< draft-ietf-dime-erp-12.txt   draft-ietf-dime-erp-13.txt >
Network Working Group J. Bournelle Network Working Group J. Bournelle
Internet-Draft L. Morand Internet-Draft L. Morand
Intended status: Standards Track Orange Labs Intended status: Standards Track Orange Labs
Expires: February 1, 2013 S. Decugis Expires: April 25, 2013 S. Decugis
INSIDE Secure INSIDE Secure
Q. Wu Q. Wu
Huawei Huawei
G. Zorn G. Zorn
Network Zen Network Zen
July 31, 2012 October 22, 2012
Diameter Support for the EAP Re-authentication Protocol (ERP) Diameter Support for the EAP Re-authentication Protocol (ERP)
draft-ietf-dime-erp-12.txt draft-ietf-dime-erp-13.txt
Abstract Abstract
The EAP Re-authentication Protocol (ERP) defines extensions to the The EAP Re-authentication Protocol (ERP) defines extensions to the
Extensible Authentication Protocol (EAP) to support efficient re- Extensible Authentication Protocol (EAP) to support efficient re-
authentication between the peer and an EAP Re-authentication (ER) authentication between the peer and an EAP Re-authentication (ER)
server through a compatible authenticator. This document specifies server through a compatible authenticator. This document specifies
Diameter support for ERP. It defines a new Diameter ERP application Diameter support for ERP. It defines a new Diameter ERP application
to transport ERP messages between an ER authenticator and the ER to transport ERP messages between an ER authenticator and the ER
server, and a set of new AVPs that can be used to transport the server, and a set of new AVPs that can be used to transport the
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 1, 2013. This Internet-Draft will expire on April 25, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 24 skipping to change at page 2, line 24
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 2.1. Requirements Language . . . . . . . . . . . . . . . . . . 4
3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4
5. Bootstrapping the ER Server . . . . . . . . . . . . . . . . . 5 5. Bootstrapping the ER Server . . . . . . . . . . . . . . . . . 5
5.1. Bootstrapping During the Initial EAP authentication . . . 6 5.1. Bootstrapping During the Initial EAP authentication . . . 6
5.2. Bootstrapping During the First Re-authentication . . . . . 7 5.2. Bootstrapping During the First Re-authentication . . . . . 8
6. Re-Authentication . . . . . . . . . . . . . . . . . . . . . . 10 6. Re-Authentication . . . . . . . . . . . . . . . . . . . . . . 10
7. Application Id . . . . . . . . . . . . . . . . . . . . . . . . 11 7. Application Id . . . . . . . . . . . . . . . . . . . . . . . . 11
8. AVPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 8. AVPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
8.1. ERP-RK-Request AVP . . . . . . . . . . . . . . . . . . . . 12 8.1. ERP-RK-Request AVP . . . . . . . . . . . . . . . . . . . . 12
8.2. ERP-Realm AVP . . . . . . . . . . . . . . . . . . . . . . 12 8.2. ERP-Realm AVP . . . . . . . . . . . . . . . . . . . . . . 12
8.3. Key AVP . . . . . . . . . . . . . . . . . . . . . . . . . 12 8.3. Key AVP . . . . . . . . . . . . . . . . . . . . . . . . . 12
8.3.1. Key-Type AVP . . . . . . . . . . . . . . . . . . . . . 12 8.3.1. Key-Type AVP . . . . . . . . . . . . . . . . . . . . . 12
8.3.2. Keying-Material AVP . . . . . . . . . . . . . . . . . 12 8.3.2. Keying-Material AVP . . . . . . . . . . . . . . . . . 12
8.3.3. Key-Name AVP . . . . . . . . . . . . . . . . . . . . . 13 8.3.3. Key-Name AVP . . . . . . . . . . . . . . . . . . . . . 13
