Mercurial > hg > ietf
annotate New_ERP_draft_src.txt @ 17:8b6e98eec7ef
Added copyright and status before publishing.
| author | Sebastien Decugis <sdecugis@nict.go.jp> |
|---|---|
| date | Thu, 19 Mar 2009 10:46:29 +0900 |
| parents | aa31cf892b1b |
| children | 05b38ab642bc |
| rev | line source |
|---|---|
|
17
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
1 *Status of this Memo* |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
2 |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
3 This is a work document intended to present ideas for a possible future Internet-Draft in the DIME working-group. |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
4 The copyright for this memo is writen by the end of the document (same as Internet-Drafts) |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
5 |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
6 |
| 11 | 7 |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
8 *Abstract* |
|
3
e7bcb9ee39b5
Document to present alternative design for Diameter ERP, initial commit (incomplete work)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
9 |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
10 The EAP Re-authentication Protocol [RFC5296] provides an optimization for EAP authentication when a peer moves from an authenticator to another. This protocol assumes that a AAA protocol is available to transport the ERP messages between authenticator and ER server. [draft-gaonkar-radext-erp-attrs-03] specifies the transport of ERP using RADIUS. This document specifies the transport of ERP using Diameter [RFC3588]. |
|
3
e7bcb9ee39b5
Document to present alternative design for Diameter ERP, initial commit (incomplete work)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
11 |
|
e7bcb9ee39b5
Document to present alternative design for Diameter ERP, initial commit (incomplete work)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
12 |
|
e7bcb9ee39b5
Document to present alternative design for Diameter ERP, initial commit (incomplete work)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
13 |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
14 *Differences with [draft-ietf-dime-erp-00]* |
|
3
e7bcb9ee39b5
Document to present alternative design for Diameter ERP, initial commit (incomplete work)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
15 |
| 9 | 16 In this document, we specify a new Diameter application ID for Diameter messages transporting ERP exchanges between authenticator and ER server. We re-use the mechanism described in [draft-ietf-dime-erp-00] as an option available to provide implicit bootstrapping to the ER server. |
|
3
e7bcb9ee39b5
Document to present alternative design for Diameter ERP, initial commit (incomplete work)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
17 |
|
e7bcb9ee39b5
Document to present alternative design for Diameter ERP, initial commit (incomplete work)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
18 |
|
e7bcb9ee39b5
Document to present alternative design for Diameter ERP, initial commit (incomplete work)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
19 |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
20 *Introduction.* |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
21 |
| 9 | 22 During full EAP authentication, both the peer and the home EAP server derive EMSK material in addition to MSK. The EMSK can be used to derive a re-authentication root key (rRK or rDSRK) as described in [RFC5296]. This root key is transported to an ER server, this is called bootstrapping the ER server. When the peer re-authenticates using ERP, a one round-trip exchange occurs between the authenticator and the ER server, where new rMSK material is derived. The ER server may be located in the visited domain or home domain. |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
23 |
| 9 | 24 There are two types of exchanges between AAA entities in the Re-authentication mechanism: transport of the re-authentication root key between the home EAP server and the ER server to bootstrap the mechanism, and transport of ERP messages and rMSK material between ER server and authenticator. This document specifies how the re-authentication exchange is transported using Diameter. It also provides information on how bootstrapping can be achieved in several situations. |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
25 |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
26 Diameter +--------+ |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
27 +-------------+ ERP +-----------+ (*) | Home | |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
28 Peer <->|Authenticator|<=======>| ER server | <---> | EAP | |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
29 +-------------+ +-----------+ | server | |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
30 +--------+ |
| 9 | 31 (*) Several protocols can be used between ER server and home EAP server to transport bootstrapping material. Diameter EAP is one of the possibilities. |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
32 |
| 9 | 33 Figure 1. Diameter applications used in the ERP mechanism. |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
34 |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
35 |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
36 |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
37 *Assumptions.* |
|
3
e7bcb9ee39b5
Document to present alternative design for Diameter ERP, initial commit (incomplete work)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
38 |
| 9 | 39 For the peer to start an ERP exchange when attaching to a new authenticator, the following assumptions must be verified. Note that the peer can always fall back to full EAP authentication if one of these conditions is not met. These assumptions are implicit from [RFC5296]. |
|
3
e7bcb9ee39b5
Document to present alternative design for Diameter ERP, initial commit (incomplete work)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
40 |
|
e7bcb9ee39b5
Document to present alternative design for Diameter ERP, initial commit (incomplete work)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
41 The peer must have non-expired keying material (EMSK) derived from a previous full EAP authentication. |
|
e7bcb9ee39b5
Document to present alternative design for Diameter ERP, initial commit (incomplete work)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
42 |
