Re: [Dime] DiME ERP: new Application ID or not ? (non-roaming case)

Hi Julien, 

When we discussed this at the phone conference call (and the discussion is
also captured in the meeting minutes), I thought that the conclusion was
to define a new Diameter application for this exchange:


   Peer               Authenticator                      Server
   ====               =============                      ======

    [<-- EAP-Initiate/ -----
        Re-auth-Start]
    [<-- EAP-Request/ ------
        Identity]


    ---- EAP-Initiate/ ----> ----AAA(EAP-Initiate/ ---------->
          Re-auth/                  Re-auth/
         [Bootstrap]              [Bootstrap])

    <--- EAP-Finish/ ------> <---AAA(rMSK,EAP-Finish/---------
          Re-auth/                   Re-auth/
        [Bootstrap]                [Bootstrap])

   Note: [] brackets indicate optionality.

                          Figure 2: ERP Exchange

(The server in the figure above is the HOKEY server, a dedicated entity.)


The initial EAP authentication is left untouched and, as Glen explained to us,
there is the assumption that the AAA entities work together with the HOKEY
servers in a non-standardized way. To me that sounded like a good plan.

Does this make any sense? 


The non-HOKEY expert
Hannes

PS: I never said that this specific document is going to be trivial :-)

>-----Original Message-----
>From: dime-bounces at ietf.org [mailto:dime-bounces at ietf.org] On 
>Behalf Of Julien Bournelle
>Sent: 04 March, 2009 09:05
>To: dime at ietf.org
>Subject: [Dime] DiME ERP: new Application ID or not ? 
>(non-roaming case)
>
>Hi all,
>
> we try to solve the issue concerning the need for a new App-Id or not.
>
> The ERP protocol (RFC 5296) is to be used along with EAP. It 
>basically defines two new EAP codes and uses keying material 
>derived from a first EAP authentication.
>
> To start the discussion, let's take the non-roaming case.
>
> In non-roaming, we have first an EAP authentication using 
>Diameter EAP.
> Then, for reauthentication using ERP, we have two messages 
>(Request/Response) between NAS and the AAA/ERP server 
>carrying EAP packets.
>
> See (http://tools.ietf.org/html/rfc5296#page-6)
>
> So, either we reuse the Diameter EAP Application (DER/DEA) or 
>we define a new Diameter Application.
>
> If we use a new Diameter Application, a new Diameter session 
>will be created and eventually a new Diameter server will be 
>reached. What bothers me in this case is that we basically 
>perform a reauthentication for the same session which is 
>primarily handled at the AAA/EAP server. So, I'm wondering what 
>happens concerning Authorization Lifetime, session etc.
>
> Note that I still don't have a strong opinion and I'll be glad 
>to hear opinions from others.
>
> Regards,
>
> Julien
>_______________________________________________
>DiME mailing list
>DiME at ietf.org
>https://www.ietf.org/mailman/listinfo/dime
>
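An added example, not from this thread or from any IETF document, to make the routing consequence of the two options concrete: a toy Diameter dispatcher in Python that parses the fixed 20-byte Diameter header, selects a server by the message's Application-Id the way a relay would, and runs the same ERP EAP-Initiate/Re-auth payload under both choices. Application-Id 5 (Diameter EAP, RFC 4072), command code 268 (DER/DEA), result code 3007 (DIAMETER_APPLICATION_UNSUPPORTED) and the EAP codes 5/6 with ERP types 1/2 from RFC 5296 are real values; the "new" ERP Application-Id, the server names and the EAP payload bytes are constructed placeholders, and AVP parsing is omitted.

```python
import struct

DIAMETER_VERSION = 1
FLAG_REQUEST = 0x80          # R bit of the Command Flags octet
FLAG_PROXIABLE = 0x40        # P bit

DIAMETER_EAP_APP_ID = 5      # Diameter EAP application (RFC 4072)
DER_COMMAND_CODE = 268       # Diameter-EAP-Request / Diameter-EAP-Answer
DIAMETER_SUCCESS = 2001
DIAMETER_APPLICATION_UNSUPPORTED = 3007   # protocol error (RFC 3588)

# Placeholder, not a registered IANA value: the thread only asks WHETHER
# a new Application-Id should be allocated for ERP.
HYPOTHETICAL_ERP_APP_ID = 0xFFFFFF01

# EAP codes and ERP message types introduced by RFC 5296
EAP_INITIATE, EAP_FINISH = 5, 6
ERP_TYPE_REAUTH_START, ERP_TYPE_REAUTH = 1, 2


def build_diameter_header(command_code, app_id, payload_len,
                          flags=FLAG_REQUEST | FLAG_PROXIABLE, hbh=1, e2e=1):
    """Header layout: Version|Length(24), Flags|Code(24), App-Id, HbH, E2E."""
    word0 = (DIAMETER_VERSION << 24) | ((20 + payload_len) & 0xFFFFFF)
    word1 = (flags << 24) | (command_code & 0xFFFFFF)
    return struct.pack("!IIIII", word0, word1, app_id, hbh, e2e)


def parse_diameter_header(data):
    """Decode the fixed header only; the AVPs that follow are not parsed."""
    if len(data) < 20:
        raise ValueError("truncated Diameter header")
    word0, word1, app_id, hbh, e2e = struct.unpack("!IIIII", data[:20])
    if word0 >> 24 != DIAMETER_VERSION:
        raise ValueError("unsupported Diameter version %d" % (word0 >> 24))
    return {"length": word0 & 0xFFFFFF,
            "request": bool((word1 >> 24) & FLAG_REQUEST),
            "command_code": word1 & 0xFFFFFF,
            "app_id": app_id, "hbh": hbh, "e2e": e2e}


def build_erp_eap_packet(code, erp_type, identifier=7):
    """Constructed sample: EAP header (Code, Identifier, Length) plus the
    ERP Type octet; the ERP TLVs and integrity checksum are left out."""
    return struct.pack("!BBHB", code, identifier, 5, erp_type)


def classify_eap(eap):
    """Name the ERP message carried in an EAP-Payload, or 'unknown'."""
    code, _ident, _length, erp_type = struct.unpack("!BBHB", eap[:5])
    names = {(EAP_INITIATE, ERP_TYPE_REAUTH_START): "EAP-Initiate/Re-auth-Start",
             (EAP_INITIATE, ERP_TYPE_REAUTH): "EAP-Initiate/Re-auth",
             (EAP_FINISH, ERP_TYPE_REAUTH): "EAP-Finish/Re-auth"}
    return names.get((code, erp_type), "unknown")


# Constructed deployment: the AAA/EAP server that ran the initial EAP
# authentication advertises only Diameter EAP; a dedicated HOKEY server
# (as in the figure above) advertises the new application.
SERVERS = {"aaa-eap": {DIAMETER_EAP_APP_ID},
           "hokey": {HYPOTHETICAL_ERP_APP_ID}}


def route(header, servers):
    """Pick a server whose advertised Auth-Application-Ids include the
    message's Application-Id; None when nobody supports it."""
    for name, apps in servers.items():
        if header["app_id"] in apps:
            return name
    return None


def handle(message, servers, session_owner):
    """Dispatch one request and report whether the chosen server is the one
    holding the original Diameter session (Authorization-Lifetime etc.)."""
    target = route(parse_diameter_header(message), servers)
    if target is None:
        return {"result_code": DIAMETER_APPLICATION_UNSUPPORTED,
                "server": None, "session_state_available": False}
    return {"result_code": DIAMETER_SUCCESS, "server": target,
            "session_state_available": target == session_owner}


def compare_options():
    """Same ERP EAP-Initiate/Re-auth payload under both Application-Id choices."""
    eap = build_erp_eap_packet(EAP_INITIATE, ERP_TYPE_REAUTH)
    reuse = build_diameter_header(DER_COMMAND_CODE, DIAMETER_EAP_APP_ID, len(eap)) + eap
    new_app = build_diameter_header(DER_COMMAND_CODE, HYPOTHETICAL_ERP_APP_ID, len(eap)) + eap
    only_eap = {"aaa-eap": SERVERS["aaa-eap"]}   # no HOKEY server deployed
    return {"reuse_eap_app": handle(reuse, SERVERS, "aaa-eap"),
            "new_app_with_hokey": handle(new_app, SERVERS, "aaa-eap"),
            "new_app_no_hokey": handle(new_app, only_eap, "aaa-eap")}


if __name__ == "__main__":
    for option, outcome in compare_options().items():
        print(option, outcome)
```

Running it shows the trade-off the two messages describe: with Application-Id 5 the re-authentication lands on the AAA/EAP server that already holds the session state; with a new Application-Id it is routed to whichever node advertises that application (the dedicated HOKEY server in the figure), so the session and Authorization-Lifetime state lives elsewhere, and a relay with no such node answers DIAMETER_APPLICATION_UNSUPPORTED.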

