| < draft-ietf-dime-erp-10.txt | draft-ietf-dime-erp-11.txt > | |||
|---|---|---|---|---|
| Network Working Group J. Bournelle | Network Working Group J. Bournelle | |||
| Internet-Draft L. Morand | Internet-Draft L. Morand | |||
| Intended status: Standards Track Orange Labs | Intended status: Standards Track Orange Labs | |||
| Expires: December 5, 2012 S. Decugis | Expires: February 1, 2013 S. Decugis | |||
| INSIDE Secure | INSIDE Secure | |||
| Q. Wu | Q. Wu | |||
| Huawei | Huawei | |||
| G. Zorn | G. Zorn | |||
| Network Zen | Network Zen | |||
| June 3, 2012 | July 31, 2012 | |||
| Diameter Support for the EAP Re-authentication Protocol (ERP) | Diameter Support for the EAP Re-authentication Protocol (ERP) | |||
| draft-ietf-dime-erp-10.txt | draft-ietf-dime-erp-11 .txt | |||
| Abstract | Abstract | |||
| The EAP Re-authentication Protocol (ERP) defines extensions to the | The EAP Re-authentication Protocol (ERP) defines extensions to the | |||
| Extensible Authentication Protocol (EAP) to support efficient re- | Extensible Authentication Protocol (EAP) to support efficient re- | |||
| authentication between the peer and an EAP Re-authentication (ER) | authentication between the peer and an EAP Re-authentication (ER) | |||
| server through a compatible authenticator. This document specifies | server through a compatible authenticator. This document specifies | |||
| Diameter support for ERP. It defines a new Diameter ERP application | Diameter support for ERP. It defines a new Diameter ERP application | |||
| to transport ERP messages between an ER authenticator and the ER | to transport ERP messages between an ER authenticator and the ER | |||
| server, and a set of new AVPs that can be used to transport the | server, and a set of new AVPs that can be used to transport the | |||
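| Review bot: the new-version title line has a stray space in the file name, "draft-ietf-dime-erp-11 .txt", whereas the old version reads "draft-ietf-dime-erp-10.txt" without one; it should read "draft-ietf-dime-erp-11.txt" so that it matches the file name in the header row of this diff. | | |||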
| skipping to change at page 1, line 43 ¶ | skipping to change at page 1, line 43 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on December 5, 2012. | This Internet-Draft will expire on February 1, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 8, line 27 ¶ | skipping to change at page 8, line 27 ¶ | |||
| EAP Application> [RFC4072] | EAP Application> [RFC4072] | |||
| Extract the ERP-RK-Request AVP from the ERP/DER message, which | Extract the ERP-RK-Request AVP from the ERP/DER message, which | |||
| contains the name of the domain where the ER server is located and | contains the name of the domain where the ER server is located and | |||
| add it to the newly created ERP/DER message. | add it to the newly created ERP/DER message. | |||
| Then the newly created EAP/DER is sent and routed to the home | Then the newly created EAP/DER is sent and routed to the home | |||
| Diameter EAP application server. | Diameter EAP application server. | |||
| If the home Diameter EAP server does not support ERP extensions, EAP | If the home Diameter EAP server does not support ERP extensions, EAP | |||
| packets with an unknown ERP-specific code (EAP-Initiate) are not | packets with an unknown ERP-specific code (EAP-Initiate) will not be | |||
| understood. In such a case, the home Diameter EAP server MUST send | understood. In such a case, the home Diameter EAP server MUST send | |||
| an EAP/DEA with a Result-Code set to DIAMETER_ERROR_EAP_CODE_UNKNOWN. | an EAP/DEA with a Result-Code indicating a Permanent Failure (for | |||
| The Failed-AVP AVP MUST be included and contain a copy of the EAP- | example, DIAMETER_ERROR_EAP_CODE_UNKNOWN or | |||
| Payload AVP. Otherwise, it processes the DSRK request as described | DIAMETER_UNABLE_TO_COMPLY). The Failed-AVP AVP MUST be included and | |||
| in [RFC5296]. In particular, it includes the Domain- Name TLV | contain a copy of the EAP-Payload AVP. Otherwise, it processes the | |||
| attribute with the content from the ERP-Realm AVP. The server | DSRK request as described in [RFC5296]. In particular, it includes | |||
| creates the EAP/DEA reply message [RFC4072] including an instance of | the Domain- Name TLV attribute with the content from the ERP-Realm | |||
| the Key AVP (Section 8.3) with Key-Type AVP set to rRK and an | AVP. The server creates the EAP/DEA reply message [RFC4072] | |||
| instance of the Domain-Name TLV attribute with the content from the | including an instance of the Key AVP (Section 8.3) with Key-Type AVP | |||
| ERP-Realm AVP. | set to rRK and an instance of the Domain-Name TLV attribute with the | |||
| content from the ERP-Realm AVP. | ||||
| The ER server receives this EAP/DEA and proxies it as follows, in | The ER server receives this EAP/DEA and proxies it as follows, in | |||
| addition to standard proxy operations: | addition to standard proxy operations: | |||
| Set the Application Id back to Diameter ERP Application Id | Set the Application Id back to Diameter ERP Application Id | |||
| (Section 12.1 ) | (Section 12.1 ) | |||
| Extract and cache the content of the Key AVP with Key-Type set to | Extract and cache the content of the Key AVP with Key-Type set to | |||
| rRK, as described in the implicit scenario (Section 5.1). | rRK, as described in the implicit scenario (Section 5.1). | |||
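| Review bot: the revised failure text now allows any Permanent Failure Result-Code from a home server that does not support ERP (for example DIAMETER_ERROR_EAP_CODE_UNKNOWN or DIAMETER_UNABLE_TO_COMPLY), but the ER server proxy steps that follow ("Set the Application Id back to Diameter ERP Application Id", "Extract and cache the content of the Key AVP with Key-Type set to rRK") describe only the success case; add a step saying what the ER server does with an EAP/DEA carrying a Permanent Failure (for instance, reset the Application Id as in the success case and relay the failure without caching any key), so that implementations do not key the distinction on one specific code. It is also worth stating the motivation for the relaxation: a home server without ERP support cannot be expected to know the new DIAMETER_ERROR_EAP_CODE_UNKNOWN value, so DIAMETER_UNABLE_TO_COMPLY is the realistic outcome from such a server. Two nits in the same block: "ERP/DER" and "EAP/DER" are both used for the newly created message ("add it to the newly created ERP/DER message. Then the newly created EAP/DER is sent"), so pick one; and "Domain- Name TLV" has a stray space after the hyphen in both columns. | | |||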
| skipping to change at page 13, line 43 ¶ | skipping to change at page 13, line 43 ¶ | |||
| 10. Contributors | 10. Contributors | |||
| Hannes Tschofenig wrote the initial draft of this document. | Hannes Tschofenig wrote the initial draft of this document. | |||
| Lakshminath Dondeti contributed to the early versions of the | Lakshminath Dondeti contributed to the early versions of the | |||
| document. | document. | |||
| 11. Acknowledgements | 11. Acknowledgements | |||
| Hannes Tschofenig provided useful reviews. | Hannes Tschofenig, Zhen Cao and Jouni Korhonen provided useful | |||
| reviews. | ||||
| Vidya Narayanan reviewed a rough draft version of the document and | Vidya Narayanan reviewed a rough draft version of the document and | |||
| found some errors. | found some errors. | |||
| Many thanks to these people! | Many thanks to these people! | |||
| 12. IANA Considerations | 12. IANA Considerations | |||
| This document requires IANA registration of the following new | This document requires IANA registration of the following new | |||
| elements in the Authentication, Authorization, and Accounting (AAA) | elements in the Authentication, Authorization, and Accounting (AAA) | |||
| skipping to change at page 14, line 34 ¶ | skipping to change at page 14, line 34 ¶ | |||
| ERP-Realm | ERP-Realm | |||
| These AVPs are defined in Section 8. | These AVPs are defined in Section 8. | |||
| 12.3. New Permanent Failures Result-Code AVP Values | 12.3. New Permanent Failures Result-Code AVP Values | |||
| This specification requires IANA to allocate a new value from the | This specification requires IANA to allocate a new value from the | |||
| "Result-Code AVP Values (code 268) - Permanent Failure" registry | "Result-Code AVP Values (code 268) - Permanent Failure" registry | |||
| according to the policy specified in Section 11.3.2 of Fajardo, et | according to the policy specified in Section 11.3.2 of Fajardo, et | |||
| al. [I-D.ietf-dime-rfc3588bis] for the following Result-Code: | al. [I-D.ietf-dime-rfc3588bis] for the following Result-Code: | |||
| DIAMETER_ERROR_EAP_CODE_UNKNOWN TBD | DIAMETER_ERROR_EAP_CODE_UNKNOWN TBD | |||
| This result-code value is defined in Section 9. | This result-code value is defined in Section 9. | |||
| 13. Security Considerations | 13. Security Considerations | |||
| The security considerations from the following documents apply here: | The security considerations from the following documents apply here: | |||
| o Fajardo, et al. [I-D.ietf-dime-rfc3588bis] | o Fajardo, et al. [I-D.ietf-dime-rfc3588bis] | |||
| o RFC 4072 [RFC4072] | o RFC 4072 [RFC4072] | |||
| o RFC 5296 [RFC5296] | o RFC 5296 [RFC5296] | |||
| o Zorn, Wu and Cakulev [I-D.ietf-dime-local-keytran] | o Zorn, Wu and Cakulev [I-D.ietf-dime-local-keytran] | |||
| 14. Normative References | 14. Normative References | |||
| [I-D.ietf-dime-local-keytran] Zorn, G., Wu, W., and V. Cakulev, | [I-D.ietf-dime-local-keytran] Zorn, G., Wu, W., and V. Cakulev, | |||
| "Diameter Attribute-Value Pairs for | "Diameter Attribute-Value Pairs for | |||
| Cryptographic Key Transport", | Cryptographic Key Transport", | |||
| draft-ietf-dime-local-keytran-14 (work | draft-ietf-dime-local-keytran-14 (work | |||
| in progress), August 2011. | in progress), August 2011. | |||
| [I-D.ietf-dime-rfc3588bis] Fajardo, V., Arkko, J., Loughney, J., | [I-D.ietf-dime-rfc3588bis] Fajardo, V., Arkko, J., Loughney, J., | |||
| and G. Zorn, "Diameter Base Protocol", | and G. Zorn, "Diameter Base Protocol", | |||
| draft-ietf-dime-rfc3588bis-33 (work in | draft-ietf-dime-rfc3588bis-34 (work in | |||
| progress), May 2012. | progress), June 2012. | |||
| [RFC2119] Bradner, S., "Key words for use in | [RFC2119] Bradner, S., "Key words for use in | |||
| RFCs to Indicate Requirement Levels", | RFCs to Indicate Requirement Levels", | |||
| BCP 14, RFC 2119, March 1997. | BCP 14, RFC 2119, March 1997. | |||
| [RFC3588] Calhoun, P., Loughney, J., Guttman, | [RFC3588] Calhoun, P., Loughney, J., Guttman, | |||
| E., Zorn, G., and J. Arkko, "Diameter | E., Zorn, G., and J. Arkko, "Diameter | |||
| Base Protocol", RFC 3588, | Base Protocol", RFC 3588, | |||
| September 2003. | September 2003. | |||
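| Review bot: only the rfc3588bis reference moved in this revision (-33, May 2012 to -34, June 2012); confirm that draft-ietf-dime-local-keytran-14 (August 2011) is still the current revision, since the Key AVP used on page 8 (Section 8.3) and the Security Considerations in Section 13 depend on it. Also, Section 12.3 requests a single value, DIAMETER_ERROR_EAP_CODE_UNKNOWN, under the plural heading "New Permanent Failures Result-Code AVP Values"; make the heading and text agree with the one value listed, and have Section 9 state that this code is sent only by ERP-aware servers, now that the page 8 text also permits DIAMETER_UNABLE_TO_COMPLY from servers without ERP support. | | |||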
| End of changes. 10 change blocks. | ||||
| 19 lines changed or deleted | 21 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||