Mercurial > hg > ietf
changeset 61:c9fdb3e03342
Added a recent source
author | Sebastien Decugis <sdecugis@nict.go.jp> |
---|---|
date | Fri, 05 Nov 2010 14:21:19 +0900 |
parents | 4c7f6ac0f8d1 |
children | 1e6465d45674 |
files | HOKEY/drafts/draft-ietf-hokey-arch-design.xml |
diffstat | 1 files changed, 867 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/HOKEY/drafts/draft-ietf-hokey-arch-design.xml Fri Nov 05 14:21:19 2010 +0900 @@ -0,0 +1,867 @@ +<?xml version="1.0" encoding="UTF-8"?> +<?xml-stylesheet type='text/xsl' +href='http://xml.resource.org/authoring/rfc2629.xslt' ?> +<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ +<!ENTITY rfc2119 PUBLIC "" +"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"> +<!ENTITY rfc2828 PUBLIC "" +"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2828.xml"> +<!ENTITY rfc2865 PUBLIC "" +"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2865.xml"> +<!ENTITY rfc3588 PUBLIC "" +"http://xml.resource.org/public/rfc/bibxml/reference.RFC.3588.xml"> +<!ENTITY rfc3748 PUBLIC "" +"http://xml.resource.org/public/rfc/bibxml/reference.RFC.3748.xml"> +<!ENTITY rfc4306 PUBLIC "" +"http://xml.resource.org/public/rfc/bibxml/reference.RFC.4306.xml"> +<!ENTITY rfc4962 PUBLIC "" +"http://xml.resource.org/public/rfc/bibxml/reference.RFC.4962.xml"> +<!ENTITY rfc5169 PUBLIC "" +"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5169.xml"> +<!ENTITY rfc5295 PUBLIC "" +"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5295.xml"> +<!ENTITY rfc5296 PUBLIC "" +"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5296.xml"> +<!ENTITY rfc5749 PUBLIC "" +"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5749.xml"> +<!ENTITY rfc5836 PUBLIC "" +"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5836.xml"> +<!ENTITY rfc5873 PUBLIC "" +"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5873.xml"> +]> +<?rfc toc="yes"?> +<?rfc symrefs="yes"?> +<?rfc compact="yes"?> +<?rfc subcompact="no"?> +<rfc category="info" docName="draft-ietf-hokey-arch-design-01" + ipr="trust200902"> + <front> + <title abbrev="Architecture Design">Handover Keying (HOKEY) Architecture + Design</title> + + <author fullname="Katrin Hoeper" initials="K." surname="Hoeper"> + <organization abbrev="Motorola">Motorola, Inc.</organization> + + <address> + <postal> + <street>1301 E. Algonquin Road</street> + + <city>Schaumburg</city> + + <region>IL</region> + + <code>60196</code> + + <country>USA</country> + </postal> + + <email>khoeper@motorola.com</email> + </address> + </author> + + <author fullname="Sebastien Decugis" initials="S." surname="Decugis"> + <organization abbrev="NICT">NICT</organization> + + <address> + <postal> + <street>4-2-1 Nukui-Kitamachi</street> + + <city>Tokyo</city> + + <region>Koganei</region> + + <code>184-8795</code> + + <country>Japan</country> + </postal> + + <email>sdecugis@nict.go.jp</email> + </address> + </author> + + <author fullname="Glen Zorn" initials="G." surname="Zorn"> + <organization abbrev="Network Zen">Network Zen</organization> + + <address> + <postal> + <street>1310 East Thomas Street</street> + + <city>Seattle</city> + + <region>Washington</region> + + <code>98102</code> + + <country>USA</country> + </postal> + + <email>gwz@net-zen.net</email> + </address> + </author> + + <author fullname="Qin Wu" initials="Q." surname="Wu"> + <organization abbrev="Huawei">Huawei Technologies Co.,Ltd</organization> + + <address> + <postal> + <street>Site B, Floor 12F, Huihong Mansion, No.91 Baixia + Rd.</street> + + <city>Nanjing</city> + + <region>JiangSu</region> + + <code>210001</code> + + <country>China</country> + </postal> + + <phone>+86-25-84565892</phone> + + <email>sunseawq@huawei.com</email> + </address> + </author> + + <author fullname="Tom Taylor" initials="T." surname="Taylor"> + <organization abbrev="Huawei">Huawei Technologies Co., Ltd</organization> + + <address> + <postal> + + <street></street> + + <city>Ottawa </city> + + <country>Canada</country> + </postal> + + <email>tom111.taylor@bell.net </email> + </address> + </author> + + <date year="2010" /> + + <workgroup>Network Working Group</workgroup> + + <abstract> + <t>The Handover Keying (HOKEY) Working Group seeks to minimize handover delay +due to authentication when a peer moves from one point of attachment to another. +Work has progressed on two different approaches to reduce handover delay: +early authentication (so that authentication does not need to be performed +during handover), and reuse of cryptographic material generated during an +initial authentication to save time during re-authentication. A starting +assumption is that the mobile host or "peer" is initially authenticated using +the Extensible Authentication Protocol (EAP), executed between the peer and an +EAP server as defined in RFC 3748.