Mercurial > hg > ietf
annotate draft-ietf-dime-erp-05.xml @ 55:4890fc91096d
Updates Seb.
| author | Sebastien Decugis <sdecugis@nict.go.jp> |
|---|---|
| date | Fri, 22 Oct 2010 15:46:32 +0900 |
| parents | b817687af36c |
| children | 067a0092bb64 |
| rev | line source |
|---|---|
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
1 <?xml version="1.0" encoding="US-ASCII"?> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
2 <!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
3 <!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
4 <!ENTITY RFC3748 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3748.xml"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
5 <!ENTITY RFC3588 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3588.xml"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
6 <!ENTITY RFC4072 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4072.xml"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
7 <!ENTITY RFC5247 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5247.xml"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
8 <!ENTITY RFC5295 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5295.xml"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
9 <!ENTITY RFC5296 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5296.xml"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
10 <!ENTITY I-D.ietf-dime-local-keytran SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-dime-local-keytran-07.xml"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
11 ]> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
12 <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
13 <?rfc strict="yes"?> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
14 <?rfc comments="no"?> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
15 <?rfc inline="yes"?> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
16 <?rfc editing="no"?> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
17 <?rfc toc="yes"?> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
18 <?rfc tocompact="yes"?> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
19 <?rfc tocdepth="3"?> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
20 <?rfc symrefs="yes"?> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
21 <?rfc sortrefs="yes"?> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
22 <?rfc compact="yes"?> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
23 <?rfc subcompact="no"?> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
24 <?rfc rfcedstyle="yes"?> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
25 <?rfc rfcprocack="no"?> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
26 <?rfc tocindent="yes"?> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
27 <rfc category="std" docName="draft-ietf-dime-erp-04.txt" ipr="trust200902"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
28 <front> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
29 <title abbrev="Diameter ERP Application">Diameter Support for the EAP |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
30 Re-authentication Protocol (ERP)</title> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
31 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
32 <author fullname="Julien Bournelle" initials="J." surname="Bournelle"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
33 <organization abbrev="Orange Labs">Orange Labs</organization> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
34 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
35 <address> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
36 <postal> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
37 <street>38-40 rue du general Leclerc</street> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
38 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
39 <city>Issy-Les-Moulineaux</city> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
40 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
41 <code>92794</code> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
42 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
43 <country>France</country> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
44 </postal> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
45 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
46 <email>julien.bournelle@orange-ftgroup.com</email> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
47 </address> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
48 </author> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
49 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
50 <author fullname="Lionel Morand" initials="L." surname="Morand"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
51 <organization abbrev="Orange Labs">Orange Labs</organization> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
52 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
53 <address> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
54 <postal> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
55 <street>38-40 rue du general Leclerc</street> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
56 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
57 <city>Issy-Les-Moulineaux</city> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
58 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
59 <code>92794</code> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
60 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
61 <country>France</country> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
62 </postal> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
63 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
64 <email>lionel.morand@orange-ftgroup.com</email> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
65 </address> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
66 </author> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
67 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
68 <author fullname="Sebastien Decugis" initials="S." role="editor" |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
69 surname="Decugis"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
70 <organization abbrev="NICT">NICT</organization> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
71 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
72 <address> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
73 <postal> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
74 <street>4-2-1 Nukui-Kitamachi</street> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
75 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
76 <city>Tokyo</city> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
77 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
78 <code>184-8795</code> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
79 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
80 <country>Koganei, Japan</country> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
81 </postal> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
82 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
83 <email>sdecugis@nict.go.jp</email> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
84 </address> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
85 </author> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
86 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
87 <author fullname="Qin Wu" initials="Q." surname="Wu"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
88 <organization abbrev="Huawei">Huawei Technologies Co., |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
89 Ltd</organization> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
90 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
91 <address> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
92 <postal> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
