idnits 2.17.1 draft-ietf-eap-rfc2284bis-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 11 instances of lines with control characters in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 1123 has weird spacing: '...ed Type of 6 ...' == Line 1193 has weird spacing: '...pe-Data field...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (January 2003) is 7769 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 1806 -- Looks like a reference, but probably isn't: '2' on line 1809 -- Looks like a reference, but probably isn't: '3' on line 1813 -- Looks like a reference, but probably isn't: '4' on line 1816 -- Looks like a reference, but probably isn't: '5' on line 1820 -- Looks like a reference, but probably isn't: '6' on line 1823 -- Looks like a reference, but probably isn't: '7' on line 1510 -- Looks like a reference, but probably isn't: '8' on line 1513 == Unused Reference: 'RFC2401' is defined on line 2015, but no explicit reference was found in the text == Unused Reference: 'IEEE.802-3.1996' is defined on line 2059, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2279 (Obsoleted by RFC 3629) ** Obsolete normative reference: RFC 2409 (Obsoleted by RFC 4306) ** Obsolete normative reference: RFC 2434 (Obsoleted by RFC 5226) ** Obsolete normative reference: RFC 2988 (Obsoleted by RFC 6298) -- Possible downref: Non-RFC (?) normative reference: ref. 'IEEE.802.1990' -- Possible downref: Non-RFC (?) normative reference: ref. 'IEEE.802-1X.2001' -- Obsolete informational reference (is this intentional?): RFC 1510 (Obsoleted by RFC 4120, RFC 6649) -- Obsolete informational reference (is this intentional?): RFC 2246 (Obsoleted by RFC 4346) -- Obsolete informational reference (is this intentional?): RFC 2284 (Obsoleted by RFC 3748) -- Obsolete informational reference (is this intentional?): RFC 2486 (Obsoleted by RFC 4282) -- Obsolete informational reference (is this intentional?): RFC 2401 (Obsoleted by RFC 4301) -- Obsolete informational reference (is this intentional?): RFC 2408 (Obsoleted by RFC 4306) -- Obsolete informational reference (is this intentional?): RFC 2716 (Obsoleted by RFC 5216) == Outdated reference: A later version (-07) exists of draft-ietf-ipsra-pic-06 == Outdated reference: A later version (-22) exists of draft-aboba-radius-rfc2869bis-09 == Outdated reference: A later version (-05) exists of draft-narten-iana-experimental-allocations-03 Summary: 6 errors (**), 0 flaws (~~), 9 warnings (==), 19 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 EAP Working Group L. Blunk 3 Internet-Draft Merit Network, Inc 4 Obsoletes: 2284 (if approved) J. Vollbrecht 5 Expires: July 2, 2003 Vollbrecht Consulting LLC 6 B. Aboba 7 Microsoft 8 J. Carlson 9 Sun 10 H. Levkowetz, Ed. 11 ipUnplugged 12 January 2003 14 Extensible Authentication Protocol (EAP) 15 17 Status of this Memo 19 This document is an Internet-Draft and is in full conformance with 20 all provisions of Section 10 of RFC2026. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF), its areas, and its working groups. Note that other 24 groups may also distribute working documents as Internet-Drafts. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 The list of current Internet-Drafts can be accessed at http:// 32 www.ietf.org/ietf/1id-abstracts.txt. 34 The list of Internet-Draft Shadow Directories can be accessed at 35 http://www.ietf.org/shadow.html. 37 This Internet-Draft will expire on July 2, 2003. 39 Copyright Notice 41 Copyright (C) The Internet Society (2003). All Rights Reserved. 43 Abstract 45 This document defines the Extensible Authentication Protocol (EAP), 46 an authentication framework which supports multiple authentication 47 mechanisms. EAP typically runs directly over the link layer without 48 requiring IP, but is reliant on lower layer ordering guarantees as in 49 PPP and IEEE 802. EAP does provide its own support for duplicate 50 elimination and retransmission. Fragmentation is not supported 51 within EAP itself; however, individual EAP methods may support this. 52 While EAP was originally developed for use with PPP, it is also now 53 in use with IEEE 802. 55 This document obsoletes RFC 2284. A summary of the changes between 56 this document and RFC 2284 is available in Appendix B. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 61 1.1 Specification of Requirements . . . . . . . . . . . . . . . 4 62 1.2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 4 63 2. Extensible Authentication Protocol (EAP) . . . . . . . . . . 7 64 2.1 Support for sequences . . . . . . . . . . . . . . . . . . . 9 65 2.2 EAP multiplexing model . . . . . . . . . . . . . . . . . . . 10 66 3. Lower layer behavior . . . . . . . . . . . . . . . . . . . . 12 67 3.1 Lower layer requirements . . . . . . . . . . . . . . . . . . 12 68 3.2 EAP usage within PPP . . . . . . . . . . . . . . . . . . . . 14 69 3.3 EAP usage within IEEE 802 . . . . . . . . . . . . . . . . . 15 70 3.4 Link layer indications . . . . . . . . . . . . . . . . . . . 15 71 4. EAP Packet format . . . . . . . . . . . . . . . . . . . . . 16 72 4.1 Request and Response . . . . . . . . . . . . . . . . . . . . 17 73 4.2 Success and Failure . . . . . . . . . . . . . . . . . . . . 20 74 5. Initial EAP Request/Response Types . . . . . . . . . . . . . 21 75 5.1 Identity . . . . . . . . . . . . . . . . . . . . . . . . . . 22 76 5.2 Notification . . . . . . . . . . . . . . . . . . . . . . . . 23 77 5.3 Nak . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 78 5.4 MD5-Challenge . . . . . . . . . . . . . . . . . . . . . . . 27 79 5.5 One-Time Password (OTP) . . . . . . . . . . . . . . . . . . 28 80 5.6 Generic Token Card (GTC) . . . . . . . . . . . . . . . . . . 29 81 5.7 Expanded types . . . . . . . . . . . . . . . . . . . . . . . 30 82 5.8 Experimental . . . . . . . . . . . . . . . . . . . . . . . . 31 83 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . 32 84 6.1 Definition of Terms . . . . . . . . . . . . . . . . . . . . 32 85 6.2 Recommended Registration Policies . . . . . . . . . . . . . 32 86 7. Security Considerations . . . . . . . . . . . . . . . . . . 33 87 7.1 Threat model . . . . . . . . . . . . . . . . . . . . . . . . 34 88 7.2 Security claims . . . . . . . . . . . . . . . . . . . . . . 34 89 7.3 Identity protection . . . . . . . . . . . . . . . . . . . . 36 90 7.4 Man-in-the-middle attacks . . . . . . . . . . . . . . . . . 36 91 7.5 Packet modification attacks . . . . . . . . . . . . . . . . 37 92 7.6 Dictionary attacks . . . . . . . . . . . . . . . . . . . . . 38 93 7.7 Connection to an untrusted network . . . . . . . . . . . . . 38 94 7.8 Negotiation attacks . . . . . . . . . . . . . . . . . . . . 38 95 7.9 Implementation idiosyncrasies . . . . . . . . . . . . . . . 39 96 7.10 Key derivation . . . . . . . . . . . . . . . . . . . . . . . 39 97 7.11 Weak ciphersuites . . . . . . . . . . . . . . . . . . . . . 41 98 7.12 Link layer . . . . . . . . . . . . . . . . . . . . . . . . . 41 99 7.13 Separation of EAP server and authenticator . . . . . . . . . 42 100 7.14 Strict Interpretation . . . . . . . . . . . . . . . . . . . 42 101 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 43 102 Normative References . . . . . . . . . . . . . . . . . . . . 43 103 Informative References . . . . . . . . . . . . . . . . . . . 44 104 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 46 105 A. Method Specific Behavior . . . . . . . . . . . . . . . . . . 47 106 A.1 Message Integrity Checks . . . . . . . . . . . . . . . . . . 47 107 B. Changes from RFC 2284 . . . . . . . . . . . . . . . . . . . 48 108 C. Open issues . . . . . . . . . . . . . . . . . . . . . . . . 49 109 Intellectual Property and Copyright Statements . . . . . . . 50 111 1. Introduction 113 This document defines the Extensible Authentication Protocol (EAP), 114 an authentication framework which supports multiple authentication 115 mechanisms. EAP typically runs directly over the link layer without 116 requiring IP, but is reliant on lower layer ordering guarantees as in 117 PPP and IEEE 802. EAP does provide its own support for duplicate 118 elimination and retransmission. Fragmentation is not supported 119 within EAP itself; however, individual EAP methods may support this. 121 EAP may be used on dedicated links as well as switched circuits, and 122 wired as well as wireless links. To date, EAP has been implemented 123 with hosts and routers that connect via switched circuits or dial-up 124 lines using PPP [RFC1661]. It has also been implemented with switches 125 and access points using IEEE 802 [IEEE.802.1990]. EAP encapsulation 126 on IEEE 802 wired media is described in [IEEE.802-1X.2001]. 128 One of the advantages of the EAP architecture is its flexibility. 129 EAP is used to select a specific authentication mechanism, typically 130 after the authenticator requests more information in order to 131 determine the specific authentication mechanism(s) to be used. 132 Rather than requiring the authenticator to be updated to support each 133 new authentication method, EAP permits the use of a backend 134 authentication server which may implement some or all authentication 135 methods, with the authenticator acting as a pass-through for some or 136 all methods and users. 138 Within this document, authenticator requirements apply regardless of 139 whether the authenticator is operating as a pass-through or not. 140 Where the requirement is meant to apply to either the authenticator 141 or backend authentication server, depending on where the EAP 142 authentication is terminated, the term "EAP server" will be used. 144 1.1 Specification of Requirements 146 In this document, several words are used to signify the requirements 147 of the specification. These words are often capitalized. The key 148 words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", 149 "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document 150 are to be interpreted as described in [RFC2119]. 152 1.2 Terminology 154 This document frequently uses the following terms: 156 authenticator 157 The end of the EAP link initiating the EAP authentication 158 methods. [Note: This terminology is also used in 160 [IEEE.802-1X.2001], and has the same meaning in this 161 document]. 163 peer 164 The end of the EAP Link that responds to the authenticator. 165 [Note:In [IEEE.802-1X.2001], this end is known as the 166 Supplicant.] 168 backend authentication server 169 A backend authentication server is an entity that provides 170 an authentication service to an authenticator. When used, 171 this server typically executes EAP Methods for the 172 authenticator. [This terminology is also used in 173 [IEEE.802-1X.2001].] 175 Displayable Message 176 This is interpreted to be a human readable string of 177 characters, and MUST NOT affect operation of the protocol. 178 The message encoding MUST follow the UTF-8 transformation 179 format [RFC2279]. 181 EAP server 182 The entity that terminates the EAP authentication method 183 with the peer. In the case where no backend authentication 184 server is used the EAP server is part of the authenticator. 185 In the case where the authenticator operates in pass 186 through mode, the EAP server is located on the backend 187 authentication server. 189 Silently Discard 190 This means the implementation discards the packet without 191 further processing. The implementation SHOULD provide the 192 capability of logging the event, including the contents of 193 the silently discarded packet, and SHOULD record the event 194 in a statistics counter. 196 Security claims terminology for EAP Methods (see Section 7.2): 198 Mutual authentication 199 This refers to an EAP method in which, within an 200 interlocked exchange, the authenticator authenticates the 201 peer and the peer authenticates the authenticator. Two 202 independent one-way methods, running in opposite directions 203 do not provide mutual authentication as defined here. 205 Integrity protection 206 This refers to providing data origin authentication and 207 protection against unauthorized modification of information 208 for EAP packets (including EAP Requests and Responses). 209 When making this claim, a method specification MUST 210 describe the EAP packets and fields within the EAP packet 211 that are protected. 213 Replay protection 214 This refers to protection against replay of EAP messages, 215 including EAP Requests and Responses, and method-specific 216 success and failure indications. 218 Confidentiality 219 This refers to encryption of EAP messages, including EAP 220 Requests and Responses, and method-specific success and 221 failure indications. A method making this claim MUST 222 support identity protection. 