Mercurial > hg > ietf
annotate New_ERP_draft.txt @ 15:a55830de00df
Update to latest
| author | Sebastien Decugis <sdecugis@nict.go.jp> |
|---|---|
| date | Wed, 18 Mar 2009 14:20:14 +0900 |
| parents | ece18f20b72c |
| children | 258e3618b438 |
| rev | line source |
|---|---|
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
1 ===================== |
| 15 | 2 changeset: 13:aa31cf892b1b |
| 3 parent: 11:c8dd0bdbd9e6 | |
| 4 user: Sebastien Decugis <sdecugis@nict.go.jp> | |
| 5 date: Wed Mar 18 14:21:19 2009 +0900 | |
| 6 summary: Yet more cleanups... | |
| 7 | |
| 12 | 8 changeset: 11:c8dd0bdbd9e6 |
| 9 user: Sebastien Decugis <sdecugis@nict.go.jp> | |
| 10 date: Wed Mar 18 14:16:22 2009 +0900 | |
| 11 summary: More cleanups. | |
| 12 | |
| 10 | 13 changeset: 9:5fdd3345477f |
| 14 user: Sebastien Decugis <sdecugis@nict.go.jp> | |
| 15 date: Wed Mar 18 14:06:05 2009 +0900 | |
| 16 summary: Cleanups. | |
| 17 | |
| 18 changeset: 8:45a13fe6e0be | |
| 19 user: Sebastien Decugis <sdecugis@nict.go.jp> | |
| 20 date: Wed Mar 18 13:21:39 2009 +0900 | |
| 21 summary: Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication. | |
| 22 | |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
23 changeset: 5:5fc766d71da4 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
24 parent: 3:e7bcb9ee39b5 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
25 user: Sebastien Decugis <sdecugis@nict.go.jp> |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
26 date: Tue Mar 17 17:22:52 2009 +0900 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
27 summary: Temporary status, scenarios must be developped a little more. The basic ideas are present already. For early comments. |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
28 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
29 changeset: 3:e7bcb9ee39b5 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
30 user: Sebastien Decugis <sdecugis@nict.go.jp> |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
31 date: Tue Mar 17 14:20:38 2009 +0900 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
32 summary: Document to present alternative design for Diameter ERP, initial commit (incomplete work) |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
33 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
34 ===================== |
| 12 | 35 |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
36 *Abstract* |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
37 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
38 The EAP Re-authentication Protocol [RFC5296] provides an optimization for EAP |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
39 authentication when a peer moves from an authenticator to another. This |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
40 protocol assumes that a AAA protocol is available to transport the ERP messages |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
41 between authenticator and ER server. [draft-gaonkar-radext-erp-attrs-03] |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
42 specifies the transport of ERP using RADIUS. This document specifies the |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
43 transport of ERP using Diameter [RFC3588]. |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
44 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
45 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
46 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
47 *Differences with [draft-ietf-dime-erp-00]* |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
48 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
49 In this document, we specify a new Diameter application ID for Diameter |
| 10 | 50 messages transporting ERP exchanges between authenticator and ER server. We |
| 51 re-use the mechanism described in [draft-ietf-dime-erp-00] as an option | |
| 52 available to provide implicit bootstrapping to the ER server. | |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
53 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
54 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
55 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
56 *Introduction.* |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
57 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
58 During full EAP authentication, both the peer and the home EAP server derive |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
59 EMSK material in addition to MSK. The EMSK can be used to derive a |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
60 re-authentication root key (rRK or rDSRK) as described in [RFC5296]. This root |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
61 key is transported to an ER server, this is called bootstrapping the ER server. |