93 <street>Site B, Floor 12F, Huihong Mansion, No.91 Baixia |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
94 Rd.</street> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
95 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
96 <city>Nanjing</city> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
97 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
98 <code>210001</code> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
99 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
100 <country>China</country> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
101 </postal> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
102 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
103 <email>sunseawq@huawei.com</email> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
104 </address> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
105 </author> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
106 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
107 <author fullname="Glen Zorn" initials="G." role="editor" surname="Zorn"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
108 <organization>Network Zen</organization> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
109 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
110 <address> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
111 <postal> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
112 <street>1463 East Republican Street</street> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
113 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
114 <city>Seattle</city> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
115 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
116 <region>Washington</region> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
117 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
118 <code>98112</code> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
119 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
120 <country>USA</country> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
121 </postal> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
122 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
123 <phone>+1 206 931 0768</phone> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
124 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
125 <email>gwz@net-zen.net</email> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
126 </address> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
127 </author> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
128 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
129 <date year="2010" /> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
130 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
131 <area>Operations & Management</area> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
132 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
133 <keyword>Internet-Draft</keyword> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
134 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
135 <keyword>EAP</keyword> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
136 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
137 <keyword>Diameter</keyword> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
138 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
139 <keyword>Re-authentication</keyword> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
140 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
141 <keyword>AAA</keyword> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
142 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
143 <keyword>inter-authenticator roaming</keyword> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
144 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
145 <abstract> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
146 <t>The EAP Re-authentication Protocol (ERP) defines extensions to the |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
147 Extensible Authentication Protocol (EAP) to support efficient |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
148 re-authentication between the peer and an EAP Re-authentication (ER) |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
149 server through a compatible authenticator. This document specifies |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
150 Diameter support for ERP. It defines a new Diameter ERP application to |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
151 transport ERP messages between an ER authenticator and the ER server, |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
152 and a set of new AVPs that can be used to transport the cryptographic |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
153 material needed by the re-authentication server.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
154 </abstract> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
155 </front> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
156 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
157 <middle> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
158 <section anchor="Introduction" title="Introduction"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
159 <t><xref target="RFC5296">RFC 5296</xref> defines the EAP |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
160 Re-authentication Protocol (ERP). It consists of the following steps: |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
161 <list style="hanging"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
162 <t hangText="Bootstrapping"><vspace blankLines="0" /> A root key for |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
163 re-authentication is derived from the Extended Master Session Key |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
164 (EMSK) created during EAP authentication <xref |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
165 target="RFC5295"></xref>. This root key is transported from the EAP |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
166 server to the ER server.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
167 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
168 <t hangText="Re-authentication"><vspace blankLines="0" /> A |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
169 one-round-trip exchange between the peer and the ER server, |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
170 resulting in mutual authentication. To support the EAP |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
171 reauthentication functionality, ERP defines two new EAP codes - |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
172 EAP-Initiate and EAP-Finish.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
173 </list> This document defines how Diameter transports the ERP messages |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
174 during the re-authentication process. For this purpose, we define a new |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
175 Application Identifier for ERP, and re-use the Diameter EAP commands |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
176 (DER/DEA). <vspace blankLines="1" /> This document also discusses the |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
177 distribution of the root key during bootstrapping, in conjunction with |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
178 either the initial EAP authentication (implicit bootstrapping) or the |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
179 first ERP exchange (explicit bootstrapping). Security considerations for |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
180 this key distribution are detailed in <xref target="RFC5295">RFC |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
181 5295</xref>.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
182 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
183 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