224 Key derivation 225 This refers to the ability of the EAP method to derive a 226 Master Key which is not exported, as well as a ciphersuite- 227 independent Master Session Keys. Both the Master Key and 228 Master Session Keys are used only for further key 229 derivation, not directly for protection of the EAP 230 conversation or subsequent data. 232 Key strength 233 If the effective key strength is N bits, the best currently 234 known methods to recover the key (with non-negligible 235 probability) require an effort comparable to 2^N operations 236 of a typical block cipher. 238 Dictionary attack resistance 239 Where password authentication is used, users are 240 notoriously prone to select poor passwords. A method may be 241 said to be dictionary attack resistant if, when there is a 242 weak password in the secret, the method does not allow an 243 attack more efficient than brute force. 245 Fast reconnect 246 The ability, in the case where a security association has 247 been previously established, to create a new or refreshed 248 security association in a smaller number of round-trips. 250 Man-in-the-Middle resistance 251 The ability for the peer to demonstrate to the 252 authenticator that it has acted as the peer for each method 253 within the conversation. Similarly, the authenticator 254 demonstrates to the peer that it has acted as the 255 authenticator for each method within the conversation. If 256 this is not possible, then the authentication sequence or 257 tunnel may be vulnerable to a man-in-the-middle attack. 259 Acknowledged result indications 260 The ability of the authenticator to provide the peer with 261 an indication of whether the peer has successfully 262 authenticated to it, and for the peer to acknowledge 263 receipt, as well as providing an indication of whether the 264 authenticator has successfully authenticated to the peer. 265 Since EAP Success and Failure packets are neither 266 acknowledged nor integrity protected, this claim requires 267 implementation of a method- specific result exchange that 268 is integrity protected. 270 2. Extensible Authentication Protocol (EAP) 272 The EAP authentication exchange proceeds as follows: 274 [1] The authenticator sends a Request to authenticate the peer. The 275 Request has a type field to indicate what is being requested. 276 Examples of Request types include Identity, MD5-challenge, etc. 277 The MD5-challenge type corresponds closely to the CHAP 278 authentication protocol [RFC1994]. Typically, the authenticator 279 will send an initial Identity Request; however, an initial 280 Identity Request is not required, and MAY be bypassed. For 281 example, the identity may not be required where it is determined 282 by the port to which the peer has connected (leased lines, 283 dedicated switch or dial-up ports); or where the identity is 284 obtained in another fashion (via calling station identity or MAC 285 address, in the Name field of the MD5-Challenge Response, etc.). 287 [2] The peer sends a Response packet in reply to a valid Request. As 288 with the Request packet the Response packet contains a Type 289 field, which corresponds to the Type field of the Request. 291 [3] The authenticator sends an additional Request packet, and the 292 peer replies with a Response. The sequence of Requests and 293 Responses continues as long as needed. EAP is a 'lock step' 294 protocol, so that other than the initial Request, a new Request 295 cannot be sent prior to receiving a valid Response. The 296 Authenticator MUST NOT send a Success or Failure packet as a 297 result of a timeout. After a suitable number of timeouts have 298 elapsed, the Authenticator SHOULD end the EAP conversation. 300 [4] The conversation continues until the authenticator cannot 301 authenticate the peer (unacceptable Responses to one or more 302 Requests), in which case the authenticator implementation MUST 303 transmit an EAP Failure (Code 4). Alternatively, the 304 authentication conversation can continue until the authenticator 305 determines that successful authentication has occurred, in which 306 case the authenticator MUST transmit an EAP Success (Code 3). 308 Since EAP is a peer-to-peer protocol, an independent and simultaneous 309 authentication may take place in the reverse direction. Both peers 310 may act as authenticators and authenticatees at the same time. 312 Advantages 313 The EAP protocol can support multiple authentication mechanisms 314 without having to pre-negotiate a particular one. 316 Devices (e.g. a NAS, switch or access point) do not have to 317 understand each authentication method and MAY act as a 318 pass-through agent for a backend authentication server. Support 319 for pass-through is optional. An authenticator MAY authenticate 320 local users while at the same time acting as a pass-through for 321 non-local users and authentication methods it does not implement 322 locally. 324 For sessions in which the authenticator acts as a pass-through, it 325 MUST determine the outcome of the authentication solely based on 326 the Accept/Reject indication sent by the backend authentication 327 server; the outcome MUST NOT be determined by the contents of an 328 EAP packet sent along with the Accept/Reject indication, or the 329 absence of such an encapsulated EAP packet. 331 Separation of the authenticator from the backend authentication 332 server simplifies credentials management and policy decision 333 making. 335 Disadvantages 336 For use in PPP, EAP does require the addition of a new 337 authentication type to PPP LCP and thus PPP implementations will 338 need to be modified to use it. It also strays from the previous 339 PPP authentication model of negotiating a specific authentication 340 mechanism during LCP. Similarly, switch or access point 341 implementations need to support [IEEE.802-1X.2001] in order to use 342 EAP. 344 Where the authenticator is separate from the backend 345 authentication server, this complicates the security analysis and, 346 if needed, key distribution. 348 2.1 Support for sequences 350 An EAP conversation MAY utilize a sequence of methods. A common 351 example of this is an Identity request followed by a single EAP 352 authentication method such as an MD5-Challenge. However a peer MUST 353 utilize only one authentication method (Type 4 or greater) within an 354 EAP conversation, after which the authenticator MUST send a Success 355 or Failure packet. As a result, Identity Requery is not supported. 357 Once a peer has sent a Response of the same Type as the initial 358 Request, an authenticator MUST NOT send a Request of a different Type 359 prior to completion of the final round of a given method (with the 360 exception of a Notification-Request) and MUST NOT send a Request for 361 an additional method of any Type after completion of the initial 362 authentication method. 364 Supporting multiple authentication methods within an EAP conversation 365 would add complexity to the EAP protocol, would enable 366 man-in-the-middle attacks (see Section 7.4), and would result in 367 interoperability problems, since existing EAP implementations 368 typically do not support multiple authentication methods. 370 If an additional authentication method is requested by the 371 authenticator, or if the authenticator sends a Request of a different 372 Type prior to completion of the final round of a given method, the 373 peer SHOULD silently discard the Request. A peer MUST NOT send a Nak 374 (legacy or expanded) in reply to a Request, after an initial non-Nak 375 Response has been sent. Since spoofed EAP Request packets may be sent 376 by an attacker, an an authenticator receiving an unexpected Nak 377 SHOULD silently discard it and log the event. 379 Where a single EAP authentication method is utilized, but other 380 methods are run within it (e.g. "tunneled" methods) the prohibition 381 against multiple authentication methods does not apply. Such 382 "tunneled" methods appear as a single authentication method to EAP. 383 Backward compatibility can be provided, since a peer not supporting a 384 "tunneled" method can reply to the initial EAP-Request with a Nak. To 385 address security vulnerabilities, "tunneled" methods MUST support 386 protection against man-in-the-middle attacks. 388 Within or associated with each authenticator, it is not anticipated 389 that a particular named peer will support a choice of methods. This 390 would make the peer vulnerable to attacks that negotiate the least 391 secure method from among a set (negotiation attacks, described in 392 Section 7.8). Instead, for each named peer there SHOULD be an 393 indication of exactly one method used to authenticate that peer name. 394 If a peer needs to make use of different authentication methods under 395 different circumstances, then distinct identities SHOULD be employed, 396 each of which identifies exactly one authentication method. 398 2.2 EAP multiplexing model 400 Conceptually, EAP implementations consist of the following 401 components: 403 [a] Lower layer. The lower layer is responsible for transmitting and 404 receiving EAP frames between the peer and authenticator. EAP has 405 been run over a variety of lower layers including PPP; wired IEEE 406 802 LANs [IEEE.802-1X.2001]; IEEE 802.11 wireless LANs 407 [IEEE.802-11.1999]; UDP (L2TP [RFC2661] and ISAKMP [PIC]); and 408 TCP [PIC]. Lower layer behavior is discussed in Section 3. 410 [b] EAP layer. The EAP layer receives and transmits EAP packets via 411 the lower layer, implements the EAP state machine, and delivers 412 and receives EAP messages to and from EAP methods. 414 [c] EAP method. EAP methods implement the authentication algorithms 415 and receive and transmit EAP messages via the EAP layer. Since 416 fragmentation support is not provided by EAP itself, this is the 417 responsibility of EAP methods, which are discussed in Section 5. 419 The EAP multiplexing model is illustrated in figure 1 below. Note 420 that there is no requirement that an implementation conform to this 421 model, as long as the on-the-wire behavior is consistent with it. 423 +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ 424 | | | | | | 425 | EAP method| EAP method| | EAP method| EAP method| 426 | Type = X | Type = Y | | Type = X | Type = Y | 427 | V | | | ^ | | 428 +-+-+-+-!-+-+-+-+-+-+-+-+ +-+-+-+-!-+-+-+-+-+-+-+-+ 429 | ! | | ! | 430 | EAP ! Layer | | EAP ! Layer | 431 | ! | | ! | 432 +-+-+-+-!-+-+-+-+-+-+-+-+ +-+-+-+-!-+-+-+-+-+-+-+-+ 433 | ! | | ! | 434 | Lower ! Layer | | Lower ! Layer | 435 | ! | | ! | 436 +-+-+-+-!-+-+-+-+-+-+-+-+ +-+-+-+-!-+-+-+-+-+-+-+-+ 437 ! ! 438 ! Peer ! Authenticator 439 +------------>-------------+ 441 Figure 1: EAP Multiplexing Model 443 Within EAP, the Type field functions much like a port number in UDP 444 or TCP. With the exception of Types handled by the EAP layer, it is 445 assumed that the EAP layer multiplexes incoming EAP packets according 446 to their Type, and delivers them only to the EAP method corresponding 447 to that Type code, with one exception. 449 Since EAP methods may wish to access the Identity, the Identity 450 Response can be assumed to be stored within the EAP layer so as to be 451 available to methods of Types other than 1 (Identity). The Identity 452 Type is discussed in Section 5.1. 454 A Notification Response is only used as confirmation that the peer 455 received the Notification Request, not that it has processed it, or 456 displayed the message to the user. It cannot be assumed that the 457 contents of the Notification Request or Response is available to 458 another method. The Notification Type is discussed in Section 5.2. 460 The Nak method is utilized for the purposes of method negotiation. 461 Peers MUST respond to an EAP Request for an unacceptable Type with a 462 Nak Response (legacy or expanded). It cannot be assumed that the 463 contents of the Nak Response is available to another method. The Nak 464 Type is discussed in Section 5.3. 466 EAP packets with codes of Success or Failure do not include a Type, 467 and therefore are not delivered to an EAP method. Success and Failure 468 are discussed in Section 4.2. 470 Given these considerations, the Success, Failure, Nak Response and 471 Notification Request/Response messages MUST NOT be used to carry data 472 destined for delivery to other EAP methods. 474 Where a pass-through authenticator is present, it forwards packets 475 back and forth between the peer and a backend authentication server, 476 based on the EAP layer header fields (Code, Identifier, Length). 477 Since pass-through authenticators rely on a backend authenticator 478 server to implement methods, the EAP method layer header fields 479 (Type, Type-Data) are not examined as part of the forwarding 480 decision. The forwarding model is illustrated in Figure 2. Compliant 481 pass-through authenticator implementations MUST by default be capable 482 of forwarding packets from any EAP method. 484 Peer Pass-through Authenticator Authentication 485 Server 487 +-+-+-+-+-+-+ +-+-+-+-+-+-+ 488 | | | | 489 |EAP method | |EAP method | 490 | Layer | | Layer | 491 | V | | ^ | 492 +-+-+-!