idnits 2.17.1 draft-ietf-pana-statemachine-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 18. -- Found old boilerplate from RFC 3978, Section 5.5 on line 2466. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 2443. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 2450. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 2456. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 448: '... variable MUST be set when a link...' Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 11, 2005) is 6835 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC4058' is defined on line 2400, but no explicit reference was found in the text == Unused Reference: 'I-D.ietf-pana-snmp' is defined on line 2404, but no explicit reference was found in the text == Outdated reference: A later version (-18) exists of draft-ietf-pana-pana-08 ** Downref: Normative reference to an Informational draft: draft-ietf-eap-statemachine (ref. 'I-D.ietf-eap-statemachine') == Outdated reference: A later version (-01) exists of draft-ietf-pana-mobopts-00 -- Possible downref: Normative reference to a draft: ref. 'I-D.ietf-pana-mobopts' == Outdated reference: A later version (-06) exists of draft-ietf-pana-snmp-04 Summary: 5 errors (**), 0 flaws (~~), 7 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 PANA Working Group V. Fajardo 3 Internet-Draft Y. Ohba 4 Expires: January 12, 2006 TARI 5 R. Lopez 6 Univ. of Murcia 7 July 11, 2005 9 State Machines for Protocol for Carrying Authentication for Network 10 Access (PANA) 11 draft-ietf-pana-statemachine-01 13 Status of this Memo 15 By submitting this Internet-Draft, each author represents that any 16 applicable patent or other IPR claims of which he or she is aware 17 have been or will be disclosed, and any of which he or she becomes 18 aware will be disclosed, in accordance with Section 6 of BCP 79. 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF), its areas, and its working groups. Note that 22 other groups may also distribute working documents as Internet- 23 Drafts. 25 Internet-Drafts are draft documents valid for a maximum of six months 26 and may be updated, replaced, or obsoleted by other documents at any 27 time. It is inappropriate to use Internet-Drafts as reference 28 material or to cite them other than as "work in progress." 30 The list of current Internet-Drafts can be accessed at 31 http://www.ietf.org/ietf/1id-abstracts.txt. 33 The list of Internet-Draft Shadow Directories can be accessed at 34 http://www.ietf.org/shadow.html. 36 This Internet-Draft will expire on January 12, 2006. 38 Copyright Notice 40 Copyright (C) The Internet Society (2005). 42 Abstract 44 This document defines the conceptual state machines for the Protocol 45 for Carrying Authentication for Network Access (PANA). The state 46 machines consist of the PANA Client (PaC) state machine and the PANA 47 Authentication Agent (PAA) state machine. The two state machines 48 show how PANA can interface to EAP state machines and can be 49 implemented with supporting various features including separate NAP 50 and ISP authentications, ISP selection and mobility optimization. 51 The state machines and associated model are informative only. 52 Implementations may achieve the same results using different methods. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 57 2. Interface Between PANA and EAP . . . . . . . . . . . . . . . . 5 58 3. Document Authority . . . . . . . . . . . . . . . . . . . . . . 7 59 4. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 8 60 5. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 10 61 5.1 Common Procedures . . . . . . . . . . . . . . . . . . . . 10 62 5.2 Common Variables . . . . . . . . . . . . . . . . . . . . . 12 63 5.3 Constants . . . . . . . . . . . . . . . . . . . . . . . . 13 64 5.4 Common Message Initialization Rules . . . . . . . . . . . 14 65 5.5 Common Error Handling Rules . . . . . . . . . . . . . . . 14 66 5.6 Common State Transitions . . . . . . . . . . . . . . . . . 14 67 6. PaC State Machine . . . . . . . . . . . . . . . . . . . . . . 16 68 6.1 Interface between PaC and EAP Peer . . . . . . . . . . . . 16 69 6.1.1 Delivering EAP Messages from PaC to EAP Peer . . . . . 16 70 6.1.2 Delivering EAP Responses from EAP Peer to PaC . . . . 16 71 6.1.3 EAP Restart Notification from PaC to EAP Peer . . . . 16 72 6.1.4 EAP Authentication Result Notification from EAP 73 Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17 74 6.1.5 Alternate Failure Notification from PaC to EAP Peer . 17 75 6.1.6 EAP Invalid Message Notification from EAP Peer to 76 PaC . . . . . . . . . . . . . . . . . . . . . . . . . 17 77 6.2 Variables . . . . . . . . . . . . . . . . . . . . . . . . 17 78 6.3 Procedures . . . . . . . . . . . . . . . . . . . . . . . . 18 79 6.4 PaC State Transition Table . . . . . . . . . . . . . . . . 19 80 7. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 31 81 7.1 Interface between PAA and EAP Authenticator . . . . . . . 31 82 7.1.1 EAP Restart Notification from PAA to EAP 83 Authenticator . . . . . . . . . . . . . . . . . . . . 31 84 7.1.2 Delivering EAP Responses from PAA to EAP 85 Authenticator . . . . . . . . . . . . . . . . . . . . 31 86 7.1.3 Delivering EAP Messages from EAP Authenticator to 87 PAA . . . . . . . . . . . . . . . . . . . . . . . . . 31 88 7.1.4 EAP Authentication Result Notification from EAP 89 Authenticator to PAA . . . . . . . . . . . . . . . . . 31 90 7.2 Variables . . . . . . . . . . . . . . . . . . . . . . . . 32 91 7.3 Procedures . . . . . . . . . . . . . . . . . . . . . . . . 34 92 7.4 PAA State Transition Table . . . . . . . . . . . . . . . . 34 93 8. Mobility Optimization Support . . . . . . . . . . . . . . . . 49 94 8.1 Common Variables . . . . . . . . . . . . . . . . . . . . . 49 95 8.2 PaC Mobility Optimization State Machine . . . . . . . . . 49 96 8.2.1 Variables . . . . . . . . . . . . . . . . . . . . . . 49 97 8.2.2 Procedures . . . . . . . . . . . . . . . . . . . . . . 50 98 8.2.3 PaC Mobility Optimization State Transition Table 99 Addendum . . . . . . . . . . . . . . . . . . . . . . . 50 100 8.3 PAA Mobility Optimization . . . . . . . . . . . . . . . . 53 101 8.3.1 Procedures . . . . . . . . . . . . . . . . . . . . . . 53 102 8.3.2 PAA Mobility Optimization State Transition Table 103 Addendum . . . . . . . . . . . . . . . . . . . . . . . 53 104 9. Implementation Considerations . . . . . . . . . . . . . . . . 55 105 9.1 PAA and PaC Interface to Service Management Entity . . . . 55 106 9.2 Multicast Traffic . . . . . . . . . . . . . . . . . . . . 55 107 10. Security Considerations . . . . . . . . . . . . . . . . . . 56 108 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . 57 109 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 58 110 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 59 111 13.1 Normative References . . . . . . . . . . . . . . . . . . . 59 112 13.2 Informative References . . . . . . . . . . . . . . . . . . 59 113 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 59 114 Intellectual Property and Copyright Statements . . . . . . . . 61 116 1. Introduction 118 This document defines the state machines for Protocol Carrying 119 Authentication for Network Access (PANA) [I-D.ietf-pana-pana]. There 120 are state machines for the PANA client (PaC) and for the PANA 121 Authentication Agent (PAA). Each state machine is specified through 122 a set of variables, procedures and a state transition table. 124 A PANA protocol execution consists of several exchanges to carry 125 authentication information. Specifically, EAP PDUs are transported 126 inside PANA PDUs between PaC and PAA, that is PANA represents a lower 127 layer for EAP protocol. Thus, a PANA state machine bases its 128 execution on an EAP state machine execution and vice versa. Thus 129 this document also shows for each of PaC and PAA an interface between 130 an EAP state machine and a PANA state machine and how this interface 131 allows to exchange information between them. Thanks to this 132 interface, a PANA state machine can be informed about several events 133 generated in an EAP state machine and make its execution conditional 134 to its events. 136 The details of EAP state machines are out of the scope of this 137 document. Additional information can be found in [I-D.ietf-eap- 138 statemachine]. Nevertheless PANA state machines presented here have 139 been coordinated with state machines shown by [I-D.ietf-eap- 140 statemachine]. 142 This document, apart from defining PaC and PAA state machines and 143 their interfaces to EAP state machines (running on top of PANA), 144 provides some implementation considerations, taking into account that 145 it is not a specification but an implementation guideline. 