| 10 | 62 When the peer re-authenticates using ERP, a one round-trip exchange occurs |
| 63 between the authenticator and the ER server, where new rMSK material is | |
| 64 derived. The ER server may be located in the visited domain or home domain. | |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
65 |
| 10 | 66 There are two types of exchanges between AAA entities in the Re-authentication |
| 67 mechanism: transport of the re-authentication root key between the home EAP | |
| 68 server and the ER server to bootstrap the mechanism, and transport of ERP | |
| 69 messages and rMSK material between ER server and authenticator. This document | |
| 70 specifies how the re-authentication exchange is transported using Diameter. It | |
| 71 also provides information on how bootstrapping can be achieved in several | |
| 72 situations. | |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
73 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
74 Diameter +--------+ |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
75 +-------------+ ERP +-----------+ (*) | Home | |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
76 Peer <->|Authenticator|<=======>| ER server | <---> | EAP | |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
77 +-------------+ +-----------+ | server | |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
78 +--------+ |
| 10 | 79 (*) Several protocols can be used between ER server and home EAP server to |
| 80 transport bootstrapping material. Diameter EAP is one of the possibilities. | |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
81 |
| 10 | 82 Figure 1. Diameter applications used in the ERP mechanism. |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
83 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
84 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
85 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
86 *Assumptions.* |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
87 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
88 For the peer to start an ERP exchange when attaching to a new authenticator, |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
89 the following assumptions must be verified. Note that the peer can always fall |
| 10 | 90 back to full EAP authentication if one of these conditions is not met. These |
| 91 assumptions are implicit from [RFC5296]. | |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
92 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
93 The peer must have non-expired keying material (EMSK) derived from a previous |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
94 full EAP authentication. |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
95 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
96 The peer must learn the realm of the new authenticator before starting the |
| 10 | 97 exchange, for example using L2-dependent mechanism. If this condition is not |
| 98 met, the peer cannot assume that an ER server is available and bootstrapped in | |
| 99 the realm of this authenticator. It should start an ERP bootstrapping exchange | |
| 100 as described in [RFC5296]. In addition, if the peer is attaching to this realm | |
| 101 for the first time since the EMSK was derived (inter-domain handover), an ERP | |
| 102 bootstrapping exchange must be initiated. | |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
103 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
104 The authenticator must support ERP extensions. If this condition is not met, |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
105 the ERP messages will be dropped by the authenticator conforming to [RFC4072] |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
106 and ERP will fail. |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
107 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
108 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
109 |
| 10 | 110 *Overview* |
| 111 | |
| 112 We define a new Diameter Application ID for ERP. When the authenticator | |
| 113 receives an EAP-Initiate/Re-auth message, it encapsulates it in a DER message | |
| 114 following the rules described in [RFC4072]. The application id of the DER | |
| 115 message is set to the Diameter ERP application ID. The User-Name and | |
| 116 Destination-Realm AVPs are extracted from the keyName-NAI included in the ERP | |
| 117 message, as described in [RFC5296]. In the case were ERP is already | |
| 118 bootstrapped in this domain, and the peer knows it, the Destination-Realm of | |
| 119 the message is the local domain. In other cases, the peer is initiating a | |
| 120 bootstrapping ERP exchange, and the Destination-Realm is the home domain. | |
| 121 | |