8.3.4. Key-Lifetime AVP . . . . . . . . . . . . . . . . . . . 13 8.3.4. Key-Lifetime AVP . . . . . . . . . . . . . . . . . . . 13
skipping to change at page 3, line 7 skipping to change at page 3, line 7
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
12.1. Diameter Application Identifier . . . . . . . . . . . . . 14 12.1. Diameter Application Identifier . . . . . . . . . . . . . 14
12.2. New AVPs . . . . . . . . . . . . . . . . . . . . . . . . . 14 12.2. New AVPs . . . . . . . . . . . . . . . . . . . . . . . . . 14
12.3. New Permanent Failures Result-Code AVP Values . . . . . . 14 12.3. New Permanent Failures Result-Code AVP Values . . . . . . 14
13. Security Considerations . . . . . . . . . . . . . . . . . . . 14 13. Security Considerations . . . . . . . . . . . . . . . . . . . 14
14. Normative References . . . . . . . . . . . . . . . . . . . . . 15 14. Normative References . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
RFC6696 [RFC6696] defines the EAP Re-authentication Protocol (ERP). Cao, et al. [RFC6696] defines the EAP Re-authentication Protocol
It consists of the following steps: (ERP). It consists of the following steps:
Bootstrapping Bootstrapping
A root key for re-authentication is derived from the Extended A root key for re-authentication is derived from the Extended
Master Session Key (EMSK) created during EAP authentication Master Session Key (EMSK) created during EAP authentication
[RFC5295]. This root key is transported from the EAP server to [RFC5295]. This root key is transported from the EAP server to
the ER server. the ER server.
Re-authentication Re-authentication
skipping to change at page 3, line 33 skipping to change at page 3, line 33
This document defines how Diameter transports the ERP messages during This document defines how Diameter transports the ERP messages during
the re-authentication process. For this purpose, we define a new the re-authentication process. For this purpose, we define a new
Application Identifier for ERP, and re-use the Diameter EAP commands Application Identifier for ERP, and re-use the Diameter EAP commands
(DER/DEA). (DER/DEA).
This document also discusses the distribution of the root key during This document also discusses the distribution of the root key during
bootstrapping, in conjunction with either the initial EAP bootstrapping, in conjunction with either the initial EAP
authentication (implicit bootstrapping) or the first ERP exchange authentication (implicit bootstrapping) or the first ERP exchange
(explicit bootstrapping). Security considerations for this key (explicit bootstrapping). Security considerations for this key
distribution are detailed in RFC 5295 [RFC5295]. distribution are detailed in Salowey, et al. [RFC5295].
2. Terminology 2. Terminology
This document uses terminology defined in RFC3748 [RFC3748], RFC5295 This document uses terminology defined in Aboba, et al. [RFC3748],
[RFC5295], RFC6696 [RFC6696], and RFC4072 [RFC4072]. Salowey, et al. [RFC5295], Cao, et al. [RFC6696], and Eronen, Hiller
& Zorn [RFC4072].
The re-athentication Domain-Specific Root Key (rDSRK) is a re-
authentication Root Key (rRK, [RFC6696]) derived from the DSRK
instead of the EMSK.
"Root key" (RK) or "bootstrapping material" refer to the rRK or rDSRK "Root key" (RK) or "bootstrapping material" refer to the rRK or rDSRK
derived from an EMSK, depending on the location of the ER server in derived from an EMSK, depending on the location of the ER server in
home or foreign domain. home or foreign domain.