147 2. Interface Between PANA and EAP 149 PANA carries EAP messages exchanged between an EAP peer and an EAP 150 authenticator (see Figure 1). Thus a PANA state machine must 151 interact with an EAP state machine. 153 Two state machines are defined in this document : the PaC state 154 machine (see Section 6) and the PAA state machine (see Section 7). 155 The definition of each state machine consists of a set of variables, 156 procedures and a state transition table. A subset of these variables 157 and procedures defines the interface between a PANA state machine and 158 an EAP state machine and the state transition table defines the PANA 159 state machine behavior based on results obtained through them. 161 On the one hand, the PaC state machine interacts with an EAP peer 162 state machine in order to carry out the PANA protocol on the PaC 163 side. On the other hand, the PAA state machine interacts with an EAP 164 authenticator state machine to run the PANA protocol on the PAA side. 166 Peer |EAP Auth 167 EAP <---------|------------> EAP 168 ^ | | ^ | 169 EAP-Request | | | EAP-Response | | EAP-Request 170 EAP-Success | |EAP-Response | | |EAP-Success 171 EAP-Failure | v |PANA | vEAP-Failure 172 PaC <---------|------------> PAA 174 Figure 1: Interface between PANA and EAP 176 Thus two interfaces are needed between PANA state machines and EAP 177 state machines, namely: 179 o Interface between the PaC state machine and the EAP peer state 180 machine 182 o Interface between the PAA state machine and the EAP authenticator 183 state machine 185 In general, the PaC state machine presents EAP messages (EAP-Request, 186 EAP-Success and EAP-Failure messages) to the EAP peer state machine 187 through the interface. The EAP peer state machine processes these 188 messages and sends EAP messages (EAP-Response messages) through the 189 PaC state machine that is responsible for actually transmitting this 190 message. 192 On the other hand, the PAA state machine presents response messages 193 (EAP-Response messages) to the EAP authenticator state machine 194 through interface defined between them. The EAP authenticator 195 processes these messages and generate EAP messages (EAP-Request, EAP- 196 Success and EAP-Failure messages) that are send to the PAA state 197 machine to be sent. 199 For example, [I-D.ietf-eap-statemachine] specifies four interfaces to 200 lower layers: (i) an interface between the EAP peer state machine and 201 a lower layer, (ii) an interface between the EAP standalone 202 authenticator state machine and a lower layer, (iii) an interface 203 between the EAP full authenticator state machine and a lower layer 204 and (iv) an interface between the EAP backend authenticator state 205 machine and a lower layer. In this document, the PANA protocol is 206 the lower layer of EAP and only the first three interfaces are of 207 interest to PANA. The second and third interfaces are the same. In 208 this regard, the EAP standalone authenticator or the EAP full 209 authenticator and its state machine in [I-D.ietf-eap-statemachine] 210 are referred to as the EAP authenticator and the EAP authenticator 211 state machine, respectively, in this document. If an EAP peer and an 212 EAP authenticator follow the state machines defined in [I-D.ietf-eap- 213 statemachine], the interfaces between PANA and EAP could be based on 214 that document. Detailed definition of interfaces between PANA and 215 EAP are described in the subsequent sections. 217 3. Document Authority 219 When a discrepancy occurs between any part of this document and any 220 of the related documents ([I-D.ietf-pana-pana], [I-D.ietf-pana- 221 mobopts], [I-D.ietf-eap-statemachine] the latter (the other 222 documents) are considered authoritative and takes precedence. 224 4. Notations 226 The following state transition tables are completed mostly based on 227 the conventions specified in [I-D.ietf-eap-statemachine]. The 228 complete text is described below. 230 State transition tables are used to represent the operation of the 231 protocol by a number of cooperating state machines each comprising a 232 group of connected, mutually exclusive states. Only one state of 233 each machine can be active at any given time. 235 All permissible transitions from a given state to other states and 236 associated actions performed when the transitions occur are 237 represented by using triplets of (exit condition, exit action, exit 238 state). All conditions are expressions that evaluate to TRUE or 239 FALSE; if a condition evaluates to TRUE, then the condition is met. 240 A state "ANY" is a wildcard state that matches the current state in 241 each state machine. The exit conditions of a wildcard state are 242 evaluated after all other exit conditions of specific to the current 243 state are met. 245 On exit from a state, the exit actions defined for the state and the 246 exit condition are executed exactly once, in the order that they 247 appear on the page. (Note that the procedures defined in [I-D.ietf- 248 eap-statemachine] are executed on entry to a state, which is one 249 major difference from this document.) Each exit action is deemed to 250 be atomic; i.e., execution of an exit action completes before the 251 next sequential exit action starts to execute. No exit action 252 execute outside of a state block. The exit actions in only one state 253 block execute at a time even if the conditions for execution of state 254 blocks in different state machines are satisfied. All exit actions 255 in an executing state block complete execution before the transition 256 to and execution of any other state blocks. The execution of any 257 state block appears to be atomic with respect to the execution of any 258 other state block and the transition condition to that state from the 259 previous state is TRUE when execution commences. The order of 260 execution of state blocks in different state machines is undefined 261 except as constrained by their transition conditions. A variable 262 that is set to a particular value in a state block retains this value 263 until a subsequent state block executes an exit action that modifies 264 the value. 266 On completion of the transition from the previous state to the 267 current state, all exit conditions occurring during the current state 268 (including exit conditions defined for the wildcard state) are 269 evaluated until an exit condition for that state is met. 271 Any event variable is set to TRUE when the corresponding event occurs 272 and set to FALSE immediately after completion of the action 273 associated with the current state and the event. 275 The interpretation of the special symbols and operators used is 276 defined in [I-D.ietf-eap-statemachine]. 278 5. Common Rules 280 There are following procedures, variables, message initializing rules 281 and state transitions that are common to both the PaC and PAA state 282 machines. 284 Throughout this document, the character string "PANA_MESSAGE_NAME" 285 matches any one of the abbreviated PANA message names, i.e., "PDI", 286 "PSR", "PSA", "PAR", "PAN", "PBR", "PBA", "PFER", "PFEA", "PTR", 287 "PTA", "PPR", "PPA", "PRAR", "PRAA", "PUR", "PUA", "PER" and "PEA". 289 5.1 Common Procedures 291 void None() 293 A null procedure, i.e., nothing is done. 295 void Disconnect() 297 A procedure to delete the PANA session as well as the 298 corresponding EAP session and authorization state. 300 boolean Authorize() 302 A procedure to create or modify authorization state. It returns 303 TRUE if authorization is successful. Otherwise, it returns FALSE. 304 It is assumed that Authorize() procedure of PaC state machine 305 always returns TRUE. 307 void Tx:PANA_MESSAGE_NAME() 309 A procedure to send a PANA message to its peering PANA entity. 311 void TxEAP() 313 A procedure to send an EAP message to the EAP state machine it 314 interfaces to. 316 void RtxTimerStart() 318 A procedure to start the retransmission timer, reset RTX_COUNTER 319 variable to zero and set an appropriate value to RTX_MAX_NUM 320 variable. 322 void RtxTimerStop() 323 A procedure to stop the retransmission timer. 325 void SessionTimerStart() 327 A procedure to start PANA session timer. 329 void SessionTimerStop() 331 A procedure to stop the PANA session timer. 333 void Retransmit() 335 A procedure to retransmit a PANA message and increment RTX_COUNTER 336 by one(1). 338 void EAP_Restart() 340 A procedure to (re)start an EAP conversation resulting in the re- 341 initialization of an existing EAP session. 