</t> + + <t>This document documents the HOKEY architecture. Specifically, it describes +design objectives, the functional environment within which handover keying +operates, the functions to be performed by the HOKEY architecture itself, and +the assignment of those functions to architectural components. It goes on to +illustrate the operation of the architecture within various deployment +scenarios that are described more fully in other +documents produced by the HOKEY Working Group. </t> + </abstract> + </front> + + <middle> + <section title="Introduction"> + + <t>The Extensible Authentication Protocol (EAP) <xref +target="RFC3748"></xref> is an authentication framework that supports different +types of authentication methods. Originally designed for dial-up connections, +EAP is now commonly used for authentication in wireless access networks.</t> + + <t>When a host (or "peer", the term used from this point onward) changes its +point of attachment to the network, it must be re-authenticated. If a full EAP +authentication must be repeated, several message round-trips between the peer +and the home EAP server may be involved. The resulting delay will result in +degradation or in the worst case loss of any service session in progress if +communication is suspended while re-authentication is carried out. The delay is +worse if the new point of attachment is in a visited network rather than the +peer's home network, because of the extra procedural steps involved as well as +because of the probable increase in round-trip time. </t> + + <t><xref target="RFC5169"/> describes this problem more fully and establishes +design goals for solutions to reduce re-authentication delay for transfers +within a single administrative domain. <xref target="RFC5169"/> also suggests a +number of ways to achieve a solution: +<list style="symbols"> + <t>specification of a method-independent, efficient, re-authentication + protocol;</t> + + <t>reuse of keying material from the initial authentication;</t> + + <t>deployment of re-authentication servers local to the peer to reduce + round-trip delay; and</t> + + <t>specification of the additional protocol needed to allow the EAP + server to pass authentication information to the local re-authentication + servers.</t> +</list> + </t> + <t><xref target="RFC5295"/> tackles the problem of reuse of keying material +by specifying how to derive a hierarchy of cryptographically independent +purpose-specific keys from the results of the original EAP authentication. +<xref target="RFC5296"/> specifies a method-independent re-authentication +protocol (ERP) applicable to two specific deployment scenarios: + <list style="symbols"> + <t>where the peer's home EAP server also performs re-authentication; +and</t> + <t>where a local re-authentication server exists but is collocated with a + AAA proxy within the domain.</t> + </list> +</t> + + <t>Other work provides further pieces of the solution or insight +into the problem. For the purpose of this draft, <xref target="RFC5749"/> provides an abstract mechanism +for distribution of keying material from the EAP server to re-authentication servers. <xref target="RFC5836"/> +contrasts the EAP re-authentication (ER) strategy provided by <xref target="RFC5296"/> with an alternative strategy called "early authentication". +<xref target="RFC5836"></xref> defines EAP early +authentication as the use of EAP by a mobile peer to establish authenticated +keying material on a target attachment point prior to its arrival. Here, a full +EAP execution occurs before the handover of the peer takes place. Hence, the +goal of EAP early authentication is to complete all EAP-related communications, +including AAA signaling, in preparation for the handover, before the mobile +device actually moves. Early authentication includes direct and indirect pre-authentication as well as Authenticated Anticipatory Keying (AKK). +All three mechanims provide means to execute a full EAP authentication with a Candidate Access Point (CAP) while still being connected to the Serving + Access Point (SAP) but vary in their +respective system assumptions and communication paths. In particular, direct pre-authentication assumes that clients are capable of discovering candidate + access points and all communications are routed through the serving access point. On the other hand, indirect pre-authentication assumes an + existing relationship betweem SAP and CAP, whereas in AAK the client interacts with the AAA to discover and connect to CAPs.