Diameter support for EAP + Re-authentication Protocol (ERP)

+ defines the EAP Re-authentication + Protocol (ERP). It consists in the following steps: + Bootstrapping: a root key for re-authentication is derived from + the Extended Master Session Key (EMSK) created during EAP + authentication . This root key is + transported from the EAP server to the ER server. + + Re-authentication: a one-round-trip exchange between the peer and + the ER server, resulting in mutual authentication. To accomplish the + EAP reauthentication functionality, ERP defines two new EAP codes - + EAP-Initiate and EAP-Finish. + + + This document defines how Diameter transports the ERP messages + (Re-authentication step). For this purpose, we define a new Application + Id for ERP, and re-use the Diameter EAP commands (DER/DEA). + + This document also discusses the distribution of the root key + (bootstrapping step), either during the initial EAP authentication + (implicit bootstrapping) or during the first ERP exchange (explicit + bootstrapping). Security considerations for this key distribution are + detailed in . + +

+ In this version, the main difference is that we define a new + Diameter Application for ERP. This allows the routing of Diameter + messages containing ERP payload to the appropriate realm and server, + and permits more flexibility in the deployment of ERP : with the + previous design from version -00, the ER server had to be collocated + with the EAP server (Editor's note: well, it was not written clearly + in the document, but it was the only working situation), which might + result in some deployment and scalability issues. + + The format of the newly defined AVP has also changed: we now define + two grouped AVP to transport the key request and key material. Grouped + AVP allow a more efficient parsing of the message, and keeps the + correlation of related information such as key name, key + lifetime... +

+ +

+ This document uses terminology defined in , , , and . + + "Root key" (RK) or "bootstrapping material" refer to the rRK or rDSRK + derived from an EMSK, depending on the location of the ER server in home + or foreign domain. + + We note in this document ERP/DER a Diameter-EAP-Request command with + the Application Id set to Diameter ERP application. On the same model, + we use ERP/DEA, EAP/DER and EAP/DEA. + +

+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in . +

+ +

+ This document makes the following assumptions. + + The Home EAP server of a peer that wants to use ERP is extended to + support: + Cryptographic operations needed to derive the ERP root key from + the EMSK. By deriving the ERP root key for a specific domain, the + home EAP server implicitly authorizes the use of ERP within this + domain. + + Diameter operations to include this root key inside an + appropriate AVP as defined in this document, in an answer message + corresponding to a request that contained a request for this + material (AVP for the request also defined in this document). + + (recommanded) Ability to answer a DER message with EAP-Payload + containing an explicit bootstrapping ERP message. + + + The Authenticator (NAS) is extended to support: + Allow the new ERP command codes (EAP-Initiate and EAP-Finish) in + its EAP pass-through mode. + + (optional) Send the EAP-Initiate/Re-Auth-Start message + + (optional) Provide the local domain name via lower layer specific + mechanism or via TLV in the EAP-Initiate/Re-Auth-Start message. + + Encapsulate ERP message and receive corresponding Diameter + answer, as described in this document. + + + If one of the components does not match these assumptions, the ERP + mechanism will fail. In such situation, a full EAP authentication may be + attempted as a fallback mechanism. + + We consider at most one logical ER server entity in a domain. If + several physical servers are deployed for robustness, a replication + mechanism must be deployed to synchronize the ERP states (root keys, + FFS: authorization attributes ) between these servers. This + replication mechanism is out of the scope of this document. If several + ER servers are deployed in the domain, we assume that they can be used + interchangeably. +

+ +

+ The following figure shows the components involved in ERP, and their + interactions. + +