184 <section title="Terminology"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
185 <t>This document uses terminology defined in <xref target="RFC3748">RFC |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
186 3748</xref>, <xref target="RFC5295">RFC 5295</xref>, <xref |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
187 target="RFC5296">RFC 5296</xref>, and <xref target="RFC4072">RFC |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
188 4072</xref>. <vspace blankLines="1" /> "Root key" (RK) or "bootstrapping |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
189 material" refer to the rRK or rDSRK derived from an EMSK, depending on |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
190 the location of the ER server in home or foreign domain. <vspace |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
191 blankLines="1" /> We use the notation "ERP/DER" and "ERP/DEA" in this |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
192 document to refer to Diameter-EAP-Request and Diameter-EAP-Answer |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
193 commands with the Application Id set to "Diameter ERP Application" <xref |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
194 target="IANA_AppId"></xref>; the same commands are denoted "EAP/DER" and |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
195 "EAP/DEA" when the Application Id in the message is set to "Diameter EAP |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
196 Application" <xref target="RFC4072"></xref>.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
197 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
198 <section title="Requirements Language"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
199 <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
200 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
201 document are to be interpreted as described in <xref |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
202 target="RFC2119"></xref>.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
203 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
204 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
205 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
206 <section title="Assumptions"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
207 <t>This document assumes the existence of at most one logical ER server |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
208 entity in a domain. If several physical servers are deployed for |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
209 robustness, a replication mechanism must be deployed to synchronize the |
| 55 | 210 ERP states (root keys) between these servers. This replication mechanism |
| 211 is out of the scope of this document. If multiple ER servers are | |
| 212 deployed in the domain, we assume that they can be used | |
| 213 interchangeably.</t> | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
214 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
215 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
216 <section anchor="Overview" title="Protocol Overview"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
217 <t>The following figure shows the components involved in ERP, and their |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
218 interactions. <figure align="center" anchor="Fig-Overview" |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
219 title="Diameter ERP Overview"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
220 <artwork><![CDATA[ |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
221 Diameter +--------+ |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
222 +-------------+ ERP +-----------+ (*) | Home | |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
223 Peer <->|Authenticator|<=======>| ER server | <---> | EAP | |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
224 +-------------+ +-----------+ | server | |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
225 +--------+ |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
226 (*) Diameter EAP application, explicit bootstrapping scenario only. |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
227 ]]></artwork> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
228 </figure> The ER server is located either in the home domain (same as |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
229 EAP server) or in the visited domain (same as authenticator, when it |
| 55 | 230 differs from the home domain). <vspace blankLines="1" /> When the peer |
| 231 initiates an ERP exchange, the authenticator creates a | |
| 232 Diameter-EAP-Request message <xref target="RFC4072"></xref>. The | |
| 233 Application Id of the message is set to that of the Diameter ERP | |
| 234 application (code: TBD) in the message. The generation of the ERP/DER | |
| 235 message is detailed in <xref target="Re-authentication"></xref>. <vspace | |
| 236 blankLines="1" /> If there is an ER server in the same domain as the | |
| 237 authenticator (local domain), Diameter routing must be configured so | |
| 238 that this ERP/DER message reachs this server, even if the | |
| 239 Destination-Realm is not the local domain. <vspace blankLines="1" /> If | |
| 240 there is no local ER server, the message is routed according to its | |
| 241 Destination-Realm AVP content, extracted from the realm component of the | |
| 242 keyName-NAI attribute. As specified in <xref target="RFC5296">RFC | |
| 243 5296</xref>, this realm is the home domain of the peer in case of a | |
| 244 bootstrapping exchange (the 'B' flag is set in the ERP message) or the | |
| 245 domain of the bootstrapped ER server otherwise. <vspace | |
| 246 blankLines="1" /> If no ER server is available in the home domain | |
| 247 either, the ERP/DER message cannot be delivered, and an error | |
| 248 DIAMETER_UNABLE_TO_DELIVER is generated <xref target="RFC3588"></xref> | |
| 249 and returned to the authenticator. The authenticator may cache this | |
| 250 information (with limited duration) to avoid further attempts for ERP | |
| 251 with this realm. It may also fallback to full EAP authentication to | |
| 252 authenticate the peer. <vspace blankLines="1" /> When an ER server | |
| 253 receives the ERP/DER message, it searches its local database for a root | |
| 254 key matching the keyName part of the User-Name AVP. If such key is | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
255 found, the ER server processes the ERP message as described in <xref |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
256 target="RFC5296">RFC 5296</xref> then creates the ERP/DEA answer as |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
257 described in <xref target="Re-authentication"></xref>. The rMSK is |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
258 included in this answer. <vspace blankLines="1" /> Finally, the |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
259 authenticator extracts the rMSK from the ERP/DEA as described in <xref |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
260 target="RFC5296">RFC 5296</xref>, and forwards the content of the |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
261 EAP-Payload AVP, the EAP-Finish/Re-Auth message, to the peer. <vspace |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
262 blankLines="1" /> If the EAP-Initiate/Re-Auth message has its 'B' flag |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
263 set (Bootstrapping exchange), the ER server should not possess the root |
| 55 | 264 key in its local database. In this case, the ER server acts as a proxy, |
| 265 and forwards the message to the home EAP server after changing its | |
| 266 Application Id to Diameter EAP and adding the ERP-RK-Request AVP to | |
| 267 request the root key. See <xref target="Bootstrapping"></xref> for more | |