-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-!-+-+-+ 493 | ! | | | | | ! | 494 |EAP !Layer| | EAP Layer | EAP Layer | |EAP !Layer| 495 | ! | | +-----+-----+ | | ! | 496 | ! | | ! | ! | | ! | 497 +-+-+-!-+-+-+ +-+-+-!-+-+-+-+-+-!-+-+-+ +-+-+-!-+-+-+ 498 | ! | | ! | ! | | ! | 499 |Lower!Layer| |Lower!Layer| AAA ! /IP | | AAA ! /IP | 500 | ! | | ! | ! | | ! | 501 +-+-+-!-+-+-+ +-+-+-!-+-+-+-+-+-!-+-+-+ +-+-+-!-+-+-+ 502 ! ! ! ! 503 ! ! ! ! 504 +-------->-----+ +------->------+ 506 Figure 2: Pass-through Authenticator 508 3. Lower layer behavior 510 3.1 Lower layer requirements 512 EAP makes the following assumptions about lower layers: 514 [1] Lower layer CRC or checksum is not necessary. In EAP, the 515 authenticator retransmits Requests that have not yet received 516 Responses, so that EAP does not assume that lower layers are 517 reliable. Since EAP defines its own retransmission behavior, 518 when run over a reliable lower layer, it is possible (though 519 undesirable) for retransmission to occur both in the lower layer 520 and the EAP layer. 522 If lower layers exhibit a high loss rate, then retransmissions 523 are likely, and since EAP Success and Failure are not 524 retransmitted, timeouts are also likely to result. EAP methods 525 such as EAP TLS [RFC2716] include a message integrity check (MIC) 526 and regard MIC errors as fatal. Therefore if a checksum or CRC is 527 not provided by the lower layer, then some methods may not behave 528 well. 530 [2] Lower layer data security. After EAP authentication is complete, 531 the peer will typically transmit data to the network, through the 532 authenticator. In order to provide assurance that the peer 533 transmitting data is the one that successfully completed EAP 534 authentication, it is necessary for the lower layer to provide 535 per- packet integrity, authentication and replay protection that 536 is bound to the original EAP authentication, or for the lower 537 layer to be physically secure. Otherwise it is possible for 538 subsequent data traffic to be hijacked, or replayed. 540 As a result of these considerations, EAP SHOULD be used only when 541 lower layers provide physical security for data (e.g. wired PPP 542 or IEEE 802 links), or for insecure links, where per-packet 543 authentication, integrity and replay protection is provided. 544 Where keying material for the lower layer ciphersuite is itself 545 provided by EAP, typically the lower layer ciphersuite cannot be 546 enabled until late in the EAP conversation, after key derivation 547 has completed. Thus it may only be possible to use the lower 548 layer ciphersuite to protect a portion of the EAP conversation, 549 such as the EAP Success or Failure packet. 551 [3] Known MTU. The EAP layer does not support fragmentation and 552 reassembly. However, EAP methods SHOULD be capable of handling 553 fragmentation and reassembly. As a result, EAP is capable of 554 functioning across a range of MTU sizes, as long as the MTU is 555 known. 557 [4] Possible duplication. Where the lower layer is reliable, it will 558 provide the EAP layer with a non-duplicated stream of packets. 559 However, while it is desirable that lower layers provide for non- 560 duplication, this is not a requirement. The Identifier field 561 provides both the peer and authenticator with the ability to 562 detect duplicates. 564 [5] Ordering guarantees. EAP does not require the Identifier to be 565 monotonically increasing, and so is reliant on lower layer 566 ordering guarantees for correct operation. Also, EAP was 567 originally defined to run on PPP, and [RFC1661] Section 1 has an 568 ordering requirement: 570 "The Point-to-Point Protocol is designed for simple links which 571 transport packets between two peers. These links provide full- 572 duplex simultaneous bi-directional operation, and are assumed to 573 deliver packets in order." 575 Lower lower transports for EAP MUST preserve ordering between a 576 source and destination, at a given priority level (the level of 577 ordering guarantee provided by [IEEE.802.1990]). 579 3.2 EAP usage within PPP 581 In order to establish communications over a point-to-point link, each 582 end of the PPP link must first send LCP packets to configure the data 583 link during Link Establishment phase. After the link has been 584 established, PPP provides for an optional Authentication phase before 585 proceeding to the Network-Layer Protocol phase. 587 By default, authentication is not mandatory. If authentication of the 588 link is desired, an implementation MUST specify the Authentication- 589 Protocol Configuration Option during Link Establishment phase. 591 If the identity of the peer has been established in the 592 Authentication phase, the server can use that identity in the 593 selection of options for the following network layer negotiations. 595 When implemented within PPP, EAP does not select a specific 596 authentication mechanism at PPP Link Control Phase, but rather 597 postpones this until the Authentication Phase. This allows the 598 authenticator to request more information before determining the 599 specific authentication mechanism. This also permits the use of a 600 "back-end" server which actually implements the various mechanisms 601 while the PPP authenticator merely passes through the authentication 602 exchange. The PPP Link Establishment and Authentication phases, and 603 the Authentication-Protocol Configuration Option, are defined in The 604 Point-to-Point Protocol (PPP) [RFC1661]. 606 3.2.1 PPP Configuration Option Format 608 A summary of the PPP Authentication-Protocol Configuration Option 609 format to negotiate the EAP Authentication Protocol is shown below. 610 The fields are transmitted from left to right. 612 Exactly one EAP packet is encapsulated in the Information field of a 613 PPP Data Link Layer frame where the protocol field indicates type hex 614 C227 (PPP EAP). 616 0 1 2 3 617 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 618 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 619 | Type | Length | Authentication-Protocol | 620 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 622 Type 624 3 626 Length 628 4 630 Authentication-Protocol 632 C227 (Hex) for PPP Extensible Authentication Protocol (EAP) 634 3.3 EAP usage within IEEE 802 636 The encapsulation of EAP over IEEE 802 is defined in 637 [IEEE.802-1X.2001]. The IEEE 802 encapsulation of EAP does not 638 involve PPP, and IEEE 802.1X does not include support for link or 639 network layer negotiations. As a result, within IEEE 802.1X it is not 640 possible to negotiate non-EAP authentication mechanisms, such as PAP 641 or CHAP [RFC1994]. 643 3.4 Link layer indications 645 The reliability and security of link layer indications is dependent 646 on the medium. Since EAP is media independent, the presence or 647 absence of link layer security is not taken into account in the 648 processing of EAP messages. 650 Link layer failure indications provided to EAP by the link layer MUST 651 be processed and will cause an EAP exchange in progress to be 652 aborted. However, link layer success indications MUST NOT affect EAP 653 message processing so that an EAP implementation MUST NOT conclude 654 that authentication has succeeded based on those indications. This 655 ensures that an attacker spoofing link layer indications can at best 656 succeed in a denial of service attack. 658 A discussion of some reliability and security issues with link layer 659 indications in PPP, IEEE 802 wired networks and IEEE 802.11 wireless 660 LANs can be found in the Security Considerations, Section 7.12. 662 In IEEE 802.11 a "link down" indication is an unreliable indication 663 of link failure, since wireless signal strength can come and go and 664 may be influenced by radio frequency interference generated by an 665 attacker. To avoid unnecessary resets, it is advisable to damp these 666 indications, rather than passing them directly to the EAP. Since EAP 667 supports retransmission, it is robust against transient connectivity 668 losses. 670 4. EAP Packet format 672 A summary of the EAP packet format is shown below. The fields are 673 transmitted from left to right. 675 0 1 2 3 676 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 677 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 678 | Code | Identifier | Length | 679 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 680 | Data ... 681 +-+-+-+-+ 683 Code 685 The Code field is one octet and identifies the type of EAP packet. 686 EAP Codes are assigned as follows: 688 1 Request 689 2 Response 690 3 Success 691 4 Failure 693 Since EAP only defines Codes 1-4, EAP packets with other codes 694 MUST be silently discarded by both authenticators and peers. 696 Identifier 698 The Identifier field is one octet and aids in matching Responses 699 with Requests. 701 Length 703 The Length field is two octets and indicates the length of the EAP 704 packet including the Code, Identifier, Length and Data fields. 706 Octets outside the range of the Length field should be treated as 707 Data Link Layer padding and should be ignored on reception. 709 Data 711 The Data field is zero or more octets. The format of the Data 712 field is determined by the Code field. 714 4.1 Request and Response 716 Description 718 The Request packet (Code field set to 1) is sent by the 719 authenticator to the peer. Each Request has a Type field which 720 serves to indicate what is being requested. Additional Request 721 packets MUST be sent until a valid Response packet is received, or 722 an optional retry counter expires. 724 Retransmitted Requests MUST be sent with the same Identifier value 725 in order to distinguish them from new Requests. The contents of 726 the data field is dependent on the Request type. The peer MUST 727 send a Response packet in reply to a valid Request packet. 728 Responses MUST only be sent in reply to a valid Request and never 729 retransmitted on a timer. 731 The Identifier field of the Response MUST match that of the 732 currently outstanding Request. An authenticator receiving a 733 Response whose Identifier value does not match that of the 734 currently outstanding Request MUST silently discard the Response. 735 The Type field of a Response MUST either match that of the 736 Request, or correspond to a legacy or expanded Nak (see Section 737 5.3). 739 Implementation Note: The authenticator is responsible for 740 retransmitting Request messages. If the Request message is 741 obtained from elsewhere (such as from a backend authentication 742 server), then the authenticator will need to save a copy of the 743 Request in order to accomplish this. The peer is responsible 744 for detecting and handling duplicate Request messages before 745 processing them in any way, including passing them on to an 746 outside party. The authenticator is also responsible for 747 discarding Response messages with a non-matching Identifier 748 value before acting on them in any way, including passing them 749 on to the backend authentication server for verification. Since 750 the authenticator can retransmit before receiving a Response 751 from the peer, the authenticator can receive multiple 752 Responses, each with a matching Identifier. Until a new Request 753 is received by the authenticator, the Identifier value is not 754 updated, so that the authenticator forwards Responses to the 755 backend authentication server, one at a time. 757 Because the authentication process will often involve user 758 input, some care must be taken when deciding upon 759 retransmission strategies and authentication timeouts. By 760 default, where EAP is run over an unreliable lower layer, the 761 EAP retransmission timer SHOULD be computed as described in 762 [RFC2988]. This includes use of Karn's algorithm to filter RTT 763 estimates resulting from retransmissions. A maximum of 3-5 764 retransmissions is suggested. 766 When run over a reliable lower layer (e.g. EAP over ISAKMP/TCP, 767 as within [PIC]), the authenticator retransmission timer SHOULD 768 be set to an infinite value, so that retransmissions do not 769 occur at the EAP layer. Note that in this case the peer may 770 still maintain a timeout value so as to avoid waiting 771 indefinitely for a Request. 773 Where the authentication process requires user input, the 774 measured round trip times are largely determined by user 775 responsiveness rather than network characteristics, so that RTO 776 estimation is not helpful. Instead, the retransmission timer 777 SHOULD be set so as to provide sufficient time for the user to 778 respond, with longer timeouts required in certain cases, such 779 as where Token Cards (see Section 5.6) are involved. 781 In order to provide the EAP authenticator with guidance as to 782 the appropriate timeout value, a hint can be communicated to 783 the authenticator by the backend authentication server (such as 784 via the RADIUS Session-Timeout attribute). 