</t> + + + + + <t>Both EAP re-authentication and early authentication enable faster +inter-authenticator handovers. However, it is currently unclear how the +necessary handover infrastructure is deployed and can be integrated into existing +EAP infrastructures. In particular, previous work has not described how ER +servers that act as endpoints in the re-authentication process should be integrated into local and home domain +networks. Furthermore, it is currently unspecified how EAP infrastructure can +support the timely triggering of early authentications and aid with the selection of candidate access points.</t> + + <t>This document proposes a general HOKEY architecture and demonstrates +how it can be adapted to different deployment scenarios. To begin with, <xref +target="goals"/> recalls the design objectives for the HOKEY architecture. <xref +target="fncns"/> reviews the functions that must be supported within the +architecture. <xref target="compon"/> describes the components of the HOKEY +architecture. Finally, <xref target="scen"/> describes the different deployment +scenarios that the HOKEY Working Group has addressed and the information flows +that must occur within those scenarios, by reference to the documents +summarized above where possible and otherwise within this document itself.</t> + +</section><!-- Introduction --> + + <section anchor="terms" title="Terminology"> + + <t>This document contains no normative language, hence +<xref target="RFC2119"/> language does not apply.</t> + + <t>This document reuses most of the terms defined in Section 2.2 of + <xref target="RFC5836"/>. In addition, it defines the following: + +<list style="hanging"> + <t hangText="EAP Early Authentication"><vspace blankLines="0" /> + The use of EAP by a mobile peer to establish authenticated keying material on a target attachment point prior to its arrival, + see <xref target="RFC5836"></xref>. + </t> + + <t hangText="EAP Re-authentication (ER)"><vspace blankLines="0" /> + The use of keying material derived from an initial EAP authentication + to enable single-roundtrip re-authentication of a mobile peer. For a + detailed description of the keying material see Section 3 of + <xref target="RFC5296"/>. + </t> + + <t hangText="ER Server"><vspace blankLines="0" /> + A component of the HOKEY architecture that terminates the EAP + re-authentication exchange with the peer. + </t> + + <t hangText="ER Key Management"><vspace blankLines="0" /> + An instantiation of the mechanism provided by <xref target="RFC5749"/> for + creating and delivering root keys from an EAP server to an ER server. + </t> + +</list> +</t> + </section> + + <section anchor="goals" title="Design Goals"> + + <t>This section investigates the design goals for the HOKEY +architecture. These include reducing the signaling overhead for re- +authentication and early authentication, integrating local domain name +discovery, +and improving deployment scalability. +These goals supplement the discussion in <xref target="RFC5169"/>.</t> + + <section anchor="sigOvhd" title="Reducing Signalling Overhead"> + +<section title="Minimized Communications with Home Servers"> + + <t>ERP requires only one round trip, however, this roundtrip may +require communications between a peer and its home ER and/or home AAA server +even if the peer is currently attached to a visited (local) network. As a +result, even this one round trip may introduce long delays because home ER and +home AAA servers may be distant from the peer. To lower the signaling overhead, +communication with the home ER server and home AAA server should be minimized. +Ideally, a peer should only need to communicate with local servers and other +local entities.</t> + + </section> + + <section title="Integrated Local Domain Name (LDN) Discovery"> + + <t> ERP bootstrapping must occur before (implicit) or during (explicit) a +handover to transport the necessary re-authentication root keys to the local ER +server involved. Implicit bootstrapping is preferable because it does not +require communication with the home ER server during handover (see previous +section), but it requires the peer to know the domain name of the ER server in +order to derive the necessary re-authentication keying material. <xref +target="RFC5296"></xref> does not specify such a domain name discovery +mechanism and suggests that the peer may learn the domain name through the EAP- +Initiate/Re-auth-Start message or via lower layer announcements. To allow more +efficient handovers, a HOKEY architecture should support an efficient domain +name discovery mechanism and allow its integration with ERP implicit +bootstrapping. Even in the case of explicit bootstrapping, local domain name +discovery should be optimized such that it does not require contacting the home +AAA server, as is currently the case.