| 268 detail on this process.</t> | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
269 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
270 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
271 <section anchor="Bootstrapping" title="Bootstrapping the ER Server"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
272 <t>The bootstrapping process involves the home EAP server and the ER |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
273 server, but also impacts the peer and the authenticator. In ERP, the |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
274 peer must derive the same keying material as the ER server. To achieve |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
275 this, it must learn the domain name of the ER server. How this |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
276 information is acquired is outside the scope of this specification, but |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
277 it may involves that the authenticator is configured to advertize this |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
278 domain name, especially in the case of re-authentication after a |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
279 handover. <vspace blankLines="1" /> The bootstrapping of an ER server |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
280 with a given root key happens either during the initial EAP |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
281 authentication of the peer when the EMSK -- from which the root key is |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
282 derived -- is created, during the first re-authentication, or sometime |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
283 between those events. We only consider the first two possibilities in |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
284 this specification, in the following sub-sections.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
285 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
286 <section title="Bootstrapping During the Initial EAP authentication"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
287 <t>Bootstrapping the ER server during the initial EAP authentication |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
288 (also known as implicit bootstrapping) offers the advantage that the |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
289 server is immediatly available for re-authentication of the peer, thus |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
290 minimizing re-authentication delay. On the other hand, it is possible |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
291 that only a small number of peers will use re-authentication in the |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
292 visited domain. Deriving and caching key material for all the peers |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
293 (for example, for the peers that do not support ERP) is a waste of |
| 55 | 294 resources and should be avoided. <vspace blankLines="1" /> To achieve |
| 295 implicit bootstrapping, the ER server acts as a Diameter EAP Proxy, | |
| 296 and Diameter routing must be configured so that Diameter EAP | |
| 297 application messages are routed through this proxy. The figure bellow | |
| 298 illustrates this mechanism. <figure align="center" anchor="Implict" | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
299 title="ERP Bootstrapping During Full EAP Authentication"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
300 <artwork><![CDATA[ |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
301 ER server & |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
302 Authenticator EAP Proxy Home EAP server |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
303 ============= =========== =============== |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
304 -------------------------> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
305 Diameter EAP/DER |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
306 (EAP-Response) |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
307 -------------------------> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
308 Diameter EAP/DER |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
309 (EAP-Response) |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
310 (ERP-RK-Request) |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
311 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
312 <==================================================> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
313 Multi-round Diameter EAP exchanges, unmodified |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
314 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
315 <------------------------- |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
316 Diameter EAP/DEA |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
317 (EAP-Success) |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
318 (MSK) |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
319 (Key AVP (rRK)) |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
320 <------------------------- |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
321 Diameter EAP/DEA |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
322 (EAP-Success) |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
323 (MSK) |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
324 [ERP-Realm] |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
325 ]]></artwork> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
326 </figure> The ER server proxies the first DER of the full EAP |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
327 authentication and adds the ERP-RK-Request AVP inside, if this AVP is |
| 55 | 328 not already in the message (which might happen if there are several ER |
| 329 servers on the path), then forwards the request. <vspace | |
| 330 blankLines="1" /> If the EAP server does not support the ERP | |
| 331 extensions, it simply ignores the ERP-RK-Request AVP and continues as | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
332 specified in <xref target="RFC4072">RFC 4072</xref>. If the server |
| 55 | 333 supports the ERP extensions, it saves the value of the ERP-Realm AVP |
| 334 found inside the ERP-RK-Request AVP, and continues with the EAP | |
| 335 authentication. When the authentication completes, if it is successful | |
| 336 and the EAP method has generated an EMSK, the server MUST derive the | |
| 337 rRK as specified in <xref target="RFC5296">RFC 5296</xref>, using the | |
| 338 saved domain name. It then includes the rRK inside a Key AVP <xref | |
| 339 target="KAVP"></xref> with the Key-Type AVP set to rRK, before sending | |
| 340 the DEA as usual.<vspace blankLines="1" /> When the ER server proxies | |
| 341 a Diameter-EAP-Answer message with a Session-Id corresponding to a | |
| 342 message to which it added an ERP-RK-Request AVP, and the Result-Code | |
| 343 is DIAMETER_SUCCESS, it MUST examine the message and save and remove | |
| 344 any Key AVP <xref target="KAVP"></xref> with Key-Type AVP set to rRK. | |
| 345 If the message does not contain such Key AVP, the ER server may cache | |
| 346 the information that ERP is not possible for this session to avoid | |
| 347 possible subsequent attempts. In any case, the information stored in | |
| 348 ER server concerning a session should not have a lifetime greater than | |
| 349 the EMSK for this session. <vspace blankLines="1" /> If the ER server | |
| 350 is successfully bootstrapped, it should also add the ERP-Realm AVP | |
| 351 after removing the Key AVP with Key-Type of rRK in the EAP/DEA | |
| 352 message. This ERP-Realm information can be used by the authenticator | |
| 353 to notify the peer that ER server is bootstrapped, and for which | |
