draft-ietf-pana-statemachine-09.txt   draft-ietf-pana-statemachine-10.txt 
PANA Working Group V. Fajardo, Ed. PANA Working Group V. Fajardo, Ed.
Internet-Draft Y. Ohba Internet-Draft Y. Ohba
Intended status: Informational TARI Intended status: Informational TARI
Expires: July 24, 2009 R. Lopez Expires: October 4, 2009 R. Lopez
Univ. of Murcia Univ. of Murcia
January 20, 2009 April 2, 2009
State Machines for Protocol for Carrying Authentication for Network State Machines for Protocol for Carrying Authentication for Network
Access (PANA) Access (PANA)
draft-ietf-pana-statemachine-09 draft-ietf-pana-statemachine-10
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 24, 2009. This Internet-Draft will expire on October 4, 2009.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents in effect on the date of
(http://trustee.ietf.org/license-info) in effect on the date of publication of this document (http://trustee.ietf.org/license-info).
publication of this document. Please review these documents Please review these documents carefully, as they describe your rights
carefully, as they describe your rights and restrictions with respect and restrictions with respect to this document.
to this document.
Abstract Abstract
This document defines the conceptual state machines for the Protocol This document defines the conceptual state machines for the Protocol
for Carrying Authentication for Network Access (PANA). The state for Carrying Authentication for Network Access (PANA). The state
machines consist of the PANA Client (PaC) state machine and the PANA machines consist of the PANA Client (PaC) state machine and the PANA
Authentication Agent (PAA) state machine. The two state machines Authentication Agent (PAA) state machine. The two state machines
show how PANA can interface with the EAP state machines. The state show how PANA can interface with the EAP state machines. The state
machines and associated model are informative only. Implementations machines and associated model are informative only. Implementations
may achieve the same results using different methods. may achieve the same results using different methods.
skipping to change at page 3, line 15 skipping to change at page 3, line 15
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Interface Between PANA and EAP . . . . . . . . . . . . . . . . 6 3. Interface Between PANA and EAP . . . . . . . . . . . . . . . . 6
4. Document Authority . . . . . . . . . . . . . . . . . . . . . . 8 4. Document Authority . . . . . . . . . . . . . . . . . . . . . . 8
5. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 9 5. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 11 6. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 11
6.1. Common Procedures . . . . . . . . . . . . . . . . . . . . 11 6.1. Common Procedures . . . . . . . . . . . . . . . . . . . . 11
6.2. Common Variables . . . . . . . . . . . . . . . . . . . . . 13 6.2. Common Variables . . . . . . . . . . . . . . . . . . . . . 13
6.3. Constants . . . . . . . . . . . . . . . . . . . . . . . . 15 6.3. Configurable Values . . . . . . . . . . . . . . . . . . . 15
6.4. Common Message Initialization Rules . . . . . . . . . . . 15 6.4. Common Message Initialization Rules . . . . . . . . . . . 15
6.5. Common Retransmition Rules . . . . . . . . . . . . . . . . 15 6.5. Common Retransmition Rules . . . . . . . . . . . . . . . . 15
6.6. Common State Transitions . . . . . . . . . . . . . . . . . 15 6.6. Common State Transitions . . . . . . . . . . . . . . . . . 15
7. PaC State Machine . . . . . . . . . . . . . . . . . . . . . . 17 7. PaC State Machine . . . . . . . . . . . . . . . . . . . . . . 18
7.1. Interface between PaC and EAP Peer . . . . . . . . . . . . 17 7.1. Interface between PaC and EAP Peer . . . . . . . . . . . . 18
7.1.1. Delivering EAP Messages from PaC to EAP Peer . . . . . 17 7.1.1. Delivering EAP Messages from PaC to EAP Peer . . . . . 18
7.1.2. Delivering EAP Messages from EAP Peer to PaC . . . . . 17 7.1.2. Delivering EAP Messages from EAP Peer to PaC . . . . . 18
7.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 17 7.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 18
7.1.4. EAP Authentication Result Notification from EAP 7.1.4. EAP Authentication Result Notification from EAP
Peer to PaC . . . . . . . . . . . . . . . . . . . . . 18 Peer to PaC . . . . . . . . . . . . . . . . . . . . . 19
7.1.5. Alternate Failure Notification from PaC to EAP Peer . 18 7.1.5. Alternate Failure Notification from PaC to EAP Peer . 19
7.2. Constants . . . . . . . . . . . . . . . . . . . . . . . . 18 7.2. Configurable Values . . . . . . . . . . . . . . . . . . . 19
7.3. Variables . . . . . . . . . . . . . . . . . . . . . . . . 18 7.3. Variables . . . . . . . . . . . . . . . . . . . . . . . . 19
