Mercurial > hg > ietf
changeset 9:5fdd3345477f
Cleanups.
| author | Sebastien Decugis <sdecugis@nict.go.jp> |
|---|---|
| date | Wed, 18 Mar 2009 14:06:05 +0900 |
| parents | 45a13fe6e0be |
| children | 4f4591406a24 |
| files | New_ERP_draft_src.txt |
| diffstat | 1 files changed, 61 insertions(+), 58 deletions(-) [+] |
line wrap: on
line diff
--- a/New_ERP_draft_src.txt Wed Mar 18 13:21:39 2009 +0900 +++ b/New_ERP_draft_src.txt Wed Mar 18 14:06:05 2009 +0900 @@ -6,34 +6,34 @@ *Differences with [draft-ietf-dime-erp-00]* -In this document, we specify a new Diameter application ID for Diameter messages transporting ERP exchanges. We re-use the mechanism described in [draft-ietf-dime-erp-00] as an option available to provide implicit bootstrapping to the ER server. +In this document, we specify a new Diameter application ID for Diameter messages transporting ERP exchanges between authenticator and ER server. We re-use the mechanism described in [draft-ietf-dime-erp-00] as an option available to provide implicit bootstrapping to the ER server. *Introduction.* -During full EAP authentication, both the peer and the home EAP server derive EMSK material in addition to MSK. The EMSK can be used to derive a re-authentication root key (rRK or rDSRK) as described in [RFC5296]. This root key is transported to an ER server, this is called bootstrapping the ER server. When the peer re-authenticates using ERP, a one round-trip exchange occurs between the authenticator and the ER server, and new rMSK material is derived. The ER server may be located in the visited domain or home domain. +During full EAP authentication, both the peer and the home EAP server derive EMSK material in addition to MSK. The EMSK can be used to derive a re-authentication root key (rRK or rDSRK) as described in [RFC5296]. This root key is transported to an ER server, this is called bootstrapping the ER server. When the peer re-authenticates using ERP, a one round-trip exchange occurs between the authenticator and the ER server, where new rMSK material is derived. The ER server may be located in the visited domain or home domain. -There are two types of exchanges between AAA entities in the Re-authentication mechanism: transport of the re-authentication root key between the home EAP server and the ER server to bootstrap the mechanism, and transport of ERP messages and rMSK material between authenticator and ER server. This document specifies how the re-authentication exchange is transported using Diameter. It also contains information on how bootstrapping can be achieved in several situations. +There are two types of exchanges between AAA entities in the Re-authentication mechanism: transport of the re-authentication root key between the home EAP server and the ER server to bootstrap the mechanism, and transport of ERP messages and rMSK material between ER server and authenticator. This document specifies how the re-authentication exchange is transported using Diameter. It also provides information on how bootstrapping can be achieved in several situations. Diameter +--------+ +-------------+ ERP +-----------+ (*) | Home | Peer <->|Authenticator|<=======>| ER server | <---> | EAP | +-------------+ +-----------+ | server | +--------+ -(*) Several protocols can be used between ER server and home EAP server to transport bootstrapping material. Diameter EAP is one of them. +(*) Several protocols can be used between ER server and home EAP server to transport bootstrapping material. Diameter EAP is one of the possibilities. - Figure 1. Diameter applications used in the ERP mechanism. + Figure 1. Diameter applications used in the ERP mechanism. *Assumptions.* -For the peer to start an ERP exchange when attaching to a new authenticator, the following assumptions must be verified. Note that the peer can always fall back to full EAP authentication if one of these conditions is not met. +For the peer to start an ERP exchange when attaching to a new authenticator, the following assumptions must be verified. Note that the peer can always fall back to full EAP authentication if one of these conditions is not met. These assumptions are implicit from [RFC5296]. The peer must have non-expired keying material (EMSK) derived from a previous full EAP authentication. -The peer must learn the realm of the new authenticator before starting the exchange, for example using L2-dependent mechanism. If this condition is not met, the peer cannot assume that an ER server is available and bootstrapped in the domain of this authenticator. It should start an ERP bootstrapping exchange as described in [RFC5296]. In addition, if the peer is attaching to this realm for the first time since the EMSK was derived (inter-domain handover), an ERP bootstrapping exchange must be initiated. +The peer must learn the realm of the new authenticator before starting the exchange, for example using L2-dependent mechanism. If this condition is not met, the peer cannot assume that an ER server is available and bootstrapped in the realm of this authenticator. It should start an ERP bootstrapping exchange as described in [RFC5296]. In addition, if the peer is attaching to this realm for the first time since the EMSK was derived (inter-domain handover), an ERP bootstrapping exchange must be initiated. The authenticator must support ERP extensions. If this condition is not met, the ERP messages will be dropped by the authenticator