| 354 domain. How this information can be transmitted to the peer is outside | |
| 355 the scope of this document. This information needs to be sent to the | |
| 356 peer if both implicit and explicit bootstrapping mechanisms are | |
| 357 possible, because the ERP message and the root key used for protecting | |
| 358 this message are different in bootstrapping exchanges and | |
| 359 non-bootstrapping exchanges.</t> | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
360 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
361 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
362 <section title="Bootstrapping During the First Re-authentication"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
363 <t>Bootstrapping the ER server during the first re-authentication |
| 55 | 364 (also known as explicit bootstrapping) is less resource-consuming, |
| 365 since root keys are generated and cached only when needed. On the | |
| 366 other hand, in that case first re-authentication requires a | |
| 367 one-round-trip exchange with the home EAP server, which is less | |
| 368 efficient than the implicit bootstrapping scenario. <vspace | |
| 369 blankLines="1" /> The ER server receives the ERP/DER message | |
| 370 containing the EAP-Initiate/Re-Auth message with the 'B' flag set. It | |
| 371 proxies this message, and performs the following processing in | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
372 addition to standard proxy operations: <list> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
373 <t>Changes the Application Id in the header of the message to |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
374 Diameter EAP Application (code 5).</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
375 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
376 <t>Change the content of Application-Auth-Id accordingly. <list |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
377 style="hanging"> |
| 55 | 378 <t hangText="QUESTION:"><vspace blankLines="0" /> Is it better |
| 379 to leave it unmodified, so that the server can easily | |
| 380 differenciate between ERP and standard EAP message ?</t> | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
381 </list></t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
382 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
383 <t>Add the ERP-RK-Request AVP, which contains the name of the |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
384 domain where the ER server is located.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
385 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
386 <t><list style="hanging"> |
| 55 | 387 <t hangText="PROBLEM:"><vspace blankLines="0" /> Add the |
| 388 Destination-Host AVP to reach the appropriate Diameter EAP | |
| 389 server in case there is more than one in destination domain, | |
| 390 the one with the EMSK. How does the ER server know this | |
| 391 information? Or can we require that all Diameter EAP servers | |
| 392 can be used interchangeably for this purpose?</t> | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
393 </list></t> |
| 55 | 394 </list> Then the proxied EAP/DER request is sent and routed to the |
| 395 home Diameter EAP server. <vspace blankLines="1" /> If the home EAP | |
| 396 server does not support the ERP extensions, it replies with an error | |
| 397 since the encapsulated EAP-Initiate/Re-auth command is not understood. | |
| 398 Otherwise, it processes the ERP request as described in <xref | |
| 399 target="RFC5296"></xref>. In particular, it includes the Domain-Name | |
| 400 TLV attribute with the content from the ERP-Realm AVP. It creates the | |
| 401 EAP/DEA reply message <xref target="RFC4072"></xref>. including an | |
| 402 instance of the Key AVP <xref target="KAVP"></xref> with Key-Type AVP | |
| 403 set to rRK. <vspace blankLines="1" /> The ER server receives this | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
404 EAP/DEA and proxies it as follows, in addition to standard proxy |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
405 operations: <list> |
| 55 | 406 <t>Set the Application Id back to Diameter ERP application Id |
| 407 (code TBD)</t> | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
408 |
| 55 | 409 <t>Extract and cache the content of the Key AVP with Key-Type set |
| 410 to rRK, as described in implicit scenario. </t> | |
| 411 </list> The ERP/DEA message is then forwarded to the authenticator, | |
| 412 that can use the rMSK as described in <xref target="RFC5296">RFC | |
| 413 5296</xref>. <vspace blankLines="1" /> The figure below captures this | |
| 414 proxy behavior: <figure align="center" anchor="FigExplicit" | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
415 title="ERP Explicit Bootstrapping Message Flow"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
416 <artwork><![CDATA[ |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
417 Authenticator ER server Home EAP server |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
418 ============= ========= =============== |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
419 -----------------------> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
420 Diameter ERP/DER |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
421 (EAP-Initiate) |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
422 ------------------------> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
423 Diameter EAP/DER |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
424 (EAP-Initiate) |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
425 (ERP-RK-Request) |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
426 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
427 <------------------------ |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
428 Diameter EAP/DEA |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
429 (EAP-Finish) |
| 55 | 430 (Key AVP (rRK)) |
| 431 (Key AVP (rMSK)) | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
432 <---------------------- |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
433 Diameter ERP/DEA |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
434 (EAP-Finish) |
| 55 | 435 (Key AVP (rMSK)) |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
436 ]]></artwork> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
437 </figure></t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
438 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
439 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
440 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
441 <section anchor="Re-authentication" title="Re-Authentication"> |
| 55 | 442 <t>This section describes in detail a re-authentication exchange with an |
| 443 ER server that was previously bootstrapped. The following figure | |
| 444 summarizes the re-authentication exchange. <figure align="center" | |
| 445 anchor="FigReauth" title="Diameter ERP Re-authentication Exchange"> | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
446 <artwork><![CDATA[ |
| 55 | 447 ER server |
| 448 Peer Authenticator (bootstrapped) | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
449 ==== ============= ====================== |
| 55 | 450 [ <------------------------ ] |
| 451 [optional EAP-Initiate/Re-auth-start,] | |
| 452 [ possibly with ERP domain name ] | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
453 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
454 -----------------------> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
455 EAP-Initiate/Re-auth |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
456 ===============================> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
457 Diameter ERP, cmd code DER |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
458 User-Name: Keyname-NAI |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