</t> + + </section> + +</section><!-- sigOvhd --> + + <section title="Better Deployment Scalability"> + + <t>To provide better deployment scalability, it should not be required +that the HOKEY server and AAA servers or proxies are collocated. Separation of +these entities may cause problems with routing, but allows flexibility in +deployment and implementation.</t> + + </section> + + </section> + + <section anchor="fncns" title="Functions That Must Be Supported"> + <section title="System Overview"> + +<t>This section views the HOKEY architecture as the implementation of a +subsystem providing authentication services to AAA. Not only does AAA depend on +the authentication subsystem, but the latter also depends on AAA as a means for +the routing and secure transport of messages internal to the operation of +network access authentication.</t> + +<t>The operation of the authentication subsystem also depends on the +availability of a number of discovery functions: +<list style="symbols"> +<t>discovery of candidate access points, by the peer, by the serving attachment +point, or by some other entity;</t> +<t>discovery of the authentication services supported at a given candidate +access +point;</t> +<t>discovery of the required server in the home domain when a candidate +access point is not in the same domain as the serving attachment point, or +no local server is available;</t> +<t>peer discovery of the local domain name (LDN) when EAP re-authentication +is used with a local server. </t> +</list> +It is assumed that +these functions are provided by the environment within which the +authentication subsystem operates, and are outside the scope of the +authentication subsystem itself. Local domain name discovery is +a possible exception. </t> + +<t><xref target="fig_fctlOver"/> shows the major functions comprising +the authentication subsystem and their interdependencies. These functions +are described below. +[EDITOR'S NOTE: These probably need refinement. The relationship +of pre-authentication to EAP authentication, for instance, is +currently not totally correct, when one takes account of the +roles described in <xref target="compon"/>. AAK also needs +an extension of ER key management.]</t> + +<figure anchor="fig_fctlOver" title="Authentication Subsystem + Functional Overview"> + <artwork> ++------------------------------------------------------------+ +| AAA Network Access Authentication and Authorization | ++---+-------------.----------------------------+-------------+ + | /|\ | + | | Authentication subsystem | ++===|=============|============================|=============+ +| | +---------+----------+ +-------------V---------+ | +| | | Direct and | | EAP Re-authentication | | +| | | Indirect | +--+------+-------------+ | +| | | Pre-Authentication | / / | +| | +--------------------+ / / | +| | / / +---------------+ | +| | / | | Authenticated | | +| | / | | Anticipatory | | +| | / | | Keying (AAK) | | +| | / | +-------+-------+ | +| | / | | | +| +-V------------------+ / +---------V----------V--------+ | +| | EAP Authentication | | | ER Key Management | | +| +---------+----------+ | |+------------+ +------------+| | +| | | ||Handover Key| |Handover Key|| | +| | | || Derivation | |Distribution|| | +| | | |+------------+ +------+-----+| | +| | | +----------------------|------+ | ++===========|=============|=========================|========+ + | | | ++-----------V-------------V-------------------------V--------+ +| AAA routing and secure transport | ++------------------------------------------------------------+ +</artwork> +<postamble>Arrows show the direction of functional dependency.</postamble> + </figure> + + <t><xref target="fig_fctlOver"/> shows the following dependencies: +<list style="symbols"> +<t>When AAA is invoked to authenticate and authorize network access, it uses one +of two services offered by the authentication subsystem: full EAP +authentication, or EAP re-authentication.</t> + +<t>Pre-authentication triggers AAA network access authentication and +authorization at each candidate access point, which in turn causes full EAP +authentication to be invoked. </t> + +<t> EAP re-authentication invokes ER key management at the time of +authentication to create and distribute keying material to ER servers.