| 122 When ERP is already bootstrapped, the message is routed to the bootstrapped ER | |
| 123 server. This server processes the ERP message as described in [RFC5296] then | |
| 124 derives a new rMSK and answers a DEA encapsulating the EAP-Finish/Re-auth | |
| 125 answer and the rMSK for the authenticator. Re-authentication is complete {see | |
| 126 pending question in the end of this document}. This exchange is described in | |
| 127 Figure 2 bellow. | |
| 128 | |
| 129 There are several options to bootstrap the ER server. This document discusses | |
| 130 some of the options, but a different mechanism not described here may be | |
| 131 deployed as well. See the following sections for more details about | |
| 132 bootstrapping scenarii. | |
| 133 | |
| 12 | 134 ER server |
| 135 (bootstrapped) | |
| 15 | 136 Peer Authenticator (local or home domain) |
| 137 ==== ============= ====================== | |
| 12 | 138 [ <------------------------ ] |
| 139 [optional EAP-Initiate/Re-auth-start] | |
| 10 | 140 |
| 141 -----------------------> | |
| 142 EAP-Initiate/Re-auth | |
| 143 =====================================> | |
| 144 Diameter ERP, cmd code DER | |
| 145 User-Name: Keyname-NAI | |
| 146 EAP-Payload: EAP-Initiate/Re-auth | |
| 147 | |
| 148 <===================================== | |
| 149 Diameter ERP, cmd code DEA | |
| 150 EAP-Payload: EAP-Finish/Re-auth | |
| 151 EAP-Master-Session-Key: rMSK | |
| 152 <---------------------- | |
| 153 EAP-Finish/Re-auth | |
| 154 | |
| 155 Figure 2. Diameter ERP exchange. | |
| 156 | |
| 157 | |
| 158 | |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
159 *Bootstrapping* |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
160 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
161 The purpose of bootstrapping is to provide the keying material to the ER |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
162 server. This keying material is rRK (directly derived from EMSK) when the ER |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
163 server is in the peer's home domain. The keying material is rDSRK (derived from |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
164 DSRK, itself derived from EMSK) when the ER server is in the visited domain. |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
165 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
166 |
| 12 | 167 |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
168 *Scenario 1: explicit bootstrapping* |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
169 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
170 As described in [RFC5296], an explicit bootstrapping exchange can be initiated |
| 10 | 171 by the peer. In this case, the realm part of the Keyname-NAI is the home domain |
| 172 of the peer. | |
| 173 | |
| 174 The authenticator processes the ERP as described in the overview: encapsulate | |
| 175 the ERP message in a DER command with application-id set to Diameter ERP. The | |
| 176 Destination-Realm extracted from Keyname-NAI is the home domain. | |
| 177 | |
| 178 If an ER server is located in the local domain, it should proxy the request and | |
| 179 process as described bellow. Otherwise the request is sent to the ER server in | |
| 180 the home domain. | |
| 181 | |
| 182 When the ER server (in local or home domain) receives the ERP/DER request, it | |
| 183 must process as follow: | |
| 184 - Check in the local key store if a key with same name is available. If such | |
| 185 key is found, process the request locally and answer. | |
| 186 - Check if the EAP-Initiate/Re-auth message has the [B] (bootstrapping) flag | |
| 187 set. If this flag is not set, relay the message without altering it (except | |
| 188 adding the Route-Record information) or reply with an error if no other | |
| 189 Diameter node is available to handle the request, following the rules of | |
| 190 Diameter Base Protocol. | |
| 191 - If the [B] flag was set, the message is proxied locally and modified as | |
| 192 follow: | |
| 193 * Change the application-id of the message from Diameter ERP to Diameter EAP | |
| 194 (so that the message will reach the Home EAP server). | |
| 195 * Add the ERP-RK-Request AVP, defined in this document. | |
| 196 * Send the new message. It will reach the Home EAP server. | |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
197 |
| 10 | 198 If the home EAP server does not support ERP extensions, it replies with an |
| 199 error since encapsulated EAP-Initiate/Re-auth command is not understood. | |
| 200 Otherwise, it processes the EAP-Initiate/Re-auth message as described in | |
| 201 [RFC5296] and derives the requested rDSRK or rRK, and new rMSK. It sends this | |
| 202 material using the new ERP-RK-Answer AVP described in this document. It also | |