459 EAP-Payload: EAP-Initiate/Re-auth |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
460 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
461 <=============================== |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
462 Diameter ERP, cmd code DEA |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
463 EAP-Payload: EAP-Finish/Re-auth |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
464 Key AVP: rMSK |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
465 <---------------------- |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
466 EAP-Finish/Re-auth |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
467 ]]></artwork> |
| 55 | 468 </figure> The peer sends an EAP-Initiate/Re-auth message to the ER |
| 469 server via the authenticator. Alternatively, the authenticator may send | |
| 470 an EAP-Initiate/Re-auth-Start message to the peer to trigger the | |
| 471 mechanism. In this case, the peer responds with an EAP-Initiate/Re-auth | |
| 472 message. <vspace blankLines="1" /> If the authenticator does not support | |
| 473 ERP (pure <xref target="RFC4072">Diameter EAP</xref> support), it | |
| 474 discards the EAP packets with an unknown ERP-specific code | |
| 475 (EAP-Initiate). The peer should fallback to full EAP authentication in | |
| 476 this case. <vspace blankLines="1" /> When the authenticator receives an | |
| 477 EAP-Initiate/Re-auth message from the peer, it processes as described in | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
478 <xref target="RFC5296"></xref> with regards to the EAP state machine. It |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
479 creates a Diameter EAP Request message following the general process of |
| 55 | 480 <xref target="RFC4072">Diameter EAP</xref>, with the following |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
481 differences: <list> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
482 <t>The Application Id in the header is set to Diameter ERP (code |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
483 TBD).</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
484 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
485 <t>The value in Auth-Application-Id AVP is also set to Diameter ERP |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
486 Application.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
487 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
488 <t>The keyName-NAI attribute from ERP message is used to create the |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
489 content of User-Name AVP and Destination-Realm AVP.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
490 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
491 <t><list style="hanging"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
492 <t hangText="FFS:"><vspace blankLines="0" /> What about |
| 55 | 493 Session-ID AVP ?</t> |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
494 </list></t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
495 |
| 55 | 496 <t>The Auth-Request-Type AVP content is set to [Editor's note: FFS |
| 497 -- cf. open issues]. </t> | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
498 |
| 55 | 499 <t>The EAP-Payload AVP contains the EAP-Initiate/Re-Auth |
| 500 message.</t> | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
501 </list> Then this ERP/DER message is sent as described in <xref |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
502 target="Overview"></xref>. <vspace blankLines="1" /> The ER server |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
503 receives and processes this request as described in <xref |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
504 target="Overview"></xref>. It then creates an ERP/DEA message following |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
505 the general processing described in <xref target="RFC4072">RFC |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
506 4072</xref>, with the following differences: <list> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
507 <t>The Application Id in the header is set to Diameter ERP (code |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
508 TBD).</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
509 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
510 <t>The value of the Auth-Application-Id AVP is also set to Diameter |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
511 ERP Application.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
512 |
| 55 | 513 <t>The EAP-Payload AVP contains the EAP-Finish/Re-auth message.</t> |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
514 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
515 <t>In case of successful authentication, an instance of the Key AVP |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
516 containing the Re-authentication Master Session Key (rMSK) derived |
| 55 | 517 by ERP is included.</t> |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
518 </list> When the authenticator receives this ERP/DEA answer, it |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
519 processes it as described in <xref target="RFC4072">Diameter EAP</xref> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
520 and <xref target="RFC5296">RFC 5296</xref>: the content of EAP-Payload |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
521 AVP content is forwarded to the peer, and the contents of the |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
522 Keying-Material AVP <xref target="I-D.ietf-dime-local-keytran"></xref> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
523 is used as a shared secret for Secure Association Protocol.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
524 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
525 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
526 <section anchor="ApplicationId" title="Application Id"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
527 <t>We define a new Diameter application in this document, Diameter ERP |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
528 Application, with an Application Id value of TBD. Diameter nodes |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
529 conforming to this specification in the role of ER server MUST advertise |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
530 support by including an Auth-Application-Id AVP with a value of Diameter |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
531 ERP Application in the of the Capabilities-Exchange-Request and |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
532 Capabilities-Exchange-Answer commands <xref target="RFC3588"></xref>. |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
533 <vspace blankLines="1" /> The primary use of the Diameter ERP |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
534 Application Id is to ensure proper routing of the messages, and that the |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
535 nodes that advertise the support for this application do understand the |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
536 new AVPs defined in <xref target="AVPs"></xref>, although these AVP have |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
537 the 'M' flag cleared.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
538 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
539 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
540 <section anchor="AVPs" title="AVPs"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
541 <t>This section discusses the AVPs used by the Diameter ERP |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
542 application.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
543 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
544 <section title="ERP-RK-Request AVP"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