conforming to [RFC4072] and ERP will fail. @@ -41,33 +41,33 @@ *Overview* -We define a new Diameter Application ID for ERP. When the authenticator receives an EAP-Initiate/Re-auth message, it encapsulates in a DER message following the rules described in [RFC4072]. The application id of the DER message is set to the new ERP application ID. The User-Name and Destination-Realm AVPs are extracted from the keyName-NAI included in the ERP message, as described in [RFC5296]. In the case were ERP is already bootstrapped in this domain, and the peer knows it, the Destination-Realm of the message is the local domain. In the other case, the peer is initiating a bootstrapping ERP exchange, and the Destination-Realm is the home domain. +We define a new Diameter Application ID for ERP. When the authenticator receives an EAP-Initiate/Re-auth message, it encapsulates it in a DER message following the rules described in [RFC4072]. The application id of the DER message is set to the Diameter ERP application ID. The User-Name and Destination-Realm AVPs are extracted from the keyName-NAI included in the ERP message, as described in [RFC5296]. In the case were ERP is already bootstrapped in this domain, and the peer knows it, the Destination-Realm of the message is the local domain. In other cases, the peer is initiating a bootstrapping ERP exchange, and the Destination-Realm is the home domain. When ERP is already bootstrapped, the message is routed to the bootstrapped ER server. This server processes the ERP message as described in [RFC5296] then derives a new rMSK and answers a DEA encapsulating the EAP-Finish/Re-auth answer and the rMSK for the authenticator. Re-authentication is complete {see pending question in the end of this document}. This exchange is described in Figure 2 bellow. -There are several options to bootstrap the local ER server. This document discusses some of the options, but a different mechanism not described here may be deployed as well. See the following sections for more details about bootstrapping scenarii. +There are several options to bootstrap the ER server. This document discusses some of the options, but a different mechanism not described here may be deployed as well. See the following sections for more details about bootstrapping scenarii. -Peer Authenticator ER server -==== ============= (bootstrapped) -[ <------------------------ ] (local or home domain) -[optional EAP-Initiate/Re-auth-start] ====================== + Peer Authenticator ER server + ==== ============= (bootstrapped) + [ <------------------------ ] (local or home domain) + [optional EAP-Initiate/Re-auth-start] ====================== - -----------------------> - EAP-Initiate/Re-auth - =====================================> - Diameter ERP, cmd code DER - User-Name: Keyname-NAI - EAP-Payload: EAP-Initiate/Re-auth + -----------------------> + EAP-Initiate/Re-auth + =====================================> + Diameter ERP, cmd code DER + User-Name: Keyname-NAI + EAP-Payload: EAP-Initiate/Re-auth + + <===================================== + Diameter ERP, cmd code DEA + EAP-Payload: EAP-Finish/Re-auth + EAP-Master-Session-Key: rMSK + <---------------------- + EAP-Finish/Re-auth - <===================================== - Diameter ERP, cmd code DEA - EAP-Payload: EAP-Finish/Re-auth - EAP-Master-Session-Key: rMSK - <---------------------- - EAP-Finish/Re-auth - -Figure 2. Diameter ERP exchange. + Figure 2. Diameter ERP exchange. @@ -87,84 +87,84 @@ When the ER server (in local or home domain) receives the ERP/DER request, it must process as follow: - Check in the local key store if a key with same name is available. If such key is found, process the request locally and answer. - Check if the EAP-Initiate/Re-auth message has the [B] (bootstrapping) flag set. If this flag is not set, relay the message without altering it (except adding the Route-Record information) or reply with an error if no other Diameter node is available to handle the request, following the rules of Diameter Base Protocol. -- If the [B] flag was set, the message is proxied locally, and modified as follow: +- If the [B] flag was set, the message is proxied locally and modified as follow: * Change the application-id of the message from Diameter ERP to Diameter EAP (so that the message will reach the Home EAP server). - * Add the rDSRK-Request AVP if ER server is in visited domain, or rRK-Request AVP if ER server is in home domain.@These grouped AVP are described in this document. + * Add the ERP-RK-Request AVP, defined in this document. * Send the new message. It will reach the Home EAP server. -If the home EAP server does not support ERP extensions, it replies with an error since EAP-Initiate/Re-auth command is not understood. Otherwise, it processes the EAP-Initiate/Re-auth message as described in [RFC5296] and derives the requested rDSRK or rRK, and new rMSK. It sends this material using the new AVPs described in this document. It also includes the realm of the ER server in the EAP-Finish/Re-auth message to inform the peer of the location of the ER server. +If the home EAP server does not support ERP extensions, it replies with an error since encapsulated EAP-Initiate/Re-auth command is not understood. Otherwise, it processes the EAP-Initiate/Re-auth message as described in [RFC5296] and derives the requested rDSRK or rRK, and new rMSK. It sends this material using the new ERP-RK-Answer AVP described