annotate HOKEY/drafts/draft-ietf-hokey-arch-design.xml @ 61:c9fdb3e03342

Added a recent source
author Sebastien Decugis <sdecugis@nict.go.jp>
date Fri, 05 Nov 2010 14:21:19 +0900
1 <?xml version="1.0" encoding="UTF-8"?>
2 <?xml-stylesheet type='text/xsl'
3 href='http://xml.resource.org/authoring/rfc2629.xslt' ?>
<!-- NOTE(review): every entity declared in this internal subset is an external entity whose system identifier is a plain http:// URL; a processor that resolves them pulls reference content over an unauthenticated channel. Building from a locally cached copy of the bibxml references, and leaving external-entity resolution off when parsing drafts from untrusted sources, avoids trusting that fetch. -->
4 <!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
5 <!ENTITY rfc2119 PUBLIC ""
6 "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
7 <!ENTITY rfc2828 PUBLIC ""
8 "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2828.xml">
9 <!ENTITY rfc2865 PUBLIC ""
10 "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2865.xml">
11 <!ENTITY rfc3588 PUBLIC ""
12 "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3588.xml">
13 <!ENTITY rfc3748 PUBLIC ""
14 "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3748.xml">
15 <!ENTITY rfc4306 PUBLIC ""
16 "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4306.xml">
17 <!ENTITY rfc4962 PUBLIC ""
18 "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4962.xml">
19 <!ENTITY rfc5169 PUBLIC ""
20 "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5169.xml">
21 <!ENTITY rfc5295 PUBLIC ""
22 "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5295.xml">
23 <!ENTITY rfc5296 PUBLIC ""
24 "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5296.xml">
25 <!ENTITY rfc5749 PUBLIC ""
26 "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5749.xml">
27 <!ENTITY rfc5836 PUBLIC ""
28 "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5836.xml">
29 <!ENTITY rfc5873 PUBLIC ""
30 "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5873.xml">
31 ]>
32 <?rfc toc="yes"?>
33 <?rfc symrefs="yes"?>
34 <?rfc compact="yes"?>
35 <?rfc subcompact="no"?>
36 <rfc category="info" docName="draft-ietf-hokey-arch-design-01"
37 ipr="trust200902">
38 <front>
39 <title abbrev="Architecture Design">Handover Keying (HOKEY) Architecture
40 Design</title>
41
42 <author fullname="Katrin Hoeper" initials="K." surname="Hoeper">
43 <organization abbrev="Motorola">Motorola, Inc.</organization>
44
45 <address>
46 <postal>
47 <street>1301 E. Algonquin Road</street>
48
49 <city>Schaumburg</city>
50
51 <region>IL</region>
52
53 <code>60196</code>
54
55 <country>USA</country>
56 </postal>
57
58 <email>khoeper@motorola.com</email>
59 </address>
60 </author>
61
62 <author fullname="Sebastien Decugis" initials="S." surname="Decugis">
63 <organization abbrev="NICT">NICT</organization>
64
65 <address>
66 <postal>
67 <street>4-2-1 Nukui-Kitamachi</street>
68
69 <city>Tokyo</city>
70
71 <region>Koganei</region>
72
73 <code>184-8795</code>
74
75 <country>Japan</country>
76 </postal>
77
78 <email>sdecugis@nict.go.jp</email>
79 </address>
80 </author>
81
82 <author fullname="Glen Zorn" initials="G." surname="Zorn">
83 <organization abbrev="Network Zen">Network Zen</organization>
84
85 <address>
86 <postal>
87 <street>1310 East Thomas Street</street>
88
89 <city>Seattle</city>
90
91 <region>Washington</region>
92
93 <code>98102</code>
94
95 <country>USA</country>
96 </postal>
97
98 <email>gwz@net-zen.net</email>
99 </address>
100 </author>
101
102 <author fullname="Qin Wu" initials="Q." surname="Wu">
103 <organization abbrev="Huawei">Huawei Technologies Co.,Ltd</organization>
104
105 <address>
106 <postal>
107 <street>Site B, Floor 12F, Huihong Mansion, No.91 Baixia
108 Rd.</street>
109
110 <city>Nanjing</city>
111
112 <region>JiangSu</region>
113
114 <code>210001</code>
115
116 <country>China</country>
117 </postal>
118
119 <phone>+86-25-84565892</phone>
120
121 <email>sunseawq@huawei.com</email>
122 </address>
123 </author>
124
125 <author fullname="Tom Taylor" initials="T." surname="Taylor">
126 <organization abbrev="Huawei">Huawei Technologies Co., Ltd</organization>
127
128 <address>
129 <postal>
130
131 <street></street>
132
133 <city>Ottawa </city>
134
135 <country>Canada</country>
136 </postal>
137
138 <email>tom111.taylor@bell.net </email>
139 </address>
140 </author>
141
142 <date year="2010" />
143
144 <workgroup>Network Working Group</workgroup>
145
146 <abstract>
147 <t>The Handover Keying (HOKEY) Working Group seeks to minimize handover delay
148 due to authentication when a peer moves from one point of attachment to another.
