annotate draft-ietf-dime-erp-01.xml @ 37:a22fb485486b

Removed the 'Differences with previous version' section (Comment from Hannes)
author Sebastien Decugis <sdecugis@nict.go.jp>
date Fri, 28 Aug 2009 17:53:44 +0900
parents a127a7d7850d
children 45f0d51961cf
1 <?xml version="1.0" encoding="US-ASCII"?>
2 <!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
3 <!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
4 <!ENTITY RFC3748 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3748.xml">
5 <!ENTITY RFC3588 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3588.xml">
6 <!ENTITY RFC4072 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4072.xml">
7 <!ENTITY RFC4187 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4187.xml">
8 <!ENTITY RFC5247 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5247.xml">
9 <!ENTITY RFC5295 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5295.xml">
10 <!ENTITY RFC5296 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5296.xml">
11 <!ENTITY I-D.ietf-hokey-key-mgm SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-hokey-key-mgm-06.xml">
12 <!ENTITY I-D.ietf-dime-app-design-guide SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-dime-app-design-guide-08.xml">
13 <!ENTITY I-D.gaonkar-radext-erp-attrs SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-gaonkar-radext-erp-attrs-03.xml">
14 <!ENTITY I-D.ietf-dime-erp SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-dime-erp-00.xml">
15 <!ENTITY I-D.wu-dime-local-keytran SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-wu-dime-local-keytran-00.xml">
16 <!ENTITY nbsp "&#160;">
17 ]>
18 <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
19 <?rfc strict="yes"?>
20 <?rfc comments="no"?>
21 <?rfc inline="yes"?>
22 <?rfc editing="no"?>
23 <?rfc toc="yes"?>
24 <?rfc tocompact="yes"?>
25 <?rfc tocdepth="3"?>
26 <?rfc symrefs="yes"?>
27 <?rfc sortrefs="yes"?>
28 <?rfc compact="yes"?>
29 <?rfc subcompact="no"?>
30 <?rfc rfcedstyle="yes"?>
31 <?rfc rfcprocack="no"?>
32 <?rfc tocindent="yes"?>
33 <rfc category="std" docName="draft-ietf-dime-erp-01.txt" ipr="trust200902">
34 <front>
35 <title abbrev="Diameter support for ERP">Diameter support for EAP
36 Re-authentication Protocol (ERP)</title>
37
38 <author fullname="Lakshminath Dondeti" initials="L" surname="Dondeti">
39 <organization>QUALCOMM, Inc.</organization>
40
41 <address>
42 <postal>
43 <street>5775 Morehouse Dr</street>
44
45 <city>San Diego</city>
46
47 <region>CA</region>
48
49 <country>USA</country>
50 </postal>
51
52 <phone>+1 858-845-1267</phone>
53
54 <email>ldondeti@qualcomm.com</email>
55 </address>
56 </author>
57
58 <author fullname="Julien Bournelle" initials="J." surname="Bournelle">
59 <organization abbrev="Orange Labs">Orange Labs</organization>
60
61 <address>
62 <postal>
63 <street>38-40 rue du general Leclerc</street>
64
65 <city>Issy-Les-Moulineaux</city>
66
67 <code>92794</code>
68
69 <country>France</country>
70 </postal>
71
72 <email>julien.bournelle@orange-ftgroup.com</email>
73 </address>
74 </author>
75
76 <author fullname="Lionel Morand" initials="L." surname="Morand">
77 <organization abbrev="Orange Labs">Orange Labs</organization>
78
79 <address>
80 <postal>
81 <street>38-40 rue du general Leclerc</street>
82
83 <city>Issy-Les-Moulineaux</city>
84
85 <code>92794</code>
86
87 <country>France</country>
88 </postal>
89
90 <email>lionel.morand@orange-ftgroup.com</email>
91 </address>
92 </author>
93
94 <author fullname="Sebastien Decugis" initials="S." role="editor"
95 surname="Decugis">
96 <organization abbrev="NICT">NICT</organization>
97
98 <address>
99 <postal>
100 <street>4-2-1 Nukui-Kitamachi</street>
101
102 <city>Tokyo</city>
103
104 <code>184-8795</code>
105
106 <country>Koganei, Japan</country>
107 </postal>
108
109 <email>sdecugis@nict.go.jp</email>
110 </address>
111 </author>
112
113 <author fullname="Qin Wu" initials="Q." surname="Wu">
114 <organization abbrev="Huawei">Huawei Technologies Co.,
115 Ltd</organization>
116
117 <address>
118 <postal>
119 <street>Site B, Floor 12F, Huihong Mansion, No.91 Baixia
120 Rd.</street>
121
122 <city>Nanjing</city>
123
124 <code>210001</code>
125
126 <country>China</country>
127 </postal>
128
129 <email>sunseawq@huawei.com</email>
130 </address>
131 </author>
132
133 <date year="2009" />
134
135 <area>Operations &amp; Management</area>
136
137 <workgroup>Diameter Maintenance and Extensions (DIME)</workgroup>
138
139 <keyword>Internet-Draft</keyword>
140
141 <keyword>EAP</keyword>
142
143 <keyword>Diameter</keyword>
144
145 <keyword>Re-authentication</keyword>
146