343 void PANA_MESSAGE_NAME.insert_avp("AVP_NAME") 345 A procedure to insert an AVP of the specified AVP name in the 346 specified PANA message. 348 boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME") 350 A procedure that checks whether an AVP of the specified AVP name 351 exists in the specified PANA message and returns TRUE if the 352 specified AVP is found, otherwise returns FALSE. 354 boolean key_available() 356 A procedure to check whether the PANA session has a PANA_MAC_KEY. 357 If the state machine already has a PANA_MAC_KEY, it returns TRUE. 358 If the state machine does not have a PANA_MAC_KEY, it tries to 359 retrieve a AAA-Key from the EAP entity. If a AAA-Key is 360 retrieved, it computes a PANA_MAC_KEY from the AAA-Key and returns 361 TRUE. Otherwise, it returns FALSE. 363 boolean fatal(int) 365 A procedure to check whether an integer result code value 366 indicates a fatal error. If the result code indicates a fatal 367 error, the procedure returns TRUE, otherwise, it return FALSE. A 368 fatal error would also result in the termination of the session 369 and release of all resources related to that session. 371 5.2 Common Variables 373 PANA_MESSAGE_NAME.S_flag 375 This variable contains the S-Flag value of the specified PANA 376 message. 378 PBR.RESULT_CODE 380 This variable contains the Result-Code AVP value in the PANA-Bind- 381 Request message in process. When this variable carries 382 PANA_SUCCESS when there is only once EAP run in the authentication 383 and authorization phase, it is assumed that the PBR message always 384 contains an EAP-Payload AVP which carries an EAP-Success message. 386 PFER.RESULT_CODE 388 This variable contains the Result-Code AVP value in the PANA- 389 FirstAuth-End-Request message in process. When this variable 390 carries PANA_SUCCESS, it is assumed that the PFER message always 391 contains an EAP-Payload AVP which carries an EAP-Success message. 393 PER.RESULT_CODE 395 This variable contains the Result-Code AVP value in the PANA- 396 Error-Request message in process. 398 RTX_COUNTER 400 This variable contains the current number of retransmissions of 401 the outstanding PANA message. 403 Rx:PANA_MESSAGE_NAME 405 This event variable is set to TRUE when the specified PANA message 406 is received from its peering PANA entity. 408 RTX_TIMEOUT 410 This event variable is set to TRUE when the retransmission timer 411 is expired. 413 REAUTH 415 This event variable is set to TRUE when an initiation of re- 416 authentication phase is triggered. 418 TERMINATE 420 This event variable is set to TRUE when initiation of PANA session 421 termination is triggered. 423 PANA_PING 425 This event variable is set to TRUE when initiation of liveness 426 test based on PPR-PPA exchange is triggered. 428 NOTIFY 430 This event variable is set to TRUE if the PaC or PAA wants to send 431 attribute updates or notifications. For attribute updates, 432 UPDATE_POPA should be used by the PaC. 434 SESS_TIMEOUT 436 This event is variable is set to TRUE when the session timer is 437 expired. 439 ABORT_ON_1ST_EAP_FAILURE 441 This variable indicates whether the PANA session is immediately 442 terminated when the 1st EAP authentication fails. 444 CARRY_DEVICE_ID 446 This variable indicates whether a Device-Id AVP is carried in a 447 PANA-Bind-Request or PANA_Bind-Answer message. For the PAA, this 448 variable MUST be set when a link-layer or IP address is used as 449 the device identifier of the PaC and a Protection-Capability AVP 450 is included in the PANA-Bind-Request message. 452 ANY 454 This event variable is set to TRUE when any event occurs. 456 5.3 Constants 458 RTX_MAX_NUM 460 Configurable maximum for how many retransmissions should be 461 attempted before aborting. 463 5.4 Common Message Initialization Rules 465 When a message is prepared for sending, it is initialized as follows: 467 o For a request message, R-flag of the header is set. Otherwise, 468 R-flag is not set. 470 o S-flag and N-flag of the header are not set. 472 o AVPs that are mandatory included in a message are inserted with 473 appropriate values set. 475 o A Notification AVP is inserted if there is some notification 476 string to send to the communicating peer. 478 5.5 Common Error Handling Rules 480 For simplicity, the PANA state machines defined in this document do 481 not support an optional feature of sending a PER message when an 482 invalid PANA message is received [I-D.ietf-pana-pana], while the 483 state machines support sending a PER message generated in other cases 484 as well as receiving and processing a PER message. It is left to 485 implementations as to whether they provide a means to send a PER 486 message when an invalid PANA message is received. 488 5.6 Common State Transitions 490 The following transitions can occur at any state. 492 ---------- 493 State: ANY 494 ---------- 496 Exit Condition Exit Action Exit State 497 ------------------------+--------------------------+------------ 498 - - - - - - - - - - - - - (Re-transmissions)- - - - - - - - - - 499 RTX_TIMEOUT && Retransmit(); (no change) 500 RTX_COUNTER< 501 RTX_MAX_NUM 502 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 503 - - - - - - - (Reach maximum number of transmissions)- - - - - - 504 RTX_TIMEOUT && Disconnect(); CLOSED 505 RTX_COUNTER>= 506 RTX_MAX_NUM 508 SESS_TIMEOUT Disconnect(); CLOSED 509 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 510 - - - - - - - - - - -(PANA-Error-Message-Processing)- - - - - - 511 Rx:PER && PEA.insert_avp("MAC"); CLOSED 512 fatal Tx:PEA(); 513 (PER.RESULT_CODE) && Disconnect(); 514 PER.exist_avp("MAC") && 515 key_available() 517 Rx:PER && Tx:PEA(); (no change) 518 !fatal 519 (PER.RESULT_CODE) || 520 !PER.exist_avp("MAC") || 521 !key_available() 522 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 524 The following transitions can occur on any exit condition within the 525 specified state. 527 ------------- 528 State: CLOSED 529 ------------- 531 Exit Condition Exit Action Exit State 532 ------------------------+--------------------------+------------ 533 - - - - - - - -(Session termination initiated by PaC) - - - - - 534 ANY None(); CLOSED 535 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 537 6. PaC State Machine 539 6.1 Interface between PaC and EAP Peer 541 This interface defines the interactions between a PaC and an EAP 542 peer. The interface serves as a mechanism to deliver EAP messages 543 for the EAP peer. It allows the EAP peer to receive EAP requests and 544 send EAP responses via the PaC. It also provides a mechanism to 545 notify the EAP peer of PaC events and a mechanism to receive 546 notification of EAP peer events. The EAP message delivery mechanism 547 as well as the event notification mechanism in this interface have 548 direct correlation with the PaC state transition table entries. 549 These message delivery and event notifications mechanisms occur only 550 within the context of their associated states or exit actions. 552 6.1.1 Delivering EAP Messages from PaC to EAP Peer 554 TxEAP() procedure in the PaC state machine serves as the mechanism to 555 deliver EAP request, EAP success and EAP failure messages contained 556 in PANA-Auth-Request messages to the EAP peer. This procedure is 557 enabled only after an EAP restart event is notified to the EAP peer 558 and before any event resulting in a termination of the EAP peer 559 session. In the case where the EAP peer follows the EAP peer state 560 machine defined in [I-D.ietf-eap-statemachine], TxEAP() procedure 561 sets eapReq variable of the EAP peer state machine and puts the EAP 562 request in eapReqData variable of the EAP peer state machine. 564 6.1.2 Delivering EAP Responses from EAP Peer to PaC 566 An EAP response is delivered from the EAP peer to the PaC via 567 EAP_RESPONSE event variable. The event variable is set when the EAP 568 peer passes the EAP response to its lower-layer. In the case where 569 the EAP peer follows the EAP peer state machine defined in [I-D.ietf- 570 eap-statemachine], EAP_RESPONSE event variable refers to eapResp 571 variable of the EAP peer state machine and the EAP response is 572 contained in eapRespData variable of the EAP peer state machine. 574 6.1.3 EAP Restart Notification from PaC to EAP Peer 576 The EAP peer state machine defined in [I-D.ietf-eap-statemachine] has 577 an initialization procedure before receiving an EAP request. To 578 initialize the EAP state machine, the PaC state machine defines an 579 event notification mechanism to send an EAP (re)start event to the 580 EAP peer. The event notification is done via EAP_Restart() procedure 581 in the initialization action of the PaC state machine. 