149 Work has progressed on two different approaches to reduce handover delay:
150 early authentication (so that authentication does not need to be performed
151 during handover), and reuse of cryptographic material generated during an
152 initial authentication to save time during re-authentication. A starting
153 assumption is that the mobile host or "peer" is initially authenticated using
154 the Extensible Authentication Protocol (EAP), executed between the peer and an
155 EAP server as defined in RFC 3748.</t>
156
157 <t>This document documents the HOKEY architecture. Specifically, it describes
158 design objectives, the functional environment within which handover keying
159 operates, the functions to be performed by the HOKEY architecture itself, and
160 the assignment of those functions to architectural components. It goes on to
161 illustrate the operation of the architecture within various deployment
162 scenarios that are described more fully in other
163 documents produced by the HOKEY Working Group. </t>
164 </abstract>
165 </front>
166
167 <middle>
168 <section title="Introduction">
169
170 <t>The Extensible Authentication Protocol (EAP) <xref
171 target="RFC3748"></xref> is an authentication framework that supports different
172 types of authentication methods. Originally designed for dial-up connections,
173 EAP is now commonly used for authentication in wireless access networks.</t>
174
175 <t>When a host (or "peer", the term used from this point onward) changes its
176 point of attachment to the network, it must be re-authenticated. If a full EAP
177 authentication must be repeated, several message round-trips between the peer
178 and the home EAP server may be involved. The resulting delay will result in
179 degradation or in the worst case loss of any service session in progress if
180 communication is suspended while re-authentication is carried out. The delay is
181 worse if the new point of attachment is in a visited network rather than the
182 peer's home network, because of the extra procedural steps involved as well as
183 because of the probable increase in round-trip time. </t>
184
185 <t><xref target="RFC5169"/> describes this problem more fully and establishes
186 design goals for solutions to reduce re-authentication delay for transfers
187 within a single administrative domain. <xref target="RFC5169"/> also suggests a
188 number of ways to achieve a solution:
189 <list style="symbols">
190 <t>specification of a method-independent, efficient, re-authentication
191 protocol;</t>
192
193 <t>reuse of keying material from the initial authentication;</t>
194
195 <t>deployment of re-authentication servers local to the peer to reduce
196 round-trip delay; and</t>
197
198 <t>specification of the additional protocol needed to allow the EAP
199 server to pass authentication information to the local re-authentication
200 servers.</t>
201 </list>
202 </t>
203 <t><xref target="RFC5295"/> tackles the problem of reuse of keying material
204 by specifying how to derive a hierarchy of cryptographically independent
205 purpose-specific keys from the results of the original EAP authentication.
206 <xref target="RFC5296"/> specifies a method-independent re-authentication
207 protocol (ERP) applicable to two specific deployment scenarios:
208 <list style="symbols">
209 <t>where the peer's home EAP server also performs re-authentication;
210 and</t>
211 <t>where a local re-authentication server exists but is collocated with a
212 AAA proxy within the domain.</t>
213 </list>
214 </t>
215
216 <t>Other work provides further pieces of the solution or insight
217 into the problem. For the purpose of this draft, <xref target="RFC5749"/> provides an abstract mechanism
218 for distribution of keying material from the EAP server to re-authentication servers. <xref target="RFC5836"/>
219 contrasts the EAP re-authentication (ER) strategy provided by <xref target="RFC5296"/> with an alternative strategy called "early authentication".