147 <keyword>inter-authenticator roaming</keyword>
148
149 <abstract>
150 <t>EAP Re-authentication Protocol (ERP) defines extensions to the
151 Extensible Authentication Protocol (EAP) to support efficient
152 re-authentication between the EAP peer and an EAP re-authentication
153 server through an EAP/ERP authenticator. This document specifies
154 Diameter support for ERP. It defines a new Diameter ERP application to
155 transport ERP messages between authenticator and ERP server, and a set
156 of new AVPs that can be used to transport the cryptographic material
157 needed by the ERP server.</t>
158 </abstract>
159 </front>
160
161 <middle>
162 <section anchor="Introduction" title="Introduction">
163 <t><xref target="RFC5296"></xref> defines the EAP Re-authentication
164 Protocol (ERP). It consists of the following steps:<list style="numbers">
165 <t>Bootstrapping: a root key for re-authentication is derived from
166 the Extended Master Session Key (EMSK) created during EAP
167 authentication <xref target="RFC5295"></xref>. This root key is
168 transported from the EAP server to the ER server.</t>
169
170 <t>Re-authentication: a one-round-trip exchange between the peer and
171 the ER server, resulting in mutual authentication. To accomplish the
172 EAP re-authentication functionality, ERP defines two new EAP codes -
173 EAP-Initiate and EAP-Finish.</t>
174 </list></t>
175
176 <t>This document defines how Diameter transports the ERP messages
177 (Re-authentication step). For this purpose, we define a new Application
178 Id for ERP, and re-use the Diameter EAP commands (DER/DEA).</t>
179
180 <t>This document also discusses the distribution of the root key
181 (bootstrapping step), either during the initial EAP authentication
182 (implicit bootstrapping) or during the first ERP exchange (explicit
183 bootstrapping). Security considerations for this key distribution are
184 detailed in <xref target="RFC5295"></xref>.</t>
185 </section>
186
187 <section title="Terminology">
188 <t>This document uses terminology defined in <xref
189 target="RFC3748"></xref>, <xref target="RFC5295"></xref>, <xref
190 target="RFC5296"></xref>, and <xref target="RFC4072"></xref>.</t>
191
192 <t>"Root key" (RK) or "bootstrapping material" refer to the rRK or rDSRK
193 derived from an EMSK, depending on the location of the ER server in home
194 or foreign domain.</t>
195
196 <t>In this document, we denote by ERP/DER a Diameter-EAP-Request command with
197 the Application Id set to Diameter ERP application. On the same model,
198 we use ERP/DEA, EAP/DER and EAP/DEA.</t>
199
200 <section title="Requirements Language">
201 <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
202 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
203 document are to be interpreted as described in <xref
204 target="RFC2119"></xref>.</t>
205 </section>
206 </section>
207
208 <section title="Assumptions">
209 <t>This document makes the following assumptions.</t>
210
211 <t>The Home EAP server of a peer that wants to use ERP is extended to
212 support:<list>
213 <t>Cryptographic operations needed to derive the ERP root key from
214 the EMSK. By deriving the ERP root key for a specific domain, the
215 home EAP server implicitly authorizes the use of ERP within this
216 domain.</t>
217
218 <t>Diameter operations to include this root key inside an
219 appropriate AVP as defined in this document, in an answer message
220 corresponding to a request that contained a request for this
221 material (AVP for the request also defined in this document).</t>
222
223 <t>(recommended) Ability to answer a DER message with EAP-Payload
224 containing an explicit bootstrapping ERP message.</t>
225 </list></t>
226
227 <t>The Authenticator (NAS) is extended to support:<list>
228 <t>Allow the new ERP command codes (EAP-Initiate and EAP-Finish) in
229 its EAP pass-through mode.</t>
230
231 <t>(optional) Send the EAP-Initiate/Re-Auth-Start message</t>
232
233 <t>(optional) Provide the local domain name via lower layer specific
234 mechanism or via TLV in the EAP-Initiate/Re-Auth-Start message.</t>
235
236 <t>Encapsulate ERP message and receive corresponding Diameter
237 answer, as described in this document.</t>
238 </list></t>
239
240 <t>If one of the components does not match these assumptions, the ERP
241 mechanism will fail. In such a situation, a full EAP authentication may be
242 attempted as a fallback mechanism.</t>
243
244 <t>We consider at most one logical ER server entity in a domain. If
245 several physical servers are deployed for robustness, a replication
246 mechanism must be deployed to synchronize the ERP states (root keys,
