PANA Working Group                                            V. Fajardo
Internet-Draft                                                   Y. Ohba
Expires: December 12, 2005                                          TARI
                                                                R. Lopez
                                                         Univ. of Murcia
                                                           June 10, 2005


  State Machines for Protocol for Carrying Authentication for Network
                             Access (PANA)
                    draft-ietf-pana-statemachine-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 12, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document defines the conceptual state machines for the Protocol
   for Carrying Authentication for Network Access (PANA).  The state
   machines consist of the PANA Client (PaC) state machine and the PANA
   Authentication Agent (PAA) state machine.  The two state machines
   show how PANA can interface to EAP state machines and can be
   implemented with support for various features, including separate
   NAP and ISP authentications, ISP selection and mobility optimization.
   The state machines and associated model are informative only.
   Implementations may achieve the same results using different methods.

Table of Contents

   1.  Introduction
   2.  Interface Between PANA and EAP
   3.  Document Authority
   4.  Notations
   5.  Common Rules
     5.1  Common Procedures
     5.2  Common Variables
     5.3  Constants
     5.4  Common Message Initialization Rules
     5.5  Common Error Handling Rules
     5.6  Common State Transitions
   6.  PaC State Machine
     6.1  Interface between PaC and EAP Peer
       6.1.1  Delivering EAP Messages from PaC to EAP Peer
       6.1.2  Delivering EAP Responses from EAP Peer to PaC
       6.1.3  EAP Restart Notification from PaC to EAP Peer
       6.1.4  EAP Authentication Result Notification from EAP Peer to
              PaC
       6.1.5  Alternate Failure Notification from PaC to EAP Peer
       6.1.6  EAP Invalid Message Notification from EAP Peer to PaC
     6.2  Variables
     6.3  Procedures
     6.4  PaC State Transition Table
   7.  PAA State Machine
     7.1  Interface between PAA and EAP Authenticator
       7.1.1  EAP Restart Notification from PAA to EAP Authenticator
       7.1.2  Delivering EAP Responses from PAA to EAP Authenticator
       7.1.3  Delivering EAP Messages from EAP Authenticator to PAA
       7.1.4  EAP Authentication Result Notification from EAP
              Authenticator to PAA
     7.2  Variables
     7.3  Procedures
     7.4  PAA State Transition Table
   8.  Mobility Optimization Support
     8.1  Common Variables
     8.2  PaC Mobility Optimization State Machine
       8.2.1  Variables
       8.2.2  Procedures
       8.2.3  PaC Mobility Optimization State Transition Table Addendum
     8.3  PAA Mobility Optimization
       8.3.1  Procedures
       8.3.2  PAA Mobility Optimization State Transition Table Addendum
   9.  Implementation Considerations
     9.1  PAA and PaC Interface to Service Management Entity
     9.2  Multicast Traffic
   10.  Security Considerations
   11.  Acknowledgments
   12.  References
     12.1  Normative References
     12.2  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   This document defines the state machines for the Protocol for
   Carrying Authentication for Network Access (PANA)
   [I-D.ietf-pana-pana].  There are state machines for the PANA client
   (PaC) and for the PANA Authentication Agent (PAA).  Each state
   machine is specified through a set of variables, procedures and a
   state transition table.

   A PANA protocol execution consists of several exchanges to carry
   authentication information.  Specifically, EAP PDUs are transported
   inside PANA PDUs between PaC and PAA; that is, PANA acts as a lower
   layer for EAP.  Thus, a PANA state machine bases its execution on an
   EAP state machine execution and vice versa.  This document therefore
   also shows, for each of PaC and PAA, an interface between an EAP
   state machine and a PANA state machine, and how this interface allows
   information to be exchanged between them.  Through this interface, a
   PANA state machine can be informed about several events generated in
   an EAP state machine and make its execution conditional on those
   events.

   The details of EAP state machines are out of the scope of this
   document.  Additional information can be found in
   [I-D.ietf-eap-statemachine].  Nevertheless, the PANA state machines
   presented here have been coordinated with the state machines shown
   in [I-D.ietf-eap-statemachine].

   This document, apart from defining PaC and PAA state machines and
   their interfaces to EAP state machines (running on top of PANA),
   provides some implementation considerations, taking into account that
   it is not a specification but an implementation guideline.

2.  Interface Between PANA and EAP

   PANA carries EAP messages exchanged between an EAP peer and an EAP
   authenticator (see Figure 1).  Thus a PANA state machine must
   interact with an EAP state machine.

   Two state machines are defined in this document: the PaC state
   machine (see Section 6) and the PAA state machine (see Section 7).
   The definition of each state machine consists of a set of variables,
   procedures and a state transition table.  A subset of these variables
   and procedures defines the interface between a PANA state machine and
   an EAP state machine, and the state transition table defines the PANA
   state machine behavior based on results obtained through them.

   On the one hand, the PaC state machine interacts with an EAP peer
   state machine in order to carry out the PANA protocol on the PaC
   side.  On the other hand, the PAA state machine interacts with an EAP
   authenticator state machine to run the PANA protocol on the PAA side.

                Peer            |EAP             Auth
                EAP   <---------|------------>   EAP
                ^ |             |                ^ |
   EAP-Request  | |             |  EAP-Response  | | EAP-Request
   EAP-Success  | |EAP-Response |                | | EAP-Success
   EAP-Failure  | v             |PANA            | v EAP-Failure
                PaC   <---------|------------>   PAA

               Figure 1: Interface between PANA and EAP

   Thus two interfaces are needed between PANA state machines and EAP
   state machines, namely:

   o  Interface between the PaC state machine and the EAP peer state
      machine

   o  Interface between the PAA state machine and the EAP authenticator
      state machine

   In general, the PaC state machine presents EAP messages (EAP-Request,
   EAP-Success and EAP-Failure messages) to the EAP peer state machine
   through the interface.  The EAP peer state machine processes these
   messages and sends EAP messages (EAP-Response messages) through the
   PaC state machine, which is responsible for actually transmitting
   them.

   On the other hand, the PAA state machine presents response messages
   (EAP-Response messages) to the EAP authenticator state machine
   through the interface defined between them.  The EAP authenticator
   processes these messages and generates EAP messages (EAP-Request,
   EAP-Success and EAP-Failure messages) that are sent to the PAA state
   machine for transmission.

   For example, [I-D.ietf-eap-statemachine] specifies four interfaces to
   lower layers: (i) an interface between the EAP peer state machine and
   a lower layer, (ii) an interface between the EAP standalone
   authenticator state machine and a lower layer, (iii) an interface
   between the EAP full authenticator state machine and a lower layer
   and (iv) an interface between the EAP backend authenticator state
   machine and a lower layer.  In this document, the PANA protocol is
   the lower layer of EAP and only the first three interfaces are of
   interest to PANA.  The second and third interfaces are the same.  In
   this regard, the EAP standalone authenticator or the EAP full
   authenticator and its state machine in [I-D.ietf-eap-statemachine]
   are referred to as the EAP authenticator and the EAP authenticator
   state machine, respectively, in this document.  If an EAP peer and an
   EAP authenticator follow the state machines defined in
   [I-D.ietf-eap-statemachine], the interfaces between PANA and EAP
   could be based on that document.  Detailed definitions of the
   interfaces between PANA and EAP are given in the subsequent sections.

3.  Document Authority

   When a discrepancy occurs between any part of this document and any
   of the related documents ([I-D.ietf-pana-pana],
   [I-D.ietf-pana-mobopts], [I-D.ietf-eap-statemachine]), the latter
   (the other documents) are considered authoritative and take
   precedence.

4.  Notations

   The following state transition tables are completed mostly based on
   the conventions specified in [I-D.ietf-eap-statemachine].  The
   complete text is described below.

   State transition tables are used to represent the operation of the
   protocol by a number of cooperating state machines, each comprising a
   group of connected, mutually exclusive states.  Only one state of
   each machine can be active at any given time.

   All permissible transitions from a given state to other states and
   associated actions performed when the transitions occur are
   represented by using triplets of (exit condition, exit action, exit
   state).  All conditions are expressions that evaluate to TRUE or
   FALSE; if a condition evaluates to TRUE, then the condition is met.
   A state "ANY" is a wildcard state that matches the current state in
   each state machine.  The exit conditions of a wildcard state are
   evaluated after all other exit conditions specific to the current
   state are met.

   On exit from a state, the exit actions defined for the state and the
   exit condition are executed exactly once, in the order that they
   appear on the page.  (Note that the procedures defined in
   [I-D.ietf-eap-statemachine] are executed on entry to a state, which
   is one major difference from this document.)  Each exit action is
   deemed to be atomic; i.e., execution of an exit action completes
   before the next sequential exit action starts to execute.  No exit
   action executes outside of a state block.  The exit actions in only
   one state block execute at a time even if the conditions for
   execution of state blocks in different state machines are satisfied.
   All exit actions in an executing state block complete execution
   before the transition to and execution of any other state blocks.
   The execution of any state block appears to be atomic with respect to
   the execution of any other state block and the transition condition
   to that state from the previous state is TRUE when execution
   commences.  The order of execution of state blocks in different state
   machines is undefined except as constrained by their transition
   conditions.  A variable that is set to a particular value in a state
   block retains this value until a subsequent state block executes an
   exit action that modifies the value.

   On completion of the transition from the previous state to the
   current state, all exit conditions occurring during the current state
   (including exit conditions defined for the wildcard state) are
   evaluated until an exit condition for that state is met.

   Any event variable is set to TRUE when the corresponding event occurs
   and set to FALSE immediately after completion of the action
   associated with the current state and the event.

   The interpretation of the special symbols and operators used is
   defined in [I-D.ietf-eap-statemachine].

5.  Common Rules

   The following procedures, variables, message initialization rules and
   state transitions are common to both the PaC and PAA state machines.

   Throughout this document, the character string "PANA_MESSAGE_NAME"
   matches any one of the abbreviated PANA message names, i.e., "PDI",
   "PSR", "PSA", "PAR", "PAN", "PBR", "PBA", "PFER", "PFEA", "PTR",
   "PTA", "PPR", "PPA", "PRAR", "PRAA", "PUR", "PUA", "PER" and "PEA".

5.1  Common Procedures

   void None()

      A null procedure, i.e., nothing is done.

   void Disconnect()

      A procedure to delete the PANA session as well as the
      corresponding EAP session and authorization state.

   boolean Authorize()

      A procedure to create or modify authorization state.  It returns
      TRUE if authorization is successful.  Otherwise, it returns FALSE.
      It is assumed that the Authorize() procedure of the PaC state
      machine always returns TRUE.

   void Tx:PANA_MESSAGE_NAME()

      A procedure to send a PANA message to its peering PANA entity.

   void TxEAP()

      A procedure to send an EAP message to the EAP state machine it
      interfaces to.

   void RtxTimerStart()

      A procedure to start the retransmission timer, reset the
      RTX_COUNTER variable to zero and set an appropriate value to the
      RTX_MAX_NUM variable.

   void RtxTimerStop()

      A procedure to stop the retransmission timer.

   void SessionTimerStart()

      A procedure to start the PANA session timer.

   void Retransmit()

      A procedure to retransmit a PANA message and increment RTX_COUNTER
      by one (1).

   void EAP_Restart()

      A procedure to (re)start an EAP conversation resulting in the
      re-initialization of an existing EAP session.

   void PANA_MESSAGE_NAME.insert_avp("AVP_NAME")

      A procedure to insert an AVP of the specified AVP name in the
      specified PANA message.

   boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME")

      A procedure that checks whether an AVP of the specified AVP name
      exists in the specified PANA message and returns TRUE if the
      specified AVP is found, otherwise returns FALSE.

   boolean key_available()

      A procedure to check whether the PANA session has a PANA_MAC_KEY.
      If the state machine already has a PANA_MAC_KEY, it returns TRUE.
      If the state machine does not have a PANA_MAC_KEY, it tries to
      retrieve a AAA-Key from the EAP entity.  If a AAA-Key is
      retrieved, it computes a PANA_MAC_KEY from the AAA-Key and returns
      TRUE.  Otherwise, it returns FALSE.

   boolean fatal(int)

      A procedure to check whether an integer result code value
      indicates a fatal error.  If the result code indicates a fatal
      error, the procedure returns TRUE, otherwise, it returns FALSE.  A
      fatal error would also result in the termination of the session
      and release of all resources related to that session.

5.2  Common Variables

   PANA_MESSAGE_NAME.S_flag

      This variable contains the S-Flag value of the specified PANA
      message.

   PBR.RESULT_CODE

      This variable contains the Result-Code AVP value in the
      PANA-Bind-Request message in process.  When this variable carries
      PANA_SUCCESS and there is only one EAP run in the authentication
      and authorization phase, it is assumed that the PBR message always
      contains an EAP-Payload AVP which carries an EAP-Success message.

   PFER.RESULT_CODE

      This variable contains the Result-Code AVP value in the
      PANA-FirstAuth-End-Request message in process.  When this variable
      carries PANA_SUCCESS, it is assumed that the PFER message always
      contains an EAP-Payload AVP which carries an EAP-Success message.

   PER.RESULT_CODE

      This variable contains the Result-Code AVP value in the
      PANA-Error-Request message in process.

   RTX_COUNTER

      This variable contains the current number of retransmissions of
      the outstanding PANA message.

   Rx:PANA_MESSAGE_NAME

      This event variable is set to TRUE when the specified PANA message
      is received from its peering PANA entity.

   RTX_TIMEOUT

      This event variable is set to TRUE when the retransmission timer
      has expired.

   REAUTH

      This event variable is set to TRUE when an initiation of the
      re-authentication phase is triggered.

   TERMINATE

      This event variable is set to TRUE when initiation of PANA session
      termination is triggered.

   PANA_PING

      This event variable is set to TRUE when initiation of a liveness
      test based on the PPR-PPA exchange is triggered.

   NOTIFY

      This event variable is set to TRUE if the PaC or PAA wants to send
      attribute updates or notifications.  For attribute updates,
      UPDATE_POPA should be used by the PaC.

   SESS_TIMEOUT

      This event variable is set to TRUE when the session timer has
      expired.

   ABORT_ON_1ST_EAP_FAILURE

      This variable indicates whether the PANA session is immediately
      terminated when the 1st EAP authentication fails.

   CARRY_DEVICE_ID

      This variable indicates whether a Device-Id AVP is carried in a
      PANA-Bind-Request or PANA-Bind-Answer message.  For the PAA, this
      variable MUST be set when a link-layer or IP address is used as
      the device identifier of the PaC and a Protection-Capability AVP
      is included in the PANA-Bind-Request message.

   ANY

      This event variable is set to TRUE when any event occurs.
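
The procedures and variables above come together in the wildcard (State: ANY) and CLOSED transitions that Section 5.6 lists: bounded retransmission, and a PER that closes the session only when it is fatal, carries a MAC AVP and a PANA_MAC_KEY is available. The Python below is an added example, not part of the draft or of any PANA implementation, that runs those rows as (exit condition, exit action, exit state) triplets. The class and method names, the FATAL_CODES value, the key derivation and the WAIT_PAA start state used for the sample session are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Msg:
    """Minimal PANA message: abbreviated name, Result-Code, AVP names present."""
    name: str
    result_code: int = 0
    avps: set = field(default_factory=set)

    def exist_avp(self, avp):
        return avp in self.avps


class PanaSession:
    # Constructed placeholder: the draft does not say which codes fatal() accepts.
    FATAL_CODES = frozenset({9001})

    def __init__(self, state="WAIT_PAA", rtx_max_num=3, mac_key=None, aaa_key=None):
        self.state = state
        self.RTX_MAX_NUM = rtx_max_num
        self.RTX_COUNTER = 0
        self.mac_key = mac_key   # PANA_MAC_KEY, if the session already has one
        self.aaa_key = aaa_key   # stands in for the AAA-Key held by the EAP entity
        self.events = {}         # event variables, TRUE only while being handled
        self.rx = None           # message that accompanies an Rx: event
        self.log = []            # exit actions executed, in order

    # ---- common procedures (Section 5.1) ----
    def fatal(self, code):
        return code in self.FATAL_CODES

    def key_available(self):
        if self.mac_key is not None:
            return True
        if self.aaa_key is None:
            return False
        # Placeholder derivation; the real one is specified in [I-D.ietf-pana-pana].
        self.mac_key = b"placeholder:" + self.aaa_key
        return True

    def retransmit(self):
        self.RTX_COUNTER += 1
        self.log.append("Retransmit")

    def disconnect(self):
        self.mac_key = self.aaa_key = None
        self.log.append("Disconnect")

    def tx_pea(self, with_mac):
        self.log.append("Tx:PEA+MAC" if with_mac else "Tx:PEA")

    # ---- transition tables as (exit condition, exit actions, exit state) ----
    def _ev(self, name):
        return self.events.get(name, False)

    def _closing_per(self):
        # Presence of the MAC AVP is all the table tests; checking its value is
        # assumed to happen when the message is validated on receipt.
        per = self.rx
        return (self.fatal(per.result_code) and per.exist_avp("MAC")
                and self.key_available())

    def _rows(self):
        wildcard = [
            (lambda: self._ev("RTX_TIMEOUT") and self.RTX_COUNTER < self.RTX_MAX_NUM,
             [self.retransmit], None),
            (lambda: self._ev("RTX_TIMEOUT") and self.RTX_COUNTER >= self.RTX_MAX_NUM,
             [self.disconnect], "CLOSED"),
            (lambda: self._ev("SESS_TIMEOUT"), [self.disconnect], "CLOSED"),
            (lambda: self._ev("Rx:PER") and self._closing_per(),
             [lambda: self.tx_pea(True), self.disconnect], "CLOSED"),
            # Second PER row, read here as Rx:PER && (!fatal || !MAC || !key).
            (lambda: self._ev("Rx:PER") and not self._closing_per(),
             [lambda: self.tx_pea(False)], None),
        ]
        closed = [(lambda: True, [lambda: self.log.append("None")], "CLOSED")]
        specific = {"CLOSED": closed}
        # State-specific rows are tried before the wildcard (ANY) rows.
        return specific.get(self.state, []) + wildcard

    def step(self, event, msg=None):
        """Raise one event, run the first matching triplet, return the state."""
        self.events[event], self.rx = True, msg
        for condition, actions, exit_state in self._rows():
            if condition():
                for action in actions:       # exit actions run in listed order
                    action()
                if exit_state is not None:   # None stands for "(no change)"
                    self.state = exit_state
                break
        self.events[event], self.rx = False, None   # event variable back to FALSE
        return self.state


if __name__ == "__main__":
    s = PanaSession(mac_key=b"constructed-key")
    print(s.step("Rx:PER", Msg("PER", 9001)), s.log)           # no MAC AVP
    print(s.step("Rx:PER", Msg("PER", 9001, {"MAC"})), s.log)  # MAC AVP present
```

A fatal PER that lacks a MAC AVP, or that arrives before a key exists, is answered with a PEA and leaves the state unchanged, so a peer that cannot produce the MAC AVP does not reach Disconnect() through this path.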

5.3  Constants

   RTX_MAX_NUM

      Configurable maximum for how many retransmissions should be
      attempted before aborting.

5.4  Common Message Initialization Rules

   When a message is prepared for sending, it is initialized as follows:

   o  For a request message, R-flag of the header is set.  Otherwise,
      R-flag is not set.

   o  S-flag and N-flag of the header are not set.

   o  AVPs that are mandatory in a message are inserted with
      appropriate values set.

   o  A Notification AVP is inserted if there is some notification
      string to send to the communicating peer.

5.5  Common Error Handling Rules

   For simplicity, the PANA state machines defined in this document do
   not support the optional feature of sending a PER message when an
   invalid PANA message is received [I-D.ietf-pana-pana], while the
   state machines support sending a PER message generated in other cases
   as well as receiving and processing a PER message.  It is left to
   implementations as to whether they provide a means to send a PER
   message when an invalid PANA message is received.

5.6  Common State Transitions

   The following transitions can occur at any state.

   ----------
   State: ANY
   ----------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (Re-transmissions)- - - - - - - - - -
   RTX_TIMEOUT &&           Retransmit();              (no change)
   RTX_COUNTER<
   RTX_MAX_NUM
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - (Reach maximum number of transmissions)- - - - - -
   RTX_TIMEOUT &&           Disconnect();              CLOSED
   RTX_COUNTER>=
   RTX_MAX_NUM

   SESS_TIMEOUT             Disconnect();              CLOSED
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - -(PANA-Error-Message-Processing)- - - - - -
   Rx:PER &&                PEA.insert_avp("MAC");     CLOSED
   fatal                    Tx:PEA();
   (PER.RESULT_CODE) &&     Disconnect();
   PER.exist_avp("MAC") &&
   key_available()

   Rx:PER &&                Tx:PEA();                  (no change)
   !fatal
   (PER.RESULT_CODE) ||
   !PER.exist_avp("MAC") ||
   !key_available()
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   The following transitions can occur on any exit condition within the
   specified state.

   -------------
   State: CLOSED
   -------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - -(Session termination initiated by PaC) - - - - -
   ANY                      None();                    CLOSED
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6.  PaC State Machine

6.1  Interface between PaC and EAP Peer

   This interface defines the interactions between a PaC and an EAP
   peer.  The interface serves as a mechanism to deliver EAP messages
   for the EAP peer.  It allows the EAP peer to receive EAP requests and
   send EAP responses via the PaC.  It also provides a mechanism to
   notify the EAP peer of PaC events and a mechanism to receive
   notification of EAP peer events.
   The EAP message delivery mechanism as well as the event notification
   mechanism in this interface have direct correlation with the PaC
   state transition table entries.  These message delivery and event
   notification mechanisms occur only within the context of their
   associated states or exit actions.

6.1.1  Delivering EAP Messages from PaC to EAP Peer

   The TxEAP() procedure in the PaC state machine serves as the
   mechanism to deliver EAP request, EAP success and EAP failure
   messages contained in PANA-Auth-Request messages to the EAP peer.
   This procedure is enabled only after an EAP restart event is notified
   to the EAP peer and before any event resulting in a termination of
   the EAP peer session.  In the case where the EAP peer follows the EAP
   peer state machine defined in [I-D.ietf-eap-statemachine], the
   TxEAP() procedure sets the eapReq variable of the EAP peer state
   machine and puts the EAP request in the eapReqData variable of the
   EAP peer state machine.

6.1.2  Delivering EAP Responses from EAP Peer to PaC

   An EAP response is delivered from the EAP peer to the PaC via the
   EAP_RESPONSE event variable.  The event variable is set when the EAP
   peer passes the EAP response to its lower-layer.  In the case where
   the EAP peer follows the EAP peer state machine defined in
   [I-D.ietf-eap-statemachine], the EAP_RESPONSE event variable refers
   to the eapResp variable of the EAP peer state machine and the EAP
   response is contained in the eapRespData variable of the EAP peer
   state machine.

6.1.3  EAP Restart Notification from PaC to EAP Peer

   The EAP peer state machine defined in [I-D.ietf-eap-statemachine] has
   an initialization procedure before receiving an EAP request.  To
   initialize the EAP state machine, the PaC state machine defines an
   event notification mechanism to send an EAP (re)start event to the
   EAP peer.
   The event notification is done via the EAP_Restart() procedure in
   the initialization action of the PaC state machine.

6.1.4  EAP Authentication Result Notification from EAP Peer to PaC

   In order for the EAP peer to notify the PaC of an EAP authentication
   result, EAP_SUCCESS and EAP_FAILURE event variables are defined.  In
   the case where the EAP peer follows the EAP peer state machine
   defined in [I-D.ietf-eap-statemachine], EAP_SUCCESS and EAP_FAILURE
   event variables refer to eapSuccess and eapFail variables of the EAP
   peer state machine, respectively.  In this case, if the EAP_SUCCESS
   event variable is set to TRUE and a AAA-Key is generated by the EAP
   authentication method in use, the eapKeyAvailable variable is set to
   TRUE and the eapKeyData variable contains the AAA-Key.  Note that
   EAP_SUCCESS and EAP_FAILURE event variables may be set to TRUE even
   before the PaC receives a PBR or a PFER from the PAA.

6.1.5  Alternate Failure Notification from PaC to EAP Peer

   The alt_reject() procedure in the PaC state machine serves as the
   mechanism to deliver an authentication failure event to the EAP peer
   without accompanying an EAP message.  In the case where the EAP peer
   follows the EAP peer state machine defined in
   [I-D.ietf-eap-statemachine], the alt_reject() procedure sets the
   altReject variable of the EAP peer state machine.  Note that the EAP
   peer state machine in [I-D.ietf-eap-statemachine] also defines the
   altAccept variable; however, it is never used in PANA, in which
   EAP-Success messages are reliably delivered by the PANA-Bind
   exchange.

6.1.6  EAP Invalid Message Notification from EAP Peer to PaC

   In order for the EAP peer to notify the PaC of a receipt of an
   invalid EAP message, the EAP_INVALID_MSG event variable is defined.
   In the case where the EAP peer follows the EAP peer state machine
   defined in [I-D.ietf-eap-statemachine], the EAP_INVALID_MSG event
   variable refers to the eapNoResp variable of the EAP peer state
   machine.

6.2  Variables

   SEPARATE

      This variable indicates whether the PaC desires NAP/ISP separate
      authentication.

   1ST_EAP

      This variable indicates whether the 1st EAP authentication is a
      success, a failure or yet to be completed.

   AUTH_USER

      This event variable is set to TRUE when initiation of EAP-based
      (re-)authentication is triggered by the application.

   EAP_SUCCESS

      This event variable is set to TRUE when the EAP peer determines
      that the EAP conversation completes with success.

   EAP_FAILURE

      This event variable is set to TRUE when the EAP peer determines
      that the EAP conversation completes with failure.

   EAP_RESPONSE

      This event variable is set to TRUE when the EAP peer delivers an
      EAP Response to the PaC.  This event accompanies an EAP-Response
      message received from the EAP peer.

   EAP_INVALID_MSG

      This event variable is set to TRUE when the EAP peer silently
      discards an EAP message.  This event does not accompany any EAP
      message.

   UPDATE_POPA

      This event variable is set to TRUE when there is a change in the
      POPA of the PaC.

   EAP_RESP_TIMEOUT

      This event variable is set to TRUE when the PaC that has passed an
      EAP-Request to the EAP-layer does not receive a corresponding
      EAP-Response from the EAP-layer in a given period.

6.3  Procedures

   boolean choose_isp()

      This procedure returns TRUE when the PaC chooses one ISP,
      otherwise returns FALSE.

   boolean ppac_available()

      This procedure returns TRUE when the
      Post-PANA-Address-Configuration method specified by the PAA is
      available in the PaC and the PaC will be able to comply.

   boolean eap_piggyback()

      This procedure returns TRUE to indicate whether the next EAP
      response will be carried in the pending PAN message for
      optimization.

   void alt_reject()

      This procedure informs the EAP peer of an authentication failure
      event without accompanying an EAP message.

   void EAP_RespTimerStart()

      A procedure to start a timer to receive an EAP-Response from the
      EAP peer.

   void EAP_RespTimerStop()

      A procedure to stop a timer to receive an EAP-Response from the
      EAP peer.

6.4  PaC State Transition Table

   ------------------------------
   State: OFFLINE (Initial State)
   ------------------------------

   Initialization Action:

     SEPARATE=Set|Unset;
     CARRY_DEVICE_ID=Unset;
     1ST_EAP=Unset;
     RtxTimerStop();
     EAP_Restart();

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+--------------
   - - - - - - - - - - - - - (PSR processing) - - - - - - - - - - -
   Rx:PSR &&                RtxTimerStop();            WAIT_EAP_MSG_
   PSR.exist_avp            EAP_Restart();             IN_DISC
   ("EAP-Payload")          TxEAP();
                            SEPARATE=Unset;

   Rx:PSR &&                RtxTimerStop();            WAIT_PAA
   !PSR.exist_avp           if (choose_isp())
   ("EAP-Payload") &&         PSA.insert_avp("ISP");
   PSR.S_flag==1 &&         PSA.S_flag=1;
   SEPARATE==Set &&         PSA.insert_avp("Cookie");
   PSR.exist_avp            Tx:PSA();
   ("Cookie")               RtxTimerStart();
                            EAP_Restart();

   Rx:PSR &&                RtxTimerStop();            WAIT_PAA
   !PSR.exist_avp           if (choose_isp())
   ("EAP-Payload") &&         PSA.insert_avp("ISP");
   PSR.S_flag==1 &&         PSA.S_flag=1;
   SEPARATE==Set &&         Tx:PSA();
   !PSR.exist_avp           EAP_Restart();
   ("Cookie")

   Rx:PSR &&                RtxTimerStop();            WAIT_PAA
   !PSR.exist_avp           if (choose_isp())
   ("EAP-Payload") &&         PSA.insert_avp("ISP");
   (PSR.S_flag!=1 ||        PSA.insert_avp("Cookie");
   SEPARATE==Unset) &&      Tx:PSA();
   PSR.exist_avp            RtxTimerStart();
   ("Cookie")               SEPARATE=Unset;
                            EAP_Restart();

   Rx:PSR &&                RtxTimerStop();            WAIT_PAA
   !PSR.exist_avp           if (choose_isp())
   ("EAP-Payload") &&         PSA.insert_avp("ISP");
   (PSR.S_flag!=1 ||        Tx:PSA();
   SEPARATE==Unset) &&      SEPARATE=Unset;
   !PSR.exist_avp           EAP_Restart();
   ("Cookie")

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - -(Authentication trigger from application) - - -
   AUTH_USER                Tx:PDI();                  OFFLINE
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------------------
   State: WAIT_EAP_MSG_IN_DISC
   ---------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - (Return PSA with EAP-Payload) - - - - - -
   EAP_RESPONSE             PSA.insert_avp             WAIT_PAA
                            ("EAP-Payload");
                            Tx:PSA();

   EAP_RESP_TIMEOUT ||      None();                    OFFLINE
   EAP_INVALID_MSG
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------
   State: WAIT_PAA
   ---------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - -
   Rx:PAR &&                RtxTimerStop();            WAIT_EAP_MSG
   !eap_piggyback()         TxEAP();
                            EAP_RespTimerStart();
                            if (key_available())
                              PAN.insert_avp("MAC");
                            PAN.S_flag=PAR.S_flag;
                            PAN.N_flag=PAR.N_flag;
                            Tx:PAN();

   Rx:PAR &&                RtxTimerStop();            WAIT_EAP_MSG
   eap_piggyback()          TxEAP();
                            EAP_RespTimerStart();

   Rx:PAN                   RtxTimerStop();            WAIT_PAA
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - -
   Rx:PFER &&               1ST_EAP=Success;           WAIT_1ST_EAP_
   1ST_EAP==Unset &&        TxEAP();                   RESULT
   SEPARATE==Set &&
   PFER.RESULT_CODE==
     PANA_SUCCESS &&
   PFER.S_flag==1

   Rx:PFER &&               1ST_EAP=Failure;           WAIT_1ST_EAP_
   1ST_EAP==Unset &&        TxEAP();                   RESULT
   SEPARATE==Set &&
   PFER.RESULT_CODE!=
     PANA_SUCCESS &&
   PFER.S_flag==1 &&
   ABORT_ON_1ST_EAP_FAILURE
     ==Unset &&
   PFER.exist_avp
   ("EAP-Payload")

   Rx:PFER &&               1ST_EAP=Failure;           WAIT_1ST_EAP_
   1ST_EAP==Unset &&        alt_reject();              RESULT
   SEPARATE==Set &&
   PFER.RESULT_CODE!=
     PANA_SUCCESS &&
   PFER.S_flag==1 &&
   ABORT_ON_1ST_EAP_FAILURE
     ==Unset &&
   !PFER.exist_avp
   ("EAP-Payload")

   Rx:PFER &&               1ST_EAP=Failure;           WAIT_1ST_EAP_
   1ST_EAP==Unset &&        TxEAP();                   RESULT_CLOSED
   SEPARATE==Set &&
   PFER.RESULT_CODE!=
     PANA_SUCCESS &&
   (PFER.S_flag==0 ||
   ABORT_ON_1ST_EAP_FAILURE
     ==Set) &&
   PFER.exist_avp
   ("EAP-Payload")

   Rx:PFER &&               1ST_EAP=Failure;           WAIT_1ST_EAP_
   1ST_EAP==Unset &&        alt_reject();              RESULT_CLOSED
   SEPARATE==Set &&
   PFER.RESULT_CODE!=
     PANA_SUCCESS &&
   (PFER.S_flag==0 ||
   ABORT_ON_1ST_EAP_FAILURE
     ==Set) &&
   !PFER.exist_avp
   ("EAP-Payload")

   Rx:PBR &&                TxEAP();                   WAIT_EAP_RESULT
   1ST_EAP==Unset &&        if (PBR.exist_avp
   SEPARATE==Unset &&           ("Device-Id"))
   PBR.RESULT_CODE==          CARRY_DEVICE_ID=Set;
     PANA_SUCCESS

   Rx:PBR &&                TxEAP();                   WAIT_EAP_RESULT_
   1ST_EAP==Unset &&                                   CLOSE
   SEPARATE==Unset &&
   PBR.RESULT_CODE!=
     PANA_SUCCESS &&
   PBR.exist_avp
   ("EAP-Payload")

   Rx:PBR &&                alt_reject();              WAIT_EAP_RESULT_
   1ST_EAP==Unset &&                                   CLOSE
   SEPARATE==Unset &&
   PBR.RESULT_CODE!=
     PANA_SUCCESS &&
   !PBR.exist_avp
   ("EAP-Payload")
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - - - - -(2nd EAP result) - - - - - - - - -
   Rx:PBR &&                TxEAP();                   WAIT_EAP_RESULT
   1ST_EAP==Success &&      if (PBR.exist_avp
   PBR.RESULT_CODE==            ("Device-Id"))
     PANA_SUCCESS &&          CARRY_DEVICE_ID=Set;
   PBR.exist_avp
   ("EAP-Payload")

   Rx:PBR &&                alt_reject();              WAIT_EAP_RESULT
   1ST_EAP==Success &&      if (PBR.exist_avp
   PBR.RESULT_CODE==            ("Device-Id"))
     PANA_SUCCESS &&          CARRY_DEVICE_ID=Set;
   !PBR.exist_avp
   ("EAP-Payload")

   Rx:PBR &&                TxEAP();                   WAIT_EAP_RESULT_
   1ST_EAP==Success &&                                 CLOSE
   PBR.RESULT_CODE!=
     PANA_SUCCESS &&
   PBR.exist_avp
   ("EAP-Payload")

   Rx:PBR &&                alt_reject();              WAIT_EAP_RESULT_
   1ST_EAP==Success &&                                 CLOSE
   PBR.RESULT_CODE!=
     PANA_SUCCESS &&
   !PBR.exist_avp
   ("EAP-Payload")

   Rx:PBR &&                TxEAP();                   WAIT_EAP_RESULT
   1ST_EAP==Failure &&      if (PBR.exist_avp
   PBR.RESULT_CODE==            ("Device-Id"))
     PANA_SUCCESS             CARRY_DEVICE_ID=Set;

   Rx:PBR &&                TxEAP();                   WAIT_EAP_RESULT_
   1ST_EAP==Failure &&                                 CLOSE
   PBR.RESULT_CODE!=
     PANA_SUCCESS &&
   PBR.exist_avp
   ("EAP-Payload")

   Rx:PBR &&                alt_reject();              WAIT_EAP_RESULT_
   1ST_EAP==Failure &&                                 CLOSE
   PBR.RESULT_CODE!=
     PANA_SUCCESS &&
   !PBR.exist_avp
   ("EAP-Payload")
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   -------------------
   State: WAIT_EAP_MSG
   -------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - (Return PAN/PAR) - - - - - - - - - - - - - -
   EAP_RESPONSE &&          EAP_RespTimerStop()        WAIT_PAA
   eap_piggyback()          PAN.insert_avp
                            ("EAP-Payload");
                            if (key_available())
                              PAN.insert_avp("MAC");
                            PAN.S_flag=PAR.S_flag;
                            PAN.N_flag=PAR.N_flag;
                            Tx:PAN();

   EAP_RESPONSE &&          EAP_RespTimerStop()        WAIT_PAA
   !eap_piggyback()         PAR.insert_avp
                            ("EAP-Payload");
                            if (key_available())
                              PAR.insert_avp("MAC");
                            PAR.S_flag=PAN.S_flag;
                            PAR.N_flag=PAN.N_flag;
                            Tx:PAR();
                            RtxTimerStart();

   EAP_RESP_TIMEOUT         if (key_available())       WAIT_PAA
                              PAN.insert_avp("MAC");
                            PAN.S_flag=PAR.S_flag;
                            PAN.N_flag=PAR.N_flag;
                            Tx:PAN();

   EAP_INVALID_MSG ||       None();                    WAIT_PAA
   EAP_SUCCESS ||
   EAP_FAILURE
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------------
   State: WAIT_EAP_RESULT
   ----------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - -
   EAP_SUCCESS &&           PBA.insert_avp("MAC");     OPEN
   PBR.exist_avp            PBA.insert_avp("Key-Id");
   ("Key-Id") &&            if (CARRY_DEVICE_ID)
   ppac_available()           PBA.insert_avp
                              ("Device-Id");
                            PBA.insert_avp("PPAC");
                            Tx:PBA();
                            Authorize();
                            SessionTimerStart();

   EAP_SUCCESS &&           if (key_available())       OPEN
   !PBR.exist_avp             PBA.insert_avp("MAC");
   ("Key-Id") &&            if (CARRY_DEVICE_ID)
   ppac_available()           PBA.insert_avp
                              ("Device-Id");
                            PBA.insert_avp("PPAC");
                            Tx:PBA();
                            Authorize();
                            SessionTimerStart();

   EAP_SUCCESS &&           if (key_available())       WAIT_PEA
   !ppac_available()          PER.insert_avp("MAC");
                            PER.RESULT_CODE=
                              PANA_PPAC_CAPABILITY_
                              UNSUPPORTED
                            Tx:PER();
                            RtxTimerStart();

   EAP_FAILURE              if (key_available())       CLOSED
                              PBA.insert_avp("MAC");
                            Tx:PBA();

   EAP_INVALID_MSG          None();                    WAIT_PAA
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------------------
   State: WAIT_EAP_RESULT_CLOSE
   ----------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - -
   EAP_SUCCESS &&           PBA.insert_avp("MAC");     CLOSED
   PBR.exist_avp            PBA.insert_avp("Key-Id");
   ("Key-Id")               Tx:PBA();
                            Disconnect();

   EAP_SUCCESS &&           if (key_available())       CLOSED
   !PBR.exist_avp             PBA.insert_avp("MAC");
   ("Key-Id")               Tx:PBA();
                            Disconnect();

   EAP_FAILURE              Tx:PBA();                  CLOSED
                            Disconnect();

   EAP_INVALID_MSG          None();                    WAIT_PAA
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   --------------------------
   State: WAIT_1ST_EAP_RESULT
   --------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - -
   EAP_SUCCESS &&           PFEA.insert_avp("Key-Id"); WAIT_PAA
   PFER.exist_avp           PFEA.S_flag=1;
   ("Key-Id")               PFEA.N_flag=PFER.N_flag;
                            PFEA.insert_avp("MAC");
                            Tx:PFEA();
                            EAP_Restart();

   (EAP_SUCCESS &&          if (key_available())       WAIT_PAA
   !PFER.exist_avp            PFEA.insert_avp("MAC");
   ("Key-Id")) ||           PFEA.S_flag=1;
   EAP_FAILURE              PFEA.N_flag=PFER.N_flag;
                            Tx:PFEA();
                            EAP_Restart();

   EAP_INVALID_MSG          EAP_Restart();             WAIT_PAA
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   --------------------------------
   State: WAIT_1ST_EAP_RESULT_CLOSE
   --------------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - -
   EAP_SUCCESS &&           PFEA.insert_avp("Key-Id"); CLOSED
   PFER.exist_avp           PFEA.S_flag=0;
   ("Key-Id")               PFEA.N_flag=0;
                            PFEA.insert_avp("MAC");
                            Tx:PFEA();
                            Disconnect();

   (EAP_SUCCESS &&          if (key_available())       CLOSED
   !PFER.exist_avp            PFEA.insert_avp("MAC");
   ("Key-Id")) ||           PFEA.S_flag=0;
   EAP_FAILURE              PFEA.N_flag=0;
                            Tx:PFEA();
                            Disconnect();

   EAP_INVALID_MSG          None();                    WAIT_PAA
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   -----------
   State: OPEN
   -----------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - (liveness test initiated by PAA)- - - - - -
   Rx:PPR                   if (key_available())       OPEN
                              PPA.insert_avp("MAC");
                            Tx:PPA();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - (liveness test initiated by PaC)- - - - - -
   PANA_PING                if (key_available())       WAIT_PPA
                              PPR.insert_avp("MAC");
                            Tx:PPR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - (re-authentication initiated by PaC)- - - - - -
   REAUTH                   SEPARATE=Set|Unset;        WAIT_PRAA
                            1ST_EAP=Unset;
                            if (key_available())
                              PRAR.insert_avp("MAC");
                            Tx:PRAR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - (re-authentication initiated by PAA)- - - - - -
   Rx:PAR &&                SEPARATE=Set|Unset;        WAIT_EAP_MSG
   !eap_piggyback()         1ST_EAP=Unset;
                            EAP_RespTimerStart();
                            TxEAP();
                            if (key_available())
                              PAN.insert_avp("MAC");
                            PAN.S_flag=PAR.S_flag;
                            PAN.N_flag=PAR.N_flag;
                            Tx:PAN();

   Rx:PAR &&                SEPARATE=Set|Unset;        WAIT_EAP_MSG
   eap_piggyback()          1ST_EAP=Unset;
                            EAP_RespTimerStart();
                            TxEAP();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - -(Session termination initiated by PAA) - - - - - -
   Rx:PTR                   if (key_available())       CLOSED
                              PTA.insert_avp("MAC");
                            Tx:PTA();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - -(Session termination initiated by PaC) - - - - - -
   TERMINATE                if (key_available())       SESS_TERM
                              PTR.insert_avp("MAC");
                            Tx:PTR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - - -(Address update) - - - - - - - - - - - -
   UPDATE_POPA ||           if (key_available())       WAIT_PUA
   NOTIFY                     PUR.insert_avp("MAC");
                            Tx:PUR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - -(Notification update)- - - - - - - - - - -
   Rx:PUR                   if (key_available())       OPEN
                              PUA.insert_avp("MAC");
                            Tx:PUA();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------
   State: WAIT_PRAA
   ----------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - -(re-authentication initiated by PaC) - - - - -
   Rx:PRAA                  RtxTimerStop();            WAIT_PAA
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------
   State: WAIT_PPA
   ---------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - -(liveness test initiated by PAA) - - - - - - -
   Rx:PPA                   RtxTimerStop();            OPEN
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------
   State: WAIT_PUA
   ---------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (PUA processing)- - - - - - - - - - -
   Rx:PUA                   RtxTimerStop();            OPEN
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------
   State: SESS_TERM
   ----------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - -(Session termination initiated by PaC) - - - - -
   Rx:PTA                   Disconnect();              CLOSED
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------
   State: WAIT_PEA
   ---------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - -(PEA processing) - - - - - - - - - -
   Rx:PEA                   RtxTimerStop();            CLOSED
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7.  PAA State Machine

7.1  Interface between PAA and EAP Authenticator

   The interface between a PAA and an EAP authenticator provides a
   mechanism to deliver EAP messages for the EAP authenticator as well
   as a mechanism to notify the EAP authenticator of PAA events and to
   receive notification of EAP authenticator events.  These message
   delivery and event notification mechanisms occur only within context
   of their associated states or exit actions.

7.1.1  EAP Restart Notification from PAA to EAP Authenticator

   An EAP authenticator state machine defined in
   [I-D.ietf-eap-statemachine] has an initialization procedure before
   sending the first EAP request.  To initialize the EAP state machine,
   the PAA state machine defines an event notification mechanism to
   send an EAP (re)start event to the EAP peer.  The event notification
   is done via EAP_Restart() procedure in the initialization action of
   the PAA state machine.

7.1.2  Delivering EAP Responses from PAA to EAP Authenticator

   TxEAP() procedure in the PAA state machine serves as the mechanism to
   deliver EAP-Responses contained in PANA-Auth-Answer messages to the
   EAP authenticator.  This procedure is enabled only after an EAP
   restart event is notified to the EAP authenticator and before any
   event resulting in a termination of the EAP authenticator session.
   In the case where the EAP authenticator follows the EAP authenticator
   state machines defined in [I-D.ietf-eap-statemachine], TxEAP()
   procedure sets eapResp variable of the EAP authenticator state
   machine and puts the EAP response in eapRespData variable of the EAP
   authenticator state machine.

7.1.3  Delivering EAP Messages from EAP Authenticator to PAA

   An EAP request is delivered from the EAP authenticator to the PAA via
   EAP_REQUEST event variable.  The event variable is set when the EAP
   authenticator passes the EAP request to its lower-layer.  In the case
   where the EAP authenticator follows the EAP authenticator state
   machines defined in [I-D.ietf-eap-statemachine], EAP_REQUEST event
   variable refers to eapReq variable of the EAP authenticator state
   machine and the EAP request is contained in eapReqData variable of
   the EAP authenticator state machine.
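
   The interface of Sections 7.1.1 to 7.1.3 as a runnable sketch.  This
   is an added example, not code from the draft: the class and method
   names and the EAP packet bytes are assumptions, while eapReq,
   eapReqData, eapResp and eapRespData are the variables named above.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample packets: EAP-Request/Identity and EAP-Response/Identity.
REQUEST = b"\x01\x01\x00\x05\x01"
RESPONSE = b"\x02\x01\x00\x08\x01pac"


@dataclass
class EapAuthVars:
    """Interface variables of the EAP authenticator named in 7.1.2/7.1.3."""
    eapResp: bool = False
    eapRespData: Optional[bytes] = None
    eapReq: bool = False
    eapReqData: Optional[bytes] = None


class PaaEapInterface:
    """Hypothetical PAA-side glue between PANA messages and the EAP layer."""

    def __init__(self, eap: EapAuthVars):
        self.eap = eap
        # TxEAP() is only enabled between a restart and a termination.
        self.enabled = False

    def eap_restart(self) -> None:
        # 7.1.1: notify a (re)start; drop anything left from an earlier run
        # so a stale response can never be consumed by the new conversation.
        self.eap.eapResp = False
        self.eap.eapRespData = None
        self.eap.eapReq = False
        self.eap.eapReqData = None
        self.enabled = True

    def terminate(self) -> None:
        # Any event that ends the EAP authenticator session closes the window.
        self.enabled = False

    def tx_eap(self, pan_avps: dict) -> bool:
        # 7.1.2: hand the EAP-Response carried in a PANA-Auth-Answer to the
        # authenticator.  Refused outside the enabled window or when the
        # message carries no EAP-Payload AVP.
        payload = pan_avps.get("EAP-Payload")
        if not self.enabled or payload is None:
            return False
        self.eap.eapRespData = payload
        self.eap.eapResp = True
        return True

    def take_eap_request(self) -> Optional[dict]:
        # 7.1.3: EAP_REQUEST refers to eapReq; the request is in eapReqData.
        # Returns the AVPs for the next PANA-Auth-Request, or None.
        if not (self.enabled and self.eap.eapReq):
            return None
        self.eap.eapReq = False  # event consumed by the lower layer
        return {"EAP-Payload": self.eap.eapReqData}


def demo() -> dict:
    """One request/response round plus the two out-of-window cases."""
    eap = EapAuthVars()
    paa = PaaEapInterface(eap)
    pan = {"EAP-Payload": RESPONSE}
    out = {}

    out["before_restart"] = paa.tx_eap(pan)      # window not open yet
    paa.eap_restart()

    # The authenticator passes a request to its lower layer.
    eap.eapReqData, eap.eapReq = REQUEST, True
    out["par"] = paa.take_eap_request()
    out["no_second_request"] = paa.take_eap_request()

    out["delivered"] = paa.tx_eap(pan)
    out["eapRespData"] = eap.eapRespData

    paa.terminate()
    out["after_terminate"] = paa.tx_eap(pan)     # late PAN is not delivered
    out["pan_without_payload"] = paa.tx_eap({})
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

   The two refused deliveries are the cases the "enabled only after an
   EAP restart event ... and before any event resulting in a
   termination" sentence rules out.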

7.1.4  EAP Authentication Result Notification from EAP Authenticator to
       PAA

   In order for the EAP authenticator to notify the PAA of the EAP
   authentication result, EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event
   variables are defined.  In the case where the EAP authenticator
   follows the EAP authenticator state machines defined in
   [I-D.ietf-eap-statemachine], EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT
   event variables refer to eapSuccess, eapFail and eapTimeout variables
   of the EAP authenticator state machine, respectively.  In this case,
   if EAP_SUCCESS event variable is set to TRUE, an EAP-Success message
   is contained in eapReqData variable of the EAP authenticator state
   machine, and additionally, eapKeyAvailable variable is set to TRUE
   and eapKeyData variable contains a AAA-Key if the AAA-Key is
   generated as a result of successful authentication by the EAP
   authentication method in use.  Similarly, if EAP_FAILURE event
   variable is set to TRUE, an EAP-Failure message is contained in
   eapReqData variable of the EAP authenticator state machine.  The PAA
   uses EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables as a
   trigger to send a PBR or a PFER message to the PaC.

7.2  Variables

   USE_COOKIE

      This variable indicates whether the PAA uses Cookie.

   EAP_PIGGYBACK

      This variable indicates whether the PAA is able to piggyback an
      EAP-Request in PANA-Start-Request.

   SEPARATE

      This variable indicates whether the PAA provides NAP/ISP separate
      authentication.

   1ST_EAP

      This variable indicates whether the 1st EAP authentication is a
      success, a failure or not yet completed.

   PSA.SESSION_ID

      This variable contains the Session-Id AVP value in the
      PANA-Start-Answer message in process.

   CARRY_LIFETIME

      This variable indicates whether a Session-Lifetime AVP is carried
      in PANA-Bind-Request message.
1278 PROTECTION_CAP_IN_PSR 1280 This variable indicates whether a Protection-Capability AVP is 1281 carried in a PANA-Start-Request message. 1283 PROTECTION_CAP_IN_PBR 1285 This variable indicates whether a Protection-Capability AVP is 1286 carried in a PANA-Bind-Request message. 1288 CARRY_NAP_INFO 1290 This variable indicates whether a NAP-Information AVP is carried 1291 in PANA-Start-Request message. 1293 CARRY_ISP_INFO 1295 This variable indicates whether an ISP-Information AVP is carried 1296 in PANA-Start-Request message. 1298 NAP_AUTH 1300 This variable indicates whether a NAP authentication is being 1301 performed or not. 1303 CARRY_PPAC 1305 This variable indicates whether a Post-PANA-Address-Configuration 1306 AVP is carried in PANA-Start-Request message. 1308 PAC_FOUND 1310 This variable is set to TRUE during the EP-to-PAA notification as 1311 a result of a traffic-driven PAA discovery or link-up event 1312 notification by the EP as a result of the presence of a new PaC. 1314 EAP_SUCCESS 1316 This event variable is set to TRUE when EAP conversation completes 1317 with success. This event accompanies an EAP- Success message 1318 passed from the EAP authenticator. 1320 EAP_FAILURE 1322 This event variable is set to TRUE when EAP conversation completes 1323 with failure. This event accompanies an EAP- Failure message 1324 passed from the EAP authenticator. 1326 EAP_REQUEST 1328 This event variable is set to TRUE when the EAP authenticator 1329 delivers an EAP Request to the PAA. This event accompanies an 1330 EAP-Request message received from the EAP authenticator. 1332 EAP_TIMEOUT 1334 This event variable is set to TRUE when EAP conversation times out 1335 without generating an EAP-Success or an EAP-Failure message. This 1336 event does not accompany any EAP message. 1338 7.3 Procedures 1340 boolean new_key_available() 1342 A procedure to check whether the PANA session has a new 1343 PANA_MAC_KEY. 
If the state machine already have a PANA_MAC_KEY, 1344 it returns FALSE. If the state machine does not have a 1345 PANA_MAC_KEY, it tries to retrieve a AAA-Key from the EAP entity. 1346 If a AAA-Key has been retrieved, it computes a PANA_MAC_KEY from 1347 the AAA-Key and returns TRUE. Otherwise, it returns FALSE. 1349 boolean new_source_address() 1351 A procedure to check the PaC's source IP address from the current 1352 PUR message. If the source IP address of the message is different 1353 from the last known IP address stored in the PANA session, this 1354 procedure returns TRUE. Otherwise, it returns FALSE. 1356 void update_popa() 1358 A procedure to extract the PaC's source IP address from the 1359 current PUR message and update the PANA session with this new IP 1360 address. 1362 7.4 PAA State Transition Table 1364 ------------------------------ 1365 State: OFFLINE (Initial State) 1366 ------------------------------ 1368 Initialization Action: 1370 USE_COOKIE=Set|Unset; 1371 EAP_PIGGYBACK=Set|Unset; 1372 SEPARATE=Set|Unset; 1373 if (EAP_PIGGYBACK==Set) 1374 SEPARATE=Unset; 1375 1ST_EAP=Unset; 1376 ABORT_ON_1ST_EAP_FAILURE=Set|Unset; 1377 CARRY_LIFETIME=Set|Unset; 1378 CARRY_DEVICE_ID=Set|Unset; 1379 CARRY_NAP_INFO=Set|Unset; 1380 CARRY_ISP_INFO=Set|Unset; 1381 CARRY_PPAC=Set|Unset; 1382 PROTECTION_CAP_IN_PSR=Set|Unset; 1383 PROTECTION_CAP_IN_PBR=Set|Unset; 1384 if (PROTECTION_CAP_IN_PBR=Unset) 1385 PROTECTION_CAP_IN_PSR=Unset; 1386 else 1387 CARRY_DEVICE_ID=Set; 1388 NAP_AUTH=Unset; 1389 RTX_COUNTER=0; 1390 RtxTimerStop(); 1392 Exit Condition Exit Action Exit State 1393 ------------------------+--------------------------+------------ 1394 - - - - - - - - - - - - - (Stateful discovery)- - - - - - - - - 1395 (Rx:PDI || EAP_Restart(); WAIT_EAP_MSG_ 1396 PAC_FOUND) && IN_DISC 1397 USE_COOKIE==Unset && 1398 EAP_PIGGYBACK==Set 1400 (Rx:PDI || if (SEPARATE==Set) STATEFUL_DISC 1401 PAC_FOUND) && PSR.S_flag=1; 1402 USE_COOKIE==Unset && if (CARRY_NAP_INFO==Set) 1403 
EAP_PIGGYBACK==Unset PSR.insert_avp 1404 ("NAP-Information"); 1405 if (CARRY_ISP_INFO==Set) 1406 PSR.insert_avp 1407 ("ISP-Information"); 1408 if (CARRY_PPAC==Set) 1409 PSR.insert_avp 1410 ("Post-PANA-Address- 1411 Configuration"); 1412 if (PROTECTION_CAP_IN_PSR 1413 ==Set) 1415 PSR.insert_avp 1416 ("Protection-Cap."); 1417 Tx:PSR(); 1418 RtxTimerStart(); 1419 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1420 - - - - - - - - - - - - - (Stateless discovery) - - - - - - - - 1421 (Rx:PDI || if (SEPARATE==Set) OFFLINE 1422 PAC_FOUND) && PSR.S_flag=1; 1423 USE_COOKIE==Set PSR.insert_avp 1424 ("Cookie"); 1425 if (CARRY_NAP_INFO==Set) 1426 PSR.insert_avp 1427 ("NAP-Information"); 1428 if (CARRY_ISP_INFO==Set) 1429 PSR.insert_avp 1430 ("ISP-Information"); 1431 if (CARRY_PPAC==Set) 1432 PSR.insert_avp 1433 ("Post-PANA-Address- 1434 Configuration"); 1435 if (PROTECTION_CAP_IN_PSR 1436 ==Set) 1437 PSR.insert_avp 1438 ("Protection-Cap."); 1439 Tx:PSR(); 1440 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1441 - - - - - - - - - - - - - - (PSA processing) - - - - - - - - - 1442 Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG 1443 USE_COOKIE==Set PSA.S_flag==0) 1444 SEPARATE=Unset; 1445 if (SEPARATE==Set) 1446 NAP_AUTH=Set|Unset; 1447 EAP_Restart(); 1448 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1450 --------------------------- 1451 State: WAIT_EAP_MSG_IN_DISC 1452 --------------------------- 1454 Exit Condition Exit Action Exit State 1455 ------------------------+--------------------------+------------ 1456 - - - - - - - - - - - (Send PSR with EAP-Request) - - - - - - - 1457 EAP_REQUEST PSR.insert_avp STATEFUL_DISC 1458 ("EAP-Payload"); 1459 if (CARRY_NAP_INFO==Set) 1460 PSR.insert_avp 1461 ("NAP-Information"); 1462 if (CARRY_ISP_INFO==Set) 1463 PSR.insert_avp 1464 ("ISP-Information"); 1465 if (CARRY_PPAC==Set) 1466 PSR.insert_avp 1467 ("Post-PANA-Address- 1468 Configuration"); 1469 Tx:PSR(); 1470 RtxTimerStart(); 1472 
EAP_TIMEOUT None(); OFFLINE 1473 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1475 -------------------- 1476 State: STATEFUL_DISC 1477 -------------------- 1479 Exit Condition Action Exit State 1480 ------------------------+--------------------------+------------ 1481 - - - - - - - - - - - - - (Stateful discovery)- - - - - - - - - 1482 Rx:PSA if (SEPARATE==Set && WAIT_EAP_MSG 1483 PSA.S_flag==0) 1484 SEPARATE=Unset; 1485 if (PSA.exist_avp 1486 ("EAP-Payload")) 1487 TxEAP(); 1488 else { 1489 if (SEPARATE==Set) 1490 NAP_AUTH=Set|Unset; 1491 EAP_Restart(); 1492 } 1494 EAP_TIMEOUT if (key_available()) WAIT_PEA 1495 PER.insert_avp("MAC"); 1496 Tx:PER(); 1497 RtxTimerStart(); 1498 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1500 ------------------- 1501 State: WAIT_EAP_MSG 1502 ------------------- 1504 Exit Condition Exit Action Exit State 1505 ------------------------+--------------------------+------------ 1506 - - - - - - - - - - - -(Receiving EAP-Request)- - - - - - - - - 1507 EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR 1508 PAR.insert_avp("MAC"); 1510 if (SEPARATE==Set) { 1511 PAR.S_flag=1; 1512 if (NAP_AUTH==Set) 1513 PAR.N_flag=1; 1514 } 1515 Tx:PAR(); 1516 RtxTimerStart(); 1517 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1518 - - - - - - -(Receiving EAP-Success/Failure single EAP)- - - - 1519 EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA 1520 1ST_EAP==Unset && ("EAP-Payload"); 1521 SEPARATE==Unset if (key_available()) 1522 PBR.insert_avp("MAC"); 1523 Tx:PBR(); 1524 RtxTimerStart(); 1526 EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA 1527 1ST_EAP==Unset && ("EAP-Payload"); 1528 SEPARATE==Unset && if (CARRY_DEVICE_ID==Set) 1529 Authorize() PBR.insert_avp 1530 ("Device-Id"); 1531 if (CARRY_LIFETIME==Set) 1532 PBR.insert_avp 1533 ("Session-Lifetime"); 1534 if (PROTECTION_CAP_IN_PBR 1535 ==Set) 1536 PBR.insert_avp 1537 ("Protection-Cap."); 1538 if (new_key_available()) 1539 PBR.insert_avp 1540 ("Key-Id"); 1541 
if (key_available()) 1542 PBR.insert_avp("MAC"); 1543 Tx:PBR(); 1544 RtxTimerStart(); 1546 EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA 1547 1ST_EAP==Unset && ("EAP-Payload"); 1548 SEPARATE==Unset && if (new_key_available()) 1549 !Authorize() PBR.insert_avp 1550 ("Key-Id"); 1551 if (key_available()) 1552 PBR.insert_avp("MAC"); 1553 Tx:PBR(); 1554 RtxTimerStart(); 1556 EAP_TIMEOUT && if (key_available()) WAIT_PEA 1557 1ST_EAP==Unset && PER.insert_avp("MAC"); 1558 SEPARATE==Unset Tx:PER(); 1559 RtxTimerStart(); 1561 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1562 - - - - - - -(Receiving EAP-Success/Failure for 1st EAP)- - - - 1563 EAP_FAILURE && 1ST_EAP=Failure WAIT_PFEA 1564 1ST_EAP==Unset && PFER.insert_avp 1565 SEPARATE==Set && ("EAP-Payload"); 1566 ABORT_ON_1ST_EAP_FAILURE if (key_available()) 1567 ==Unset PFER.insert_avp("MAC"); 1568 PFER.S_flag=1; 1569 if (NAP_AUTH) 1570 PFER.N_flag=1; 1571 Tx:PFER(); 1572 RtxTimerStart(); 1574 EAP_FAILURE && 1ST_EAP=Failure WAIT_FAIL_PFEA 1575 1ST_EAP==Unset && PFER.insert_avp 1576 SEPARATE==Set && ("EAP-Payload"); 1577 ABORT_ON_1ST_EAP_FAILURE if (key_available()) 1578 ==Set PFER.insert_avp("MAC"); 1579 PFER.S_flag=0; 1580 Tx:PFER(); 1581 RtxTimerStart(); 1583 EAP_SUCCESS && 1ST_EAP=Success WAIT_PFEA 1584 1ST_EAP==Unset && PFER.insert_avp 1585 SEPARATE==Set ("EAP-Payload"); 1586 if (new_key_available()) 1587 PFER.insert_avp 1588 ("Key-Id"); 1589 if (key_available()) 1590 PFER.insert_avp("MAC"); 1591 PFER.S_flag=1; 1592 if (NAP_AUTH) 1593 PFER.N_flag=1; 1594 Tx:PFER(); 1595 RtxTimerStart(); 1597 EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA 1598 1ST_EAP==Unset && if (key_available()) 1599 SEPARATE==Set && PFER.insert_avp("MAC"); 1600 ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1; 1601 ==Unset if (NAP_AUTH) 1602 PFER.N_flag=1; 1603 Tx:PFER(); 1604 RtxTimerStart(); 1606 EAP_TIMEOUT && 1ST_EAP=Failure WAIT_FAIL_PFEA 1607 1ST_EAP==Unset && if (key_available()) 1608 SEPARATE==Set && PFER.insert_avp("MAC"); 1609 
ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset; 1610 ==Set PFER.S_flag=0; 1611 Tx:PFER(); 1612 RtxTimerStart(); 1613 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1614 - - - - - - -(Receiving EAP-Success/Failure for 2nd EAP)- - - - 1615 EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA 1616 1ST_EAP==Failure && ("EAP-Payload"); 1617 SEPARATE==Set if (key_available()) 1618 PBR.insert_avp("MAC"); 1619 PBR.S_flag=1; 1620 if (NAP_AUTH) 1621 PBR.N_flag=1; 1622 Tx:PBR(); 1623 RtxTimerStart(); 1625 EAP_FAILURE && PBR.insert_avp WAIT_SUCC_PBA 1626 1ST_EAP==Success && ("EAP-Payload"); 1627 SEPARATE==Set && if (CARRY_DEVICE_ID==Set) 1628 Authorize() PBR.insert_avp 1629 ("Device-Id"); 1630 if (CARRY_LIFETIME==Set) 1631 PBR.insert_avp 1632 ("Session-Lifetime"); 1633 if (PROTECTION_CAP_IN_PBR 1634 ==Set) 1635 PBR.insert_avp 1636 ("Protection-Cap."); 1637 if (new_key_available()) 1638 PBR.insert_avp 1639 ("Key-Id"); 1640 if (key_available()) 1641 PBR.insert_avp("MAC"); 1642 PBR.S_flag=1; 1643 if (NAP_AUTH) 1644 PBR.N_flag=1; 1645 Tx:PBR(); 1646 RtxTimerStart(); 1648 EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA 1649 1ST_EAP==Success && ("EAP-Payload"); 1650 SEPARATE==Set && if (key_available()) 1651 !Authorize() PBR.insert_avp("MAC"); 1652 PBR.S_flag=1; 1653 if (NAP_AUTH) 1654 PBR.N_flag=1; 1655 Tx:PBR(); 1656 RtxTimerStart(); 1658 EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA 1659 1ST_EAP==Success && ("EAP-Payload"); 1660 SEPARATE==Set && if (CARRY_DEVICE_ID==Set) 1661 Authorize() PBR.insert_avp 1662 ("Device-Id"); 1663 if (CARRY_LIFETIME==Set) 1664 PBR.insert_avp 1665 ("Session-Lifetime"); 1666 if (PROTECTION_CAP_IN_PBR 1667 ==Set) 1668 PBR.insert_avp 1669 ("Protection-Cap."); 1670 if (new_key_available()) 1671 PBR.insert_avp 1672 ("Key-Id"); 1673 if (key_available()) 1674 PBR.insert_avp("MAC"); 1675 PBR.S_flag=1; 1676 if (NAP_AUTH) 1677 PBR.N_flag=1; 1678 Tx:PBR(); 1679 RtxTimerStart(); 1681 EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA 1682 1ST_EAP==Success && ("EAP-Payload"); 
1683 SEPARATE==Set && if (new_key_available()) 1684 !Authorize() PBR.insert_avp 1685 ("Key-Id"); 1686 if (key_available()) 1687 PBR.insert_avp("MAC"); 1688 PBR.S_flag=1; 1689 if (NAP_AUTH) 1690 PBR.N_flag=1; 1691 Tx:PBR(); 1692 RtxTimerStart(); 1694 EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA 1695 1ST_EAP==Failure && ("EAP-Payload"); 1696 SEPARATE==Set && if (CARRY_DEVICE_ID==Set) 1697 Authorize() PBR.insert_avp 1698 ("Device-Id"); 1699 if (CARRY_LIFETIME==Set) 1700 PBR.insert_avp 1701 ("Session-Lifetime"); 1703 if (PROTECTION_CAP_IN_PBR 1704 ==Set) 1705 PBR.insert_avp 1706 ("Protection-Cap."); 1707 if (new_key_available()) 1708 PBR.insert_avp 1709 ("Key-Id"); 1710 if (key_available()) 1711 PBR.insert_avp("MAC"); 1712 PBR.S_flag=1; 1713 if (NAP_AUTH) 1714 PBR.N_flag=1; 1715 Tx:PBR(); 1716 RtxTimerStart(); 1718 EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA 1719 1ST_EAP==Failure && ("EAP-Payload"); 1720 SEPARATE==Set && if (key_available()) 1721 !Authorize() PBR.insert_avp("MAC"); 1722 PBR.S_flag=1; 1723 if (NAP_AUTH) 1724 PBR.N_flag=1; 1725 Tx:PBR(); 1726 RtxTimerStart(); 1728 EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA 1729 1ST_EAP==Failure && PBR.insert_avp("MAC"); 1730 SEPARATE==Set PBR.S_flag=1; 1731 if (NAP_AUTH) 1732 PBR.N_flag=1; 1733 Tx:PBR(); 1734 RtxTimerStart(); 1736 EAP_TIMEOUT && if (CARRY_DEVICE_ID==Set) WAIT_SUCC_PBA 1737 1ST_EAP==Success && PBR.insert_avp 1738 SEPARATE==Set && ("Device-Id"); 1739 Authorize() if (CARRY_LIFETIME==Set) 1740 PBR.insert_avp 1741 ("Session-Lifetime"); 1742 if (PROTECTION_CAP_IN_PBR 1743 ==Set) 1744 PBR.insert_avp 1745 ("Protection-Cap."); 1746 if (new_key_available()) 1747 PBR.insert_avp 1748 ("Key-Id"); 1749 if (key_available()) 1750 PBR.insert_avp("MAC"); 1751 PBR.S_flag=1; 1752 if (NAP_AUTH) 1753 PBR.N_flag=1; 1754 Tx:PBR(); 1755 RtxTimerStart(); 1757 EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA 1758 1ST_EAP==Success && PBR.insert_avp("MAC"); 1759 SEPARATE==Set && PBR.S_flag=1; 1760 !Authorize() if (NAP_AUTH) 
1761                                PBR.N_flag=1;
1762                              Tx:PBR();
1763                              RtxTimerStart();
1764     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1766     ----------------
1767     State: WAIT_PFEA
1768     ----------------

1770     Event/Condition          Action                     Exit State
1771     ------------------------+--------------------------+------------
1772     - - - - - - - - - - - -(PFEA Processing)- - - - - - - - - - - -
1773     Rx:PFEA &&               RtxTimerStop();            WAIT_EAP_MSG
1774     (1ST_EAP==Success ||     EAP_Restart();
1775      (PFEA.S_flag==1 &&      if (NAP_AUTH==Set)
1776       1ST_EAP==Failure))       NAP_AUTH=Unset;
1777                              else
1778                                NAP_AUTH=Set;

1780     Rx:PFEA &&               RtxTimerStop();            CLOSED
1781     PFEA.S_flag==0 &&        Disconnect();
1782     1ST_EAP==Failure
1783     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1785     ---------------------
1786     State: WAIT_FAIL_PFEA
1787     ---------------------

1789     Event/Condition          Action                     Exit State
1790     ------------------------+--------------------------+------------
1791     - - - - - - - - - - - - - -(PFEA Processing)- - - - - - - - - -
1792     Rx:PFEA                  RtxTimerStop();            CLOSED
1793                              Disconnect();
1794     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1796     --------------------
1797     State: WAIT_SUCC_PBA
1798     --------------------

1800     Event/Condition          Action                     Exit State
1801     ------------------------+--------------------------+------------
1802     - - - - - - - - - - - - - (PBA Processing)- - - - - - - - - - -
1803     Rx:PBA &&                SessionTimerStart();       OPEN
1804     (CARRY_DEVICE_ID==Unset ||
1805      (CARRY_DEVICE_ID==Set &&
1806       PBA.exist_avp("Device-Id")))

1808     Rx:PBA &&                PER.RESULT_CODE=           WAIT_PEA
1809     CARRY_DEVICE_ID==Set &&    PANA_MISSING_AVP
1810     !PBA.exist_avp           Tx:PER();
1811     ("Device-Id")            RtxTimerStart();
1812     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1814     --------------------
1815     State: WAIT_FAIL_PBA
1816     --------------------

1818     Exit Condition           Exit Action                Exit State
1819     ------------------------+--------------------------+------------
1820     - - - - - - - - - - - - - - (PBA Processing)- - - - - - - - - -
1821     Rx:PBA                   RtxTimerStop();            CLOSED
1822                              Disconnect();
1823     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1825     -----------
1826     State: OPEN
1827     -----------

1829     Event/Condition          Action                     Exit State
1830     ------------------------+--------------------------+------------
1831     - - - - - - - - (re-authentication initiated by PaC) - - - - - -
1832     Rx:PRAR                  if (key_available())       WAIT_EAP_MSG
1833                                PRAA.insert_avp("MAC");
1834                              EAP_Restart();
1835                              1ST_EAP=Unset;
1836                              NAP_AUTH=Set|Unset;
1837                              Tx:PRAA();
1838     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1839     - - - - - - - - (re-authentication initiated by PAA)- - - - - -
1840     REAUTH                   EAP_Restart();             WAIT_EAP_MSG
1841                              1ST_EAP=Unset;
1842                              NAP_AUTH=Set|Unset;
1843     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1844     - - (liveness test based on PPR-PPA exchange initiated by PAA)-
1845     PANA_PING                Tx:PPR();                  WAIT_PPA
1846                              RtxTimerStart();
1847     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1848     - - (liveness test based on PPR-PPA exchange initiated by PaC)-
1849     Rx:PPR                   if (key_available())       OPEN
1850                                PPA.insert_avp("MAC");
1851                              Tx:PPA();
1852     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1853     - - - - - - - - (Session termination initiated from PAA)- - - -
1854     TERMINATE                if (key_available())       SESS_TERM
1855                                PTR.insert_avp("MAC");
1856                              Tx:PTR();
1857                              RtxTimerStart();
1858     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1859     - - - - - - - - (Session termination initiated from PaC)- - - -
1860     Rx:PTR                   if (key_available())       CLOSED
1861                                PTA.insert_avp("MAC");
1862                              Tx:PTA();
1863                              Disconnect();
1864     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1865     - - - - - - - - - -(Notification message) - - - - - - - - - - -
1866     NOTIFY                   if (key_available())       WAIT_PUA
1867                                PUR.insert_avp("MAC");
1868                              Tx:PUR();
1869                              RtxTimerStart();
1870     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1871     - - - - - - - -(Notification/Address update) - - - - - - - - -
1872     Rx:PUR                   if (key_available())       OPEN
1873                                PUA.insert_avp("MAC");
1874                              Tx:PUA();
1875                              if (new_source_address())
1876                                update_popa();
1877     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1879     ---------------
1880     State: WAIT_PPA
1881     ---------------

1883     Exit Condition           Exit Action                Exit State
1884     ------------------------+--------------------------+------------
1885     - - - - - - - - - - - - - -(PPA processing) - - - - - - - - - -
1886     Rx:PPA                   RtxTimerStop();            OPEN
1887     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1889     ----------------------
1890     State: WAIT_PAN_OR_PAR
1891     ----------------------
1892     Exit Condition           Exit Action                Exit State
1893     ------------------------+--------------------------+------------
1894     - - - - - - (Pass EAP Response to the EAP authenticator)- - - -
1895     Rx:PAN &&                TxEAP();                   WAIT_EAP_MSG
1896     PAN.exist_avp
1897     ("EAP-Payload")

1899     Rx:PAR                   TxEAP();                   WAIT_EAP_MSG
1900                              if (key_available())
1901                                PAN.insert_avp("MAC");
1902                              if (SEPARATE==Set) {
1903                                PAN.S_flag=1;
1904                                if (NAP_AUTH==Set)
1905                                  PAN.N_flag=1;
1906                              }
1907                              RtxTimerStop();
1908                              Tx:PAN();
1909     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1910     - - - - - - - - - - (PAN without an EAP response) - - - - - - -
1911     Rx:PAN &&                RtxTimerStop();            WAIT_PAN_OR_PAR
1912     !PAN.exist_avp
1913     ("EAP-Payload")
1914     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1915     - - - - - - - - -(EAP authentication timeout)- - - - - - - - -
1916     EAP_TIMEOUT &&           if (key_available())       WAIT_PEA
1917     1ST_EAP==Unset &&          PER.insert_avp("MAC");
1918     SEPARATE==Unset          Tx:PER();
1919                              RtxTimerStart();
1920     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1921     - - - - - -(EAP authentication timeout for 1st EAP)- - - - - -
1922     EAP_TIMEOUT &&           1ST_EAP=Failure            WAIT_PFEA
1923     1ST_EAP==Unset &&        if (key_available())
1924     SEPARATE==Set &&           PFER.insert_avp("MAC");
1925     ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1;
1926     ==Unset                  if (NAP_AUTH)
1927                                PFER.N_flag=1;
1928                              Tx:PFER();
1929                              RtxTimerStart();

1931     EAP_TIMEOUT &&           1ST_EAP=Failure            WAIT_FAIL_PFEA
1932     1ST_EAP==Unset &&        if (key_available())
1933     SEPARATE==Set &&           PFER.insert_avp("MAC");
1934     ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset;
1935     ==Set                    PFER.S_flag=0;
1936                              Tx:PFER();
1937                              RtxTimerStart();
1938     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1939     - - - - - -(EAP authentication timeout for 2nd EAP)- - - - - -
1940     EAP_TIMEOUT &&           if (key_available())       WAIT_FAIL_PBA
1941     1ST_EAP==Failure &&        PBR.insert_avp("MAC");
1942     SEPARATE==Set            PBR.S_flag=1;
1943                              if (NAP_AUTH)
1944                                PBR.N_flag=1;
1945                              Tx:PBR();
1946                              RtxTimerStart();

1948     EAP_TIMEOUT &&           if (CARRY_DEVICE_ID==Set)  WAIT_SUCC_PBA
1949     1ST_EAP==Success &&        PBR.insert_avp
1950     SEPARATE==Set &&             ("Device-Id");
1951     Authorize()              if (CARRY_LIFETIME==Set)
1952                                PBR.insert_avp
1953                                  ("Session-Lifetime");
1954                              if (PROTECTION_CAP_IN_PBR
1955                                  ==Set)
1956                                PBR.insert_avp
1957                                  ("Protection-Cap.");
1958                              if (new_key_available())
1959                                PBR.insert_avp
1960                                  ("Key-Id");
1961                              if (key_available())
1962                                PBR.insert_avp("MAC");
1963                              PBR.S_flag=1;
1964                              if (NAP_AUTH)
1965                                PBR.N_flag=1;
1966                              Tx:PBR();
1967                              RtxTimerStart();

1969     EAP_TIMEOUT &&           if (key_available())       WAIT_FAIL_PBA
1970     1ST_EAP==Success &&        PBR.insert_avp("MAC");
1971     SEPARATE==Set &&         PBR.S_flag=1;
1972     !Authorize()             if (NAP_AUTH)
1973                                PBR.N_flag=1;
1974                              Tx:PBR();
1975                              RtxTimerStart();

1977     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1979     ---------------
1980     State: WAIT_PUA
1981     ---------------

1983     Exit Condition           Exit Action                Exit State
1984     ------------------------+--------------------------+------------
1985     - - - - - - - - - - - - - (PUA processing)- - - - - - - - - - -
1986     Rx:PUA                   RtxTimerStop();            OPEN
1987     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1989     ----------------
1990     State: SESS_TERM
1991     ----------------

1993     Exit Condition           Exit Action                Exit State
1994     ------------------------+--------------------------+------------
1995     - - - - - - - - - - - - - -(PTA processing) - - - - - - - - - -
1996     Rx:PTA                   RtxTimerStop();            CLOSED
1997                              Disconnect();
1998     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2000     ---------------
2001     State: WAIT_PEA
2002     ---------------

2004     Exit Condition           Exit Action                Exit State
2005     ------------------------+--------------------------+------------
2006     - - - - - - - - - - - - - -(PEA processing) - - - - - - - - - -
2007     Rx:PEA                   RtxTimerStop();            CLOSED
2008                              Disconnect();
2009     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2011  8. Mobility Optimization Support

2013     The state machines outlined in preceding sections provide only PANA
2014     base protocol functionality. In order to support PANA mobility
2015     optimization outlined in [I-D.ietf-pana-mobopts], additions and
2016     changes to the PaC and PAA state machines are required. The additions
2017     and changes provide only basic mobility optimization and are not
2018     explicit on integration of other mobility functionality such as
2019     context-transfer mechanisms. However, they do provide enough
2020     flexibility to accommodate future inclusion of such mechanisms.

2022     The variables, procedures and state transitions described in this
2023     section are designed to be seamlessly integrated into the appropriate
2024     base protocol state machines. They should be treated as a mobility
2025     optimization addendum to the base protocol state machine. In this
2026     addendum, no additional states have been defined but some
2027     modifications to the base protocol state machine are required. The
2028     modifications are to accommodate the mobility variables and procedures
2029     as they relate to existing state transition actions and events.
2030     These modifications to existing state transitions are noted in state
2031     transition tables in this section. These modified state transitions
2032     are intended to replace their base protocol counterparts. Addition of
2033     new state transitions specific to mobility optimization is also
2034     present. Variable initialization also needs to be added to the
2035     appropriate base protocol state to complete the mobility optimization
2036     support.

2038  8.1 Common Variables

2040     MOBILITY

2042        This variable indicates whether the mobility handling feature
2043        described in [I-D.ietf-pana-mobopts] is supported. This should be
2044        present in both PaC and PAA state machines. Existing state
2045        transitions in the base protocol state machine that can be
2046        affected by mobility optimization must treat this variable as
2047        being Unset unless the state transition is explicitly redefined
2048        in this section.

2050  8.2 PaC Mobility Optimization State Machine

2052  8.2.1 Variables

2054     PANA_SA_RESUMED
2055        This variable indicates whether the PANA SA of a previous PANA
2056        session was resumed during the discovery and initial handshake.

2058  8.2.2 Procedures

2060     boolean resume_pana_sa()

2062        This procedure returns TRUE when a PANA SA for a previously
2063        established PANA Session is resumed, otherwise returns FALSE.
2064        Once a PANA SA is resumed, the key_available() procedure must return
2065        TRUE. Existing state transitions in the base protocol state
2066        machine that can be affected by mobility optimization must assume
2067        that this procedure always returns FALSE unless the state
2068        transition is explicitly redefined in this section.

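Added example (not part of the draft and not taken from any PANA implementation): a Python model of how PANA_SA_RESUMED and resume_pana_sa() gate the PaC transitions of the Section 8.2.3 addendum for the OFFLINE and WAIT_PAA states. The Msg class, the cached_sa flag, the simplified non-resumed PSR handling and the choice to ignore input that matches no row are assumptions of this example; AVPs are tested for presence as the table rows do, and MAC verification is not modelled.

```python
from dataclasses import dataclass, field

PANA_SUCCESS = "PANA_SUCCESS"          # result code name used in the tables


@dataclass(frozen=True)
class Msg:
    """Constructed stand-in for a received PANA message."""
    kind: str                          # "PSR", "PAR" or "PBR"
    avps: frozenset = frozenset()      # names of the AVPs carried
    result_code: str = ""

    def exist_avp(self, name):
        return name in self.avps


@dataclass
class PaC:
    mobility: bool                     # MOBILITY
    cached_sa: bool                    # assumption: an SA of a previous session is stored
    state: str = "OFFLINE"
    pana_sa_resumed: bool = False      # PANA_SA_RESUMED
    first_eap: str = "Unset"           # 1ST_EAP
    separate: bool = False             # SEPARATE
    authorized: bool = False
    sent: list = field(default_factory=list)   # (message, AVP names) transmitted

    def resume_pana_sa(self):
        return self.cached_sa

    def rx(self, m):
        """Apply the matching row; input that matches no row leaves the state as is."""
        if self.state == "OFFLINE" and m.kind == "PSR" and not m.exist_avp("EAP-Payload"):
            self._psr(m)
        elif self.state == "WAIT_PAA" and m.kind == "PAR":
            # Replaced PAR rows: the PAA runs full EAP, so the resumed SA is dropped.
            self.pana_sa_resumed = False
            self.state = "WAIT_EAP_MSG"
        elif self.state == "WAIT_PAA" and m.kind == "PBR":
            self._pbr(m)
        return self.state

    def _psr(self, m):
        avps = set()
        # resume_pana_sa() is consulted only under MOBILITY==Set, so base-protocol
        # behaviour sees it as FALSE.
        if self.mobility and self.resume_pana_sa():
            self.pana_sa_resumed = True
            avps |= {"Session-Id", "MAC"}
            if m.exist_avp("Cookie"):
                self.separate = False          # SEPARATE=Unset appears in the Cookie row only
        if m.exist_avp("Cookie"):
            avps.add("Cookie")                 # non-resumed case: simplified base behaviour
        self.sent.append(("PSA", frozenset(avps)))
        self.state = "WAIT_PAA"

    def _pbr(self, m):
        if self.first_eap != "Unset" or self.separate or m.result_code != PANA_SUCCESS:
            return
        if not self.pana_sa_resumed:
            self.state = "WAIT_EAP_RESULT"     # replaced base row (PANA_SA_RESUMED!=Set)
        elif m.exist_avp("Key-Id") and m.exist_avp("MAC"):
            avps = {"Key-Id", "MAC"}
            if m.exist_avp("Device-Id"):
                avps.add("Device-Id")
            self.sent.append(("PBA", frozenset(avps)))
            self.authorized = True             # Authorize(); SessionTimerStart();
            self.state = "OPEN"
        # Resumed SA but Key-Id or MAC absent: no row matches, the PaC stays in WAIT_PAA.


# Constructed messages for a resumed handshake.
PSR = Msg("PSR", frozenset({"Cookie"}))
PBR_OK = Msg("PBR", frozenset({"Key-Id", "MAC", "Device-Id"}), PANA_SUCCESS)
PBR_NO_MAC = Msg("PBR", frozenset({"Key-Id"}), PANA_SUCCESS)

if __name__ == "__main__":
    pac = PaC(mobility=True, cached_sa=True)
    for msg in (PSR, PBR_NO_MAC, PBR_OK):
        print(msg.kind, sorted(msg.avps), "->", pac.rx(msg))
```

A success PBR that lacks Key-Id or MAC cannot open a resumed session, and any PAR received in WAIT_PAA clears PANA_SA_RESUMED so that the full EAP path is taken.
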
2070  8.2.3 PaC Mobility Optimization State Transition Table Addendum

2072     ------------------------------
2073     State: OFFLINE (Initial State)
2074     ------------------------------

2076     Initialization Action:

2078       MOBILITY=Set|Unset;
2079       PANA_SA_RESUMED=Unset;

2081     Exit Condition           Exit Action                Exit State
2082     ------------------------+--------------------------+------------
2083     - - - - - - - - (PSR processing with mobility support)- - - - -
2084     - The following state transitions are intended to be added    -
2085     - to the OFFLINE state of the PaC base protocol state         -
2086     - machine.                                                    -
2087     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2088     Rx:PSR &&                RtxTimerStop();            WAIT_PAA
2089     !PSR.exist_avp           PSA.insert_avp
2090     ("EAP-Payload") &&         ("Session-Id");
2091     MOBILITY==Set &&         SEPARATE=Unset;
2092     resume_pana_sa() &&      PANA_SA_RESUMED=Set;
2093     PSR.exist_avp            PSA.insert_avp("Cookie");
2094     ("Cookie")               PSA.insert_avp("MAC");
2095                              Tx:PSA();
2096                              RtxTimerStart();

2098     Rx:PSR &&                RtxTimerStop();            WAIT_PAA
2099     !PSR.exist_avp           PSA.insert_avp
2100     ("EAP-Payload") &&         ("Session-Id");
2101     MOBILITY==Set &&         PSA.insert_avp("MAC");
2102     resume_pana_sa() &&      Tx:PSA();
2103     !PSR.exist_avp           PANA_SA_RESUMED=Set;
2104     ("Cookie")

2106     ---------------
2107     State: WAIT_PAA
2108     ---------------

2110     Exit Condition           Exit Action                Exit State
2111     ------------------------+--------------------------+------------
2112     - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - -
2113     - The following state transitions are intended to replace     -
2114     - existing base protocol state transitions. Original base     -
2115     - protocol state transitions can be referenced by the same    -
2116     - exit conditions that exist in the WAIT_PAA state of the PaC -
2117     - base protocol state machine.                                -
2118     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2119     Rx:PAR &&                RtxTimerStop();            WAIT_EAP_MSG
2120     !eap_piggyback()         TxEAP();
2121                              PANA_SA_RESUMED=Unset;
2122                              EAP_RespTimerStart();
2123                              if (key_available())
2124                                PAN.insert_avp("MAC");
2125                              PAN.S_flag=PAR.S_flag;
2126                              PAN.N_flag=PAR.N_flag;
2127                              Tx:PAN();

2129     Rx:PAR &&                RtxTimerStop();            WAIT_EAP_MSG
2130     eap_piggyback()          TxEAP();
2131                              PANA_SA_RESUMED=Unset;
2132                              EAP_RespTimerStart();

2134     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2135     - - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - -
2136     - The following state transitions are intended to replace     -
2137     - existing base protocol state transitions. Original base     -
2138     - protocol state transitions can be referenced by exit        -
2139     - conditions that exclude PANA_SA_RESUMED variable checks.    -
2140     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2141     Rx:PBR &&                TxEAP();                   WAIT_EAP_RESULT
2142     1ST_EAP==Unset &&        if (PBR.exist_avp
2143     SEPARATE==Unset &&           ("Device-Id"))
2144     PBR.RESULT_CODE==          CARRY_DEVICE_ID=Set;
2145       PANA_SUCCESS &&
2146     PANA_SA_RESUMED!=Set

2148     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2149     - - - - - - - - (PBR processing with mobility support)- - - - -
2150     - The following state transitions are intended to be added    -
2151     - to the WAIT_PAA state of the PaC base protocol state        -
2152     - machine.                                                    -
2153     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2154     Rx:PBR &&                PBA.insert_avp("Key-Id");  OPEN
2155     1ST_EAP==Unset &&        PBA.insert_avp("MAC");
2156     SEPARATE==Unset &&       if (PBR.exist_avp
2157     PBR.RESULT_CODE==            ("Device-Id"))
2158       PANA_SUCCESS &&          PBA.insert_avp("Device-Id");
2159     PANA_SA_RESUMED==Set &&  Tx:PBA();
2160     PBR.exist_avp            Authorize();
2161     ("Key-Id") &&            SessionTimerStart();
2162     PBR.exist_avp
2163     ("MAC")

2165     -----------
2166     State: OPEN
2167     -----------

2169     Exit Condition           Exit Action                Exit State
2170     ------------------------+--------------------------+-------------
2171     - - - - - - - - - (re-authentication initiated by PaC)- - - - - -
2172     - The following state transitions are intended to replace       -
2173     - existing base protocol state transitions. Original base       -
2174     - protocol state transitions can be referenced by the same      -
2175     - exit conditions that exist in the OPEN state of the PaC       -
2176     - base protocol state machine.                                  -
2177     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2178     REAUTH                   SEPARATE=Set|Unset;        WAIT_PRAA
2179                              1ST_EAP=Unset;
2180                              PANA_SA_RESUMED=Unset;
2181                              if (key_available())
2182                                PRAR.insert_avp("MAC");
2183                              Tx:PRAR();
2184                              RtxTimerStart();
2185     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2186     - - - - - - - - - (re-authentication initiated by PAA)- - - - - -
2187     Rx:PAR &&                SEPARATE=Set|Unset;        WAIT_EAP_MSG
2188     !eap_piggyback()         1ST_EAP=Unset;
2189                              PANA_SA_RESUMED=Unset;
2190                              EAP_RespTimerStart();
2191                              TxEAP();
2192                              if (key_available())
2193                                PAN.insert_avp("MAC");
2194                              PAN.S_flag=PAR.S_flag;
2195                              PAN.N_flag=PAR.N_flag;
2196                              Tx:PAN();

2198     Rx:PAR &&                SEPARATE=Set|Unset;        WAIT_EAP_MSG
2199     eap_piggyback()          1ST_EAP=Unset;
2200                              PANA_SA_RESUMED=Unset;
2201                              EAP_RespTimerStart();
2202                              TxEAP();

2204  8.3 PAA Mobility Optimization

2206  8.3.1 Procedures

2208     boolean retrieve_pana_sa(Session-Id)

2210        This procedure returns TRUE when a PANA SA for the PANA Session
2211        corresponding to the specified Session-Id has been retrieved,
2212        otherwise returns FALSE.

2214  8.3.2 PAA Mobility Optimization State Transition Table Addendum
2215     ------------------------------
2216     State: OFFLINE (Initial State)
2217     ------------------------------

2219     Initialization Action:

2221       MOBILITY=Set|Unset;

2223     Exit Condition           Exit Action                Exit State
2224     ------------------------+--------------------------+------------
2225     - - - - - - - (PSA processing without mobility support) - - - -
2226     - The following state transitions are intended to replace     -
2227     - existing base protocol state transitions. Original base     -
2228     - protocol state transitions can be referenced by exit        -
2229     - conditions that exclude MOBILITY variable checks and        -
2230     - retrieve_pana_sa() procedure calls.                         -
2231     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2232     Rx:PSA &&                if (SEPARATE==Set &&       WAIT_EAP_MSG
2233     USE_COOKIE==Set &&           PSA.S_flag==0)
2234     (!PSA.exist_avp            SEPARATE=Unset;
2235      ("Session-Id") ||       if (SEPARATE==Set)
2236      MOBILITY==Unset ||        NAP_AUTH=Set|Unset;
2237      (MOBILITY==Set &&       EAP_Restart();
2238       !retrieve_pana_sa
2239       (PSA.SESSION_ID)))
2240     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2241     - - - - - - - - (PSA processing with mobility support)- - - - -
2242     Rx:PSA &&                PBR.insert_avp("MAC");     WAIT_SUCC_PBA
2243     USE_COOKIE==Set &&       PBR.insert_avp("Key-Id");
2244     PSA.exist_avp            if (CARRY_DEVICE_ID==Set)
2245     ("Session-Id") &&          PBR.insert_avp
2246     MOBILITY==Set &&             ("Device-Id");
2247     retrieve_pana_sa         if (PROTECTION_CAP_IN_PBR
2248     (PSA.SESSION_ID)             ==Set)
2249                                PBR.insert_avp
2250                                  ("Protection-Cap.");
2251                              Tx:PBR();
2252                              RtxTimerStart();
2253     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2255  9. Implementation Considerations

2257  9.1 PAA and PaC Interface to Service Management Entity

2259     In general, it is assumed in each device that has a PANA protocol
2260     stack that there is a Service Management Entity (SME) that manages
2261     the PANA protocol stack. It is recommended that a generic interface
2262     (i.e., the SME-PANA interface) between the SME and the PANA protocol
2263     stack be provided by the implementation. In particular, common
2264     procedures such as startup, shutdown, re-authenticate signals and
2265     provisions for extracting keying material should be provided by such
2266     an interface. The SME-PANA interface in a PAA device should also
2267     provide a method for communicating filtering parameters to the EP(s).
2268     When cryptographic filtering is used, the filtering parameters
2269     include keying material used for bootstrapping per-packet ciphering.
2270     When a PAA device interacts with the backend authentication server
2271     using a AAA protocol, its SME may also have an interface to the AAA
2272     protocol to obtain authorization parameters such as the authorization
2273     lifetime and additional filtering parameters.

2275  9.2 Multicast Traffic

2277     In general, binding a UDP socket to a multicast address and/or port
2278     is system dependent. In most systems, a socket can be bound to any
2279     address and a specific port. This allows the socket to receive all
2280     packets destined for the local host (on all its local addresses) for
2281     that port. If the host subscribes to a multicast address then this
2282     socket will also receive multicast traffic. In some systems,
2283     this would also result in the socket receiving all multicast traffic
2284     even though it has subscribed to only one multicast address. This is
2285     because most physical interfaces have multicast traffic either enabled
2286     or disabled and do not provide specific address filtering.
2287     Normally, it is not possible to filter out specific traffic on a
2288     socket from the user level. Most environments provide lower layer
2289     filtering that allows the use of only one socket to receive both
2290     unicast and specific multicast addresses. However, it might introduce
2291     portability problems.

2293  10. Security Considerations

2295     This document's intent is to describe the PANA state machines fully.
2296     To this end, any security concerns with this document are likely a
2297     reflection of security concerns with PANA itself.

2299  11. Acknowledgments

2301     This work was started from state machines originally made by Dan
2302     Forsberg.

2304  12. References

2306  12.1 Normative References

2308     [I-D.ietf-pana-pana]
2309                Forsberg, D., "Protocol for Carrying Authentication for
2310                Network Access (PANA)", draft-ietf-pana-pana-08 (work in
2311                progress), May 2005.

2313     [I-D.ietf-eap-statemachine]
2314                Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba,
2315                "State Machines for Extensible Authentication Protocol
2316                (EAP) Peer and Authenticator",
2317                draft-ietf-eap-statemachine-06 (work in progress),
2318                December 2004.

2320     [I-D.ietf-pana-mobopts]
2321                Forsberg, D., "PANA Mobility Optimizations",
2322                draft-ietf-pana-mobopts-00 (work in progress),
2323                January 2005.

2325  12.2 Informative References

2327     [I-D.ietf-pana-requirements]
2328                Yegin, A. and Y. Ohba, "Protocol for Carrying
2329                Authentication for Network Access (PANA) Requirements",
2330                draft-ietf-pana-requirements-09 (work in progress),
2331                August 2004.

2333     [I-D.ietf-pana-snmp]
2334                Mghazli, Y., "SNMP usage for PAA-EP interface",
2335                draft-ietf-pana-snmp-03 (work in progress), February 2005.

2337  Authors' Addresses

2339     Victor Fajardo
2340     Toshiba America Research, Inc.
2341     1 Telcordia Drive
2342     Piscataway, NJ 08854
2343     USA

2345     Phone: +1 732 699 5368
2346     Email: vfajardo@tari.toshiba.com

2347     Yoshihiro Ohba
2348     Toshiba America Research, Inc.
2349     1 Telcordia Drive
2350     Piscataway, NJ 08854
2351     USA

2353     Phone: +1 732 699 5305
2354     Email: yohba@tari.toshiba.com

2356     Rafa Marin Lopez
2357     University of Murcia
2358     30071 Murcia
2359     Spain

2361     Email: rafa@dif.um.es

2363  Intellectual Property Statement

2365     The IETF takes no position regarding the validity or scope of any
2366     Intellectual Property Rights or other rights that might be claimed to
2367     pertain to the implementation or use of the technology described in
2368     this document or the extent to which any license under such rights
2369     might or might not be available; nor does it represent that it has
2370     made any independent effort to identify any such rights. Information
2371     on the procedures with respect to rights in RFC documents can be
2372     found in BCP 78 and BCP 79.

2374     Copies of IPR disclosures made to the IETF Secretariat and any
2375     assurances of licenses to be made available, or the result of an
2376     attempt made to obtain a general license or permission for the use of
2377     such proprietary rights by implementers or users of this
2378     specification can be obtained from the IETF on-line IPR repository at
2379     http://www.ietf.org/ipr.

2381     The IETF invites any interested party to bring to its attention any
2382     copyrights, patents or patent applications, or other proprietary
2383     rights that may cover technology that may be required to implement
2384     this standard. Please address the information to the IETF at
2385     ietf-ipr@ietf.org.

2387  Disclaimer of Validity

2389     This document and the information contained herein are provided on an
2390     "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
2391     OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
2392     ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
2393     INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
2394     INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
2395     WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

2397  Copyright Statement

2399     Copyright (C) The Internet Society (2005). This document is subject
2400     to the rights, licenses and restrictions contained in BCP 78, and
2401     except as set forth therein, the authors retain all their rights.

2403  Acknowledgment

2405     Funding for the RFC Editor function is currently provided by the
2406     Internet Society.