+ |Authenticator|<=======>| ER server | <---> | EAP | + +-------------+ +-----------+ | server | + +--------+ + (*) Diameter EAP application, + explicit bootstraping scenario only.]]> + + + The ER server is located either in the home domain (same as EAP + server) or in the visited domain (same as authenticator, when it differs + from the home domain). Can the ER server be located in a third + domain (ex: broker's) according to ERP mechanism? + + When the peer initiates an ERP exchange, the authenticator creates a + Diameter-EAP-Request message, as described in Diameter EAP application + . The Application Id of the message is set + to Diameter ERP application (code: TBD IANA) in the + message. The exact processing to generate the ERP/DER message is + detailed in section . + + If there is an ER server in the same domain as the authenticator + (local domain), Diameter routing MUST SHOULD ? FFS... be + configured so that this ERP/DER message reachs this server, even if the + Destination-Realm is not the local domain. + + If there is no local ER server, the message is routed according to + its Destination-Realm AVP content, extracted from the realm component of + the keyName-NAI attribute. As specified in , this realm is the home domain of the peer in + case of bootstrapping exchange ('B' flag is set in ERP message) or the + domain of the bootstrapped ER server otherwise This actually might + allow the ER server to be in a third party realm. + + If no ER server is available in the home domain either, the ERP/DER + message cannot be delivered, and an error DIAMETER_UNABLE_TO_DELIVER is + generated as specified in and returned to + the authenticator. The authenticator may cache this information (with + limited duration) to avoid further attempts for ERP with this realm. It + may also fallback to full EAP authentication to authenticate the + peer. + + When an ER server receives the ERP/DER message, it searches its local + database for a root key and authorization state ? matching + the keyName part of the User-Name AVP. If such key is found, the ER + server processes the ERP message as described in then creates the ERP/DEA answer as described in + . The rMSK is included in this + answer. + + Finally, the authenticator extracts the rMSK from the ERP/DEA as + described in , and forwards the content of + the EAP-Payload AVP, the EAP-Finish/Re-Auth message, to the peer. + + If the EAP-Initiate/Re-Auth message has its 'B' flag set + (Bootstrapping exchange), the ER server should not possess the root key + in its local database This may not be true in future RFC5296bis + ?. In this case, the ER server acts as a proxy, and forwards the + message to the home EAP server after changing its Application Id to + Diameter EAP and adding an AVP to request the root key. See section + for more detail on this + process. +

+ +

+ The bootstrapping process involves the home EAP server and the ER + server, but also impacts the peer and the authenticator. In ERP, the + peer must derive the same keying material as the ER server. To achieve + this, it must learn the domain name of the ER server. How this + information is acquired is outside the scope of this specification, but + it may involves that the authenticator is configured to advertize this + domain name, especially in the case of re-authentication after a + handover. + + The bootstrapping of an ER server with a given root key happens + either during the initial EAP authentication of the peer when the EMSK + -- from which the root key is derived -- is created, during the first + re-authentication, or sometime between those events. We only consider + the first two possibilities in this specification, in the following + subsections. + +

+ Bootstrapping the ER server during the initial EAP authentication + (also known as implicit bootstrapping) offers the advantage that the + server is immediatly available for re-authentication of the peer, thus + minimizing the re-authentication delay. On the other hand, it is + possible that only a small number of peers will use re-authentication + in the visited domain. Deriving and caching key material for all the + peers (for example, for the peers that do not support ERP) is a waste + of resources and SHOULD be avoided. + + To achieve implicit bootstrapping, the ER server must act as a + Diameter EAP Proxy, and routing must be configured so that Diameter + messages of a full EAP authentication are routed through this proxy. + The figure bellow captures this mechanism. + +

+ + Diameter EAP/DER + (EAP-Response) + -------------------------> + Diameter EAP/DER + (EAP-Response) + (ERP-RK-Request) + + <==================================================> + Multi-round Diameter EAP exchanges, unmodified + + <------------------------- + Diameter EAP/DEA + (EAP-Success) + (MSK) + (ERP-RK-Answer) + <------------------------- + Diameter EAP/DEA + (EAP-Success) + (MSK) + [ERP-Realm] +]]> + + + The ER server proxies the first DER of the full EAP authentication + and adds the ERP-RK-Request AVP inside, if this AVP is not already in + the message (which might happen if there are ER servers in the visited + and the home domains), then forwards the request. + + If the EAP server does not support ERP extensions, it will simply + ignore this grouped AVP and continue as specified in . If the server supports the ERP extensions, + it caches the ERP-Realm value with the session, and continues the EAP + authentication. When the authentication is complete, if it is + successful and the EAP method generated an EMSK, the server MUST + compute the rRK or rDSRK (depending on the value of ERP-Realm) as + specified in , and add an ERP-RK-Answer + AVP in the Diameter-EAP-Request message, in addition to the MSK and + EAP-Success payloads. + + When the ER server proxies a Diameter-EAP-Answer message with a + Session-Id corresponding to a message to which it added an + ERP-RK-Answer, and the Result-Code is DIAMETER_SUCCESS, it MUST + examine the message, extract and remove any ERP-RK-Answer AVP from the + message, and save its content. If the message does not contain an + ERP-RK-Answer AVP, the ER server MAY save this information to avoid + possible subsequent re-authentication attempts for this session. In + any case, the information stored SHOULD NOT have a lifetime greater + than the EMSK lifetime how does the ER server knows the EMSK + lifetime, if there is no ERP-RK-Answer? What is the lifetime of the + MSK for example? + + If the ER server is successfully bootstrapped, it MAY also add the + ERP-Realm AVP after removing the ERP-RK-Answer AVP in the EAP/DEA + message. This could be used by the authenticator to notify the peer + that ERP is bootstrapped, with the ER domain information. How this + information can be transmitted to the peer is outside the scope of + this document. Is it possible? It would be useful... +