247 <cref>FFS: authorization attributes</cref> ) between these servers. This
248 replication mechanism is out of the scope of this document. If several
249 ER servers are deployed in the domain, we assume that they can be used
250 interchangeably.</t>
251 </section>
252
253 <section anchor="Overview" title="Protocol Overview">
254 <t>The following figure shows the components involved in ERP, and their
255 interactions.</t>
256
257 <figure title="Figure. Diameter ERP overview.">
258 <artwork><![CDATA[
259 Diameter +--------+
260 +-------------+ ERP +-----------+ (*) | Home |
261 Peer <->|Authenticator|<=======>| ER server | <---> | EAP |
262 +-------------+ +-----------+ | server |
263 +--------+
264 (*) Diameter EAP application,
265 explicit bootstrapping scenario only.]]></artwork>
266 </figure>
267
268 <t>The ER server is located either in the home domain (same as EAP
269 server) or in the visited domain (same as authenticator, when it differs
270 from the home domain). <cref>Can the ER server be located in a third
271 domain (ex: broker's) according to ERP mechanism?</cref></t>
272
273 <t>When the peer initiates an ERP exchange, the authenticator creates a
274 Diameter-EAP-Request message, as described in Diameter EAP application
275 <xref target="RFC4072"></xref>. The Application Id of the message is set
276 to Diameter ERP application (code: <cref>TBD IANA</cref>) in the
277 message. The exact processing to generate the ERP/DER message is
278 detailed in section <xref target="Re-authentication"></xref>.</t>
279
280 <t>If there is an ER server in the same domain as the authenticator
281 (local domain), Diameter routing MUST <cref>SHOULD ? FFS...</cref> be
282 configured so that this ERP/DER message reaches this server, even if the
283 Destination-Realm is not the local domain.</t>
284
285 <t>If there is no local ER server, the message is routed according to
286 its Destination-Realm AVP content, extracted from the realm component of
287 the keyName-NAI attribute. As specified in <xref
288 target="RFC5296"></xref>, this realm is the home domain of the peer in
289 case of bootstrapping exchange ('B' flag is set in ERP message) or the
290 domain of the bootstrapped ER server otherwise <cref>This actually might
291 allow the ER server to be in a third party realm</cref>.</t>
292
293 <t>If no ER server is available in the home domain either, the ERP/DER
294 message cannot be delivered, and an error DIAMETER_UNABLE_TO_DELIVER is
295 generated as specified in <xref target="RFC3588"></xref> and returned to
296 the authenticator. The authenticator may cache this information (with
297 limited duration) to avoid further attempts for ERP with this realm. It
298 may also fallback to full EAP authentication to authenticate the
299 peer.</t>
300
301 <t>When an ER server receives the ERP/DER message, it searches its local
302 database for a root key <cref>and authorization state ?</cref> matching
303 the keyName part of the User-Name AVP. If such a key is found, the ER
304 server processes the ERP message as described in <xref
305 target="RFC5296"></xref> then creates the ERP/DEA answer as described in
306 <xref target="Re-authentication"></xref>. The rMSK is included in this
307 answer.</t>
308
309 <t>Finally, the authenticator extracts the rMSK from the ERP/DEA as
310 described in <xref target="RFC5296"></xref>, and forwards the content of
311 the EAP-Payload AVP, the EAP-Finish/Re-Auth message, to the peer.</t>
312
313 <t>If the EAP-Initiate/Re-Auth message has its 'B' flag set
314 (Bootstrapping exchange), the ER server should not possess the root key
315 in its local database <cref>This may not be true in future RFC5296bis
316 ?</cref>. In this case, the ER server acts as a proxy, and forwards the
317 message to the home EAP server after changing its Application Id to
318 Diameter EAP and adding an AVP to request the root key. See section
319 <xref target="Bootstrapping"></xref> for more detail on this
320 process.</t>
321 </section>
322
323 <section anchor="Bootstrapping" title="Bootstrapping the ER server">
324 <t>The bootstrapping process involves the home EAP server and the ER
325 server, but also impacts the peer and the authenticator. In ERP, the
326 peer must derive the same keying material as the ER server. To achieve
327 this, it must learn the domain name of the ER server. How this
328 information is acquired is outside the scope of this specification, but
329 it may involve the authenticator being configured to advertise this
330 domain name, especially in the case of re-authentication after a
331 handover.</t>