</t> + +<t>Authenticated anticipatory keying (AAK) relies on ER key management to +establish keying material on ER/AAK servers, but uses an extension +to ER key management to derive and establish keying material on +candidate authenticators.</t> +</list> +</t> + +<t>EAP authentication, EAP re-authentication, and handover key distribution +depend on the routing and secure transport service +provided by AAA. Discovery functions and the function of authentication and +authorization of network entities (access points, ER servers) +are not shown. As stated above, these are external to the authentication +subsystem.</t> + + </section><!-- System Overview --> + +<section anchor="preauth" title="Pre-Authentication Function (Direct or +Indirect)"> + +<t>The pre-authentication function is responsible for discovery of candidate +access points and completion of network access authentication and +authorization at each candidate access point in advance of handover. The operation of this function +is described in general terms in <xref target="RFC5836"/>. No document is +yet available to describe the implementation of pre-authentication +in terms of specific protocols. <xref target="RFC5873"/> +could be part of the solution, but is Experimental rather +than Standards Track.</t> + +</section><!-- preauth --> + +<section anchor="reauth" title="EAP Re-authentication Function"> + +<t>The EAP re-authentication function is responsible for authenticating +the peer at a specific access point using keying material +derived from a prior full EAP authentication. <xref target="RFC5169"/> +provides the design objectives for an implementation of this function. +<xref target="RFC5296"/> describes a protocol to implement EAP +re-authentication subject to the architectural restrictions noted +above. Work is in progress to relax those restrictions.</t> + +</section><!-- reauth --> + +<section anchor="EAPauthen" title="EAP Authentication Function"> + +<t>The EAP authentication function is responsible for authenticating +the peer at a specific access point using a full EAP exchange. +<xref target="RFC3748"/> defines the associated protocol. +<xref target="RFC5836"/> shows the use of EAP as part of +pre-authentication. Note that the HOKEY Working Group has not specified +the non-AAA protocol required +to transport EAP frames over IP that is shown in Figures 3 and 5 +of <xref target="RFC5836"/>, although <xref target="RFC5873"/> +is a candidate. +</t> + +</section><!-- EAPauthen --> + +<section anchor="AAKfcn" title="Authenticated Anticipatory Keying (AAK) +Function"> + +<t>The authenticated anticipatory keying function is responsible for +pre-placing keying material derived from an initial full EAP authentication +on candidate access points. The operation is carried out in two steps: +ER key management (with trigger not currently specified) places root +keys derived from initial EAP authentication onto an ER/AAK server +associated with the peer. When requested by the peer, the ER/AAK server +derives and pushes predefined master session keys to a list of +candidate access points. The operation +of the authenticated anticipatory keying function is described in very +general terms in <xref target="RFC5836"/>. +A protocol implementation is being specified +in <xref target="I-D.ietf-hokey-erp-aak"/>.</t> + +</section><!-- AAKfcn --> + +<section anchor="keyMgmt" title="EAP-Based Handover Key Management"> + + <t>EAP-based handover key management consists of EAP method +independent key derivation and distribution and comprises the following +specific functions: +<list style="symbols"> + <t>handover key derivation; and</t> + <t>handover key distribution.</t> +</list> +The derivation of handover keys is specified in <xref +target="RFC5295"></xref>, and key distribution is specified in <xref +target="RFC5749"></xref>.</t> + +</section><!-- keyMgmt --> + + </section><!-- fncns --> + +<section anchor="compon" title="Components of the HOKEY Architecture"> + +<t>This section describes the components of the HOKEY architecture, in terms +of the functions they perform. The components cooperate as described in +this section to carry out the functions described in the previous section. +<xref target="scen"/> describes the different +deployment scenarios that are possible using these functions.</t> + +<t>The components of the HOKEY architecture are as follows: +<list style="symbols"> + <t>the peer;</t> + <t>the authenticator, which is a part of the serving access point + and candidate access points;</t> + <t>the EAP server; and</t> + <t>the ER server, either in the home domain or local to the + authenticator.