+ +

+ Bootstrapping the ER server during the first re-authentication + (also known as explicit bootstrapping) offers several advantages: it + saves resources, since we generate and cache only root key that we + actually need, and it can accomodate inter-domain handovers or ER + servers that loose their state (for example after reboot) This + last point might not be true currently, since the peer would not issue + a bootstrapping exchange... But this might change also with RFC5296bis + AFAIU. On the other hand, the first re-authentication with the + ER server requires a one-round-trip exchange with the home EAP server, + which adds some delay to the process (but it is more efficient than a + full EAP authentication in any case). It also requires some + synchronization between the peer and the visited domain: since the ERP + message is differentand the root key used also ? for + explicit bootstrapping exchange and for normal re-authentication, + explicit bootstrapping should not be used if implicit bootstrapping + was already performed. + + What should we do if the ER server receives an explicit + bootstrapping request but already possess the rDSRK? Can it answer + without going to the home server? That would be simpler -- planned in + rfc5296bis ? + + The ER server receives the ERP/DER message containing the + EAP-Initiate/Re-Auth message with the 'B' flag set. It proxies this + message, and do the following processing in addition to standard proxy + operations: + Change the Application Id in the header of the message to + Diameter EAP Application (code 5). What about the + Application-Auth-Id AVP? + + Add the ERP-RK-Request AVP, which contains the name of the + domain where the ER server is located. + + Add the Destination-Host to reach the appropriate EAP + server, the one with the EMSK. How does the ER server know this + information ? + Then the server forwards the EAP/DER request, which is routed + to the home EAP server. + + If the home EAP server does not support ERP extensions, it replies + with an error since the encapsulated EAP-Initiate/Re-auth command is + not understood. Otherwise, it processes the ERP request as described + in . In particular, it includes the + Domain-Name TLV attribute with the content from the ERP-Realm AVP. It + creates the EAP/DEA reply message following standard processing from + (in particular EAP-Master-Session-Key + AVP is used to transport the rMSK), and includes the ERP-RK-Answer + AVP. What about authorization AVPs ? + + The ER server receives this EAP/DEA and proxies it as follow, in + addition to standard proxy operations: + Set the Application Id back to Diameter ERP (code TBD + IANA) + + Extract and cache the content of the ERP-RK-Answer. And + authorization AVPs ? + The DEA is then forwarded to the authenticator, that can use + the rMSK as described in . + + The figure below captures this proxy behavior: + +

+ + Diameter ERP/DER + (EAP-Initiate) + ------------------------> + Diameter EAP/DER + (EAP-Initiate) + (ERP-RK-Request) + + <------------------------ + Diameter EAP/DEA + (EAP-Finish) + (ERP-RK-Answer) + (rMSK) + <---------------------- + Diameter ERP/DEA + (EAP-Finish) + (rMSK) +]]> + +

+ +

+ This section describes in detail a re-authentication exchange with a + (bootstrapped) ER server. The following figure summarizes the + re-authentication exchange. + +