7.4. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 19 7.4. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 20
7.5. PaC State Transition Table . . . . . . . . . . . . . . . . 19 7.5. PaC State Transition Table . . . . . . . . . . . . . . . . 20
8. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 25 8. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 26
8.1. Interface between PAA and EAP Authenticator . . . . . . . 25 8.1. Interface between PAA and EAP Authenticator . . . . . . . 26
8.1.1. EAP Restart Notification from PAA to EAP 8.1.1. EAP Restart Notification from PAA to EAP
Authenticator . . . . . . . . . . . . . . . . . . . . 25 Authenticator . . . . . . . . . . . . . . . . . . . . 26
8.1.2. Delivering EAP Responses from PAA to EAP 8.1.2. Delivering EAP Responses from PAA to EAP
Authenticator . . . . . . . . . . . . . . . . . . . . 25 Authenticator . . . . . . . . . . . . . . . . . . . . 26
8.1.3. Delivering EAP Messages from EAP Authenticator to 8.1.3. Delivering EAP Messages from EAP Authenticator to
PAA . . . . . . . . . . . . . . . . . . . . . . . . . 25 PAA . . . . . . . . . . . . . . . . . . . . . . . . . 26
8.1.4. EAP Authentication Result Notification from EAP 8.1.4. EAP Authentication Result Notification from EAP
Authenticator to PAA . . . . . . . . . . . . . . . . . 25 Authenticator to PAA . . . . . . . . . . . . . . . . . 26
8.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 26 8.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 27
8.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 27 8.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 28
8.4. PAA State Transition Table . . . . . . . . . . . . . . . . 27 8.4. PAA State Transition Table . . . . . . . . . . . . . . . . 28
9. Implementation Considerations . . . . . . . . . . . . . . . . 32 9. Implementation Considerations . . . . . . . . . . . . . . . . 34
9.1. PAA and PaC Interface to Service Management Entity . . . . 32 9.1. PAA and PaC Interface to Service Management Entity . . . . 34
10. Security Considerations . . . . . . . . . . . . . . . . . . . 33 10. Security Considerations . . . . . . . . . . . . . . . . . . . 35
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 36
12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 35 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 37
13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 36 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 38
13.1. Normative References . . . . . . . . . . . . . . . . . . . 36 13.1. Normative References . . . . . . . . . . . . . . . . . . . 38
13.2. Informative References . . . . . . . . . . . . . . . . . . 36 13.2. Informative References . . . . . . . . . . . . . . . . . . 38
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 37 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 39
1. Introduction 1. Introduction
This document defines the state machines for Protocol Carrying This document defines the state machines for Protocol Carrying
Authentication for Network Access (PANA) [RFC5191]. There are state Authentication for Network Access (PANA) [RFC5191]. There are state
machines for the PANA client (PaC) and for the PANA Authentication machines for the PANA client (PaC) and for the PANA Authentication
Agent (PAA). Each state machine is specified through a set of Agent (PAA). Each state machine is specified through a set of
variables, procedures and a state transition table. variables, procedures and a state transition table.
A PANA protocol execution consists of several exchanges to carry A PANA protocol execution consists of several exchanges to carry
skipping to change at page 14, line 29 skipping to change at page 14, line 29
flag (e.g., Rx:PAR[C]), except for 'R' (Request) flag. flag (e.g., Rx:PAR[C]), except for 'R' (Request) flag.
RTX_TIMEOUT RTX_TIMEOUT
This event variable is set to TRUE when the retransmission timer This event variable is set to TRUE when the retransmission timer
is expired. is expired.
REAUTH REAUTH
This event variable is set to TRUE when an initiation of re- This event variable is set to TRUE when an initiation of re-
authentication phase is triggered. authentication phase is triggered. This event variable can only
be set while in the OPEN state.
TERMINATE TERMINATE
This event variable is set to TRUE when initiation of PANA session This event variable is set to TRUE when initiation of PANA session
termination is triggered. termination is triggered. This event variable can only be set
while in the OPEN state.
PANA_PING PANA_PING
This event variable is set to TRUE when initiation of liveness This event variable is set to TRUE when initiation of liveness
test based on PANA-Notification exchange is triggered. test based on PANA-Notification exchange is triggered. This event
variable can only be set while in the OPEN state.