583 6.1.4 EAP Authentication Result Notification from EAP Peer to PaC 585 In order for the EAP peer to notify the PaC of an EAP authentication 586 result, EAP_SUCCESS and EAP_FAILURE event variables are defined. In 587 the case where the EAP peer follows the EAP peer state machine 588 defined in [I-D.ietf-eap-statemachine], EAP_SUCCESS and EAP_FAILURE 589 event variables refer to eapSuccess and eapFail variables of the EAP 590 peer state machine, respectively. In this case, if EAP_SUCCESS event 591 variable is set to TRUE and a AAA-Key is generated by the EAP 592 authentication method in use, eapKeyAvailable variable is set to TRUE 593 and eapKeyData variable contains the AAA-Key. Note that EAP_SUCCESS 594 and EAP_FAILURE event variables may be set to TRUE even before the 595 PaC receives a PBR or a PFER from the PAA. 597 6.1.5 Alternate Failure Notification from PaC to EAP Peer 599 alt_reject() procedure in the PaC state machine serves as the 600 mechanism to deliver an authentication failure event to the EAP peer 601 without accompanying an EAP message. In the case where the EAP peer 602 follows the EAP peer state machine defined in [I-D.ietf-eap- 603 statemachine], alt_reject() procedure sets altReject variable of the 604 EAP peer state machine. Note that the EAP peer state machine in 605 [I-D.ietf-eap-statemachine] also defines altAccept variable, however, 606 it is never used in PANA in which EAP-Success messages are reliably 607 delivered by PANA-Bind exchange. 609 6.1.6 EAP Invalid Message Notification from EAP Peer to PaC 611 In order for the EAP peer to notify the PaC of a receipt of an 612 invalid EAP message, EAP_INVALID_MSG event variable is defined. In 613 the case where the EAP peer follows the EAP peer state machine 614 defined in [I-D.ietf-eap-statemachine], EAP_INVALID_MSG event 615 variable refers to eapNoResp variable of the EAP peer state machine. 617 6.2 Variables 619 SEPARATE 621 This variable indicates whether the PaC desires NAP/ISP separate 622 authentication. 624 1ST_EAP 626 This variable indicates whether the 1st EAP authentication is 627 success, failure or yet completed. 629 AUTH_USER 631 This event variable is set to TRUE when initiation of EAP-based 632 (re-)authentication is triggered by the application. 634 EAP_SUCCESS 636 This event variable is set to TRUE when the EAP peer determines 637 that EAP conversation completes with success. 639 EAP_FAILURE 641 This event variable is set to TRUE when the EAP peer determines 642 that EAP conversation completes with failure. 644 EAP_RESPONSE 646 This event variable is set to TRUE when the EAP peer delivers an 647 EAP Response to the PaC. This event accompanies an EAP-Response 648 message received from the EAP peer. 650 EAP_INVALID_MSG 652 This event variable is set to TRUE when the EAP peer silently 653 discards an EAP message. This event does not accompany any EAP 654 message. 656 UPDATE_POPA 658 This event variable is set to TRUE when there is a change in the 659 POPA of the PaC. 661 EAP_RESP_TIMEOUT 663 This event variable is set to TRUE when the PaC that has passed an 664 EAP-Request to the EAP-layer does not receive a corresponding EAP- 665 Response from the the EAP-layer in a given period. 667 6.3 Procedures 669 boolean choose_isp() 671 This procedure returns TRUE when the PaC chooses one ISP, 672 otherwise returns FALSE. 674 boolean ppac_available() 676 This procedure returns TRUE when the Post-PANA-Address- 677 Configuration method specified by the PAA is available in the PaC 678 and that the PaC will be able to comply. 680 boolean pcap_supported() 682 This procedure returns TRUE when the cryptographic data protection 683 supplied in the Protection-Capability AVP can be supported by the 684 PaC. 686 boolean eap_piggyback() 688 This procedures returns TRUE to indicate whether the next EAP 689 response will be carried in the pending PAN message for 690 optimization. 692 void alt_reject() 694 This procedure informs the EAP peer of an authentication failure 695 event without accompanying an EAP message. 697 void EAP_RespTimerStart() 699 A procedure to start a timer to receive an EAP-Response from the 700 EAP peer. 702 void EAP_RespTimerStop() 704 A procedure to stop a timer to receive an EAP-Response from the 705 EAP peer. 707 6.4 PaC State Transition Table 709 ------------------------------ 710 State: OFFLINE (Initial State) 711 ------------------------------ 713 Initialization Action: 715 SEPARATE=Set|Unset; 716 CARRY_DEVICE_ID=Unset; 717 1ST_EAP=Unset; 718 RtxTimerStop(); 720 Exit Condition Exit Action Exit State 721 ------------------------+--------------------------+-------------- 722 - - - - - - - - - - - - - (PSR processing) - - - - - - - - - - - 723 Rx:PSR && RtxTimerStop(); WAIT_EAP_MSG_ 724 PSR.exist_avp EAP_Restart(); IN_DISC 725 ("EAP-Payload") TxEAP(); 726 SEPARATE=Unset; 728 Rx:PSR && RtxTimerStop(); WAIT_PAA 729 !PSR.exist_avp if (choose_isp()) 730 ("EAP-Payload") && PSA.insert_avp("ISP"); 731 PSR.S_flag==1 && PSA.S_flag=1; 732 SEPARATE==Set && PSA.insert_avp("Cookie"); 733 PSR.exist_avp Tx:PSA(); 734 ("Cookie") RtxTimerStart(); 735 EAP_Restart(); 737 Rx:PSR && RtxTimerStop(); WAIT_PAA 738 !PSR.exist_avp if (choose_isp()) 739 ("EAP-Payload") && PSA.insert_avp("ISP"); 740 PSR.S_flag==1 && PSA.S_flag=1; 741 SEPARATE==Set && Tx:PSA(); 742 !PSR.exist_avp EAP_Restart(); 743 ("Cookie") 745 Rx:PSR && RtxTimerStop(); WAIT_PAA 746 !PSR.exist_avp if (choose_isp()) 747 ("EAP-Payload") && PSA.insert_avp("ISP"); 748 (PSR.S_flag!=1 || PSA.insert_avp("Cookie"); 749 SEPARATE==Unset) && Tx:PSA(); 750 PSR.exist_avp RtxTimerStart(); 751 ("Cookie") SEPARATE=Unset; 752 EAP_Restart(); 754 Rx:PSR && RtxTimerStop(); WAIT_PAA 755 !PSR.exist_avp if (choose_isp()) 756 ("EAP-Payload") && PSA.insert_avp("ISP"); 757 (PSR.S_flag!=1 || Tx:PSA(); 758 SEPARATE==Unset) && SEPARATE=Unset; 759 !PSR.exist_avp EAP_Restart(); 760 ("Cookie") 762 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 763 - - - - - - - - -(Authentication trigger from application) - - - 764 AUTH_USER Tx:PDI(); OFFLINE 765 RtxTimerStart(); 766 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 767 --------------------------- 768 State: WAIT_EAP_MSG_IN_DISC 769 --------------------------- 771 Exit Condition Exit Action Exit State 772 ------------------------+--------------------------+------------ 773 - - - - - - - - - - - (Return PSA with EAP-Payload) - - - - - - 774 EAP_RESPONSE PSA.insert_avp WAIT_PAA 775 ("EAP-Payload") 776 if (choose_isp()) 777 PSA.insert_avp("ISP"); 778 Tx:PSA(); 780 EAP_RESP_TIMEOUT || None(); OFFLINE 781 EAP_INVALID_MSG 782 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 784 --------------- 785 State: WAIT_PAA 786 --------------- 788 Exit Condition Exit Action Exit State 789 ------------------------+--------------------------+------------ 790 - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - - 791 Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG 792 !eap_piggyback() TxEAP(); 793 EAP_RespTimerStart(); 794 if (key_available()) 795 PAN.insert_avp("MAC"); 796 PAN.S_flag=PAR.S_flag; 797 PAN.N_flag=PAR.N_flag; 798 Tx:PAN(); 800 Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG 801 eap_piggyback() TxEAP(); 802 EAP_RespTimerStart(); 804 Rx:PAN RtxTimerStop(); WAIT_PAA 805 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 806 - - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - - 807 Rx:PFER && 1ST_EAP=Success; WAIT_1ST_EAP_ 808 1ST_EAP==Unset && TxEAP(); RESULT 809 SEPARATE==Set && 810 PFER.RESULT_CODE== 811 PANA_SUCCESS && 812 PFER.S_flag==1 814 Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ 815 1ST_EAP==Unset && TxEAP(); RESULT 816 SEPARATE==Set && 817 PFER.RESULT_CODE!= 818 PANA_SUCCESS && 819 PFER.S_flag==1 && 820 ABORT_ON_1ST_EAP_FAILURE 821 ==Unset && 822 PFER.exist_avp 823 ("EAP-Payload") 825 Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ 826 1ST_EAP==Unset && alt_reject(); RESULT 827 SEPARATE==Set && 828 PFER.RESULT_CODE!= 829 PANA_SUCCESS && 830 PFER.S_flag==1 && 831 ABORT_ON_1ST_EAP_FAILURE 832 ==Unset && 833 !PFER.exist_avp 834 ("EAP-Payload") 836 Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ 837 1ST_EAP==Unset && TxEAP(); RESULT_CLOSED 838 SEPARATE==Set && 839 PFER.RESULT_CODE!= 840 PANA_SUCCESS && 841 (PFER.S_flag==0 || 842 ABORT_ON_1ST_EAP_FAILURE 843 ==Set) && 844 PFER.exist_avp 845 ("EAP-Payload") 847 Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ 848 1ST_EAP==Unset && alt_reject(); RESULT_CLOSED 849 SEPARATE==Set && 850 PFER.RESULT_CODE!