We use the notation "ERP/DER" and "ERP/DEA" in this document to refer We use the notation "ERP/DER" and "ERP/DEA" in this document to refer
to Diameter-EAP-Request and Diameter-EAP-Answer commands with the to Diameter-EAP-Request and Diameter-EAP-Answer commands with the
Application Id set to <Diameter ERP Application> Section 12.1; the Application Id set to <Diameter ERP Application> Section 12.1; the
same commands are denoted "EAP/DER" and "EAP/DEA" when the same commands are denoted "EAP/DER" and "EAP/DEA" when the
Application Id in the message is set to <Diameter EAP Application> Application Id in the message is set to <Diameter EAP Application>
skipping to change at page 4, line 16 skipping to change at page 4, line 18
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Assumptions 3. Assumptions
This document assumes the existence of at most one logical ER server This document assumes the existence of at most one logical ER server
entity in a domain. If several physical servers are deployed for entity in a domain. If several physical servers are deployed for
robustness, a replication mechanism must be deployed to synchronize robustness, a replication mechanism must be deployed to synchronize
the ERP states (root keys) between these servers. This replication the ERP state (e.g., root keys) between these servers. This
mechanism is out of the scope of this document. If multiple ER replication mechanism is out of the scope of this document. If
servers are deployed in the domain, we assume that they can be used multiple ER servers are deployed in the domain, we assume that they
interchangeably. If multiple ER servers are deployed across the can be used interchangeably. If multiple ER servers are deployed
domains, we assume only one ER server that is near to the peer is across the domains, we assume only one ER server that is near to the
getting involved in the ERP. peer is getting involved in the ERP.
Also this document assumes the existence of at most one EAP server Also this document assumes the existence of at most one EAP server
entity in the home domain. In case of multiple physical home EAP entity in the home domain. In case of multiple physical home EAP
servers in the same domain, if the ER server wants to reach the same servers in the same domain, if the ER server wants to reach the same
home EAP server, the ER server may cache the Destination-Host AVP home EAP server, the ER server may cache the Destination-Host AVP
corresponding to the home EAP server it requests. corresponding to the home EAP server it requests.
4. Protocol Overview 4. Protocol Overview
The following figure shows the components involved in ERP, and their The following figure shows the components involved in ERP, and their
skipping to change at page 5, line 12 skipping to change at page 5, line 14
Section 12.1 in the message. The generation of the ERP/DER message Section 12.1 in the message. The generation of the ERP/DER message
is detailed in Section 6. is detailed in Section 6.
If there is an ER server in the same domain as the authenticator If there is an ER server in the same domain as the authenticator
(i.e., the local domain), Diameter routing MUST be configured so that (i.e., the local domain), Diameter routing MUST be configured so that
this ERP/DER message reaches that server, even if the Destination- this ERP/DER message reaches that server, even if the Destination-
Realm is not the same as local domain. Realm is not the same as local domain.
If there is no local ER server, the message is routed according to If there is no local ER server, the message is routed according to
its Destination-Realm AVP content, extracted from the realm component its Destination-Realm AVP content, extracted from the realm component
of the keyName-NAI attribute. As specified in RFC6696 [RFC6696], of the keyName-NAI attribute. As specified in RFC 6696, this realm
this realm is the home domain of the peer in the case of is the home domain of the peer in the case of bootstrapping exchange
bootstrapping exchange ('B' flag is set in ERP message) or the domain ('B' flag is set in ERP message) or the domain of the bootstrapped ER
of the bootstrapped ER server otherwise . server otherwise .
If no ER server is available in the home domain either, the ERP/DER If no ER server is available in the home domain either, the ERP/DER
message cannot be delivered, and an error DIAMETER_UNABLE_TO_DELIVER message cannot be delivered, and an error DIAMETER_UNABLE_TO_DELIVER
MUST be generated as specified in [I-D.ietf-dime-rfc3588bis] and MUST be generated as specified in [I-D.ietf-dime-rfc3588bis] and
returned to the authenticator. The authenticator MAY cache this returned to the authenticator. The authenticator MAY cache this
information (with limited duration) to avoid further attempts to information (with limited duration) to avoid further attempts to
execute ERP with this realm. It MAY also fallback to full EAP execute ERP with this realm. It MAY also fallback to full EAP
authentication to authenticate the peer. authentication to authenticate the peer.
