annotate draft-ietf-dime-erp-01.xml @ 37:a22fb485486b
Removed the 'Differences with previous version' section (Comment from Hannes)
author | Sebastien Decugis <sdecugis@nict.go.jp> |
date | Fri, 28 Aug 2009 17:53:44 +0900 |
parents | a127a7d7850d |
children | 45f0d51961cf |
1 <?xml version="1.0" encoding="US-ASCII"?> |
2 <!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ |
3 <!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"> |
4 <!ENTITY RFC3748 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3748.xml"> |
5 <!ENTITY RFC3588 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3588.xml"> |
6 <!ENTITY RFC4072 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4072.xml"> |
7 <!ENTITY RFC4187 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4187.xml"> |
8 <!ENTITY RFC5247 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5247.xml"> |
9 <!ENTITY RFC5295 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5295.xml"> |
10 <!ENTITY RFC5296 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5296.xml"> |
11 <!ENTITY I-D.ietf-hokey-key-mgm SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-hokey-key-mgm-06.xml"> |
12 <!ENTITY I-D.ietf-dime-app-design-guide SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-dime-app-design-guide-08.xml"> |
13 <!ENTITY I-D.gaonkar-radext-erp-attrs SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-gaonkar-radext-erp-attrs-03.xml"> |
14 <!ENTITY I-D.ietf-dime-erp SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-dime-erp-00.xml"> |
15 <!ENTITY I-D.wu-dime-local-keytran SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-wu-dime-local-keytran-00.xml"> |
16 <!ENTITY nbsp " "> |
17 ]> |
18 <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> |
19 <?rfc strict="yes"?> |
20 <?rfc comments="no"?> |
21 <?rfc inline="yes"?> |
22 <?rfc editing="no"?> |
23 <?rfc toc="yes"?> |
24 <?rfc tocompact="yes"?> |
25 <?rfc tocdepth="3"?> |
26 <?rfc symrefs="yes"?> |
27 <?rfc sortrefs="yes"?> |
28 <?rfc compact="yes"?> |
29 <?rfc subcompact="no"?> |
30 <?rfc rfcedstyle="yes"?> |
31 <?rfc rfcprocack="no"?> |
32 <?rfc tocindent="yes"?> |
33 <rfc category="std" docName="draft-ietf-dime-erp-01.txt" ipr="trust200902"> |
34 <front> |
35 <title abbrev="Diameter support for ERP">Diameter support for EAP |
36 Re-authentication Protocol (ERP)</title> |
37 |
38 <author fullname="Lakshminath Dondeti" initials="L" surname="Dondeti"> |
39 <organization>QUALCOMM, Inc.</organization> |
40 |
41 <address> |
42 <postal> |
43 <street>5775 Morehouse Dr</street> |
44 |
45 <city>San Diego</city> |
46 |
47 <region>CA</region> |
48 |
49 <country>USA</country> |
50 </postal> |
51 |
52 <phone>+1 858-845-1267</phone> |
53 |
54 <email>ldondeti@qualcomm.com</email> |
55 </address> |
56 </author> |
57 |
58 <author fullname="Julien Bournelle" initials="J." surname="Bournelle"> |
59 <organization abbrev="Orange Labs">Orange Labs</organization> |
60 |
61 <address> |
62 <postal> |
63 <street>38-40 rue du general Leclerc</street> |
64 |
65 <city>Issy-Les-Moulineaux</city> |
66 |
67 <code>92794</code> |
68 |
69 <country>France</country> |
70 </postal> |
71 |
72 <email>julien.bournelle@orange-ftgroup.com</email> |
73 </address> |
74 </author> |
75 |
76 <author fullname="Lionel Morand" initials="L." surname="Morand"> |
77 <organization abbrev="Orange Labs">Orange Labs</organization> |
78 |
79 <address> |
80 <postal> |
81 <street>38-40 rue du general Leclerc</street> |
82 |
83 <city>Issy-Les-Moulineaux</city> |
84 |
85 <code>92794</code> |
86 |
87 <country>France</country> |
88 </postal> |
89 |
90 <email>lionel.morand@orange-ftgroup.com</email> |
91 </address> |
92 </author> |
93 |
94 <author fullname="Sebastien Decugis" initials="S." role="editor" |
95 surname="Decugis"> |
96 <organization abbrev="NICT">NICT</organization> |
97 |
98 <address> |
99 <postal> |
100 <street>4-2-1 Nukui-Kitamachi</street> |
101 |
102 <city>Tokyo</city> |
103 |
104 <code>184-8795</code> |
105 |
106 <country>Koganei, Japan</country> |
107 </postal> |
108 |
109 <email>sdecugis@nict.go.jp</email> |
110 </address> |
111 </author> |
112 |
113 <author fullname="Qin Wu" initials="Q." surname="Wu"> |
114 <organization abbrev="Huawei">Huawei Technologies Co., |
115 Ltd</organization> |
116 |
117 <address> |
118 <postal> |
119 <street>Site B, Floor 12F, Huihong Mansion, No.91 Baixia |
120 Rd.</street> |
121 |
122 <city>Nanjing</city> |
123 |
124 <code>210001</code> |
125 |
126 <country>China</country> |
127 </postal> |
128 |
129 <email>sunseawq@huawei.com</email> |
130 </address> |
131 </author> |
132 |
133 <date year="2009" /> |
134 |
135 <area>Operations &amp; Management</area> |
136 |
137 <workgroup>Diameter Maintenance and Extensions (DIME)</workgroup> |
138 |
139 <keyword>Internet-Draft</keyword> |
140 |
141 <keyword>EAP</keyword> |
142 |
143 <keyword>Diameter</keyword> |
144 |
145 <keyword>Re-authentication</keyword> |
146 |
147 <keyword>inter-authenticator roaming</keyword> |
