< draft-ohba-pana-statemachine-00.txt   draft-ohba-pana-statemachine-01.txt >
PANA Working Group                                           V. Fajardo
Internet-Draft                                                  Y. Ohba
Expires: July 2, 2005                                              TARI
                                                               R. Lopez
                                                        Univ. of Murcia
                                                           January 2005

State Machines for Protocol for Carrying Authentication for Network
Access (PANA)
draft-ohba-pana-statemachine-01

Status of this Memo

This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she becomes aware will be disclosed, in accordance with
RFC 3668.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on July 2, 2005.

Copyright Notice

Copyright (C) The Internet Society (2005).

Abstract

This document defines the conceptual state machines for the Protocol
for Carrying Authentication for Network Access (PANA). The state
machines consist of the PANA Client (PaC) state machine and the PANA
Authentication Agent (PAA) state machine. The two state machines
show how PANA can interface to EAP state machines and can be
implemented while supporting various features including separate NAP
and ISP authentications, ISP selection and mobility optimization.
skipping to change at page 2, line 19

Table of Contents

1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   4
2.  Interface Between PANA and EAP . . . . . . . . . . . . . . .   5
3.  Document Authority . . . . . . . . . . . . . . . . . . . . .   7
4.  Notations  . . . . . . . . . . . . . . . . . . . . . . . . .   8
5.  Common Rules . . . . . . . . . . . . . . . . . . . . . . . .  10
  5.1   Common Procedures  . . . . . . . . . . . . . . . . . . .  10
  5.2   Common Variables . . . . . . . . . . . . . . . . . . . .  11
  5.3   Constants  . . . . . . . . . . . . . . . . . . . . . . .  13
  5.4   Common Message Initialization Rules  . . . . . . . . . .  13
  5.5   Common Error Handling Rules  . . . . . . . . . . . . . .  13
  5.6   Common State Transitions . . . . . . . . . . . . . . . .  14
6.  PaC State Machine  . . . . . . . . . . . . . . . . . . . . .  15
  6.1   Interface between PaC and EAP Peer . . . . . . . . . . .  15
    6.1.1   Delivering EAP Messages from PaC to EAP Peer . . . .  15
    6.1.2   Delivering EAP Responses from EAP Peer to PaC  . . .  15
    6.1.3   EAP Restart Notification from PaC to EAP Peer  . . .  15
    6.1.4   EAP Authentication Result Notification from EAP
            Peer to PaC  . . . . . . . . . . . . . . . . . . . .  15
    6.1.5   Alternate Failure Notification from PaC to EAP Peer   16
    6.1.6   EAP Invalid Message Notification from EAP Peer to
            PaC  . . . . . . . . . . . . . . . . . . . . . . . .  16
  6.2   Variables  . . . . . . . . . . . . . . . . . . . . . . .  16
  6.3   Procedures . . . . . . . . . . . . . . . . . . . . . . .  17
  6.4   PaC State Transition Table . . . . . . . . . . . . . . .  18
7.  PAA State Machine  . . . . . . . . . . . . . . . . . . . . .  30
  7.1   Interface between PAA and EAP Authenticator  . . . . . .  30
    7.1.1   EAP Restart Notification from PAA to EAP
            Authenticator  . . . . . . . . . . . . . . . . . . .  30
    7.1.2   Delivering EAP Responses from PAA to EAP
            Authenticator  . . . . . . . . . . . . . . . . . . .  30
    7.1.3   Delivering EAP Messages from EAP Authenticator to
            PAA  . . . . . . . . . . . . . . . . . . . . . . . .  30
    7.1.4   EAP Authentication Result Notification from EAP
            Authenticator to PAA . . . . . . . . . . . . . . . .  30
  7.2   Variables  . . . . . . . . . . . . . . . . . . . . . . .  31
  7.3   Procedures . . . . . . . . . . . . . . . . . . . . . . .  33
  7.4   PAA State Transition Table . . . . . . . . . . . . . . .  33
8.  Mobility Optimization Support  . . . . . . . . . . . . . . .  47
  8.1   Common Variables . . . . . . . . . . . . . . . . . . . .  47
  8.2   PaC Mobility Optimization State Machine  . . . . . . . .  47
    8.2.1   Variables  . . . . . . . . . . . . . . . . . . . . .  47
    8.2.2   Procedures . . . . . . . . . . . . . . . . . . . . .  48
    8.2.3   PaC Mobility Optimization State Transition Table
            Addendum . . . . . . . . . . . . . . . . . . . . . .  48
  8.3   PAA Mobility Optimization  . . . . . . . . . . . . . . .  51
    8.3.1   Procedures . . . . . . . . . . . . . . . . . . . . .  51
    8.3.2   PAA Mobility Optimization State Transition Table
            Addendum . . . . . . . . . . . . . . . . . . . . . .  51
9.  Implementation Considerations  . . . . . . . . . . . . . . .  53
  9.1   Interface exposed by PANA to the Host System . . . . . .  53
  9.2   PAA Interface to EP  . . . . . . . . . . . . . . . . . .  53
  9.3   Multicast Traffic  . . . . . . . . . . . . . . . . . . .  54
10. Security Considerations  . . . . . . . . . . . . . . . . . .  55
11. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . .  56
12. References . . . . . . . . . . . . . . . . . . . . . . . . .  57
  12.1  Normative References . . . . . . . . . . . . . . . . . .  57
  12.2  Informative References . . . . . . . . . . . . . . . . .  57
    Authors' Addresses . . . . . . . . . . . . . . . . . . . . .  57
    Intellectual Property and Copyright Statements . . . . . . .  59
1. Introduction

This document defines the state machines for the Protocol for
Carrying Authentication for Network Access (PANA)
[I-D.ietf-pana-pana]. There are state machines for the PANA client
(PaC) and for the PANA Authentication Agent (PAA). Each state machine
is specified through a set of variables, procedures and a state
transition table.

A PANA protocol execution consists of several exchanges to carry

skipping to change at page 7, line 9

state machine, respectively, in this document. If an EAP peer and an
EAP authenticator follow the state machines defined in
[I-D.ietf-eap-statemachine], the interfaces between PANA and EAP
could be based on that document. Detailed definitions of the
interfaces between PANA and EAP are given in the subsequent sections.

3. Document Authority

When a discrepancy occurs between any part of this document and any
of the related documents ([I-D.ietf-pana-pana],
[I-D.ietf-pana-mobopts], [I-D.ietf-eap-statemachine]), the latter
(the other documents) are considered authoritative and take
precedence.

4. Notations

The following state transition tables mostly follow the conventions
specified in [I-D.ietf-eap-statemachine]. The complete text is
described below.

State transition tables are used to represent the operation of the
protocol by a number of cooperating state machines each comprising a
group of connected, mutually exclusive states. Only one state of

skipping to change at page 8, line 26

All permissible transitions from a given state to other states and
associated actions performed when the transitions occur are
represented by using triplets of (exit condition, exit action, exit
state). All conditions are expressions that evaluate to TRUE or
FALSE; if a condition evaluates to TRUE, then the condition is met.

A state "ANY" is a wildcard state that matches the current state in
each state machine. The exit conditions of a wildcard state are
evaluated only after all other exit conditions specific to the
current state have been evaluated.

On exit from a state, the exit actions defined for the state and the
exit condition are executed exactly once, in the order that they
appear on the page. (Note that the procedures defined in
[I-D.ietf-eap-statemachine] are executed on entry to a state, which
is one major difference from this document.) Each exit action is
deemed to be atomic; i.e., execution of an exit action completes
before the next sequential exit action starts to execute. No exit
action executes outside of a state block. The exit actions in only
one state block execute at a time, even if the conditions for
execution of state blocks in different state machines are satisfied,
and all exit actions in an executing state block complete execution
before the transition to and execution of any other state block
occurs, i.e., the execution of any state block appears to be atomic
with respect to the execution of any other state block and the
transition condition to that state from the previous state is TRUE
when execution commences. The order of execution of state blocks in
different state machines is undefined except as constrained by their
transition conditions. A variable that is set to a particular value
in a state block retains this value until a subsequent state block
executes an exit action that modifies the value.

On completion of the transition from the previous state to the
current state, all exit conditions for the current state (including
exit conditions defined for the wildcard state) are evaluated
continuously until one of the conditions is met.

Any event variable is set to TRUE when the corresponding event occurs
and set to FALSE immediately after completion of the action
associated with the current state and the event.

skipping to change at page 10, line 14
5. Common Rules

The following procedures, variables, message initialization rules and
state transitions are common to both the PaC and PAA state machines.

Throughout this document, the character string "PANA_MESSAGE_NAME"
matches any one of the abbreviated PANA message names, i.e., "PDI",
"PSR", "PSA", "PAR", "PAN", "PBR", "PBA", "PFER", "PFEA", "PTR",
"PTA", "PPR", "PPA", "PRAR", "PRAA", "PUR", "PUA", "PER" and "PEA".

5.1 Common Procedures

None()
A null procedure, i.e., nothing is done.

Disconnect()
A procedure to delete the PANA session as well as the

skipping to change at page 11, line 36

boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME")
A procedure that checks whether an AVP of the specified AVP name
exists in the specified PANA message and returns TRUE if the
specified AVP is found, otherwise returns FALSE.

boolean key_available()
A procedure to check whether the PANA session has a PANA_MAC_KEY.
If the state machine already has a PANA_MAC_KEY, it returns TRUE.
If the state machine does not have a PANA_MAC_KEY, it tries to
retrieve an AAA-Key from the EAP entity. If an AAA-Key is
retrieved, it computes a PANA_MAC_KEY from the AAA-Key and returns
TRUE. Otherwise, it returns FALSE.

boolean fatal(int)
A procedure to check whether an integer result code value indicates
a fatal error. If the result code indicates a fatal error, the
procedure returns TRUE, otherwise it returns FALSE. A fatal error
also results in the termination of the session and the release of
all resources related to that session.

5.2 Common Variables

PANA_MESSAGE_NAME.S_flag
This variable contains the S-Flag value of the specified PANA
message.

PBR.RESULT_CODE
This variable contains the Result-Code AVP value in the
PANA-Bind-Request message in process.

PER.RESULT_CODE
This variable contains the Result-Code AVP value in the
PANA-Error-Request message in process.

RTX_COUNTER
This variable contains the current number of retransmissions of
the outstanding PANA message.

Rx:PANA_MESSAGE_NAME
This event variable is set to TRUE when the specified PANA message
is received from its peering PANA entity.

RTX_TIMEOUT
This event variable is set to TRUE when the retransmission timer
expires.

REAUTH
This event variable is set to TRUE when initiation of the
re-authentication phase is triggered.

TERMINATE
This event variable is set to TRUE when initiation of PANA session
termination is triggered.

PANA_PING
This event variable is set to TRUE when initiation of a liveness
test based on a PPR-PPA exchange is triggered.

SESS_TIMEOUT
This event variable is set to TRUE when the session timer expires.

ABORT_ON_1ST_EAP_FAILURE
This variable indicates whether the PANA session is immediately
terminated when the 1st EAP authentication fails.

CARRY_DEVICE_ID
This variable indicates whether a Device-Id AVP is carried in a
PANA-Bind-Request or PANA-Bind-Answer message.

ANY
This event variable is set to TRUE when any event occurs.

5.3 Constants

RTX_MAX_NUM
Configurable maximum for how many retransmissions should be
attempted before aborting.

5.4 Common Message Initialization Rules

When a message is prepared for sending, it is initialized as follows:

o For a request message, the R-flag of the header is set. Otherwise,
  the R-flag is not set.

o The S-flag and N-flag of the header are not set.

o AVPs that are mandatory in a message are inserted with appropriate
  values set.

o A Notification AVP is inserted if there is some notification
  string to send to the communicating peer.

5.5 Common Error Handling Rules

For simplicity, the PANA state machines defined in this document do
not support the optional feature of sending a PER message when an
invalid PANA message is received [I-D.ietf-pana-pana], while the
state machines do support sending a PER message generated in other
cases as well as receiving and processing a PER message. It is left
to implementations whether they provide a means to send a PER
message when an invalid PANA message is received.

5.6 Common State Transitions
The following transitions can occur in any state.

----------
State: ANY
----------

Exit Condition           Exit Action                Exit State
------------------------+--------------------------+------------
- - - - - - - - - (Reach maximum number of retransmission) - - -
RTX_TIMEOUT &&           Retransmit();              (no change)
RTX_COUNTER<
RTX_MAX_NUM

RTX_TIMEOUT &&           Disconnect();              CLOSED
RTX_COUNTER>=
RTX_MAX_NUM

SESS_TIMEOUT             Disconnect();              CLOSED
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - (PANA-Error-Message-Processing) - - - - - -
Rx:PER &&                PEA.insert_avp("MAC");     CLOSED
fatal(PER.RESULT_CODE) && Tx:PEA();
PER.exist_avp("MAC") &&  Disconnect();
key_available()

Rx:PER &&                Tx:PEA();                  (no change)
(!fatal(PER.RESULT_CODE) ||
!PER.exist_avp("MAC") ||
!key_available())
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-------------
State: CLOSED
-------------

Exit Condition           Exit Action                Exit State
------------------------+--------------------------+------------
- - - - - - - - (Session termination initiated by PaC) - - - - -
ANY                      None();                    CLOSED
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
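The following Python program is an added example, not code from the draft or from any PANA implementation. It models the Section 4 evaluation rules (rows specific to the current state are tried before the ANY wildcard rows, one exit action per round, event variables reset afterwards), the Section 5.1 procedures, the Section 5.4 message initialization rules and the Section 5.6 ANY and CLOSED tables. The names Message, Session, new_message, step and the scenario functions, the RTX_MAX_NUM value of 3, the symbolic result codes used by fatal(), the stand-in key derivation, the placeholder MAC values and the choice of Session-Id as the PEA's mandatory AVP are all assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

RTX_MAX_NUM = 3                      # Section 5.3; value chosen for the example
FATAL_CODES = {"unable-to-comply"}   # constructed: codes fatal() treats as fatal

@dataclass
class Message:
    name: str
    r_flag: bool = False             # Section 5.4: set on requests only
    s_flag: bool = False             # Section 5.4: S-flag and N-flag start clear
    n_flag: bool = False
    avps: dict = field(default_factory=dict)
    def exist_avp(self, avp):        # PANA_MESSAGE_NAME.exist_avp("AVP_NAME")
        return avp in self.avps
    def insert_avp(self, avp, val):  # PANA_MESSAGE_NAME.insert_avp("AVP_NAME")
        self.avps[avp] = val

def new_message(name, request, mandatory_avps, notification=None):
    """Section 5.4: R-flag on requests only, S/N clear, mandatory AVPs inserted,
    Notification AVP only when there is a notification string to send."""
    msg = Message(name, r_flag=request, avps=dict(mandatory_avps))
    if notification:
        msg.insert_avp("Notification", notification)
    return msg

def fatal(result_code):              # boolean fatal(int); symbolic codes used here
    return result_code in FATAL_CODES

@dataclass
class Session:
    state: str = "OPEN"              # stands for any non-CLOSED state of PaC or PAA
    rtx_counter: int = 0             # RTX_COUNTER
    mac_key: Optional[bytes] = None  # PANA_MAC_KEY, once derived
    aaa_key: Optional[bytes] = None  # AAA-Key the EAP entity may hand over
    sent: list = field(default_factory=list)   # messages handed to Tx
    RTX_TIMEOUT: bool = False        # event variables, reset after an action
    SESS_TIMEOUT: bool = False
    rx_per: Optional[Message] = None  # Rx:PER, carrying the received PER
    def key_available(self):         # Section 5.1: derive PANA_MAC_KEY on demand
        if self.mac_key is None and self.aaa_key is not None:
            self.mac_key = b"PANA_MAC_KEY(" + self.aaa_key + b")"   # stand-in
        return self.mac_key is not None
    def disconnect(self):            # Disconnect(): release keys, close session
        self.mac_key = self.aaa_key = None
        self.state = "CLOSED"
    def tx_pea(self, with_mac):      # Tx:PEA(); Session-Id as mandatory AVP is assumed
        pea = new_message("PEA", False, {"Session-Id": 1})
        if with_mac:                 # PEA.insert_avp("MAC") on the fatal-error row
            pea.insert_avp("MAC", b"<MAC over PEA with PANA_MAC_KEY>")
        self.sent.append(pea)
    def per_fatal(self):             # fatal(PER.RESULT_CODE)
        return fatal(self.rx_per.avps.get("Result-Code"))

# Section 5.6 ANY rows: (exit condition, exit action, exit state; None = no change)
ANY_ROWS = [
    (lambda s: s.RTX_TIMEOUT and s.rtx_counter < RTX_MAX_NUM,
     lambda s: setattr(s, "rtx_counter", s.rtx_counter + 1), None),   # Retransmit()
    (lambda s: s.RTX_TIMEOUT and s.rtx_counter >= RTX_MAX_NUM, Session.disconnect, "CLOSED"),
    (lambda s: s.SESS_TIMEOUT, Session.disconnect, "CLOSED"),
    (lambda s: s.rx_per is not None and s.per_fatal() and s.rx_per.exist_avp("MAC")
     and s.key_available(), lambda s: (s.tx_pea(True), s.disconnect()), "CLOSED"),
    (lambda s: s.rx_per is not None and (not s.per_fatal()
     or not s.rx_per.exist_avp("MAC") or not s.key_available()),
     lambda s: s.tx_pea(False), None),
]
STATE_ROWS = {"CLOSED": [(lambda s: True, lambda s: None, "CLOSED")]}   # ANY -> None()

def step(s):
    """One Section 4 round: state-specific rows before the ANY wildcard rows;
    the first TRUE condition runs its exit action once, then events are reset."""
    for cond, action, exit_state in STATE_ROWS.get(s.state, []) + ANY_ROWS:
        if cond(s):
            action(s)
            s.state = exit_state or s.state
            s.RTX_TIMEOUT, s.SESS_TIMEOUT, s.rx_per = False, False, None
            return True
    return False

def retransmission_scenario():
    """RTX_TIMEOUT RTX_MAX_NUM times retransmits; the next one closes the session."""
    s = Session()
    for _ in range(RTX_MAX_NUM):
        s.RTX_TIMEOUT = True
        step(s)
    before_last, s.RTX_TIMEOUT = s.state, True
    step(s)
    return before_last, s.rtx_counter, s.state

def per_scenario(code, per_has_mac, have_aaa_key):
    """Rx:PER handling; returns (state after, reply name, reply R-flag, reply has MAC)."""
    s = Session(aaa_key=b"aaa-key" if have_aaa_key else None)
    s.rx_per = new_message("PER", True, {"Result-Code": code})
    if per_has_mac:
        s.rx_per.insert_avp("MAC", b"<MAC from peer>")
    step(s)
    return s.state, s.sent[-1].name, s.sent[-1].r_flag, s.sent[-1].exist_avp("MAC")
```

Two points of the tables show up directly: a PER is only acted on as fatal (PEA with MAC, then Disconnect()) when it carries a MAC AVP and the session can produce a PANA_MAC_KEY, otherwise the session stays up and answers with an unprotected PEA; and because the CLOSED state has its own "ANY" row, which is evaluated before the wildcard rows, a timeout arriving in CLOSED changes nothing and sends nothing.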
6. PaC State Machine

6.1 Interface between PaC and EAP Peer

This interface defines the interactions between a PaC and an EAP

skipping to change at page 15, line 23

notify the EAP peer of PaC events and a mechanism to receive
notification of EAP peer events. The EAP message delivery mechanism
as well as the event notification mechanism in this interface have a
direct correlation with the PaC state transition table entries.
These message delivery and event notification mechanisms occur only
within the context of their associated states or exit actions.

6.1.1 Delivering EAP Messages from PaC to EAP Peer

The TxEAP() procedure in the PaC state machine serves as the
mechanism to deliver EAP request, EAP success and EAP failure
messages contained in PANA-Auth-Request messages to the EAP peer.
This procedure is enabled only after an EAP restart event is
notified to the EAP peer. In the case where the EAP peer follows the
EAP peer state machine defined in [I-D.ietf-eap-statemachine], the
TxEAP() procedure sets the eapReq variable of the EAP peer state
machine and puts the EAP request in the eapReqData variable of the
EAP peer state machine.

6.1.2 Delivering EAP Responses from EAP Peer to PaC

An EAP response is delivered from the EAP peer to the PaC via the
EAP_RESPONSE event variable. The event variable is set when the EAP
peer passes the EAP response to its lower layer. In the case where
the EAP peer follows the EAP peer state machine defined in
[I-D.ietf-eap-statemachine], the EAP_RESPONSE event variable refers
to the eapResp variable of the EAP peer state machine and the EAP
response is contained in the eapRespData variable of the EAP peer
state machine.
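The PaC half of the EAP peer interface of Sections 6.1.1 and 6.1.2, as an added example that is not the draft's or any PANA implementation's code: TxEAP() is refused until the restart event of Section 6.1.3 has been notified, delivery sets eapReq and eapReqData of the EAP peer machine, the EAP_RESPONSE event is read back from eapResp and eapRespData and the response is placed in a PAN, and the EAP_RESP_TIMEOUT timer of Sections 6.2 and 6.3 is modelled as a tick countdown. EapPeerVars, PacEapInterface, toy_eap_peer, eap_packet, the identity string and the two-tick timeout are assumptions of this example; the EAP peer here is a constructed stand-in that only answers Identity requests.

```python
from dataclasses import dataclass
from typing import Optional

EAP_REQUEST, EAP_RESPONSE_CODE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # EAP Code field
EAP_TYPE_IDENTITY = 1

@dataclass
class EapPeerVars:
    """Subset of the EAP peer state machine variables of [I-D.ietf-eap-statemachine]."""
    eapRestart: bool = False
    eapReq: bool = False
    eapReqData: Optional[bytes] = None
    eapResp: bool = False
    eapRespData: Optional[bytes] = None

def eap_packet(code, identifier, body):
    """Code | Identifier | Length (2 bytes, whole packet) | Type + Type-Data."""
    return bytes([code, identifier]) + (4 + len(body)).to_bytes(2, "big") + body

def toy_eap_peer(v):
    """Constructed stand-in for the EAP peer: consumes eapReq/eapReqData and
    answers an Identity request with an Identity response, nothing else."""
    if not v.eapReq:
        return
    v.eapReq = False
    pkt = v.eapReqData
    if pkt[0] == EAP_REQUEST and pkt[4] == EAP_TYPE_IDENTITY:
        body = bytes([EAP_TYPE_IDENTITY]) + b"pac@example.net"   # constructed identity
        v.eapRespData = eap_packet(EAP_RESPONSE_CODE, pkt[1], body)
        v.eapResp = True              # the PaC sees this as its EAP_RESPONSE event

class PacEapInterface:
    """PaC side of Sections 6.1.1/6.1.2 plus the EAP_RESP_TIMEOUT timer."""
    def __init__(self, peer_vars, resp_timeout=2):
        self.v = peer_vars
        self.restarted = False        # TxEAP() is enabled only after an EAP restart
        self.resp_timeout = resp_timeout
        self.timer = None             # EAP_RespTimerStart()/Stop() as a tick countdown
        self.EAP_RESP_TIMEOUT = False

    def eap_restart(self):            # Section 6.1.3 notification to the EAP peer
        self.v.eapRestart = True
        self.restarted = True

    def tx_eap(self, eap_payload):    # TxEAP(): hand a PAR's EAP-Payload to the peer
        if not self.restarted:
            return False              # not delivered before the restart notification
        self.v.eapReq, self.v.eapReqData = True, eap_payload
        self.timer = self.resp_timeout                     # EAP_RespTimerStart()
        return True

    def tick(self):                   # one timer unit passes without an EAP-Response
        if self.timer is not None:
            self.timer -= 1
            if self.timer <= 0:
                self.timer, self.EAP_RESP_TIMEOUT = None, True

    def poll_response(self):          # EAP_RESPONSE event <-> eapResp/eapRespData
        if not self.v.eapResp:
            return None
        self.v.eapResp, self.timer = False, None           # EAP_RespTimerStop()
        return {"name": "PAN", "EAP-Payload": self.v.eapRespData}   # carried in a PAN

def identity_round_trip():
    """PAR with EAP-Request/Identity -> peer -> PAN with EAP-Response/Identity."""
    v = EapPeerVars()
    pac = PacEapInterface(v)
    req = eap_packet(EAP_REQUEST, 7, bytes([EAP_TYPE_IDENTITY]))
    dropped = pac.tx_eap(req)         # before the restart notification: refused
    pac.eap_restart()
    delivered = pac.tx_eap(req)
    toy_eap_peer(v)
    resp = pac.poll_response()["EAP-Payload"]
    return dropped, delivered, resp[0], resp[1], resp[5:], pac.timer

def response_timeout():
    """A request the peer never answers: EAP_RESP_TIMEOUT after resp_timeout ticks."""
    v = EapPeerVars()
    pac = PacEapInterface(v, resp_timeout=2)
    pac.eap_restart()
    pac.tx_eap(eap_packet(EAP_REQUEST, 8, bytes([200])))   # constructed unknown type
    toy_eap_peer(v)                   # consumes the request, produces no response
    for _ in range(2):
        pac.tick()
    return pac.EAP_RESP_TIMEOUT, pac.poll_response()
```

The timer is what keeps a PaC from waiting forever on an EAP layer that silently drops a request (the EAP_INVALID_MSG case of Section 6.2); stopping it in poll_response() mirrors the EAP_RespTimerStop() procedure of Section 6.3.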
skipping to change at page 16, line 47

SEPARATE
This variable indicates whether the PaC desires NAP/ISP separate
authentication.

1ST_EAP
This variable indicates whether the 1st EAP authentication has
succeeded, has failed or has not yet completed.

AUTH_USER
This event variable is set to TRUE when initiation of EAP-based
(re-)authentication is triggered by the application.

EAP_SUCCESS
This event variable is set to TRUE when the EAP peer determines
that the EAP conversation completes with success.

EAP_FAILURE
This event variable is set to TRUE when the EAP peer determines
that the EAP conversation completes with failure.

skipping to change at page 17, line 29

This event variable is set to TRUE when the EAP peer delivers an
EAP Response to the PaC. This event accompanies an EAP-Response
message received from the EAP peer.

EAP_INVALID_MSG
This event variable is set to TRUE when the EAP peer silently
discards an EAP message. This event does not accompany any EAP
message.

UPDATE_DEVICE_ID
This event variable is set to TRUE when there is a change in the
device identifier of the PaC.

UPDATE_POPA
This event variable is set to TRUE when there is a change in the
POPA of the PaC.

EAP_RESP_TIMEOUT
This event variable is set to TRUE when the PaC, having passed an
EAP-Request to the EAP layer, does not receive a corresponding
EAP-Response from the EAP layer within a given period.
6.3 Procedures 6.3 Procedures
boolean choose_isp() boolean choose_isp()
This procedure returns TRUE when the PaC chooses one ISP, This procedure returns TRUE when the PaC chooses one ISP,
otherwise returns FALSE. otherwise returns FALSE.
boolean resume_pana_sa() boolean ppac_available()
This procedure returns TRUE when the Post-PANA-Address-
Configuration method specified by the PAA is available in the PaC
and that the PaC will be able to comply.
This procedure returns TRUE when a PANA SA for a previously eap_piggyback()
established PANA Session is resumed, otherwise returns FALSE.
Once a PANA SA is resumed, key_available() procedure must return This procedures returns TRUE to indicate whether the next EAP
TRUE. response will be carried in the pending PAN message for
optimization.
void alt_reject() void alt_reject()
This procedure informs the EAP peer of an authentication failure This procedure informs the EAP peer of an authentication failure
event without accompanying an EAP message. event without accompanying an EAP message.
EAP_RespTimerStart()
A procedure to start a timer to receive an EAP-Response from the
EAP peer.
EAP_RespTimerStop()
A procedure to stop a timer to receive an EAP-Response from the
EAP peer.
6.4 PaC State Transition Table 6.4 PaC State Transition Table
------------------------------ ------------------------------
State: OFFLINE (Initial State) State: OFFLINE (Initial State)
------------------------------ ------------------------------
Initialization Action: Initialization Action:
SEPARATE=Set|Unset; SEPARATE=Set|Unset;
1ST_EAP=Unset; 1ST_EAP=Unset;
RtxTimerStop(); RtxTimerStop();
PANA_SA_RESUMED=Unset;
EAP_Restart(); EAP_Restart();
Exit Condition Exit Action Exist State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+--------------
- - - - - - - - - - - - - (PSR processing) - - - - - - - - - - - - - - - - - - - - - - - - (PSR processing) - - - - - - - - - - -
Rx:PSR && RtxTimerStop(); WAIT_EAP_MSG_ Rx:PSR && RtxTimerStop(); WAIT_EAP_MSG_
PSR.exist_avp TxEAP(); IN_DISC PSR.exist_avp EAP_Restart(); IN_DISC
("EAP-Payload") SEPARATE=Unset; ("EAP-Payload") TxEAP();
Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp PSA.insert_avp
("EAP-Payload") && ("Session-Id");
MOBILITY==Set && PSA.insert_avp("Nonce");
resume_pana_sa() && PANA_SA_RESUMED=Set;
PSR.exist_avp PSA.insert_avp("Cookie");
("Cookie") PSA.insert_avp("MAC");
Tx:PSA();
RtxTimerStart();
SEPARATE=Unset; SEPARATE=Unset;
Rx:PSR && RtxTimerStop(); WAIT_PAA Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp PSA.insert_avp
("EAP-Payload") && ("Session-Id");
MOBILITY==Set && PSA.insert_avp("Nonce");
resume_pana_sa() && PSA.insert_avp("MAC");
!PSR.exist_avp Tx:PSA();
("Cookie") PANA_SA_RESUMED=Set;
Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp if (choose_isp()) !PSR.exist_avp if (choose_isp())
("EAP-Payload") && PSA.insert_avp("ISP"); ("EAP-Payload") && PSA.insert_avp("ISP");
(MOBILITY==Unset || PSA.S_flag=1; PSR.S_flag==1 && PSA.S_flag=1;
!resume_pana_sa()) && PSA.insert_avp("Cookie"); SEPARATE==Set && PSA.insert_avp("Cookie");
PSR.S_flag==1 && Tx:PSA(); PSR.exist_avp Tx:PSA();
SEPARATE==Set && RtxTimerStart(); ("Cookie") RtxTimerStart();
PSR.exist_avp EAP_Restart();
("Cookie")
Rx:PSR && RtxTimerStop(); WAIT_PAA Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp if (choose_isp()) !PSR.exist_avp if (choose_isp())
("EAP-Payload") && PSA.insert_avp("ISP"); ("EAP-Payload") && PSA.insert_avp("ISP");
(MOBILITY==Unset || PSA.S_flag=1; PSR.S_flag==1 && PSA.S_flag=1;
!resume_pana_sa()) && Tx:PSA(); SEPARATE==Set && Tx:PSA();
PSR.S_flag==1 && !PSR.exist_avp EAP_Restart();
SEPARATE==Set &&
!PSR.exist_avp
("Cookie") ("Cookie")
Rx:PSR && RtxTimerStop(); WAIT_PAA Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp if (choose_isp()) !PSR.exist_avp if (choose_isp())
("EAP-Payload") && PSA.insert_avp("ISP"); ("EAP-Payload") && PSA.insert_avp("ISP");
(MOBILITY==Unset || PSA.insert_avp("Cookie"); (PSA.S_flag!=1 || PSA.insert_avp("Cookie");
!resume_pana_sa()) && Tx:PSA(); SEPARATE==Unset) && Tx:PSA();
(PSA.S_flag!=1 || RtxTimerStart(); PSR.exist_avp RtxTimerStart();
SEPARATE==Unset) && SEPARATE=Unset; ("Cookie") SEPARATE=Unset;
PSR.exist_avp EAP_Restart();
("Cookie")
Rx:PSR && RtxTimerStop(); WAIT_PAA Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp if (choose_isp()) !PSR.exist_avp if (choose_isp())
("EAP-Payload") && PSA.insert_avp("ISP"); ("EAP-Payload") && PSA.insert_avp("ISP");
(MOBILITY==Unset || Tx:PSA(); (PSA.S_flag!=1 || Tx:PSA();
!resume_pana_sa()) && SEPARATE=Unset; SEPARATE==Unset) && SEPARATE=Unset;
(PSA.S_flag!=1 || !PSR.exist_avp EAP_Restart();
SEPARATE==Unset) &&
!PSR.exist_avp
("Cookie") ("Cookie")
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - -(Authentication trigger from application) - - - - - - - - - - - -(Authentication trigger from application) - - -
AUTH_USER Tx:PDI(); OFFLINE AUTH_USER Tx:PDI(); OFFLINE
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--------------------------- ---------------------------
State: WAIT_EAP_MSG_IN_DISC State: WAIT_EAP_MSG_IN_DISC
--------------------------- ---------------------------
Exit Condition Exit Action Exist State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - (Return PSA with EAP-Payload) - - - - - - - - - - - - - - - - - (Return PSA with EAP-Payload) - - - - - -
EAP_RESPONSE PSA.insert_avp WAIT_PAA EAP_RESPONSE PSA.insert_avp WAIT_PAA
("EAP-Payload")) ("EAP-Payload"))
Tx:PSA(); Tx:PSA();
EAP_INVALID_MSG None(); OFFLINE EAP_RESP_TIMEOUT || None(); OFFLINE
EAP_INVALID_MSG
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--------------- ---------------
State: WAIT_PAA State: WAIT_PAA
--------------- ---------------
Exit Condition Exit Action Exist State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - - - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - -
Rx:PAR RtxTimerStop(); WAIT_EAP_MSG Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG
TxEAP(); !eap_piggyback() TxEAP();
PANA_SA_RESUMED=Unset; EAP_RespTimerStart();
if (key_available())
PAN.insert_avp("MAC");
PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag;
Tx:PAN();
Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG
eap_piggyback() TxEAP();
EAP_RespTimerStart();
Rx:PAN RtxTimerStop(); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - - - - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - -
Rx:PFER && 1ST_EAP=Success; WAIT_1ST_EAP_RESULT Rx:PFER && 1ST_EAP=Success; WAIT_1ST_EAP_RESULT
1ST_EAP==Unset && TxEAP(); 1ST_EAP==Unset && TxEAP();
SEPARATE==Set && SEPARATE==Set &&
PFER.RESULT_CODE== PFER.RESULT_CODE==
PANA_SUCCESS && PANA_SUCCESS &&
PFER.S_flag==1 PFER.S_flag==1 &&
PFER.exist_avp
("EAP-Payload")
Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_RESULT Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_RESULT
1ST_EAP==Unset && TxEAP(); 1ST_EAP==Unset && TxEAP();
SEPARATE==Set && SEPARATE==Set &&
PFER.RESULT_CODE!= PFER.RESULT_CODE!=
PANA_SUCCESS && PANA_SUCCESS &&
PFER.S_flag==1 && PFER.S_flag==1 &&
ABORT_ON_1ST_EAP_FAILURE ABORT_ON_1ST_EAP_FAILURE
==Unset && ==Unset &&
PFER.exit_avp PFER.exist_avp
("EAP-Payload") ("EAP-Payload")
Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_RESULT Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_RESULT
1ST_EAP==Unset && alt_reject(); 1ST_EAP==Unset && alt_reject();
SEPARATE==Set && SEPARATE==Set &&
PFER.RESULT_CODE!= PFER.RESULT_CODE!=
PANA_SUCCESS && PANA_SUCCESS &&
PFER.S_flag==1 && PFER.S_flag==1 &&
ABORT_ON_1ST_EAP_FAILURE ABORT_ON_1ST_EAP_FAILURE
==Unset && ==Unset &&
!PFER.exit_avp !PFER.exist_avp
("EAP-Payload") ("EAP-Payload")
Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_
1ST_EAP==Unset && TxEAP(); RESULT_CLOSED 1ST_EAP==Unset && TxEAP(); RESULT_CLOSED
SEPARATE==Set && SEPARATE==Set &&
PFER.RESULT_CODE!= PFER.RESULT_CODE!=
PANA_SUCCESS && PANA_SUCCESS &&
(PFER.S_flag==0 || (PFER.S_flag==0 ||
ABORT_ON_1ST_EAP_FAILURE ABORT_ON_1ST_EAP_FAILURE
==Set) && ==Set) &&
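Review bot: in the OFFLINE state (new column), the third and fourth PSR rows test "(PSA.S_flag!=1 || SEPARATE==Unset)" in the exit condition, i.e. a flag of the answer the PaC has not built yet (the exit action is what sets PSA.S_flag), whereas the two rows above them test the received message with "PSR.S_flag==1 && SEPARATE==Set"; this should be "PSR.S_flag!=1 || SEPARATE==Unset" so that the four rows partition the PSR cases. Smaller points in the same hunk: eap_piggyback() in 6.3 is the only predicate without the "boolean" prefix that choose_isp() and ppac_available() carry, and "This procedures returns TRUE to indicate whether the next EAP response will be carried" should read "This procedure returns TRUE when the next EAP response will be carried"; the ppac_available() text "is available in the PaC and that the PaC will be able to comply" reads better as "is supported by the PaC, which is able to comply with it"; and the EAP_RESP_TIMEOUT definition has "from the the EAP-layer".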
skipping to change at page 20, line 48 skipping to change at page 21, line 38
SEPARATE==Set && SEPARATE==Set &&
PFER.RESULT_CODE!= PFER.RESULT_CODE!=
PANA_SUCCESS && PANA_SUCCESS &&
(PFER.S_flag==0 || (PFER.S_flag==0 ||
ABORT_ON_1ST_EAP_FAILURE ABORT_ON_1ST_EAP_FAILURE
==Set) && ==Set) &&
!PFER.exist_avp !PFER.exist_avp
("EAP-Payload") ("EAP-Payload")
Rx:PBR && TxEAP(); WAIT_EAP_RESULT Rx:PBR && TxEAP(); WAIT_EAP_RESULT
1ST_EAP==Unset && 1ST_EAP==Unset && if (PBR.exist_avp
SEPARATE==Unset && SEPARATE==Unset && ("Device-Id"))
PBR.RESULT_CODE== PBR.RESULT_CODE== CARRY_DEVICE_ID=Set;
PANA_SUCCESS && PANA_SUCCESS &&
PBR.exist_avp
("EAP-Payload")
PANA_SA_RESUMED!=Set Rx:PBR && alt_reject(); WAIT_EAP_RESULT
1ST_EAP==Unset && if (PBR.exist_avp
SEPARATE==Unset && ("Device-Id"))
PBR.RESULT_CODE== CARRY_DEVICE_ID=Set;
PANA_SUCCESS &&
!PBR.exist_avp
("EAP-Payload")
Rx:PBR && PBA.insert_avp("Key-Id"); OPEN Rx:PBR && PBA.insert_avp("Key-Id"); OPEN
1ST_EAP==Unset && PBA.insert_avp("MAC"); 1ST_EAP==Unset && PBA.insert_avp("MAC");
SEPARATE==Unset && TxPBA(); SEPARATE==Unset && if (PBR.exist_avp
PBR.RESULT_CODE== Authorize(); PBR.RESULT_CODE== ("Device-Id"))
PANA_SUCCESS && SessionTimerStart(); PANA_SUCCESS && PBA.insert("Device-Id");
PANA_SA_RESUMED==Set && PBR.exist_avp Tx:PBA();
PBR.exist_avp ("Key-Id") && Authorize();
("Nonce") && PBR.exist_avp SessionTimerStart();
PBR.exist_avp
("Key-Id") &&
PBR.exist_avp
("MAC") ("MAC")
Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ Rx:PBR && TxEAP(); WAIT_EAP_RESULT_
1ST_EAP==Unset && CLOSE 1ST_EAP==Unset && CLOSE
SEPARATE==Unset && SEPARATE==Unset &&
PBR.RESULT_CODE!= PBR.RESULT_CODE!=
PANA_SUCCESS && PANA_SUCCESS &&
PBR.exist_avp PBR.exist_avp
("EAP-Payload") ("EAP-Payload")
Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ Rx:PBR && alt_reject(); WAIT_EAP_RESULT_
1ST_EAP==Unset && CLOSE 1ST_EAP==Unset && CLOSE
SEPARATE==Unset && SEPARATE==Unset &&
PBR.RESULT_CODE!= PBR.RESULT_CODE!=
PANA_SUCCESS && PANA_SUCCESS &&
!PBR.exist_avp !PBR.exist_avp
("EAP-Payload") ("EAP-Payload")
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - -(2nd EAP result) - - - - - - - - - - - - - - - - - - - - - - - -(2nd EAP result) - - - - - - - - -
Rx:PBR && TxEAP(); WAIT_EAP_RESULT Rx:PBR && TxEAP(); WAIT_EAP_RESULT
1ST_EAP==Success && 1ST_EAP==Success && if (PBR.exist_avp
PBR.RESULT_CODE== PBR.RESULT_CODE== ("Device-Id"))
PANA_SUCCESS && PANA_SUCCESS && CARRY_DEVICE_ID=Set;
PBR.exist_avp PBR.exist_avp
("EAP-Payload"); ("EAP-Payload");
Rx:PBR && alt_reject(); WAIT_EAP_RESULT Rx:PBR && alt_reject(); WAIT_EAP_RESULT
1ST_EAP==Success && 1ST_EAP==Success && if (PBR.exist_avp
PBR.RESULT_CODE== PBR.RESULT_CODE== ("Device-Id"))
PANA_SUCCESS && PANA_SUCCESS && CARRY_DEVICE_ID=Set;
!PBR.exist_avp !PBR.exist_avp
("EAP-Payload"); ("EAP-Payload");
Rx:PBR && TxEAP(); WAIT_EAP_RESULT Rx:PBR && TxEAP(); WAIT_EAP_RESULT_
1ST_EAP==Success && 1ST_EAP==Success && CLOSE
PBR.RESULT_CODE!= PBR.RESULT_CODE!=
PANA_SUCCESS && PANA_SUCCESS &&
PBR.exist_avp PBR.exist_avp
("EAP-Payload") ("EAP-Payload")
Rx:PBR && alt_reject(); WAIT_EAP_RESULT_
Rx:PBR && alt_reject(); WAIT_EAP_RESULT 1ST_EAP==Success && CLOSE
1ST_EAP==Success &&
PBR.RESULT_CODE!= PBR.RESULT_CODE!=
PANA_SUCCESS && PANA_SUCCESS &&
!PBR.exist_avp !PBR.exist_avp
("EAP-Payload") ("EAP-Payload")
Rx:PBR && TxEAP(); WAIT_EAP_RESULT Rx:PBR && TxEAP(); WAIT_EAP_RESULT
1ST_EAP==Failure && 1ST_EAP==Failure && if (PBR.exist_avp
PBR.RESULT_CODE== PBR.RESULT_CODE== ("Device-Id"))
PANA_SUCCESS PANA_SUCCESS && CARRY_DEVICE_ID=Set;
PBR.exist_avp
("EAP-Payload");
Rx:PBR && TxEAP() WAIT_EAP_RESULT_ Rx:PBR && alt_reject(); WAIT_EAP_RESULT
1ST_EAP==Failure && if (PBR.exist_avp
PBR.RESULT_CODE== ("Device-Id"))
PANA_SUCCESS && CARRY_DEVICE_ID=Set;
!PBR.exist_avp
("EAP-Payload");
Rx:PBR && TxEAP(); WAIT_EAP_RESULT_
1ST_EAP==Failure && CLOSE 1ST_EAP==Failure && CLOSE
PBR.RESULT_CODE!= PBR.RESULT_CODE!=
PANA_SUCCESS && PANA_SUCCESS &&
PBR.exist_avp PBR.exist_avp
("EAP-Payload") ("EAP-Payload")
Rx:PBR && alt_reject() WAIT_EAP_RESULT_ Rx:PBR && alt_reject(); WAIT_EAP_RESULT_
1ST_EAP==Failure && CLOSE 1ST_EAP==Failure && CLOSE
PBR.RESULT_CODE!= PBR.RESULT_CODE!=
PANA_SUCCESS && PANA_SUCCESS &&
!PBR.exist_avp !PBR.exist_avp
("EAP-Payload") ("EAP-Payload")
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
------------------- -------------------
State: WAIT_EAP_MSG State: WAIT_EAP_MSG
------------------- -------------------
Exit Condition Exit Action Exist State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - - - - - - - - - - - - (Return PAN/PAR) - - - - - - - - - - - - - -
EAP_RESPONSE if (key_available()) WAIT_PAA EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA
eap_piggyback() PAN.insert_avp
("EAP-Payload");
if (key_available())
PAN.insert_avp("MAC");
PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag;
Tx:PAN();
EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA
!eap_piggyback() PAR.insert_avp
("EAP-Payload");
if (key_available())
PAR.insert_avp("MAC");
PAR.S_flag=PAN.S_flag;
PAR.N_flag=PAN.N_flag;
Tx:PAR();
RtxTimerStart();
EAP_RESP_TIMEOUT if (key_available()) WAIT_PAA
PAN.insert_avp("MAC"); PAN.insert_avp("MAC");
PAN.S_flag=PAR.S_flag; PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag; PAN.N_flag=PAR.N_flag;
Tx:PAN(); Tx:PAN();
EAP_INVALID_MSG || None(); WAIT_PAA EAP_INVALID_MSG || None(); WAIT_PAA
EAP_SUCCESS || EAP_SUCCESS ||
EAP_FAILURE EAP_FAILURE
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------------- ----------------------
State: WAIT_EAP_RESULT State: WAIT_EAP_RESULT
---------------------- ----------------------
Exit Condition Exit Action Exist State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - - - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - -
EAP_SUCCESS && PBA.insert_avp("MAC"); OPEN EAP_SUCCESS && PBA.insert_avp("MAC"); OPEN
PBR.exist_avp PBA.insert_avp("Key-Id"); PBR.exist_avp PBA.insert_avp("Key-Id");
("Key-Id") Tx:PBA(); ("Key-Id") && if (CARRY_DEVICE_ID)
ppac_available() PBA.insert_avp
("Device-Id");
PBA.insert_avp("PPAC");
Tx:PBA();
Authorize(); Authorize();
SessionTimerStart(); SessionTimerStart();
EAP_SUCCESS && if (key_available()) OPEN EAP_SUCCESS && if (key_available()) OPEN
!PBR.exist_avp PBA.insert_avp("MAC"); !PBR.exist_avp PBA.insert_avp("MAC");
("Key-Id") Tx:PBA(); ("Key-Id") && if (CARRY_DEVICE_ID)
ppac_avaialble() PBA.insert_avp
("Device-Id");
PBA.insert_avp("PPAC");
Tx:PBA();
SessionTimerStart(); SessionTimerStart();
Authorize(); Authorize();
EAP_FAILURE if (key_available()) OPEN EAP_SUCCESS && if (key_available()) WAIT_PEA
!ppac_available() PER.insert_avp("MAC");
PER.RESULT_CODE=
PANA_PPAC_CAPABILITY_
UNSUPPORTED
Tx:PER();
RtxTimerStart();
EAP_FAILURE if (key_available()) CLOSED
PBA.insert_avp("MAC"); PBA.insert_avp("MAC");
Tx:PBA(); Tx:PBA();
EAP_INVALID_MSG None(); WAIT_PAA EAP_INVALID_MSG None(); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------------------- ----------------------------
State: WAIT_EAP_RESULT_CLOSE State: WAIT_EAP_RESULT_CLOSE
---------------------------- ----------------------------
Exit Condition Exit Action Exist State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - - - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - -
EAP_SUCCESS && PBA.insert_avp("MAC"); CLOSED EAP_SUCCESS && PBA.insert_avp("MAC"); CLOSED
PBR.exist_avp PBA.insert_avp("Key-Id"); PBR.exist_avp PBA.insert_avp("Key-Id");
("Key-Id") Tx:PBA(); ("Key-Id") Tx:PBA();
Disconnect(); Disconnect();
EAP_SUCCESS && if (key_available()) CLOSED EAP_SUCCESS && if (key_available()) CLOSED
!PBR.exist_avp PBA.insert_avp("MAC"); !PBR.exist_avp PBA.insert_avp("MAC");
("Key-Id") Tx:PBA(); ("Key-Id") Tx:PBA();
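Review bot: the EAP_RESP_TIMEOUT row of WAIT_EAP_MSG (new column) sends a PAN unconditionally, but when !eap_piggyback() the PaC has already answered the PAR with a PAN on receipt (the WAIT_PAA row "Rx:PAR && !eap_piggyback()" ends in "Tx:PAN();"), so the timeout would transmit a second PAN for the same PAR; either guard the row with eap_piggyback() or split it so the !eap_piggyback() timeout only stops the timer. After the timeout the machine is in WAIT_PAA, which has no EAP_RESPONSE row, so a late response from the EAP layer is silently dropped; that behaviour is worth one sentence under EAP_RESP_TIMEOUT in 6.2. Separately, every Rx:PBR row with RESULT_CODE==PANA_SUCCESS and !PBR.exist_avp("EAP-Payload") runs alt_reject(), which 6.3 defines as informing the EAP peer of a failure, after which the EAP_FAILURE row of WAIT_EAP_RESULT moves to CLOSED; if a success result that carries no EAP-Success is really meant to be treated as a failure the text should say so, otherwise the EAP peer state machine of [I-D.ietf-eap-statemachine] provides altAccept for exactly this case. Typos: "PBA.insert("Device-Id")" in the Rx:PBR row that carries Key-Id should be insert_avp, "ppac_avaialble()" in WAIT_EAP_RESULT, and the "(Return PSA)" sub-headings of WAIT_EAP_RESULT and WAIT_EAP_RESULT_CLOSE label rows that send a PBA (the WAIT_EAP_MSG heading was correctly changed to "(Return PAN/PAR)" in this revision).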
skipping to change at page 24, line 12 skipping to change at page 25, line 50
EAP_FAILURE Tx:PBA(); CLOSED EAP_FAILURE Tx:PBA(); CLOSED
Disconnect(); Disconnect();
EAP_INVALID_MSG None(); WAIT_PAA EAP_INVALID_MSG None(); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------------- --------------------------
State: WAIT_1ST_EAP_RESULT State: WAIT_1ST_EAP_RESULT
-------------------------- --------------------------
Exit Condition Exit Action Exist State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - - - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - -
EAP_SUCCESS && PFEA.insert_avp("Key-Id"); WAIT_PAA EAP_SUCCESS && PFEA.insert_avp("Key-Id"); WAIT_PAA
PFER.exist_avp PFEA.S_flag=1; PFER.exist_avp PFEA.S_flag=1;
("Key-Id") PFEA.N_flag=PFER.N_flag; ("Key-Id") PFEA.N_flag=PFER.N_flag;
PFEA.insert_avp("MAC"); PFEA.insert_avp("MAC");
Tx:PFEA(); Tx:PFEA();
EAP_Restart();
(EAP_SUCCESS && if (key_available()) WAIT_PAA (EAP_SUCCESS && if (key_available()) WAIT_PAA
!PFER.exist_avp PFEA.insert_avp("MAC"); !PFER.exist_avp PFEA.insert_avp("MAC");
("Key-Id")) || PFEA.S_flag=1; ("Key-Id")) || PFEA.S_flag=1;
EAP_FAILURE PFEA.N_flag=PFER.N_flag; EAP_FAILURE PFEA.N_flag=PFER.N_flag;
Tx:PFEA(); Tx:PFEA();
EAP_Restart();
EAP_INVALID_MSG None(); WAIT_PAA EAP_INVALID_MSG EAP_Restart(); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------------------- --------------------------------
State: WAIT_1ST_EAP_RESULT_CLOSE State: WAIT_1ST_EAP_RESULT_CLOSE
-------------------------------- --------------------------------
Exit Condition Exit Action Exist State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - - - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - -
EAP_SUCCESS && PFEA.insert_avp("Key-Id"); CLOSED EAP_SUCCESS && PFEA.insert_avp("Key-Id"); CLOSED
PFER.exist_avp PFEA.S_flag=0; PFER.exist_avp PFEA.S_flag=0;
("Key-Id") PFEA.N_flag=0; ("Key-Id") PFEA.N_flag=0;
PFEA.insert_avp("MAC"); PFEA.insert_avp("MAC");
Tx:PFEA(); Tx:PFEA();
Disconnect(); Disconnect();
(EAP_SUCCESS && if (key_available()) CLOSED (EAP_SUCCESS && if (key_available()) CLOSED
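Review bot: the EAP_INVALID_MSG row of WAIT_1ST_EAP_RESULT now runs EAP_Restart() and returns to WAIT_PAA, but 1ST_EAP was already set to Success or Failure by the Rx:PFER row that led here, and every PFER row visible in WAIT_PAA requires 1ST_EAP==Unset, so a PFER retransmitted by the PAA can no longer match any row; reset 1ST_EAP=Unset next to EAP_Restart(), or add a WAIT_PAA row that accepts a PFER while 1ST_EAP is set. The "EAP_INVALID_MSG None(); WAIT_PAA" row of WAIT_1ST_EAP_RESULT_CLOSE has the same problem and does not restart EAP at all. The "(Return PSA)" sub-headings of both WAIT_1ST_EAP_RESULT states label rows that send a PFEA.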
skipping to change at page 25, line 4 skipping to change at page 26, line 45
(EAP_SUCCESS && if (key_available()) CLOSED (EAP_SUCCESS && if (key_available()) CLOSED
!PFER.exist_avp PFEA.insert_avp("MAC"); !PFER.exist_avp PFEA.insert_avp("MAC");
("Key-Id")) || PFEA.S_flag=0; ("Key-Id")) || PFEA.S_flag=0;
EAP_FAILURE PFEA.N_flag=0; EAP_FAILURE PFEA.N_flag=0;
Tx:PFEA(); Tx:PFEA();
Disconnect(); Disconnect();
EAP_INVALID_MSG None(); WAIT_PAA EAP_INVALID_MSG None(); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
----------- -----------
State: OPEN State: OPEN
----------- -----------
Exit Condition Exit Action Exist State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- (re-authentication based on PRAR-PRAA exchange initiated by PAA) - - - - - - - - - - (liveness test initiated by PAA)- - - - - -
Rx:PRAR if (key_available()) OPEN Rx:PPR if (key_available()) OPEN
PRAA.insert_avp("MAC"); PPA.insert_avp("MAC");
Tx:PRAA(); Tx:PPA();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (re-authentication based on PRAR-PRAA exchange initiated by PaC) - - - - - - - - - - (liveness test initiated by PaC)- - - - - -
FAST_REAUTH if (key_available()) WAIT_PRAA PANA_PING if (key_available()) WAIT_PPA
PRAR.insert_avp("MAC"); PPR.insert_avp("MAC");
Tx:PRAR(); Tx:PPR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - (EAP-based re-authentication initiated by PaC)- - - - - - - - - - - - - - (re-authentication initiated by PaC)- - - - - -
EAP_REAUTH PDI.insert_avp WAIT_PAA REAUTH SEPARATE=Set|Unset; WAIT_PRAA
("Session-Id");
RtxTimerStart();
1ST_EAP=Unset; 1ST_EAP=Unset;
PANA_SA_RESUMED=Unset; if (key_available())
Tx:PDI(); PRAR.insert_avp("MAC");
Tx:PRAR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -(EAP-based re-authentication initiated by PAA) - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - -
Rx:PAR SEPARATE=Set|Unset; WAIT_EAP_MSG Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG
1ST_EAP=Unset; !eap_piggyback() 1ST_EAP=Unset;
PANA_SA_RESUMED=Unset; EAP_RespTimerStart();
TxEAP();
if (key_available())
PAN.insert_avp("MAC");
PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag;
Tx:PAN();
Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG
eap_piggyback() 1ST_EAP=Unset;
EAP_RespTimerStart();
TxEAP(); TxEAP();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -(Session termination initiated by PAA) - - - - - - - - - - - - - -(Session termination initiated by PAA) - - - - - -
Rx:PTR if (key_available()) CLOSED Rx:PTR if (key_available()) CLOSED
PTA.insert_avp("MAC"); PTA.insert_avp("MAC");
Tx:PTA(); Tx:PTA();
Disconnect(); Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -(Session termination initiated by PaC) - - - - - - - - - - - - - -(Session termination initiated by PaC) - - - - - -
TERMINATE if (key_available()) SESS_TERM TERMINATE if (key_available()) SESS_TERM
PTR.insert_avp("MAC"); PTR.insert_avp("MAC");
Tx:PTR(); Tx:PTR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - -(Address update) - - - - - - - - - - - - - - - - - - - - - - - -(Address update) - - - - - - - - - - - -
UPDATE_DEVICE_ID || if (UPDATE_DEVICE_ID) WAIT_PAUA UPDATE_POPA if (key_available()) WAIT_PUA
UPDATE_POPA PAUR.insert_avp PUR.insert_avp("MAC");
("Device-Id"); PUR.insert_avp("IP-Address");
Tx:PUR();
if (UPDATE_POPA)
PAUR.insert_avp
("IP-Address");
if (key_available())
PAUR.insert_avp("MAC");
Tx:PAUR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - -(Notification update)- - - - - - - - - - -
Rx:PUR && Tx:PUA(); OPEN
! PUR.exist_avp
("IP-Address")
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------- ----------------
State: WAIT_PRAA State: WAIT_PRAA
---------------- ----------------
Exit Condition Exit Action Exist State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- (re-authentication based on PRAR-PRAA exchange initiated by PAA) - - - - - - - - -(re-authentication initiated by PaC) - - - - -
Rx:PRAA None(); OPEN Rx:PRAA RtxTimerStop(); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------- ---------------
State: WAIT_PAUA State: WAIT_PPA
---------------- ---------------
Exit Condition Exit Action Exist State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - (PAUA processing) - - - - - - - - - - - - - - - - - - -(liveness test initiated by PAA) - - - - - - -
Rx:PAUA RtxTimerStop(); OPEN Rx:PPA RtxTimerStop(); OPEN
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------
State: WAIT_PUA
---------------
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - (PUA processing)- - - - - - - - - - -
Rx:PUA RtxTimerStop(); OPEN
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------- ----------------
State: SESS_TERM State: SESS_TERM
---------------- ----------------
Exit Condition Exit Action Exist State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - -(Session termination initiated by PaC) - - - - - - - - - - - - -(Session termination initiated by PaC) - - - - -
Rx:PTA Disconnect(); CLOSED Rx:PTA Disconnect(); CLOSED
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------
State: WAIT_PEA
---------------
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - -(PEA processing) - - - - - - - - - -
Rx:PEA RtxTimerStop(); CLOSED
Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7. PAA State Machine 7. PAA State Machine
7.1 Interface between PAA and EAP Authenticator 7.1 Interface between PAA and EAP Authenticator
The interface between a PAA and an EAP authenticator provides a The interface between a PAA and an EAP authenticator provides a
mechanism to deliver EAP messages for the EAP authenticator as well mechanism to deliver EAP messages for the EAP authenticator as well
as a mechanism to notify the EAP authenticator of PAA events and to as a mechanism to notify the EAP authenticator of PAA events and to
receive notification of EAP authenticator events. These message receive notification of EAP authenticator events. These message
delivery and event notification mechanisms occur only within context delivery and event notification mechanisms occur only within context
of their associated states or exit actions. of their associated states or exit actions.
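Review bot: the new "(Notification update)" row in OPEN, "Rx:PUR && !PUR.exist_avp("IP-Address") Tx:PUA(); OPEN", is the only answer in this state sent without "if (key_available()) PUA.insert_avp("MAC");"; PPA, PTA and the PaC's own PUR all carry a MAC when a key is available, so a PAA-originated PUR without an IP-Address AVP would be acknowledged unauthenticated, and the MAC insertion should be added. Also, both Rx:PAR re-authentication rows in OPEN set 1ST_EAP=Unset and call TxEAP() without EAP_Restart(), while the OFFLINE Rx:PSR row and the WAIT_1ST_EAP_RESULT rows restart the EAP peer before a new conversation, and the PaC-initiated path (REAUTH to WAIT_PRAA, then "Rx:PRAA RtxTimerStop(); WAIT_PAA") never restarts it either; if the first TxEAP() of a re-authentication is expected to restart the peer, state that in the PaC/EAP-peer interface section. The 7.1.3 correction of "delivered ... to the PaC" to "to the PAA" is right.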
skipping to change at page 27, line 40 skipping to change at page 30, line 40
EAP authenticator. This procedure is enabled only after an EAP EAP authenticator. This procedure is enabled only after an EAP
restart event is notified to the EAP authenticator. In the case restart event is notified to the EAP authenticator. In the case
where the EAP authenticator follows the EAP authenticator state where the EAP authenticator follows the EAP authenticator state
machines defined in [I-D.ietf-eap-statemachine], TxEAP() procedure machines defined in [I-D.ietf-eap-statemachine], TxEAP() procedure
sets eapResp variable of the EAP authenticator state machine and puts sets eapResp variable of the EAP authenticator state machine and puts
the EAP response in eapRespData variable of the EAP authenticator the EAP response in eapRespData variable of the EAP authenticator
state machine. state machine.
7.1.3 Delivering EAP Messages from EAP Authenticator to PAA 7.1.3 Delivering EAP Messages from EAP Authenticator to PAA
An EAP request is delivered from the EAP authenticator to the PaC via An EAP request is delivered from the EAP authenticator to the PAA via
EAP_REQUEST event variable. The event variable is set when the EAP EAP_REQUEST event variable. The event variable is set when the EAP
authenticator passes the EAP request to its lower-layer. In the case authenticator passes the EAP request to its lower-layer. In the case
where the EAP authenticator follows the EAP authenticator state where the EAP authenticator follows the EAP authenticator state
machines defined in [I-D.ietf-eap-statemachine], EAP_REQUEST event machines defined in [I-D.ietf-eap-statemachine], EAP_REQUEST event
variable refers to eapReq variable of the EAP authenticator state variable refers to eapReq variable of the EAP authenticator state
machine and the EAP request is contained in eapReqData variable of machine and the EAP request is contained in eapReqData variable of
the EAP authenticator state machine. the EAP authenticator state machine.
7.1.4 EAP Authentication Result Notification from EAP Authenticator to 7.1.4 EAP Authentication Result Notification from EAP Authenticator to
PAA PAA
skipping to change at page 28, line 27 skipping to change at page 31, line 27
eapReqData variable of the EAP authenticator state machine. The PAA eapReqData variable of the EAP authenticator state machine. The PAA
uses EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables as a uses EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables as a
trigger to send a PBR or a PFER message to the PaC. trigger to send a PBR or a PFER message to the PaC.
7.2 Variables

   [Where draft -00 and draft -01 differ, the -01 text is given and
   the -00 text is noted in brackets; items present in only one
   version are marked "-00 only" or "-01 only".]

USE_COOKIE
   This variable indicates whether the PAA uses Cookie.

EAP_PIGGYBACK                                  [-00: PIGGYBACK]
   This variable indicates whether the PAA is able to piggyback an
   EAP-Request in PANA-Start-Request.

SEPARATE
   This variable indicates whether the PAA provides NAP/ISP separate
   authentication.

1ST_EAP
   This variable indicates whether the 1st EAP authentication is a
   success, a failure, or not yet completed.

MOBILITY                                       [-00 only]
   This variable indicates whether the mobility handling feature
   described in Section 4.9 of [I-D.ietf-pana-pana] is supported.

PSA.SESSION_ID
   This variable contains the Session-Id AVP value in the
   PANA-Start-Answer message in process.

CARRY_LIFETIME
   This variable indicates whether a Session-Lifetime AVP is carried
   in the PANA-Bind-Request message.

PROTECTION_CAP_IN_PSR
   This variable indicates whether a Protection-Capability AVP is
   carried in a PANA-Start-Request message.
   [-00: PROTECTION_CAP: this variable indicates whether a
   Protection-Capability AVP is carried in the PANA-Bind-Request
   message.]

PROTECTION_CAP_IN_PBR                          [-01 only]
   This variable indicates whether a Protection-Capability AVP is
   carried in a PANA-Bind-Request message.

CARRY_EP_DEVICE_ID                             [-00 only]
   This variable indicates whether an EP-Device-Id AVP is carried in
   the PANA-Bind-Request message.

CARRY_NAP_INFO
   This variable indicates whether a NAP-Information AVP is carried
   in the PANA-Start-Request message.

CARRY_ISP_INFO
   This variable indicates whether an ISP-Information AVP is carried
   in the PANA-Start-Request message.

[skipping to change at page 29, line 44 (-00) / page 32, line 39 (-01)]

   This variable indicates whether a NAP authentication is being
   performed or not.

CARRY_PPAC
   This variable indicates whether a Post-PANA-Address-Configuration
   AVP is carried in the PANA-Start-Request message.

PAC_FOUND
   This variable is set to TRUE when the EP notifies the PAA of the
   presence of a new PaC, either through traffic-driven PAA discovery
   or through a link-up event notification.
   [-00: This event variable is set to TRUE when the presence of a
   new PaC is reported by the EP.]

FAST_REAUTH                                    [-00 only]
   This event variable is set to TRUE when initiation of
   re-authentication based on the PRAR-PRAA exchange is triggered.

TERMINATE                                      [-00 only]
   This event variable is set to TRUE when initiation of PANA session
   termination is triggered.

EAP_SUCCESS
   This event variable is set to TRUE when the EAP conversation
   completes with success. This event accompanies an EAP-Success
   message passed from the EAP authenticator.

EAP_FAILURE
   This event variable is set to TRUE when the EAP conversation
   completes with failure. This event accompanies an EAP-Failure
   message passed from the EAP authenticator.

EAP_REQUEST
   This event variable is set to TRUE when the EAP authenticator
   delivers an EAP Request to the PAA. This event accompanies an
   EAP-Request message received from the EAP authenticator.

EAP_TIMEOUT
   This event variable is set to TRUE when the EAP conversation times
   out without generating an EAP-Success or an EAP-Failure message.
   This event does not accompany any EAP message.
7.3 Procedures

boolean retrieve_pana_sa(Session-Id)           [-00 only]
   This procedure returns TRUE when a PANA SA for the PANA session
   corresponding to the specified Session-Id has been retrieved, and
   FALSE otherwise.

boolean new_key_available()
   A procedure to check whether the PANA session has a new
   PANA_MAC_KEY. If the state machine already has a PANA_MAC_KEY, it
   returns FALSE. If the state machine does not have a PANA_MAC_KEY,
   it tries to retrieve an AAA-Key from the EAP entity. If an AAA-Key
   has been retrieved, it computes a PANA_MAC_KEY from the AAA-Key
   and returns TRUE. Otherwise, it returns FALSE.
7.4 PAA State Transition Table

------------------------------
State: OFFLINE (Initial State)
------------------------------

Initialization Action:

   USE_COOKIE=Set|Unset;
   EAP_PIGGYBACK=Set|Unset;                 [-00: PIGGYBACK=Set|Unset;]
   SEPARATE=Set|Unset;
   if (EAP_PIGGYBACK==Set)                  [-00: if (PIGGYBACK==Set)]
     SEPARATE=Unset;
   MOBILITY=Set|Unset;                      [-00 only]
   1ST_EAP=Unset;
   ABORT_ON_1ST_EAP_FAILURE=Set|Unset;
   PROTECTION_CAP_IN_PSR=Set|Unset;         [-00: PROTECTION_CAP=Set|Unset;]
   PROTECTION_CAP_IN_PBR=Set|Unset;         [-01 only]
   if (PROTECTION_CAP_IN_PBR==Unset)        [-01 only]
     PROTECTION_CAP_IN_PSR=Unset;
   CARRY_LIFETIME=Set|Unset;
   CARRY_DEVICE_ID=Set|Unset;               [-00: CARRY_EP_DEVICE_ID=Set|Unset;]
   CARRY_NAP_INFO=Set|Unset;
   CARRY_ISP_INFO=Set|Unset;
   CARRY_PPAC=Set|Unset;
   NAP_AUTH=Unset;
   RTX_COUNTER=0;
   RtxTimerStop();

- - - - - - - - - - - - - (Stateful discovery)- - - - - - - - -

Exit Condition: (Rx:PDI || PAC_FOUND) && USE_COOKIE==Unset &&
                EAP_PIGGYBACK==Set                     [-00: PIGGYBACK==Set]
Exit Action:    EAP_Restart();
Exit State:     WAIT_EAP_MSG_IN_DISC

Exit Condition: (Rx:PDI || PAC_FOUND) && USE_COOKIE==Unset &&
                EAP_PIGGYBACK==Unset                   [-00: PIGGYBACK==Unset]
Exit Action:    if (SEPARATE==Set)
                  PSR.S_flag=1;
                if (CARRY_NAP_INFO==Set)
                  PSR.insert_avp("NAP-Information");
                if (CARRY_ISP_INFO==Set)
                  PSR.insert_avp("ISP-Information");
                if (CARRY_PPAC==Set)
                  PSR.insert_avp("Post-PANA-Address-Configuration");
                if (PROTECTION_CAP_IN_PSR==Set)        [-01 only]
                  PSR.insert_avp("Protection-Cap.");
                Tx:PSR();
                RtxTimerStart();
Exit State:     STATEFUL_DISC

- - - - - - - - - - - - - (Stateless discovery) - - - - - - - -

Exit Condition: (Rx:PDI || PAC_FOUND) && USE_COOKIE==Set
Exit Action:    if (SEPARATE==Set)
                  PSR.S_flag=1;
                PSR.insert_avp("Cookie");
                if (CARRY_NAP_INFO==Set)
                  PSR.insert_avp("NAP-Information");
                if (CARRY_ISP_INFO==Set)
                  PSR.insert_avp("ISP-Information");
                if (CARRY_PPAC==Set)
                  PSR.insert_avp("Post-PANA-Address-Configuration");
                if (PROTECTION_CAP_IN_PSR==Set)        [-01 only]
                  PSR.insert_avp("Protection-Cap.");
                Tx:PSR();
Exit State:     OFFLINE

- - - - - - - - - - - - - - (PSA processing) - - - - - - - - - -
                [-00: (PSA processing without mobility support)]

Exit Condition: Rx:PSA && USE_COOKIE==Set
                [-00 adds: && (!PSA.exist_avp("Session-Id") ||
                 !PSA.exist_avp("Nonce") || MOBILITY==Unset ||
                 (MOBILITY==Set && !retrieve_pana_sa(PSA.SESSION_ID)))]
Exit Action:    if (SEPARATE==Set && PSA.S_flag==0)
                  SEPARATE=Unset;
                NAP_AUTH=Set|Unset;                    [-01 only]
                EAP_Restart();
Exit State:     WAIT_EAP_MSG

- - - - - - - - (PSA processing with mobility support)- - - - -
                                                       [-00 only]
Exit Condition: Rx:PSA && USE_COOKIE==Set &&
                PSA.exist_avp("Session-Id") && PSA.exist_avp("Nonce") &&
                MOBILITY==Set && retrieve_pana_sa(PSA.SESSION_ID)
Exit Action:    PBR.insert_avp("MAC");
                PBR.insert_avp("Nonce");
                PBR.insert_avp("Key-Id");
                if (CARRY_EP_DEVICE_ID==Set)
                  PBR.insert_avp("EP-Device-Id");
                if (PROTECTION_CAP==Set)
                  PBR.insert_avp("Protection-Cap.");
                PBR.insert_avp("MAC");
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_SUCC_PBA

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------------------
State: WAIT_EAP_MSG_IN_DISC
---------------------------

- - - - - - - - - - - (Send PSR with EAP-Request) - - - - - - -

Exit Condition: EAP_REQUEST
Exit Action:    PSR.insert_avp("EAP-Payload");
                if (CARRY_NAP_INFO==Set)
                  PSR.insert_avp("NAP-Information");
                if (CARRY_ISP_INFO==Set)
                  PSR.insert_avp("ISP-Information");
                [skipping to change at page 33, line 29 (-00) / page 35, line 46 (-01)]
                  ("Post-PANA-Address-Configuration");
                Tx:PSR();
                RtxTimerStart();
Exit State:     STATEFUL_DISC

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--------------------
State: STATEFUL_DISC
--------------------

- - - - - - - - - - - - - (Stateful discovery)- - - - - - - - -

Exit Condition: Rx:PSA
Exit Action:    if (SEPARATE==Set && PSA.S_flag==0)
                  SEPARATE=Unset;
                if (PSA.exist_avp("EAP-Payload"))
                  TxEAP();
                else {
                  if (SEPARATE==Set)
                    NAP_AUTH=Set|Unset;
                  EAP_Restart();
                }
Exit State:     WAIT_EAP_MSG

   [-00 version of this transition:
    Exit Action:    if (SEPARATE==Set && PSA.S_flag==0)
                      SEPARATE=Unset;
                    if (SEPARATE==Set) {
                      PAR.S_flag=1;
                      NAP_AUTH=Set|Unset;
                      if (NAP_AUTH==Set)
                        PAR.N_flag=1;
                    }
                    Tx:PAR();
    Exit State:     WAIT_PAN]

Exit Condition: EAP_TIMEOUT
Exit Action:    if (key_available())
                  PER.insert_avp("MAC");
                Tx:PER();
                RtxTimerStart();
Exit State:     WAIT_PEA

   [-00 version of this transition:
    Exit Action:    Tx:PER();
                    Disconnect();
    Exit State:     CLOSED]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------
State: WAIT_EAP_MSG
-------------------

- - - - - - - - - - - -(Receiving EAP-Request)- - - - - - - - -

Exit Condition: EAP_REQUEST
Exit Action:    if (key_available())
                  PAR.insert_avp("MAC");
                if (SEPARATE==Set) {
                  PAR.S_flag=1;
                  if (NAP_AUTH==Set)
                    PAR.N_flag=1;
                }
                Tx:PAR();
                RtxTimerStart();                       [-01 only]
Exit State:     WAIT_PAN_OR_PAR                        [-00: WAIT_PAN]

Exit Condition: EAP_TIMEOUT                            [-00 only]
Exit Action:    Tx:PER();
                Disconnect();
Exit State:     CLOSED

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -(Receiving EAP-Success/Failure, single EAP)- - - -
             [-00: (Receiving EAP-Success/Failure for 1st EAP)]

Exit Condition: EAP_FAILURE && 1ST_EAP==Unset && SEPARATE==Unset
Exit Action:    1ST_EAP=Failure;                       [-00 only]
                PBR.insert_avp("EAP-Payload");
                if (key_available())
                  PBR.insert_avp("MAC");
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_FAIL_PBA

Exit Condition: EAP_SUCCESS && 1ST_EAP==Unset && SEPARATE==Unset &&
                Authorize()
Exit Action:    1ST_EAP=Success;                       [-00 only]
                PBR.insert_avp("EAP-Payload");
                if (CARRY_DEVICE_ID==Set)              [-00: CARRY_EP_DEVICE_ID]
                  PBR.insert_avp("Device-Id");         [-00: "EP-Device-Id"]
                if (CARRY_LIFETIME==Set)
                  PBR.insert_avp("Session-Lifetime");
                if (PROTECTION_CAP_IN_PBR==Set)        [-00: PROTECTION_CAP]
                  PBR.insert_avp("Protection-Cap.");
                if (new_key_available())
                  PBR.insert_avp("Key-Id");
                if (key_available())
                  PBR.insert_avp("MAC");
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_SUCC_PBA

Exit Condition: EAP_SUCCESS && 1ST_EAP==Unset && SEPARATE==Unset &&
                !Authorize()
Exit Action:    1ST_EAP=Success;                       [-00 only]
                PBR.insert_avp("EAP-Payload");
                if (new_key_available())
                  PBR.insert_avp("Key-Id");
                if (key_available())
                  PBR.insert_avp("MAC");
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_FAIL_PBA

Exit Condition: EAP_TIMEOUT && 1ST_EAP==Unset && SEPARATE==Unset
Exit Action:    if (key_available())
                  PER.insert_avp("MAC");
                Tx:PER();
                RtxTimerStart();
Exit State:     WAIT_PEA

   [-00 version of this transition:
    Exit Action:    1ST_EAP=Failure;
                    if (key_available())
                      PBR.insert_avp("MAC");
                    Tx:PBR();
                    RtxTimerStart();
    Exit State:     WAIT_FAIL_PBA]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -(Receiving EAP-Success/Failure for 1st EAP)- - - -

Exit Condition: EAP_FAILURE && 1ST_EAP==Unset && SEPARATE==Set &&
                ABORT_ON_1ST_EAP_FAILURE==Unset
Exit Action:    1ST_EAP=Failure;
                PFER.insert_avp("EAP-Payload");        [-00: PBR.insert_avp]
                if (key_available())
                  PFER.insert_avp("MAC");
                PFER.S_flag=1;
                if (NAP_AUTH)
                  PFER.N_flag=1;
                Tx:PFER();
                RtxTimerStart();
Exit State:     WAIT_PFEA

Exit Condition: EAP_FAILURE && 1ST_EAP==Unset && ...
                [skipping to change at page 35, line 46 (-00) / page 38, line 21 (-01)]
Exit Action:    1ST_EAP=Failure;
                ...
                  PFER.insert_avp("Key-Id");
                if (key_available())
                  PFER.insert_avp("MAC");
                PFER.S_flag=1;
                if (NAP_AUTH)
                  PFER.N_flag=1;
                Tx:PFER();
                RtxTimerStart();
Exit State:     WAIT_FAIL_PFEA

Exit Condition: EAP_TIMEOUT && 1ST_EAP==Unset && SEPARATE==Set &&
                ABORT_ON_1ST_EAP_FAILURE==Unset
Exit Action:    1ST_EAP=Failure;
                if (key_available())
                  PFER.insert_avp("MAC");
                PFER.S_flag=1;
                if (NAP_AUTH)
                  PFER.N_flag=1;
                Tx:PFER();
                RtxTimerStart();
Exit State:     WAIT_PFEA

Exit Condition: EAP_TIMEOUT && 1ST_EAP==Unset && SEPARATE==Set &&
                ABORT_ON_1ST_EAP_FAILURE==Set
Exit Action:    1ST_EAP=Failure;
                if (key_available())
                  PFER.insert_avp("MAC");
                SEPARATE=Unset;
                PFER.S_flag=0;
                Tx:PFER();
                RtxTimerStart();
Exit State:     WAIT_FAIL_PFEA

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -(Receiving EAP-Success/Failure for 2nd EAP)- - - -
   [-00: the conditions in this section carry no SEPARATE==Set term
    and the S flag is set conditionally, "if (SEPARATE) PBR.S_flag=1;"]

Exit Condition: EAP_FAILURE && 1ST_EAP==Failure && SEPARATE==Set
Exit Action:    PBR.insert_avp("EAP-Payload");
                if (key_available())
                  PBR.insert_avp("MAC");
                PBR.S_flag=1;
                if (NAP_AUTH)
                  PBR.N_flag=1;
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_FAIL_PBA

Exit Condition: EAP_FAILURE && 1ST_EAP==Success && SEPARATE==Set &&
                Authorize()
Exit Action:    PBR.insert_avp("EAP-Payload");
                if (CARRY_DEVICE_ID==Set)
                  PBR.insert_avp("Device-Id");
                if (CARRY_LIFETIME==Set)
                  PBR.insert_avp("Session-Lifetime");
                if (PROTECTION_CAP_IN_PBR==Set)
                  PBR.insert_avp("Protection-Cap.");
                if (new_key_available())
                  PBR.insert_avp("Key-Id");
                if (key_available())
                  PBR.insert_avp("MAC");
                PBR.S_flag=1;
                if (NAP_AUTH)
                  PBR.N_flag=1;
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_SUCC_PBA
   [-00 Exit Action: PBR.insert_avp("EAP-Payload"); if (key_available())
    PBR.insert_avp("MAC"); if (SEPARATE) PBR.S_flag=1; if (NAP_AUTH)
    PBR.N_flag=1; Tx:PBR(); RtxTimerStart();]

Exit Condition: EAP_FAILURE && 1ST_EAP==Success && SEPARATE==Set &&
                !Authorize()
Exit Action:    PBR.insert_avp("EAP-Payload");
                if (key_available())
                  PBR.insert_avp("MAC");
                PBR.S_flag=1;
                if (NAP_AUTH)
                  PBR.N_flag=1;
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_FAIL_PBA

Exit Condition: EAP_SUCCESS && 1ST_EAP==Success && SEPARATE==Set &&
                Authorize()
Exit Action:    PBR.insert_avp("EAP-Payload");
                if (CARRY_DEVICE_ID==Set)
                  PBR.insert_avp("Device-Id");
                if (CARRY_LIFETIME==Set)
                  PBR.insert_avp("Session-Lifetime");
                if (PROTECTION_CAP_IN_PBR==Set)
                  PBR.insert_avp("Protection-Cap.");
                if (new_key_available())
                  PBR.insert_avp("Key-Id");
                if (key_available())
                  PBR.insert_avp("MAC");
                PBR.S_flag=1;
                if (NAP_AUTH)
                  PBR.N_flag=1;
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_SUCC_PBA
   [-00 Exit Action: PBR.insert_avp("EAP-Payload");
    if (CARRY_EP_DEVICE_ID==Set) PBR.insert_avp("EP-Device-Id");
    if (PROTECTION_CAP==Set) PBR.insert_avp("Protection-Cap.");
    if (new_key_available()) PBR.insert_avp("Key-Id");
    if (key_available()) PBR.insert_avp("MAC"); if (SEPARATE) PBR.S_flag=1;
    if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart();]

Exit Condition: EAP_SUCCESS && 1ST_EAP==Success && SEPARATE==Set &&
                !Authorize()
Exit Action:    PBR.insert_avp("EAP-Payload");
                if (new_key_available())
                  PBR.insert_avp("Key-Id");
                if (key_available())
                  PBR.insert_avp("MAC");
                PBR.S_flag=1;
                if (NAP_AUTH)
                  PBR.N_flag=1;
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_FAIL_PBA

Exit Condition: EAP_SUCCESS && 1ST_EAP==Failure && SEPARATE==Set &&
                Authorize()                            [-01 only]
Exit Action:    PBR.insert_avp("EAP-Payload");
                if (CARRY_DEVICE_ID==Set)
                  PBR.insert_avp("Device-Id");
                if (CARRY_LIFETIME==Set)
                  PBR.insert_avp("Session-Lifetime");
                if (PROTECTION_CAP_IN_PBR==Set)
                  PBR.insert_avp("Protection-Cap.");
                if (new_key_available())
                  PBR.insert_avp("Key-Id");
                if (key_available())
                  PBR.insert_avp("MAC");
                PBR.S_flag=1;
                if (NAP_AUTH)
                  PBR.N_flag=1;
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_SUCC_PBA

Exit Condition: EAP_SUCCESS && 1ST_EAP==Failure && SEPARATE==Set &&
                !Authorize()                           [-01 only]
Exit Action:    PBR.insert_avp("EAP-Payload");
                if (key_available())
                  PBR.insert_avp("MAC");
                PBR.S_flag=1;
                if (NAP_AUTH)
                  PBR.N_flag=1;
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_FAIL_PBA

Exit Condition: EAP_TIMEOUT && 1ST_EAP==Failure && SEPARATE==Set
Exit Action:    if (key_available())
                  PBR.insert_avp("MAC");
                PBR.S_flag=1;
                if (NAP_AUTH)
                  PBR.N_flag=1;
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_FAIL_PBA

Exit Condition: EAP_TIMEOUT && 1ST_EAP==Success && SEPARATE==Set &&
                Authorize()
Exit Action:    if (CARRY_DEVICE_ID==Set)
                  PBR.insert_avp("Device-Id");
                if (CARRY_LIFETIME==Set)
                  PBR.insert_avp("Session-Lifetime");
                if (PROTECTION_CAP_IN_PBR==Set)
                  PBR.insert_avp("Protection-Cap.");
                if (new_key_available())
                  PBR.insert_avp("Key-Id");
                if (key_available())
                  PBR.insert_avp("MAC");
                PBR.S_flag=1;
                if (NAP_AUTH)
                  PBR.N_flag=1;
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_SUCC_PBA
   [-00 Exit Action: if (key_available()) PBR.insert_avp("MAC");
    if (SEPARATE) PBR.S_flag=1; if (NAP_AUTH) PBR.N_flag=1; Tx:PBR();
    RtxTimerStart();]

Exit Condition: EAP_TIMEOUT && 1ST_EAP==Success && SEPARATE==Set &&
                !Authorize()
Exit Action:    if (key_available())
                  PBR.insert_avp("MAC");
                PBR.S_flag=1;
                if (NAP_AUTH)
                  PBR.N_flag=1;
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_FAIL_PBA

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
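The OFFLINE discovery transitions and the single-EAP (SEPARATE==Unset) result handling of WAIT_EAP_MSG in the -01 text, as an added Python model; it is not code from the draft or the working group. The Msg and PAA classes, the on_discovery/on_eap_result method names and the HMAC-based PANA_MAC_KEY placeholder in new_key_available() are assumptions of this example, not the draft's key derivation.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Msg:
    kind: str                                  # "PSR", "PBR", "PER", ...
    avps: List[str] = field(default_factory=list)
    S_flag: int = 0

    def insert_avp(self, name: str) -> None:
        self.avps.append(name)


@dataclass
class PAA:
    # Variables chosen in the OFFLINE initialization action (Set -> True).
    USE_COOKIE: bool = False
    EAP_PIGGYBACK: bool = False
    SEPARATE: bool = False
    CARRY_LIFETIME: bool = True
    PROTECTION_CAP_IN_PSR: bool = False
    PROTECTION_CAP_IN_PBR: bool = False
    CARRY_NAP_INFO: bool = False
    CARRY_PPAC: bool = False
    # Per-session state.
    state: str = "OFFLINE"
    aaa_key: Optional[bytes] = None      # AAA-Key the EAP entity hands over
    pana_mac_key: Optional[bytes] = None
    rtx_timer_running: bool = False
    sent: List[Msg] = field(default_factory=list)

    def __post_init__(self) -> None:
        # -01 rules: piggybacking excludes separate NAP/ISP authentication;
        # Protection-Capability goes in PSR only if it is also sent in PBR.
        if self.EAP_PIGGYBACK:
            self.SEPARATE = False
        if not self.PROTECTION_CAP_IN_PBR:
            self.PROTECTION_CAP_IN_PSR = False

    def key_available(self) -> bool:
        return self.pana_mac_key is not None

    def new_key_available(self) -> bool:
        # TRUE only the first time a PANA_MAC_KEY is derived from the AAA-Key.
        if self.pana_mac_key is not None or self.aaa_key is None:
            return False
        # Placeholder derivation (hypothetical; not the draft's formula).
        self.pana_mac_key = hmac.new(self.aaa_key, b"PANA_MAC_KEY",
                                     hashlib.sha256).digest()
        return True

    def _tx(self, msg: Msg, start_rtx: bool) -> None:
        self.sent.append(msg)
        self.rtx_timer_running = start_rtx

    def on_discovery(self) -> Optional[Msg]:
        """OFFLINE: Rx:PDI || PAC_FOUND. Returns the PSR sent, if any."""
        if not self.USE_COOKIE and self.EAP_PIGGYBACK:
            self.state = "WAIT_EAP_MSG_IN_DISC"   # EAP_Restart(); PSR waits
            return None
        psr = Msg("PSR")
        if self.SEPARATE:
            psr.S_flag = 1
        if self.USE_COOKIE:
            psr.insert_avp("Cookie")
        for carry, avp in ((self.CARRY_NAP_INFO, "NAP-Information"),
                           (self.CARRY_PPAC, "Post-PANA-Address-Configuration"),
                           (self.PROTECTION_CAP_IN_PSR, "Protection-Capability")):
            if carry:
                psr.insert_avp(avp)
        # Stateless (cookie) discovery keeps no state and starts no timer.
        self._tx(psr, start_rtx=not self.USE_COOKIE)
        self.state = "OFFLINE" if self.USE_COOKIE else "STATEFUL_DISC"
        return psr

    def on_eap_result(self, event: str, authorize: bool) -> Msg:
        # WAIT_EAP_MSG with SEPARATE==Unset and 1ST_EAP==Unset.
        if event == "EAP_TIMEOUT":
            per = Msg("PER")
            if self.key_available():
                per.insert_avp("MAC")
            self._tx(per, start_rtx=True)
            self.state = "WAIT_PEA"
            return per
        success = event == "EAP_SUCCESS"
        pbr = Msg("PBR")
        pbr.insert_avp("EAP-Payload")
        if success and authorize:
            if self.CARRY_LIFETIME:
                pbr.insert_avp("Session-Lifetime")
            if self.PROTECTION_CAP_IN_PBR:
                pbr.insert_avp("Protection-Capability")
        if success and self.new_key_available():
            pbr.insert_avp("Key-Id")      # Key-Id only when a key was just derived
        if self.key_available():
            pbr.insert_avp("MAC")
        self._tx(pbr, start_rtx=True)
        self.state = "WAIT_SUCC_PBA" if success and authorize else "WAIT_FAIL_PBA"
        return pbr
```

A PBR sent on EAP failure carries a MAC only if a PANA_MAC_KEY already existed, because new_key_available() is consulted only on success.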
----------------
State: WAIT_PFEA
----------------

- - - - - - - - - - - -(PFEA Processing)- - - - - - - - - - - -

Event/Condition: Rx:PFEA && (1ST_EAP==Success ||
                 (PFEA.S_flag==1 && 1ST_EAP==Failure))
Action:          RtxTimerStop();
                 EAP_Restart();
                 if (NAP_AUTH==Set)
                   NAP_AUTH=Unset;
                 else
                   NAP_AUTH=Set;
Exit State:      WAIT_EAP_MSG

   [-00 version of this transition:
    Event/Condition: Rx:PFEA && PFEA.S_flag==1
    Action:          if (key_available())
                       PAR.insert_avp("MAC");
                     if (NAP_AUTH==Set) {
                       NAP_AUTH=Unset;
                       PAR.N_flag=0;
                     } else {
                       NAP_AUTH=Set;
                       PAR.N_flag=1;
                     };
                     EAP_Restart();
    Exit State:      WAIT_EAP_MSG]

Event/Condition: Rx:PFEA && PFEA.S_flag==0 && 1ST_EAP==Failure
                 [-00: Rx:PFEA && PFEA.S_flag==0]
Action:          RtxTimerStop();
                 Disconnect();
Exit State:      CLOSED

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

---------------------
State: WAIT_FAIL_PFEA
---------------------

- - - - - - - - - - - - - -(PFEA Processing)- - - - - - - - - -

Event/Condition: Rx:PFEA
Action:          RtxTimerStop();
                 Disconnect();
Exit State:      CLOSED

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

--------------------
State: WAIT_SUCC_PBA
--------------------

- - - - - - - - - - - - - (PBA Processing)- - - - - - - - - - -

Event/Condition: Rx:PBA
Action:          SessionTimerStart();
                 Authorize();             [present in only one of -00/-01]
Exit State:      OPEN

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

--------------------
State: WAIT_FAIL_PBA
--------------------

- - - - - - - - - - - - - - (PBA Processing)- - - - - - - - - -

Exit Condition: Rx:PBA
Exit Action:    RtxTimerStop();
                Disconnect();
Exit State:     CLOSED

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-----------
State: OPEN
-----------

- - - - - - - - (re-authentication initiated by PaC) - - - - - -
                                                       [-01]
Event/Condition: Rx:PRAR
Action:          if (key_available())
                   PRAA.insert_avp("MAC");
                 EAP_Restart();
                 1ST_EAP=Unset;
                 NAP_AUTH=Set|Unset;
                 Tx:PRAA();
Exit State:      WAIT_EAP_MSG

- - - - - - - - - - (EAP-based re-authentication) - - - - - - -
                                                       [-00]
Event/Condition: EAP_REAUTH ||
                 (Rx:PDI && PDI.exist_avp("Session-Id"))
Action:          if (key_available())
                   PAR.insert_avp("MAC");
                 EAP_Restart();
                 1ST_EAP=Unset;
                 NAP_AUTH=Set|Unset;
Exit State:      WAIT_EAP_MSG

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (re-authentication initiated by PAA)- - - - - -
                                                       [-01]
Event/Condition: REAUTH
Action:          EAP_Restart();
                 1ST_EAP=Unset;
                 NAP_AUTH=Set|Unset;
Exit State:      WAIT_EAP_MSG

- (re-authentication based on PRAR-PRAA exchange initiated by PAA) -
                                                       [-00]
Event/Condition: FAST_REAUTH
Action:          Tx:PRAR();
                 RtxTimerStart();
Exit State:      WAIT_PRAA

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - (liveness test based on PPR-PPA exchange initiated by PAA)-
                                                       [-01 only]
Event/Condition: PANA_PING
Action:          Tx:PPR();
                 RtxTimerStart();
Exit State:      WAIT_PPA

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - (liveness test based on PPR-PPA exchange initiated by PaC)-
                                                       [-01 only]
Event/Condition: Rx:PPR
Action:          if (key_available())
                   PPA.insert_avp("MAC");
                 Tx:PPA();
Exit State:      OPEN

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (Session termination initiated from PAA) - - - -

Event/Condition: TERMINATE
Action:          if (key_available())
                   PTR.insert_avp("MAC");
                 Tx:PTR();
                 RtxTimerStart();
Exit State:      SESS_TERM

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (Session termination initiated from PaC) - - - -

Event/Condition: Rx:PTR
Action:          if (key_available())
                   PTA.insert_avp("MAC");
                 Tx:PTA();
                 Disconnect();
Exit State:      CLOSED

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - -(Address update) - - - - - - - - - - -

Event/Condition: Rx:PUR && PUR.exist_avp("IP-Address") &&
                 Authorize()
                 [-00: Rx:PAUR && Authorize()]
Action:          Tx:PUA();                             [-00: Tx:PAUA();]
Exit State:      OPEN

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - -(Notification update)- - - - - - - - - - -
                                                       [-01 only]
Event/Condition: Rx:PUR && !PUR.exist_avp("IP-Address")
Action:          Tx:PUA();
Exit State:      OPEN

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------
State: WAIT_PPA                                        [-00: WAIT_PRAA]
---------------

- - - - - - - - - - - - - -(PPA processing) - - - - - - - - - -
                                                       [-00: (PRAA processing)]
Exit Condition: Rx:PPA                                 [-00: Rx:PRAA]
Exit Action:    RtxTimerStop();
Exit State:     OPEN

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
----------------------
State: WAIT_PAN_OR_PAR                                 [-00: WAIT_PAN]
----------------------

- - - - - - (Pass EAP Response to the EAP authenticator)- - - -

Exit Condition: Rx:PAN && PAN.exist_avp("EAP-Payload")
                [-00: Rx:PAN]
Exit Action:    TxEAP();
Exit State:     WAIT_EAP_MSG

Exit Condition: Rx:PAR                                 [-01 only]
Exit Action:    TxEAP();
                if (key_available())
                  PAN.insert_avp("MAC");
                if (SEPARATE==Set) {
                  PAN.S_flag=1;
                  if (NAP_AUTH==Set)
                    PAN.N_flag=1;
                }
                RtxTimerStop();
                Tx:PAN();
Exit State:     WAIT_EAP_MSG

Exit Condition: EAP_TIMEOUT                            [-00 only]
Exit Action:    Tx:PER();
                RtxTimerStop();
                Disconnect();
Exit State:     CLOSED

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - (PAN without an EAP response) - - - - - - -
                                                       [-01 only]
Exit Condition: Rx:PAN && !PAN.exist_avp("EAP-Payload")
Exit Action:    RtxTimerStop();
Exit State:     WAIT_PAN_OR_PAR

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - -(EAP authentication timeout)- - - - - - - - - -
                                                       [-01 only]
Exit Condition: EAP_TIMEOUT && 1ST_EAP==Unset && SEPARATE==Unset
Exit Action:    if (key_available())
                  PER.insert_avp("MAC");
                Tx:PER();
                RtxTimerStart();
Exit State:     WAIT_PEA

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - -(EAP authentication timeout for 1st EAP)- - - - - - -
                                                       [-01 only]
Exit Condition: EAP_TIMEOUT && 1ST_EAP==Unset && SEPARATE==Set &&
                ABORT_ON_1ST_EAP_FAILURE==Unset
Exit Action:    1ST_EAP=Failure;
                if (key_available())
                  PFER.insert_avp("MAC");
                PFER.S_flag=1;
                if (NAP_AUTH)
                  PFER.N_flag=1;
                Tx:PFER();
                RtxTimerStart();
Exit State:     WAIT_PFEA

Exit Condition: EAP_TIMEOUT && 1ST_EAP==Unset && SEPARATE==Set &&
                ABORT_ON_1ST_EAP_FAILURE==Set
Exit Action:    1ST_EAP=Failure;
                if (key_available())
                  PFER.insert_avp("MAC");
                SEPARATE=Unset;
                PFER.S_flag=0;
                Tx:PFER();
                RtxTimerStart();
Exit State:     WAIT_FAIL_PFEA

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - -(EAP authentication timeout for 2nd EAP)- - - - - - -
                                                       [-01 only]
Exit Condition: EAP_TIMEOUT && 1ST_EAP==Failure && SEPARATE==Set
Exit Action:    if (key_available())
                  PBR.insert_avp("MAC");
                PBR.S_flag=1;
                if (NAP_AUTH)
                  PBR.N_flag=1;
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_FAIL_PBA

Exit Condition: EAP_TIMEOUT && 1ST_EAP==Success && SEPARATE==Set &&
                Authorize()
Exit Action:    if (CARRY_DEVICE_ID==Set)
                  PBR.insert_avp("Device-Id");
                if (CARRY_LIFETIME==Set)
                  PBR.insert_avp("Session-Lifetime");
                if (PROTECTION_CAP_IN_PBR==Set)
                  PBR.insert_avp("Protection-Cap.");
                if (new_key_available())
                  PBR.insert_avp("Key-Id");
                if (key_available())
                  PBR.insert_avp("MAC");
                PBR.S_flag=1;
                if (NAP_AUTH)
                  PBR.N_flag=1;
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_SUCC_PBA

Exit Condition: EAP_TIMEOUT && 1ST_EAP==Success && SEPARATE==Set &&
                !Authorize()
Exit Action:    if (key_available())
                  PBR.insert_avp("MAC");
                PBR.S_flag=1;
                if (NAP_AUTH)
                  PBR.N_flag=1;
                Tx:PBR();
                RtxTimerStart();
Exit State:     WAIT_FAIL_PBA

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------- ----------------
State: SESS_TERM State: SESS_TERM
---------------- ----------------
Exit Condition Exit Action Exist State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - -(PTA processing) - - - - - - - - - - - - - - - - - - - - - - - -(PTA processing) - - - - - - - - - -
Rx:PTA RtxTimerStop(); CLOSED Rx:PTA RtxTimerStop(); CLOSED
Disconnect(); Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------
State: WAIT_PEA
---------------
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - -(PEA processing) - - - - - - - - - -
Rx:PEA RtxTimerStop(); CLOSED
Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
8. Mobility Optimization Support
The state machines outlined in the preceding sections provide only
PANA base protocol functionality. In order to support the PANA
mobility optimization outlined in [I-D.ietf-pana-mobopts], additions
and changes to the PaC and PAA state machines are required. These
additions and changes provide only basic mobility optimization and
are not explicit about the integration of other mobility
functionality such as context-transfer mechanisms. However, they do
provide enough flexibility to accommodate future inclusion of such
mechanisms.
The variables, procedures and state transitions described in this
section are designed to be seamlessly integrated into the appropriate
base protocol state machines. They should be treated as a mobility
optimization addendum to the base protocol state machines. In this
addendum, no additional states have been defined, but some
modifications to the base protocol state machines are required. The
modifications accommodate the mobility variables and procedures as
they relate to existing state transition actions and events. These
modifications to existing state transitions are noted in the state
transition tables in this section. The modified state transitions
are intended to replace their base protocol counterparts. New state
transitions specific to mobility optimization are also added.
Variable initialization also needs to be added to the appropriate
base protocol state to complete the mobility optimization support.
8.1 Common Variables
MOBILITY
This variable indicates whether the mobility handling feature
described in [I-D.ietf-pana-mobopts] is supported. It should be
present in both the PaC and PAA state machines. Existing state
transitions in the base protocol state machine that can be
affected by mobility optimization must treat this variable as
being Unset unless the state transition is explicitly redefined
in this section.
8.2 PaC Mobility Optimization State Machine
8.2.1 Variables
PANA_SA_RESUMED
This variable indicates whether the PANA SA of a previous PANA
session was resumed during the discovery and initial handshake.
8.2.2 Procedures
boolean resume_pana_sa()
This procedure returns TRUE when a PANA SA for a previously
established PANA Session is resumed, otherwise it returns FALSE.
Once a PANA SA is resumed, the key_available() procedure must
return TRUE. Existing state transitions in the base protocol state
machine that can be affected by mobility optimization must assume
that this procedure always returns FALSE unless the state
transition is explicitly redefined in this section.
8.2.3 PaC Mobility Optimization State Transition Table Addendum
------------------------------
State: OFFLINE (Initial State)
------------------------------
Initialization Action:
MOBILITY=Set|Unset;
PANA_SA_RESUMED=Unset;
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - (PSR processing with mobility support)- - - - -
- The following state transitions are intended to be added -
- to the OFFLINE state of the PaC base protocol state -
- machine. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp PSA.insert_avp
("EAP-Payload") && ("Session-Id");
MOBILITY==Set && SEPARATE=Unset;
resume_pana_sa() && PANA_SA_RESUMED=Set;
PSR.exist_avp PSA.insert_avp("Cookie");
("Cookie") PSA.insert_avp("MAC");
Tx:PSA();
RtxTimerStart();
Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp PSA.insert_avp
("EAP-Payload") && ("Session-Id");
MOBILITY==Set && PSA.insert_avp("MAC");
resume_pana_sa() && Tx:PSA();
!PSR.exist_avp PANA_SA_RESUMED=Set;
("Cookie")
---------------
State: WAIT_PAA
---------------
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - -
- The following state transitions are intended to replace -
- existing base protocol state transitions. Original base -
- protocol state transitions can be referenced by the same -
- exit conditions that exist in the WAIT_PAA state of the PaC -
- base protocol state machine. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG
!eap_piggyback() TxEAP();
PANA_SA_RESUMED=Unset;
EAP_RespTimerStart();
if (key_available())
PAN.insert_avp("MAC");
PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag;
Tx:PAN();
Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG
eap_piggyback() TxEAP();
PANA_SA_RESUMED=Unset;
EAP_RespTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - -
- The following state transitions are intended to replace -
- existing base protocol state transitions. Original base -
- protocol state transitions can be referenced by exit -
- conditions that exclude PANA_SA_RESUMED variable checks. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rx:PBR && TxEAP(); WAIT_EAP_RESULT
1ST_EAP==Unset && if (PBR.exist_avp
SEPARATE==Unset && ("Device-Id"))
PBR.RESULT_CODE== CARRY_DEVICE_ID=Set;
PANA_SUCCESS &&
PANA_SA_RESUMED!=Set &&
PBR.exist_avp
("EAP-Payload")
Rx:PBR && alt_reject(); WAIT_EAP_RESULT
1ST_EAP==Unset && if (PBR.exist_avp
SEPARATE==Unset && ("Device-Id"))
PBR.RESULT_CODE== CARRY_DEVICE_ID=Set;
PANA_SUCCESS &&
PANA_SA_RESUMED!=Set &&
!PBR.exist_avp
("EAP-Payload")
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (PBR processing with mobility support)- - - - -
- The following state transitions are intended to be added -
- to the WAIT_PAA state of the PaC base protocol state -
- machine. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rx:PBR && PBA.insert_avp("Key-Id"); OPEN
1ST_EAP==Unset && PBA.insert_avp("MAC");
SEPARATE==Unset && if (PBR.exist_avp
PBR.RESULT_CODE== ("Device-Id"))
PANA_SUCCESS && PBA.insert("Device-Id");
PANA_SA_RESUMED==Set && Tx:PBA();
PBR.exist_avp Authorize();
("Key-Id") && SessionTimerStart();
PBR.exist_avp
("MAC")
-----------
State: OPEN
-----------
Exit Condition Exit Action Exit State
------------------------+--------------------------+-------------
- - - - - - - - - (re-authentication initiated by PaC)- - - - - -
- The following state transitions are intended to replace -
- existing base protocol state transitions. Original base -
- protocol state transitions can be referenced by the same -
- exit conditions that exist in the OPEN state of the PaC -
- base protocol state machine. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
REAUTH SEPARATE=Set|Unset; WAIT_PRAA
1ST_EAP=Unset;
PANA_SA_RESUMED=Unset;
if (key_available())
PRAR.insert_avp("MAC");
Tx:PRAR();
RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - (re-authentication initiated by PAA)- - - - - -
Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG
!eap_piggyback() 1ST_EAP=Unset;
PANA_SA_RESUMED=Unset;
EAP_RespTimerStart();
TxEAP();
if (key_available())
PAN.insert_avp("MAC");
PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag;
Tx:PAN();
Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG
eap_piggyback() 1ST_EAP=Unset;
PANA_SA_RESUMED=Unset;
EAP_RespTimerStart();
TxEAP();
8.3 PAA Mobility Optimization
8.3.1 Procedures
boolean retrieve_pana_sa(Session-Id)
This procedure returns TRUE when a PANA SA for the PANA Session
corresponding to the specified Session-Id has been retrieved,
otherwise it returns FALSE.
8.3.2 PAA Mobility Optimization State Transition Table Addendum
------------------------------
State: OFFLINE (Initial State)
------------------------------
Initialization Action:
MOBILITY=Set|Unset;
Exit Condition Exit Action Exit State
------------------------+--------------------------+------------
- - - - - - - (PSA processing without mobility support) - - - -
- The following state transitions are intended to replace -
- existing base protocol state transitions. Original base -
- protocol state transitions can be referenced by exit -
- conditions that exclude MOBILITY variable checks and -
- retrieve_pana_sa() procedure calls. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG
USE_COOKIE==Set && PSA.S_flag==0)
(!PSA.exist_avp SEPARATE=Unset;
("Session-Id") || NAP_AUTH=Set|Unset;
MOBILITY==Unset || EAP_Restart();
(MOBILITY==Set &&
!retrieve_pana_sa
(PSA.SESSION_ID)))
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (PSA processing with mobility support)- - - - -
Rx:PSA && PBR.insert_avp("MAC"); WAIT_SUCC_PBA
USE_COOKIE==Set && PBR.insert_avp("Key-Id");
PSA.exist_avp if (CARRY_DEVICE_ID==Set)
("Session-Id") && PBR.insert_avp
MOBILITY==Set && ("Device-Id");
retrieve_pana_sa && if (PROTECTION_CAP_IN_PBR
(PSA.SESSION_ID) ==Set)
PBR.insert_avp
("Protection-Cap.");
Tx:PBR();
RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
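The PaC and PAA addendum transitions above, rendered as executable logic so the two sides can be driven against each other. This is an added example and not code from the draft or from any PANA implementation: the Msg, PaC and PAA classes, the SA dictionaries, the "sid-1" Session-Id and "c0ffee" cookie values, and the numeric PANA_SUCCESS constant are all constructed, while message, AVP, variable and procedure names follow the tables. It covers the PaC OFFLINE "PSR processing with mobility support" transitions, the PaC WAIT_PAA PBR handling split on PANA_SA_RESUMED, and the PAA OFFLINE PSA processing with and without a retrievable SA. Base-protocol transitions that the addendum does not touch are not modelled; the handlers return None where one of those would fire.

```python
# Added example (not from the draft): the PANA mobility-optimization addendum as code.
from dataclasses import dataclass, field
from typing import Optional

PANA_SUCCESS = 2001  # constructed stand-in for the result code; only compared for equality

@dataclass
class Msg:
    kind: str                            # PSR, PSA, PBR or PBA
    avps: dict = field(default_factory=dict)
    result_code: Optional[int] = None

    def exist_avp(self, name: str) -> bool:
        return name in self.avps

    def insert_avp(self, name: str, value=True) -> None:
        self.avps[name] = value

@dataclass
class PaC:
    mobility: bool                       # MOBILITY
    cached_sa: Optional[dict] = None     # PANA SA kept from a previous session (constructed)
    state: str = "OFFLINE"
    pana_sa_resumed: bool = False        # PANA_SA_RESUMED
    separate: bool = False               # SEPARATE

    def resume_pana_sa(self) -> bool:
        return self.cached_sa is not None

    def rx_psr(self, psr: Msg) -> Optional[Msg]:
        """OFFLINE: the two added 'PSR processing with mobility support' transitions."""
        assert self.state == "OFFLINE"
        if psr.exist_avp("EAP-Payload") or not self.mobility or not self.resume_pana_sa():
            return None                  # base-protocol PSR transitions apply (not modelled)
        psa = Msg("PSA")
        psa.insert_avp("Session-Id", self.cached_sa["session_id"])
        self.separate = False
        self.pana_sa_resumed = True      # from here on key_available() is TRUE
        if psr.exist_avp("Cookie"):      # PSR carried a Cookie: echo it in the PSA
            psa.insert_avp("Cookie", psr.avps["Cookie"])
        psa.insert_avp("MAC")
        self.state = "WAIT_PAA"
        return psa

    def rx_pbr(self, pbr: Msg) -> Optional[Msg]:
        """WAIT_PAA: PBR handling, split on PANA_SA_RESUMED as the addendum does."""
        assert self.state == "WAIT_PAA"
        if self.separate or pbr.result_code != PANA_SUCCESS:
            return None                  # other base-protocol transitions apply (not modelled)
        if not self.pana_sa_resumed:     # replaced '1st EAP result' transitions
            self.state = "WAIT_EAP_RESULT"   # after TxEAP() or alt_reject()
            return None
        if not (pbr.exist_avp("Key-Id") and pbr.exist_avp("MAC")):
            return None                  # resumed SA but unprotected PBR: no transition matches
        pba = Msg("PBA")                 # added 'PBR processing with mobility support'
        pba.insert_avp("Key-Id")
        pba.insert_avp("MAC")
        self.state = "OPEN"              # Authorize(); SessionTimerStart()
        return pba

@dataclass
class PAA:
    mobility: bool                       # MOBILITY
    sa_store: dict = field(default_factory=dict)  # Session-Id -> stored SA (constructed)
    use_cookie: bool = True              # USE_COOKIE
    state: str = "OFFLINE"

    def retrieve_pana_sa(self, session_id) -> bool:
        return session_id in self.sa_store

    def rx_psa(self, psa: Msg) -> Optional[Msg]:
        """OFFLINE: PSA processing with and without mobility support."""
        assert self.state == "OFFLINE" and self.use_cookie
        if psa.exist_avp("Session-Id") and self.mobility and self.retrieve_pana_sa(psa.avps["Session-Id"]):
            # The table sets no RESULT_CODE; PANA_SUCCESS is assumed, as the PaC side requires it
            pbr = Msg("PBR", result_code=PANA_SUCCESS)
            pbr.insert_avp("MAC")
            pbr.insert_avp("Key-Id")
            self.state = "WAIT_SUCC_PBA"
            return pbr
        self.state = "WAIT_EAP_MSG"      # EAP_Restart(): no usable SA, run EAP in full
        return None

def run_handshake(pac: PaC, paa: PAA) -> tuple:
    """Drive PSR -> PSA -> (PBR -> PBA | EAP fallback); return both states and the PBA AVPs."""
    psr = Msg("PSR")                     # PSR without EAP-Payload, as the addendum requires
    psr.insert_avp("Cookie", "c0ffee")   # constructed cookie value
    psa = pac.rx_psr(psr)
    if psa is None:
        return (pac.state, paa.state, None)
    pbr = paa.rx_psa(psa)
    pba = pac.rx_pbr(pbr) if pbr is not None else None
    return (pac.state, paa.state, sorted(pba.avps) if pba else None)

if __name__ == "__main__":
    sa = {"session_id": "sid-1"}         # constructed SA held by the PaC and stored by the PAA
    print(run_handshake(PaC(True, cached_sa=sa), PAA(True, sa_store={"sid-1": sa})))
```

With a shared SA the PaC reaches OPEN and the PAA WAIT_SUCC_PBA without any EAP exchange; when the PAA cannot retrieve the SA it falls back to WAIT_EAP_MSG and the PaC, still in WAIT_PAA, will continue through the ordinary PAR-PAN path; with MOBILITY Unset on the PaC the added PSR transitions never fire, exactly as the Common Variables text requires.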
9. Implementation Considerations
9.1 Interface exposed by PANA to the Host System
It is recommended that a generic interface be provided by the
implementation to enable the host system to manage the PANA protocol
stack. It is conceivable that the PANA protocol stack resides as
part of the operating system network services. Therefore, it is
conceded that this interface will inherently have a certain level of
system dependency. However, common procedures such as startup,
shutdown, re-authenticate signals and provisions for extracting
keying material should be provided by all implementations. Host
operating systems may require finer control on when re-authentication
can occur. Also, access to keying material is especially critical
when PANA is used for bootstrapping external protocols such as IPsec.
Additional bootstrapping interfaces may also need to be defined to
accommodate such functionality.
9.2 PAA Interface to EP
Since the PANA protocol stack has a peer relationship with the EP and
perhaps other network services in a host system, it is recommended
that a standardized interface be defined to accommodate their
integration. If the PAA and EP are not co-located, this interface
may come in the form of SNMP conversations between PANA and EP as
defined in [I-D.ietf-pana-snmp]. A standard mechanism such as SNMP
minimizes complications associated with proprietary PAA-to-EP
interfaces.
DCOM, CORBA, SOAP or RPC messaging systems may be used to decrease
system dependency. These models may also provide support for
non-co-located invocations of the API and may even provide some
degree of inherent security. However, such usage is recommended only
if there is a high level of certainty that all entities are within
the same administratively secure domain. It is left to the
implementation to decide which programming model the API will
utilize. Such decisions are dictated by software engineering
practices as well as the implementation environment and are beyond
the scope of this document.
9.3 Multicast Traffic
In general, binding a UDP socket to a multicast address and/or port
is system dependent. In most systems, a socket can be bound to any
address and a specific port. This allows the socket to receive all
packets destined for the local host (on all its local addresses) for
that port. If the host subscribes to a multicast address, this
socket will receive multicast traffic as well. In some systems,
this would also result in the socket receiving all multicast traffic
even though it has subscribed to only one multicast address. This is
because most physical interfaces have multicast traffic either
enabled or disabled and do not provide per-address filtering.
Normally, it is not possible to filter out specific traffic on a
socket from the user level. Most environments provide lower-layer
filtering that allows a single socket to receive both unicast traffic
and traffic for a specific multicast address. However, this might
introduce portability problems.
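As an added example (not from the draft and not from any PANA implementation), the following Linux-specific Python shows the socket arrangement the paragraph describes, one UDP socket bound to INADDR_ANY that receives unicast on all local addresses plus one joined multicast group, together with a user-level answer to the "all multicast traffic" problem: ask the kernel to report each datagram's destination address with IP_PKTINFO and drop datagrams addressed to groups the application never joined. IP_PKTINFO, recvmsg and the in_pktinfo layout are Linux facilities, so this is non-portable in exactly the sense the paragraph warns about. The group address 224.0.0.1, the PANA_PORT placeholder and the payload are constructed.

```python
# Added example (not from the draft): one UDP socket for unicast and one multicast group,
# with user-level filtering on the destination address. Linux-specific (IP_PKTINFO).
import socket
import struct
from typing import Optional

IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)   # 8 is the Linux value of IP_PKTINFO
PANA_PORT = 0                                     # placeholder: 0 lets the kernel pick a port
PKTINFO_LEN = 12                                  # sizeof(struct in_pktinfo) on Linux


def open_pana_udp_socket(port: int, group: Optional[str] = None) -> socket.socket:
    """Bind to INADDR_ANY:port so unicast to every local address arrives; optionally join
    a multicast group and ask the kernel to report each datagram's destination address."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", port))
    if group is not None:
        mreq = struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton("0.0.0.0"))
        s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    s.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    return s


def parse_pktinfo(cmsg_data: bytes) -> str:
    """Decode struct in_pktinfo {int ifindex; in_addr spec_dst; in_addr addr} -> dotted addr."""
    _ifindex, _spec_dst, addr = struct.unpack("i4s4s", cmsg_data[:PKTINFO_LEN])
    return socket.inet_ntoa(addr)


def is_multicast(addr: str) -> bool:
    """224.0.0.0/4 is the IPv4 multicast range."""
    return 224 <= int(addr.split(".")[0]) <= 239


def accept_destination(dst: str, group: str) -> bool:
    """Keep unicast (to any local address) and datagrams for the joined group; drop the
    rest of the multicast traffic an unfiltered interface may deliver to the socket."""
    return not is_multicast(dst) or dst == group


def recv_filtered(s: socket.socket, group: str, bufsize: int = 2048):
    """Receive one datagram; return (payload, source, destination) or None if filtered."""
    data, ancdata, _flags, src = s.recvmsg(bufsize, socket.CMSG_SPACE(PKTINFO_LEN))
    dst = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            dst = parse_pktinfo(cdata)
    if dst is not None and not accept_destination(dst, group):
        return None
    return data, src, dst


if __name__ == "__main__":
    # Loopback demonstration: a unicast datagram to 127.0.0.1 passes the filter; the
    # destination reported by IP_PKTINFO is what would be compared against the joined group.
    sock = open_pana_udp_socket(PANA_PORT)
    port = sock.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.sendto(b"PANA message (constructed)", ("127.0.0.1", port))
    print(recv_filtered(sock, "224.0.0.1"))
```

The filtering happens after the kernel has already delivered the datagram, so it saves nothing on the wire or in the interface; it only stops the application from acting on traffic for groups it did not join, which is the practical concern on interfaces that switch multicast reception on wholesale.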
10. Security Considerations
This document's intent is to describe the PANA state machines fully.
To this end, any security concerns with this document are likely a
reflection of security concerns with PANA itself.
11. Acknowledgments
This work was started from state machines originally made by Dan
Forsberg.
12. References
12.1 Normative References
[I-D.ietf-pana-pana]
Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H. and A.
Yegin, "Protocol for Carrying Authentication for Network
Access (PANA)", draft-ietf-pana-pana-07 (work in
progress), December 2004.
[I-D.ietf-eap-statemachine]
Vollbrecht, J., Eronen, P., Petroni, N. and Y. Ohba,
"State Machines for Extensible Authentication Protocol
(EAP) Peer and Authenticator",
draft-ietf-eap-statemachine-06 (work in progress),
December 2004.
[I-D.ietf-pana-mobopts]
Forsberg, D., "PANA Mobility Optimizations",
draft-ietf-pana-mobopts-00 (work in progress), January
2005.
12.2 Informative References
[I-D.ietf-pana-requirements]
Yegin, A. and Y. Ohba, "Protocol for Carrying
Authentication for Network Access (PANA) Requirements",
draft-ietf-pana-requirements-09 (work in progress), August
2004.
[I-D.ietf-pana-snmp]
Mghazli, Y., Ohba, Y. and J. Bournelle, "SNMP usage for
PAA-2-EP interface", draft-ietf-pana-snmp-02 (work in
progress), October 2004.
Authors' Addresses
Victor Fajardo
Toshiba America Research, Inc.
1 Telcordia Drive
Piscataway, NJ 08854
USA
Phone: +1 732 699 5368
EMail: vfajardo@tari.toshiba.com
Yoshihiro Ohba
Toshiba America Research, Inc.
1 Telcordia Drive
Piscataway, NJ 08854
USA
Phone: +1 732 699 5305
EMail: yohba@tari.toshiba.com
Rafa Marin Lopez
University of Murcia
30071 Murcia
Spain
EMail: rafa@dif.um.es
Intellectual Property Statement
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.