< draft-ietf-dime-erp-13.txt   draft-ietf-dime-erp-14.txt >
skipping to change at page 1, line 15 skipping to change at page 1, line 15
Intended status: Standards Track Orange Labs Intended status: Standards Track Orange Labs
Expires: April 25, 2013 S. Decugis Expires: April 25, 2013 S. Decugis
INSIDE Secure INSIDE Secure
Q. Wu Q. Wu
Huawei Huawei
G. Zorn G. Zorn
Network Zen Network Zen
October 22, 2012 October 22, 2012
Diameter Support for the EAP Re-authentication Protocol (ERP) Diameter Support for the EAP Re-authentication Protocol (ERP)
draft-ietf-dime-erp-13.txt draft-ietf-dime-erp-14.txt
Abstract Abstract
The EAP Re-authentication Protocol (ERP) defines extensions to the The EAP Re-authentication Protocol (ERP) defines extensions to the
Extensible Authentication Protocol (EAP) to support efficient re- Extensible Authentication Protocol (EAP) to support efficient re-
authentication between the peer and an EAP Re-authentication (ER) authentication between the peer and an EAP Re-authentication (ER)
server through a compatible authenticator. This document specifies server through a compatible authenticator. This document specifies
Diameter support for ERP. It defines a new Diameter ERP application Diameter support for ERP. It defines a new Diameter ERP application
to transport ERP messages between an ER authenticator and the ER to transport ERP messages between an ER authenticator and the ER
server, and a set of new AVPs that can be used to transport the server, and a set of new AVPs that can be used to transport the
skipping to change at page 10, line 51 skipping to change at page 10, line 51
specific code (EAP-Initiate). The peer should fallback to full EAP specific code (EAP-Initiate). The peer should fallback to full EAP
authentication in this case. authentication in this case.
When the authenticator receives an EAP-Initiate/Re-auth message from When the authenticator receives an EAP-Initiate/Re-auth message from
the peer, the message is processed as described in RFC 6696 with the peer, the message is processed as described in RFC 6696 with
regard to the EAP state machine. It creates a Diameter ERP/DER regard to the EAP state machine. It creates a Diameter ERP/DER
message following the general process of Diameter EAP [RFC4072], with message following the general process of Diameter EAP [RFC4072], with
the following differences: the following differences:
The Application Id in the header is set to <Diameter ERP> (code The Application Id in the header is set to <Diameter ERP> (code
TBD ). TBD1 ).
The value in Auth-Application-Id AVP is also set to <Diameter The value in Auth-Application-Id AVP is also set to <Diameter
ERP>. ERP>.
The keyName-NAI attribute from the ERP message is used to create The keyName-NAI attribute from the ERP message is used to create
the content of the User-Name and Destination-Realm AVPs. the content of the User-Name and Destination-Realm AVPs.
The Auth-Request-Type AVP content is set to the appropriate value. The Auth-Request-Type AVP content is set to the appropriate value.
The EAP-Payload AVP contains the EAP-Initiate/Re-Auth meassge. The EAP-Payload AVP contains the EAP-Initiate/Re-Auth meassge.
Then this ERP/DER message is sent as described in Section 4. Then this ERP/DER message is sent as described in Section 4.
The ER server receives and processes this request as described in The ER server receives and processes this request as described in
Section 4. It then creates an ERP/DEA message following the general Section 4. It then creates an ERP/DEA message following the general
process described in RFC4072 [RFC4072], with the following process described in RFC4072 [RFC4072], with the following
differences: differences:
The Application Id in the header is set to <Diameter ERP> (code The Application Id in the header is set to <Diameter ERP> (code
TBD). TBD1).
The value of the Auth-Application-Id AVP is also set to <Diameter The value of the Auth-Application-Id AVP is also set to <Diameter
ERP>. ERP>.
The EAP-Payload AVP contains the EAP-Finish/Re-auth message. The EAP-Payload AVP contains the EAP-Finish/Re-auth message.
If authentication is successful, an instance of the Key AVP If authentication is successful, an instance of the Key AVP
containing the Re-authentication Master Session Key (rMSK) derived containing the Re-authentication Master Session Key (rMSK) derived
by ERP is included. by ERP is included.
When the authenticator receives this ERP/DEA answer, it processes it When the authenticator receives this ERP/DEA answer, it processes it
as described in the Diameter EAP Application specification [RFC4072] as described in the Diameter EAP Application specification [RFC4072]
and RFC 6696: the content of the EAP-Payload AVP is forwarded to the and RFC 6696: the content of the EAP-Payload AVP is forwarded to the
peer, and the contents of the Keying-Material AVP peer, and the contents of the Keying-Material AVP
[I-D.ietf-dime-local-keytran] is used as a shared secret for a secure [I-D.ietf-dime-local-keytran] is used as a shared secret for a secure
association protocol specific to the lower-layer in use. association protocol specific to the lower-layer in use.
7. Application Id 7. Application Id
We define a new Diameter application in this document, Diameter ERP We define a new Diameter application in this document, Diameter ERP
Application, with an Application Id value of TBD. Diameter nodes Application, with an Application Id value of TBD1. Diameter nodes
conforming to this specification in the role of ER server MUST conforming to this specification in the role of ER server MUST
advertise support by including an Auth-Application-Id AVP with a advertise support by including an Auth-Application-Id AVP with a
value of Diameter ERP in the Capabilities-Exchange-Request and value of Diameter ERP in the Capabilities-Exchange-Request and
Capabilities-Exchange-Answer commands [I-D.ietf-dime-rfc3588bis]. Capabilities-Exchange-Answer commands [I-D.ietf-dime-rfc3588bis].