+ + EAP-Initiate/Re-auth + ==================================> + Diameter ERP, cmd code DER + User-Name: Keyname-NAI + EAP-Payload: EAP-Initiate/Re-auth + + <================================== + Diameter ERP, cmd code DEA + EAP-Payload: EAP-Finish/Re-auth + EAP-Master-Session-Key: rMSK + <---------------------- + EAP-Finish/Re-auth +]]> + + + In ERP, the peer sends an EAP-Initiate/Re-auth message to the ER + server via the authenticator. Alternatively, the NAS may send an + EAP-Initiate/Re-auth-Start message to the peer to trigger the start of + ERP. In this case, the peer responds with an EAP-Initiate/Re-auth + message to the NAS. + + If the authenticator does not support ERP (pure support), it discards the EAP packets with + unknown ERP-specific code (EAP-Initiate). The peer may fallback to full + EAP authentication in such case. + + When the authenticator receives an EAP-Initiate/Re-auth message from + the peer, it process as described in with + regards to the EAP state machine. It creates a Diameter EAP Request + message following the general process of Diameter + EAP, with the following differences: + The Application Id in the header is set to Diameter ERP (code + TBD IANA). + + The value in Auth-Application-Id AVP is also set to Diameter ERP + Application. + + The keyName-NAI attribute from ERP message is used to create the + content of User-Name AVP and Destination-Realm AVP. + + FFS: What about Session-ID AVP -- in case of re-auth at the + same place, and in case of handover? + + The Auth-Request-Type AVP content is set to FFS -- Do we + really do authorization with Diameter ERP ? -- need to pass the + authorization attrs to the ER server in that case. Idea FFS: we do + authorization only for explicit bootstrapping + exchanges.... + + The EAP-Payload AVP contains the ERP message, + EAP-Initiate/Re-Auth. + Then this ERP/DER message is sent as described in . + + The ER server receives and processes this request as described in + . It then creates a Diameter answer + ERP/DEA, following the general processing described in , with the following differences: + The Application Id in the header is set to Diameter ERP (code + TBD IANA). + + The value in Auth-Application-Id AVP is also set to Diameter ERP + Application. + + The Result-Code AVP is set to version -00 stated a SHOULD + here, not sure why ? an error value in case ERP + authentication fails, or to DIAMETER_SUCCESS if ERP is + successful. + + The EAP-Payload AVP contains the ERP message, + EAP-Finish/Re-auth. + + In case of successful authentication, the EAP-Master-Session-Key + AVP contains the Re-authentication Master Session Key (rMSK) derived + by ERP. + + What about all the authorization attributes? If we want to + include them, they have to be present on the ER server... + + + When the authenticator receives this ERP/DEA answer, it processes it + as described in Diameter EAP and : the content of EAP-Payload AVP content is + forwarded to the peer, and the content of EAP-Master-Session-Key AVP is + used as a shared secret for Secure Association Protocol. +

+ +

+ We define a new Diameter application in this document, Diameter ERP + Application, with an Application Id value of TBD IANA. + Diameter nodes conforming to this specification in the role of ER server + MUST advertise support by including an Auth-Application-Id AVP with a + value of Diameter ERP Application in the of the + Capabilities-Exchange-Request and Capabilities-Exchange-Answer commands, + as described in . + + The primary use of the Diameter ERP Application Id is to ensure + proper routing of the messages, and that the nodes that advertise the + support for this application do understand the new AVPs defined in + section , although these AVP have the 'M' + flag cleared. +

+ +

+ This specification defines the following new AVPs. FFS: to + align with draft-wu-dime-local-keytran-02 if it becomes a WG + item + +

+ The ERP-RK-Request AVP (AVP Code TBD IANA) is of type + grouped AVP. This AVP is used by the ER server to indicate its + willingness to act as ER server for a particular session. + + This AVP has the M and V bits cleared. + +

+ + { ERP-Realm } + * [ AVP ] +]]> + +

+ +

+ The ERP-Realm AVP (AVP Code TBD IANA) is of type + DiameterIdentity. It contains the name of the realm in which the ER + server is located. + + FFS: We may re-use Origin-Realm here instead? On the other + hand, ERP-Realm may be useful if the ER server is not in a third-party + realm, if this is possible. + + This AVP has the M and V bits cleared. +

+ +

+ The ERP-RK-Answer AVP (AVP Code TBD IANA) is of type + grouped AVP. It is used by the home EAP server to provide ERP root key + material to the ER server. + + This AVP has the M and V bits cleared. + +

+ + { ERP-RK } + { ERP-RK-Name } + { ERP-RK-Lifetime } + * [ AVP ] +]]> + +

+ +

+ The ERP-RK AVP (AVP Code TBD IANA) is of type + OctetString. It contains the root key (either rRK or rDSRK) sent by + the home EAP server to the ER server, in answer to request containing + an ERP-RK-Request AVP. How this material is derived and used is + specified in . + + Can we re-use EAP-Master-Session-Key here instead? Must check + the exact definition... + + This AVP has the M and V bits cleared. +

