# Date 1287729992 -32400 # Node ID 4890fc91096d90972f31924349c92a1c226baeac # Parent b817687af36cdd6861fc1db27859cff40096805b Updates Seb. diff -r b817687af36c -r 4890fc91096d draft-ietf-dime-erp-05.xml --- a/draft-ietf-dime-erp-05.xml Thu Oct 21 16:22:23 2010 +0900 +++ b/draft-ietf-dime-erp-05.xml Fri Oct 22 15:46:32 2010 +0900 @@ -207,10 +207,10 @@ This document assumes the existence of at most one logical ER server entity in a domain. If several physical servers are deployed for robustness, a replication mechanism must be deployed to synchronize the - ERP states (root keysFFS: authorization attributes) between - these servers. This replication mechanism is out of the scope of this - document. If multiple ER servers are deployed in the domain, we assume - that they can be used interchangeably. + ERP states (root keys) between these servers. This replication mechanism + is out of the scope of this document. If multiple ER servers are + deployed in the domain, we assume that they can be used + interchangeably.

@@ -227,43 +227,31 @@ ]]> The ER server is located either in the home domain (same as EAP server) or in the visited domain (same as authenticator, when it - differs from the home domain). - Can the ER server - be located in a third domain (ex: broker's) according to ERP - mechanism? - When the peer initiates an ERP - exchange, the authenticator creates a Diameter-EAP-Request message . The Application Id of the message is set to - that of the Diameter ERP application (code: TBD) in the message. The - generation of the ERP/DER message is detailed in . If there - is an ER server in the same domain as the authenticator (local domain), - Diameter routing MUST - Should this say - "SHOULD: instead of "MUST"? - be configured so that this ERP/DER message reachs this server, - even if the Destination-Realm is not the local domain. If there is no local ER server, the message is routed - according to its Destination-Realm AVP content, extracted from the realm - component of the keyName-NAI attribute. As specified in RFC 5296, this realm is the home domain of the - peer in case of a bootstrapping exchange (the 'B' flag is set in the ERP - message) or the domain of the bootstrapped ER server otherwise. - This actually might - allow the ER server to be in a third party realm. - If no ER server is available in the - home domain either, the ERP/DER message cannot be delivered, and an - error DIAMETER_UNABLE_TO_DELIVER is generated and returned to the authenticator. The - authenticator may cache this information (with limited duration) to - avoid further attempts for ERP with this realm. It may also fallback to - full EAP authentication to authenticate the peer. When an ER server receives the ERP/DER message, it - searches its local database for a root key - and authorization - state? - matching the keyName part of the User-Name AVP. If such key is + differs from the home domain). When the peer + initiates an ERP exchange, the authenticator creates a + Diameter-EAP-Request message . The + Application Id of the message is set to that of the Diameter ERP + application (code: TBD) in the message. The generation of the ERP/DER + message is detailed in . If there is an ER server in the same domain as the + authenticator (local domain), Diameter routing must be configured so + that this ERP/DER message reachs this server, even if the + Destination-Realm is not the local domain. If + there is no local ER server, the message is routed according to its + Destination-Realm AVP content, extracted from the realm component of the + keyName-NAI attribute. As specified in RFC + 5296, this realm is the home domain of the peer in case of a + bootstrapping exchange (the 'B' flag is set in the ERP message) or the + domain of the bootstrapped ER server otherwise. If no ER server is available in the home domain + either, the ERP/DER message cannot be delivered, and an error + DIAMETER_UNABLE_TO_DELIVER is generated + and returned to the authenticator. The authenticator may cache this + information (with limited duration) to avoid further attempts for ERP + with this realm. It may also fallback to full EAP authentication to + authenticate the peer. When an ER server + receives the ERP/DER message, it searches its local database for a root + key matching the keyName part of the User-Name AVP. If such key is found, the ER server processes the ERP message as described in RFC 5296 then creates the ERP/DEA answer as described in . The rMSK is @@ -273,13 +261,11 @@ EAP-Payload AVP, the EAP-Finish/Re-Auth message, to the peer. If the EAP-Initiate/Re-Auth message has its 'B' flag set (Bootstrapping exchange), the ER server should not possess the root - key in its local database - This may not be - true in future RFC5296bis? - In this case, the ER server acts as a proxy, and forwards the - message to the home EAP server after changing its Application Id to - Diameter EAP and adding an AVP to request the root key. See for more detail on this process. + key in its local database. In this case, the ER server acts as a proxy, + and forwards the message to the home EAP server after changing its + Application Id to Diameter EAP and adding the ERP-RK-Request AVP to + request the root key. See for more + detail on this process.