</t> +</list> +[EDITOR'S NOTE: probably have to add the ER/AAK server named +in <xref target="I-D.ietf-hokey-erp-aak"/> to this list.] +</t> + +<section anchor="peerFnc" title="Functions of the Peer"> + +<t>The peer participates in the functions described in <xref target="fncns"/> +as shown in <xref target="tab_peerFnc"/>.</t> + +<texttable anchor="tab_peerFnc" title="Functions of the Peer"> +<ttcol>Function</ttcol> +<ttcol>Peer Role</ttcol> + +<c>EAP authentication</c> +<c>Determines that full EAP authentication is needed based on context +(e.g., initial authentication), prompting from the authenticator, or +discovery that only EAP authentication is supported. Participates +in the EAP exchange with the EAP server.</c> +<c>-</c> +<c>-</c> + +<c>Direct pre-authentication</c> +<c>Discovers candidate access points. Initiates pre-authentication +with each, followed by EAP authentication as above, but using IP +rather than L2 transport for the EAP frames.</c> +<c>-</c> +<c>-</c> + +<c>Indirect pre-authentication</c> +<c>Enters into a full EAP exchange when triggered, using either L2 +or L3 transport for the frames. </c> +<c>-</c> +<c>-</c> + +<c>EAP re-authentication</c> +<c>Determines that EAP re-authentication is possible based on +discovery or authenticator prompting. Discovers ER server. +Participates in ERP exchange with ER server.</c> +<c>-</c> +<c>-</c> + +<c>Authenticated anticipatory keying</c> +<c>Determines that AAK is possible based on discovery or +serving authenticator prompting. Discovers candidate access points. +Sends request to serving authenticator to distribute keying +material to the candidate access points. +</c> +<c>-</c> +<c>-</c> + +<c>ER key management</c> +<c>No role.</c> +</texttable> + + +</section><!-- peerFnc --> + +<section anchor="saFnc" title="Functions of the Serving Authenticator"> + +<t>The serving authenticator participates in the functions described +in <xref target="fncns"/> +as shown in <xref target="tab_saFnc"/>.</t> + +<texttable anchor="tab_saFnc" title="Functions of the Serving Authenticator"> +<ttcol>Function</ttcol> +<ttcol>Serving Authenticator Role</ttcol> + +<c>EAP authentication</c> +<c>No role. </c> +<c>-</c> +<c>-</c> + +<c>Direct pre-authentication</c> +<c>No role.</c> +<c>-</c> +<c>-</c> + +<c>Indirect pre-authentication</c> +<c>Discovers candidate access points. Initiates an EAP exchange +between the peer and the EAP server through each candidate +authenticator. Mediates between L2 transport of EAP frames on the peer +side and a non-AAA protocol over IP toward the candidate access point.</c> +<c>-</c> +<c>-</c> + +<c>EAP re-authentication</c> +<c>No role.</c> +<c>-</c> +<c>-</c> + +<c>Authenticated anticipatory keying</c> +<c>Mediates between L2 transport of AAK frames on the peer side +and AAA transport toward the ER/AAK server.</c> +<c>-</c> +<c>-</c> + +<c>ER key management</c> +<c>No role.</c> +</texttable> + +</section><!-- saFnc --> + +<section anchor="caFnc" title="Functions of the Candidate Authenticator"> + +<t>The candidate authenticator participates in the functions described +in <xref target="fncns"/> +as shown in <xref target="tab_caFnc"/>.</t> + +<texttable anchor="tab_caFnc" title="Functions of the Candidate Authenticator"> +<ttcol>Function</ttcol> +<ttcol>Candidate Authenticator Role</ttcol> + +<c>EAP authentication</c> +<c>Invokes AAA network access authentication and authorization +upon handover/initial attachment. +Mediates between L2 transport of EAP frames on the peer link and AAA +transport toward the EAP server.</c> +<c>-</c> +<c>-</c> + +<c>Direct pre-authentication</c> +<c>Invokes AAA network access authentication and authorization +when the peer initiates authentication. +Mediates between non-AAA L3 transport of EAP frames on the peer side and AAA +transport toward the EAP server. </c> +<c>-</c> +<c>-</c> + +<c>Indirect pre-authentication</c> +<c>Same as direct pre-authentication, except that it communicates with +the serving authenticator rather than the peer.</c> +<c>-</c> +<c>-</c> + +<c>EAP re-authentication</c> +<c>Invokes AAA network access authentication and authorization upon handover. +Discovers or is configured with the address of the ER server. +Mediates between L2 transport of a ERP frames on the peer side +and AAA transport toward the ER server.</c> +<c>-</c> +<c>-</c> + +<c>Authenticated anticipatory keying</c> +<c>Receives and saves pMSK.</c> +<c>-</c> +<c>-</c> + +<c>ER key management</c> +<c>No role.</c> +</texttable> + +</section><!