332
333 <t>The bootstrapping of an ER server with a given root key happens
334 either during the initial EAP authentication of the peer when the EMSK
335 -- from which the root key is derived -- is created, during the first
336 re-authentication, or sometime between those events. We only consider
337 the first two possibilities in this specification, in the following
338 subsections.</t>
339
340 <section title="Bootstrapping during initial EAP authentication">
341 <t>Bootstrapping the ER server during the initial EAP authentication
342 (also known as implicit bootstrapping) offers the advantage that the
343 server is immediately available for re-authentication of the peer, thus
344 minimizing the re-authentication delay. On the other hand, it is
345 possible that only a small number of peers will use re-authentication
346 in the visited domain. Deriving and caching key material for all the
347 peers (for example, for the peers that do not support ERP) is a waste
348 of resources and SHOULD be avoided.</t>
349
350 <t>To achieve implicit bootstrapping, the ER server must act as a
351 Diameter EAP Proxy as defined in Diameter Base Protocol <xref
352 target="RFC3588"></xref>, and routing must be configured so that
353 Diameter messages of a full EAP authentication are routed through this
354 proxy. The figure below captures this mechanism.</t>
355
356 <figure title="Figure. ERP bootstrapping during full EAP authentication">
357 <artwork><![CDATA[
358 ER server &
359 Authenticator EAP Proxy Home EAP server
360 ============= =========== ===============
361 ------------------------->
362 Diameter EAP/DER
363 (EAP-Response)
364 ------------------------->
365 Diameter EAP/DER
366 (EAP-Response)
367 (ERP-RK-Request)
368
369 <==================================================>
370 Multi-round Diameter EAP exchanges, unmodified
371
372 <-------------------------
373 Diameter EAP/DEA
374 (EAP-Success)
375 (MSK)
376 (ERP-RK-Answer)
377 <-------------------------
378 Diameter EAP/DEA
379 (EAP-Success)
380 (MSK)
381 [ERP-Realm]
382 ]]></artwork>
383 </figure>
384
385 <t>The ER server proxies the first DER of the full EAP authentication
386 and adds the ERP-RK-Request AVP inside, if this AVP is not already in
387 the message (which might happen if there are ER servers in the visited
388 and the home domains), then forwards the request.</t>
389
390 <t>If the EAP server does not support ERP extensions, it will simply
391 ignore this grouped AVP and continue as specified in <xref
392 target="RFC4072"></xref>. If the server supports the ERP extensions,
393 it caches the ERP-Realm value with the session, and continues the EAP
394 authentication. When the authentication is complete, if it is
395 successful and the EAP method generated an EMSK, the server MUST
396 compute the rRK or rDSRK (depending on the value of ERP-Realm) as
397 specified in <xref target="RFC5296"></xref>, and add an ERP-RK-Answer
398 AVP in the Diameter-EAP-Request message, in addition to the MSK and
399 EAP-Success payloads.</t>
400
401 <t>When the ER server proxies a Diameter-EAP-Answer message with a
402 Session-Id corresponding to a message to which it added an
403 ERP-RK-Answer, and the Result-Code is DIAMETER_SUCCESS, it MUST
404 examine the message, extract and remove any ERP-RK-Answer AVP from the
405 message, and save its content. If the message does not contain an
406 ERP-RK-Answer AVP, the ER server MAY save this information to avoid
407 possible subsequent re-authentication attempts for this session. In
408 any case, the information stored SHOULD NOT have a lifetime greater
409 than the EMSK lifetime <cref>how does the ER server know the EMSK
410 lifetime, if there is no ERP-RK-Answer? What is the lifetime of the
411 MSK for example?</cref></t>
412
413 <t>If the ER server is successfully bootstrapped, it MAY also add the
414 ERP-Realm AVP after removing the ERP-RK-Answer AVP in the EAP/DEA
415 message. This could be used by the authenticator to notify the peer
416 that ERP is bootstrapped, with the ER domain information. How this
417 information can be transmitted to the peer is outside the scope of
418 this document. <cref>Is it possible? It would be useful...</cref></t>
419 </section>
420
421 <section title="Bootstrapping during first re-authentication">
422 <t>Bootstrapping the ER server during the first re-authentication
423 (also known as explicit bootstrapping) offers several advantages: it
424 saves resources, since we generate and cache only the root key that we
425 actually need, and it can accommodate inter-domain handovers or ER