| 9 | 43 The peer must learn the realm of the new authenticator before starting the exchange, for example using L2-dependent mechanism. If this condition is not met, the peer cannot assume that an ER server is available and bootstrapped in the realm of this authenticator. It should start an ERP bootstrapping exchange as described in [RFC5296]. In addition, if the peer is attaching to this realm for the first time since the EMSK was derived (inter-domain handover), an ERP bootstrapping exchange must be initiated. |
|
3
e7bcb9ee39b5
Document to present alternative design for Diameter ERP, initial commit (incomplete work)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
44 |
|
e7bcb9ee39b5
Document to present alternative design for Diameter ERP, initial commit (incomplete work)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
45 The authenticator must support ERP extensions. If this condition is not met, the ERP messages will be dropped by the authenticator conforming to [RFC4072] and ERP will fail. |
|
e7bcb9ee39b5
Document to present alternative design for Diameter ERP, initial commit (incomplete work)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
46 |
|
e7bcb9ee39b5
Document to present alternative design for Diameter ERP, initial commit (incomplete work)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
47 |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
48 |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
49 *Overview* |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
50 |
| 9 | 51 We define a new Diameter Application ID for ERP. When the authenticator receives an EAP-Initiate/Re-auth message, it encapsulates it in a DER message following the rules described in [RFC4072]. The application id of the DER message is set to the Diameter ERP application ID. The User-Name and Destination-Realm AVPs are extracted from the keyName-NAI included in the ERP message, as described in [RFC5296]. In the case were ERP is already bootstrapped in this domain, and the peer knows it, the Destination-Realm of the message is the local domain. In other cases, the peer is initiating a bootstrapping ERP exchange, and the Destination-Realm is the home domain. |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
52 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
53 When ERP is already bootstrapped, the message is routed to the bootstrapped ER server. This server processes the ERP message as described in [RFC5296] then derives a new rMSK and answers a DEA encapsulating the EAP-Finish/Re-auth answer and the rMSK for the authenticator. Re-authentication is complete {see pending question in the end of this document}. This exchange is described in Figure 2 bellow. |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
54 |
| 9 | 55 There are several options to bootstrap the ER server. This document discusses some of the options, but a different mechanism not described here may be deployed as well. See the following sections for more details about bootstrapping scenarii. |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
56 |
| 11 | 57 ER server |
| 58 (bootstrapped) | |
|
13
aa31cf892b1b
Yet more cleanups...
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
11
diff
changeset
|
59 Peer Authenticator (local or home domain) |
|
aa31cf892b1b
Yet more cleanups...
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
11
diff
changeset
|
60 ==== ============= ====================== |
| 11 | 61 [ <------------------------ ] |
| 62 [optional EAP-Initiate/Re-auth-start] | |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
63 |
| 9 | 64 -----------------------> |
| 65 EAP-Initiate/Re-auth | |
| 66 =====================================> | |
| 67 Diameter ERP, cmd code DER | |
| 68 User-Name: Keyname-NAI | |
| 69 EAP-Payload: EAP-Initiate/Re-auth | |
| 70 | |
| 71 <===================================== | |
| 72 Diameter ERP, cmd code DEA | |
| 73 EAP-Payload: EAP-Finish/Re-auth | |
| 74 EAP-Master-Session-Key: rMSK | |
| 75 <---------------------- | |
| 76 EAP-Finish/Re-auth | |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
77 |
| 9 | 78 Figure 2. Diameter ERP exchange. |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
79 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
80 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
81 |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
82 *Bootstrapping* |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
83 |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
84 The purpose of bootstrapping is to provide the keying material to the ER server. This keying material is rRK (directly derived from EMSK) when the ER server is in the peer's home domain. The keying material is rDSRK (derived from DSRK, itself derived from EMSK) when the ER server is in the visited domain. |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
85 |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
86 |
| 11 | 87 |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
88 *Scenario 1: explicit bootstrapping* |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
89 |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
90 As described in [RFC5296], an explicit bootstrapping exchange can be initiated by the peer. In this case, the realm part of the Keyname-NAI is the home domain of the peer. |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
91 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
92 The authenticator processes the ERP as described in the overview: encapsulate the ERP message in a DER command with application-id set to Diameter ERP. The Destination-Realm extracted from Keyname-NAI is the home domain. |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
93 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
94 If an ER server is located in the local domain, it should proxy the request and process as described bellow. Otherwise the request is sent to the ER server in the home domain. |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
95 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
96 When the ER server (in local or home domain) receives the ERP/DER request, it must process as follow: |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
97 - Check in the local key store if a key with same name is available. If such key is found, process the request locally and answer. |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
98 - Check if the EAP-Initiate/Re-auth message has the [B] (bootstrapping) flag set. If this flag is not set, relay the message without altering it (except adding the Route-Record information) or reply with an error if no other Diameter node is available to handle the request, following the rules of Diameter Base Protocol. |
| 9 | 99 - If the [B] flag was set, the message is proxied locally and modified as follow: |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