@@ -305,13 +291,11 @@ that only a small number of peers will use re-authentication in the visited domain. Deriving and caching key material for all the peers (for example, for the peers that do not support ERP) is a waste of - resources and SHOULD be avoided. To achieve - implicit bootstrapping, the ER server must act as a Diameter EAP Proxy - as defined in the Diameter Base Protocol , and routing must be configured so that - Diameter messages of a full EAP authentication are routed through this - proxy. The figure bellow illustrates this mechanism.

To achieve + implicit bootstrapping, the ER server acts as a Diameter EAP Proxy, + and Diameter routing must be configured so that Diameter EAP + application messages are routed through this proxy. The figure bellow + illustrates this mechanism.

The ER server proxies the first DER of the full EAP authentication and adds the ERP-RK-Request AVP inside, if this AVP is - not already in the message (which might happen if there are ER servers - in the visited and the home domains), then forwards the request. - If the EAP server does not support the ERP - extensions, it will simply ignore this grouped AVP and continue as + not already in the message (which might happen if there are several ER + servers on the path), then forwards the request. If the EAP server does not support the ERP + extensions, it simply ignores the ERP-RK-Request AVP and continues as specified in RFC 4072. If the server - supports the ERP extensions, it caches the ERP-Realm value with the - session data, and continues the EAP authentication. When the - authentication is complete, if it is successful and the EAP method - generated an EMSK, the server MUST derive the rRK as specified in - RFC 5296, and include an instance of the - Key AVP in the Diameter-EAP-Answer - message. When the ER server proxies a - Diameter-EAP-Answer message with a Session-Id corresponding to a - message to which it added an ERP-RK-Answer, and the Result-Code is - DIAMETER_SUCCESS, it MUST examine the message, extract and remove any - Key AVP from the message, and save its - content. If the message does not contain an ERP-RK-Answer AVP, the ER - server MAY cache this information to avoid possible subsequent - re-authentication attempts for this session. In any case, the - information stored SHOULD NOT have a lifetime greater than the EMSK - lifetime - How does the ER - server knows the EMSK lifetime, if there is no ERP-RK-Answer? What - is the lifetime of the MSK for example? - If the ER server is successfully - bootstrapped, it MAY also add the ERP-Realm AVP after removing the - ERP-RK-Answer AVP in the EAP/DEA message. This could be used by the - authenticator to notify the peer that ERP is bootstrapped, with the ER - domain information. How this information can be transmitted to the - peer is outside the scope of this document. - Is this - possible? It might be useful... - + supports the ERP extensions, it saves the value of the ERP-Realm AVP + found inside the ERP-RK-Request AVP, and continues with the EAP + authentication. When the authentication completes, if it is successful + and the EAP method has generated an EMSK, the server MUST derive the + rRK as specified in RFC 5296, using the + saved domain name. It then includes the rRK inside a Key AVP with the Key-Type AVP set to rRK, before sending + the DEA as usual. When the ER server proxies + a Diameter-EAP-Answer message with a Session-Id corresponding to a + message to which it added an ERP-RK-Request AVP, and the Result-Code + is DIAMETER_SUCCESS, it MUST examine the message and save and remove + any Key AVP with Key-Type AVP set to rRK. + If the message does not contain such Key AVP, the ER server may cache + the information that ERP is not possible for this session to avoid + possible subsequent attempts. In any case, the information stored in + ER server concerning a session should not have a lifetime greater than + the EMSK for this session. If the ER server + is successfully bootstrapped, it should also add the ERP-Realm AVP + after removing the Key AVP with Key-Type of rRK in the EAP/DEA + message. This ERP-Realm information can be used by the authenticator + to notify the peer that ER server is bootstrapped, and for which + domain. How this information can be transmitted to the peer is outside + the scope of this document. This information needs to be sent to the + peer if both implicit and explicit bootstrapping mechanisms are + possible, because the ERP message and the root key used for protecting + this message are different in bootstrapping exchanges and + non-bootstrapping exchanges.