SESS_TIMEOUT SESS_TIMEOUT
This event is variable is set to TRUE when the session timer has This event is variable is set to TRUE when the session timer has
expired. expired.
LIFETIME_SESS_TIMEOUT LIFETIME_SESS_TIMEOUT
Configurable value used by the PaC and PAA to close or disconnect Configurable value used by the PaC and PAA to close or disconnect
an established session in the access phase. This variable an established session in the access phase. This variable
skipping to change at page 15, line 12 skipping to change at page 15, line 15
Session-Lifetime AVP if present in the last PANA-Auth-Request Session-Lifetime AVP if present in the last PANA-Auth-Request
message in the case of the PaC. Otherwise, it is assumed that the message in the case of the PaC. Otherwise, it is assumed that the
value is infinite and therefore has no expiration. Expiration of value is infinite and therefore has no expiration. Expiration of
LIFETIME_SESS_TIMEOUT will cause the event variable SESS_TIMEOUT LIFETIME_SESS_TIMEOUT will cause the event variable SESS_TIMEOUT
to be set. to be set.
ANY ANY
This event variable is set to TRUE when any event occurs. This event variable is set to TRUE when any event occurs.
6.3. Constants 6.3. Configurable Values
RTX_MAX_NUM RTX_MAX_NUM
Configurable maximum for how many retransmissions should be Configurable maximum for how many retransmissions should be
attempted before aborting. attempted before aborting.
6.4. Common Message Initialization Rules 6.4. Common Message Initialization Rules
When a message is prepared for sending, it is initialized as follows: When a message is prepared for sending, it is initialized as follows:
skipping to change at page 16, line 32 skipping to change at page 16, line 32
------------------------- -------------------------
State: ANY except INITIAL State: ANY except INITIAL
------------------------- -------------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - (liveness test initiated by peer)- - - - - - - - - - - - - - - - (liveness test initiated by peer)- - - - - -
Rx:PNR[P] Tx:PNA[P](); (no change) Rx:PNR[P] Tx:PNA[P](); (no change)
-------------------------------
State: ANY except WAIT_PNA_PING
-------------------------------
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - (liveness test response) - - - - - - - -
Rx:PNA[P] None(); (no change)
The following transitions can occur on any exit condition within the The following transitions can occur on any exit condition within the
specified state. specified state.
------------- -------------
State: CLOSED State: CLOSED
------------- -------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - -(Catch all event on closed state) - - - - - - - - - - - - - - - -(Catch all event on closed state) - - - - - - - -
skipping to change at page 18, line 31 skipping to change at page 19, line 31
alt_reject() procedure in the PaC state machine serves as the alt_reject() procedure in the PaC state machine serves as the
mechanism to deliver an authentication failure event to the EAP peer mechanism to deliver an authentication failure event to the EAP peer
without accompanying an EAP message. In the case where the EAP peer without accompanying an EAP message. In the case where the EAP peer
follows the EAP peer state machine defined in [RFC4137], alt_reject() follows the EAP peer state machine defined in [RFC4137], alt_reject()
procedure sets altReject variable of the EAP peer state machine. procedure sets altReject variable of the EAP peer state machine.
Note that the EAP peer state machine in [RFC4137] also defines Note that the EAP peer state machine in [RFC4137] also defines
altAccept variable, however, it is never used in PANA in which EAP- altAccept variable, however, it is never used in PANA in which EAP-
Success messages are reliably delivered by the last PANA-Auth Success messages are reliably delivered by the last PANA-Auth
exchange. exchange.
7.2. Constants 7.2. Configurable Values
FAILED_SESS_TIMEOUT FAILED_SESS_TIMEOUT
Configurable value that allows the PaC to determine whether a PaC Configurable value that allows the PaC to determine whether a PaC
authentication and authorization phase has stalled without an authentication and authorization phase has stalled without an
explicit EAP success or failure notification. explicit EAP success or failure notification.