100 * Change the application-id of the message from Diameter ERP to Diameter EAP (so that the message will reach the Home EAP server). |
| 9 | 101 * Add the ERP-RK-Request AVP, defined in this document. |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
102 * Send the new message. It will reach the Home EAP server. |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
103 |
| 9 | 104 If the home EAP server does not support ERP extensions, it replies with an error since encapsulated EAP-Initiate/Re-auth command is not understood. Otherwise, it processes the EAP-Initiate/Re-auth message as described in [RFC5296] and derives the requested rDSRK or rRK, and new rMSK. It sends this material using the new ERP-RK-Answer AVP described in this document. It also includes the realm of the ER server in the EAP-Finish/Re-auth message to inform the peer of the location of the ER server. |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
105 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
106 The ER server receives this DEA, extracts and cache the rRK or rDSRK material, restores the application-id to Diameter ERP and forwards the message to the authenticator. |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
107 |
| 9 | 108 This flow is captured figure 3. |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
109 |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
110 Authenticator ER server Home EAP server |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
111 ============= ========= =============== |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
112 -----------------------> |
| 11 | 113 Diameter ERP/DER |
| 114 (EAP-Initiate) | |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
115 ------------------------> |
| 11 | 116 Diameter EAP/DER |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
117 (EAP-Initiate) |
| 9 | 118 (ERP-RK-Request) |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
119 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
120 <------------------------ |
| 11 | 121 Diameter EAP/DEA |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
122 (EAP-Finish) |
| 9 | 123 (ERP-RK-Answer) |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
124 (rMSK) |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
125 <---------------------- |
| 11 | 126 Diameter ERP/DEA |
| 127 (EAP-Finish) | |
| 128 (rMSK) | |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
129 |
| 9 | 130 Figure 3. ERP explicit bootstrapping message flow. |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
131 |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
132 |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
133 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
134 *Scenario 2: implicit bootstrapping during full EAP authentication* |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
135 |
| 9 | 136 In some deployment scenarii, the ER server may be collocated with an EAP proxy or server. In that case, the optional ERP AVPs defined in this document may be used during initial full EAP authentication to provide implicit bootstrapping (section 5.1 of [RFC5296]) as described bellow. |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
137 |
| 9 | 138 In this scenario, the ERP key material is derived and cached regardless of the peer support and willingness for ERP. This may lead to scalability and other issues. Implementors may provide other ways to select which sessions should use implicit bootstrapping. |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
139 |
| 9 | 140 In the first round of full EAP exchange, the ER server adds the ERP-RK-Request AVP to the DER message. |
| 141 If the home EAP server supports ERP extensions, it caches this request and continues the normal EAP authentication until completion. Otherwise, the optional AVP is simply ignored. | |
| 142 When the authentication is successful and EMSK is generated, the home EAP server derives the rRK or rDSRK as requested, and adds this material to the last DEA in the ERP-RK-Answer AVP defined in this document. The server may check that the ER server that requested the material is in the Route-Record list of the last DER, but this is not mandatory. | |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
143 |
| 9 | 144 When the ER server collocated with EAP proxy receives the DEA containing ERP-RK-Answer AVP, it extracts this AVP and saves the rRK or rDSRK material for later use. |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
145 |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
146 EAP Proxy / |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
147 Authenticator ER server Home EAP server |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
148 ============= =========== =============== |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
149 -------------------------> |
| 11 | 150 Diameter EAP/DER |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
151 (EAP-Response) |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
152 -------------------------> |
| 11 | 153 Diameter EAP/DER |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
154 (EAP-Response) |
| 9 | 155 (ERP-RK-Request) |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
156 |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
157 <==================================================> |
| 11 | 158 Multi-round Diameter EAP exchanges, unmodified |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
159 |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
160 <------------------------- |
| 11 | 161 Diameter EAP/DEA |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
162 (EAP-Success) |
| 9 | 163 (MSK) |
| 164 (ERP-RK-Answer) | |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
165 <------------------------- |
| 11 | 166 Diameter EAP/DEA |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
167 (EAP-Success) |
| 9 | 168 (MSK) |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
169 |
| 9 | 170 Figure 4. Implicit ERP bootstrapping during full EAP authentication. |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
171 |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
172 |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
173 |
|
13
aa31cf892b1b
Yet more cleanups...
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
11
diff
changeset
|
174 *Scenario 3: Case of MIP6* |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
175 |
| 9 | 176 {TODO: study this case ?} |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
177 |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
178 |
| 11 | 179 |
|
13
aa31cf892b1b
Yet more cleanups...