786 A summary of the Request and Response packet format is shown below. 787 The fields are transmitted from left to right. 789 0 1 2 3 790 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 791 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 792 | Code | Identifier | Length | 793 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 794 | Type | Type-Data ... 795 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- 796 Code 798 1 for Request 799 2 for Response 801 Identifier 803 The Identifier field is one octet. The Identifier field MUST be 804 the same if a Request packet is retransmitted due to a timeout 805 while waiting for a Response. Any new (non-retransmission) 806 Requests MUST modify the Identifier field. In order to avoid 807 confusion between new Requests and retransmissions, the Identifier 808 value chosen for each new Request need only be different from the 809 previous Request, but need not be unique within the conversation. 810 One way to achieve this is to start the Identifier at an initial 811 value and increment it for each new Request. Initializing the 812 first Identifier with a random number rather than starting from 813 zero is recommended, since it makes sequence attacks somewhat 814 harder. 816 Since the Identifier space is unique to each session, 817 authenticators are not restricted to only 256 simultaneous 818 authentication conversations. Similarly, with re-authentication, 819 an EAP conversation might continue over a long period of time, and 820 is not limited to only 256 roundtrips. 822 If a peer receives a valid duplicate Request for which it has 823 already sent a Response, it MUST resend its original Response. If 824 a peer receives a duplicate Request before it has sent a Response, 825 but after it has determined the initial Request to be valid (i.e. 826 it is waiting for user input), it MUST silently discard the 827 duplicate Request. An EAP message may be found invalid for a 828 variety of reasons: failed lower layer CRC or checksum, malformed 829 EAP packet, EAP method MIC failure, etc. 831 Length 833 The Length field is two octets and indicates the length of the EAP 834 packet including the Code, Identifier, Length, Type, and Type-Data 835 fields. Octets outside the range of the Length field should be 836 treated as Data Link Layer padding and should be ignored on 837 reception. 839 Type 841 The Type field is one octet. This field indicates the Type of 842 Request or Response. A single Type MUST be specified for each EAP 843 Request or Response. Normally, the Type field of the Response 844 will be the same as the Type of the Request. However, there is 845 also a Nak Response Type for indicating that a Request type is 846 unacceptable to the peer. An initial specification of Types 847 follows in a later section of this document. 849 Type-Data 851 The Type-Data field varies with the Type of Request and the 852 associated Response. 854 4.2 Success and Failure 856 The Success packet is sent by the authenticator to the peer to 857 acknowledge successful authentication. The authenticator MUST 858 transmit an EAP packet with the Code field set to 3 (Success). If 859 the authenticator cannot authenticate the peer (unacceptable 860 Responses to one or more Requests) then the implementation MUST 861 transmit an EAP packet with the Code field set to 4 (Failure). An 862 authenticator MAY wish to issue multiple Requests before sending a 863 Failure response in order to allow for human typing mistakes. Success 864 and Failure packets MUST NOT contain additional data. 866 Implementation Note: Because the Success and Failure packets are 867 not acknowledged, the authenticator cannot know whether they have 868 been received. As a result, these packets are not retransmitted by 869 the authenticator. If acknowledged success and failure indications 870 are desired, these MAY be implemented within individual EAP 871 methods. Since only a single EAP authentication method is 872 supported within an EAP conversation, a peer that successfully 873 authenticates the authenticator MAY, in the event that an EAP 874 Success is not received, conclude that the EAP Success packet was 875 lost and enable the link. 877 A summary of the Success and Failure packet format is shown below. 878 The fields are transmitted from left to right. 880 0 1 2 3 881 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 882 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 883 | Code | Identifier | Length | 884 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 886 Code 888 3 for Success 889 4 for Failure 891 Identifier 893 The Identifier field is one octet and aids in matching replies to 894 Responses. The Identifier field MUST match the Identifier field 895 of the Response packet that it is sent in response to. 897 Length 899 4 901 4.2.1 Processing of success and failure 903 EAP Success or Failure packets MUST NOT be sent by an authenticator 904 prior to completion of the final round of a given method. A peer EAP 905 implementation receiving a Success or Failure packet prior to 906 completion of the method in progress MUST silently discard it. By 907 default, an EAP peer MUST silently discard a "canned" EAP Success 908 message (an EAP Success message sent immediately upon connection). 909 This ensures that a rogue authenticator will not be able to bypass 910 mutual authentication by sending an EAP Success prior to conclusion 911 of the EAP method conversation. 913 5. Initial EAP Request/Response Types 915 This section defines the initial set of EAP Types used in Request/ 916 Response exchanges. More Types may be defined in follow-on 917 documents. The Type field is one octet and identifies the structure 918 of an EAP Request or Response packet. The first 3 Types are 919 considered special case Types. 921 The remaining Types define authentication exchanges. The Nak Type is 922 valid only for Response packets, it MUST NOT be sent in a Request. 923 The Nak Type MUST only be sent in response to a Request which uses an 924 authentication Type code (i.e., Type of 4 or greater). 926 All EAP implementations MUST support Types 1-4, which are defined in 927 this document, and SHOULD support Type 254. Follow-on RFCs MAY define 928 additional EAP Types. 930 1 Identity 931 2 Notification 932 3 Nak (Response only) 933 4 MD5-Challenge 934 5 One Time Password (OTP) 935 6 Generic Token Card (GTC) 936 254 Expanded types 937 255 Experimental use 939 5.1 Identity 941 Description 943 The Identity Type is used to query the identity of the peer. 944 Generally, the authenticator will issue this as the initial 945 Request. An optional displayable message MAY be included to prompt 946 the peer in the case where there expectation of interaction with a 947 user. A Response of Type 1 (Identity) SHOULD be sent in Response 948 to a Request with a Type of 1 (Identity). 950 Since Identity Requests and Responses are not protected, from a 951 security perspective, it may be preferable for protected method- 952 specific Identity exchanges to be used instead. 954 Implementation Note: The peer MAY obtain the Identity via user 955 input. It is suggested that the authenticator retry the 956 Identity Request in the case of an invalid Identity or 957 authentication failure to allow for potential typos on the part 958 of the user. It is suggested that the Identity Request be 959 retried a minimum of 3 times before terminating the 960 authentication phase with a Failure reply. The Notification 961 Request MAY be used to indicate an invalid authentication 962 attempt prior to transmitting a new Identity Request 963 (optionally, the failure MAY be indicated within the message of 964 the new Identity Request itself). 966 Type 968 1 970 Type-Data 972 This field MAY contain a displayable message in the Request, 973 containing UTF-8 encoded ISO 10646 characters [RFC2279]. The 974 Response uses this field to return the Identity. If the Identity 975 is unknown, this field should be zero bytes in length. The field 976 MUST NOT be null terminated. The length of this field is derived 977 from the Length field of the Request/Response packet and hence a 978 null is not required. 980 5.2 Notification 982 Description 984 The Notification Type is optionally used to convey a displayable 985 message from the authenticator to the peer. An authenticator MAY 986 send a Notification Request to the peer at any time when there is 987 no outstanding Request. The peer MUST respond to a Notification 988 Request with a Notification Response; a Nak Response MUST NOT be 989 sent. 991 The peer SHOULD display this message to the user or log it if it 992 cannot be displayed. The Notification Type is intended to provide 993 an acknowledged notification of some imperative nature, but it is 994 not an error indication, and therefore does not change the state 995 of the peer. Examples include a password with an expiration time 996 that is about to expire, an OTP sequence integer which is nearing 997 0, an authentication failure warning, etc. In most circumstances, 998 Notification should not be required. 1000 Type 1002 2 1004 Type-Data 1006 The Type-Data field in the Request contains a displayable message 1007 greater than zero octets in length, containing UTF-8 encoded ISO 1008 10646 characters [RFC2279]. The length of the message is 1009 determined by Length field of the Request packet. The message 1010 MUST NOT be null terminated. A Response MUST be sent in reply to 1011 the Request with a Type field of 2 (Notification). The Type-Data 1012 field of the Response is zero octets in length. The Response 1013 should be sent immediately (independent of how the message is 1014 displayed or logged). 1016 5.3 Nak 1018 5.3.1 Legacy Nak 1019 Description 1021 The legacy Nak Type is valid only in Response messages. It is sent 1022 in reply to a Request where the desired authentication Type is 1023 unacceptable. Authentication Types are numbered 4 and above. The 1024 Response contains one or more authentication Types desired by the 1025 Peer. Type zero (0) is used to indicate that the sender has no 1026 viable alternatives. 1028 Since the legacy Nak Type is valid only in Responses and has very 1029 limited functionality, it MUST NOT be used as a general purpose 1030 error indication, such as for communication of error messages, or 1031 negotiation of parameters specific to a particular EAP method. 1033 Code 1035 2 for Response. 1037 Identifier 1039 The Identifier field is one octet and aids in matching Responses 1040 with Requests. The Identifier field of a legacy Nak Response MUST 1041 match the Identifier field of the Request packet that it is sent 1042 in response to. 1044 Length 1046 >=6 1048 Type 1050 3 1052 Type-Data 1054 Where any peer receives a Request for an unacceptable Type in the 1055 range (1-253,255), or a peer lacking support for Expanded Types 1056 receives a Request for Type 254, a legacy Nak Response MUST be 1057 sent. The Type-Data field of the legacy Nak Response MUST contain 1058 one or more octets indicating the desired authentication Type(s), 1059 one octet per Type, or the value zero (0) to indicate no proposed 1060 alternative. A peer supporting Expanded Types that receives a 1061 Request for an unacceptable Type (1-253, 255) MAY include the 1062 value 254 in the legacy Nak Response in order to indicate the 1063 desire for an Expanded authentication Type. If the authenticator 1064 can accomodate this preference, it will respond with an Expanded 1065 Type Request. 1067 5.3.2 Expanded Nak 1069 Description 1071 The Expanded Nak Type is valid only in Response messages. It MUST 1072 be sent only in reply to a Request of Type 254 (Expanded Type) 1073 where the authentication Type is unacceptable. The Expanded Nak 1074 Type uses the Expanded Type format itself, and the Response 1075 contains one or more authentication Types desired by the peer, all 1076 in Expanded Type format. Type zero (0) is used to indicate that 1077 the sender has no viable alternatives. The general format of the 1078 Expanded Type is described in Section 5.7. 1080 Since the Expanded Nak Type is valid only in Responses and has 1081 very limited functionality, it MUST NOT be used as a general 1082 purpose error indication, such as for communication of error 1083 messages, or negotiation of parameters specific to a particular 1084 EAP method. 1086 Code 1088 2 for Response. 