545 <t>The ERP-RK-Request AVP (AVP Code TBD) is of type grouped AVP. This |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
546 AVP is used by the ER server to indicate its willingness to act as ER |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
547 server for a particular session. <vspace blankLines="1" /> This AVP |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
548 has the M and V bits cleared. <figure align="center" anchor="ERRABNF" |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
549 title="ERP-RK-Request ABNF"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
550 <artwork><![CDATA[ |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
551 ERP-RK-Request ::= < AVP Header: TBD > |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
552 { ERP-Realm } |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
553 * [ AVP ] |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
554 ]]></artwork> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
555 </figure></t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
556 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
557 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
558 <section title="ERP-Realm AVP"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
559 <t>The ERP-Realm AVP (AVP Code TBD) is of type DiameterIdentity. It |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
560 contains the name of the realm in which the ER server is located. |
| 55 | 561 <vspace blankLines="1" /> This AVP has the M and V bits cleared.</t> |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
562 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
563 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
564 <section anchor="KAVP" title="Key AVP"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
565 <t>The Key AVP <xref target="I-D.ietf-dime-local-keytran"></xref> is |
| 55 | 566 of type "Grouped" and is used to carry the rRK or rMSK and associated |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
567 attributes. The usage of the Key AVP and its constituent AVPs in this |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
568 application is specified in the following sub-sections.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
569 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
570 <section title="Key-Type AVP"> |
| 55 | 571 <t>The value of the Key-Type AVP MUST be set to 2 for rRK or 3 for |
| 572 rMSK.</t> | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
573 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
574 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
575 <section title="Keying-Material AVP"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
576 <t>The Keying-Material AVP contains rRK sent by the home EAP server |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
577 to the ER server, in answer to a request containing an |
| 55 | 578 ERP-RK-Request AVP, or the rMSK sent by ER server to authenticator. |
| 579 How this material is derived and used is specified in <xref | |
| 580 target="RFC5296">RFC 5296</xref>.</t> | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
581 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
582 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
583 <section title="Key-Name AVP"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
584 <t>This AVP contains the EMSKname which identifies the keying |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
585 material. The derivation of this name is specified in <xref |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
586 target="RFC5296">RGC 5296</xref>.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
587 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
588 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
589 <section title="Key-Lifetime AVP"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
590 <t>The Key-Lifetime AVP contains the lifetime of the keying material |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
591 in seconds. It MUST NOT be greater than the remaining lifetime of |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
592 the EMSK from which the material was derived.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
593 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
594 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
595 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
596 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
597 <section anchor="Issues" title="Open issues"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
598 <t>This document does not address some known issues in Diameter ERP |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
599 mechanism. The authors would like to hear ideas about how to address |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
600 them. <vspace blankLines="1" /> The main issue is the use of ERP for |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
601 authentication after a handover of the peer to a new authenticator (or |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
602 different authenticator port). Diameter ERP is not meant to be a |
| 55 | 603 mobility application. A number of issues appear when we try to do |
| 604 handover while using Diameter ERP:<list> | |
| 605 <t>how to manage the Session-Id AVP -- is it a new session each | |
| 606 time, or do we try to reuse the same Diameter session?;</t> | |
| 607 | |
| 608 <t>how does the ER authenticator acquire the Authorization AVPs? Is | |
| 609 it cached in the Diameter ER server (received during bootstrapping) | |
| 610 or do we use first Authenticate-Only with ER server, then | |
| 611 Authorize-Only with home domain (and in that case how does the ER | |
| 612 authenticator learn what the home domain is?)</t> | |
| 613 | |
| 614 <t>how does the peer learn the ERP domain of the new authenticator | |
| 615 -- this is being addressed in HOKEY architecture draft; </t> | |
| 616 | |
| 617 <t>how does the home server reachs the peer to for example terminate | |
| 618 the session if there is no notification sent to the home domain;</t> | |
| 619 </list><vspace blankLines="1" /> Another issue concerns the case where | |
| 620 the home realm contains several EAP servers. In multi rounds full EAP | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
621 authentication, the Destination-Host AVP provides the solution to reach |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
622 the same server across the exchanges. Only this server possess the EMSK |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
623 for the session. In case of explicit bootstrapping, the ER server must |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
624 therefore be able to reach the correct server to request the DSRK. A |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
625 solution might consist in saving the Origin-Host AVP of all successful |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
626 EAP/DEA in the ER server, which is a bit similar to the implicit |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
627 bootstrapping scenario described here -- only we save the server name |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
628 instead of the root key, and we must then be able to match the DSRK with |
| 55 | 629 the user name. <vspace blankLines="1" />In roaming environments, it |
| 630 might be useful that a broker provides ERP services. The security | |
| 631 implications of storing the DSRK generated for the visited domain into | |
| 632 the broker's server should be studied.<vspace blankLines="1" /> Finally, | |
| 633 this document currently lacks a description of what happens when a | |
| 634 Re-Auth-Request is received for a peer on the authenticator.</t> | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
635 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