220 <xref target="RFC5836"></xref> defines EAP early
221 authentication as the use of EAP by a mobile peer to establish authenticated
222 keying material on a target attachment point prior to its arrival. Here, a full
223 EAP execution occurs before the handover of the peer takes place. Hence, the
224 goal of EAP early authentication is to complete all EAP-related communications,
225 including AAA signaling, in preparation for the handover, before the mobile
226 device actually moves. Early authentication includes direct and indirect pre-authentication as well as Authenticated Anticipatory Keying (AAK).
227 All three mechanisms provide means to execute a full EAP authentication with a Candidate Access Point (CAP) while still being connected to the Serving
228 Access Point (SAP) but vary in their
229 respective system assumptions and communication paths. In particular, direct pre-authentication assumes that clients are capable of discovering candidate
230 access points and all communications are routed through the serving access point. On the other hand, indirect pre-authentication assumes an
231 existing relationship between SAP and CAP, whereas in AAK the client interacts with the AAA to discover and connect to CAPs.</t>
232
233
234
235
236 <t>Both EAP re-authentication and early authentication enable faster
237 inter-authenticator handovers. However, it is currently unclear how the
238 necessary handover infrastructure is deployed and can be integrated into existing
239 EAP infrastructures. In particular, previous work has not described how ER
240 servers that act as endpoints in the re-authentication process should be integrated into local and home domain
241 networks. Furthermore, it is currently unspecified how EAP infrastructure can
242 support the timely triggering of early authentications and aid with the selection of candidate access points.</t>
243
244 <t>This document proposes a general HOKEY architecture and demonstrates
245 how it can be adapted to different deployment scenarios. To begin with, <xref
246 target="goals"/> recalls the design objectives for the HOKEY architecture. <xref
247 target="fncns"/> reviews the functions that must be supported within the
248 architecture. <xref target="compon"/> describes the components of the HOKEY
249 architecture. Finally, <xref target="scen"/> describes the different deployment
250 scenarios that the HOKEY Working Group has addressed and the information flows
251 that must occur within those scenarios, by reference to the documents
252 summarized above where possible and otherwise within this document itself.</t>
253
254 </section><!-- Introduction -->
255
256 <section anchor="terms" title="Terminology">
257
258 <t>This document contains no normative language, hence
259 <xref target="RFC2119"/> language does not apply.</t>
260
261 <t>This document reuses most of the terms defined in Section 2.2 of
262 <xref target="RFC5836"/>. In addition, it defines the following:
263
264 <list style="hanging">
265 <t hangText="EAP Early Authentication"><vspace blankLines="0" />
266 The use of EAP by a mobile peer to establish authenticated keying material on a target attachment point prior to its arrival,
267 see <xref target="RFC5836"></xref>.
268 </t>
269
270 <t hangText="EAP Re-authentication (ER)"><vspace blankLines="0" />
271 The use of keying material derived from an initial EAP authentication
272 to enable single-roundtrip re-authentication of a mobile peer. For a
273 detailed description of the keying material see Section 3 of
274 <xref target="RFC5296"/>.
275 </t>
276
277 <t hangText="ER Server"><vspace blankLines="0" />
278 A component of the HOKEY architecture that terminates the EAP
279 re-authentication exchange with the peer.
280 </t>
281
282 <t hangText="ER Key Management"><vspace blankLines="0" />
283 An instantiation of the mechanism provided by <xref target="RFC5749"/> for
284 creating and delivering root keys from an EAP server to an ER server.
285 </t>
286
287 </list>
288 </t>
289 </section>
290
291 <section anchor="goals" title="Design Goals">
292
293 <t>This section investigates the design goals for the HOKEY
294 architecture. These include reducing the signaling overhead for
295 re-authentication and early authentication, integrating local domain name
296 discovery,
297 and improving deployment scalability.
298 These goals supplement the discussion in <xref target="RFC5169"/>.</t>
299
300 <section anchor="sigOvhd" title="Reducing Signalling Overhead">
301
302 <section title="Minimized Communications with Home Servers">
303
304 <t>ERP requires only one round trip; however, this round trip may
305 require communications between a peer and its home ER and/or home AAA server
306 even if the peer is currently attached to a visited (local) network. As a
307 result, even this one round trip may introduce long delays because home ER and
308 home AAA servers may be distant from the peer. To lower the signaling overhead,
309 communication with the home ER server and home AAA server should be minimized.