When an ER server receives the ERP/DER message, it searches its local When an ER server receives the ERP/DER message, it searches its local
database for a valid, unexpired root key matching the keyName part of database for a valid, unexpired root key matching the keyName part of
the User-Name AVP. If such key is found, the ER server processes the the User-Name AVP. If such key is found, the ER server processes the
ERP message as described in [RFC6696] then creates the ERP/DEA answer ERP message as described in RFC 6696, then creates the ERP/DEA answer
as described in Section 6. The rMSK is included in this answer. as described in Section 6. The rMSK is included in this answer.
Finally, the authenticator extracts the rMSK from the ERP/DEA as Finally, the authenticator extracts the rMSK from the ERP/DEA as
described in RFC6696 [RFC6696], and forwards the content of the EAP- described in RFC 6696, and forwards the content of the EAP-Payload
Payload AVP, the EAP-Finish/Re-Auth message, to the peer. AVP, the EAP-Finish/Re-Auth message, to the peer.
The ER server may or may not possess the root key in its local The ER server may or may not possess the root key in its local
database. If the EAP-Initiate/Re-Auth message has its 'B' flag set database. If the EAP-Initiate/Re-Auth message has its 'B' flag set
(Bootstrapping exchange) and the ER server possesses the root key, (Bootstrapping exchange) and the ER server possesses the root key,
the ER server SHOULD respond directly to the peer that initiated the the ER server SHOULD respond directly to the peer that initiated the
ERP exchange. Otherwise, the ER server SHOULD act as a proxy and ERP exchange. Otherwise, the ER server SHOULD act as a proxy and
forward the message to the home EAP server after changing its forward the message to the home EAP server after changing its
Application Id to Diameter EAP and adding the ERP-RK-Request AVP to Application Id to Diameter EAP and adding the ERP-RK-Request AVP to
request the root key. See Section 5 for more detail on this process. request the root key. See Section 5 for more detail on this process.
skipping to change at page 7, line 4 skipping to change at page 7, line 28
<------------------------- <-------------------------
Diameter EAP/DEA Diameter EAP/DEA
(EAP-Success) (EAP-Success)
(MSK) (MSK)
(Key AVP (rRK)) (Key AVP (rRK))
<------------------------- <-------------------------
Diameter EAP/DEA Diameter EAP/DEA
(EAP-Success) (EAP-Success)
(MSK) (MSK)
[ERP-Realm] [ERP-Realm]
Figure 2: ERP Bootstrapping During Full EAP Authentication Figure 2: ERP Bootstrapping During Full EAP Authentication
The authenticator creates the first DER of the full EAP The authenticator creates the first DER of the full EAP
authentication and sends it to the ER server. The ER server proxies authentication and sends it to the ER server. The ER server proxies
the first DER of the full EAP authentication and adds the ERP-RK- the first DER of the full EAP authentication and adds the ERP-RK-
Request AVP inside, then forwards the request to the home EAP server. Request AVP inside, then forwards the request to the home EAP server.
If the home Diameter server does not support the Diameter ERP If the home Diameter server does not support the Diameter ERP
extensions, it simply ignores the ERP-RK-Request AVP and continues as extensions, it simply ignores the ERP-RK-Request AVP and continues as
specified in RFC 4072 [RFC4072]. If the server supports the ERP specified in RFC 4072 [RFC4072]. If the server supports the ERP
extensions, it saves the value of the ERP-Realm AVP found inside the extensions, it saves the value of the ERP-Realm AVP found inside the
ERP-RK-Request AVP, and continues with the EAP authentication. When ERP-RK-Request AVP, and continues with the EAP authentication. When
the authentication completes, if it is successful and the EAP method the authentication completes, if it is successful and the EAP method
has generated an EMSK, the server MUST derive the rRK as specified in has generated an EMSK, the server MUST derive the rRK as specified in
RFC 6696 [RFC6696], using the saved domain name. It then includes RFC 6696, using the saved domain name. It then includes the rRK
the rRK inside a Key AVP (Section 8.3) with the Key-Type AVP set to inside a Key AVP (Section 8.3) with the Key-Type AVP set to rRK,
rRK, before sending the DEA as usual. before sending the DEA as usual.
