# HG changeset patch # User Sebastien Decugis # Date 1251450057 -32400 # Node ID 45f0d51961cfcf197fc8e59690318947f1cb4b66 # Parent a22fb485486b4ee0c7c0fccc85f778731e2da4b4 Cleanup text when comments are not rendered. diff -r a22fb485486b -r 45f0d51961cf draft-ietf-dime-erp-01.xml --- a/draft-ietf-dime-erp-01.xml Fri Aug 28 17:53:44 2009 +0900 +++ b/draft-ietf-dime-erp-01.xml Fri Aug 28 18:00:57 2009 +0900 @@ -243,7 +243,7 @@ We consider at most one logical ER server entity in a domain. If several physical servers are deployed for robustness, a replication - mechanism must be deployed to synchronize the ERP states (root keys, + mechanism must be deployed to synchronize the ERP states (root keys FFS: authorization attributes ) between these servers. This replication mechanism is out of the scope of this document. If several ER servers are deployed in the domain, we assume that they can be used @@ -273,7 +273,7 @@ When the peer initiates an ERP exchange, the authenticator creates a Diameter-EAP-Request message, as described in Diameter EAP application . The Application Id of the message is set - to Diameter ERP application (code: TBD IANA) in the + to Diameter ERP application (code: TBD TBD IANA) in the message. The exact processing to generate the ERP/DER message is detailed in section . @@ -446,8 +446,10 @@ message, and do the following processing in addition to standard proxy operations: Change the Application Id in the header of the message to - Diameter EAP Application (code 5). What about the - Application-Auth-Id AVP? + Diameter EAP Application (code 5). + + Change the content of Application-Auth-Id accordingly. Is + it better to leave it unmodified? Add the ERP-RK-Request AVP, which contains the name of the domain where the ER server is located. @@ -470,7 +472,7 @@ The ER server receives this EAP/DEA and proxies it as follow, in addition to standard proxy operations: - Set the Application Id back to Diameter ERP (code TBD + Set the Application Id back to Diameter ERP (code TBDTBD IANA) Extract and cache the content of the ERP-RK-Answer. And @@ -552,7 +554,7 @@ regards to the EAP state machine. It creates a Diameter EAP Request message following the general process of Diameter EAP, with the following differences: - The Application Id in the header is set to Diameter ERP (code + The Application Id in the header is set to Diameter ERP (code TBD TBD IANA). The value in Auth-Application-Id AVP is also set to Diameter ERP @@ -564,10 +566,10 @@ FFS: What about Session-ID AVP -- in case of re-auth at the same place, and in case of handover? - The Auth-Request-Type AVP content is set to FFS -- Do we - really do authorization with Diameter ERP ? -- need to pass the - authorization attrs to the ER server in that case. Idea FFS: we do - authorization only for explicit bootstrapping + The Auth-Request-Type AVP content is set to [Editor's note: + FFS]Do we really do authorization with Diameter ERP ? -- need + to pass the authorization attrs to the ER server in that case. Idea + FFS: we do authorization only for explicit bootstrapping exchanges.... The EAP-Payload AVP contains the ERP message, @@ -580,7 +582,7 @@ ERP/DEA, following the general processing described in , with the following differences: The Application Id in the header is set to Diameter ERP (code - TBD IANA). + TBDTBD IANA). The value in Auth-Application-Id AVP is also set to Diameter ERP Application. @@ -610,7 +612,7 @@
We define a new Diameter application in this document, Diameter ERP - Application, with an Application Id value of TBD IANA. + Application, with an Application Id value of TBDTBD IANA. Diameter nodes conforming to this specification in the role of ER server MUST advertise support by including an Auth-Application-Id AVP with a value of Diameter ERP Application in the of the @@ -630,8 +632,8 @@ item
- The ERP-RK-Request AVP (AVP Code TBD IANA) is of type - grouped AVP. This AVP is used by the ER server to indicate its + The ERP-RK-Request AVP (AVP Code TBDTBD IANA) is of + type grouped AVP. This AVP is used by the ER server to indicate its willingness to act as ER server for a particular session. This AVP has the M and V bits cleared. @@ -646,7 +648,7 @@
- The ERP-Realm AVP (AVP Code TBD IANA) is of type + The ERP-Realm AVP (AVP Code TBDTBD IANA) is of type DiameterIdentity. It contains the name of the realm in which the ER server is located. @@ -658,9 +660,9 @@
- The ERP-RK-Answer AVP (AVP Code TBD IANA) is of type - grouped AVP. It is used by the home EAP server to provide ERP root key - material to the ER server. + The ERP-RK-Answer AVP (AVP Code TBDTBD IANA) is of + type grouped AVP. It is used by the home EAP server to provide ERP + root key material to the ER server. This AVP has the M and V bits cleared. @@ -676,7 +678,7 @@
- The ERP-RK AVP (AVP Code TBD IANA) is of type + The ERP-RK AVP (AVP Code TBDTBD IANA) is of type OctetString. It contains the root key (either rRK or rDSRK) sent by the home EAP server to the ER server, in answer to request containing an ERP-RK-Request AVP. How this material is derived and used is @@ -689,7 +691,7 @@
- The ERP-RK-Name AVP (AVP Code TBD IANA) is of type + The ERP-RK-Name AVP (AVP Code TBDTBD IANA) is of type OctetString. This AVP contains the EMSKname which identifies the keying material. How this name is derived is beyond the scope of this document and defined in . @@ -700,14 +702,14 @@
- The ERP-RK-Lifetime AVP (AVP Code TBD IANA) is of type - Unsigned32 do we really need 64 as in -00 ? 2^32 secs is already - more than 100 years, which is too long for a key lifetime ! and - contains the root key material remaining lifetime in seconds. It MUST - not be greater than the remaining lifetime of the EMSK it is derived - from. FFS: is it better to pass an absolute value here, for - example expiration date? How to express it then (TZ, ...)? - Synchronization problems? + The ERP-RK-Lifetime AVP (AVP Code TBDTBD IANA) is of + type Unsigned32 do we really need 64 as in -00 ? 2^32 secs is + already more than 100 years, which is too long for a key lifetime + ! and contains the root key material remaining lifetime in + seconds. It MUST not be greater than the remaining lifetime of the + EMSK it is derived from. FFS: is it better to pass an absolute + value here, for example expiration date? How to express it then (TZ, + ...)? Synchronization problems? This AVP has the M and V bits cleared.