The primary use of the Diameter ERP Application Id is to ensure The primary use of the Diameter ERP Application Id is to ensure
proper routing of the messages, and that the nodes that advertise the proper routing of the messages, and that the nodes that advertise the
support for this application do understand the new AVPs defined in support for this application do understand the new AVPs defined in
Section 8, although these AVP have the 'M' flag cleared. Section 8, although these AVP have the 'M' flag cleared.
8. AVPs 8. AVPs
The following sub-sections discuss the AVPs used by the Diameter ERP The following sub-sections discuss the AVPs used by the Diameter ERP
application. application.
8.1. ERP-RK-Request AVP 8.1. ERP-RK-Request AVP
The ERP-RK-Request AVP (AVP Code TBD) is of type grouped AVP. This The ERP-RK-Request AVP (AVP Code TBD2) is of type grouped AVP. This
AVP is used by the ER server to indicate its willingness to act as ER AVP is used by the ER server to indicate its willingness to act as ER
server for a particular session. server for a particular session.
This AVP has the M and V bits cleared. This AVP has the M and V bits cleared.
ERP-RK-Request ::= < AVP Header: TBD > ERP-RK-Request ::= < AVP Header: TBD2 >
{ ERP-Realm } { ERP-Realm }
* [ AVP ] * [ AVP ]
Figure 5: ERP-RK-Request ABNF Figure 5: ERP-RK-Request ABNF
8.2. ERP-Realm AVP 8.2. ERP-Realm AVP
The ERP-Realm AVP (AVP Code TBD) is of type DiameterIdentity. It The ERP-Realm AVP (AVP Code TBD3) is of type DiameterIdentity. It
contains the name of the realm in which the ER server is located. contains the name of the realm in which the ER server is located.
This AVP has the M and V bits cleared. This AVP has the M and V bits cleared.
8.3. Key AVP 8.3. Key AVP
The Key AVP [I-D.ietf-dime-local-keytran] is of type "Grouped" and is The Key AVP [I-D.ietf-dime-local-keytran] is of type "Grouped" and is
used to carry the rRK or rMSK and associated attributes. The usage used to carry the rRK or rMSK and associated attributes. The usage
of the Key AVP and its constituent AVPs in this application is of the Key AVP and its constituent AVPs in this application is
specified in the following sub-sections. specified in the following sub-sections.
skipping to change at page 13, line 28 skipping to change at page 13, line 28
This section defines new Result-Code [I-D.ietf-dime-rfc3588bis] This section defines new Result-Code [I-D.ietf-dime-rfc3588bis]
values that MUST be supported by all Diameter implementations that values that MUST be supported by all Diameter implementations that
conform to this specification. conform to this specification.
9.1. Permanent Failures 9.1. Permanent Failures
Errors that fall within the Permanent Failures category are used to Errors that fall within the Permanent Failures category are used to
inform the peer that the request failed and SHOULD NOT be attempted inform the peer that the request failed and SHOULD NOT be attempted
again. again.
DIAMETER_ERROR_ EAP_CODE_UNKNOWN (TBD) DIAMETER_ERROR_ EAP_CODE_UNKNOWN (TBD4)
This error code is used by the Diameter server to inform the This error code is used by the Diameter server to inform the
peer that the received EAP-PAYLOAD AVP contains an EAP packet peer that the received EAP-PAYLOAD AVP contains an EAP packet
with an unknown EAP code. with an unknown EAP code.
10. Contributors 10. Contributors
Hannes Tschofenig wrote the initial draft of this document. Hannes Tschofenig wrote the initial draft of this document.
Lakshminath Dondeti contributed to the early versions of the Lakshminath Dondeti contributed to the early versions of the
document. document.
11. Acknowledgements 11. Acknowledgements
Hannes Tschofenig, Zhen Cao and Jouni Korhonen provided useful Hannes Tschofenig, Zhen Cao, Benoit Claise, Elwyn Davies and Jouni
reviews. Korhonen provided useful reviews.
Vidya Narayanan reviewed a rough draft version of the document and Vidya Narayanan reviewed a rough draft version of the document and
found some errors. found some errors.
Many thanks to these people! Many thanks to these people!
12. IANA Considerations 12. IANA Considerations
This document requires IANA registration of the following new This document requires IANA registration of the following new
elements in the Authentication, Authorization, and Accounting (AAA) elements in the Authentication, Authorization, and Accounting (AAA)
skipping to change at page 14, line 36 skipping to change at page 14, line 36
These AVPs are defined in Section 8. These AVPs are defined in Section 8.
12.3. New Permanent Failures Result-Code AVP Values 12.3. New Permanent Failures Result-Code AVP Values
This specification requires IANA to allocate a new value from the This specification requires IANA to allocate a new value from the
"Result-Code AVP Values (code 268) - Permanent Failure" registry "Result-Code AVP Values (code 268) - Permanent Failure" registry
according to the policy specified in Section 11.3.2 of Fajardo, et according to the policy specified in Section 11.3.2 of Fajardo, et
al. [I-D.ietf-dime-rfc3588bis] for the following Result-Code: al. [I-D.ietf-dime-rfc3588bis] for the following Result-Code:
DIAMETER_ERROR_EAP_CODE_UNKNOWN TBD DIAMETER_ERROR_EAP_CODE_UNKNOWN TBD4
This result-code value is defined in Section 9. This result-code value is defined in Section 9.
13. Security Considerations 13. Security Considerations
The security considerations from the following documents apply here: The security considerations from the following documents apply here:
o Fajardo, et al. [I-D.ietf-dime-rfc3588bis] o Fajardo, et al. [I-D.ietf-dime-rfc3588bis]
o RFC 4072 [RFC4072] o RFC 4072 [RFC4072]
 End of changes. 10 change blocks. 
11 lines changed or deleted 11 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/