When the ER server proxies a Diameter-EAP-Answer message with a When the ER server proxies a Diameter-EAP-Answer message with a
Session-Id corresponding to a message to which it added an ERP-RK- Session-Id corresponding to a message to which it added an ERP-RK-
Request AVP, and the Result-Code is DIAMETER_SUCCESS, it MUST examine Request AVP, and the Result-Code is DIAMETER_SUCCESS, it MUST examine
the message and save and remove any Key AVP (Section 8.3) with Key- the message and save and remove any Key AVP (Section 8.3) with Key-
Type AVP set to rRK. If the message does not contain such Key AVP, Type AVP set to rRK. If the message does not contain such Key AVP,
the ER server may cache the information that ERP is not possible for the ER server may cache the information that ERP is not possible for
this session to avoid possible subsequent attempts. In any case, the this session to avoid possible subsequent attempts. In any case, the
information stored in ER server concerning a session should not have information stored in ER server concerning a session should not have
a lifetime greater than the EMSK for this session. a lifetime greater than the EMSK for this session.
skipping to change at page 8, line 33 skipping to change at page 9, line 8
Then the newly created EAP/DER is sent and routed to the home Then the newly created EAP/DER is sent and routed to the home
Diameter EAP application server. Diameter EAP application server.
If the home Diameter EAP server does not support ERP extensions, EAP If the home Diameter EAP server does not support ERP extensions, EAP
packets with an unknown ERP-specific code (EAP-Initiate) will not be packets with an unknown ERP-specific code (EAP-Initiate) will not be
understood. In such a case, the home Diameter EAP server MUST send understood. In such a case, the home Diameter EAP server MUST send
an EAP/DEA with a Result-Code indicating a Permanent Failure (for an EAP/DEA with a Result-Code indicating a Permanent Failure (for
example, DIAMETER_ERROR_EAP_CODE_UNKNOWN or example, DIAMETER_ERROR_EAP_CODE_UNKNOWN or
DIAMETER_UNABLE_TO_COMPLY). The Failed-AVP AVP MUST be included and DIAMETER_UNABLE_TO_COMPLY). The Failed-AVP AVP MUST be included and
contain a copy of the EAP-Payload AVP. Otherwise, it processes the contain a copy of the EAP-Payload AVP. Otherwise, it processes the
DSRK request as described in [RFC6696]. In particular, it includes DSRK request as described in RFC 6696. In particular, it includes
the Domain- Name TLV attribute with the content from the ERP-Realm the Domain- Name TLV attribute with the content from the ERP-Realm
AVP. The server creates the EAP/DEA reply message [RFC4072] AVP. The server creates the EAP/DEA reply message [RFC4072]
including an instance of the Key AVP (Section 8.3) with Key-Type AVP including an instance of the Key AVP (Section 8.3) with Key-Type AVP
set to rRK and an instance of the Domain-Name TLV attribute with the set to rRK and an instance of the Domain-Name TLV attribute with the
content from the ERP-Realm AVP. content from the ERP-Realm AVP.
The ER server receives this EAP/DEA and proxies it as follows, in The ER server receives this EAP/DEA and proxies it as follows, in
addition to standard proxy operations: addition to standard proxy operations:
Set the Application Id back to Diameter ERP Application Id Set the Application Id back to Diameter ERP Application Id
(Section 12.1 ) (Section 12.1 )
Extract and cache the content of the Key AVP with Key-Type set to Extract and cache the content of the Key AVP with Key-Type set to
rRK, as described in the implicit scenario (Section 5.1). rRK, as described in the implicit scenario (Section 5.1).
The ERP/DEA message is then forwarded to the authenticator, that can The ERP/DEA message is then forwarded to the authenticator, that can
use the rMSK as described in RFC 6696 [RFC6696]. use the rMSK as described in RFC 6696.