148 |
149 <abstract> |
150 <t>EAP Re-authentication Protocol (ERP) defines extensions to the |
151 Extensible Authentication Protocol (EAP) to support efficient |
152 re-authentication between the EAP peer and an EAP re-authentication |
153 server through an EAP/ERP authenticator. This document specifies |
154 Diameter support for ERP. It defines a new Diameter ERP application to |
155 transport ERP messages between authenticator and ERP server, and a set |
156 of new AVPs that can be used to transport the cryptographic material |
157 needed by the ERP server.</t> |
158 </abstract> |
159 </front> |
160 |
161 <middle> |
162 <section anchor="Introduction" title="Introduction"> |
163 <t><xref target="RFC5296"></xref> defines the EAP Re-authentication |
164 Protocol (ERP). It consists of the following steps:<list style="numbers"> |
165 <t>Bootstrapping: a root key for re-authentication is derived from |
166 the Extended Master Session Key (EMSK) created during EAP |
167 authentication <xref target="RFC5295"></xref>. This root key is |
168 transported from the EAP server to the ER server.</t> |
169 |
170 <t>Re-authentication: a one-round-trip exchange between the peer and |
171 the ER server, resulting in mutual authentication. To accomplish the |
172 EAP re-authentication functionality, ERP defines two new EAP codes - |
173 EAP-Initiate and EAP-Finish.</t> |
174 </list></t> |
175 |
176 <t>This document defines how Diameter transports the ERP messages |
177 (Re-authentication step). For this purpose, we define a new Application |
178 Id for ERP, and re-use the Diameter EAP commands (DER/DEA).</t> |
179 |
180 <t>This document also discusses the distribution of the root key |
181 (bootstrapping step), either during the initial EAP authentication |
182 (implicit bootstrapping) or during the first ERP exchange (explicit |
183 bootstrapping). Security considerations for this key distribution are |
184 detailed in <xref target="RFC5295"></xref>.</t> |
185 </section> |
186 |
187 <section title="Terminology"> |
188 <t>This document uses terminology defined in <xref |
189 target="RFC3748"></xref>, <xref target="RFC5295"></xref>, <xref |
190 target="RFC5296"></xref>, and <xref target="RFC4072"></xref>.</t> |
191 |
192 <t>"Root key" (RK) or "bootstrapping material" refer to the rRK or rDSRK |
193 derived from an EMSK, depending on the location of the ER server in home |
194 or foreign domain.</t> |
195 |
196 <t>We note in this document ERP/DER a Diameter-EAP-Request command with |
197 the Application Id set to Diameter ERP application. On the same model, |
198 we use ERP/DEA, EAP/DER and EAP/DEA.</t> |
199 |
200 <section title="Requirements Language"> |
201 <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", |
202 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this |
203 document are to be interpreted as described in <xref |
204 target="RFC2119"></xref>.</t> |
205 </section> |
206 </section> |
207 |
208 <section title="Assumptions"> |
209 <t>This document makes the following assumptions.</t> |
210 |
211 <t>The Home EAP server of a peer that wants to use ERP is extended to |
212 support:<list> |
213 <t>Cryptographic operations needed to derive the ERP root key from |
214 the EMSK. By deriving the ERP root key for a specific domain, the |
215 home EAP server implicitly authorizes the use of ERP within this |
216 domain.</t> |
217 |
218 <t>Diameter operations to include this root key inside an |
219 appropriate AVP as defined in this document, in an answer message |
220 corresponding to a request that contained a request for this |
221 material (AVP for the request also defined in this document).</t> |
222 |
223 <t>(recommended) Ability to answer a DER message with EAP-Payload |
224 containing an explicit bootstrapping ERP message.</t> |
225 </list></t> |
226 |
227 <t>The Authenticator (NAS) is extended to support:<list> |
228 <t>Allow the new ERP command codes (EAP-Initiate and EAP-Finish) in |
229 its EAP pass-through mode.</t> |
230 |
231 <t>(optional) Send the EAP-Initiate/Re-Auth-Start message</t> |
232 |
233 <t>(optional) Provide the local domain name via lower layer specific |
234 mechanism or via TLV in the EAP-Initiate/Re-Auth-Start message.</t> |
235 |
236 <t>Encapsulate ERP message and receive corresponding Diameter |
237 answer, as described in this document.</t> |
238 </list></t> |
239 |
240 <t>If one of the components does not match these assumptions, the ERP |
241 mechanism will fail. In such a situation, a full EAP authentication may be |
242 attempted as a fallback mechanism.</t> |
243 |
244 <t>We consider at most one logical ER server entity in a domain. If |
245 several physical servers are deployed for robustness, a replication |
246 mechanism must be deployed to synchronize the ERP states (root keys, |
247 <cref>FFS: authorization attributes</cref>) between these servers. This |
248 replication mechanism is out of the scope of this document. If several |