Bootstrapping the ER server during the first re-authentication - (also known as explicit bootstrapping) offers several advantages: it - saves resources, since we generate and cache only root keys that we - actually need, and it can accomodate inter-domain handovers or ER - servers that lose their state (for example after reboot). - This last point - might not be true currently, since the peer would not issue a - bootstrapping exchange... But this might change also with - RFC5296bis AFAIU - On the other hand, the first re-authentication with the ER - server requires a one-round-trip exchange with the home EAP server, - which adds some delay to the process (but it is more efficient than a - full EAP authentication in any case). It also requires some - synchronization between the peer and the visited domain: since the ERP - message used is different - and the root key - used also? - for the explicit bootstrapping exchange than for normal - re-authentication; explicit bootstrapping should not be used if - implicit bootstrapping was already performed. - What should we - do if the ER server receives an explicit bootstrapping request but - already possess the rDSRK? Can it answer without going to the home - server? That would be simpler -- planned in rfc5296bis ? - The ER server receives the ERP/DER - message containing the EAP-Initiate/Re-Auth message with the 'B' flag - set. It proxies this message, and performs the following processing in + (also known as explicit bootstrapping) is less resource-consuming, + since root keys are generated and cached only when needed. On the + other hand, in that case first re-authentication requires a + one-round-trip exchange with the home EAP server, which is less + efficient than the implicit bootstrapping scenario. The ER server receives the ERP/DER message + containing the EAP-Initiate/Re-Auth message with the 'B' flag set. It + proxies this message, and performs the following processing in addition to standard proxy operations: Changes the Application Id in the header of the message to Diameter EAP Application (code 5). Change the content of Application-Auth-Id accordingly. - Is t better - to leave it unmodified? + Is it better + to leave it unmodified, so that the server can easily + differenciate between ERP and standard EAP message ? Add the ERP-RK-Request AVP, which contains the name of the domain where the ER server is located. - Add the - Destination-Host to reach the appropriate EAP server, the one - with the EMSK. How does the ER server know this - information? + Add the + Destination-Host AVP to reach the appropriate Diameter EAP + server in case there is more than one in destination domain, + the one with the EMSK. How does the ER server know this + information? Or can we require that all Diameter EAP servers + can be used interchangeably for this purpose? - Then the server forwards the EAP/DER request, which is - routed to the home EAP server. If the home - EAP server does not support the ERP extensions, it replies with an - error since the encapsulated EAP-Initiate/Re-auth command is not - understood. Otherwise, it processes the ERP request as described in - . In particular, it includes the - Domain-Name TLV attribute with the content from the ERP-Realm AVP. It - creates the EAP/DEA reply message . - including an instance of the Key AVP . - - What about - authorization AVPs? - The ER server receives this + Then the proxied EAP/DER request is sent and routed to the + home Diameter EAP server. If the home EAP + server does not support the ERP extensions, it replies with an error + since the encapsulated EAP-Initiate/Re-auth command is not understood. + Otherwise, it processes the ERP request as described in . In particular, it includes the Domain-Name + TLV attribute with the content from the ERP-Realm AVP. It creates the + EAP/DEA reply message . including an + instance of the Key AVP with Key-Type AVP + set to rRK. The ER server receives this EAP/DEA and proxies it as follows, in addition to standard proxy operations: - Set the Application Id back to Diameter ERP (code TBD) + Set the Application Id back to Diameter ERP application Id + (code TBD) - Extract and cache the content of the Key AVP. - And - authorization AVPs ? - - The DEA is then forwarded to the authenticator, that can use - the rMSK as described in RFC 5296. - The figure below captures this proxy - behavior:

Extract and cache the content of the Key AVP with Key-Type set + to rRK, as described in implicit scenario. + The ERP/DEA message is then forwarded to the authenticator, + that can use the rMSK as described in RFC + 5296. The figure below captures this + proxy behavior:

- This section describes in detail a re-authentication exchange with a - (bootstrapped) ER server. The following figure summarizes the - re-authentication exchange.

+ This section describes in detail a re-authentication exchange with an + ER server that was previously bootstrapped. The following figure + summarizes the re-authentication exchange.

EAP-Initiate/Re-auth @@ -502,19 +465,19 @@ <---------------------- EAP-Finish/Re-auth ]]> - In ERP, the peer sends an EAP-Initiate/Re-auth message to - the ER server via the authenticator. Alternatively, the authenticator - may send an EAP-Initiate/Re-auth-Start message to the peer to trigger - the start of ERP. In this case, the peer responds with an - EAP-Initiate/Re-auth message. If the - authenticator does not support ERP (pure - support), it discards the EAP packets with an unknown ERP-specific code - (EAP-Initiate). The peer may fallback to full EAP authentication in this - case. When the authenticator receives an - EAP-Initiate/Re-auth message from the peer, it process as described in + The peer sends an EAP-Initiate/Re-auth message to the ER + server via the authenticator. Alternatively, the authenticator may send + an EAP-Initiate/Re-auth-Start message to the peer to trigger the + mechanism. In this case, the peer responds with an EAP-Initiate/Re-auth + message. If the authenticator does not support + ERP (pure Diameter EAP support), it + discards the EAP packets with an unknown ERP-specific code + (EAP-Initiate). The peer should fallback to full EAP authentication in + this case. When the authenticator receives an + EAP-Initiate/Re-auth message from the peer, it processes as described in with regards to the EAP state machine. It creates a Diameter EAP Request message following the general process of - DiameterEAP, with the following + Diameter EAP, with the following differences: The Application Id in the header is set to Diameter ERP (code TBD). @@ -527,21 +490,14 @@ What about - Session-ID AVP -- in case of re-auth at the same place, and in - case of handover? + Session-ID AVP ? - The Auth-Request-Type AVP content is set to [Editor's note: FFS]. - - Do we really - do authorization with Diameter ERP ? -- need to pass the - authorization attrs to the ER server in that case. Idea FFS: we - do authorization only for explicit bootstrapping - exchanges... - + The Auth-Request-Type AVP content is set to [Editor's note: FFS + -- cf. open issues]. - The EAP-Payload AVP contains the ERP message, - EAP-Initiate/Re-Auth. + The EAP-Payload AVP contains the EAP-Initiate/Re-Auth + message. Then this ERP/DER message is sent as described in . The ER server receives and processes this request as described in The value of the Auth-Application-Id AVP is also set to Diameter ERP Application. - The EAP-Payload AVP contains the ERP message, - EAP-Finish/Re-auth. + The EAP-Payload AVP contains the EAP-Finish/Re-auth message. In case of successful authentication, an instance of the Key AVP containing the Re-authentication Master Session Key (rMSK) derived - by ERP is included. - What about all - the authorization attributes? If we want to include them, they - have to be present on the ER server... - + by ERP is included. When the authenticator receives this ERP/DEA answer, it processes it as described in Diameter EAP and RFC 5296: the content of EAP-Payload @@ -607,30 +558,26 @@

The ERP-Realm AVP (AVP Code TBD) is of type DiameterIdentity. It contains the name of the realm in which the ER server is located. - - We may re-use - Origin-Realm here instead? On the other hand, ERP-Realm may be - useful if the ER server is in a third-party realm, if this is - possible. - This AVP has the M and V bits - cleared. + This AVP has the M and V bits cleared.