310 Ideally, a peer should only need to communicate with local servers and other
311 local entities.</t>
312
313 </section>
314
315 <section title="Integrated Local Domain Name (LDN) Discovery">
316
317 <t> ERP bootstrapping must occur before (implicit) or during (explicit) a
318 handover to transport the necessary re-authentication root keys to the local ER
319 server involved. Implicit bootstrapping is preferable because it does not
320 require communication with the home ER server during handover (see previous
321 section), but it requires the peer to know the domain name of the ER server in
322 order to derive the necessary re-authentication keying material. <xref
323 target="RFC5296"></xref> does not specify such a domain name discovery
324 mechanism and suggests that the peer may learn the domain name through the
325 EAP-Initiate/Re-auth-Start message or via lower layer announcements. To allow more
326 efficient handovers, a HOKEY architecture should support an efficient domain
327 name discovery mechanism and allow its integration with ERP implicit
328 bootstrapping. Even in the case of explicit bootstrapping, local domain name
329 discovery should be optimized such that it does not require contacting the home
330 AAA server, as is currently the case.</t>
331
332 </section>
333
334 </section><!-- sigOvhd -->
335
336 <section title="Better Deployment Scalability">
337
338 <t>To provide better deployment scalability, it should not be required
339 that the HOKEY server and AAA servers or proxies are collocated. Separation of
340 these entities may cause problems with routing, but allows flexibility in
341 deployment and implementation.</t>
342
343 </section>
344
345 </section>
346
347 <section anchor="fncns" title="Functions That Must Be Supported">
348 <section title="System Overview">
349
350 <t>This section views the HOKEY architecture as the implementation of a
351 subsystem providing authentication services to AAA. Not only does AAA depend on
352 the authentication subsystem, but the latter also depends on AAA as a means for
353 the routing and secure transport of messages internal to the operation of
354 network access authentication.</t>
355
356 <t>The operation of the authentication subsystem also depends on the
357 availability of a number of discovery functions:
358 <list style="symbols">
359 <t>discovery of candidate access points, by the peer, by the serving attachment
360 point, or by some other entity;</t>
361 <t>discovery of the authentication services supported at a given candidate
362 access
363 point;</t>
364 <t>discovery of the required server in the home domain when a candidate
365 access point is not in the same domain as the serving attachment point, or
366 no local server is available;</t>
367 <t>peer discovery of the local domain name (LDN) when EAP re-authentication
368 is used with a local server. </t>
369 </list>
370 It is assumed that
371 these functions are provided by the environment within which the
372 authentication subsystem operates, and are outside the scope of the
373 authentication subsystem itself. Local domain name discovery is
374 a possible exception. </t>
375
376 <t><xref target="fig_fctlOver"/> shows the major functions comprising
377 the authentication subsystem and their interdependencies. These functions
378 are described below.