249 ER servers are deployed in the domain, we assume that they can be used |
250 interchangeably.</t> |
251 </section> |
252 |
253 <section anchor="Overview" title="Protocol Overview"> |
254 <t>The following figure shows the components involved in ERP, and their |
255 interactions.</t> |
256 |
257 <figure title="Figure. Diameter ERP overview."> |
258 <artwork><![CDATA[ |
259 Diameter +--------+ |
260 +-------------+ ERP +-----------+ (*) | Home | |
261 Peer <->|Authenticator|<=======>| ER server | <---> | EAP | |
262 +-------------+ +-----------+ | server | |
263 +--------+ |
264 (*) Diameter EAP application, |
265 explicit bootstrapping scenario only.]]></artwork> |
266 </figure> |
267 |
268 <t>The ER server is located either in the home domain (same as EAP |
269 server) or in the visited domain (same as authenticator, when it differs |
270 from the home domain). <cref>Can the ER server be located in a third |
271 domain (ex: broker's) according to ERP mechanism?</cref></t> |
272 |
273 <t>When the peer initiates an ERP exchange, the authenticator creates a |
274 Diameter-EAP-Request message, as described in Diameter EAP application |
275 <xref target="RFC4072"></xref>. The Application Id of the message is set |
276 to Diameter ERP application (code: <cref>TBD IANA</cref>) in the |
277 message. The exact processing to generate the ERP/DER message is |
278 detailed in section <xref target="Re-authentication"></xref>.</t> |
279 |
280 <t>If there is an ER server in the same domain as the authenticator |
281 (local domain), Diameter routing MUST <cref>SHOULD ? FFS...</cref> be |
282 configured so that this ERP/DER message reaches this server, even if the |
283 Destination-Realm is not the local domain.</t> |
284 |
285 <t>If there is no local ER server, the message is routed according to |
286 its Destination-Realm AVP content, extracted from the realm component of |
287 the keyName-NAI attribute. As specified in <xref |
288 target="RFC5296"></xref>, this realm is the home domain of the peer in |
289 case of bootstrapping exchange ('B' flag is set in ERP message) or the |
290 domain of the bootstrapped ER server otherwise <cref>This actually might |
291 allow the ER server to be in a third party realm</cref>.</t> |
292 |
293 <t>If no ER server is available in the home domain either, the ERP/DER |
294 message cannot be delivered, and an error DIAMETER_UNABLE_TO_DELIVER is |
295 generated as specified in <xref target="RFC3588"></xref> and returned to |
296 the authenticator. The authenticator may cache this information (with |
297 limited duration) to avoid further attempts for ERP with this realm. It |
298 may also fallback to full EAP authentication to authenticate the |
299 peer.</t> |
300 |
301 <t>When an ER server receives the ERP/DER message, it searches its local |
302 database for a root key <cref>and authorization state ?</cref> matching |
303 the keyName part of the User-Name AVP. If such key is found, the ER |
304 server processes the ERP message as described in <xref |
305 target="RFC5296"></xref> then creates the ERP/DEA answer as described in |
306 <xref target="Re-authentication"></xref>. The rMSK is included in this |
307 answer. Since the rMSK is keying material, its delivery from the ER server to the authenticator relies on the security of the Diameter connections carrying the ERP/DEA, as for the EAP-Master-Session-Key AVP in <xref target="RFC4072"></xref>.</t> |
308 |
309 <t>Finally, the authenticator extracts the rMSK from the ERP/DEA as |
310 described in <xref target="RFC5296"></xref>, and forwards the content of |
311 the EAP-Payload AVP, the EAP-Finish/Re-Auth message, to the peer.</t> |
312 |
313 <t>If the EAP-Initiate/Re-Auth message has its 'B' flag set |
314 (Bootstrapping exchange), the ER server should not possess the root key |
315 in its local database <cref>This may not be true in future RFC5296bis |
316 ?</cref>. In this case, the ER server acts as a proxy, and forwards the |
317 message to the home EAP server after changing its Application Id to |
318 Diameter EAP and adding an AVP to request the root key. See section |
319 <xref target="Bootstrapping"></xref> for more detail on this |
320 process.</t> |
321 </section> |
322 |
323 <section anchor="Bootstrapping" title="Bootstrapping the ER server"> |
324 <t>The bootstrapping process involves the home EAP server and the ER |
325 server, but also impacts the peer and the authenticator. In ERP, the |
326 peer must derive the same keying material as the ER server. To achieve |
327 this, it must learn the domain name of the ER server. How this |
328 information is acquired is outside the scope of this specification, but |
329 it may require that the authenticator be configured to advertise this |
330 domain name, especially in the case of re-authentication after a |
331 handover.</t> |
332 |
333 <t>The bootstrapping of an ER server with a given root key happens |