636 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
637 <section anchor="Acknowledgements" title="Acknowledgements"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
638 <t>Hannes Tschofenig wrote the initial draft for this document and |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
639 provided useful reviews. <vspace blankLines="1" /> Vidya Narayanan |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
640 reviewed a rough draft version of the document and found some errors. |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
641 <vspace blankLines="1" /> Lakshminath Dondeti contributed to the early |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
642 versions of the document. <vspace blankLines="1" /> Many thanks to these |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
643 people!</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
644 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
645 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
646 <section anchor="IANA" title="IANA Considerations"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
647 <t>This document requires IANA registration of the following new |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
648 elements in the <eref |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
649 target="http://www.iana.org/assignments/aaa-parameters/">Authentication, |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
650 Authorization, and Accounting (AAA) Parameters</eref> registries.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
651 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
652 <section anchor="IANA_AppId" title="Diameter Application Identifier"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
653 <t>This specification requires IANA to allocate a new value "Diameter |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
654 ERP" in the "Application IDs" registry <xref target="RFC3588"> using |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
655 the policy specified in Section 11.3 of RFC 3588</xref>.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
656 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
657 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
658 <section anchor="IANA_AVP" title="New AVPs"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
659 <t>This specification requires IANA to allocate new values from the |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
660 "AVP Codes" registry <xref target="RFC3588">according to the policy |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
661 specified in Section 11.1 of RFC 3588</xref> for the following AVPs: |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
662 <list> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
663 <t>ERP-RK-Request</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
664 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
665 <t>ERP-Realm</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
666 </list>These AVPs are defined in <xref target="AVPs"></xref>.</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
667 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
668 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
669 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
670 <section anchor="Security" title="Security Considerations"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
671 <t>The security considerations from the following documents also apply |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
672 here: <list style="symbols"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
673 <t><xref target="RFC3588">RFC 3588</xref></t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
674 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
675 <t><xref target="RFC4072">RFC 4072</xref></t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
676 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
677 <t><xref target="RFC5247">RFC 5247</xref></t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
678 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
679 <t><xref target="RFC5295">RFC 5295</xref></t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
680 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
681 <t><xref target="RFC5296"></xref></t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
682 </list> <list style="hanging"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
683 <t hangText="FFS:"><vspace blankLines="0" /> Do we really respect |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
684 these security considerations with the mechanism we describe here? |
| 55 | 685 Is it safe to use ERP-RK-Request & Key AVPs? What is the worst |
| 686 case? For example if a domain tricks the peer into beliving it is | |
| 687 located in a different domain?</t> | |
|
54
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
688 </list> EAP channel bindings may be necessary to ensure that the |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
689 Diameter client and the server are in sync regarding the key Requesting |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
690 Entity's Identity. Specifically, the Requesting Entity advertises its |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
691 identity through the EAP lower layer, and the user or the EAP peer |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
692 communicates that identity to the EAP server (and the EAP server |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
693 communicates that identity to the Diameter server) via the EAP method |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
694 for user/peer to server verification of the Requesting Entity's |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
695 Identity. <list style="hanging"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
696 <t hangText="QUESTION:"><vspace blankLines="0" /> What does this |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
697 paragraph actually mean?</t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
698 </list></t> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
699 </section> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
700 </middle> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
701 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
702 <back> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
703 <references title="Normative References"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
704 &RFC2119; |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
705 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
706 &RFC3588; |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
707 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
708 &RFC4072; |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
709 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
710 &RFC5295; |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
711 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
712 &RFC5296; |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
713 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
714 &I-D.ietf-dime-local-keytran; |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
715 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
716 &RFC3748; |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
717 </references> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
718 |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
719 <references title="Informative References"> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
720 &RFC5247; |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
721 </references> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
722 </back> |
|
b817687af36c
Initial version: based on -04 as found in tools.ietf.org
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
723 </rfc> |