| 203 includes the realm of the ER server in the EAP-Finish/Re-auth message to inform | |
| 204 the peer of the location of the ER server. | |
| 205 | |
| 206 The ER server receives this DEA, extracts and cache the rRK or rDSRK material, | |
| 207 restores the application-id to Diameter ERP and forwards the message to the | |
| 208 authenticator. | |
| 209 | |
| 210 This flow is captured figure 3. | |
| 211 | |
| 212 Authenticator ER server Home EAP server | |
| 213 ============= ========= =============== | |
| 214 -----------------------> | |
| 12 | 215 Diameter ERP/DER |
| 216 (EAP-Initiate) | |
| 10 | 217 ------------------------> |
| 12 | 218 Diameter EAP/DER |
| 10 | 219 (EAP-Initiate) |
| 220 (ERP-RK-Request) | |
| 221 | |
| 222 <------------------------ | |
| 12 | 223 Diameter EAP/DEA |
| 10 | 224 (EAP-Finish) |
| 225 (ERP-RK-Answer) | |
| 226 (rMSK) | |
| 227 <---------------------- | |
| 12 | 228 Diameter ERP/DEA |
| 229 (EAP-Finish) | |
| 230 (rMSK) | |
| 10 | 231 |
| 232 Figure 3. ERP explicit bootstrapping message flow. | |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
233 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
234 |
| 10 | 235 |
| 236 *Scenario 2: implicit bootstrapping during full EAP authentication* | |
| 237 | |
| 238 In some deployment scenarii, the ER server may be collocated with an EAP proxy | |
| 239 or server. In that case, the optional ERP AVPs defined in this document may be | |
| 240 used during initial full EAP authentication to provide implicit bootstrapping | |
| 241 (section 5.1 of [RFC5296]) as described bellow. | |
| 242 | |
| 243 In this scenario, the ERP key material is derived and cached regardless of the | |
| 244 peer support and willingness for ERP. This may lead to scalability and other | |
| 245 issues. Implementors may provide other ways to select which sessions should use | |
| 246 implicit bootstrapping. | |
| 247 | |
| 248 In the first round of full EAP exchange, the ER server adds the ERP-RK-Request | |
| 249 AVP to the DER message. | |
| 250 If the home EAP server supports ERP extensions, it caches this request and | |
| 251 continues the normal EAP authentication until completion. Otherwise, the | |
| 252 optional AVP is simply ignored. | |
| 253 When the authentication is successful and EMSK is generated, the home EAP | |
| 254 server derives the rRK or rDSRK as requested, and adds this material to the | |
| 255 last DEA in the ERP-RK-Answer AVP defined in this document. The server may | |
| 256 check that the ER server that requested the material is in the Route-Record | |
| 257 list of the last DER, but this is not mandatory. | |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
258 |
| 10 | 259 When the ER server collocated with EAP proxy receives the DEA containing |
| 260 ERP-RK-Answer AVP, it extracts this AVP and saves the rRK or rDSRK material for | |
| 261 later use. | |
| 262 | |
| 263 EAP Proxy / | |
| 264 Authenticator ER server Home EAP server | |
| 265 ============= =========== =============== | |
| 266 -------------------------> | |
| 12 | 267 Diameter EAP/DER |
| 10 | 268 (EAP-Response) |
| 269 -------------------------> | |
| 12 | 270 Diameter EAP/DER |
| 10 | 271 (EAP-Response) |
| 272 (ERP-RK-Request) | |
| 273 | |
| 274 <==================================================> | |
| 12 | 275 Multi-round Diameter EAP exchanges, unmodified |
| 10 | 276 |
| 277 <------------------------- | |
| 12 | 278 Diameter EAP/DEA |
| 10 | 279 (EAP-Success) |
| 280 (MSK) | |
| 281 (ERP-RK-Answer) | |
| 282 <------------------------- | |
| 12 | 283 Diameter EAP/DEA |
| 10 | 284 (EAP-Success) |
| 285 (MSK) | |
| 286 | |
| 287 Figure 4. Implicit ERP bootstrapping during full EAP authentication. | |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
288 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
289 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
290 |
| 15 | 291 *Scenario 3: Case of MIP6* |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
292 |
| 10 | 293 {TODO: study this case ?} |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
294 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
295 |
| 12 | 296 |
| 15 | 297 *Scenario 4: Other possibilities* |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
298 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
299 {In case implementation-specific solution is retained, list here the |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
300 constraints?} |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
301 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
302 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
303 |
| 10 | 304 *Commands and AVPs* |
| 305 | |