334 either during the initial EAP authentication of the peer when the EMSK |
335 -- from which the root key is derived -- is created, during the first |
336 re-authentication, or sometime between those events. We only consider |
337 the first two possibilities in this specification, in the following |
338 subsections.</t> |
339 |
340 <section title="Bootstrapping during initial EAP authentication"> |
341 <t>Bootstrapping the ER server during the initial EAP authentication |
342 (also known as implicit bootstrapping) offers the advantage that the |
343 server is immediately available for re-authentication of the peer, thus |
344 minimizing the re-authentication delay. On the other hand, it is |
345 possible that only a small number of peers will use re-authentication |
346 in the visited domain. Deriving and caching key material for all the |
347 peers (for example, for the peers that do not support ERP) is a waste |
348 of resources and SHOULD be avoided.</t> |
349 |
350 <t>To achieve implicit bootstrapping, the ER server must act as a |
351 Diameter EAP Proxy as defined in Diameter Base Protocol <xref |
352 target="RFC3588"></xref>, and routing must be configured so that |
353 Diameter messages of a full EAP authentication are routed through this |
354 proxy. The figure below captures this mechanism.</t> |
355 |
356 <figure title="Figure. ERP bootstrapping during full EAP authentication"> |
357 <artwork><![CDATA[ |
358 ER server & |
359 Authenticator EAP Proxy Home EAP server |
360 ============= =========== =============== |
361 -------------------------> |
362 Diameter EAP/DER |
363 (EAP-Response) |
364 -------------------------> |
365 Diameter EAP/DER |
366 (EAP-Response) |
367 (ERP-RK-Request) |
368 |
369 <==================================================> |
370 Multi-round Diameter EAP exchanges, unmodified |
371 |
372 <------------------------- |
373 Diameter EAP/DEA |
374 (EAP-Success) |
375 (MSK) |
376 (ERP-RK-Answer) |
377 <------------------------- |
378 Diameter EAP/DEA |
379 (EAP-Success) |
380 (MSK) |
381 [ERP-Realm] |
382 ]]></artwork> |
383 </figure> |
384 |
385 <t>The ER server proxies the first DER of the full EAP authentication |
386 and adds the ERP-RK-Request AVP inside, if this AVP is not already in |
387 the message (which might happen if there are ER servers in the visited |
388 and the home domains), then forwards the request.</t> |
389 |
390 <t>If the EAP server does not support ERP extensions, it will simply |
391 ignore this grouped AVP and continue as specified in <xref |
392 target="RFC4072"></xref>. If the server supports the ERP extensions, |
393 it caches the ERP-Realm value with the session, and continues the EAP |
394 authentication. When the authentication is complete, if it is |
395 successful and the EAP method generated an EMSK, the server MUST |
396 compute the rRK or rDSRK (depending on the value of ERP-Realm) as |
397 specified in <xref target="RFC5296"></xref>, and add an ERP-RK-Answer |
398 AVP in the Diameter-EAP-Request message, in addition to the MSK and |
399 EAP-Success payloads.</t> |
400 |
401 <t>When the ER server proxies a Diameter-EAP-Answer message with a |
402 Session-Id corresponding to a message to which it added an |
403 ERP-RK-Answer, and the Result-Code is DIAMETER_SUCCESS, it MUST |
404 examine the message, extract and remove any ERP-RK-Answer AVP from the |
405 message, and save its content. If the message does not contain an |
406 ERP-RK-Answer AVP, the ER server MAY save this information to avoid |
407 possible subsequent re-authentication attempts for this session. In |
408 any case, the information stored SHOULD NOT have a lifetime greater |
409 than the EMSK lifetime <cref>how does the ER server knows the EMSK |
410 lifetime, if there is no ERP-RK-Answer? What is the lifetime of the |
411 MSK for example?</cref></t> |
412 |
413 <t>If the ER server is successfully bootstrapped, it MAY also add the |
414 ERP-Realm AVP after removing the ERP-RK-Answer AVP in the EAP/DEA |
415 message. This could be used by the authenticator to notify the peer |
416 that ERP is bootstrapped, with the ER domain information. How this |
417 information can be transmitted to the peer is outside the scope of |
418 this document. <cref>Is it possible? It would be useful...</cref></t> |
419 </section> |
420 |
421 <section title="Bootstrapping during first re-authentication"> |
422 <t>Bootstrapping the ER server during the first re-authentication |
423 (also known as explicit bootstrapping) offers several advantages: it |
424 saves resources, since we generate and cache only the root keys that we |
425 actually need, and it can accommodate inter-domain handovers or ER |
426 servers that lose their state (for example after reboot) <cref>This |
427 last point might not be true currently, since the peer would not issue |
428 a bootstrapping exchange... But this might change also with RFC5296bis |
429 AFAIU</cref>. On the other hand, the first re-authentication with the |