1090 Identifier 1092 The Identifier field is one octet and aids in matching Responses 1093 with Requests. The Identifier field of a Expanded Nak Response 1094 MUST match the Identifier field of the Request packet that it is 1095 sent in response to. 1097 Length 1099 >=40 1101 Type 1103 254 1105 Vendor-Id 1107 0 (IETF) 1109 Vendor-Type 1111 3 (Nak) 1113 Vendor-Data 1115 The Expanded Nak Type is only sent when the Request contains an 1116 Expanded Type (254) as defined in Section 5.7. The Vendor-Data 1117 field of the Nak Response MUST contain one or more authentication 1118 Types (4 or greater), all in expanded format, 8 octets per Type, 1119 or the value zero (0), also in Expanded Type format, to indicate 1120 no proposed alternative. The desired authentication Types may 1121 include a mixture of Vendor-Specific and IETF Types. For example, 1122 an Expanded Nak Response indicating a preference for OTP (Type 5), 1123 and an MIT (Vendor-Id=20) Expanded Type of 6 would appear as 1124 follows: 1126 0 1 2 3 1127 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1128 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1129 | 2 | Identifier | Length | 1130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1131 | Type=254 | 0 (IETF) | 1132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1133 | 3 (Nak) | 1134 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1135 | Type=254 | 0 (IETF) | 1136 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1137 | 5 (OTP) | 1138 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1139 | Type=254 | 20 (MIT) | 1140 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1141 | 6 | 1142 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1144 An Expanded Nak Response indicating a no desired alternative would 1145 appear as follows: 1147 0 1 2 3 1148 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1149 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1150 | 2 | Identifier | Length | 1151 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1152 | Type=254 | 0 (IETF) | 1153 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1154 | 3 (Nak) | 1155 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1156 | Type=254 | 0 (IETF) | 1157 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1158 | 0 (No alternative) | 1159 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1161 5.4 MD5-Challenge 1163 Description 1165 The MD5-Challenge Type is analogous to the PPP CHAP protocol 1166 [RFC1994] (with MD5 as the specified algorithm). The Request 1167 contains a "challenge" message to the peer. A Response MUST be 1168 sent in reply to the Request. The Response MAY be either of Type 1169 4 (MD5-Challenge) or Type 3 (Nak). The Nak reply indicates the 1170 peer's desired authentication Type(s). EAP peer and EAP server 1171 implementations MUST support the MD5-Challenge mechanism. An 1172 authenticator that supports only pass-through MUST allow 1173 communication with a backend authentication server that is capable 1174 of supporting MD5-Challenge, although the EAP authenticator 1175 implementation need not support MD5-Challenge itself. However, if 1176 the EAP authenticator can be configured to authenticate peers 1177 locally (e.g. not operate in pass-through), then the requirement 1178 for support of the MD5-Challenge mechanism applies. 1180 Note that the use of the Identifier field in the MD5-Challenge 1181 Type is different from that described in [RFC1994]. EAP allows 1182 for retransmission of MD5-Challenge Request packets while 1183 [RFC1994] states that both the Identifier and Challenge fields 1184 MUST change each time a Challenge (the CHAP equivalent of the 1185 MD5-Challenge Request packet) is sent. 1187 Type 1189 4 1191 Type-Data 1193 The contents of the Type-Data field is summarized below. For 1194 reference on the use of these fields see the PPP Challenge 1195 Handshake Authentication Protocol [RFC1994]. 1197 0 1 2 3 1198 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1199 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1200 | Value-Size | Value ... 1201 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1202 | Name ... 1203 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1205 Security Claims (see Section 7.2): 1207 Intended use: Wired networks, including PPP, PPPOE, and 1208 IEEE 802 wired media. Use over the 1209 Internet or with wireless media only when 1210 protected. 1211 Mechanism: Password or pre-shared key. 1212 Mutual authentication: No 1213 Integrity protection: No 1214 Replay protection: No 1215 Confidentiality: No 1216 Key Derivation: No 1217 Key strength: N/A 1218 Dictionary attack prot: No 1219 Key hierarchy: N/A 1220 Fast reconnect: No 1221 MiTM resistance: No 1222 Acknowledged S/F: No 1224 5.5 One-Time Password (OTP) 1226 Description 1228 The One-Time Password system is defined in "A One-Time Password 1229 System" [RFC2289] and "OTP Extended Responses" [RFC2243]. The 1230 Request contains a displayable message containing an OTP 1231 challenge. A Response MUST be sent in reply to the Request. The 1232 Response MUST be of Type 5 (OTP) or Type 3 (Nak). The Nak 1233 Response indicates the peer's desired authentication Type(s). 1235 Type 1237 5 1239 Type-Data 1241 The Type-Data field contains the OTP "challenge" as a displayable 1242 message in the Request. In the Response, this field is used for 1243 the 6 words from the OTP dictionary [RFC2289]. The messages MUST 1244 NOT be null terminated. The length of the field is derived from 1245 the Length field of the Request/Reply packet. 1247 Security Claims (see Section 7.2): 1249 Intended use: Wired networks, including PPP, PPPOE, and 1250 IEEE 802 wired media. Use over the 1251 Internet or with wireless media only when 1252 protected. 1253 Mechanism: One-Time Password 1254 Mutual authentication: No 1255 Integrity protection: No 1256 Replay protection: No 1257 Confidentiality: No 1258 Key Derivation: No 1259 Key strength: N/A 1260 Dictionary attack prot: No 1261 Key hierarchy: N/A 1262 Fast reconnect: No 1263 MiTM resistance: No 1264 Acknowledged S/F: No 1266 5.6 Generic Token Card (GTC) 1268 Description 1270 The Generic Token Card Type is defined for use with various Token 1271 Card implementations which require user input. The Request 1272 contains a displayable message and the Response contains the Token 1273 Card information necessary for authentication. Typically, this 1274 would be information read by a user from the Token card device and 1275 entered as ASCII text. A Response MUST be sent in reply to the 1276 Request. The Response MUST be of Type 6 (GTC) or Type 3 (Nak). 1277 The Nak Response indicates the peer's desired authentication 1278 Type(s). 1280 Type 1282 6 1284 Type-Data 1286 The Type-Data field in the Request contains a displayable message 1287 greater than zero octets in length. The length of the message is 1288 determined by the Length field of the Request packet. The message 1289 MUST NOT be null terminated. A Response MUST be sent in reply to 1290 the Request with a Type field of 6 (Generic Token Card). The 1291 Response contains data from the Token Card required for 1292 authentication. The length of the data is determined by the 1293 Length field of the Response packet. 1295 Security Claims (see Section 7.2): 1297 Intended use: Wired networks, including PPP, PPPOE, and 1298 IEEE 802 wired media. Use over the 1299 Internet or with wireless media only when 1300 protected. 1301 Mechanism: Hardware token. 1302 Mutual authentication: No 1303 Integrity protection: No 1304 Replay protection: No 1305 Confidentiality: No 1306 Key Derivation: No 1307 Key strength: N/A 1308 Dictionary attack prot: No 1309 Key hierarchy: N/A 1310 Fast reconnect: No 1311 MiTM resistance: No 1312 Acknowledged S/F: No 1314 5.7 Expanded types 1316 Description 1318 Due to EAP's popularity, the original Method Type space, which 1319 only provides for 255 values, is being allocated at a pace which 1320 if continued would result in exhaustion within a few years. Since 1321 many of the existing uses of EAP are vendor-specific, the Expanded 1322 Method Type is available to allow vendors to support their own 1323 Expanded Types not suitable for general usage. 1325 The Expanded type is also used to expand the global Method Type 1326 space beyond the original 255 values. A Vendor-Id of 0 maps the 1327 original 255 possible types onto a namespace of 2^32-1 possible 1328 types, allowing for virtually unlimited expansion. (Type 0 is only 1329 used in a Nak Response, to indicate no acceptable alternative) 1331 An implementation that supports the Expanded attribute MUST treat 1332 EAP types that are less than 256 equivalently whether they appear 1333 as a single octet or as the 32-bit Vendor-Type within a Expanded 1334 type where Vendor-Id is 0. Peers not equipped to interpret the 1335 Expanded Type MUST send a Nak as described in Section 5.3.1, and 1336 negotiate a more suitable authentication method. 1338 A summary of the Expanded Type format is shown below. The fields 1339 are transmitted from left to right. 1341 0 1 2 3 1342 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1343 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1344 | Type | Vendor-Id | 1345 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1346 | Vendor-Type | 1347 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1348 | Vendor data... 1349 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1351 Type 1353 254 for Expanded type 1355 Vendor-Id 1357 The Vendor-Id is 3 octets and represents the SMI Network 1358 Management Private Enterprise Code of the Vendor in network byte 1359 order, as allocated by IANA. A Vendor-Id of zero is reserved for 1360 use by the IETF in providing an expanded global EAP Type space. 1362 Vendor-Type 1364 The Vendor-Type field is four octets and represents the vendor- 1365 specific Method Type. 1367 If Vendor-Id is zero, the Vendor-Type field is an extension and 1368 superset of the existing namespace for EAP types. The first 256 1369 types are reserved for compatibility with single-octet EAP types 1370 that have already been assigned or may be assigned in the future. 1371 Thus, EAP types from 0 through 255 are semantically identical 1372 whether they appear as single octet EAP types or as Vendor-Types 1373 when Vendor-Id is zero. 1375 Vendor-Data 1377 The Vendor-Data field is defined by the vendor. Where a Vendor-Id 1378 of zero is present, the Vendor-Data field will be used for 1379 transporting the contents of EAP methods of Types defined by the 1380 IETF. 1382 5.8 Experimental 1384 Description 1386 The experimental type has no fixed format or content. It is 1387 intended for use when experimenting with new EAP types. This type 1388 is intended for experimental and testing purposes. No guarantee is 1389 made for interoperability between peers using this type, as 1390 outlined in [IANA-EXP]. 1392 Type 1394 255 1396 Type-Data 1398 Undefined 1400 6. IANA Considerations 1402 This section provides guidance to the Internet Assigned Numbers 1403 Authority (IANA) regarding registration of values related to the EAP 1404 protocol, in accordance with BCP 26, [RFC2434]. 1406 There are two name spaces in EAP that require registration: Packet 1407 Codes and Method Types. 1409 EAP is not intended as a general-purpose protocol, and allocations 1410 SHOULD NOT be made for purposes unrelated to authentication. 1412 6.1 Definition of Terms 1414 The following terms are used here with the meanings defined in BCP 1415 26: "name space", "assigned value", "registration". 1417 The following policies are used here with the meanings defined in BCP 1418 26: "Private Use", "First Come First Served", "Expert Review", 1419 "Specification Required", "IETF Consensus", "Standards Action". 1421 6.2 Recommended Registration Policies 1423 For registration requests where a Designated Expert should be 1424 consulted, the responsible IESG area director should appoint the 1425 Designated Expert. For Designated Expert with Specification Required, 1426 the request is posted to the EAP WG mailing list (or, if it has been 1427 disbanded, a successor designated by the Area Director) for comment 1428 and review, and MUST include a pointer to a public specification. 1429 Before a period of 30 days has passed, the Designated Expert will 1430 either approve or deny the registration request and publish a notice 1431 of the decision to the EAP WG mailing list or its successor. A denial 1432 notice must be justified by an explanation and, in the cases where it 1433 is possible, concrete suggestions on how the request can be modified 1434 so as to become acceptable. 1436 For registration requests requiring Expert Review, the EAP mailing 1437 list should be consulted. If the EAP mailing list is no longer 1438 operational, an alternative mailing list may be designated by the 1439 responsible IESG Area Director. 1441 Packet Codes have a range from 1 to 255, of which 1-4 have been 1442 allocated. Because a new Packet Code has considerable impact on 1443 interoperability, a new Packet Code requires Standards Action, and 1444 should be allocated starting at 5. 1446 The original EAP Method Type space has a range from 1 to 255, and is 1447 the scarcest resource in EAP, and thus must be allocated with care. 1448 Method Types 1-36 have been allocated, with 20 available for re-use. 1449 Method Types 37-191 may be allocated on the advice of a Designated 1450 Expert, with Specification Required. 