| 306 This document does not define a new command. It reuses the Diameter-EAP-Request | |
| 307 and Diameter-EAP-Answer as defined in [RFC4072]. It is also compatible with | |
| 308 extensions defined in [draft-ietf-dime-mip6-split-16]. | |
| 309 | |
| 310 Command-Name Abbrev. Code Reference Application | |
| 311 --------------------------------------------------------- | |
| 312 Diameter-EAP-Request DER 268 RFC 4072 Diameter ERP | |
| 313 Diameter-EAP-Answer DEA 268 RFC 4072 Diameter ERP | |
| 314 | |
| 315 Figure 5: Command Codes | |
| 316 The following new AVPs are defined in this document. | |
| 317 | |
| 318 | |
| 319 | |
| 320 *ERP-RK-Request AVP* | |
| 321 | |
| 322 The ERP-RK-Request AVP (AVP Code TBD) is of type grouped AVP. It is used by the | |
| 323 ER server to request root key material used in ERP. | |
| 324 | |
| 325 This AVP has the M and V bits cleared. | |
| 326 | |
| 327 ERP-RK-Request ::= < AVP Header: TBD > | |
| 328 { ERP-Realm } | |
| 329 * [ AVP ] | |
| 330 | |
| 331 | |
| 332 | |
| 333 *ERP-Realm AVP* | |
| 334 | |
| 335 The ERP-Realm AVP (AVP Code TBD) is of type {DiameterIdentity? OctetString?}. | |
| 336 It contains the name of the realm in which the ER server is located. | |
| 337 {FFS: We may re-use Origin-Realm here instead?} | |
| 338 | |
| 339 | |
| 340 | |
| 341 *ERP-RK-Answer AVP* | |
| 342 | |
| 343 The ERP-RK-Answer AVP (AVP Code TBD) is of type grouped AVP. It is used by the | |
| 344 home EAP server to provide ERP root key material to the ER server. | |
| 345 | |
| 346 This AVP has the M and V bits cleared. | |
| 347 | |
| 348 ERP-RK-Answer ::= < AVP Header: TBD > | |
| 349 { ERP-RK } | |
| 350 { ERP-RK-Name } | |
| 351 { ERP-RK-Lifetime } | |
| 352 * [ AVP ] | |
| 353 | |
| 354 | |
| 15 | 355 |
| 10 | 356 *ERP-RK AVP* |
| 357 | |
| 358 The ERP-RK AVP (AVP Code TBD) is of type OctetString. It contains the root key | |
| 359 (either rRK or rDSRK) to be used for ERP with the peer to which this session | |
| 360 belongs. How this material is derived and used is specified in [RFC5296]. | |
| 361 | |
| 362 | |
| 363 | |
| 364 *ERP-RK-Name AVP* | |
| 365 | |
| 366 The ERP-RK AVP (AVP Code TBD) is of type OctetString. This AVP contains the | |
| 367 EMSKname which identifies the keying material. How this name is derived is | |
| 368 beyond the scope of this document and defined in [RFC5296]. | |
| 369 | |
| 370 | |
| 371 | |
| 372 *ERP-RK-Lifetime AVP* | |
| 373 | |
| 374 The ERP-RK-Lifetime AVP (AVP Code TBD) is of type {Unsigned64? 32?} and | |
| 375 contains the root key material lifetime in seconds. | |
| 376 | |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
377 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
378 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
379 *Pending question on accounting and sessions.* |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
380 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
381 During initial full EAP authentication, the identity of the peer is used to |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
382 create the Session-Id AVP, which is then used during accounting. |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
383 When the peer attaches to a new authenticator and performs ERP, its identity is |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
384 not disclosed to the authenticator. Instead, the peer presents the Keyname-NAI. |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
385 This identifiers contains the EMSKName as user part. |
| 10 | 386 |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
387 The new authenticator will therefore derive the new Session-Id from this |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
388 EMSKName and use this for accounting purpose. |
| 10 | 389 |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
390 Although the home EAP server is able to link EMSKName with the peer's identity, |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
391 the other Diameter entities do not have this mapping. In particular, the realm |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
392 part of Keyname-NAI is the visited network. How does the authenticator figures |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
393 out that the account records must be sent to the home domain of the peer? |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
394 |
| 10 | 395 It is possible to cache the necessary information at the ER server level. Is it |
| 396 useful to specify this mechanism in this document? | |
|
7
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
397 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
398 |
|
9ffe45ad7651
Add temporary formated document
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
399 |
| 10 | 400 |