430 ER server requires a one-round-trip exchange with the home EAP server, |
431 which adds some delay to the process (but it is more efficient than a |
432 full EAP authentication in any case). It also requires some |
433 synchronization between the peer and the visited domain: since the ERP |
434 message is different<cref>and the root key used also ?</cref> for |
435 explicit bootstrapping exchange and for normal re-authentication, |
436 explicit bootstrapping should not be used if implicit bootstrapping |
437 was already performed.</t> |
438 |
439 <t><cref>What should we do if the ER server receives an explicit |
440 bootstrapping request but already possesses the rDSRK? Can it answer |
441 without going to the home server? That would be simpler -- planned in |
442 rfc5296bis ?</cref></t> |
443 |
444 <t>The ER server receives the ERP/DER message containing the |
445 EAP-Initiate/Re-Auth message with the 'B' flag set. It proxies this |
446 message, and does the following processing in addition to standard proxy |
447 operations:<list> |
448 <t>Change the Application Id in the header of the message to |
449 Diameter EAP Application (code 5). <cref>What about the |
450 Application-Auth-Id AVP?</cref></t> |
451 |
452 <t>Add the ERP-RK-Request AVP, which contains the name of the |
453 domain where the ER server is located.</t> |
454 |
455 <t><cref>Add the Destination-Host to reach the appropriate EAP |
456 server, the one with the EMSK. How does the ER server know this |
457 information ?</cref></t> |
458 </list>Then the server forwards the EAP/DER request, which is routed |
459 to the home EAP server.</t> |
460 |
461 <t>If the home EAP server does not support ERP extensions, it replies |
462 with an error since the encapsulated EAP-Initiate/Re-auth command is |
463 not understood. Otherwise, it processes the ERP request as described |
464 in <xref target="RFC5296"></xref>. In particular, it includes the |
465 Domain-Name TLV attribute with the content from the ERP-Realm AVP. It |
466 creates the EAP/DEA reply message following standard processing from |
467 <xref target="RFC4072"></xref> (in particular EAP-Master-Session-Key |
468 AVP is used to transport the rMSK), and includes the ERP-RK-Answer |
469 AVP. <cref>What about authorization AVPs ?</cref></t> |
470 |
471 <t>The ER server receives this EAP/DEA and proxies it as follow, in |
472 addition to standard proxy operations:<list> |
473 <t>Set the Application Id back to Diameter ERP (code <cref>TBD |
474 IANA</cref>)</t> |
475 |
476 <t>Extract and cache the content of the ERP-RK-Answer. <cref>And |
477 authorization AVPs ?</cref></t> |
478 </list>The DEA is then forwarded to the authenticator, which can use |
479 the rMSK as described in <xref target="RFC5296"></xref>.</t> |
480 |
481 <t>The figure below captures this proxy behavior:</t> |
482 |
483 <figure title="Figure. ERP explicit bootstrapping message flow"> |
484 <artwork><![CDATA[ |
485 Authenticator ER server Home EAP server |
486 ============= ========= =============== |
487 -----------------------> |
488 Diameter ERP/DER |
489 (EAP-Initiate) |
490 ------------------------> |
491 Diameter EAP/DER |
492 (EAP-Initiate) |
493 (ERP-RK-Request) |
494 |
495 <------------------------ |
496 Diameter EAP/DEA |
497 (EAP-Finish) |
498 (ERP-RK-Answer) |
499 (rMSK) |
500 <---------------------- |
501 Diameter ERP/DEA |
502 (EAP-Finish) |
503 (rMSK) |
504 ]]></artwork> |
505 </figure> |
506 </section> |
507 </section> |
508 |
509 <section anchor="Re-authentication" title="Re-Authentication"> |
510 <t>This section describes in detail a re-authentication exchange with a |
511 (bootstrapped) ER server. The following figure summarizes the |
512 re-authentication exchange.</t> |
513 |
514 <figure title="Figure. Diameter ERP exchange. "> |
515 <artwork><![CDATA[ |
516 ER server |
517 (bootstrapped) |
518 Peer Authenticator (local or home domain) |
519 ==== ============= ====================== |
520 [ <------------------------ ] |
521 [optional EAP-Initiate/Re-auth-start] |
522 |
523 -----------------------> |
524 EAP-Initiate/Re-auth |
525 ==================================> |
526 Diameter ERP, cmd code DER |
527 User-Name: Keyname-NAI |
528 EAP-Payload: EAP-Initiate/Re-auth |
529 |
530 <================================== |
531 Diameter ERP, cmd code DEA |
532 EAP-Payload: EAP-Finish/Re-auth |
533 EAP-Master-Session-Key: rMSK |
534 <---------------------- |
535 EAP-Finish/Re-auth |
536 ]]></artwork> |
537 </figure> |
538 |
539 <t>In ERP, the peer sends an EAP-Initiate/Re-auth message to the ER |
540 server via the authenticator. Alternatively, the NAS may send an |
541 EAP-Initiate/Re-auth-Start message to the peer to trigger the start of |
542 ERP. In this case, the peer responds with an EAP-Initiate/Re-auth |
543 message to the NAS.</t> |
544 |
545 <t>If the authenticator does not support ERP (pure <xref |