379 [EDITOR'S NOTE: These probably need refinement. The relationship
380 of pre-authentication to EAP authentication, for instance, is
381 currently not totally correct, when one takes account of the
382 roles described in <xref target="compon"/>. AAK also needs
383 an extension of ER key management.]</t>
384
385 <figure anchor="fig_fctlOver" title="Authentication Subsystem
386 Functional Overview">
387 <artwork>
388 +------------------------------------------------------------+
389 | AAA Network Access Authentication and Authorization |
390 +---+-------------.----------------------------+-------------+
391 | /|\ |
392 | | Authentication subsystem |
393 +===|=============|============================|=============+
394 | | +---------+----------+ +-------------V---------+ |
395 | | | Direct and | | EAP Re-authentication | |
396 | | | Indirect | +--+------+-------------+ |
397 | | | Pre-Authentication | / / |
398 | | +--------------------+ / / |
399 | | / / +---------------+ |
400 | | / | | Authenticated | |
401 | | / | | Anticipatory | |
402 | | / | | Keying (AAK) | |
403 | | / | +-------+-------+ |
404 | | / | | |
405 | +-V------------------+ / +---------V----------V--------+ |
406 | | EAP Authentication | | | ER Key Management | |
407 | +---------+----------+ | |+------------+ +------------+| |
408 | | | ||Handover Key| |Handover Key|| |
409 | | | || Derivation | |Distribution|| |
410 | | | |+------------+ +------+-----+| |
411 | | | +----------------------|------+ |
412 +===========|=============|=========================|========+
413 | | |
414 +-----------V-------------V-------------------------V--------+
415 | AAA routing and secure transport |
416 +------------------------------------------------------------+
417 </artwork>
418 <postamble>Arrows show the direction of functional dependency.</postamble>
419 </figure>
420
421 <t><xref target="fig_fctlOver"/> shows the following dependencies:
422 <list style="symbols">
423 <t>When AAA is invoked to authenticate and authorize network access, it uses one
424 of two services offered by the authentication subsystem: full EAP
425 authentication, or EAP re-authentication.</t>
426
427 <t>Pre-authentication triggers AAA network access authentication and
428 authorization at each candidate access point, which in turn causes full EAP
429 authentication to be invoked. </t>
430
431 <t> EAP re-authentication invokes ER key management at the time of
432 authentication to create and distribute keying material to ER servers.</t>
433
434 <t>Authenticated anticipatory keying (AAK) relies on ER key management to
435 establish keying material on ER/AAK servers, but uses an extension
436 to ER key management to derive and establish keying material on
437 candidate authenticators.</t>
438 </list>
439 </t>
440
441 <t>EAP authentication, EAP re-authentication, and handover key distribution
442 depend on the routing and secure transport service
443 provided by AAA. Discovery functions and the function of authentication and
444 authorization of network entities (access points, ER servers)
445 are not shown. As stated above, these are external to the authentication
446 subsystem.</t>
447
448 </section><!-- System Overview -->
449
450 <section anchor="preauth" title="Pre-Authentication Function (Direct or
451 Indirect)">
452
453 <t>The pre-authentication function is responsible for discovery of candidate
454 access points and completion of network access authentication and
455 authorization at each candidate access point in advance of handover. The operation of this function
456 is described in general terms in <xref target="RFC5836"/>. No document is
457 yet available to describe the implementation of pre-authentication
458 in terms of specific protocols. <xref target="RFC5873"/>
459 could be part of the solution, but is Experimental rather
460 than Standards Track.</t>
461
462 </section><!-- preauth -->
463
464 <section anchor="reauth" title="EAP Re-authentication Function">
465
466 <t>The EAP re-authentication function is responsible for authenticating
467 the peer at a specific access point using keying material
468 derived from a prior full EAP authentication. <xref target="RFC5169"/>
469 provides the design objectives for an implementation of this function.
470 <xref target="RFC5296"/> describes a protocol to implement EAP
471 re-authentication subject to the architectural restrictions noted
472 above. Work is in progress to relax those restrictions.</t>
473
474 </section><!-- reauth -->
475
476 <section anchor="EAPauthen" title="EAP Authentication Function">
477
478 <t>The EAP authentication function is responsible for authenticating
479 the peer at a specific access point using a full EAP exchange.
480 <xref target="RFC3748"/> defines the associated protocol.
481 <xref target="RFC5836"/> shows the use of EAP as part of
482 pre-authentication. Note that the HOKEY Working Group has not specified
483 the non-AAA protocol required
484 to transport EAP frames over IP that is shown in Figures 3 and 5
485 of <xref target="RFC5836"/>, although <xref target="RFC5873"/>
486 is a candidate.
487 </t>
488
489 </section><!-- EAPauthen -->
490
491 <section anchor="AAKfcn" title="Authenticated Anticipatory Keying (AAK)
492 Function">
493
494 <t>The authenticated anticipatory keying function is responsible for
495 pre-placing keying material derived from an initial full EAP authentication
496 on candidate access points. The operation is carried out in two steps:
497 ER key management (with trigger not currently specified) places root
498 keys derived from initial EAP authentication onto an ER/AAK server
499 associated with the peer. When requested by the peer, the ER/AAK server
500 derives and pushes predefined master session keys to a list of
501 candidate access points. The operation
502 of the authenticated anticipatory keying function is described in very
503 general terms in <xref target="RFC5836"/>.
