draft-ietf-pana-statemachine-11.txt   draft-ietf-pana-statemachine-12.txt 
PANA Working Group V. Fajardo, Ed. PANA Working Group V. Fajardo, Ed.
Internet-Draft Y. Ohba Internet-Draft Y. Ohba
Intended status: Informational TARI Intended status: Informational TARI
Expires: October 22, 2009 R. Lopez Expires: October 25, 2009 R. Lopez
Univ. of Murcia Univ. of Murcia
April 20, 2009 April 23, 2009
State Machines for Protocol for Carrying Authentication for Network State Machines for Protocol for Carrying Authentication for Network
Access (PANA) Access (PANA)
draft-ietf-pana-statemachine-11 draft-ietf-pana-statemachine-12
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on October 22, 2009. This Internet-Draft will expire on October 25, 2009.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 3, line 30 skipping to change at page 3, line 30
7.1. Interface between PaC and EAP Peer . . . . . . . . . . . . 18 7.1. Interface between PaC and EAP Peer . . . . . . . . . . . . 18
7.1.1. Delivering EAP Messages from PaC to EAP Peer . . . . . 18 7.1.1. Delivering EAP Messages from PaC to EAP Peer . . . . . 18
7.1.2. Delivering EAP Messages from EAP Peer to PaC . . . . . 18 7.1.2. Delivering EAP Messages from EAP Peer to PaC . . . . . 18
7.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 18 7.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 18
7.1.4. EAP Authentication Result Notification from EAP 7.1.4. EAP Authentication Result Notification from EAP
Peer to PaC . . . . . . . . . . . . . . . . . . . . . 19 Peer to PaC . . . . . . . . . . . . . . . . . . . . . 19
7.1.5. Alternate Failure Notification from PaC to EAP Peer . 19 7.1.5. Alternate Failure Notification from PaC to EAP Peer . 19
7.2. Configurable Values . . . . . . . . . . . . . . . . . . . 19 7.2. Configurable Values . . . . . . . . . . . . . . . . . . . 19
7.3. Variables . . . . . . . . . . . . . . . . . . . . . . . . 19 7.3. Variables . . . . . . . . . . . . . . . . . . . . . . . . 19
7.4. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 20 7.4. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 20
7.5. PaC State Transition Table . . . . . . . . . . . . . . . . 20 7.5. PaC State Transition Table . . . . . . . . . . . . . . . . 21
8. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 26 8. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 27
8.1. Interface between PAA and EAP Authenticator . . . . . . . 26 8.1. Interface between PAA and EAP Authenticator . . . . . . . 27
8.1.1. EAP Restart Notification from PAA to EAP 8.1.1. EAP Restart Notification from PAA to EAP
Authenticator . . . . . . . . . . . . . . . . . . . . 26 Authenticator . . . . . . . . . . . . . . . . . . . . 27
8.1.2. Delivering EAP Responses from PAA to EAP 8.1.2. Delivering EAP Responses from PAA to EAP
Authenticator . . . . . . . . . . . . . . . . . . . . 26 Authenticator . . . . . . . . . . . . . . . . . . . . 27
8.1.3. Delivering EAP Messages from EAP Authenticator to 8.1.3. Delivering EAP Messages from EAP Authenticator to
PAA . . . . . . . . . . . . . . . . . . . . . . . . . 26 PAA . . . . . . . . . . . . . . . . . . . . . . . . . 27
8.1.4. EAP Authentication Result Notification from EAP 8.1.4. EAP Authentication Result Notification from EAP
Authenticator to PAA . . . . . . . . . . . . . . . . . 26 Authenticator to PAA . . . . . . . . . . . . . . . . . 27
8.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 27 8.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 28
8.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 28 8.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 29
8.4. PAA State Transition Table . . . . . . . . . . . . . . . . 28 8.4. PAA State Transition Table . . . . . . . . . . . . . . . . 29
9. Implementation Considerations . . . . . . . . . . . . . . . . 34 9. Implementation Considerations . . . . . . . . . . . . . . . . 35
9.1. PAA and PaC Interface to Service Management Entity . . . . 34 9.1. PAA and PaC Interface to Service Management Entity . . . . 35
10. Security Considerations . . . . . . . . . . . . . . . . . . . 35 10. Security Considerations . . . . . . . . . . . . . . . . . . . 36
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 36 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37
12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 37 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 38
13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 38 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 39
13.1. Normative References . . . . . . . . . . . . . . . . . . . 38 13.1. Normative References . . . . . . . . . . . . . . . . . . . 39
13.2. Informative References . . . . . . . . . . . . . . . . . . 38 13.2. Informative References . . . . . . . . . . . . . . . . . . 39
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 39 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 40
1. Introduction 1. Introduction
This document defines the state machines for Protocol Carrying This document defines the state machines for Protocol Carrying
Authentication for Network Access (PANA) [RFC5191]. There are state Authentication for Network Access (PANA) [RFC5191]. There are state
machines for the PANA client (PaC) and for the PANA Authentication machines for the PANA client (PaC) and for the PANA Authentication
Agent (PAA). Each state machine is specified through a set of Agent (PAA). Each state machine is specified through a set of
variables, procedures and a state transition table. The state variables, procedures and a state transition table. The state
machines and associated models described in this document are machines and associated models described in this document are
informative only. Implementations may achieve similar results using informative only. Implementations may achieve similar results using
skipping to change at page 20, line 24 skipping to change at page 20, line 24
received from the EAP peer. received from the EAP peer.
EAP_RESP_TIMEOUT EAP_RESP_TIMEOUT
This event variable is set to TRUE when the PaC that has passed an This event variable is set to TRUE when the PaC that has passed an
EAP message to the EAP-layer does not receive a subsequent EAP EAP message to the EAP-layer does not receive a subsequent EAP
message from the the EAP-layer in a given period. This provides a message from the the EAP-layer in a given period. This provides a
time limit for certain EAP methods where user interaction maybe time limit for certain EAP methods where user interaction maybe
required. required.
EAP_DISCARD
This event variable is set to TRUE when the EAP peer indicates
that it has silently discarded the last received EAP-Request.
This event does not accompany any EAP message. In the case where
the EAP peer follows the EAP peer state machine defined in
[RFC4137], this event variable refers to eapNoResp.
7.4. Procedures 7.4. Procedures
boolean eap_piggyback() boolean eap_piggyback()
This procedures returns TRUE to indicate whether the next EAP This procedures returns TRUE to indicate whether the next EAP
response will be carried in the pending PAN message for response will be carried in the pending PAN message for
optimization. optimization.
void alt_reject() void alt_reject()
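Review bot: the new EAP_DISCARD definition maps eapNoResp onto an event that, in the PaC transition table of this section, ends the PANA session, whereas the RFC 4137 peer state machine it cites returns to IDLE after its DISCARD state and simply waits for the next EAP-Request; the text should say explicitly that a silently discarded EAP-Request is terminal for the PaC in this model, so the two machines are not read as agreeing on discard semantics. Two small fixes in the unchanged context of this block: "from the the EAP-layer ... user interaction maybe required" should read "from the EAP-layer ... user interaction may be required", and "This procedures returns TRUE" should read "This procedure returns TRUE".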
skipping to change at page 23, line 17 skipping to change at page 23, line 29
else else
Tx:PAN[]("EAP-Payload"); Tx:PAN[]("EAP-Payload");
EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA
!eap_piggyback() Tx:PAR[]("EAP-Payload"); !eap_piggyback() Tx:PAR[]("EAP-Payload");
RtxTimerStart(); RtxTimerStart();
EAP_RESP_TIMEOUT && Tx:PAN[](); WAIT_PAA EAP_RESP_TIMEOUT && Tx:PAN[](); WAIT_PAA
eap_piggyback() eap_piggyback()
EAP_FAILURE SessionTimerStop(); CLOSED EAP_DISCARD && Tx:PAN[](); CLOSED
eap_piggyback() SessionTimerStop();
Disconnect(); Disconnect();
EAP_FAILURE || SessionTimerStop(); CLOSED
(EAP_DISCARD && Disconnect();
!eap_piggyback())
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------------- ----------------------
State: WAIT_EAP_RESULT State: WAIT_EAP_RESULT
---------------------- ----------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - - - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - -
EAP_SUCCESS if (PAR.exist_avp OPEN EAP_SUCCESS if (PAR.exist_avp OPEN
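Review bot: the two new rows make a single silently discarded EAP-Request fatal to the session, while the adjacent "EAP_RESP_TIMEOUT && eap_piggyback()" row sends the same empty PAN[]() and stays alive in WAIT_PAA; a reader needs to be told why a discard is treated more severely than a response timeout. In the "EAP_FAILURE || (EAP_DISCARD && !eap_piggyback())" row nothing is transmitted before Disconnect(), so the PAA is left to discover the closure from its own timers; state that this is intended. Since any PAR whose EAP payload the peer rejects now closes the PaC's session, a sentence in Security Considerations on that consequence would help.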
skipping to change at page 27, line 17 skipping to change at page 28, line 17
EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables refer to EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables refer to
eapSuccess, eapFail and eapTimeout variables of the EAP authenticator eapSuccess, eapFail and eapTimeout variables of the EAP authenticator
state machine, respectively. In this case, if EAP_SUCCESS event state machine, respectively. In this case, if EAP_SUCCESS event
variable is set to TRUE, an EAP-Success message is contained in variable is set to TRUE, an EAP-Success message is contained in
eapReqData variable of the EAP authenticator state machine, and eapReqData variable of the EAP authenticator state machine, and
additionally, eapKeyAvailable variable is set to TRUE and eapKeyData additionally, eapKeyAvailable variable is set to TRUE and eapKeyData
variable contains an MSK if the MSK is generated as a result of variable contains an MSK if the MSK is generated as a result of
successful authentication by the EAP authentication method in use. successful authentication by the EAP authentication method in use.
Similarly, if EAP_FAILURE event variable is set to TRUE, an EAP- Similarly, if EAP_FAILURE event variable is set to TRUE, an EAP-
Failure message is contained in eapReqData variable of the EAP Failure message is contained in eapReqData variable of the EAP
authenticator state machine. The PAA uses EAP_SUCCESS, EAP_FAILURE authenticator state machine. The PAA uses EAP_SUCCESS and
and EAP_TIMEOUT event variables as a trigger to send a PAR message to EAP_FAILURE event variables as a trigger to send a PAR message to the
the PaC. PaC.
8.2. Variables 8.2. Variables
OPTIMIZED_INIT OPTIMIZED_INIT
This variable indicates whether the PAA is able to piggyback an This variable indicates whether the PAA is able to piggyback an
EAP-Request in the initial PANA-Auth-Request. Otherwise it is set EAP-Request in the initial PANA-Auth-Request. Otherwise it is set
to FALSE. to FALSE.
PAC_FOUND PAC_FOUND
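Review bot: dropping EAP_TIMEOUT from the list of PAR triggers is right, since the PAA table handles EAP_TIMEOUT with SessionTimerStop(); Disconnect() and sends nothing, but this paragraph still gives the RFC 4137 mapping only for eapSuccess, eapFail and eapTimeout; with EAP_DISCARD added in 8.2 of this revision, the same paragraph should state its mapping (eapNoReq) and that, like EAP_TIMEOUT, it never results in a PAR being sent to the PaC. A related documentation gap: if Disconnect() does not itself send a PANA-Termination-Request, the PaC is never told that either of these two events ended the session, and that should be spelled out here or under Disconnect() in 8.3.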
skipping to change at page 28, line 17 skipping to change at page 29, line 17
This event variable is set to TRUE when the EAP authenticator This event variable is set to TRUE when the EAP authenticator
delivers an EAP Request to the PAA. This event accompanies an delivers an EAP Request to the PAA. This event accompanies an
EAP-Request message received from the EAP authenticator. EAP-Request message received from the EAP authenticator.
EAP_TIMEOUT EAP_TIMEOUT
This event variable is set to TRUE when EAP conversation times out This event variable is set to TRUE when EAP conversation times out
without generating an EAP-Success or an EAP-Failure message. This without generating an EAP-Success or an EAP-Failure message. This
event does not accompany any EAP message. event does not accompany any EAP message.
EAP_DISCARD
This event variable is set to TRUE when EAP authenticator
indicates that it has silently discarded the last received EAP-
Response message. This event does not accompany any EAP message.
In the case where the EAP authenticator follows the EAP
authenticator state machines defined in [RFC4137], this event
variable refers to eapNoReq.
8.3. Procedures 8.3. Procedures
boolean new_key_available() boolean new_key_available()
A procedure to check whether the PANA session has a new A procedure to check whether the PANA session has a new
PANA_AUTH_KEY. If the state machine already have a PANA_AUTH_KEY, PANA_AUTH_KEY. If the state machine already have a PANA_AUTH_KEY,
it returns FALSE. If the state machine does not have a it returns FALSE. If the state machine does not have a
PANA_AUTH_KEY, it tries to retrieve an MSK from the EAP entity. PANA_AUTH_KEY, it tries to retrieve an MSK from the EAP entity.
If an MSK has been retrieved, it computes a PANA_AUTH_KEY from the If an MSK has been retrieved, it computes a PANA_AUTH_KEY from the
MSK and returns TRUE. Otherwise, it returns FALSE. MSK and returns TRUE. Otherwise, it returns FALSE.
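Review bot: "when EAP authenticator indicates" should read "when the EAP authenticator indicates". More important, this definition limits EAP_DISCARD to a silently discarded EAP-Response but then ties it to eapNoReq, which RFC 4137 describes as meaning the most recent response has been processed and there is no new request to send; an implementation that wires eapNoReq straight to EAP_DISCARD will, per the new table rows, Disconnect() the session in every such case, so the text should either narrow the mapping or confirm that eapNoReq only ever signals a discard in the authenticator states this model assumes. In the unchanged context of this block, "If the state machine already have a PANA_AUTH_KEY" should read "already has".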
skipping to change at page 30, line 32 skipping to change at page 31, line 41
!Authorize() PANA_AUTHORIZATION_ !Authorize() PANA_AUTHORIZATION_
REJECTED; REJECTED;
if (new_key_available()) if (new_key_available())
Tx:PAR[C]("EAP-Payload", Tx:PAR[C]("EAP-Payload",
"Key-Id"); "Key-Id");
else else
Tx:PAR[C]("EAP-Payload"); Tx:PAR[C]("EAP-Payload");
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - (Receiving EAP-Timeout or invalid message) - - - - - - - - - - (Receiving EAP-Timeout or invalid message) - - - - -
EAP_TIMEOUT SessionTimerStop(); CLOSED EAP_TIMEOUT || SessionTimerStop(); CLOSED
Disconnect(); EAP_DISCARD Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------- --------------------
State: WAIT_SUCC_PAN State: WAIT_SUCC_PAN
-------------------- --------------------
Event/Condition Action Exit State Event/Condition Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - (PAN Processing)- - - - - - - - - - - - - - - - - - - - - - - - (PAN Processing)- - - - - - - - - - -
Rx:PAN[C] RtxTimerStop(); OPEN Rx:PAN[C] RtxTimerStop(); OPEN
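Review bot: adding EAP_DISCARD to the "(Receiving EAP-Timeout or invalid message)" row fits that heading, but the action is SessionTimerStop(); Disconnect() with nothing transmitted, so the PaC that just sent the PAN or PAR carrying the discarded response is left in WAIT_PAA until its own retransmission or session timer expires; the row, or the Disconnect() definition in 8.3, should say whether a PANA-Termination-Request is sent. Note also that this row has no RtxTimerStop(), unlike the corresponding row in WAIT_PAN_OR_PAR; that is correct only if no PAR can be outstanding while the PAA is waiting on the EAP authenticator, which is worth stating next to the row.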
skipping to change at page 32, line 44 skipping to change at page 34, line 5
!PAN.exist_avp !PAN.exist_avp
("EAP-Payload") ("EAP-Payload")
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - -(EAP retransmission) - - - - - - - - - - - - - - - - - - - - - -(EAP retransmission) - - - - - - - - - -
EAP_REQUEST RtxTimerStop(); WAIT_PAN_OR_PAR EAP_REQUEST RtxTimerStop(); WAIT_PAN_OR_PAR
Tx:PAR[]("EAP-Payload"); Tx:PAR[]("EAP-Payload");
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - (EAP authentication timeout or failure)- - - - - - - - - - - - (EAP authentication timeout or failure)- - - - -
EAP_FAILURE || RtxTimerStop(); CLOSED EAP_FAILURE || RtxTimerStop(); CLOSED
EAP_TIMEOUT SessionTimerStop(); EAP_TIMEOUT || SessionTimerStop();
Disconnect(); EAP_DISCARD Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------- ----------------
State: SESS_TERM State: SESS_TERM
---------------- ----------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - -(PTA processing) - - - - - - - - - - - - - - - - - - - - - - - -(PTA processing) - - - - - - - - - -
Rx:PTA[] RtxTimerStop(); CLOSED Rx:PTA[] RtxTimerStop(); CLOSED
Disconnect(); Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9. Implementation Considerations 9. Implementation Considerations
9.1. PAA and PaC Interface to Service Management Entity 9.1. PAA and PaC Interface to Service Management Entity
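Review bot: the row heading "(EAP authentication timeout or failure)" was not updated when EAP_DISCARD was added to the condition beneath it; make it "(EAP authentication timeout, failure or discard)" so a reader scanning headings finds the discard case. This row does stop the retransmission timer before Disconnect(), which is needed because the PAA's PAR is still outstanding in WAIT_PAN_OR_PAR (the "(EAP retransmission)" row above shows it being resent). For the same reason it is worth checking that the PaC's new "EAP_DISCARD && eap_piggyback()" behaviour, which sends a PAN with no EAP-Payload right before closing, is consumed by the row ending in !PAN.exist_avp("EAP-Payload") at the top of this block and not treated as an invalid message.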
End of changes. 17 change blocks. 31 lines changed or deleted, 54 lines changed or added.

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/