426 servers that lose their state (for example after reboot) <cref>This
427 last point might not be true currently, since the peer would not issue
428 a bootstrapping exchange... But this might change also with RFC5296bis
429 AFAIU</cref>. On the other hand, the first re-authentication with the
430 ER server requires a one-round-trip exchange with the home EAP server,
431 which adds some delay to the process (but it is more efficient than a
432 full EAP authentication in any case). It also requires some
433 synchronization between the peer and the visited domain: since the ERP
434 message is different <cref>and the root key used also ?</cref> for
435 explicit bootstrapping exchange and for normal re-authentication,
436 explicit bootstrapping should not be used if implicit bootstrapping
437 was already performed.</t>
438
439 <t><cref>What should we do if the ER server receives an explicit
440 bootstrapping request but already possesses the rDSRK? Can it answer
441 without going to the home server? That would be simpler -- planned in
442 rfc5296bis ?</cref></t>
443
444 <t>The ER server receives the ERP/DER message containing the
445 EAP-Initiate/Re-Auth message with the 'B' flag set. It proxies this
446 message, and does the following processing in addition to standard proxy
447 operations:<list>
448 <t>Change the Application Id in the header of the message to
449 Diameter EAP Application (code 5). <cref>What about the
450 Application-Auth-Id AVP?</cref></t>
451
452 <t>Add the ERP-RK-Request AVP, which contains the name of the
453 domain where the ER server is located.</t>
454
455 <t><cref>Add the Destination-Host to reach the appropriate EAP
456 server, the one with the EMSK. How does the ER server know this
457 information ?</cref></t>
458 </list>Then the server forwards the EAP/DER request, which is routed
459 to the home EAP server.</t>
460
461 <t>If the home EAP server does not support ERP extensions, it replies
462 with an error since the encapsulated EAP-Initiate/Re-auth command is
463 not understood. Otherwise, it processes the ERP request as described
464 in <xref target="RFC5296"></xref>. In particular, it includes the
465 Domain-Name TLV attribute with the content from the ERP-Realm AVP. It
466 creates the EAP/DEA reply message following standard processing from
467 <xref target="RFC4072"></xref> (in particular EAP-Master-Session-Key
468 AVP is used to transport the rMSK), and includes the ERP-RK-Answer
469 AVP. <cref>What about authorization AVPs ?</cref></t>
470
471 <t>The ER server receives this EAP/DEA and proxies it as follows, in
472 addition to standard proxy operations:<list>
473 <t>Set the Application Id back to Diameter ERP (code <cref>TBD
474 IANA</cref>)</t>
475
476 <t>Extract and cache the content of the ERP-RK-Answer, and remove it from the message so that the root key is not forwarded to the authenticator. <cref>And
477 authorization AVPs ?</cref></t>
478 </list>The DEA is then forwarded to the authenticator, which can use
479 the rMSK as described in <xref target="RFC5296"></xref>.</t>
480
481 <t>The figure below captures this proxy behavior:</t>
482
483 <figure title="Figure. ERP explicit bootstrapping message flow">
484 <artwork><![CDATA[
485 Authenticator ER server Home EAP server
486 ============= ========= ===============
487 ----------------------->
488 Diameter ERP/DER
489 (EAP-Initiate)
490 ------------------------>
491 Diameter EAP/DER
492 (EAP-Initiate)
493 (ERP-RK-Request)
494
495 <------------------------
496 Diameter EAP/DEA
497 (EAP-Finish)
498 (ERP-RK-Answer)
499 (rMSK)
500 <----------------------
501 Diameter ERP/DEA
502 (EAP-Finish)
503 (rMSK)
504 ]]></artwork>
505 </figure>
506 </section>
507 </section>
508
509 <section anchor="Re-authentication" title="Re-Authentication">
510 <t>This section describes in detail a re-authentication exchange with a
511 (bootstrapped) ER server. The following figure summarizes the
512 re-authentication exchange.</t>
513
514 <figure title="Figure. Diameter ERP exchange. ">
515 <artwork><![CDATA[
516 ER server
517 (bootstrapped)
518 Peer Authenticator (local or home domain)
519 ==== ============= ======================
520 [ <------------------------ ]
521 [optional EAP-Initiate/Re-auth-start]
522
523 ----------------------->
524 EAP-Initiate/Re-auth
525 ==================================>
526 Diameter ERP, cmd code DER
527 User-Name: Keyname-NAI
528 EAP-Payload: EAP-Initiate/Re-auth
529
530 <==================================
531 Diameter ERP, cmd code DEA
532 EAP-Payload: EAP-Finish/Re-auth
533 EAP-Master-Session-Key: rMSK
534 <----------------------
535 EAP-Finish/Re-auth