= 851 PANA_SUCCESS && 852 (PFER.S_flag==0 || 853 ABORT_ON_1ST_EAP_FAILURE 854 ==Set) && 855 !PFER.exist_avp 856 ("EAP-Payload") 858 Rx:PBR && TxEAP(); WAIT_EAP_RESULT 859 1ST_EAP==Unset && if (PBR.exist_avp 860 SEPARATE==Unset && ("Device-Id")) 861 PBR.RESULT_CODE== CARRY_DEVICE_ID=Set; 862 PANA_SUCCESS 864 Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ 865 1ST_EAP==Unset && CLOSE 866 SEPARATE==Unset && 867 PBR.RESULT_CODE!= 868 PANA_SUCCESS && 869 PBR.exist_avp 870 ("EAP-Payload") 872 Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ 873 1ST_EAP==Unset && CLOSE 874 SEPARATE==Unset && 875 PBR.RESULT_CODE!= 876 PANA_SUCCESS && 877 !PBR.exist_avp 878 ("EAP-Payload") 879 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 880 - - - - - - - - - - - - - - -(2nd EAP result) - - - - - - - - - 881 Rx:PBR && TxEAP(); WAIT_EAP_RESULT 882 1ST_EAP==Success && if (PBR.exist_avp 883 PBR.RESULT_CODE== ("Device-Id")) 884 PANA_SUCCESS && CARRY_DEVICE_ID=Set; 885 PBR.exist_avp 886 ("EAP-Payload") 888 Rx:PBR && alt_reject(); WAIT_EAP_RESULT 889 1ST_EAP==Success && if (PBR.exist_avp 890 PBR.RESULT_CODE== ("Device-Id")) 891 PANA_SUCCESS && CARRY_DEVICE_ID=Set; 892 !PBR.exist_avp 893 ("EAP-Payload") 895 Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ 896 1ST_EAP==Success && CLOSE 897 PBR.RESULT_CODE!= 898 PANA_SUCCESS && 899 PBR.exist_avp 900 ("EAP-Payload") 902 Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ 903 1ST_EAP==Success && CLOSE 904 PBR.RESULT_CODE!= 905 PANA_SUCCESS && 906 !PBR.exist_avp 907 ("EAP-Payload") 909 Rx:PBR && TxEAP(); WAIT_EAP_RESULT 910 1ST_EAP==Failure && if (PBR.exist_avp 911 PBR.RESULT_CODE== ("Device-Id")) 912 PANA_SUCCESS CARRY_DEVICE_ID=Set; 914 Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ 915 1ST_EAP==Failure && CLOSE 916 PBR.RESULT_CODE!= 917 PANA_SUCCESS && 918 PBR.exist_avp 919 ("EAP-Payload") 921 Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ 922 1ST_EAP==Failure && CLOSE 923 PBR.RESULT_CODE!= 924 PANA_SUCCESS && 925 !PBR.exist_avp 926 ("EAP-Payload") 927 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 929 ------------------- 930 State: WAIT_EAP_MSG 931 ------------------- 933 Exit Condition Exit Action Exit State 934 ------------------------+--------------------------+------------ 935 - - - - - - - - - - (Return PAN/PAR) - - - - - - - - - - - - - - 936 EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA 937 eap_piggyback() PAN.insert_avp 938 ("EAP-Payload"); 939 if (key_available()) 940 PAN.insert_avp("MAC"); 941 PAN.S_flag=PAR.S_flag; 942 PAN.N_flag=PAR.N_flag; 943 Tx:PAN(); 945 EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA 946 !eap_piggyback() PAR.insert_avp 947 ("EAP-Payload"); 948 if (key_available()) 949 PAR.insert_avp("MAC"); 950 PAR.S_flag=PAN.S_flag; 951 PAR.N_flag=PAN.N_flag; 952 Tx:PAR(); 953 RtxTimerStart(); 955 EAP_RESP_TIMEOUT if (key_available()) WAIT_PAA 956 PAN.insert_avp("MAC"); 957 PAN.S_flag=PAR.S_flag; 958 PAN.N_flag=PAR.N_flag; 959 Tx:PAN(); 961 EAP_INVALID_MSG || None(); WAIT_PAA 962 EAP_SUCCESS || 963 EAP_FAILURE 964 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 966 ---------------------- 967 State: WAIT_EAP_RESULT 968 ---------------------- 970 Exit Condition Exit Action Exit State 971 ------------------------+--------------------------+------------ 972 - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - - 973 EAP_SUCCESS && PBA.insert_avp("MAC"); OPEN 974 PBR.exist_avp PBA.insert_avp("Key-Id"); 975 ("Key-Id") && if (CARRY_DEVICE_ID) 976 ppac_available() && PBA.insert_avp 977 (!PBR.exist_avp ("Device-Id"); 978 ("Protection- PBA.insert_avp("PPAC"); 979 Capability") || Tx:PBA(); 980 (PBR.exist_avp Authorize(); 981 ("Protection- SessionTimerStart(); 982 Capability") && 983 pcap_supported())) 985 EAP_SUCCESS && if (key_available()) OPEN 986 !PBR.exist_avp PBA.insert_avp("MAC"); 987 ("Key-Id") && if (CARRY_DEVICE_ID) 988 ppac_available() && PBA.insert_avp 989 (!PBR.exist_avp ("Device-Id"); 990 ("Protection- PBA.insert_avp("PPAC"); 991 Capability") || Tx:PBA(); 992 (PBR.exist_avp Authorize(); 993 ("Protection- SessionTimerStart(); 994 Capability") && 995 pcap_supported())) 997 EAP_SUCCESS && if (key_available()) WAIT_PEA 998 !ppac_available() PER.insert_avp("MAC"); 999 PER.RESULT_CODE= 1000 PANA_PPAC_CAPABILITY_ 1001 UNSUPPORTED 1002 Tx:PER(); 1003 RtxTimerStart(); 1005 EAP_SUCCESS && if (key_available()) WAIT_PEA 1006 (PBR.exist_avp PER.insert_avp("MAC"); 1007 ("Protection- PER.RESULT_CODE= 1008 Capability") && PANA_PROTECTION_ 1010 !pcap_supported()) CAPABILITY_UNSUPPORTED 1011 Tx:PER(); 1012 RtxTimerStart(); 1014 EAP_FAILURE && if (key_available()) OPEN 1015 (SEPARATE==Set) && PBA.insert_avp("MAC"); 1016 ppac_available() && if (CARRY_DEVICE_ID) 1017 (!PBR.exist_avp PBA.insert_avp 1018 ("Protection- ("Device-Id"); 1019 Capability") || PBA.insert_avp("PPAC"); 1020 (PBR.exist_avp Tx:PBA(); 1021 ("Protection- Authorize(); 1022 Capability") && SessionTimerStart(); 1023 pcap_supported())) 1025 EAP_FAILURE && if (key_available()) WAIT_PEA 1026 (SEPARATE==Set) && PER.insert_avp("MAC"); 1027 !ppac_available() PER.RESULT_CODE= 1028 PANA_PPAC_CAPABILITY_ 1029 UNSUPPORTED 1030 Tx:PER(); 1031 RtxTimerStart(); 1033 EAP_FAILURE && if (key_available()) WAIT_PEA 1034 (SEPARATE==Set) && PER.insert_avp("MAC"); 1035 (PBR.exist_avp PER.RESULT_CODE= 1036 ("Protection- PANA_PROTECTION_ 1037 Capability") && CAPABILITY_UNSUPPORTED 1038 !pcap_supported()) Tx:PER(); 1039 RtxTimerStart(); 1041 EAP_INVALID_MSG None(); WAIT_PAA 1042 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1044 ---------------------------- 1045 State: WAIT_EAP_RESULT_CLOSE 1046 ---------------------------- 1048 Exit Condition Exit Action Exit State 1049 ------------------------+--------------------------+------------ 1050 - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - - 1051 EAP_SUCCESS && PBA.insert_avp("MAC"); CLOSED 1052 PBR.exist_avp PBA.insert_avp("Key-Id"); 1053 ("Key-Id") Tx:PBA(); 1054 Disconnect(); 1056 EAP_SUCCESS && if (key_available()) CLOSED 1057 !PBR.exist_avp PBA.insert_avp("MAC"); 1058 ("Key-Id") Tx:PBA(); 1059 Disconnect(); 1061 EAP_FAILURE Tx:PBA(); CLOSED 1062 Disconnect(); 1064 EAP_INVALID_MSG None(); WAIT_PAA 1065 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1067 -------------------------- 1068 State: WAIT_1ST_EAP_RESULT 1069 -------------------------- 1071 Exit Condition Exit Action Exit State 1072 ------------------------+--------------------------+------------ 1073 - - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - - 1074 EAP_SUCCESS && PFEA.insert_avp("Key-Id"); WAIT_PAA 1075 PFER.exist_avp PFEA.S_flag=1; 1076 ("Key-Id") PFEA.N_flag=PFER.N_flag; 1077 PFEA.insert_avp("MAC"); 1078 Tx:PFEA(); 1079 EAP_Restart(); 1081 (EAP_SUCCESS && if (key_available()) WAIT_PAA 1082 !PFER.exist_avp PFEA.insert_avp("MAC"); 1083 ("Key-Id")) || PFEA.S_flag=1; 1084 EAP_FAILURE PFEA.N_flag=PFER.N_flag; 1085 Tx:PFEA(); 1086 EAP_Restart(); 1088 EAP_INVALID_MSG EAP_Restart(); WAIT_PAA 1089 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1091 -------------------------------- 1092 State: WAIT_1ST_EAP_RESULT_CLOSE 1093 -------------------------------- 1095 Exit Condition Exit Action Exit State 1096 ------------------------+--------------------------+------------ 1097 - - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - - 1098 EAP_SUCCESS && PFEA.insert_avp("Key-Id"); CLOSED 1099 PFER.exist_avp PFEA.S_flag=0; 1100 ("Key-Id") PFEA.N_flag=0; 1101 PFEA.insert_avp("MAC"); 1102 Tx:PFEA(); 1103 Disconnect(); 1105 (EAP_SUCCESS && if (key_available()) CLOSED 1106 !PFER.exist_avp PFEA.insert_avp("MAC"); 1107 ("Key-Id")) || PFEA.S_flag=0; 1108 EAP_FAILURE PFEA.N_flag=0; 1109 Tx:PFEA(); 1110 Disconnect(); 1112 EAP_INVALID_MSG None(); WAIT_PAA 1113 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1115 ----------- 1116 State: OPEN 1117 ----------- 1119 Exit Condition Exit Action Exit State 1120 ------------------------+--------------------------+------------ 1121 - - - - - - - - - - (liveness test initiated by PAA)- - - - - - 1122 Rx:PPR if (key_available()) OPEN 1123 PPA.insert_avp("MAC"); 1124 Tx:PPA(); 1125 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1126 - - - - - - - - - - (liveness test initiated by PaC)- - - - - - 1127 PANA_PING if (key_available()) WAIT_PPA 1128 PPR.insert_avp("MAC"); 1129 Tx:PPR(); 1130 RtxTimerStart(); 1131 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1132 - - - - - - - - - (re-authentication initiated by PaC)- - - - - - 1133 REAUTH SEPARATE=Set|Unset; WAIT_PRAA 1134 1ST_EAP=Unset; 1135 if (key_available()) 1136 PRAR.insert_avp("MAC"); 1137 Tx:PRAR(); 1138 RtxTimerStart(); 1139 SessionTimerStop(); 1140 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1141 - - - - - - - - - (re-authentication initiated by PAA)- - - - - - 1142 Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG 1143 !eap_piggyback() 1ST_EAP=Unset; 1144 EAP_RespTimerStart(); 1145 TxEAP(); 1146 if (key_available()) 1147 PAN.insert_avp("MAC"); 1148 PAN.S_flag=PAR.S_flag; 1149 PAN.N_flag=PAR.N_flag; 1150 Tx:PAN(); 1151 SessionTimerStop(); 1153 Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG 1154 eap_piggyback() 1ST_EAP=Unset; 1155 EAP_RespTimerStart(); 1156 TxEAP(); 1157 SessionTimerStop(); 1158 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1159 - - - - - - - -(Session termination initiated by PAA) - - - - - - 1160 Rx:PTR if (key_available()) CLOSED 1161 PTA.insert_avp("MAC"); 1162 Tx:PTA(); 1163 Disconnect(); 1164 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1165 - - - - - - - -(Session termination initiated by PaC) - - - - - - 1166 TERMINATE if (key_available()) SESS_TERM 1167 PTR.insert_avp("MAC"); 1168 Tx:PTR(); 1169 RtxTimerStart(); 1170 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1171 - - - - - - - - - - - - -(Address update) - - - - - - - - - - - - 1172 UPDATE_POPA || if (key_available()) WAIT_PUA 1173 NOTIFY PUR.insert_avp("MAC"); 1174 Tx:PUR(); 1175 RtxTimerStart(); 1176 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1177 - - - - - - - - - - -(Notification update)- - - - - - - - - - - 1178 Rx:PUR if (key_available()) OPEN 1179 PUA.insert_avp("MAC"); 1180 Tx:PUA(); 1181 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1183 ---------------- 1184 State: WAIT_PRAA 1185 ---------------- 1187 Exit Condition Exit Action Exit State 1188 ------------------------+--------------------------+------------ 1189 - - - - - - - - -(re-authentication initiated by PaC) - - - - - 1190 Rx:PRAA RtxTimerStop(); WAIT_PAA 1191 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1193 --------------- 1194 State: WAIT_PPA 1195 --------------- 1197 Exit Condition Exit Action Exit State 1198 ------------------------+--------------------------+------------ 1199 - - - - - - - - -(liveness test initiated by PAA) - - - - - - - 1200 Rx:PPA RtxTimerStop(); OPEN 1201 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1202 --------------- 1203 State: WAIT_PUA 1204 --------------- 1206 Exit Condition Exit Action Exit State 1207 ------------------------+--------------------------+------------ 1208 - - - - - - - - - - - - - (PUA processing)- - - - - - - - - - - 1209 Rx:PUA RtxTimerStop(); OPEN 1210 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1212 ---------------- 1213 State: SESS_TERM 1214 ---------------- 1216 Exit Condition Exit Action Exit State 1217 ------------------------+--------------------------+------------ 1218 - - - - - - - -(Session termination initiated by PaC) - - - - - 1219 Rx:PTA Disconnect(); CLOSED 1220 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1222 --------------- 1223 State: WAIT_PEA 1224 --------------- 1226 Exit Condition Exit Action Exit State 1227 ------------------------+--------------------------+------------ 1228 - - - - - - - - - - - - - -(PEA processing) - - - - - - - - - - 1229 Rx:PEA RtxTimerStop(); CLOSED 1230 Disconnect(); 1231 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1233 7. PAA State Machine 1235 7.1 Interface between PAA and EAP Authenticator 1237 The interface between a PAA and an EAP authenticator provides a 1238 mechanism to deliver EAP messages for the EAP authenticator as well 1239 as a mechanism to notify the EAP authenticator of PAA events and to 1240 receive notification of EAP authenticator events. These message 1241 delivery and event notification mechanisms occur only within context 1242 of their associated states or exit actions. 1244 7.1.1 EAP Restart Notification from PAA to EAP Authenticator 1246 An EAP authenticator state machine defined in [I-D.ietf-eap- 1247 statemachine] has an initialization procedure before sending the 1248 first EAP request. To initialize the EAP state machine, the PAA 1249 state machine defines an event notification mechanism to send an EAP 1250 (re)start event to the EAP peer. The event notification is done via 1251 EAP_Restart() procedure in the initialization action of the PAA state 1252 machine. 1254 7.1.2 Delivering EAP Responses from PAA to EAP Authenticator 1256 TxEAP() procedure in the PAA state machine serves as the mechanism to 1257 deliver EAP-Responses contained in PANA-Auth-Answer messages to the 1258 EAP authenticator. This procedure is enabled only after an EAP 1259 restart event is notified to the EAP authenticator and before any 1260 event resulting in a termination of the EAP authenticator session. 1261 In the case where the EAP authenticator follows the EAP authenticator 1262 state machines defined in [I-D.ietf-eap-statemachine], TxEAP() 1263 procedure sets eapResp variable of the EAP authenticator state 1264 machine and puts the EAP response in eapRespData variable of the EAP 1265 authenticator state machine. 1267 7.1.3 Delivering EAP Messages from EAP Authenticator to PAA 1269 An EAP request is delivered from the EAP authenticator to the PAA via 1270 EAP_REQUEST event variable. The event variable is set when the EAP 1271 authenticator passes the EAP request to its lower-layer. In the case 1272 where the EAP authenticator follows the EAP authenticator state 1273 machines defined in [I-D.ietf-eap-statemachine], EAP_REQUEST event 1274 variable refers to eapReq variable of the EAP authenticator state 1275 machine and the EAP request is contained in eapReqData variable of 1276 the EAP authenticator state machine. 1278 7.1.4 EAP Authentication Result Notification from EAP Authenticator to 1279 PAA 1281 In order for the EAP authenticator to notify the PAA of the EAP 1282 authentication result, EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event 1283 variables are defined. In the case where the EAP authenticator 1284 follows the EAP authenticator state machines defined in [I-D.ietf- 1285 eap-statemachine], EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event 1286 variables refer to eapSuccess, eapFail and eapTimeout variables of 1287 the EAP authenticator state machine, respectively. In this case, if 1288 EAP_SUCCESS event variable is set to TRUE, an EAP-Success message is 1289 contained in eapReqData variable of the EAP authenticator state 1290 machine, and additionally, eapKeyAvailable variable is set to TRUE 1291 and eapKeyData variable contains a AAA-Key if the AAA-Key is 1292 generated as a result of successful authentication by the EAP 1293 authentication method in use. Similarly, if EAP_FAILURE event 1294 variable is set to TRUE, an EAP-Failure message is contained in 1295 eapReqData variable of the EAP authenticator state machine. The PAA 1296 uses EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables as a 1297 trigger to send a PBR or a PFER message to the PaC. 1299 7.2 Variables 1301 USE_COOKIE 1303 This variable indicates whether the PAA uses Cookie. 1305 EAP_PIGGYBACK 1307 This variable indicates whether the PAA is able to piggyback an 1308 EAP-Request in PANA-Start-Request. 1310 SEPARATE 1312 This variable indicates whether the PAA provides NAP/ISP separate 1313 authentication. 1315 1ST_EAP 1317 This variable indicates whether the 1st EAP authentication is a 1318 success, failure or yet completed. 1320 PSA.SESSION_ID 1322 This variable contains the Session-Id AVP value in the PANA-Start- 1323 Answer message in process. 1325 CARRY_LIFETIME 1326 This variable indicates whether a Session-Lifetime AVP is carried 1327 in PANA-Bind-Request message. 1329 PROTECTION_CAP_IN_PSR 1331 This variable indicates whether a Protection-Capability AVP is 1332 carried in a PANA-Start-Request message. 1334 PROTECTION_CAP_IN_PBR 1336 This variable indicates whether a Protection-Capability AVP is 1337 carried in a PANA-Bind-Request message. 1339 CARRY_NAP_INFO 1341 This variable indicates whether a NAP-Information AVP is carried 1342 in PANA-Start-Request message. 1344 CARRY_ISP_INFO 1346 This variable indicates whether an ISP-Information AVP is carried 1347 in PANA-Start-Request message. 1349 NAP_AUTH 1351 This variable indicates whether a NAP authentication is being 1352 performed or not. 1354 CARRY_PPAC 1356 This variable indicates whether a Post-PANA-Address-Configuration 1357 AVP is carried in PANA-Start-Request message. 1359 PAC_FOUND 1361 This variable is set to TRUE during the EP-to-PAA notification as 1362 a result of a traffic-driven PAA discovery or link-up event 1363 notification by the EP as a result of the presence of a new PaC. 1365 EAP_SUCCESS 1367 This event variable is set to TRUE when EAP conversation completes 1368 with success. This event accompanies an EAP- Success message 1369 passed from the EAP authenticator. 