1452 Allocation of blocks of Method Types (more than one for a given 1453 purpose) should require IETF Consensus. EAP Type Values 192-253 are 1454 reserved and allocation requires Standards Action. 1456 Method Type 254 is allocated for the Expanded Type. Where the 1457 Vendor-Id field is non-zero, the Expanded Type is used for functions 1458 specific only to one vendor's implementation of EAP, where no 1459 interoperability is deemed useful. When used with a Vendor-Id of 1460 zero, Method Type 254 can also be used to provide for an expanded 1461 IETF Method Type space. Method Type values 256-4294967295 may be 1462 allocated after Type values 1-191 have been allocated. 1464 Method Type 255 is allocated for Experimental use, such as testing of 1465 new EAP methods before a permanent Type code is allocated. 1467 7. Security Considerations 1469 EAP was designed for use with dialup PPP [RFC1661] and was later 1470 adapted for use in wired IEEE 802 networks [IEEE.802.1990] in 1471 [IEEE.802-1X.2001]. On these networks, an attacker would need to 1472 gain physical access to the telephone or switch infrastructure in 1473 order to mount an attack. While such attacks have been documented, 1474 such as in [DECEPTION], they are assumed to be rare. 1476 However, subsequently EAP has been proposed for use on wireless 1477 networks, and over the Internet, where physical security cannot be 1478 assumed. On such networks, the security vulnerabilities are greater, 1479 as are the requirements for EAP security. 1481 This section defines the threat model and security terms and 1482 describes the security claims section required in EAP method 1483 specifications. We then discuss threat mitigation. 1485 7.1 Threat model 1487 On physically insecure networks, it is possible for an attacker to 1488 gain access to the physical medium. This enables a range of attacks, 1489 including the following: 1491 [1] An adversary may try to discover user identities by snooping 1492 authentication traffic. 1494 [2] An adversary may try to modify or spoof EAP packets. 1496 [3] An adversary may launch denial of service attacks by spoofing 1497 layer 2 indications or EAP layer success/failure indications, 1498 replaying EAP packets, or generating packets with overlapping 1499 Identifiers. 1501 [4] An adversary might attempt to recover the pass-phrase by mounting 1502 an offline dictionary attack. 1504 [5] An adversary may attempt to convince the peer to connect to an 1505 untrusted network, by mounting a man-in-the-middle attack. 1507 [6] An adversary may attempt to disrupt the EAP negotiation in order 1508 to weaken the authentication. 1510 [7] An attacker may attempt to recover the key by taking advantage of 1511 weak key derivation techniques used within EAP methods. 1513 [8] An attacker may attempt to take advantage of weak ciphersuites 1514 subsequently used after the EAP conversation is complete. 1516 Where EAP is used over wireless networks, an attacker needs to be 1517 within the coverage area of the wireless medium in order to carry out 1518 these attacks. However, where EAP is used over the Internet, no such 1519 restrictions apply. 1521 7.2 Security claims 1523 In order to clearly articulate the security provided by an EAP 1524 method, EAP method specifications MUST include a Security Claims 1525 section including the following declarations: 1527 [a] Intended use. This includes a statement of whether the method is 1528 intended for use over a physically secure or insecure network, as 1529 well as a statement of the applicable media. 1531 [b] Mechanism. This is a statement of the authentication technology: 1532 certificates, pre-shared keys, passwords, token cards, etc. 1534 [c] Security claims. This is a statement of the claimed security 1535 properties of the method, using terms defined in Section 1.2: 1536 mutual authentication, integrity protection, replay protection, 1537 confidentiality, key derivation, key strength, dictionary attack 1538 resistance, fast reconnect, man-in-the-middle resistance, 1539 acknowledged result indications. The Security Claims section of 1540 an EAP method specification SHOULD provide justification for the 1541 claims that are made. This can be accomplished by including a 1542 proof in an Appendix, or including a reference to a proof. 1544 [d] Key strength. If the method derives keys, then the effective key 1545 strength MUST be estimated. This estimate is meant for potential 1546 users of the method to determine if the keys produced are strong 1547 enough for the intended application. 1549 The effective key strength SHOULD be stated as number of bits, 1550 defined as follows: If the effective key strength is N bits, the 1551 best currently known methods to recover the key (with 1552 non-negligible probability) require an effort comparable to 2^N 1553 operations of a typical block cipher. The statement SHOULD be 1554 accompanied by a short rationale, explaining how this number was 1555 arrived at. This explanation SHOULD include the parameters 1556 required to achieve N bits of entropy based on current knowledge 1557 of the algorithms. 1559 (Note: Although it is difficult to define what "comparable 1560 effort" and "typical block cipher" exactly mean, reasonable 1561 approximations are sufficient here. Refer to e.g. [SILVERMAN] for 1562 more discussion.) 1564 The key strength depends on the methods used to derive the keys. 1565 For instance, if keys are derived from a shared secret (such as a 1566 password or master key), and possibly some public information 1567 such as nonces, the effective key strength is limited by the 1568 entropy of the long-term secret (assuming that the derivation 1569 procedure is computationally simple). To take another example, 1570 when using public key algorithms, the strength of the symmetric 1571 key depends on the strength of the public keys used. 1573 [e] Description of key hierarchy. EAP methods deriving keys MUST 1574 either provide a reference to a key hierarchy specification, or 1575 describe how keys used for authentication/integrity, encryption 1576 and IVs are to be derived from the provided keying material, and 1577 how cryptographic separation is maintained between keys used for 1578 different purposes. 1580 [f] Indication of vulnerabilities. In addition to the security claims 1581 that are made, the specification MUST indicate which of the 1582 security claims detailed in Section 1.2 are NOT being made. 1584 7.3 Identity protection 1586 An Identity exchange is optional within the EAP conversation. 1587 Therefore, it is possible to omit the Identity exchange entirely, or 1588 to postpone it until later in the conversation once a protected 1589 channel has been established. 1591 However, where roaming is supported as described in [RFC2607], it may 1592 be necessary to locate the appropriate backend authentication server 1593 before the authentication conversation can proceed. The realm 1594 portion of the Network Access Identifier (NAI) [RFC2486] is typically 1595 included within the Identity-Response in order to enable the 1596 authentication exchange to be routed to the appropriate backend 1597 authentication server. Therefore while the peer-name portion of the 1598 NAI may be omitted in the Identity- Response, where proxies or relays 1599 are present, the realm portion may be required. 1601 7.4 Man-in-the-middle attacks 1603 Where a sequence of methods is utilized for authentication or EAP is 1604 tunneled within another protocol that omits peer authentication, 1605 there exists a potential vulnerability to man-in-the-middle attack. 1607 Where a sequence of EAP methods is utilized for authentication, the 1608 peer might not have proof that a single entity has acted as the 1609 authenticator for all EAP methods within the sequence. For example, 1610 an authenticator might terminate one EAP method, then forward the 1611 next method in the sequence to another party without the peer's 1612 knowledge or consent. Similarly, the authenticator might not have 1613 proof that a single entity has acted as the peer for all EAP methods 1614 within the sequence. 1616 This enables an attack by a rogue EAP authenticator tunneling EAP to 1617 a legitimate server. Where the tunneling protocol is used for key 1618 establishment but does not require peer authentication, an attacker 1619 convincing a legitimate peer to connect to it will be able to tunnel 1620 EAP packets to a legitimate server, successfully authenticating and 1621 obtaining the key. This allows the attacker to successfully establish 1622 itself as a man-in-the-middle, gaining access to the network, as well 1623 as the ability to decrypt data traffic between the legitimate peer 1624 and server. 1626 This attack may be mitigated by the following measures: 1628 [a] Requiring mutual authentication within EAP tunneling mechanisms. 1630 [b] Requiring cryptographic binding between EAP methods executed 1631 within a sequence or between the EAP tunneling protocol and the 1632 tunneled EAP methods. Where cryptographic binding is supported, a 1633 mechanism is also needed to protect against downgrade attacks 1634 that would bypass it. 1636 [c] Limiting the EAP methods authorized for use without protection, 1637 based on peer and authenticator policy. 1639 [d] Avoiding the use of sequences or tunnels when a single, strong 1640 method is available. 1642 7.5 Packet modification attacks 1644 While individual EAP methods may support per-packet data origin 1645 authentication, integrity and replay protection, EAP itself does not 1646 provide built-in support for this. 1648 Since the Identifier is only a single octet, it is easy to guess, 1649 allowing an attacker to successfully inject or replay EAP packets. 1650 An attacker may also modify EAP headers within EAP packets where the 1651 header is unprotected. This could cause packets to be inappropriately 1652 discarded or misinterpreted. 1654 In the case of PPP and IEEE 802 wired links, it is assumed that such 1655 attacks are restricted to attackers who can gain access to the 1656 physical link. However, where EAP is run over physically insecure 1657 lower layers such as IEEE 802.11 or the Internet (such as within 1658 protocols supporting PPP, EAP or Ethernet Tunneling), this assumption 1659 is no longer valid and the vulnerability to attack is greater. 1661 To protect EAP messages sent over physically insecure lower layers, 1662 methods providing mutual authentication and key derivation, as well 1663 as per-packet origin authentication, integrity and replay protection 1664 SHOULD be used. Method-specific MICs may be used to provide 1665 protection. Since EAP messages of Types Identity, Notification, and 1666 Nak do not include their own MIC, it may be desirable for the EAP 1667 method MIC to cover information contained within these messages, as 1668 well as the header of each EAP message. To provide protection, EAP 1669 also may be encapsulated within a protected channel created by 1670 protocols such as ISAKMP [RFC2408] as is done in [PIC] or within TLS 1671 [RFC2246]. However, as noted in Section 7.4, EAP tunneling may 1672 result in a man-in-the-middle vulnerability. 1674 7.6 Dictionary attacks 1676 Password authentication algorithms such as EAP-MD5, MS-CHAPv1 1677 [RFC2433] and Kerberos V [RFC1510] are known to be vulnerable to 1678 dictionary attacks. MS-CHAPv1 vulnerabilities are documented in 1679 [PPTPv1]; Kerberos vulnerabilities are described in [KRBATTACK], 1680 [KRBLIM], and [KERB4WEAK]. 1682 In order to protect against dictionary attacks, an authentication 1683 algorithm resistant to dictionary attack (as defined in Section 7.2) 1684 may be used. This is particularly important when EAP runs over media 1685 which are not physically secure. 1687 If an authentication algorithm is used that is known to be vulnerable 1688 to dictionary attack, then the conversation may be tunneled within a 1689 protected channel, in order to provide additional protection. 1690 However, as noted in Section 7.4, EAP tunneling may result in a 1691 man-in-the-middle vulnerability, and therefore dictionary attack 1692 resistant methods are preferred. 1694 7.7 Connection to an untrusted network 1696 With EAP methods supporting one-way authentication, such as EAP-MD5, 1697 the authenticator's identity is not verified. Where the lower layer 1698 is not physically secure (such as where EAP runs over wireless media 1699 or IP), this enables the peer to connect to a rogue authenticator. As 1700 a result, where the lower layer is not physically secure, a method 1701 supporting mutual authentication is recommended. 1703 In EAP there is no requirement that authentication be full duplex or 1704 that the same protocol be used in both directions. It is perfectly 1705 acceptable for different protocols to be used in each direction. 