Re: [Dime] DiME ERP - Getting the message flows right



Hi Behcet, 
 

	Hi Hannes,
	  Fig. 1 in RFC 5296 is included to introduce full EAP authentication to the reader so that the EAP Re-authentication Protocol can be presented.
	 
[hannes] OK. Makes sense in RFC 5296 but not in the Diameter document, I
believe. 
	 
	 
	  I agree with you that Fig. 2 should have indicated ER Server, not just Server, but I think this has been clarified in the text.
	 
[hannes] Maybe it is, but there is still a lot of confusion on how the message routing works, and these details make it even more difficult to understand.
	 
	  Shouldn't it be ER Server but not ERP Server? ER Server is defined
in the terminology section of RFC 5296. 

[hannes] Correct.
	 
Ciao
Hannes
	 
	 
	Regards,
	 
	Behcet
	

	________________________________

	From: Hannes Tschofenig <Hannes.Tschofenig at gmx.net>
	To: Qin Wu <sunseawq at huawei.com>; Julien Bournelle
<julien.bournelle at gmail.com>
	Cc: dime at ietf.org; hokey at ietf.org
	Sent: Thursday, March 12, 2009 5:39:51 AM
	Subject: [Dime] DiME ERP - Getting the message flows right
	
	The figures in http://www.ietf.org/rfc/rfc5296.txt are pretty confusing.
	
	For example, Figure 2 talks about a 'server' rather than saying that this is the ERP server.
	
	Figure 3 is even more confusing as it shows a standard EAP exchange but then has a ER server in there.
	
	  Peer        EAP Authenticator    Local ER Server    Home EAP Server
	  ====        =================    ===============    ===============
	
	  <-- EAP-Request/ --
	        Identity
	
	  -- EAP Response/-->
	        Identity      --AAA(EAP Response/-->
	                            Identity)      --AAA(EAP Response/ -->
	                                                      Identity,
	                                                [DSRK Request,
	                                              domain name])
	
	  <------------------------ EAP Method exchange------------------>
	
	                                            <---AAA(MSK, DSRK, ----
	                                                  EMSKname,
	                                                EAP-Success)
	
	                      <---  AAA(MSK,  -----
	                            EAP-Success)
	
	  <---EAP-Success-----
	
	            Figure 3: Local ERP Exchange, Initial EAP Exchange 
	
	I think that the figures have to look like: 
	
	
	===================================================================================
	
	  EAP Peer          Diameter EAP Client              EAP Server
	  ========          =================                ==========
	
	    <--- EAP-Request/ ------
	            Identity
	
	    ----- EAP Response/ --->
	            Identity          ---AAA(EAP Response/Identity)-->
	
	    <--- EAP Method ------->  <------ AAA(EAP Method -------->
	          exchange                    exchange)
	
	                              <----AAA(MSK, EAP-Success)------
	
	    <---EAP-Success---------
	
	                      Figure 1: EAP Authentication
	
	[This figure does not have any ERP stuff in there. That does not seem to be right or at least not relevant then.]
	
	
	  Peer              Diameter ERP Client                ERP Server
	  ====              =============                      ======
	
	    [<-- EAP-Initiate/ -----
	        Re-auth-Start]
	    [<-- EAP-Request/ ------
	        Identity]
	
	
	    ---- EAP-Initiate/ ----> ----AAA(EAP-Initiate/ ---------->
	          Re-auth/                  Re-auth/
	        [Bootstrap]              [Bootstrap])
	
	    <--- EAP-Finish/ ------> <---AAA(rMSK,EAP-Finish/---------
	          Re-auth/                  Re-auth/
	        [Bootstrap]                [Bootstrap])
	
	  Note: [] brackets indicate optionality.
	
	                          Figure 2: ERP Exchange
	
	
	[New Diameter ERP application in action.]
	
	
	Peer        Diameter ERP/EAP      Local EAP Proxy/    Home EAP/ERP
	====        =====Client======    ===ERP server==    ====Server=====
	
	<-- EAP-Request/ --
	      Identity
	
	-- EAP Response/-->
	      Identity      --AAA(EAP Response/-->
	                          Identity)      --AAA(EAP Response/ -->
	                                                    Identity,
	                                              [DSRK Request,
	                                            domain name])
	
	<------------------------ EAP Method exchange------------------>
	
	                                          <---AAA(MSK, [DSRK, ----
	                                                EMSKname],
	                                              EAP-Success)
	
	                    <---  AAA(MSK,  -----
	                          EAP-Success)
	
	<---EAP-Success-----
	
	            Figure 3: Local ERP Exchange, Initial EAP Exchange
	
	
	
	
	[Here we assume that there is some communication going on between the Diameter EAP proxy and the ERP server in the local network.
	For editorial reasons we do not show the two entities separately but maybe we should. The same is true for the Diameter EAP server and the ERP server.
	
	Graphically, this could be shown as: 
	
	
	
	  Diameter EAP  +-------------+  Diameter EAP    +-------------+
	                |             |                  |             |
	  <------------>| Local       |<---------------->| Home        |
	                | Diameter    |                  | Diameter    |
	                | EAP Proxy   |                  | EAP Server  |
	                |             |                  |             |
	                +-------------+                  +-------------+
	                       ^                                ^
	                   (a) | proprietary        proprietary | (b)
	                       v                                v
	                +-------------+                  +-------------+
	  Diameter ERP  |             |  Diameter ERP    |             |
	                | Local       |                  | Home        |
	  <------------>| Diameter    |<---------------->| Diameter    |
	                | ERP Server  |                  | ERP Server  |
	                |             |                  |             |
	                +-------------+                  +-------------+
	
	It might be useful to say what information is exchanged at (a) and (b) and when in the protocol exchange.
	
	]
	
	  Peer                ER Authenticator            Local ER Server
	  ====                ================            ===============
	
	  [<-- EAP-Initiate/ --------
	        Re-auth-Start]
	  [<-- EAP-Request/ ---------
	        Identity]
	
	    ---- EAP-Initiate/ -------> ----AAA(EAP-Initiate/ -------->
	          Re-auth                        Re-auth)
	
	    <--- EAP-Finish/ ---------- <---AAA(rMSK,EAP-Finish/-------
	          Re-auth                        Re-auth)
	
	                      Figure 4: Local ERP Exchange
	
	[Is this figure from a Diameter ERP routing the same as Figure 2?]
	
	
	So, I suggest getting the high-level messaging right before starting with the details.
	
	Ciao
	Hannes
	
	




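The ERP exchange of Figure 2, written out as an added, runnable model with both sides' messages. This is not code from the thread, from RFC 5296, or from any Diameter implementation: the peer sends EAP-Initiate/Re-auth integrity-protected with rIK, the Diameter ERP client forwards it to the ER server chosen from the realm part of keyName-NAI, the server checks the MAC and SEQ, derives rMSK and returns it in the AAA answer next to EAP-Finish/Re-auth, the authenticator keeps rMSK, and the peer derives the same rMSK locally because it never travels to the peer. The KDF, the message encoding, the EMSK, the keyName-NAI and the realm are simplified and constructed for this example; they are not the RFC 5295/5296 wire formats.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Key names follow RFC 5296; the KDF below is a simplified iterated HMAC-SHA256
# (assumption: not the exact RFC 5295 PRF+ input layout), so nothing derived
# here is interoperable with a real ERP implementation.
RRK_LABEL = b"EAP Re-authentication Root Key@ietf.org"
RIK_LABEL = b"Re-authentication Integrity Key@ietf.org"
RMSK_LABEL = b"Re-authentication Master Session Key@ietf.org"


def kdf(key: bytes, label: bytes, context: bytes = b"", length: int = 64) -> bytes:
    """T(i) = HMAC-SHA256(key, T(i-1) | label | 0x00 | context | i), concatenated."""
    out, prev, i = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + label + b"\x00" + context + bytes([i]), hashlib.sha256).digest()
        out += prev
        i += 1
    return out[:length]


def encode(fields: dict) -> bytes:
    """Canonical bytes the MAC covers (constructed; not the RFC 5296 TLV layout)."""
    return b"|".join(f"{k}={v}".encode() for k, v in sorted(fields.items()))


def protect(rik: bytes, msg: dict) -> dict:
    """Add the rIK-keyed integrity check to an EAP-Initiate/Finish message."""
    return {**msg, "auth": hmac.new(rik, encode(msg), hashlib.sha256).hexdigest()}


def verify(rik: bytes, msg: dict) -> bool:
    body = {k: v for k, v in msg.items() if k != "auth"}
    expect = hmac.new(rik, encode(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, msg.get("auth", ""))


@dataclass
class Peer:
    key_name_nai: str      # EMSKname@realm, established during the full EAP run
    rrk: bytes
    seq: int = 0

    def initiate(self) -> dict:
        """EAP-Initiate/Re-auth: fresh SEQ plus keyName-NAI, protected with rIK."""
        self.seq += 1
        msg = {"type": "EAP-Initiate/Re-auth", "seq": self.seq, "keyName-NAI": self.key_name_nai}
        return protect(kdf(self.rrk, RIK_LABEL), msg)

    def finish(self, msg: dict) -> Optional[bytes]:
        """Check EAP-Finish/Re-auth and derive rMSK locally (rMSK is never sent to the peer)."""
        if msg.get("result") != "success" or msg.get("seq") != self.seq:
            return None
        if not verify(kdf(self.rrk, RIK_LABEL), msg):
            return None
        return kdf(self.rrk, RMSK_LABEL, self.seq.to_bytes(2, "big"))


@dataclass
class ERServer:
    realm: str
    rrk_by_name: dict      # keyName-NAI -> rRK, stored after the full EAP exchange
    last_seq: dict         # keyName-NAI -> highest SEQ accepted (replay protection)

    def handle(self, req: dict) -> dict:
        """Diameter ERP server side: answer carries rMSK only on success."""
        msg = req["eap"]
        name = msg["keyName-NAI"]
        failure = {"result": "failure", "eap": {"type": "EAP-Finish/Re-auth", "result": "failure"}}
        rrk = self.rrk_by_name.get(name)
        if req["Destination-Realm"] != self.realm or rrk is None:
            return failure                                   # not our realm or unknown key name
        rik = kdf(rrk, RIK_LABEL)
        if not verify(rik, msg) or msg["seq"] <= self.last_seq.get(name, 0):
            return failure                                   # forged, modified or replayed Initiate
        self.last_seq[name] = msg["seq"]
        rmsk = kdf(rrk, RMSK_LABEL, msg["seq"].to_bytes(2, "big"))
        fin = protect(rik, {"type": "EAP-Finish/Re-auth", "seq": msg["seq"],
                            "keyName-NAI": name, "result": "success"})
        return {"result": "success", "rMSK": rmsk, "eap": fin}


@dataclass
class Authenticator:
    server: ERServer
    rmsk: Optional[bytes] = None

    def relay(self, eap_msg: dict) -> dict:
        """Diameter ERP client: route on the realm of keyName-NAI, keep rMSK, pass EAP-Finish on."""
        realm = eap_msg["keyName-NAI"].split("@", 1)[1]
        answer = self.server.handle({"Destination-Realm": realm, "eap": eap_msg})
        self.rmsk = answer.get("rMSK")
        return answer


def run_exchange() -> dict:
    """Figure 2 exchange plus a replayed and a modified Initiate; keys and names are constructed."""
    emsk = os.urandom(64)                                    # constructed: left over from the full EAP run
    name = "emskname-0001@home.example"                      # constructed keyName-NAI
    rrk = kdf(emsk, RRK_LABEL)                               # both ends derive rRK from the EMSK
    peer = Peer(name, rrk)
    auth = Authenticator(ERServer("home.example", {name: rrk}, {}))

    init = peer.initiate()
    peer_rmsk = peer.finish(auth.relay(init)["eap"])
    agreed = peer_rmsk is not None and peer_rmsk == auth.rmsk

    replayed = auth.relay(init)["result"] == "failure"       # same SEQ presented again
    tampered = peer.initiate()
    tampered["seq"] += 5                                     # changed after the MAC was computed
    forged = auth.relay(tampered)["result"] == "failure"
    return {"rmsk_agreed": agreed, "replay_rejected": replayed, "tamper_rejected": forged}
```

The point of the model is the routing question raised in the thread: the only thing the Diameter ERP client needs in order to find the ER server is the realm of keyName-NAI, and rMSK is delivered to the authenticator in the AAA answer while the peer computes it from its own rRK.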