1371 EAP_FAILURE 1373 This event variable is set to TRUE when EAP conversation completes 1374 with failure. This event accompanies an EAP- Failure message 1375 passed from the EAP authenticator. 1377 EAP_REQUEST 1379 This event variable is set to TRUE when the EAP authenticator 1380 delivers an EAP Request to the PAA. This event accompanies an 1381 EAP-Request message received from the EAP authenticator. 1383 EAP_TIMEOUT 1385 This event variable is set to TRUE when EAP conversation times out 1386 without generating an EAP-Success or an EAP-Failure message. This 1387 event does not accompany any EAP message. 1389 7.3 Procedures 1391 boolean new_key_available() 1393 A procedure to check whether the PANA session has a new 1394 PANA_MAC_KEY. If the state machine already have a PANA_MAC_KEY, 1395 it returns FALSE. If the state machine does not have a 1396 PANA_MAC_KEY, it tries to retrieve a AAA-Key from the EAP entity. 1397 If a AAA-Key has been retrieved, it computes a PANA_MAC_KEY from 1398 the AAA-Key and returns TRUE. Otherwise, it returns FALSE. 1400 boolean new_source_address() 1402 A procedure to check the PaC's source IP address from the current 1403 PUR message. If the source IP address of the message is different 1404 from the last known IP address stored in the PANA session, this 1405 procedure returns TRUE. Otherwise, it returns FALSE. 1407 void update_popa() 1409 A procedure to extract the PaC's source IP address from the 1410 current PUR message and update the PANA session with this new IP 1411 address. 1413 7.4 PAA State Transition Table 1415 ------------------------------ 1416 State: OFFLINE (Initial State) 1417 ------------------------------ 1419 Initialization Action: 1421 USE_COOKIE=Set|Unset; 1422 EAP_PIGGYBACK=Set|Unset; 1423 SEPARATE=Set|Unset; 1424 if (EAP_PIGGYBACK==Set) 1425 SEPARATE=Unset; 1426 1ST_EAP=Unset; 1427 ABORT_ON_1ST_EAP_FAILURE=Set|Unset; 1428 CARRY_LIFETIME=Set|Unset; 1429 CARRY_DEVICE_ID=Set|Unset; 1430 CARRY_NAP_INFO=Set|Unset; 1431 CARRY_ISP_INFO=Set|Unset; 1432 CARRY_PPAC=Set|Unset; 1433 PROTECTION_CAP_IN_PSR=Set|Unset; 1434 PROTECTION_CAP_IN_PBR=Set|Unset; 1435 if (PROTECTION_CAP_IN_PBR=Unset) 1436 PROTECTION_CAP_IN_PSR=Unset; 1437 else 1438 CARRY_DEVICE_ID=Set; 1439 NAP_AUTH=Unset; 1440 RTX_COUNTER=0; 1441 RtxTimerStop(); 1443 Exit Condition Exit Action Exit State 1444 ------------------------+--------------------------+------------ 1445 - - - - - - - - - - - - - (Stateful discovery)- - - - - - - - - 1446 (Rx:PDI || EAP_Restart(); WAIT_EAP_MSG_ 1447 PAC_FOUND) && IN_DISC 1448 USE_COOKIE==Unset && 1449 EAP_PIGGYBACK==Set 1451 (Rx:PDI || if (SEPARATE==Set) STATEFUL_DISC 1452 PAC_FOUND) && PSR.S_flag=1; 1453 USE_COOKIE==Unset && if (CARRY_NAP_INFO==Set) 1454 EAP_PIGGYBACK==Unset PSR.insert_avp 1455 ("NAP-Information"); 1456 if (CARRY_ISP_INFO==Set) 1457 PSR.insert_avp 1458 ("ISP-Information"); 1459 if (CARRY_PPAC==Set) 1460 PSR.insert_avp 1461 ("Post-PANA-Address- 1462 Configuration"); 1463 if (PROTECTION_CAP_IN_PSR 1464 ==Set) 1466 PSR.insert_avp 1467 ("Protection-Cap."); 1468 Tx:PSR(); 1469 RtxTimerStart(); 1470 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1471 - - - - - - - - - - - - - (Stateless discovery) - - - - - - - - 1472 (Rx:PDI || if (SEPARATE==Set) OFFLINE 1473 PAC_FOUND) && PSR.S_flag=1; 1474 USE_COOKIE==Set PSR.insert_avp 1475 ("Cookie"); 1476 if (CARRY_NAP_INFO==Set) 1477 PSR.insert_avp 1478 ("NAP-Information"); 1479 if (CARRY_ISP_INFO==Set) 1480 PSR.insert_avp 1481 ("ISP-Information"); 1482 if (CARRY_PPAC==Set) 1483 PSR.insert_avp 1484 ("Post-PANA-Address- 1485 Configuration"); 1486 if (PROTECTION_CAP_IN_PSR 1487 ==Set) 1488 PSR.insert_avp 1489 ("Protection-Cap."); 1490 Tx:PSR(); 1491 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1492 - - - - - - - - - - - - - - (PSA processing) - - - - - - - - - 1493 Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG 1494 USE_COOKIE==Set PSA.S_flag==0) 1495 SEPARATE=Unset; 1496 if (SEPARATE==Set) 1497 NAP_AUTH=Set|Unset; 1498 EAP_Restart(); 1499 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1501 --------------------------- 1502 State: WAIT_EAP_MSG_IN_DISC 1503 --------------------------- 1505 Exit Condition Exit Action Exit State 1506 ------------------------+--------------------------+------------ 1507 - - - - - - - - - - - (Send PSR with EAP-Request) - - - - - - - 1508 EAP_REQUEST PSR.insert_avp STATEFUL_DISC 1509 ("EAP-Payload"); 1510 if (CARRY_NAP_INFO==Set) 1511 PSR.insert_avp 1512 ("NAP-Information"); 1513 if (CARRY_ISP_INFO==Set) 1514 PSR.insert_avp 1515 ("ISP-Information"); 1516 if (CARRY_PPAC==Set) 1517 PSR.insert_avp 1518 ("Post-PANA-Address- 1519 Configuration"); 1520 Tx:PSR(); 1521 RtxTimerStart(); 1523 EAP_TIMEOUT None(); OFFLINE 1524 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1526 -------------------- 1527 State: STATEFUL_DISC 1528 -------------------- 1530 Exit Condition Action Exit State 1531 ------------------------+--------------------------+------------ 1532 - - - - - - - - - - - - - (Stateful discovery)- - - - - - - - - 1533 Rx:PSA if (SEPARATE==Set && WAIT_EAP_MSG 1534 PSA.S_flag==0) 1535 SEPARATE=Unset; 1536 if (PSA.exist_avp 1537 ("EAP-Payload")) 1538 TxEAP(); 1539 else { 1540 if (SEPARATE==Set) 1541 NAP_AUTH=Set|Unset; 1542 EAP_Restart(); 1543 } 1544 RtxTimerStop(); 1546 EAP_TIMEOUT if (key_available()) WAIT_PEA 1547 PER.insert_avp("MAC"); 1548 Tx:PER(); 1549 RtxTimerStart(); 1550 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1552 ------------------- 1553 State: WAIT_EAP_MSG 1554 ------------------- 1556 Exit Condition Exit Action Exit State 1557 ------------------------+--------------------------+------------ 1558 - - - - - - - - - - - -(Receiving EAP-Request)- - - - - - - - - 1559 EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR 1560 PAR.insert_avp("MAC"); 1561 if (SEPARATE==Set) { 1562 PAR.S_flag=1; 1563 if (NAP_AUTH==Set) 1564 PAR.N_flag=1; 1565 } 1566 Tx:PAR(); 1567 RtxTimerStart(); 1568 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1569 - - - - - - -(Receiving EAP-Success/Failure single EAP)- - - - 1570 EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA 1571 1ST_EAP==Unset && ("EAP-Payload"); 1572 SEPARATE==Unset if (key_available()) 1573 PBR.insert_avp("MAC"); 1574 Tx:PBR(); 1575 RtxTimerStart(); 1577 EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA 1578 1ST_EAP==Unset && ("EAP-Payload"); 1579 SEPARATE==Unset && if (CARRY_DEVICE_ID==Set) 1580 Authorize() PBR.insert_avp 1581 ("Device-Id"); 1582 if (CARRY_LIFETIME==Set) 1583 PBR.insert_avp 1584 ("Session-Lifetime"); 1585 if (PROTECTION_CAP_IN_PBR 1586 ==Set) 1587 PBR.insert_avp 1588 ("Protection-Cap."); 1589 if (new_key_available()) 1590 PBR.insert_avp 1591 ("Key-Id"); 1592 if (key_available()) 1593 PBR.insert_avp("MAC"); 1594 Tx:PBR(); 1595 RtxTimerStart(); 1597 EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA 1598 1ST_EAP==Unset && ("EAP-Payload"); 1599 SEPARATE==Unset && if (new_key_available()) 1600 !Authorize() PBR.insert_avp 1601 ("Key-Id"); 1602 if (key_available()) 1603 PBR.insert_avp("MAC"); 1604 Tx:PBR(); 1605 RtxTimerStart(); 1607 EAP_TIMEOUT && if (key_available()) WAIT_PEA 1608 1ST_EAP==Unset && PER.insert_avp("MAC"); 1609 SEPARATE==Unset Tx:PER(); 1610 RtxTimerStart(); 1612 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1613 - - - - - - -(Receiving EAP-Success/Failure for 1st EAP)- - - - 1614 EAP_FAILURE && 1ST_EAP=Failure WAIT_PFEA 1615 1ST_EAP==Unset && PFER.insert_avp 1616 SEPARATE==Set && ("EAP-Payload"); 1617 ABORT_ON_1ST_EAP_FAILURE if (key_available()) 1618 ==Unset PFER.insert_avp("MAC"); 1619 PFER.S_flag=1; 1620 if (NAP_AUTH) 1621 PFER.N_flag=1; 1622 Tx:PFER(); 1623 RtxTimerStart(); 1625 EAP_FAILURE && 1ST_EAP=Failure WAIT_FAIL_PFEA 1626 1ST_EAP==Unset && PFER.insert_avp 1627 SEPARATE==Set && ("EAP-Payload"); 1628 ABORT_ON_1ST_EAP_FAILURE if (key_available()) 1629 ==Set PFER.insert_avp("MAC"); 1630 PFER.S_flag=0; 1631 Tx:PFER(); 1632 RtxTimerStart(); 1634 EAP_SUCCESS && 1ST_EAP=Success WAIT_PFEA 1635 1ST_EAP==Unset && PFER.insert_avp 1636 SEPARATE==Set ("EAP-Payload"); 1637 if (new_key_available()) 1638 PFER.insert_avp 1639 ("Key-Id"); 1640 if (key_available()) 1641 PFER.insert_avp("MAC"); 1642 PFER.S_flag=1; 1643 if (NAP_AUTH) 1644 PFER.N_flag=1; 1645 Tx:PFER(); 1646 RtxTimerStart(); 1648 EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA 1649 1ST_EAP==Unset && if (key_available()) 1650 SEPARATE==Set && PFER.insert_avp("MAC"); 1651 ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1; 1652 ==Unset if (NAP_AUTH) 1653 PFER.N_flag=1; 1654 Tx:PFER(); 1655 RtxTimerStart(); 1657 EAP_TIMEOUT && 1ST_EAP=Failure WAIT_FAIL_PFEA 1658 1ST_EAP==Unset && if (key_available()) 