changeset 11:c8dd0bdbd9e6
More cleanups.
| field | value |
|---|---|
| author | Sebastien Decugis <sdecugis@nict.go.jp> |
| date | Wed, 18 Mar 2009 14:16:22 +0900 |
| parents | 4f4591406a24 |
| children | ece18f20b72c aa31cf892b1b |
| files | New_ERP_draft_src.txt |
| diffstat | 1 files changed, 21 insertions(+), 17 deletions(-) |
--- a/New_ERP_draft_src.txt Wed Mar 18 14:04:55 2009 +0900 +++ b/New_ERP_draft_src.txt Wed Mar 18 14:16:22 2009 +0900 @@ -1,3 +1,4 @@ + *Abstract* The EAP Re-authentication Protocol [RFC5296] provides an optimization for EAP authentication when a peer moves from an authenticator to another. This protocol assumes that a AAA protocol is available to transport the ERP messages between authenticator and ER server. [draft-gaonkar-radext-erp-attrs-03] specifies the transport of ERP using RADIUS. This document specifies the transport of ERP using Diameter [RFC3588]. @@ -47,11 +48,12 @@ There are several options to bootstrap the ER server. This document discusses some of the options, but a different mechanism not described here may be deployed as well. See the following sections for more details about bootstrapping scenarii. - - Peer Authenticator ER server - ==== ============= (bootstrapped) - [ <------------------------ ] (local or home domain) - [optional EAP-Initiate/Re-auth-start] ====================== + ER server + (bootstrapped) + Peer Authenticator (local or home domain) + ==== ============= ====================== + [ <------------------------ ] + [optional EAP-Initiate/Re-auth-start] -----------------------> EAP-Initiate/Re-auth @@ -76,6 +78,7 @@ The purpose of bootstrapping is to provide the keying material to the ER server. This keying material is rRK (directly derived from EMSK) when the ER server is in the peer's home domain. The keying material is rDSRK (derived from DSRK, itself derived from EMSK) when the ER server is in the visited domain. + *Scenario 1: explicit bootstrapping* As described in [RFC5296], an explicit bootstrapping exchange can be initiated by the peer. In this case, the realm part of the Keyname-NAI is the home domain of the peer. 
@@ -101,22 +104,22 @@ Authenticator ER server Home EAP server ============= ========= =============== -----------------------> - ERP/DER - (EAP-Initiate) + Diameter ERP/DER + (EAP-Initiate) ------------------------> - EAP/DER + Diameter EAP/DER (EAP-Initiate) (ERP-RK-Request) <------------------------ - EAP/DEA + Diameter EAP/DEA (EAP-Finish) (ERP-RK-Answer) (rMSK) <---------------------- - ERP/DEA - (EAP-Finish) - (rMSK) + Diameter ERP/DEA + (EAP-Finish) + (rMSK) Figure 3. ERP explicit bootstrapping message flow. @@ -138,23 +141,23 @@ Authenticator ER server Home EAP server ============= =========== =============== -------------------------> - EAP/DER + Diameter EAP/DER (EAP-Response) -------------------------> - EAP/DER + Diameter EAP/DER (EAP-Response) (ERP-RK-Request) <==================================================> - Multi-round EAP exchanges, unmodified + Multi-round Diameter EAP exchanges, unmodified <------------------------- - EAP/DEA + Diameter EAP/DEA (EAP-Success) (MSK) (ERP-RK-Answer) <------------------------- - EAP/DEA + Diameter EAP/DEA (EAP-Success) (MSK) @@ -167,6 +170,7 @@ {TODO: study this case ?} + *Scenario 5: Other possibilities* {In case implementation-specific solution is retained, list here the constraints?}
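Review bot: In the first hunk (@@ -1,3 +1,4 @@, the new *Abstract* heading), the context sentence "when a peer moves from an authenticator to another" should read "from one authenticator to another". More substantively, the abstract cites only the Diameter base protocol [RFC3588], yet the DER/DEA commands used throughout the later figures belong to the Diameter EAP application (RFC 4072); that reference should be added here, since transporting ERP over Diameter means extending that application rather than the base protocol.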
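Review bot: In the second hunk (@@ -47,11 +48,12 @@), the context line "bootstrapping scenarii" should be "bootstrapping scenarios"; "scenarii" is not an English plural. The reordered figure header is an improvement, as the three column labels now line up with their underlines, but the "(local or home domain)" qualifier under "ER server" is the only place the figure says which deployment it covers; a one-line caption saying that the same flow applies in both cases would make that explicit.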
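Review bot: In the third hunk (@@ -76,6 +78,7 @@, the new *Scenario 1: explicit bootstrapping* heading), the sentence "the realm part of the Keyname-NAI is the home domain of the peer" states a routing fact without saying what the ER server does with it. Since this realm is what gets the request to the peer's home server, the text should state that the ER server derives the Destination-Realm of the outgoing Diameter request from the Keyname-NAI realm, and what happens when that realm is the ER server's own domain (the rRK case described just above), since then no forwarding is needed at all.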
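Review bot: In the fourth hunk (Figure 3, @@ -101,22 +104,22 @@), the "(ERP-RK-Answer)" in the DEA from the home EAP server carries no key label, while every other key-bearing message in the figure names its key ("(rMSK)"). The surrounding text says a visited-domain ER server needs rDSRK, derived from DSRK, so the figure should show which key the ERP-RK-Answer returns (DSRK) and the text should state that the ER server forwards only "(EAP-Finish) (rMSK)" to the authenticator, as the last message already depicts, i.e. it removes ERP-RK-Answer and the root key before forwarding. Prefixing "Diameter" to the command names is fine, but "Diameter ERP/DER" and "Diameter EAP/DER" should be defined once, since it is not obvious from the figure alone that they denote two different Diameter applications.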
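Review bot: In the fifth hunk (implicit bootstrapping figure, @@ -138,23 +141,23 @@), the figure shows the ER server inserting "(ERP-RK-Request)" into the first DER and receiving "(ERP-RK-Answer)" in the final DEA, while the DEA it forwards to the authenticator carries only "(EAP-Success) (MSK)". The prose needs to say this explicitly: the ER server acts as a Diameter proxy that touches exactly the first request and the final answer, passes the "Multi-round Diameter EAP exchanges, unmodified" through untouched, and MUST strip ERP-RK-Answer and the root key it carries before relaying the DEA, so that the authenticator never sees anything beyond the MSK. It should also say how the ER server decides to add ERP-RK-Request on that first DER, since at that point it has only seen an "(EAP-Response)".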
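Review bot: In the last hunk (@@ -167,6 +170,7 @@), the new heading *Scenario 5: Other possibilities* is placed directly above an unresolved placeholder, "{In case implementation-specific solution is retained, list here the constraints?}", immediately after another placeholder, "{TODO: study this case ?}". Either mark the second one consistently as a {TODO: ...} or hold the heading back until there is content under it; a numbered scenario heading with no text reads as a finished section. If it stays, the placeholder should read "In case an implementation-specific solution is retained".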