Network Working Group                                            G. Zorn
Internet-Draft                                               Network Zen
Intended status: Standards Track                                   Q. Wu
Expires: October 24, 2011                                        Y. Wang
                                                                  Huawei
                                                          April 22, 2011

                The ERP Local Domain Name DHCPv6 Option
                   draft-ietf-hokey-ldn-discovery-10

Abstract

   In order to derive a Domain-Specific Root Key (DSRK) from the
   Extended Master Session Key (EMSK) generated as a side-effect of an
   Extensible Authentication Protocol (EAP) method, the EAP peer must
   discover the name of the domain to which it is attached.

   This document specifies a Dynamic Host Configuration Protocol Version
   6 (DHCPv6) option designed to allow a DHCPv6 server to inform clients
   using the EAP Re-authentication Protocol (ERP) EAP method of the name
   of the local domain for ERP.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 24, 2011.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
     2.1.  Standards Language
     2.2.  Acronyms
   3.  Option Format
     3.1.  DHCPv6 ERP Local Domain Name Option
   4.  Client Behavior
   5.  Relay Agent Behavior
   6.  Security Considerations
   7.  IANA Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References

1.  Introduction

   The EAP Re-authentication Protocol (ERP) [RFC5296] is designed to
   allow faster re-authentication of a mobile device that was previously
   authenticated by means of the Extensible Authentication Protocol
   [RFC3748].  Given that the local root key (e.g., the DSRK of
   RFC 5295 [RFC5295]) is generated using the local domain name (LDN),
   LDN discovery is an important part of re-authentication.  As
   described in RFC 5296 [RFC5296], the LDN to be used in ERP can be
   learned by the mobile device through the ERP exchange or via a
   lower-layer mechanism.  However, no lower-layer mechanisms for LDN
   discovery have yet been defined.

   This document specifies an extension to DHCPv6 for discovery of the
   LDN to be used in ERP.

2.  Terminology

2.1.  Standards Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.2.  Acronyms

   FQDN  Fully Qualified Domain Name

   AAA   Authentication, Authorization and Accounting

   DSRK  Domain-Specific Root Key

3.  Option Format

   In DHCPv6-based local domain name discovery, the LDN option is used
   by the DHCPv6 client to obtain the local domain name from the DHCPv6
   server after full EAP authentication has taken place.

   The contents of the ERP Local Domain Name option are intended only
   for use with ERP and do not represent the name of a local domain for
   any other purpose.

3.1.  DHCPv6 ERP Local Domain Name Option

   The format of this option is:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  OPTION_ERP_LOCAL_DOMAIN_NAME |         option-length         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                    erp-local-domain-name...
      +-+-+-+-+-+-+-+-+-+-+-+-+-

   option code
      OPTION_ERP_LOCAL_DOMAIN_NAME (TBD)

   option-length
      Length of the erp-local-domain-name field, in octets.

   erp-local-domain-name
      This field contains the name of the local ERP domain and MUST be
      encoded as specified in Section 8 of RFC 3315 [RFC3315].  Note
      that this encoding does enable the use of internationalized domain
      names, but only as a set of A-labels [RFC5890].

4.  Client Behavior

   If a DHCPv6 client does not know the ERP LDN and requires the DHCPv6
   server to provide the DHCPv6 ERP LDN option, it MUST include an
   Option Request option requesting the DHCPv6 ERP Local Domain Name
   option, as described in Section 22.7 of RFC 3315 [RFC3315].
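   The following Python is an added example and not part of this draft.
   It builds the option in the wire format of Section 3.1 (option-code,
   option-length, then the name as length-prefixed labels per Section 8
   of RFC 3315) and parses it on the client side, applying the checks
   Section 4 requires: an option length of no more than 256 octets and
   exactly one properly encoded FQDN.  The draft leaves the option code
   as TBD, so OPTION_ERP_LOCAL_DOMAIN_NAME below is a placeholder, and
   the per-label letters-digits-hyphen syntax check is an assumption
   added here, not something RFC 3315 Section 8 itself mandates.

```python
import re
import struct

# Placeholder: the draft leaves the option code as TBD; the real value
# comes from the IANA DHCPv6 option code registry once assigned.
OPTION_ERP_LOCAL_DOMAIN_NAME = 0xFFFF

# Section 4 of the draft: the client MUST reject an option longer than this.
MAX_OPTION_LENGTH = 256

# Assumed label syntax (not mandated by RFC 3315): letters, digits and
# hyphens, 1..63 octets, no leading or trailing hyphen.  A-labels such as
# "xn--..." pass this check; U-labels (non-ASCII) do not.
LABEL_RE = re.compile(rb"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def encode_domain_name(name: str) -> bytes:
    """Encode an FQDN as length-prefixed labels ending in a zero-length
    root label (RFC 3315 Section 8 wire format, no compression)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")  # only A-labels are permitted here
        if not LABEL_RE.match(raw):
            raise ValueError(f"invalid label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def wrap_option(data: bytes) -> bytes:
    """Prefix option data with the DHCPv6 option-code / option-length header."""
    return struct.pack("!HH", OPTION_ERP_LOCAL_DOMAIN_NAME, len(data)) + data


def build_option(ldn: str) -> bytes:
    """Server side: build a complete ERP Local Domain Name option."""
    return wrap_option(encode_domain_name(ldn))


def parse_option(buf: bytes) -> str:
    """Client side: parse the option and enforce the Section 4 checks.
    Returns the LDN in dotted form with a trailing dot; raises ValueError
    on any violation so a caller cannot silently use a bad name."""
    if len(buf) < 4:
        raise ValueError("truncated option header")
    code, length = struct.unpack("!HH", buf[:4])
    if code != OPTION_ERP_LOCAL_DOMAIN_NAME:
        raise ValueError(f"unexpected option code {code}")
    if length > MAX_OPTION_LENGTH:
        raise ValueError(f"option length {length} exceeds {MAX_OPTION_LENGTH} octets")
    data = buf[4:4 + length]
    if len(data) != length:
        raise ValueError("option data shorter than option-length")

    labels = []
    pos = 0
    while True:
        if pos >= len(data):
            raise ValueError("name not terminated by a root label")
        n = data[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            # 0x40..0xFF: either a label longer than 63 octets or a DNS
            # compression pointer, neither of which is allowed here.
            raise ValueError("label length > 63 or compression pointer")
        label = data[pos:pos + n]
        if len(label) != n:
            raise ValueError("truncated label")
        if not LABEL_RE.match(label):
            raise ValueError(f"invalid label {label!r}")
        labels.append(label.decode("ascii"))
        pos += n
    if not labels:
        raise ValueError("empty domain name")
    if pos != len(data):
        # Octets after the root label mean a second name (or garbage),
        # which violates the "single FQDN" rule of Section 4.
        raise ValueError("trailing octets after a single FQDN")
    return ".".join(labels) + "."


def is_valid_option(buf: bytes) -> bool:
    """Convenience predicate: True if parse_option accepts the option."""
    try:
        parse_option(buf)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a server offers "erp.example.net" as the LDN.
    opt = build_option("erp.example.net")
    print(opt.hex())
    print(parse_option(opt))
```

   The encoder deliberately does not enforce the 256-octet bound, so
   the client-side parser can be exercised against an over-long option;
   in a real server both ends would enforce it.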
   When the DHCPv6 client receives an ERP Local Domain Name option with
   the ERP LDN present in it, it MUST verify that the option length is
   no more than 256 octets (the maximum length of a single
   fully-qualified domain name (FQDN) allowed by the DNS), and that the
   local domain name is a properly encoded single FQDN, as specified in
   Section 8, "Representation and Use of Domain Names", of RFC 3315
   [RFC3315].

5.  Relay Agent Behavior

   If a DHCPv6 relay agent has pre-existing knowledge of the ERP local
   domain name for a client (for example, from a previous AAA exchange),
   it SHOULD include it in an instance of the DHCPv6 ERP Local Domain
   Name option and forward it to the DHCPv6 server as a suboption of the
   Relay-Supplied Options option
   [I-D.ietf-dhc-dhcpv6-relay-supplied-options].

6.  Security Considerations

   The communication between the DHCPv6 client and the DHCPv6 server for
   the exchange of local domain name information is security sensitive
   and requires server authentication and integrity protection.  DHCPv6
   security [RFC3315] can be used for this purpose.

7.  IANA Considerations

   IANA is requested to assign one new option code from the registry of
   DHCP Option Codes maintained at
   http://www.iana.org/assignments/dhcpv6-parameters, referencing this
   document.

8.  References

8.1.  Normative References

   [I-D.ietf-dhc-dhcpv6-relay-supplied-options]
              Lemon, T. and W. Wu, "Relay-Supplied DHCP Options",
              draft-ietf-dhc-dhcpv6-relay-supplied-options-04 (work in
              progress), October 2010.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3315]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
              and M. Carney, "Dynamic Host Configuration Protocol for
              IPv6 (DHCPv6)", RFC 3315, July 2003.
   [RFC5295]  Salowey, J., Dondeti, L., Narayanan, V., and M. Nakhjiri,
              "Specification for the Derivation of Root Keys from an
              Extended Master Session Key (EMSK)", RFC 5295,
              August 2008.

   [RFC5296]  Narayanan, V. and L. Dondeti, "EAP Extensions for EAP
              Re-authentication Protocol (ERP)", RFC 5296, August 2008.

8.2.  Informative References

   [RFC3748]  Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
              Levkowetz, "Extensible Authentication Protocol (EAP)",
              RFC 3748, June 2004.

   [RFC5890]  Klensin, J., "Internationalized Domain Names for
              Applications (IDNA): Definitions and Document Framework",
              RFC 5890, August 2010.

Authors' Addresses

   Glen Zorn
   Network Zen
   227/358 Thanon Sanphawut
   Bang Na, Bangkok 10260
   Thailand

   Phone: +66 (0) 87-040-4617
   EMail: gwz@net-zen.net

   Qin Wu
   Huawei Technologies Co., Ltd.
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 21001
   China

   Phone: +86-25-84565892
   EMail: sunseawq@huawei.com

   Yungui Wang
   Huawei Technologies Co., Ltd.
   Site B, Floor 10, HuiHong Mansion, No.91 BaiXia Rd.
   Nanjing, Jiangsu 210001
   P.R. China

   Phone: +86 25 84565893
   EMail: w52006@huawei.com