504 A protocol implementation is being specified
505 in <xref target="I-D.ietf-hokey-erp-aak"/>.</t>
506
507 </section><!-- AAKfcn -->
508
509 <section anchor="keyMgmt" title="EAP-Based Handover Key Management">
510
511 <t>EAP-based handover key management consists of EAP method
512 independent key derivation and distribution and comprises the following
513 specific functions:
514 <list style="symbols">
515 <t>handover key derivation; and</t>
516 <t>handover key distribution.</t>
517 </list>
518 The derivation of handover keys is specified in <xref
519 target="RFC5295"></xref>, and key distribution is specified in <xref
520 target="RFC5749"></xref>.</t>
521
522 </section><!-- keyMgmt -->
523
524 </section><!-- fncns -->
525
526 <section anchor="compon" title="Components of the HOKEY Architecture">
527
528 <t>This section describes the components of the HOKEY architecture, in terms
529 of the functions they perform. The components cooperate as described in
530 this section to carry out the functions described in the previous section.
531 <xref target="scen"/> describes the different
532 deployment scenarios that are possible using these functions.</t>
533
534 <t>The components of the HOKEY architecture are as follows:
535 <list style="symbols">
536 <t>the peer;</t>
537 <t>the authenticator, which is a part of the serving access point
538 and candidate access points;</t>
539 <t>the EAP server; and</t>
540 <t>the ER server, either in the home domain or local to the
541 authenticator.</t>
542 </list>
543 [EDITOR'S NOTE: probably have to add the ER/AAK server named
544 in <xref target="I-D.ietf-hokey-erp-aak"/> to this list.]
545 </t>
546
547 <section anchor="peerFnc" title="Functions of the Peer">
548
549 <t>The peer participates in the functions described in <xref target="fncns"/>
550 as shown in <xref target="tab_peerFnc"/>.</t>
551
552 <texttable anchor="tab_peerFnc" title="Functions of the Peer">
553 <ttcol>Function</ttcol>
554 <ttcol>Peer Role</ttcol>
555
556 <c>EAP authentication</c>
557 <c>Determines that full EAP authentication is needed based on context
558 (e.g., initial authentication), prompting from the authenticator, or
559 discovery that only EAP authentication is supported. Participates
560 in the EAP exchange with the EAP server.</c>
561 <c>-</c>
562 <c>-</c>
563
564 <c>Direct pre-authentication</c>
565 <c>Discovers candidate access points. Initiates pre-authentication
566 with each, followed by EAP authentication as above, but using IP
567 rather than L2 transport for the EAP frames.</c>
568 <c>-</c>
569 <c>-</c>
570
571 <c>Indirect pre-authentication</c>
572 <c>Enters into a full EAP exchange when triggered, using either L2
573 or L3 transport for the frames. </c>
574 <c>-</c>
575 <c>-</c>
576
577 <c>EAP re-authentication</c>
578 <c>Determines that EAP re-authentication is possible based on
579 discovery or authenticator prompting. Discovers ER server.
580 Participates in ERP exchange with ER server.</c>
581 <c>-</c>
582 <c>-</c>
583
584 <c>Authenticated anticipatory keying</c>
585 <c>Determines that AAK is possible based on discovery or
586 serving authenticator prompting. Discovers candidate access points.
587 Sends request to serving authenticator to distribute keying
588 material to the candidate access points.