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
11
diff
changeset
|
180 *Scenario 4: Other possibilities* |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
181 |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
182 {In case implementation-specific solution is retained, list here the constraints?} |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
183 |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
184 |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
185 |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
186 *Commands and AVPs* |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
187 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
188 This document does not define a new command. It reuses the Diameter-EAP-Request and Diameter-EAP-Answer as defined in [RFC4072]. It is also compatible with extensions defined in [draft-ietf-dime-mip6-split-16]. |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
189 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
190 Command-Name Abbrev. Code Reference Application |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
191 --------------------------------------------------------- |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
192 Diameter-EAP-Request DER 268 RFC 4072 Diameter ERP |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
193 Diameter-EAP-Answer DEA 268 RFC 4072 Diameter ERP |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
194 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
195 Figure 5: Command Codes |
| 9 | 196 The following new AVPs are defined in this document. |
| 197 | |
| 198 | |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
199 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
200 *ERP-RK-Request AVP* |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
201 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
202 The ERP-RK-Request AVP (AVP Code TBD) is of type grouped AVP. It is used by the ER server to request root key material used in ERP. |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
203 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
204 This AVP has the M and V bits cleared. |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
205 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
206 ERP-RK-Request ::= < AVP Header: TBD > |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
207 { ERP-Realm } |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
208 * [ AVP ] |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
209 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
210 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
211 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
212 *ERP-Realm AVP* |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
213 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
214 The ERP-Realm AVP (AVP Code TBD) is of type {DiameterIdentity? OctetString?}. It contains the name of the realm in which the ER server is located. |
| 9 | 215 {FFS: We may re-use Origin-Realm here instead?} |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
216 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
217 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
218 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
219 *ERP-RK-Answer AVP* |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
220 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
221 The ERP-RK-Answer AVP (AVP Code TBD) is of type grouped AVP. It is used by the home EAP server to provide ERP root key material to the ER server. |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
222 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
223 This AVP has the M and V bits cleared. |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
224 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
225 ERP-RK-Answer ::= < AVP Header: TBD > |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
226 { ERP-RK } |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
227 { ERP-RK-Name } |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
228 { ERP-RK-Lifetime } |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
229 * [ AVP ] |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
230 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
231 |
|
13
aa31cf892b1b
Yet more cleanups...
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
11
diff
changeset
|
232 |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
233 *ERP-RK AVP* |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
234 |
| 9 | 235 The ERP-RK AVP (AVP Code TBD) is of type OctetString. It contains the root key (either rRK or rDSRK) to be used for ERP with the peer to which this session belongs. How this material is derived and used is specified in [RFC5296]. |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
236 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
237 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
238 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
239 *ERP-RK-Name AVP* |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
240 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
241 The ERP-RK AVP (AVP Code TBD) is of type OctetString. This AVP contains the EMSKname which identifies the keying material. How this name is derived is beyond the scope of this document and defined in [RFC5296]. |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
242 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
243 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
244 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
245 *ERP-RK-Lifetime AVP* |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
246 |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
247 The ERP-RK-Lifetime AVP (AVP Code TBD) is of type {Unsigned64? 32?} and contains the root key material lifetime in seconds. |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
248 |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
249 |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
250 |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
251 *Pending question on accounting and sessions.* |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
252 |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
253 During initial full EAP authentication, the identity of the peer is used to create the Session-Id AVP, which is then used during accounting. |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
254 When the peer attaches to a new authenticator and performs ERP, its identity is not disclosed to the authenticator. Instead, the peer presents the Keyname-NAI. This identifiers contains the EMSKName as user part. |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
255 |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
256 The new authenticator will therefore derive the new Session-Id from this EMSKName and use this for accounting purpose. |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
257 |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
258 Although the home EAP server is able to link EMSKName with the peer's identity, the other Diameter entities do not have this mapping. In particular, the realm part of Keyname-NAI is the visited network. How does the authenticator figures out that the account records must be sent to the home domain of the peer? |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
259 |
|
8
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
260 It is possible to cache the necessary information at the ER server level. Is it useful to specify this mechanism in this document? |
|
45a13fe6e0be
Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
4
diff
changeset
|
261 |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
262 |
|
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
263 |
|
17
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
264 *Full Copyright Statement* |
|
4
5fc766d71da4
Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
3
diff
changeset
|
265 |
|
17
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
266 Copyright (C) The IETF Trust (2008). |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
267 |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
268 This document is subject to the rights, licenses and restrictions |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
269 contained in BCP 78, and except as set forth therein, the authors |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
270 retain all their rights. |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
271 |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
272 This document and the information contained herein are provided on an |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
273 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
274 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
275 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
276 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
277 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
278 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
279 |
|
8b6e98eec7ef
Added copyright and status before publishing.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
13
diff
changeset
|
280 |