546 target="RFC4072"></xref> support), it discards the EAP packets with |
547 unknown ERP-specific code (EAP-Initiate). The peer may fall back to full |
548 EAP authentication in that case.</t> |
549 |
550 <t>When the authenticator receives an EAP-Initiate/Re-auth message from |
551 the peer, it processes it as described in <xref target="RFC5296"></xref> with |
552 regards to the EAP state machine. It creates a Diameter EAP Request |
553 message following the general process of <xref target="RFC4072">Diameter |
554 EAP</xref>, with the following differences:<list> |
555 <t>The Application Id in the header is set to Diameter ERP (code |
556 <cref>TBD IANA</cref>).</t> |
557 |
558 <t>The value in Auth-Application-Id AVP is also set to Diameter ERP |
559 Application.</t> |
560 |
561 <t>The keyName-NAI attribute from ERP message is used to create the |
562 content of the User-Name AVP and Destination-Realm AVP. The realm part of the keyName-NAI is supplied by the peer and is not verified by the authenticator, which only uses it to route the request.</t> |
563 |
564 <t><cref>FFS: What about Session-ID AVP -- in case of re-auth at the |
565 same place, and in case of handover?</cref></t> |
566 |
567 <t>The Auth-Request-Type AVP content is set to <cref>FFS -- Do we |
568 really do authorization with Diameter ERP ? -- need to pass the |
569 authorization attrs to the ER server in that case. Idea FFS: we do |
570 authorization only for explicit bootstrapping |
571 exchanges...</cref>.</t> |
572 |
573 <t>The EAP-Payload AVP contains the ERP message, |
574 EAP-Initiate/Re-Auth.</t> |
575 </list>Then this ERP/DER message is sent as described in <xref |
576 target="Overview"></xref>.</t> |
577 |
578 <t>The ER server receives and processes this request as described in |
579 <xref target="Overview"></xref>. It then creates a Diameter answer |
580 ERP/DEA, following the general processing described in <xref |
581 target="RFC4072"></xref>, with the following differences:<list> |
582 <t>The Application Id in the header is set to Diameter ERP (code |
583 <cref>TBD IANA</cref>).</t> |
584 |
585 <t>The value in Auth-Application-Id AVP is also set to Diameter ERP |
586 Application.</t> |
587 |
588 <t>The Result-Code AVP is set to <cref>version -00 stated a SHOULD |
589 here, not sure why ?</cref> an error value in case ERP |
590 authentication fails, or to DIAMETER_SUCCESS if ERP is |
591 successful.</t> |
592 |
593 <t>The EAP-Payload AVP contains the ERP message, |
594 EAP-Finish/Re-auth.</t> |
595 |
596 <t>In case of successful authentication, the EAP-Master-Session-Key |
597 AVP contains the Re-authentication Master Session Key (rMSK) derived |
598 by ERP. As for any EAP-Master-Session-Key AVP, this key material is visible to every Diameter node on the path and relies on the transport security (TLS or IPsec) between each pair of Diameter nodes for confidentiality.</t> |
599 |
600 <t><cref>What about all the authorization attributes? If we want to |
601 include them, they have to be present on the ER server...</cref></t> |
602 </list></t> |
603 |
604 <t>When the authenticator receives this ERP/DEA answer, it processes it |
605 as described in <xref target="RFC4072">Diameter EAP</xref> and <xref |
606 target="RFC5296"></xref>: the content of the EAP-Payload AVP is |
607 forwarded to the peer, and the content of EAP-Master-Session-Key AVP is |
608 used as the shared secret for the Secure Association Protocol.</t> |
609 </section> |
610 |
611 <section anchor="ApplicationId" title="Application Id"> |
612 <t>We define a new Diameter application in this document, Diameter ERP |
613 Application, with an Application Id value of <cref>TBD IANA</cref>. |
614 Diameter nodes conforming to this specification in the role of ER server |
615 MUST advertise support by including an Auth-Application-Id AVP with a |
616 value of Diameter ERP Application in the |
617 Capabilities-Exchange-Request and Capabilities-Exchange-Answer commands, |
618 as described in <xref target="RFC3588"></xref>.</t> |
619 |
620 <t>The primary use of the Diameter ERP Application Id is to ensure |
621 proper routing of the messages, and that the nodes that advertise the |
622 support for this application understand the new AVPs defined in |
623 <xref target="AVPs"></xref>, although these AVPs have the 'M' |
624 flag cleared.</t> |
625 </section> |
626 |
627 <section anchor="AVPs" title="AVPs"> |
628 <t>This specification defines the following new AVPs. <cref>FFS: to |
629 align with draft-wu-dime-local-keytran-02 if it becomes a WG |
630 item</cref></t> |
631 |
632 <section title="ERP-RK-Request AVP"> |
633 <t>The ERP-RK-Request AVP (AVP Code <cref>TBD IANA</cref>) is of type |
634 grouped AVP. This AVP is used by the ER server to indicate its |
635 willingness to act as ER server for a particular session.</t> |
636 |
637 <t>This AVP has the M and V bits cleared.</t> |
638 |
639 <figure title="Figure. ERP-RK-Request ABNF"> |
640 <artwork><![CDATA[ |