1706 This will, of course, depend on the specific protocols negotiated. 1707 However, in general, completing a single unitary mutual 1708 authentication is preferable to two one-way authentications, one in 1709 each direction. This is because separate authentications that are 1710 not bound cryptographically so as to demonstrate they are part of the 1711 same session are subject to man-in-the-middle attacks, as discussed 1712 in Section 7.4. 1714 7.8 Negotiation attacks 1716 In a negotiation attack, the attacker attempts to convince the peer 1717 and authenticator to negotiate a less secure EAP method. EAP does not 1718 provide protection for the Nak packet, although it is possible for a 1719 method to include coverage of Nak Responses within a method-specific 1720 MIC. 1722 To avoid negotiation attacks in situations where EAP runs over 1723 physically insecure media, for each named peer there SHOULD be an 1724 indication of exactly one method used to authenticate that peer name, 1725 as described in Section 2.1. 1727 7.9 Implementation idiosyncrasies 1729 The interaction of EAP with lower layer transports such as PPP and 1730 IEEE 802 are highly implementation dependent. 1732 For example, upon failure of authentication, some PPP implementations 1733 do not terminate the link, instead limiting traffic in Network-Layer 1734 Protocols to a filtered subset, which in turn allows the peer the 1735 opportunity to update secrets or send mail to the network 1736 administrator indicating a problem. Similarly, while in IEEE 802.1X 1737 an authentication failure will result in denied access to the 1738 controlled port, limited traffic may be permitted on the uncontrolled 1739 port. 1741 In EAP there is no provision for retries of failed authentication. 1742 However, in PPP the LCP state machine can renegotiate the 1743 authentication protocol at any time, thus allowing a new attempt. 1744 Similarly, in IEEE 802.1X the Supplicant or Authenticator can 1745 re-authenticate at any time. It is recommended that any counters used 1746 for authentication failure not be reset until after successful 1747 authentication, or subsequent termination of the failed link. 1749 7.10 Key derivation 1751 It is possible for the peer and EAP server to mutually authenticate, 1752 and derive a Master Key (MK). The MK is unique to the peer and EAP 1753 server and MUST NOT be exported by the EAP method, or used directly 1754 to protect the EAP conversation or subsequent data. As a result, 1755 possession of the MK represents proof of a successful authentication, 1756 and this is potentially useful in enabling features such as fast 1757 reconnect, or fast handoff. 1759 In order to provide keying material for use in a subsequently 1760 negotiated ciphersuite, the EAP method exports a Master Session Key 1761 (MSK). Like the EAP Master Key, EAP Master Session Keys are also not 1762 used directly to protect data; however, they are of sufficient size 1763 to enable subsequent derivation of Transient Session Keys (TSKs) for 1764 use with the selected ciphersuite. 1766 EAP methods provide Master Session Keys and not Transient Session 1767 Keys so as to allow EAP methods to be ciphersuite and media 1768 independent. Depending on the lower layer, EAP methods may run before 1769 or after ciphersuite negotiation, so that the selected ciphersuite 1770 may not be known to the EAP method. By providing keying material 1771 usable with any ciphersuite, EAP methods can used with a wide range 1772 of ciphersuites and media. Since the peer and EAP client reside on 1773 the same machine, TSKs can be provided to the lower layer security 1774 module without needing to leave the machine. 1776 In the case where the backend authentication server and authenticator 1777 reside on different machines, there are several implications for 1778 security: 1780 [a] Mutual authentication may occur between the peer and the backend 1781 authentication server, if the negotiated EAP method supports 1782 this. However, where the authenticator and backend authentication 1783 server are separate, the peer and authenticator do not mutually 1784 authenticate within EAP. However, subsequent to completion of 1785 the EAP conversation, the lower layer may support mutual 1786 authentication between the peer and authenticator. For example, 1787 IEEE 802.11i includes a Transient Session Key derivation protocol 1788 known as the 4-way handshake, which guarantees liveness of the 1789 TSKs, provides for mutual authentication between the peer and 1790 authenticator, replay protection, and protected ciphersuite 1791 negotiation. 1793 [b] The MSK negotiated between the peer and backend authentication 1794 server will need to be transmitted to the authenticator. The 1795 specification of this transit mechanism is outside the scope of 1796 this document. 1798 This specification does not provide detailed guidance on how EAP 1799 methods are to derive the MK and MSK. Key derivation is an art that 1800 is best practiced by professionals; rather than inventing new key 1801 derivation algorithms, reuse of existing algorithms such as those 1802 specified in IKE [RFC2409], or TLS [RFC2246] is recommended. 1804 However, some general guidelines can be provided: 1806 [1] The MK is for use only by the EAP authenticator and peer and MUST 1807 NOT be exported by the EAP method or provided to a third party. 1809 [2] Since the MSK is exported by the EAP method, while the MK is not, 1810 possession of the MSK MUST NOT provide information useful in 1811 determining the MK. 1813 [3] The MSK and TSKs MUST be fresh. Otherwise it is infeasible to 1814 detect messages replayed from prior sessions. 1816 [4] TSKs MUST be cryptographically independent from each other so 1817 that if an attacker obtains one of them, he will not have gained 1818 information useful in determining the other ones. 1820 [5] There MUST be a way to determine whether TSKs belong to this or 1821 to some other session. 1823 [6] The MSK derived by EAP methods MUST be bound to the peers as well 1824 as to the authentication method, so as to avoid a 1825 man-in-the-middle attack (see Section 7.4). 1827 7.11 Weak ciphersuites 1829 If after the initial EAP authentication, data packets are sent 1830 without per-packet authentication, integrity and replay protection, 1831 an attacker with access to the media can inject packets, "flip bits" 1832 within existing packets, replay packets, or even hijack the session 1833 completely. Without per-packet confidentiality, it is possible to 1834 snoop data packets. 1836 As a result, as noted in Section 3.1, where EAP is used over a 1837 physically insecure lower layer, per-packet authentication, integrity 1838 and replay protection SHOULD be used, and per-packet confidentiality 1839 is also recommended. 1841 7.12 Link layer 1843 There exists a number of reliability and security issues with link 1844 layer indications in PPP, IEEE 802 wired networks and IEEE 802.11 1845 wireless LANs: 1847 [a] PPP. In PPP, link layer indications such as LCP-Terminate (a 1848 link failure indication) and NCP (a link success indication) are 1849 not authenticated or integrity protected. They can therefore be 1850 spoofed by an attacker with access to the physical medium. 1852 [b] IEEE 802 wired networks. On wired networks, IEEE 802.1X messages 1853 are sent to a non-forwardable multicast MAC address. As a result, 1854 while the IEEE 802.1X EAPOL-Start and EAPOL-Logoff frames are not 1855 authenticated or integrity protected, only an attacker with 1856 access to the physical link can spoof these messages. 1858 [c] IEEE 802.11 wireless LANs. In IEEE 802.11, link layer indications 1859 include Disassociate and Deauthenticate frames (link failure 1860 indications), and Association and Reassociation Response frames 1861 (link success indications). These messages are not authenticated 1862 or integrity protected, and although they are not forwardable, 1863 they are spoofable by an attacker within range. 1865 In IEEE 802.11, IEEE 802.1X data frames are sent as Class 3 1866 unicast data frames, are therefore forwardable. This implies that 1867 while EAPOL-Start and EAPOL-Logoff messages may be authenticated 1868 and integrity protected, they can be spoofed by an authenticated 1869 attacker far from the target when "pre-authentication" is 1870 enabled. 1872 7.13 Separation of EAP server and authenticator 1874 It is possible for the EAP peer and authenticator to mutually 1875 authenticate, and derive a Master Session Key (MSK) for a ciphersuite 1876 used to protect subsequent data traffic. This does not present an 1877 issue on the peer, since the peer and EAP client reside on the same 1878 machine; all that is required is for the EAP client module to derive 1879 and pass a Transient Session Key (TSK) to the ciphersuite module. 1881 However, in the case where the EAP server and authenticator reside on 1882 different machines, there are several implications for security. 1884 [a] Authentication will occur between the peer and the EAP server, 1885 not between the peer and the authenticator. This means that it is 1886 not possible for the peer to validate the identity of the NAS or 1887 tunnel server that it is speaking to, using EAP alone. 1889 [b] As discussed in [RFC2869bis], the authenticator is dependent on 1890 the AAA protocol in order to know the outcome of an 1891 authentication conversation, and does not look at the 1892 encapsulated EAP packet (if one is present) to determine the 1893 outcome. In practice this means that the AAA protocol spoken 1894 between the authenticator and authentication server MUST support 1895 per-packet authentication, integrity and replay protection. 1897 [c] A EAP Master Session Key (MSK) negotiated between the peer and 1898 EAP server will need to be transmitted to the authenticator. 1899 Therefore a mechanism needs to be provided to transmit the MSK 1900 from the EAP server to the authenticator or tunnel server that 1901 needs it. The specification of the key transport and wrapping 1902 mechanism is outside the scope of this document. 1904 7.14 Strict Interpretation 1906 An EAP method wishing to enforce tighter security than is provided by 1907 the packet processing rules of Section 2.1 and Section 4.2.1 MAY 1908 indicate within their specification that they follow a "strict 1909 interpretation" of EAP. 1911 When requested by a method, "strict interpretation" causes the EAP 1912 implementation to impose inbound filter rules from the point where an 1913 initial Request is answered with a Response of the same Type, until 1914 the method completes. "Strict interpretation" also implies that on 1915 completion the peer method will indicate whether it succeeded (was 1916 able to authenticate the authenticator) or failed (did not succeed in 1917 authenticating the authenticator). 1919 An EAP method making use of "strict interpretation" must include a 1920 definition of completion for both the peer and authenticator, and 1921 also must indicate the conditions under which successful completion 1922 will be indicated. 1924 The filter rules are as follows: 1926 [a] On the peer, all EAP packets are silently discarded, except for 1927 those with Code=1 (Request) and Type=Method-Type. This implies 1928 that methods supporting "strict interpretation" do not utilize 1929 Notification, but instead support their own method-specific error 1930 messages. 1932 [b] On the peer, once the method completes unsuccessfully, the EAP 1933 conversation is terminated, the link is not enabled and Success 1934 packets are silently discarded. If the conversation completes 1935 successfully, then Failure packets are silently discarded. 1937 [c] On the EAP server, once the initial EAP Request is responded to 1938 with an EAP Response of the same Type, all EAP packets are 1939 silently discarded, except those with Code=2 (Response) and 1940 Type=EAP-Method-Type. 1942 Implementation note: While none of the methods defined in this 1943 document support strict interpretation, EAP-TLS [RFC2716] 1944 implementations SHOULD support strict interpretation. 1946 8. Acknowledgments 1948 This protocol derives much of its inspiration from Dave Carrel's AHA 1949 draft as well as the PPP CHAP protocol [RFC1994]. Valuable feedback 1950 was provided by Yoshihiro Ohba of Toshiba America Research, Jari 1951 Arkko of Ericsson, Sachin Seth of Microsoft, Glen Zorn of Cisco 1952 Systems, Jesse Walker of intel, Nick Petroni, Paul Funk of Funk 1953 Software and Pasi Eronen of Nokia. 1955 Normative References 1957 [RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, 1958 RFC 1661, July 1994. 1960 [RFC1994] Simpson, W., "PPP Challenge Handshake Authentication 1961 Protocol (CHAP)", RFC 1994, August 1996. 1963 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1964 Requirement Levels", BCP 14, RFC 2119, March 1997. 