Mercurial > hg > ietf
annotate New_ERP_draft.txt @ 15:a55830de00df
Update to latest
author:   Sebastien Decugis <sdecugis@nict.go.jp>
date:     Wed, 18 Mar 2009 14:20:14 +0900
parents:  ece18f20b72c
children: 258e3618b438
=====================
changeset:   13:aa31cf892b1b
parent:      11:c8dd0bdbd9e6
user:        Sebastien Decugis <sdecugis@nict.go.jp>
date:        Wed Mar 18 14:21:19 2009 +0900
summary:     Yet more cleanups...

changeset:   11:c8dd0bdbd9e6
user:        Sebastien Decugis <sdecugis@nict.go.jp>
date:        Wed Mar 18 14:16:22 2009 +0900
summary:     More cleanups.

changeset:   9:5fdd3345477f
user:        Sebastien Decugis <sdecugis@nict.go.jp>
date:        Wed Mar 18 14:06:05 2009 +0900
summary:     Cleanups.

changeset:   8:45a13fe6e0be
user:        Sebastien Decugis <sdecugis@nict.go.jp>
date:        Wed Mar 18 13:21:39 2009 +0900
summary:     Completed initial description of the mechanism for explicit bootstrapping and implicit during Diameter EAP authentication.

changeset:   5:5fc766d71da4
parent:      3:e7bcb9ee39b5
user:        Sebastien Decugis <sdecugis@nict.go.jp>
date:        Tue Mar 17 17:22:52 2009 +0900
summary:     Temporary status, scenarios must be developed a little more. The basic ideas are present already. For early comments.

changeset:   3:e7bcb9ee39b5
user:        Sebastien Decugis <sdecugis@nict.go.jp>
date:        Tue Mar 17 14:20:38 2009 +0900
summary:     Document to present alternative design for Diameter ERP, initial commit (incomplete work)

=====================

*Abstract*

The EAP Re-authentication Protocol [RFC5296] provides an optimization for EAP
authentication when a peer moves from one authenticator to another. This
protocol assumes that an AAA protocol is available to transport the ERP messages
between authenticator and ER server. [draft-gaonkar-radext-erp-attrs-03]
specifies the transport of ERP using RADIUS. This document specifies the
transport of ERP using Diameter [RFC3588].



*Differences with [draft-ietf-dime-erp-00]*

In this document, we specify a new Diameter application ID for Diameter
messages transporting ERP exchanges between authenticator and ER server. We
re-use the mechanism described in [draft-ietf-dime-erp-00] as an option
available to provide implicit bootstrapping to the ER server.



*Introduction.*

During full EAP authentication, both the peer and the home EAP server derive
EMSK material in addition to MSK. The EMSK can be used to derive a
re-authentication root key (rRK or rDSRK) as described in [RFC5296]. This root
key is transported to an ER server; this is called bootstrapping the ER server.
When the peer re-authenticates using ERP, a one-round-trip exchange occurs
between the authenticator and the ER server, where new rMSK material is
derived. The ER server may be located in the visited domain or home domain.

There are two types of exchanges between AAA entities in the re-authentication
mechanism: transport of the re-authentication root key between the home EAP
server and the ER server to bootstrap the mechanism, and transport of ERP
messages and rMSK material between ER server and authenticator. This document
specifies how the re-authentication exchange is transported using Diameter. It
also provides information on how bootstrapping can be achieved in several
situations.

                       Diameter                     +--------+
        +-------------+   ERP   +-----------+  (*)  |  Home  |
Peer <->|Authenticator|<=======>| ER server | <---> |  EAP   |
        +-------------+         +-----------+       | server |
                                                    +--------+
(*) Several protocols can be used between ER server and home EAP server to
transport bootstrapping material. Diameter EAP is one of the possibilities.

Figure 1. Diameter applications used in the ERP mechanism.



*Assumptions.*

For the peer to start an ERP exchange when attaching to a new authenticator,
the following assumptions must hold. Note that the peer can always fall
back to full EAP authentication if one of these conditions is not met. These
assumptions are implicit in [RFC5296].

The peer must have non-expired keying material (EMSK) derived from a previous
full EAP authentication.

The peer must learn the realm of the new authenticator before starting the
exchange, for example using an L2-dependent mechanism. If this condition is not
met, the peer cannot assume that an ER server is available and bootstrapped in
the realm of this authenticator. It should start an ERP bootstrapping exchange
as described in [RFC5296]. In addition, if the peer is attaching to this realm
for the first time since the EMSK was derived (inter-domain handover), an ERP
bootstrapping exchange must be initiated.

The authenticator must support ERP extensions. If this condition is not met,
the ERP messages will be dropped by an authenticator conforming to [RFC4072]
and ERP will fail.



*Overview*

We define a new Diameter Application ID for ERP. When the authenticator
receives an EAP-Initiate/Re-auth message, it encapsulates it in a DER message
following the rules described in [RFC4072]. The application id of the DER
message is set to the Diameter ERP application ID. The User-Name and
Destination-Realm AVPs are extracted from the keyName-NAI included in the ERP
message, as described in [RFC5296]. In the case where ERP is already
bootstrapped in this domain, and the peer knows it, the Destination-Realm of
the message is the local domain. In other cases, the peer is initiating a
bootstrapping ERP exchange, and the Destination-Realm is the home domain.

When ERP is already bootstrapped, the message is routed to the bootstrapped ER
server. This server processes the ERP message as described in [RFC5296], then
derives a new rMSK and answers with a DEA encapsulating the EAP-Finish/Re-auth
answer and the rMSK for the authenticator. Re-authentication is complete {see
pending question at the end of this document}. This exchange is described in
Figure 2 below.

There are several options to bootstrap the ER server. This document discusses
some of the options, but a different mechanism not described here may be
deployed as well. See the following sections for more details about
bootstrapping scenarios.

                                              ER server
                                            (bootstrapped)
Peer            Authenticator          (local or home domain)
====            =============          ======================
    [ <------------------------ ]
    [optional EAP-Initiate/Re-auth-start]

    ----------------------->
    EAP-Initiate/Re-auth
                             =====================================>
                             Diameter ERP, cmd code DER
                               User-Name: Keyname-NAI
                               EAP-Payload: EAP-Initiate/Re-auth

                             <=====================================
                             Diameter ERP, cmd code DEA
                               EAP-Payload: EAP-Finish/Re-auth
                               EAP-Master-Session-Key: rMSK
    <----------------------
    EAP-Finish/Re-auth

Figure 2. Diameter ERP exchange.



*Bootstrapping*

The purpose of bootstrapping is to provide the keying material to the ER
server. This keying material is rRK (directly derived from EMSK) when the ER
server is in the peer's home domain. The keying material is rDSRK (derived from
DSRK, itself derived from EMSK) when the ER server is in the visited domain.



*Scenario 1: explicit bootstrapping*

As described in [RFC5296], an explicit bootstrapping exchange can be initiated
by the peer. In this case, the realm part of the Keyname-NAI is the home domain
of the peer.

The authenticator processes the ERP message as described in the overview: it
encapsulates the ERP message in a DER command with application-id set to
Diameter ERP. The Destination-Realm extracted from the Keyname-NAI is the home
domain.

If an ER server is located in the local domain, it should proxy the request and
process it as described below. Otherwise the request is sent to the ER server
in the home domain.

When the ER server (in the local or home domain) receives the ERP/DER request,
it must process it as follows:
- Check in the local key store whether a key with the same name is available.
  If such a key is found, process the request locally and answer.
- Check whether the EAP-Initiate/Re-auth message has the [B] (bootstrapping)
  flag set. If this flag is not set, relay the message without altering it
  (except for adding the Route-Record information), or reply with an error if
  no other Diameter node is available to handle the request, following the
  rules of the Diameter Base Protocol.
- If the [B] flag was set, the message is proxied locally and modified as
  follows:
  * Change the application-id of the message from Diameter ERP to Diameter EAP
    (so that the message will reach the Home EAP server).
  * Add the ERP-RK-Request AVP, defined in this document.
  * Send the new message. It will reach the Home EAP server.

If the home EAP server does not support ERP extensions, it replies with an
error since the encapsulated EAP-Initiate/Re-auth message is not understood.
Otherwise, it processes the EAP-Initiate/Re-auth message as described in
[RFC5296] and derives the requested rDSRK or rRK, and a new rMSK. It sends this
material using the new ERP-RK-Answer AVP described in this document. It also
includes the realm of the ER server in the EAP-Finish/Re-auth message to inform
the peer of the location of the ER server.

The ER server receives this DEA, extracts and caches the rRK or rDSRK material,
restores the application-id to Diameter ERP and forwards the message to the
authenticator.

This flow is captured in Figure 3.

Authenticator                ER server               Home EAP server
=============                =========               ===============
       ----------------------->
         Diameter ERP/DER
         (EAP-Initiate)
                                ------------------------>
                                  Diameter EAP/DER
                                  (EAP-Initiate)
                                  (ERP-RK-Request)

                                <------------------------
                                  Diameter EAP/DEA
                                  (EAP-Finish)
                                  (ERP-RK-Answer)
                                  (rMSK)
       <----------------------
         Diameter ERP/DEA
         (EAP-Finish)
         (rMSK)

Figure 3. ERP explicit bootstrapping message flow.
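The following is an added example, not text or code from the draft: it models
in Python the authenticator step from the Overview (encapsulating
EAP-Initiate/Re-auth in a DER tagged with the Diameter ERP application id,
with User-Name and Destination-Realm filled from the keyName-NAI) and the ER
server decision procedure of Scenario 1 (local key lookup, [B] flag test, relay
versus proxy with ERP-RK-Request). The Diameter ERP application id value, the
result code names chosen for the error cases and the dataclass representation
of the messages are assumptions; the RFC 5296 wire format is not parsed.

```python
from dataclasses import dataclass, field, replace

# Assumed values: the draft leaves the Diameter ERP application id TBD, so a
# placeholder is used here. Diameter EAP application id 5 and command code
# 268 are the RFC 4072 values; the result code names are from RFC 3588.
APP_ID_DIAMETER_EAP = 5
APP_ID_DIAMETER_ERP = 0x7FFFFFFF  # placeholder, TBD in the draft
CMD_CODE_DER = 268


@dataclass
class EapInitiateReauth:
    keyname_nai: str      # "EMSKname@realm" from the keyName-NAI TLV
    bootstrap_flag: bool  # the [B] flag of EAP-Initiate/Re-auth


@dataclass
class DiameterRequest:
    app_id: int
    cmd_code: int
    user_name: str
    destination_realm: str
    eap_payload: EapInitiateReauth
    route_record: tuple = ()                   # identities of nodes traversed
    avps: dict = field(default_factory=dict)   # extra AVPs, e.g. ERP-RK-Request


def split_keyname_nai(nai):
    """Split 'EMSKname@realm' into (EMSKname, realm): the realm is whatever
    follows the last '@'. Without a realm the authenticator could not fill
    Destination-Realm, so such a keyName-NAI is rejected."""
    user, sep, realm = nai.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError("keyName-NAI must have the form EMSKname@realm")
    return user, realm


def authenticator_build_der(msg):
    """Authenticator (Overview): wrap EAP-Initiate/Re-auth in a DER tagged with
    the Diameter ERP application id; User-Name carries the whole keyName-NAI
    and Destination-Realm its realm part."""
    _, realm = split_keyname_nai(msg.keyname_nai)
    return DiameterRequest(APP_ID_DIAMETER_ERP, CMD_CODE_DER,
                           msg.keyname_nai, realm, msg)


def er_server_handle_der(der, key_store, local_host, local_realm,
                         has_next_hop=True):
    """ER server (Scenario 1). key_store maps EMSKname -> cached root key.
    Returns (action, payload):
      'answer' - key known locally: process the ERP message here;
      'relay'  - no key, no [B] flag: forward unchanged except Route-Record;
      'error'  - request cannot be handled, payload is the result code name;
      'proxy'  - [B] flag set: re-tag as Diameter EAP and add ERP-RK-Request
                 naming this ER server's realm, bound for the home EAP server."""
    if der.app_id != APP_ID_DIAMETER_ERP or der.cmd_code != CMD_CODE_DER:
        return "error", "DIAMETER_APPLICATION_UNSUPPORTED"
    emsk_name, _ = split_keyname_nai(der.user_name)
    if emsk_name in key_store:
        return "answer", der
    # Every forwarded copy records this node; the original is left untouched.
    routed = replace(der, route_record=der.route_record + (local_host,))
    if not der.eap_payload.bootstrap_flag:
        if not has_next_hop:
            return "error", "DIAMETER_UNABLE_TO_DELIVER"
        return "relay", routed
    request = {"ERP-RK-Request": {"ERP-Realm": local_realm}}
    return "proxy", replace(routed, app_id=APP_ID_DIAMETER_EAP,
                            avps={**der.avps, **request})


if __name__ == "__main__":
    # Constructed sample: a peer bootstrapping ERP from a visited realm.
    der = authenticator_build_der(
        EapInitiateReauth("EMSKNAME1@home.example", bootstrap_flag=True))
    action, out = er_server_handle_der(der, {}, "er1.visited.example",
                                       "visited.example")
    print(action, out.app_id, out.avps, out.route_record)
```

The ER server never mutates the request it received: the relayed and proxied
copies are built with dataclasses.replace, so the Route-Record and the added
AVP appear only on the outgoing message.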



*Scenario 2: implicit bootstrapping during full EAP authentication*

In some deployment scenarios, the ER server may be collocated with an EAP proxy
or server. In that case, the optional ERP AVPs defined in this document may be
used during initial full EAP authentication to provide implicit bootstrapping
(section 5.1 of [RFC5296]) as described below.

In this scenario, the ERP key material is derived and cached regardless of
whether the peer supports or intends to use ERP. This may lead to scalability
and other issues. Implementors may provide other ways to select which sessions
should use implicit bootstrapping.

In the first round of the full EAP exchange, the ER server adds the
ERP-RK-Request AVP to the DER message.
If the home EAP server supports ERP extensions, it caches this request and
continues the normal EAP authentication until completion. Otherwise, the
optional AVP is simply ignored.
When the authentication is successful and the EMSK is generated, the home EAP
server derives the rRK or rDSRK as requested, and adds this material to the
last DEA in the ERP-RK-Answer AVP defined in this document. The server may
check that the ER server that requested the material is in the Route-Record
list of the last DER, but this is not mandatory.

When the ER server collocated with the EAP proxy receives the DEA containing
the ERP-RK-Answer AVP, it extracts this AVP and saves the rRK or rDSRK material
for later use.

                          EAP Proxy /
Authenticator              ER server               Home EAP server
=============             ===========              ===============
       ------------------------->
         Diameter EAP/DER
         (EAP-Response)
                                 ------------------------->
                                   Diameter EAP/DER
                                   (EAP-Response)
                                   (ERP-RK-Request)

       <==================================================>
          Multi-round Diameter EAP exchanges, unmodified

                                 <-------------------------
                                   Diameter EAP/DEA
                                   (EAP-Success)
                                   (MSK)
                                   (ERP-RK-Answer)
       <-------------------------
         Diameter EAP/DEA
         (EAP-Success)
         (MSK)

Figure 4. Implicit ERP bootstrapping during full EAP authentication.



*Scenario 3: Case of MIP6*

{TODO: study this case?}



*Scenario 4: Other possibilities*

{In case an implementation-specific solution is retained, list here the
constraints?}



*Commands and AVPs*

This document does not define a new command. It reuses the Diameter-EAP-Request
and Diameter-EAP-Answer as defined in [RFC4072]. It is also compatible with
extensions defined in [draft-ietf-dime-mip6-split-16].

Command-Name          Abbrev.  Code  Reference  Application
-----------------------------------------------------------
Diameter-EAP-Request  DER      268   RFC 4072   Diameter ERP
Diameter-EAP-Answer   DEA      268   RFC 4072   Diameter ERP

Figure 5: Command Codes

The following new AVPs are defined in this document.



*ERP-RK-Request AVP*

The ERP-RK-Request AVP (AVP Code TBD) is of type Grouped. It is used by the
ER server to request root key material used in ERP.

This AVP has the M and V bits cleared.

ERP-RK-Request ::= < AVP Header: TBD >
                   { ERP-Realm }
                 * [ AVP ]



*ERP-Realm AVP*

The ERP-Realm AVP (AVP Code TBD) is of type {DiameterIdentity? OctetString?}.
It contains the name of the realm in which the ER server is located.
{FFS: We may re-use Origin-Realm here instead?}



*ERP-RK-Answer AVP*

The ERP-RK-Answer AVP (AVP Code TBD) is of type Grouped. It is used by the
home EAP server to provide ERP root key material to the ER server.

This AVP has the M and V bits cleared.

ERP-RK-Answer ::= < AVP Header: TBD >
                  { ERP-RK }
                  { ERP-RK-Name }
                  { ERP-RK-Lifetime }
                * [ AVP ]



*ERP-RK AVP*

The ERP-RK AVP (AVP Code TBD) is of type OctetString. It contains the root key
(either rRK or rDSRK) to be used for ERP with the peer to which this session
belongs. How this material is derived and used is specified in [RFC5296].



*ERP-RK-Name AVP*

The ERP-RK-Name AVP (AVP Code TBD) is of type OctetString. This AVP contains
the EMSKname which identifies the keying material. How this name is derived is
beyond the scope of this document and is defined in [RFC5296].



*ERP-RK-Lifetime AVP*

The ERP-RK-Lifetime AVP (AVP Code TBD) is of type {Unsigned64? 32?} and
contains the root key material lifetime in seconds.

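Added example, not part of the draft: a minimal Diameter AVP encoder and
decoder following the RFC 3588 section 4.1 header layout (code, flags, 24-bit
length, data padded to 4 octets), used to build and parse the ERP-RK-Request
and ERP-RK-Answer grouped AVPs defined above, together with the optional
Route-Record check that Scenario 2 gives the home EAP server and an ER server
key cache bounded by ERP-RK-Lifetime. All AVP codes below are placeholders
(the draft says TBD); ERP-Realm is encoded as a UTF-8 OctetString and
ERP-RK-Lifetime as Unsigned32, two choices the draft leaves open; and the rule
used to match ERP-Realm against Route-Record identities is an assumption.

```python
import struct
import time

# Placeholder AVP codes: every code is TBD in the draft (assumption).
AVP_ERP_RK_REQUEST, AVP_ERP_REALM = 9001, 9002
AVP_ERP_RK_ANSWER, AVP_ERP_RK = 9003, 9004
AVP_ERP_RK_NAME, AVP_ERP_RK_LIFETIME = 9005, 9006
FLAG_V, FLAG_M = 0x80, 0x40  # RFC 3588 AVP flag bits: vendor-specific, mandatory


def encode_avp(code, data, flags=0):
    """One AVP per RFC 3588 4.1: code(4) flags(1) length(3) data, padded to a
    4-octet boundary; length covers header and data, not padding. V and M
    default to cleared as the draft requires, so there is no Vendor-ID field."""
    length = 8 + len(data)
    header = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)


def decode_avps(buf):
    """Decode a run of AVPs into [(code, flags, data), ...]; truncated,
    malformed or vendor-specific AVPs (none are expected here) raise."""
    out, pos = [], 0
    while pos < len(buf):
        length = int.from_bytes(buf[pos + 5:pos + 8], "big") if pos + 8 <= len(buf) else 0
        if length < 8 or pos + length > len(buf):
            raise ValueError("truncated or malformed AVP")
        code, flags = struct.unpack_from("!IB", buf, pos)
        if flags & FLAG_V:
            raise ValueError("unexpected vendor-specific AVP")
        out.append((code, flags, bytes(buf[pos + 8:pos + length])))
        pos += length + (-length % 4)   # skip the padding too
    return out


def grouped(body):
    """Members of a grouped AVP payload as {code: data}."""
    return {code: data for code, _, data in decode_avps(body)}


def build_erp_rk_request(er_realm):
    """ERP-RK-Request ::= < AVP Header > { ERP-Realm }; realm sent as UTF-8."""
    return encode_avp(AVP_ERP_RK_REQUEST,
                      encode_avp(AVP_ERP_REALM, er_realm.encode()))


def build_erp_rk_answer(rk, rk_name, lifetime_s):
    """ERP-RK-Answer ::= < AVP Header > { ERP-RK } { ERP-RK-Name }
    { ERP-RK-Lifetime }; lifetime encoded as Unsigned32 seconds."""
    body = (encode_avp(AVP_ERP_RK, rk) + encode_avp(AVP_ERP_RK_NAME, rk_name)
            + encode_avp(AVP_ERP_RK_LIFETIME, struct.pack("!I", lifetime_s)))
    return encode_avp(AVP_ERP_RK_ANSWER, body)


def parse_erp_rk_answer(buf):
    """Return {'rk', 'name', 'lifetime'} from exactly one ERP-RK-Answer AVP."""
    (code, flags, body), = decode_avps(buf)
    if code != AVP_ERP_RK_ANSWER or flags & FLAG_M:
        raise ValueError("not an ERP-RK-Answer AVP with M cleared")
    f = grouped(body)
    return {"rk": f[AVP_ERP_RK], "name": f[AVP_ERP_RK_NAME],
            "lifetime": struct.unpack("!I", f[AVP_ERP_RK_LIFETIME])[0]}


def home_server_accepts_request(request_avp, route_record, home_realm):
    """Home EAP server, Scenario 2: honour an ERP-RK-Request only if a node of
    the requested realm appears in the DER's Route-Record list, then pick rRK
    for the home realm and rDSRK otherwise. Returns (realm, key type) or None.
    Assumed matching rule: a Route-Record identity belongs to a realm when it
    equals the realm or is a host beneath it."""
    (code, _, body), = decode_avps(request_avp)
    if code != AVP_ERP_RK_REQUEST:
        return None
    realm = grouped(body)[AVP_ERP_REALM].decode()
    if not any(h == realm or h.endswith("." + realm) for h in route_record):
        return None
    return realm, ("rRK" if realm == home_realm else "rDSRK")


class ErKeyStore:
    """ER server cache keyed by EMSKname; an entry stops being served once the
    ERP-RK-Lifetime received with it has elapsed."""
    def __init__(self, now=time.time):
        self._now, self._keys = now, {}

    def store_from_answer(self, answer_avp):
        a = parse_erp_rk_answer(answer_avp)
        self._keys[a["name"]] = (a["rk"], self._now() + a["lifetime"])
        return a["name"]

    def lookup(self, name):
        entry = self._keys.get(name)
        if entry is None:
            return None
        rk, expires_at = entry
        if self._now() >= expires_at:
            del self._keys[name]  # expired: forget it; the peer must re-bootstrap
            return None
        return rk
```

The decoder checks the 24-bit length against the buffer before reading any
field, so a truncated or oversized AVP is rejected rather than read past the
end of the message; the key store takes an injectable clock so the lifetime
expiry can be exercised without waiting.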


*Pending question on accounting and sessions.*

During initial full EAP authentication, the identity of the peer is used to
create the Session-Id AVP, which is then used during accounting.
When the peer attaches to a new authenticator and performs ERP, its identity is
not disclosed to the authenticator. Instead, the peer presents the Keyname-NAI.
This identifier contains the EMSKName as user part.

The new authenticator will therefore derive the new Session-Id from this
EMSKName and use it for accounting purposes.

Although the home EAP server is able to link EMSKName with the peer's identity,
the other Diameter entities do not have this mapping. In particular, the realm
part of Keyname-NAI is the visited network. How does the authenticator figure
out that the accounting records must be sent to the home domain of the peer?

It is possible to cache the necessary information at the ER server level. Is it
useful to specify this mechanism in this document?