536 ]]></artwork>
537 </figure>
538
539 <t>In ERP, the peer sends an EAP-Initiate/Re-auth message to the ER
540 server via the authenticator. Alternatively, the NAS may send an
541 EAP-Initiate/Re-auth-Start message to the peer to trigger the start of
542 ERP. In this case, the peer responds with an EAP-Initiate/Re-auth
543 message to the NAS.</t>
544
545 <t>If the authenticator does not support ERP (pure <xref
546 target="RFC4072"></xref> support), it discards the EAP packets with
547 unknown ERP-specific code (EAP-Initiate). The peer may fall back to full
548 EAP authentication in that case.</t>
549
550 <t>When the authenticator receives an EAP-Initiate/Re-auth message from
551 the peer, it processes it as described in <xref target="RFC5296"></xref> with
552 regard to the EAP state machine. It creates a Diameter EAP Request
553 message following the general process of <xref target="RFC4072">Diameter
554 EAP</xref>, with the following differences:<list>
555 <t>The Application Id in the header is set to Diameter ERP (code
556 <cref>TBD IANA</cref>).</t>
557
558 <t>The value in Auth-Application-Id AVP is also set to Diameter ERP
559 Application.</t>
560
561 <t>The keyName-NAI attribute from ERP message is used to create the
562 content of User-Name AVP and Destination-Realm AVP.</t>
563
564 <t><cref>FFS: What about Session-ID AVP -- in case of re-auth at the
565 same place, and in case of handover?</cref></t>
566
567 <t>The Auth-Request-Type AVP content is set to <cref>FFS -- Do we
568 really do authorization with Diameter ERP ? -- need to pass the
569 authorization attrs to the ER server in that case. Idea FFS: we do
570 authorization only for explicit bootstrapping
571 exchanges...</cref>.</t>
572
573 <t>The EAP-Payload AVP contains the ERP message,
574 EAP-Initiate/Re-Auth.</t>
575 </list>Then this ERP/DER message is sent as described in <xref
576 target="Overview"></xref>.</t>
577
578 <t>The ER server receives and processes this request as described in
579 <xref target="Overview"></xref>. It then creates a Diameter answer
580 ERP/DEA, following the general processing described in <xref
581 target="RFC4072"></xref>, with the following differences:<list>
582 <t>The Application Id in the header is set to Diameter ERP (code
583 <cref>TBD IANA</cref>).</t>
584
585 <t>The value in Auth-Application-Id AVP is also set to Diameter ERP
586 Application.</t>
587
588 <t>The Result-Code AVP is set to <cref>version -00 stated a SHOULD
589 here, not sure why ?</cref> an error value in case ERP
590 authentication fails, or to DIAMETER_SUCCESS if ERP is
591 successful.</t>
592
593 <t>The EAP-Payload AVP contains the ERP message,
594 EAP-Finish/Re-auth.</t>
595
596 <t>In case of successful authentication, the EAP-Master-Session-Key
597 AVP contains the Re-authentication Master Session Key (rMSK) derived
598 by ERP.</t>
599
600 <t><cref>What about all the authorization attributes? If we want to
601 include them, they have to be present on the ER server...</cref></t>
602 </list></t>
603
604 <t>When the authenticator receives this ERP/DEA answer, it processes it
605 as described in <xref target="RFC4072">Diameter EAP</xref> and <xref
606 target="RFC5296"></xref>: the content of the EAP-Payload AVP is
607 forwarded to the peer, and the content of EAP-Master-Session-Key AVP is
608 used as the shared secret for the Secure Association Protocol.</t>
609 </section>
610
611 <section anchor="ApplicationId" title="Application Id">
612 <t>We define a new Diameter application in this document, Diameter ERP
613 Application, with an Application Id value of <cref>TBD IANA</cref>.
614 Diameter nodes conforming to this specification in the role of ER server
615 MUST advertise support by including an Auth-Application-Id AVP with a
616 value of Diameter ERP Application in the
617 Capabilities-Exchange-Request and Capabilities-Exchange-Answer commands,
618 as described in <xref target="RFC3588"></xref>.</t>
619
620 <t>The primary use of the Diameter ERP Application Id is to ensure
621 proper routing of the messages, and that the nodes that advertise the
622 support for this application do understand the new AVPs defined in
623 <xref target="AVPs"></xref>, although these AVPs have the 'M'
624 flag cleared.</t>
625 </section>
626
627 <section anchor="AVPs" title="AVPs">
628 <t>This specification defines the following new AVPs. <cref>FFS: to
629 align with draft-wu-dime-local-keytran-02 if it becomes a WG
630 item</cref></t>
631
632 <section title="ERP-RK-Request AVP">
633 <t>The ERP-RK-Request AVP (AVP Code <cref>TBD IANA</cref>) is of type
634 grouped AVP. This AVP is used by the ER server to indicate its