The Key AVP is - of type "Grouped" and is used to carry the rMSK and associated + of type "Grouped" and is used to carry the rRK or rMSK and associated attributes. The usage of the Key AVP and its constituent AVPs in this application is specified in the following sub-sections.

- The value of the Key-Type AVP MUST be set to 3 for rRK. + The value of the Key-Type AVP MUST be set to 2 for rRK or 3 for + rMSK.

The Keying-Material AVP contains rRK sent by the home EAP server to the ER server, in answer to a request containing an - ERP-RK-Request AVP. How this material is derived and used is - specified in RFC 5296. + ERP-RK-Request AVP, or the rMSK sent by ER server to authenticator. + How this material is derived and used is specified in RFC 5296.

@@ -653,17 +600,24 @@ them. The main issue is the use of ERP for authentication after a handover of the peer to a new authenticator (or different authenticator port). Diameter ERP is not meant to be a - mobility protocol. A number of issues appear when we try to do handover - in Diameter ERP (alone): how to manage the Session-Id AVP; how does the - ER server provide the Authorization AVPs; how does the peer learn the - ERP domain of the new authenticator; how does the home server reachs the - peer to for example terminate the session; and so on... Therefore, the - management of the session for a mobile peer is not (yet) addressed in - this document. It must be studied how Diameter ERP can be for example - used in conjunction with a mobility application (Diameter MIP4, Diameter - MIP6) to support the optimized re-authentication in such situation. - Another issue concerns the case where the home - realm contains several EAP servers. In multi rounds full EAP + mobility application. A number of issues appear when we try to do + handover while using Diameter ERP: + how to manage the Session-Id AVP -- is it a new session each + time, or do we try to reuse the same Diameter session?; + + how does the ER authenticator acquire the Authorization AVPs? Is + it cached in the Diameter ER server (received during bootstrapping) + or do we use first Authenticate-Only with ER server, then + Authorize-Only with home domain (and in that case how does the ER + authenticator learn what the home domain is?) + + how does the peer learn the ERP domain of the new authenticator + -- this is being addressed in HOKEY architecture draft; + + how does the home server reachs the peer to for example terminate + the session if there is no notification sent to the home domain; + Another issue concerns the case where + the home realm contains several EAP servers. In multi rounds full EAP authentication, the Destination-Host AVP provides the solution to reach the same server across the exchanges. Only this server possess the EMSK for the session. In case of explicit bootstrapping, the ER server must @@ -672,9 +626,12 @@ EAP/DEA in the ER server, which is a bit similar to the implicit bootstrapping scenario described here -- only we save the server name instead of the root key, and we must then be able to match the DSRK with - the user name. Finally, this document - currently lacks a description of what happens when a Re-Auth-Request is - received for a peer on the authenticator. + the user name. In roaming environments, it + might be useful that a broker provides ERP services. The security + implications of storing the DSRK generated for the visited domain into + the broker's server should be studied. Finally, + this document currently lacks a description of what happens when a + Re-Auth-Request is received for a peer on the authenticator.

@@ -725,8 +682,9 @@ Do we really respect these security considerations with the mechanism we describe here? - Is it safe to use ERP-RK-Request / Answer AVPs? What is the worst - case? + Is it safe to use ERP-RK-Request & Key AVPs? What is the worst + case? For example if a domain tricks the peer into beliving it is + located in a different domain? EAP channel bindings may be necessary to ensure that the Diameter client and the server are in sync regarding the key Requesting Entity's Identity. Specifically, the Requesting Entity advertises its