7.3. Variables 7.3. Variables
AUTH_USER AUTH_USER
skipping to change at page 23, line 17 skipping to change at page 24, line 17
Disconnect(); Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
----------- -----------
State: OPEN State: OPEN
----------- -----------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - (liveness test initiated by PaC)- - - - - - - - - - - - - - - - (liveness test initiated by PaC)- - - - - -
PANA_PING Tx:PNR[P](); WAIT_PNA PANA_PING Tx:PNR[P](); WAIT_PNA_PING
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - (re-authentication initiated by PaC)- - - - - - - - - - - - - - - (re-authentication initiated by PaC)- - - - - -
REAUTH NONCE_SENT=Unset; WAIT_PNA REAUTH NONCE_SENT=Unset; WAIT_PNA_REAUTH
Tx:PNR[A](); Tx:PNR[A]();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - (re-authentication initiated by PAA)- - - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - -
Rx:PAR[] EAP_RespTimerStart(); WAIT_EAP_MSG Rx:PAR[] EAP_RespTimerStart(); WAIT_EAP_MSG
TxEAP(); TxEAP();
if (!eap_piggyback()) if (!eap_piggyback())
Tx:PAN[]("Nonce"); Tx:PAN[]("Nonce");
else else
NONCE_SENT=Unset; NONCE_SENT=Unset;
skipping to change at page 23, line 46 skipping to change at page 24, line 46
Rx:PTR[] Tx:PTA[](); CLOSED Rx:PTR[] Tx:PTA[](); CLOSED
SessionTimerStop(); SessionTimerStop();
Disconnect(); Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -(Session termination initiated by PaC) - - - - - - - - - - - - - -(Session termination initiated by PaC) - - - - - -
TERMINATE Tx:PTR[](); SESS_TERM TERMINATE Tx:PTR[](); SESS_TERM
RtxTimerStart(); RtxTimerStart();
SessionTimerStop(); SessionTimerStop();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--------------- ----------------------
State: WAIT_PNA State: WAIT_PNA_REAUTH
--------------- ----------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - -(re-authentication initiated by PaC) - - - - - - - - - - - - - -(re-authentication initiated by PaC) - - - - -
Rx:PNA[A] RtxTimerStop(); WAIT_PAA Rx:PNA[A] RtxTimerStop(); WAIT_PAA
SessionTimerReStart SessionTimerReStart
(FAILED_SESS_TIMEOUT); (FAILED_SESS_TIMEOUT);
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -(Session termination initiated by PAA) - - - - - -
Rx:PTR[] RtxTimerStop(); CLOSED
Tx:PTA[]();
SessionTimerStop();
Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--------------------
State: WAIT_PNA_PING
--------------------
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - -(liveness test initiated by PaC) - - - - - - - - - - - - - - - -(liveness test initiated by PaC) - - - - - - -
Rx:PNA[P] RtxTimerStop(); OPEN Rx:PNA[P] RtxTimerStop(); OPEN
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - (re-authentication initiated by PAA)- - - - -
Rx:PAR[] RtxTimerStop(); WAIT_EAP_MSG
EAP_RespTimerStart();
TxEAP();
if (!eap_piggyback())
Tx:PAN[]("Nonce");
else
NONCE_SENT=Unset;
SessionTimerReStart
(FAILED_SESS_TIMEOUT);
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -(Session termination initiated by PAA) - - - - - -
Rx:PTR[] RtxTimerStop(); CLOSED
Tx:PTA[]();
SessionTimerStop();
Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------- ----------------
State: SESS_TERM State: SESS_TERM
---------------- ----------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - -(Session termination initiated by PaC) - - - - - - - - - - - - -(Session termination initiated by PaC) - - - - -
Rx:PTA[] Disconnect(); CLOSED Rx:PTA[] Disconnect(); CLOSED
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
skipping to change at page 31, line 4 skipping to change at page 31, line 51
-------------------- --------------------
State: WAIT_PNA_PING State: WAIT_PNA_PING
-------------------- --------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - -(PNA processing) - - - - - - - - - - - - - - - - - - - - - - - -(PNA processing) - - - - - - - - - -
Rx:PNA[P] RtxTimerStop(); OPEN Rx:PNA[P] RtxTimerStop(); OPEN
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (re-authentication initiated by PaC) - - - - - -
Rx:PNR[A] RtxTimerStop(); WAIT_EAP_MSG
NONCE_SENT=Unset;
EAP_Restart();
Tx:PNA[A]();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (Session termination initated from PaC) - - - -
Rx:PTR[] RtxTimerStop(); CLOSED
Tx:PTA[]();
SessionTimerStop();
Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------------- ----------------------
State: WAIT_PAN_OR_PAR State: WAIT_PAN_OR_PAR
---------------------- ----------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - (PAR Processing)- - - - - - - - - - - - - - - - - - - - - - - - (PAR Processing)- - - - - - - - - - -
Rx:PAR[] TxEAP(); WAIT_EAP_MSG Rx:PAR[] TxEAP(); WAIT_EAP_MSG
RtxTimerStop(); RtxTimerStop();
Tx:PAN[](); Tx:PAN[]();
 End of changes. 24 change blocks. 
49 lines changed or deleted 103 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/