14 5.5. Common Retransmition Rules . . . . . . . . . . . . . . . . 14 5.6. Common State Transitions . . . . . . . . . . . . . . . . . 14 6. PaC State Machine . . . . . . . . . . . . . . . . . . . . . . 16 6.1. Interface between PaC and EAP Peer . . . . . . . . . . . . 16 6.1.1. Delivering EAP Messages from PaC to EAP Peer . . . . . 16 6.1.2. Delivering EAP Messages from EAP Peer to PaC . . . . . 16 6.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 16 6.1.4. EAP Authentication Result Notification from EAP Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17 
@@ -270,21 +270,24 @@ void Disconnect() A procedure to delete the PANA session as well as the corresponding EAP session and authorization state. boolean Authorize() A procedure to create or modify authorization state. It returns TRUE if authorization is successful. Otherwise, it returns FALSE. It is assumed that Authorize() procedure of PaC state machine - always returns TRUE. + always returns TRUE. In the case that a non-key-generating EAP + method is used but a PANA SA is required after successful + authentication (generate_pana_sa() returns TRUE), Authorize() + procedure must return FALSE. void Tx:PANA_MESSAGE_NAME[flag](AVPs) A procedure to send a PANA message to its peering PANA entity. The "flag" argment contains a flag (e.g., Tx:PAR[C]) to be set to the message, except for 'R' (Request) flag. The "AVPs" contains a list of names of optional AVPs to be inserted in the message, except for AUTH AVP. This procedure includes the following action before actual 
@@ -343,20 +346,31 @@ of AVP names in the PANA message. When an AVP name ends with "*", zero, one or more AVPs are inserted, otherwise one AVP is inserted. boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME") A procedure that checks whether an AVP of the specified AVP name exists in the specified PANA message and returns TRUE if the specified AVP is found, otherwise returns FALSE. + boolean generate_pana_sa() + + A procedure to check whether the EAP method being used generates + keys and that a PANA SA will be established on successful + authentication. For the PaC, the procedure is also used to check + and match the PRF and Integrity algorithm AVPs advertised by the + PAA in PAR[S] message. For the PAA, it is used to indicate + whether a PRF and Integrity algorithm AVPs will be sent in the + PAR[S]. This procedure will return true if a PANA SA will be + generated. Otherwise, it returns FALSE. + boolean key_available() A procedure to check whether the PANA session has a PANA_AUTH_KEY. If the state machine already has a PANA_AUTH_KEY, it returns TRUE. If the state machine does not have a PANA_AUTH_KEY, it tries to retrieve a AAA-Key from the EAP entity. If a AAA-Key is retrieved, it computes a PANA_AUTH_KEY from the AAA-Key and returns TRUE. Otherwise, it returns FALSE. 5.2. Common Variables 
@@ -648,39 +662,52 @@ Exit Condition Exit Action Exit State ------------------------+--------------------------+----------- - - - - - - - - - - (PaC-initiated Handshake) - - - - - - - - - AUTH_USER Tx:PCI[](); INITIAL RtxTimerStart(); SessionTimerReStart (FAILED_SESS_TIMEOUT); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(PAA-initiated Handshake, not optimized) - - - - - - Rx:PAR[S] && Tx:PAN[S](); WAIT_PAA - !PAR.exist_avp EAP_Restart(); - ("EAP-Payload") SessionTimerReStart - (FAILED_SESS_TIMEOUT); + Rx:PAR[S] && EAP_Restart(); WAIT_PAA + !PAR.exist_avp SessionTimerReStart + ("EAP-Payload") (FAILED_SESS_TIMEOUT); + if (generate_pana_sa()) + Tx:PAN[S]("PRF-Algorithm", + "Integrity-Algorithm"); + else + Tx:PAN[S](); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(PAA-initiated Handshake, optimized) - - - - - - Rx:PAR[S] && EAP_Restart(); INITIAL PAR.exist_avp TxEAP(); ("EAP-Payload") && SessionTimerReStart eap_piggyback() (FAILED_SESS_TIMEOUT); Rx:PAR[S] && EAP_Restart(); WAIT_EAP_MSG PAR.exist_avp TxEAP(); ("EAP-Payload") && SessionTimerReStart !eap_piggyback() (FAILED_SESS_TIMEOUT); - TxPAN[S](); + if (generate_pana_sa()) + Tx:PAN[S]("PRF-Algorithm", + "Integrity-Algorithm"); + else + Tx:PAN[S](); - EAP_RESPONSE Tx:PAN[S]("EAP-Payload"); WAIT_PAA + EAP_RESPONSE if (generate_pana_sa()) WAIT_PAA + Tx:PAN[S]("EAP-Payload", + "PRF-Algorithm", + "Integrity-Algorithm"); + else + Tx:PAN[S]("EAP-Payload"); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------- State: WAIT_PAA --------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - - Rx:PAR[] && RtxTimerStop(); WAIT_EAP_MSG 
@@ -970,23 +999,34 @@ Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - (PCI and PAA initiated PANA) - - - - - - - - - (Rx:PCI[] || if (OPTIMIZED_INIT == INITIAL PAC_FOUND) Set) { EAP_Restart(); SessionTimerReStart (FAILED_SESS_TIMEOUT); } + else { + if (generate_pana_sa()) + Tx:PAR[S]("PRF-Algorithm", + "Integrity-Algorithm"); else Tx:PAR[S](); - EAP_REQUEST Tx:PAR[S]("EAP-Payload"); INITIAL + } + + EAP_REQUEST if (generate_pana_sa()) INITIAL + Tx:PAR[S]("EAP-Payload", + "PRF-Algorithm", + "Integrity-Algorithm"); + else + Tx:PAR[S]("EAP-Payload"); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (PAN Handling) - - - - - - - - - - Rx:PAN[S] && if (PAN.exist_avp WAIT_EAP_MSG ((OPTIMIZED_INIT == ("EAP-Payload")) Unset) || TxEAP(); PAN.exist_avp else { ("EAP-Payload")) EAP_Restart(); SessionTimerReStart @@ -1022,31 +1062,31 @@ PANA_AUTHENTICATION_ REJECTED; Tx:PAR[C]("EAP-Payload"); RtxTimerStart(); SessionTimerStop(); EAP_SUCCESS && PAR.RESULT_CODE = WAIT_SUCC_PAN Authorize() PANA_SUCCESS; if (new_key_available()) Tx:PAR[C]("EAP-Payload", - "Key-Id", "Algorithm"); + "Key-Id"); else Tx:PAR[C]("EAP-Payload"); RtxTimerStart(); EAP_SUCCESS && PAR.RESULT_CODE = WAIT_FAIL_PAN !Authorize() PANA_AUTHORIZATION_ REJECTED; if (new_key_available()) Tx:PAR[C]("EAP-Payload", - "Key-Id", "Algorithm"); + "Key-Id"); else Tx:PAR[C]("EAP-Payload"); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Receiving EAP-Timeout or invalid message) - - - - - EAP_TIMEOUT SessionTimerStop(); CLOSED Disconnect(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -------------------- 
@@ -1188,23 +1227,24 @@ 11. Acknowledgments This work was started from state machines originally made by Dan Forsberg. 12. References 12.1. Normative References [I-D.ietf-pana-pana] - Forsberg, D., "Protocol for Carrying Authentication for - Network Access (PANA)", draft-ietf-pana-pana-17 (work in - progress), June 2007. + Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., and A. + Yegin, "Protocol for Carrying Authentication for Network + Access (PANA)", draft-ietf-pana-pana-18 (work in + progress), September 2007. [I-D.ietf-pana-mobopts] Forsberg, D., "PANA Mobility Optimizations", draft-ietf-pana-mobopts-01 (work in progress), October 2005. 12.2. Informative References [RFC4137] Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, "State Machines for Extensible Authentication Protocol
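Review bot: the sentences added to the Authorize() description (hunk @@ -270,21 +270,24 @@) contradict the sentence they follow: the text still says the PaC's Authorize() "always returns TRUE" and then adds a case in which it "must return FALSE". Collapse this into one rule, e.g. "Authorize() of the PaC state machine returns FALSE if generate_pana_sa() returned TRUE but no key was obtained from the EAP method (key_available() returns FALSE); otherwise it returns TRUE." Also say which PaC transition consumes that FALSE: the only EAP_SUCCESS && !Authorize() row in this patch is on the PAA side (-> WAIT_FAIL_PAN), so a reader cannot tell whether the PaC tears the session down or merely continues without a PANA SA.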
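Review bot: generate_pana_sa() (hunk @@ -343,20 +346,31 @@) folds two different conditions into one boolean. For the PaC it "checks and matches" the PRF-Algorithm and Integrity-Algorithm AVPs in PAR[S], yet its only outcomes are TRUE and FALSE, and in the PaC INITIAL table FALSE leads to a bare "Tx:PAN[S]();". That makes "PAA advertised algorithms the PaC does not support" indistinguishable from "no PANA SA wanted", and the session silently continues without an SA. Specify that an unsupported or missing algorithm, when the PAA advertised them, is an error (no PAN[S], or Disconnect()), and reserve FALSE for the genuine no-SA case. Two smaller points: the PaC evaluates this at PAR[S] time, before EAP_Restart() has selected a method, so the "EAP method generates keys" part must come from configuration (a Common Variable in 5.2) rather than a run-time query; and "return true" should read "returns TRUE" to match the rest of 5.1.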
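Review bot: in the PaC INITIAL table (hunk @@ -648,39 +662,52 @@) generate_pana_sa() is evaluated independently in three transitions, and in the optimized eap_piggyback() case the answer is needed in the EAP_RESPONSE transition, after the PAR[S] that carried the PAA's AVPs is no longer the current input. Since the result depends on that PAR[S], evaluate it once when PAR[S] is received and record it in a Common Variable (5.2), then test the variable in the EAP_RESPONSE row; the PAA's EAP_REQUEST row in the next hunk has the same shape and should use the same stored value. The TxPAN[S]() -> Tx:PAN[S]() correction in this hunk is right.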
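Review bot: the PAA INITIAL table (hunk @@ -970,23 +999,34 @@) now decides whether to advertise PRF-Algorithm and Integrity-Algorithm AVPs in PAR[S], but the unchanged PAN handling row still accepts any PAN[S] on the basis of "PAN.exist_avp("EAP-Payload")" alone. When generate_pana_sa() is TRUE on the PAA, a PAN[S] that lacks those AVPs, or carries values the PAA did not offer, should not advance the machine to WAIT_EAP_MSG; add that condition to the Rx:PAN[S] exit condition (or route it to the invalid-message handling) so the PaC cannot negotiate the SA away by omitting the AVPs. While here, check the braces in the new "else { if (generate_pana_sa()) ... else Tx:PAR[S](); }" block: the inner "else" is indented to the same column as the outer one and is easy to misread as closing the wrong if.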
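Review bot: dropping "Algorithm" from the two PAR[C] sends (hunk @@ -1022,31 +1062,31 @@) moves algorithm selection out of a message sent after EAP_SUCCESS, when new_key_available() holds, into PAR[S]/PAN[S], which are exchanged in INITIAL before any PANA_AUTH_KEY exists; nothing in these tables therefore authenticates the PRF and Integrity algorithms actually agreed. Add a sentence under key_available() or generate_pana_sa() stating that the values from PAR[S]/PAN[S] are retained for the session and how they are confirmed once AUTH AVPs are in use, or cite the section of draft-ietf-pana-pana-18 that provides that protection, so implementers do not treat the unprotected advertisement as final. Also confirm that "Algorithm" is removed from every remaining Tx: call and AVP list in the draft, not only these two PAR[C] lines.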
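Review bot: the references hunk (@@ -1188,23 +1227,24 @@) refreshes [I-D.ietf-pana-pana] to -18 but leaves [I-D.ietf-pana-mobopts] at -01 dated October 2005 as a normative reference; verify that is still the current revision, since a normative dependency two years stale will be flagged at last call.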