641 ERP-RK-Request ::= < AVP Header: TBD > |
642 { ERP-Realm } |
643 * [ AVP ] |
644 ]]></artwork> |
645 </figure> |
646 </section> |
647 |
648 <section title="ERP-Realm AVP"> |
649 <t>The ERP-Realm AVP (AVP Code <cref>TBD IANA</cref>) is of type |
650 DiameterIdentity. It contains the name of the realm in which the ER |
651 server is located.</t> |
652 |
653 <t><cref>FFS: We may re-use Origin-Realm here instead? On the other |
654 hand, ERP-Realm may be useful if the ER server is not in a third-party |
655 realm, if this is possible.</cref></t> |
656 |
657 <t>This AVP has the M and V bits cleared.</t> |
658 </section> |
659 |
660 <section title="ERP-RK-Answer AVP"> |
661 <t>The ERP-RK-Answer AVP (AVP Code <cref>TBD IANA</cref>) is of type |
662 grouped AVP. It is used by the home EAP server to provide ERP root key |
663 material to the ER server.</t> |
664 |
665 <t>This AVP has the M and V bits cleared.</t> |
666 |
667 <figure title="Figure. ERP-RK-Answer ABNF"> |
668 <artwork><![CDATA[ |
669 ERP-RK-Answer ::= < AVP Header: TBD > |
670 { ERP-RK } |
671 { ERP-RK-Name } |
672 { ERP-RK-Lifetime } |
673 * [ AVP ] |
674 ]]></artwork> |
675 </figure> |
676 </section> |
677 |
678 <section title="ERP-RK AVP"> |
679 <t>The ERP-RK AVP (AVP Code <cref>TBD IANA</cref>) is of type |
680 OctetString. It contains the root key (either rRK or rDSRK) sent by |
681 the home EAP server to the ER server, in answer to request containing |
682 an ERP-RK-Request AVP. How this material is derived and used is |
683 specified in <xref target="RFC5296"></xref>, which also binds each key to a domain: the rRK is confined to the home domain, and an ER server in another domain receives only the rDSRK bound to that domain. Like EAP-Master-Session-Key, this AVP carries raw key material and depends on the transport security (TLS or IPsec) between each pair of Diameter nodes for confidentiality.</t> |
684 |
685 <t><cref>Can we re-use EAP-Master-Session-Key here instead? Must check |
686 the exact definition...</cref></t> |
687 |
688 <t>This AVP has the M and V bits cleared.</t> |
689 </section> |
690 |
691 <section title="ERP-RK-Name AVP"> |
692 <t>The ERP-RK-Name AVP (AVP Code <cref>TBD IANA</cref>) is of type |
693 OctetString. This AVP contains the EMSKname which identifies the |
694 keying material. How this name is derived is beyond the scope of this |
695 document and defined in <xref target="RFC5296"></xref>.</t> |
696 |
697 <t><cref>Can we re-use EAP-Key-Name here instead ?</cref></t> |
698 |
699 <t>This AVP has the M and V bits cleared.</t> |
700 </section> |
701 |
702 <section title="ERP-RK-Lifetime AVP"> |
703 <t>The ERP-RK-Lifetime AVP (AVP Code <cref>TBD IANA</cref>) is of type |
704 Unsigned32 <cref>do we really need 64 as in -00 ? 2^32 secs is already |
705 more than 100 years, which is too long for a key lifetime !</cref> and |
706 contains the remaining lifetime of the root key material, in seconds. It MUST |
707 NOT be greater than the remaining lifetime of the EMSK it is derived |
708 from. <cref>FFS: is it better to pass an absolute value here, for |
709 example expiration date? How to express it then (TZ, ...)? |
710 Synchronization problems?</cref></t> |
711 |
712 <t>This AVP has the M and V bits cleared.</t> |
713 </section> |
714 </section> |
715 |
716 <section anchor="Commands" title="Commands"> |
717 <t>We do not define any new command in this specification. We reuse the |
718 Diameter-EAP-Request and Diameter-EAP-Answer commands defined in <xref |
719 target="RFC4072"></xref>.</t> |
720 |
721 <t>Since the original ABNF of these commands allows other optional AVPs |
722 ("* [ AVP ]"), and the new AVPs defined in this specification do not |
723 have the 'M' flag set, the ABNF does not need any change. However, a |
724 Diameter node that advertises support for the Diameter ERP application |
725 MUST support the new AVPs defined in this specification.</t> |
726 |
727 <figure title="Figure. Command Codes"> |
728 <artwork><![CDATA[ |
729 Command-Name Abbrev. Code Reference Application |
730 --------------------------------------------------------- |
731 Diameter-EAP-Request DER 268 RFC 4072 Diameter ERP |
732 Diameter-EAP-Answer DEA 268 RFC 4072 Diameter ERP |
733 ]]></artwork> |
734 </figure> |
735 </section> |
736 |
737 <section anchor="Issues" title="Open issues"> |
738 <t>This document does not address some known issues in the Diameter ERP |
739 mechanism. The authors would like to hear ideas about how to address |
740 them.</t> |
741 |
742 <t>The main issue is the use of ERP for authentication after a handover |
743 of the peer to a new authenticator (or different authenticator port). |
744 Diameter ERP is not meant to be a mobility protocol. A number of issues |
745 appear when we try to do handover in Diameter ERP (alone): how to manage |
746 the Session-Id AVP; how does the ER server provide the Authorization |
747 AVPs; how does the peer learn the ERP domain of the new authenticator; |