+ +

+ The ERP-RK-Name AVP (AVP Code TBD IANA) is of type + OctetString. This AVP contains the EMSKname which identifies the + keying material. How this name is derived is beyond the scope of this + document and defined in . + + Can we re-use EAP-Key-Name here instead ? + + This AVP has the M and V bits cleared. +

+ +

+ The ERP-RK-Lifetime AVP (AVP Code TBD IANA) is of type + Unsigned32 do we really need 64 as in -00 ? 2^32 secs is already + more than 100 years, which is too long for a key lifetime ! and + contains the root key material remaining lifetime in seconds. It MUST + not be greater than the remaining lifetime of the EMSK it is derived + from. FFS: is it better to pass an absolute value here, for + example expiration date? How to express it then (TZ, ...)? + Synchronization problems? + + This AVP has the M and V bits cleared. +

+ +

+ We do not define any new command in this specification. We reuse the + Diameter-EAP-Request and Diameter-EAP-Answer commands defined in . + + Since the original ABNF of these commands allow other optional AVPs + ("* [ AVP ]"), and the new AVPs defined in this specification do not + have the 'M' flag set, the ABNF does not need any change. Anyway, a + Diameter node that advertizes support for the Diameter ERP application + MUST support the new AVPs defined in this specification. + +

+ + +

+ +

+ This document does not address some known issues in Diameter ERP + mechanism. The authors would like to hear ideas about how to address + them. + + The main issue is the use of ERP for authentication after a handover + of the peer to a new authenticator (or different authenticator port). + Diameter ERP is not meant to be a mobility protocol. A number of issues + appear when we try to do handover in Diameter ERP (alone): how to manage + the Session-Id AVP; how does the ER server provide the Authorization + AVPs; how does the peer learn the ERP domain of the new authenticator; + how does the home server reachs the peer to for example terminate the + session; and so on... Therefore, the management of the session for a + mobile peer is not (yet) addressed in this document. It must be studied + how Diameter ERP can be for example used in conjunction with a mobility + application (Diameter MIP4, Diameter MIP6) to support the optimized + re-authentication in such situation. + + Another issue concerns the case where the home realm contains several + EAP servers. In multi rounds full EAP authentication, the + Destination-Host AVP provides the solution to reach the same server + across the exchanges. Only this server possess the EMSK for the session. + In case of explicit bootstrapping, the ER server must therefore be able + to reach the correct server to request the DSRK. A solution might + consist in saving the Origin-Host AVP of all successful EAP/DEA in the + ER server, which is a bit similar to the implicit bootstrapping scenario + described here -- only we save the server name instead of the root key, + and we must then be able to match the DSRK with the user name. + + Finally, this document currently lacks a description of what happens + when a Re-Auth-Request is received for a peer on the authenticator. +

+ +

+ Hannes Tschofenig wrote the initial draft for this document and + provided useful reviews. + + Vidya Narayanan reviewed a rough draft version of the document and + found some errors. + + Glen Zorn actively participated in the discussions on the design for + Diameter ERP, providing the point of view and experience from HOKEY + workgroup. + + Many thanks to these people! +

+ +

+ This document requires IANA registration of the following new + elements in the Authentication, + Authorization, and Accounting (AAA) Parameters registries. + +

+ This specification requires IANA to allocate a new value "Diameter + ERP" in the "Application IDs" registry created by in . + +

+ + +

+ +

+ This specification requires IANA to allocate new values from the + "AVP Codes" registry defined in for the + following AVPs: + ERP-RK-Request + + ERP-Realm + + ERP-RK-Answer + + ERP-RK + + ERP-RK-Name + + ERP-RK-Lifetime + These AVPs are defined in section . +

+ +

+ The security considerations from the following RFC apply here: , , , , and . + + FFS: Do we really respect these security considerations with + the mechanism we describe here? Is it safe to use ERP-RK-Request / + Answer AVPs? What is the worst case? + + EAP channel bindings may be necessary to ensure that the Diameter + client and the server are in sync regarding the key Requesting Entity's + Identity. Specifically, the Requesting Entity advertises its identity + through the EAP lower layer, and the user or the EAP peer communicates + that identity to the EAP server (and the EAP server communicates that + identity to the Diameter server) via the EAP method for user/peer to + server verification of the Requesting Entity's Identity.Editor: I + really don't understand this paragraph ^^'... +