589 </c>
590 <c>-</c>
591 <c>-</c>
592
593 <c>ER key management</c>
594 <c>No role.</c>
595 </texttable>
596
597
598 </section><!-- peerFnc -->
599
600 <section anchor="saFnc" title="Functions of the Serving Authenticator">
601
602 <t>The serving authenticator participates in the functions described
603 in <xref target="fncns"/>
604 as shown in <xref target="tab_saFnc"/>.</t>
605
606 <texttable anchor="tab_saFnc" title="Functions of the Serving Authenticator">
607 <ttcol>Function</ttcol>
608 <ttcol>Serving Authenticator Role</ttcol>
609
610 <c>EAP authentication</c>
611 <c>No role. </c>
612 <c>-</c>
613 <c>-</c>
614
615 <c>Direct pre-authentication</c>
616 <c>No role.</c>
617 <c>-</c>
618 <c>-</c>
619
620 <c>Indirect pre-authentication</c>
621 <c>Discovers candidate access points. Initiates an EAP exchange
622 between the peer and the EAP server through each candidate
623 authenticator. Mediates between L2 transport of EAP frames on the peer
624 side and a non-AAA protocol over IP toward the candidate access point.</c>
625 <c>-</c>
626 <c>-</c>
627
628 <c>EAP re-authentication</c>
629 <c>No role.</c>
630 <c>-</c>
631 <c>-</c>
632
633 <c>Authenticated anticipatory keying</c>
634 <c>Mediates between L2 transport of AAK frames on the peer side
635 and AAA transport toward the ER/AAK server.</c>
636 <c>-</c>
637 <c>-</c>
638
639 <c>ER key management</c>
640 <c>No role.</c>
641 </texttable>
642
643 </section><!-- saFnc -->
644
645 <section anchor="caFnc" title="Functions of the Candidate Authenticator">
646
647 <t>The candidate authenticator participates in the functions described
648 in <xref target="fncns"/>
649 as shown in <xref target="tab_caFnc"/>.</t>
650
651 <texttable anchor="tab_caFnc" title="Functions of the Candidate Authenticator">
652 <ttcol>Function</ttcol>
653 <ttcol>Candidate Authenticator Role</ttcol>
654
655 <c>EAP authentication</c>
656 <c>Invokes AAA network access authentication and authorization
657 upon handover/initial attachment.
658 Mediates between L2 transport of EAP frames on the peer link and AAA
659 transport toward the EAP server.</c>
660 <c>-</c>
661 <c>-</c>
662
663 <c>Direct pre-authentication</c>
664 <c>Invokes AAA network access authentication and authorization
665 when the peer initiates authentication.
666 Mediates between non-AAA L3 transport of EAP frames on the peer side and AAA
667 transport toward the EAP server. </c>
668 <c>-</c>
669 <c>-</c>
670
671 <c>Indirect pre-authentication</c>
672 <c>Same as direct pre-authentication, except that it communicates with
673 the serving authenticator rather than the peer.</c>
674 <c>-</c>
675 <c>-</c>
676
677 <c>EAP re-authentication</c>
678 <c>Invokes AAA network access authentication and authorization upon handover.
679 Discovers or is configured with the address of the ER server.
680 Mediates between L2 transport of ERP frames on the peer side
681 and AAA transport toward the ER server.</c>
682 <c>-</c>
683 <c>-</c>
684
685 <c>Authenticated anticipatory keying</c>
686 <c>Receives and saves pMSK.</c>
687 <c>-</c>
688 <c>-</c>
689
690 <c>ER key management</c>
691 <c>No role.</c>
692 </texttable>
693
694 </section><!-- caFnc -->
695
696 <section anchor="EAPsrvFnc" title="Functions of the EAP Server">
697
698 <t>The EAP server participates in the functions described in
699 <xref target="fncns"/>
700 as shown in <xref target="tab_EAPsrvFnc"/>.</t>
701
702 <texttable anchor="tab_EAPsrvFnc" title="Functions of the EAP Server">
703 <ttcol>Function</ttcol>
704 <ttcol>EAP Server Role</ttcol>
705
706 <c>EAP authentication</c>
707 <c>Authenticates and authorizes the candidate access point to act as
708 authenticator.