635 willingness to act as ER server for a particular session.</t>
636
637 <t>This AVP has the M and V bits cleared.</t>
638
639 <figure title="Figure. ERP-RK-Request ABNF">
640 <artwork><![CDATA[
641 ERP-RK-Request ::= < AVP Header: TBD >
642 { ERP-Realm }
643 * [ AVP ]
644 ]]></artwork>
645 </figure>
646 </section>
647
648 <section title="ERP-Realm AVP">
649 <t>The ERP-Realm AVP (AVP Code <cref>TBD IANA</cref>) is of type
650 DiameterIdentity. It contains the name of the realm in which the ER
651 server is located.</t>
652
653 <t><cref>FFS: We may re-use Origin-Realm here instead? On the other
654 hand, ERP-Realm may be useful if the ER server is not in a third-party
655 realm, if this is possible.</cref></t>
656
657 <t>This AVP has the M and V bits cleared.</t>
658 </section>
659
660 <section title="ERP-RK-Answer AVP">
661 <t>The ERP-RK-Answer AVP (AVP Code <cref>TBD IANA</cref>) is of type
662 grouped AVP. It is used by the home EAP server to provide ERP root key
663 material to the ER server.</t>
664
665 <t>This AVP has the M and V bits cleared.</t>
666
667 <figure title="Figure. ERP-RK-Answer ABNF">
668 <artwork><![CDATA[
669 ERP-RK-Answer ::= < AVP Header: TBD >
670 { ERP-RK }
671 { ERP-RK-Name }
672 { ERP-RK-Lifetime }
673 * [ AVP ]
674 ]]></artwork>
675 </figure>
676 </section>
677
678 <section title="ERP-RK AVP">
679 <t>The ERP-RK AVP (AVP Code <cref>TBD IANA</cref>) is of type
680 OctetString. It contains the root key (either rRK or rDSRK) sent by
681 the home EAP server to the ER server, in answer to a request containing
682 an ERP-RK-Request AVP. How this material is derived and used is
683 specified in <xref target="RFC5296"></xref>. Note that this AVP carries secret key material: Diameter protects it only hop by hop (TLS or IPsec, as required by <xref target="RFC3588"></xref>), so every Diameter agent on the path between the home EAP server and the ER server is able to read the root key.</t>
684
685 <t><cref>Can we re-use EAP-Master-Session-Key here instead? Must check
686 the exact definition...</cref></t>
687
688 <t>This AVP has the M and V bits cleared.</t>
689 </section>
690
691 <section title="ERP-RK-Name AVP">
692 <t>The ERP-RK-Name AVP (AVP Code <cref>TBD IANA</cref>) is of type
693 OctetString. This AVP contains the EMSKname which identifies the
694 keying material. How this name is derived is beyond the scope of this
695 document and is defined in <xref target="RFC5296"></xref>.</t>
696
697 <t><cref>Can we re-use EAP-Key-Name here instead ?</cref></t>
698
699 <t>This AVP has the M and V bits cleared.</t>
700 </section>
701
702 <section title="ERP-RK-Lifetime AVP">
703 <t>The ERP-RK-Lifetime AVP (AVP Code <cref>TBD IANA</cref>) is of type
704 Unsigned32 <cref>do we really need 64 as in -00 ? 2^32 secs is already
705 more than 100 years, which is too long for a key lifetime !</cref> and
706 contains the remaining lifetime of the root key material, in seconds. It MUST
707 NOT be greater than the remaining lifetime of the EMSK it is derived
708 from. <cref>FFS: is it better to pass an absolute value here, for
709 example expiration date? How to express it then (TZ, ...)?
710 Synchronization problems?</cref></t>
711
712 <t>This AVP has the M and V bits cleared.</t>
713 </section>
714 </section>
715
716 <section anchor="Commands" title="Commands">
717 <t>We do not define any new command in this specification. We reuse the
718 Diameter-EAP-Request and Diameter-EAP-Answer commands defined in <xref
719 target="RFC4072"></xref>.</t>
720
721 <t>Since the original ABNF of these commands allows other optional AVPs
722 ("* [ AVP ]"), and the new AVPs defined in this specification do not
723 have the 'M' flag set, the ABNF does not need any change. However, a
724 Diameter node that advertises support for the Diameter ERP application
725 MUST support the new AVPs defined in this specification.</t>
726
727 <figure title="Figure. Command Codes">
728 <artwork><![CDATA[
729 Command-Name Abbrev. Code Reference Application
730 ---------------------------------------------------------
731 Diameter-EAP-Request DER 268 RFC 4072 Diameter ERP
732 Diameter-EAP-Answer DEA 268 RFC 4072 Diameter ERP
733 ]]></artwork>
734 </figure>
735 </section>
736
737 <section anchor="Issues" title="Open issues">
738 <t>This document does not address some known issues in the Diameter ERP
739 mechanism. The authors would like to hear ideas about how to address
740 them.</t>
741
742 <t>The main issue is the use of ERP for authentication after a handover
743 of the peer to a new authenticator (or different authenticator port).