The figure below captures this proxy behavior: The figure below captures this proxy behavior:
Authenticator ER server Home Diameter server Authenticator ER server Home Diameter server
============= ========= ==================== ============= ========= ====================
-----------------------> ----------------------->
Diameter ERP/DER Diameter ERP/DER
(EAP-Initiate) (EAP-Initiate)
------------------------> ------------------------>
Diameter EAP/DER Diameter EAP/DER
skipping to change at page 10, line 11 skipping to change at page 10, line 11
(Key AVP (rMSK)) (Key AVP (rMSK))
Figure 3: ERP Explicit Bootstrapping Message Flow Figure 3: ERP Explicit Bootstrapping Message Flow
6. Re-Authentication 6. Re-Authentication
This section describes in detail a re-authentication exchange with an This section describes in detail a re-authentication exchange with an
ER server that was previously bootstrapped. The following figure ER server that was previously bootstrapped. The following figure
summarizes the re-authentication exchange. summarizes the re-authentication exchange.
ER server ER server
Peer Authenticator (bootstrapped) Peer Authenticator (bootstrapped)
==== ============= ====================== ==== ============= ======================
[ <------------------------ ] [ <------------------------ ]
[optional EAP-Initiate/Re-auth-start,] [optional EAP-Initiate/Re-auth-start,]
[ possibly with ERP domain name ] [ possibly with ERP domain name ]
-----------------------> ----------------------->
EAP-Initiate/Re-auth EAP-Initiate/Re-auth
===============================> ===============================>
Diameter ERP, cmd code DER Diameter ERP, cmd code DER
User-Name: Keyname-NAI User-Name: Keyname-NAI
EAP-Payload: EAP-Initiate/Re-auth EAP-Payload: EAP-Initiate/Re-auth
<=============================== <===============================
Diameter ERP, cmd code DEA Diameter ERP, cmd code DEA
EAP-Payload: EAP-Finish/Re-auth EAP-Payload: EAP-Finish/Re-auth
Key AVP: rMSK Key AVP: rMSK
<---------------------- <----------------------
EAP-Finish/Re-auth EAP-Finish/Re-auth
Figure 4: Diameter ERP Re-authentication Exchange Figure 4: Diameter ERP Re-authentication Exchange
The peer sends an EAP-Initiate/Re-auth message to the ER server via The peer sends an EAP-Initiate/Re-auth message to the ER server via
the authenticator. Alternatively, the authenticator may send an EAP- the authenticator. Alternatively, the authenticator may send an EAP-
Initiate/Re-auth-Start message to the peer to trigger the mechanism. Initiate/Re-auth-Start message to the peer to trigger the mechanism.
In this case, the peer responds with an EAP-Initiate/Re-auth message. In this case, the peer responds with an EAP-Initiate/Re-auth message.
If the authenticator does not support ERP (pure Diameter EAP If the authenticator does not support ERP (pure Diameter EAP
[RFC4072] support), it discards the EAP packets with an unknown ERP- [RFC4072] support), it discards the EAP packets with an unknown ERP-
specific code (EAP-Initiate). The peer should fallback to full EAP specific code (EAP-Initiate). The peer should fallback to full EAP
authentication in this case. authentication in this case.
When the authenticator receives an EAP-Initiate/Re-auth message from When the authenticator receives an EAP-Initiate/Re-auth message from
the peer, the message is processed as described in [RFC6696] with the peer, the message is processed as described in RFC 6696 with
regard to the EAP state machine. It creates a Diameter ERP/DER regard to the EAP state machine. It creates a Diameter ERP/DER
message following the general process of Diameter EAP [RFC4072], with message following the general process of Diameter EAP [RFC4072], with
the following differences: the following differences:
The Application Id in the header is set to <Diameter ERP> (code The Application Id in the header is set to <Diameter ERP> (code
TBD ). TBD ).
The value in Auth-Application-Id AVP is also set to <Diameter The value in Auth-Application-Id AVP is also set to <Diameter
ERP>. ERP>.
skipping to change at page 11, line 35 skipping to change at page 11, line 35
The value of the Auth-Application-Id AVP is also set to <Diameter The value of the Auth-Application-Id AVP is also set to <Diameter
ERP>. ERP>.