709 Terminates EAP signalling between it and the peer via the candidate
710 authenticator. Determines whether
711 network access authentication succeeds or fails. Provides MSK
712 to authenticator.</c>
713 <c>-</c>
714 <c>-</c>
715
716 <c>Direct pre-authentication</c>
717 <c>As for EAP authentication.</c>
718 <c>-</c>
719 <c>-</c>
720
721 <c>Indirect pre-authentication</c>
722 <c>As for EAP authentication.</c>
723 <c>-</c>
724 <c>-</c>
725
726 <c>EAP re-authentication</c>
727 <c>Mutually authenticates with the ER server and authorizes it for
728 receiving keying material. Provides rRK or DSrRK to the ER server.</c>
729 <c>-</c>
730 <c>-</c>
731
732 <c>Authenticated anticipatory keying</c>
733 <c>As for EAP re-authentication.</c>
734 <c>-</c>
735 <c>-</c>
736
737 <c>ER key management</c>
738 <c>Creates rRK or DSrRK and distributes it to the ER server requesting the
739 information.</c>
740 </texttable>
741
742 </section><!-- EAPsrvFnc -->
743
744 <section anchor="ERsrvFnc" title="Functions of the ER Server">
745
746 <t>The ER server participates in the functions described in
747 <xref target="fncns"/>
748 as shown in <xref target="tab_ERsrvFnc"/>. [EDITOR'S NOTE: Need discussion of
749 respective roles of local and home ER server, or whether there should even be
750 such a distinction.]</t>
751
752 <texttable anchor="tab_ERsrvFnc" title="Functions of the ER Server">
753 <ttcol>Function</ttcol>
754 <ttcol>ER Server Role</ttcol>
755
756 <c>EAP authentication</c>
757 <c>No role.</c>
758 <c>-</c>
759 <c>-</c>
760
761 <c>Direct pre-authentication</c>
762 <c>No role.</c>
763 <c>-</c>
764 <c>-</c>
765
766 <c>Indirect pre-authentication</c>
767 <c>No role.</c>
768 <c>-</c>
769 <c>-</c>
770
771 <c>EAP re-authentication</c>
772 <c>Authenticates and authorizes the candidate access point to act as
773 authenticator. Authenticates itself to the EAP server and acquires
774 rRK or DSrRK as applicable when necessary.
775 Terminates ERP signalling between it and the peer via the candidate
776 authenticator. Determines whether
777 network access authentication succeeds or fails. Provides MSK
778 to authenticator.</c>
779 <c>-</c>
780 <c>-</c>
781
782 <c>Authenticated anticipatory keying</c>
783 <c>Authenticates itself to the EAP server and acquires
784 rRK or DSrRK as applicable when necessary. Authenticates and authorizes
785 the candidate access points to act as authenticator. Derives pMSKs and
786 passes them to the candidate access points.</c>
787 <c>-</c>
788 <c>-</c>
789
790 <c>ER key management</c>
791 <c>Receives and saves rRK or DSrRK as applicable.</c>
792 </texttable>
793
794 </section><!-- ERsrvFnc -->
795
796 </section><!-- compon -->
797
798
799 <section anchor="scen" title="Deployment Scenarios">
800
801 <t>The necessity for this section and its contents are TBD.</t>
802
803 </section><!-- scen -->
804
805
806 <section title="AAA Consideration">
807 <section title="Standalone HOKEY server">
808 <t>TBD.</t>
809 </section>
810 </section>
811
812 <section title="Security Considerations">
813 <t>TBD</t>
814 </section>
815
816 <section title="IANA Considerations">
817 <t>This document has no actions for IANA.</t>
818 </section>
819
820 <section title="Acknowledgments">
821 <t>The authors would like to thank Mark Jones and Zhen Cao
822 for their reviews of previous versions of this draft.</t>
823 </section>
824 </middle>
825
826 <back>
827 <references title="Informative References">
828 &rfc2119;
829 &rfc3748;
830 &rfc5169;
831 &rfc5295;
832 &rfc5296;
833 &rfc5749;
834 &rfc5836;
835 &rfc5873;
836
837 <reference anchor="I-D.ietf-hokey-erp-aak">
838 <front>
839 <title>EAP Re-authentication Protocol Extensions for Authenticated Anticipatory
840 Keying (ERP/AAK)</title>
841 <author fullname="Zhen Cao" initials="Z." surname="Cao">
842 <organization>China Mobile
843 </organization>
844 </author>
845 <author fullname="Hui Deng" initials="H." surname="Deng">
846 <organization>China Mobile
847 </organization>
848 </author>
849 <author fullname="Yungui Wang" initials="Y." surname="Wang">
850 <organization>Huawei Technologies</organization>
851 </author>
852 <author fullname="Qin Wu" initials="Q." surname="Wu">
853 <organization>Huawei Technologies</organization>
854 </author>
855 <author fullname="Glen Zorn" initials="G." surname="Zorn">
856 <organization>Network Zen</organization>
857 </author>
858 <date month="May" year="2010" />
859 </front><seriesInfo name="Internet Draft" value="draft-ietf-hokey-erp-aak-02" />
860
861 </reference>
862
863
864 </references>
865
866 </back>
867 </rfc>