744 Diameter ERP is not meant to be a mobility protocol. A number of issues
745 appear when we try to do handover in Diameter ERP (alone): how to manage
746 the Session-Id AVP; how does the ER server provide the Authorization
747 AVPs; how does the peer learn the ERP domain of the new authenticator;
748 how does the home server reach the peer to, for example, terminate the
749 session; and so on. Therefore, the management of the session for a
750 mobile peer is not (yet) addressed in this document. It must be studied
751 how Diameter ERP can, for example, be used in conjunction with a mobility
752 application (Diameter MIP4, Diameter MIP6) to support the optimized
753 re-authentication in such situation.</t>
754
755 <t>Another issue concerns the case where the home realm contains several
756 EAP servers. In a multi-round full EAP authentication, the
757 Destination-Host AVP provides the solution to reach the same server
758 across the exchanges. Only this server possesses the EMSK for the session.
759 In case of explicit bootstrapping, the ER server must therefore be able
760 to reach the correct server to request the DSRK. A solution might
761 consist of saving the Origin-Host AVP of all successful EAP/DEA in the
762 ER server, which is a bit similar to the implicit bootstrapping scenario
763 described here -- only we save the server name instead of the root key,
764 and we must then be able to match the DSRK with the user name.</t>
765
766 <t>Finally, this document currently lacks a description of what happens
767 when a Re-Auth-Request is received for a peer on the authenticator.</t>
768 </section>
769
770 <section anchor="Acknowledgements" title="Acknowledgements">
771 <t>Hannes Tschofenig wrote the initial draft for this document and
772 provided useful reviews.</t>
773
774 <t>Vidya Narayanan reviewed a rough draft version of the document and
775 found some errors.</t>
776
777 <t>Glen Zorn actively participated in the discussions on the design for
778 Diameter ERP, providing the point of view and experience from HOKEY
779 workgroup.</t>
780
781 <t>Many thanks to these people!</t>
782 </section>
783
784 <section anchor="IANA" title="IANA Considerations">
785 <t>This document requires IANA registration of the following new
786 elements in the <eref
787 target="http://www.iana.org/assignments/aaa-parameters/">Authentication,
788 Authorization, and Accounting (AAA) Parameters</eref> registries.</t>
789
790 <section title="Diameter ERP application">
791 <t>This specification requires IANA to allocate a new value "Diameter
792 ERP" in the "Application IDs" registry created in <xref
793 target="RFC3588"></xref>.</t>
794
795 <figure title="IANA consideration for Diameter ERP application">
796 <artwork><![CDATA[
797 Application Identifier | Value
798 -----------------------------------+------
799 Diameter ERP | TBD
800 ]]></artwork>
801 </figure>
802 </section>
803
804 <section title="New AVPs">
805 <t>This specification requires IANA to allocate new values from the
806 "AVP Codes" registry defined in <xref target="RFC3588"></xref> for the
807 following AVPs:<list>
808 <t>ERP-RK-Request</t>
809
810 <t>ERP-Realm</t>
811
812 <t>ERP-RK-Answer</t>
813
814 <t>ERP-RK</t>
815
816 <t>ERP-RK-Name</t>
817
818 <t>ERP-RK-Lifetime</t>
819 </list>These AVPs are defined in <xref
820 target="AVPs"></xref>.</t>
821 </section>
822 </section>
823
824 <section anchor="Security" title="Security Considerations">
825 <t>The security considerations from the following RFCs apply here: <xref
826 target="RFC3588"></xref>, <xref target="RFC4072"></xref>, <xref
827 target="RFC5247"></xref>, <xref target="RFC5295"></xref>, and <xref
828 target="RFC5296"></xref>.</t>
829
830 <t><cref>FFS: Do we really respect these security considerations with
831 the mechanism we describe here? Is it safe to use ERP-RK-Request /
832 Answer AVPs? What is the worst case?</cref></t>
833
834 <t>EAP channel bindings may be necessary to ensure that the Diameter
835 client and the server are in sync regarding the key Requesting Entity's
836 Identity. Specifically, the Requesting Entity advertises its identity
837 through the EAP lower layer, and the user or the EAP peer communicates
838 that identity to the EAP server (and the EAP server communicates that
839 identity to the Diameter server) via the EAP method for user/peer to
840 server verification of the Requesting Entity's Identity.<cref>Editor: I
841 really don't understand this paragraph ^^'...</cref></t>
842 </section>
843 </middle>
844
845 <back>
846 <references title="Normative References">
847 &RFC2119;
848
849 &RFC3588;
850
851 &RFC4072;
852
853 &RFC5295;
854
855 &RFC5296;
856
857 &RFC3748;
858 </references>
859
860 <references title="Informative References">
861 &RFC4187;
862
863 &RFC5247;
864
865 &I-D.ietf-hokey-key-mgm;
866
867 &I-D.ietf-dime-erp;
868
869 &I-D.wu-dime-local-keytran;
870
871 &I-D.ietf-dime-app-design-guide;
872 </references>
873 </back>
874 </rfc>