1966 [RFC2243] Metz, C., "OTP Extended Responses", RFC 2243, November 1967 1997. 1969 [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO 1970 10646", RFC 2279, January 1998. 1972 [RFC2289] Haller, N., Metz, C., Nesser, P. and M. Straw, "A One-Time 1973 Password System", RFC 2289, February 1998. 1975 [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange 1976 (IKE)", RFC 2409, November 1998. 1978 [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an 1979 IANA Considerations Section in RFCs", BCP 26, RFC 2434, 1980 October 1998. 1982 [RFC2988] Paxson, V. and M. Allman, "Computing TCP's Retransmission 1983 Timer", RFC 2988, November 2000. 1985 [IEEE.802.1990] 1986 Institute of Electrical and Electronics Engineers, "Local 1987 and Metropolitan Area Networks: Overview and 1988 Architecture", IEEE Standard 802, 1990. 1990 [IEEE.802-1X.2001] 1991 Institute of Electrical and Electronics Engineers, "Local 1992 and Metropolitan Area Networks: Port-Based Network Access 1993 Control", IEEE Standard 802.1X, September 2001. 1995 Informative References 1997 [DECEPTION] 1998 Slatalla, M. and J. Quittner, "Masters of Deception", 1999 HarperCollins , New York, 1995. 2001 [RFC1510] Kohl, J. and B. Neuman, "The Kerberos Network 2002 Authentication Service (V5)", RFC 1510, September 1993. 2004 [RFC2246] Dierks, T., Allen, C., Treese, W., Karlton, P., Freier, A. 2006 and P. Kocher, "The TLS Protocol Version 1.0", RFC 2246, 2007 January 1999. 2009 [RFC2284] Blunk, L. and J. Vollbrecht, "PPP Extensible 2010 Authentication Protocol (EAP)", RFC 2284, March 1998. 2012 [RFC2486] Aboba, B. and M. Beadles, "The Network Access Identifier", 2013 RFC 2486, January 1999. 2015 [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the 2016 Internet Protocol", RFC 2401, November 1998. 2018 [RFC2408] Maughan, D., Schneider, M. and M. Schertler, "Internet 2019 Security Association and Key Management Protocol 2020 (ISAKMP)", RFC 2408, November 1998. 2022 [RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", RFC 2023 2433, October 1998. 2025 [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy 2026 Implementation in Roaming", RFC 2607, June 1999. 2028 [RFC2661] Townsley, W., Valencia, A., Rubens, A., Pall, G., Zorn, G. 2029 and B. Palter, "Layer Two Tunneling Protocol "L2TP"", RFC 2030 2661, August 1999. 2032 [RFC2716] Aboba, B. and D. Simon, "PPP EAP TLS Authentication 2033 Protocol", RFC 2716, October 1999. 2035 [KRBATTACK] 2036 Wu, T., "A Real-World Analysis of Kerberos Password 2037 Security", Stanford University Computer Science 2038 Department, http://theory.stanford.edu/~tjw/krbpass.html. 2040 [KRBLIM] Bellovin, S. and M. Merrit, "Limitations of the Kerberos 2041 authentication system", Proceedings of the 1991 Winter 2042 USENIX Conference, pp. 253-267, 1991. 2044 [KERB4WEAK] 2045 Dole, B., Lodin, S. and E. Spafford, "Misplaced trust: 2046 Kerberos 4 session keys", Proceedings of the Internet 2047 Society Network and Distributed System Security Symposium, 2048 pp. 60-70, March 1997. 2050 [PIC] Aboba, B., Krawczyk, H. and Y. Sheffer, "PIC, A Pre-IKE 2051 Credential Provisioning Protocol", draft-ietf-ipsra-pic-06 2052 (work in progress), October 2002. 2054 [PPTPv1] Schneier, B. and Mudge, "Cryptanalysis of Microsoft's 2055 Point-to- Point Tunneling Protocol", Proceedings of the 2056 5th ACM Conference on Communications and Computer 2057 Security, ACM Press, November 1998. 2059 [IEEE.802-3.1996] 2060 Institute of Electrical and Electronics Engineers, 2061 "Information technology - Telecommunications and 2062 Information Exchange between Systems - Local and 2063 Metropolitan Area Networks - Specific requirements - Part 2064 3: Carrier sense multiple access with collision detection 2065 (CSMA/CD) Access Method and Physical Layer 2066 Specifications", IEEE Standard 802.3, 1996. 2068 [IEEE.802-11.1999] 2069 Institute of Electrical and Electronics Engineers, 2070 "Information Technology - Telecommunications and 2071 Information Exchange between Systems - Local and 2072 Metropolitan Area Network - Specific Requirements - Part 2073 11: Wireless LAN Medium Access Control (MAC) and Physical 2074 Layer (PHY) Specifications", IEEE Standard 802.11, 1999. 2076 [SILVERMAN] 2077 Silverman, Robert D., "A Cost-Based Security Analysis of 2078 Symmetric and Asymmetric Key Lengths", RSA Laboratories 2079 Bulletin 13, April 2000 (Revised November 2001), http:// 2080 www.rsasecurity.com/rsalabs/bulletins/bulletin13.html. 2082 [RFC2869bis] 2083 Aboba, B. and P. Calhoun, "RADIUS Support For Extensible 2084 Authentication Protocol (EAP)", 2085 draft-aboba-radius-rfc2869bis-09 (work in progress), 2086 February 2003. 2088 [IANA-EXP] 2089 Narten, T., "Assigning Experimental and Testing Numbers 2090 Considered Useful", 2091 draft-narten-iana-experimental-allocations-03 (work in 2092 progress), December 2002. 2094 Authors' Addresses 2096 Larry J. Blunk 2097 Merit Network, Inc 2098 4251 Plymouth Rd., Suite 2000 2099 Ann Arbor, MI 48105-2785 2100 USA 2102 Phone: +1 734-647-9563 2103 Fax: +1 734-647-3185 2104 EMail: ljb@merit.edu 2106 John R. Vollbrecht 2107 Vollbrecht Consulting LLC 2108 9682 Alice Hill Drive 2109 Dexter, MI 48130 2110 USA 2112 Phone: 2113 EMail: jrv@umich.edu 2115 Bernard Aboba 2116 Microsoft Corporation 2117 One Microsoft Way 2118 Redmond, WA 98052 2119 USA 2121 Phone: +1 425 706 6605 2122 Fax: +1 425 936 6605 2123 EMail: bernarda@microsoft.com 2125 James Carlson 2126 Sun Microsystems, Inc 2127 1 Network Drive 2128 Burlington, MA 01803-2757 2129 USA 2131 Phone: +1 781 442 2084 2132 Fax: +1 781 442 1677 2133 EMail: james.d.carlson@sun.com 2134 Henrik Levkowetz 2135 ipUnplugged AB 2136 Arenavagen 33 2137 Stockholm S-121 28 2138 SWEDEN 2140 Phone: +46 8 725 9513 2141 EMail: henrik@levkowetz.com 2143 Appendix A. Method Specific Behavior 2145 A.1 Message Integrity Checks 2147 Today, EAP methods commonly define message integrity checks (MICs) 2148 that cover more than one EAP packet. For example, EAP-TLS [RFC2716] 2149 defines a MIC over a TLS record that could be split into multiple 2150 fragments; within the FINISHED message, the MIC is computed over 2151 previous messages. Where the MIC covers more than one EAP packet, a 2152 MIC validation failure is typically considered a fatal error.. 2154 If a per-packet MIC is employed within an EAP method, then peers, 2155 authentication servers, and authenticators not operating in 2156 pass-through mode MUST validate the MIC. MIC validation failures 2157 SHOULD be logged. Whether a MIC validation failure is considered a 2158 fatal error or not is determined by the EAP method specification. 2160 Within EAP-TLS [RFC2716] a MIC validation failures is treated as a 2161 fatal error, since that is what is specified in TLS [RFC2246]. 2162 However, it is also possible to develop EAP methods that support 2163 per-packet MICs, and respond to verification failures by silently 2164 discarding the offending packet. 2166 In this document, descriptions of EAP message handling assume that 2167 per-packet MIC validation, where it occurs, is effectively performed 2168 as though it occurs before sending any responses or changing the 2169 state of the host which received the packet. 2171 Appendix B. Changes from RFC 2284 2173 This section lists the major changes between [RFC2284] and this 2174 document. Minor changes, including style, grammar, spelling and 2175 editorial changes are not mentioned here. 2177 o The Terminology section (Section 1.2) has been expanded, defining 2178 more concepts and giving more exact definitions. 2180 o In Section 2, it is explicitly specified that more than one 2181 exchange of Request and Response packets may occur as part of the 2182 EAP authentication exchange. How this may and may not be used is 2183 specified in detail in Section 2.1. 2185 o Also in Section 2, some requirements on the authenticator when 2186 acting in pass-through mode has been made explicit. 2188 o An EAP multiplexing model (Section 2.2) has been added, to 2189 illustrate a typical implementation of EAP. There is no 2190 requirement that an implementation conforms to this model, as long 2191 as the on-the-wire behavior is consistent with it. 2193 o As EAP is now in use with a variety of lower layers, not just PPP 2194 for which it was first designed, Section 3 on lower layer behavior 2195 has been added. 2197 o In the description of the EAP Request and Response interaction 2198 (Section 4.1), it has been more exactly specified when packets 2199 should be silently discarded, and also the behavior on receiving 2200 duplicate requests. The implementation notes in this section has 2201 been substantially expanded. 2203 o In Section 4.2, it has been clarified that Success and Failure 2204 packets must not contain additional data, and the implementation 2205 note has been expanded. A subsection giving requirements on 2206 processing of success and failure packets has been added. 2208 o Section 5 on EAP Request/Response Types lists two new type values: 2209 the Expanded type (Section 5.7), which is used to expand the type 2210 value number space, and the Experimental type. In the Expanded 2211 type number space, the new Expanded Nak (Section 5.3.2) type has 2212 been added. Clarifications have been made in the description of 2213 most of the existing types. Security claims summaries have been 2214 added for authentication methods. 2216 o An IANA Considerations section (Section 6) has been added, giving 2217 registration policies for the numbering spaces defined for EAP. 2219 o The Security Considerations (Section 7) have been greatly 2220 expanded, aiming at giving a much more comprehensive coverage of 2221 possible threats and other security considerations. 2223 Appendix C. Open issues 2225 (This section should be removed by the RFC editor before publication) 2227 Open issues relating to this specification are tracked on the 2228 following web site: 2230 http://www.drizzle.com/~aboba/EAP/eapissues.html 2232 The current working documents for this draft are available at this 2233 web site: 2235 http://www.levkowetz.com/pub/ietf/drafts/eap/ 2237 Intellectual Property Statement 2239 The IETF takes no position regarding the validity or scope of any 2240 intellectual property or other rights that might be claimed to 2241 pertain to the implementation or use of the technology described in 2242 this document or the extent to which any license under such rights 2243 might or might not be available; neither does it represent that it 2244 has made any effort to identify any such rights. Information on the 2245 IETF's procedures with respect to rights in standards-track and 2246 standards-related documentation can be found in BCP-11. Copies of 2247 claims of rights made available for publication and any assurances of 2248 licenses to be made available, or the result of an attempt made to 2249 obtain a general license or permission for the use of such 2250 proprietary rights by implementors or users of this specification can 2251 be obtained from the IETF Secretariat. 2253 The IETF invites any interested party to bring to its attention any 2254 copyrights, patents or patent applications, or other proprietary 2255 rights which may cover technology that may be required to practice 2256 this standard. Please address the information to the IETF Executive 2257 Director. 2259 Full Copyright Statement 2261 Copyright (C) The Internet Society (2003). All Rights Reserved. 2263 This document and translations of it may be copied and furnished to 2264 others, and derivative works that comment on or otherwise explain it 2265 or assist in its implementation may be prepared, copied, published 2266 and distributed, in whole or in part, without restriction of any 2267 kind, provided that the above copyright notice and this paragraph are 2268 included on all such copies and derivative works. However, this 2269 document itself may not be modified in any way, such as by removing 2270 the copyright notice or references to the Internet Society or other 2271 Internet organizations, except as needed for the purpose of 2272 developing Internet standards in which case the procedures for 2273 copyrights defined in the Internet Standards process must be 2274 followed, or as required to translate it into languages other than 2275 English. 2277 The limited permissions granted above are perpetual and will not be 2278 revoked by the Internet Society or its successors or assignees. 2280 This document and the information contained herein is provided on an 2281 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 2282 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 2283 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 2284 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 2285 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 2287 Acknowledgement 2289 Funding for the RFC Editor function is currently provided by the 2290 Internet Society.