748 how does the home server reach the peer, for example to terminate the |
749 session; and so on... Therefore, the management of the session for a |
750 mobile peer is not (yet) addressed in this document. It must be studied |
751 how Diameter ERP can, for example, be used in conjunction with a mobility |
752 application (Diameter MIP4, Diameter MIP6) to support the optimized |
753 re-authentication in such a situation.</t> |
754 |
755 <t>Another issue concerns the case where the home realm contains several |
756 EAP servers. In multi-round full EAP authentication, the |
757 Destination-Host AVP provides the solution to reach the same server |
758 across the exchanges. Only this server possesses the EMSK for the session. |
759 In case of explicit bootstrapping, the ER server must therefore be able |
760 to reach the correct server to request the DSRK. A solution might |
761 consist in saving the Origin-Host AVP of all successful EAP/DEA in the |
762 ER server, which is a bit similar to the implicit bootstrapping scenario |
763 described here -- except that we save the server name instead of the root key, |
764 and we must then be able to match the DSRK with the user name.</t> |
765 |
766 <t>Finally, this document currently lacks a description of what happens |
767 when a Re-Auth-Request is received for a peer on the authenticator.</t> |
768 </section> |
769 |
770 <section anchor="Acknowledgements" title="Acknowledgements"> |
771 <t>Hannes Tschofenig wrote the initial draft for this document and |
772 provided useful reviews.</t> |
773 |
774 <t>Vidya Narayanan reviewed a rough draft version of the document and |
775 found some errors.</t> |
776 |
777 <t>Glen Zorn actively participated in the discussions on the design for |
778 Diameter ERP, providing the point of view and experience from the HOKEY |
779 working group.</t> |
780 |
781 <t>Many thanks to these people!</t> |
782 </section> |
783 |
784 <section anchor="IANA" title="IANA Considerations"> |
785 <t>This document requires IANA registration of the following new |
786 elements in the <eref |
787 target="http://www.iana.org/assignments/aaa-parameters/">Authentication, |
788 Authorization, and Accounting (AAA) Parameters</eref> registries.</t> |
789 |
790 <section title="Diameter ERP application"> |
791 <t>This specification requires IANA to allocate a new value "Diameter |
792 ERP" in the "Application IDs" registry created in <xref |
793 target="RFC3588"></xref>.</t> |
794 |
795 <figure title="IANA consideration for Diameter ERP application"> |
796 <artwork><![CDATA[ |
797 Application Identifier | Value |
798 -----------------------------------+------ |
799 Diameter ERP | TBD |
800 ]]></artwork> |
801 </figure> |
802 </section> |
803 |
804 <section title="New AVPs"> |
805 <t>This specification requires IANA to allocate new values from the |
806 "AVP Codes" registry defined in <xref target="RFC3588"></xref> for the |
807 following AVPs:<list> |
808 <t>ERP-RK-Request</t> |
809 |
810 <t>ERP-Realm</t> |
811 |
812 <t>ERP-RK-Answer</t> |
813 |
814 <t>ERP-RK</t> |
815 |
816 <t>ERP-RK-Name</t> |
817 |
818 <t>ERP-RK-Lifetime</t> |
819 </list>These AVPs are defined in <xref |
820 target="AVPs"></xref>.</t> |
821 </section> |
822 </section> |
823 |
824 <section anchor="Security" title="Security Considerations"> |
825 <t>The security considerations from the following RFCs apply here: <xref |
826 target="RFC3588"></xref>, <xref target="RFC4072"></xref>, <xref |
827 target="RFC5247"></xref>, <xref target="RFC5295"></xref>, and <xref |
828 target="RFC5296"></xref>.</t> |
829 |
830 <t><cref>FFS: Do we really respect these security considerations with |
831 the mechanism we describe here? Is it safe to use ERP-RK-Request / |
832 Answer AVPs? What is the worst case?</cref></t> |
833 |
834 <t>EAP channel bindings may be necessary to ensure that the Diameter |
835 client and the server are in sync regarding the key Requesting Entity's |
836 Identity. Specifically, the Requesting Entity advertises its identity |
837 through the EAP lower layer, and the user or the EAP peer communicates |
838 that identity to the EAP server (and the EAP server communicates that |
839 identity to the Diameter server) via the EAP method for user/peer to |
840 server verification of the Requesting Entity's Identity.<cref>Editor: I |
841 really don't understand this paragraph ^^'...</cref></t> |
842 </section> |
843 </middle> |
844 |
845 <back> |
846 <references title="Normative References"> |
847 &RFC2119; |
848 |
849 &RFC3588; |
850 |
851 &RFC4072; |
852 |
853 &RFC5295; |
854 |
855 &RFC5296; |
856 |
857 &RFC3748; |
858 </references> |
859 |
860 <references title="Informative References"> |
861 &RFC4187; |
862 |
863 &RFC5247; |
864 |
865 &I-D.ietf-hokey-key-mgm; |
866 |
867 &I-D.ietf-dime-erp; |
868 |
869 &I-D.wu-dime-local-keytran; |
870 |
871 &I-D.ietf-dime-app-design-guide; |
872 </references> |
873 </back> |
874 </rfc> |