The EAP-Payload AVP contains the EAP-Finish/Re-auth message. The EAP-Payload AVP contains the EAP-Finish/Re-auth message.
If authentication is successful, an instance of the Key AVP If authentication is successful, an instance of the Key AVP
containing the Re-authentication Master Session Key (rMSK) derived containing the Re-authentication Master Session Key (rMSK) derived
by ERP is included. by ERP is included.
When the authenticator receives this ERP/DEA answer, it processes it When the authenticator receives this ERP/DEA answer, it processes it
as described in Diameter EAP [RFC4072] and RFC 6696 [RFC6696]: the as described in the Diameter EAP Application specification [RFC4072]
content of the EAP-Payload AVP is forwarded to the peer, and the and RFC 6696: the content of the EAP-Payload AVP is forwarded to the
contents of the Keying-Material AVP [I-D.ietf-dime-local-keytran] is peer, and the contents of the Keying-Material AVP
used as a shared secret for a secure association protocol specific to [I-D.ietf-dime-local-keytran] is used as a shared secret for a secure
the lower-layer in use. association protocol specific to the lower-layer in use.
7. Application Id 7. Application Id
We define a new Diameter application in this document, Diameter ERP We define a new Diameter application in this document, Diameter ERP
Application, with an Application Id value of TBD. Diameter nodes Application, with an Application Id value of TBD. Diameter nodes
conforming to this specification in the role of ER server MUST conforming to this specification in the role of ER server MUST
advertise support by including an Auth-Application-Id AVP with a advertise support by including an Auth-Application-Id AVP with a
value of Diameter ERP in the Capabilities-Exchange-Request and value of Diameter ERP in the Capabilities-Exchange-Request and
Capabilities-Exchange-Answer commands [I-D.ietf-dime-rfc3588bis]. Capabilities-Exchange-Answer commands [I-D.ietf-dime-rfc3588bis].
skipping to change at page 12, line 48 skipping to change at page 12, line 48
8.3.1. Key-Type AVP 8.3.1. Key-Type AVP
The value of the Key-Type AVP MUST be set to 2 for rRK or 3 for rMSK. The value of the Key-Type AVP MUST be set to 2 for rRK or 3 for rMSK.
8.3.2. Keying-Material AVP 8.3.2. Keying-Material AVP
The Keying-Material AVP contains the rRK sent by the home EAP server The Keying-Material AVP contains the rRK sent by the home EAP server
to the ER server, in answer to a request containing an ERP-RK-Request to the ER server, in answer to a request containing an ERP-RK-Request
AVP, or the rMSK sent by the ER server to the authenticator. How AVP, or the rMSK sent by the ER server to the authenticator. How
this material is derived and used is specified in RFC 6696 [RFC6696]. this material is derived and used is specified in RFC 6696.
8.3.3. Key-Name AVP 8.3.3. Key-Name AVP
This AVP contains the EMSKname which identifies the keying material. This AVP contains the EMSKname which identifies the keying material.
The derivation of this name is specified in RGC 6696 [RFC6696]. The derivation of this name is specified in RFC 6696.
8.3.4. Key-Lifetime AVP 8.3.4. Key-Lifetime AVP
The Key-Lifetime AVP contains the lifetime of the keying material in The Key-Lifetime AVP contains the lifetime of the keying material in
seconds. It MUST NOT be greater than the remaining lifetime of the seconds. It MUST NOT be greater than the remaining lifetime of the
EMSK from which the material was derived. EMSK from which the material was derived.
9. Result-Code AVP Values 9. Result-Code AVP Values
This section defines new Result-Code [I-D.ietf-dime-rfc3588bis] This section defines new Result-Code [I-D.ietf-dime-rfc3588bis]
 End of changes. 22 change blocks. 
39 lines changed or deleted 43 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/