in this document. It also includes the realm of the ER server in the EAP-Finish/Re-auth message to inform the peer of the location of the ER server. The ER server receives this DEA, extracts and cache the rRK or rDSRK material, restores the application-id to Diameter ERP and forwards the message to the authenticator. -This flow is captured bellow: +This flow is captured figure 3. Authenticator ER server Home EAP server ============= ========= =============== -----------------------> - ERP, DER + ERP/DER (EAP-Initiate) ------------------------> - EAP, DER + EAP/DER (EAP-Initiate) - (rDSRK-Request or rRK-Request) + (ERP-RK-Request) <------------------------ - EAP, DEA + EAP/DEA (EAP-Finish) - (rDSRK or rRK) + (ERP-RK-Answer) (rMSK) <---------------------- - ERP, DEA + ERP/DEA (EAP-Finish) (rMSK) -Figure 3. ERP explicit bootstrapping message flow. + Figure 3. ERP explicit bootstrapping message flow. *Scenario 2: implicit bootstrapping during full EAP authentication* -In some deployment scenarii, the ER server may be collocated with the EAP proxy or server. In that case, the optional ERP AVPs defined in this document may be used during initial full EAP authentication to provide implicit bootstrapping (section 5.1 of [RFC5296]) as described bellow. +In some deployment scenarii, the ER server may be collocated with an EAP proxy or server. In that case, the optional ERP AVPs defined in this document may be used during initial full EAP authentication to provide implicit bootstrapping (section 5.1 of [RFC5296]) as described bellow. -In this situation, ERP key material is derived and cached regardless of the peer support and willingness for ERP, which may lead to scalability or other issues. Implementors may provide other ways to select which sessions should use implicit bootstrapping. +In this scenario, the ERP key material is derived and cached regardless of the peer support and willingness for ERP. This may lead to scalability and other issues. Implementors may provide other ways to select which sessions should use implicit bootstrapping. -In the first round of full EAP exchange, the ER server adds the rDSRK-Request or rRK-request to the DER message. -If the home EAP server supports ERP extensions, it caches this request and continues the normal EAP authentication until completion. -When the authentication is successful and EMSK is generated, the home EAP server will also derive the rRK or rDSRK as requested, and add this material to the final DEA in the new AVPs defined in this document. The server may check that the ER server that requested the material is in the Route-Record list of the last DER, but this is not mandatory. +In the first round of full EAP exchange, the ER server adds the ERP-RK-Request AVP to the DER message. +If the home EAP server supports ERP extensions, it caches this request and continues the normal EAP authentication until completion. Otherwise, the optional AVP is simply ignored. +When the authentication is successful and EMSK is generated, the home EAP server derives the rRK or rDSRK as requested, and adds this material to the last DEA in the ERP-RK-Answer AVP defined in this document. The server may check that the ER server that requested the material is in the Route-Record list of the last DER, but this is not mandatory. -When the ER server collocated with EAP proxy receives a DEA containing ERP AVPs, it extracts these AVP and saves the rRK or rDSRK material for later use. +When the ER server collocated with EAP proxy receives the DEA containing ERP-RK-Answer AVP, it extracts this AVP and saves the rRK or rDSRK material for later use. EAP Proxy / Authenticator ER server Home EAP server ============= =========== =============== -------------------------> - EAP, DER + EAP/DER (EAP-Response) -------------------------> - EAP, DER + EAP/DER (EAP-Response) - (rDSRK-Request or rRK-Request) + (ERP-RK-Request) <==================================================> - Multi-round EAP unmodified exchanges + Multi-round EAP exchanges, unmodified <------------------------- - EAP, DEA + EAP/DEA (EAP-Success) - (MSK) - (rDSRK or rRK) + (MSK) + (ERP-RK-Answer) <------------------------- - EAP, DEA + EAP/DEA (EAP-Success) - (MSK) + (MSK) - Figure 4. Implicit ERP bootstrapping during full EAP authentication. + Figure 4. Implicit ERP bootstrapping during full EAP authentication. -*Scenario 4: Case of MIP6 ?* +*Scenario 4: Case of MIP6* -{TODO: study this case} +{TODO: study this case ?} *Scenario 5: Other possibilities* @@ -183,6 +183,9 @@ Diameter-EAP-Answer DEA 268 RFC 4072 Diameter ERP Figure 5: Command Codes +The following new AVPs are defined in this document. + + *ERP-RK-Request AVP* @@ -199,6 +202,7 @@ *ERP-Realm AVP* The ERP-Realm AVP (AVP Code TBD) is of type {DiameterIdentity? OctetString?}. It contains the name of the realm in which the ER server is located. +{FFS: We may re-use Origin-Realm here instead?} @@ -217,7 +221,7 @@ *ERP-RK AVP* -The ERP-RK AVP (AVP Code TBD) is of type OctetString. It contains the root key (either rRK or rDSRK) to be used for ERP feature with the peer to which this session belongs. How this material is derived and used is specified in [RFC5296]. +The ERP-RK AVP (AVP Code TBD) is of type OctetString. It contains the root key (either rRK or rDSRK) to be used for ERP with the peer to which this session belongs. How this material is derived and used is specified in [RFC5296]. @@ -247,4 +251,3 @@ -