-- caFnc --> + +<section anchor="EAPsrvFnc" title="Functions of the EAP Server"> + +<t>The EAP server participates in the functions described in +<xref target="fncns"/> +as shown in <xref target="tab_EAPsrvFnc"/>.</t> + +<texttable anchor="tab_EAPsrvFnc" title="Functions of the EAP Server"> +<ttcol>Function</ttcol> +<ttcol>EAP Server Role</ttcol> + +<c>EAP authentication</c> +<c>Authenticates and authorizes the candidate access point to act as +authenticator. +Terminates EAP signalling between it and the peer via the candidate +authenticator. Determines whether +network access authentication succeeds or fails. Provides MSK +to authenticator.</c> +<c>-</c> +<c>-</c> + +<c>Direct pre-authentication</c> +<c>As for EAP authentication.</c> +<c>-</c> +<c>-</c> + +<c>Indirect pre-authentication</c> +<c>As for EAP authentication.</c> +<c>-</c> +<c>-</c> + +<c>EAP re-authentication</c> +<c>Mutually authenticates with the ER server and authorizes it for +receiving keying amterial. Provides rRK or DSrRK to the ER server.</c> +<c>-</c> +<c>-</c> + +<c>Authenticated anticipatory keying</c> +<c>As for EAP re-authentication.</c> +<c>-</c> +<c>-</c> + +<c>ER key management</c> +<c>Creates rRK or DSrRK and distributes it to ER server requesting the +information.</c> +</texttable> + +</section><!-- EAPsrvFnc --> + +<section anchor="ERsrvFnc" title="Functions of the ER Server"> + +<t>The ER server participates in the functions described in +<xref target="fncns"/> +as shown in <xref target="tab_ERsrvFnc"/>. [EDITOR'S NOTE: Need discussion of +respective roles of local and home ER server, or whether there should even be +such a distinction.]</t> + +<texttable anchor="tab_ERsrvFnc" title="Functions of the ER Server"> +<ttcol>Function</ttcol> +<ttcol>ER Server Role</ttcol> + +<c>EAP authentication</c> +<c>No role.</c> +<c>-</c> +<c>-</c> + +<c>Direct pre-authentication</c> +<c>No role.</c> +<c>-</c> +<c>-</c> + +<c>Indirect pre-authentication</c> +<c>No role.</c> +<c>-</c> +<c>-</c> + +<c>EAP re-authentication</c> +<c>Authenticates and authorizes the candidate access point to act as +authenticator. Authenticates itself to the EAP server and acquires +rRK or DSrRK as applicable when necessary. +Terminates ERP signalling between it and the peer via the candidate +authenticator. Determines whether +network access authentication succeeds or fails. Provides MSK +to authenticator.</c> +<c>-</c> +<c>-</c> + +<c>Authenticated anticipatory keying</c> +<c>Authenticates itself to the EAP server and acquires +rRK or DSrRK as applicable when necessary. Authenticates and authorizes +the candidate access points to act as authenticator. Derives pMSKs and +passes them to the candidate access points.</c> +<c>-</c> +<c>-</c> + +<c>ER key management</c> +<c>Receives and saves rRK or DSrRK as applicable.</c> +</texttable> + +</section><!-- ERsrvFnc --> + +</section><!-- compon --> + + + <section anchor="scen" title="Deployment Scenarios"> + +<t>The necessity for this section and its contents are TBD.</t> + +</section><!-- scen --> + + + <section title="AAA Consideration"> + <section title="Standalone HOKEY server"> + <t>TBD.</t> + </section> + </section> + + <section title="Security Considerations"> + <t>TBD</t> + </section> + + <section title="IANA Considerations"> + <t>This document has no actions for IANA.</t> + </section> + + <section title="Acknowledgments"> + <t>The authors would like to thank Mark Jones and Zhen Cao + for their reviews of previous versions of this draft.</t> + </section> + </middle> + + <back> + <references title="Informative References"> +&rfc2119; +&rfc3748; +&rfc5169; +&rfc5295; +&rfc5296; +&rfc5749; +&rfc5836; +&rfc5873; + +<reference anchor="I-D.ietf-hokey-erp-aak"> +<front> +<title>EAP Re-authentication Protocol Extensions for Authenticated Anticipatory + Keying (ERP/AAK)</title> +<author fullname="Zhen Cao" initials="Z." surname="Cao"> +<organization>China Mobile +</organization> +</author> +<author fullname="Hui Deng" initials="H." surname="Deng"> +<organization>China Mobile +</organization> +</author> +<author fullname="Yungui Wang" initials="Y." surname="Wang"> +<organization>Huawei Technologies</organization> +</author> +<author fullname="Qin Wu" initials="Q." surname="Wu"> +<organization>Huawei technologies</organization> +</author> +<author fullname="Glen Zorn" initials="G." surname="Zorn"> +<organization>Network Zen</organization> +</author> +<date month="May" year="2010" /> +</front><seriesInfo name="Internet Draft" value="draft-ietf-hokey-erp-aak-02" /> + +</reference> + + + </references> + + </back> +</rfc>