1659 SEPARATE==Set && PFER.insert_avp("MAC"); 1660 ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset; 1661 ==Set PFER.S_flag=0; 1662 Tx:PFER(); 1663 RtxTimerStart(); 1664 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1665 - - - - - - -(Receiving EAP-Success/Failure for 2nd EAP)- - - - 1666 EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA 1667 1ST_EAP==Failure && ("EAP-Payload"); 1668 SEPARATE==Set if (key_available()) 1669 PBR.insert_avp("MAC"); 1670 PBR.S_flag=1; 1671 if (NAP_AUTH) 1672 PBR.N_flag=1; 1673 Tx:PBR(); 1674 RtxTimerStart(); 1676 EAP_FAILURE && PBR.insert_avp WAIT_SUCC_PBA 1677 1ST_EAP==Success && ("EAP-Payload"); 1678 SEPARATE==Set && if (CARRY_DEVICE_ID==Set) 1679 Authorize() PBR.insert_avp 1680 ("Device-Id"); 1681 if (CARRY_LIFETIME==Set) 1682 PBR.insert_avp 1683 ("Session-Lifetime"); 1684 if (PROTECTION_CAP_IN_PBR 1685 ==Set) 1686 PBR.insert_avp 1687 ("Protection-Cap."); 1688 if (new_key_available()) 1689 PBR.insert_avp 1690 ("Key-Id"); 1691 if (key_available()) 1692 PBR.insert_avp("MAC"); 1693 PBR.S_flag=1; 1694 if (NAP_AUTH) 1695 PBR.N_flag=1; 1696 Tx:PBR(); 1697 RtxTimerStart(); 1699 EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA 1700 1ST_EAP==Success && ("EAP-Payload"); 1701 SEPARATE==Set && if (key_available()) 1702 !Authorize() PBR.insert_avp("MAC"); 1703 PBR.S_flag=1; 1704 if (NAP_AUTH) 1705 PBR.N_flag=1; 1706 Tx:PBR(); 1707 RtxTimerStart(); 1709 EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA 1710 1ST_EAP==Success && ("EAP-Payload"); 1711 SEPARATE==Set && if (CARRY_DEVICE_ID==Set) 1712 Authorize() PBR.insert_avp 1713 ("Device-Id"); 1714 if (CARRY_LIFETIME==Set) 1715 PBR.insert_avp 1716 ("Session-Lifetime"); 1717 if (PROTECTION_CAP_IN_PBR 1718 ==Set) 1719 PBR.insert_avp 1720 ("Protection-Cap."); 1721 if (new_key_available()) 1722 PBR.insert_avp 1723 ("Key-Id"); 1724 if (key_available()) 1725 PBR.insert_avp("MAC"); 1726 PBR.S_flag=1; 1727 if (NAP_AUTH) 1728 PBR.N_flag=1; 1729 Tx:PBR(); 1730 RtxTimerStart(); 1732 EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA 1733 1ST_EAP==Success && ("EAP-Payload"); 1734 SEPARATE==Set && if (new_key_available()) 1735 !Authorize() PBR.insert_avp 1736 ("Key-Id"); 1737 if (key_available()) 1738 PBR.insert_avp("MAC"); 1739 PBR.S_flag=1; 1740 if (NAP_AUTH) 1741 PBR.N_flag=1; 1742 Tx:PBR(); 1743 RtxTimerStart(); 1745 EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA 1746 1ST_EAP==Failure && ("EAP-Payload"); 1747 SEPARATE==Set && if (CARRY_DEVICE_ID==Set) 1748 Authorize() PBR.insert_avp 1749 ("Device-Id"); 1750 if (CARRY_LIFETIME==Set) 1751 PBR.insert_avp 1752 ("Session-Lifetime"); 1754 if (PROTECTION_CAP_IN_PBR 1755 ==Set) 1756 PBR.insert_avp 1757 ("Protection-Cap."); 1758 if (new_key_available()) 1759 PBR.insert_avp 1760 ("Key-Id"); 1761 if (key_available()) 1762 PBR.insert_avp("MAC"); 1763 PBR.S_flag=1; 1764 if (NAP_AUTH) 1765 PBR.N_flag=1; 1766 Tx:PBR(); 1767 RtxTimerStart(); 1769 EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA 1770 1ST_EAP==Failure && ("EAP-Payload"); 1771 SEPARATE==Set && if (key_available()) 1772 !Authorize() PBR.insert_avp("MAC"); 1773 PBR.S_flag=1; 1774 if (NAP_AUTH) 1775 PBR.N_flag=1; 1776 Tx:PBR(); 1777 RtxTimerStart(); 1779 EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA 1780 1ST_EAP==Failure && PBR.insert_avp("MAC"); 1781 SEPARATE==Set PBR.S_flag=1; 1782 if (NAP_AUTH) 1783 PBR.N_flag=1; 1784 Tx:PBR(); 1785 RtxTimerStart(); 1787 EAP_TIMEOUT && if (CARRY_DEVICE_ID==Set) WAIT_SUCC_PBA 1788 1ST_EAP==Success && PBR.insert_avp 1789 SEPARATE==Set && ("Device-Id"); 1790 Authorize() if (CARRY_LIFETIME==Set) 1791 PBR.insert_avp 1792 ("Session-Lifetime"); 1793 if (PROTECTION_CAP_IN_PBR 1794 ==Set) 1795 PBR.insert_avp 1796 ("Protection-Cap."); 1797 if (new_key_available()) 1798 PBR.insert_avp 1799 ("Key-Id"); 1800 if (key_available()) 1801 PBR.insert_avp("MAC"); 1802 PBR.S_flag=1; 1803 if (NAP_AUTH) 1804 PBR.N_flag=1; 1805 Tx:PBR(); 1806 RtxTimerStart(); 1808 EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA 1809 1ST_EAP==Success && PBR.insert_avp("MAC"); 1810 SEPARATE==Set && PBR.S_flag=1; 1811 !Authorize() if (NAP_AUTH) 1812 PBR.N_flag=1; 1813 Tx:PBR(); 1814 RtxTimerStart(); 1815 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1817 ---------------- 1818 State: WAIT_PFEA 1819 ---------------- 1821 Event/Condition Action Exit State 1822 ------------------------+--------------------------+------------ 1823 - - - - - - - - - - - -(PFEA Processing)- - - - - - - - - - - - 1824 Rx:PFEA && RtxTimerStop(); WAIT_EAP_MSG 1825 (1ST_EAP==Success || EAP_Restart(); 1826 (PFEA.S_flag==1 && if (NAP_AUTH==Set) 1827 1ST_EAP==Failure)) NAP_AUTH=Unset; 1828 else 1829 NAP_AUTH=Set; 1831 Rx:PFEA && RtxTimerStop(); CLOSED 1832 PFEA.S_flag==0 && Disconnect(); 1833 1ST_EAP==Failure 1834 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1836 --------------------- 1837 State: WAIT_FAIL_PFEA 1838 --------------------- 1840 Event/Condition Action Exit State 1841 ------------------------+--------------------------+------------ 1842 - - - - - - - - - - - - - -(PFEA Processing)- - - - - - - - - - 1843 Rx:PFEA RtxTimerStop(); CLOSED 1844 Disconnect(); 1845 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1847 -------------------- 1848 State: WAIT_SUCC_PBA 1849 -------------------- 1851 Event/Condition Action Exit State 1852 ------------------------+--------------------------+------------ 1853 - - - - - - - - - - - - - (PBA Processing)- - - - - - - - - - - 1854 Rx:PBA && SessionTimerStart(); OPEN 1855 (CARRY_DEVICE_ID==Unset || 1856 (CARRY_DEVICE_ID==Set && 1857 PBA.exit_avp("Device-Id"))) 1859 Rx:PBA && PER.RESULT_CODE= WAIT_PEA 1860 CARRY_DEVICE_ID==Set && PANA_MISSING_AVP 1861 !PBA.exit_avp Tx:PER(); 1862 ("Device-Id") RtxTimerStart(); 1863 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1865 -------------------- 1866 State: WAIT_FAIL_PBA 1867 -------------------- 1869 Exit Condition Exit Action Exit State 1870 ------------------------+--------------------------+------------ 1871 - - - - - - - - - - - - - - (PBA Processing)- - - - - - - - - - 1872 Rx:PBA RtxTimerStop(); CLOSED 1873 Disconnect(); 1874 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1876 ----------- 1877 State: OPEN 1878 ----------- 1880 Event/Condition Action Exit State 1881 ------------------------+--------------------------+------------ 1882 - - - - - - - - (re-authentication initiated by PaC) - - - - - - 1883 Rx:PRAR if (key_available()) WAIT_EAP_MSG 1884 PRAA.insert_avp("MAC"); 1885 EAP_Restart(); 1886 1ST_EAP=Unset; 1887 NAP_AUTH=Set|Unset; 1888 Tx:PRAA(); 1889 SessionTimerStop(); 1890 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1891 - - - - - - - - (re-authentication initiated by PAA)- - - - - - 1892 REAUTH EAP_Restart(); WAIT_EAP_MSG 1893 1ST_EAP=Unset; 1894 NAP_AUTH=Set|Unset; 1895 SessionTimerStop(); 1896 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1897 - - (liveness test based on PPR-PPA exchange initiated by PAA)- 1898 PANA_PING Tx:PPR(); WAIT_PPA 1899 RtxTimerStart(); 1900 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1901 - - (liveness test based on PPR-PPA exchange initiated by PaC)- 1902 Rx:PPR if (key_available()) OPEN 1903 PPA.insert_avp("MAC"); 1904 Tx:PPA(); 1905 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1906 - - - - - - - - (Session termination initated from PAA) - - - - 1907 TERMINATE if (key_available()) SESS_TERM 1908 PTR.insert_avp("MAC"); 1909 Tx:PTR(); 1910 RtxTimerStart(); 1911 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1912 - - - - - - - - (Session termination initated from PaC) - - - - 1913 Rx:PTR if (key_available()) CLOSED 1914 PTA.insert_avp("MAC"); 1915 Tx:PTA(); 1916 Disconnect(); 1917 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1918 - - - - - - - - - -(Notification message) - - - - - - - - - - - 1919 NOTIFY if (key_available()) WAIT_PUA 1920 PUR.insert_avp("MAC"); 1921 Tx:PUR(); 1922 RtxTimerStart(); 1923 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1924 - - - - - - - -(Notification/Address update) - - - - - - - - - 1925 Rx:PUR If (key_avaialble()) OPEN 1926 PUA.insert_avp("MAC"); 1927 Tx:PUA(); 1928 if (new_source_address()) 1929 update_popa(); 1930 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1932 --------------- 1933 State: WAIT_PPA 1934 --------------- 1936 Exit Condition Exit Action Exit State 1937 ------------------------+--------------------------+------------ 1938 - - - - - - - - - - - - - -(PPA processing) - - - - - - - - - - 1939 Rx:PPA RtxTimerStop(); OPEN 1940 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1942 ---------------------- 1943 State: WAIT_PAN_OR_PAR 1944 ---------------------- 1946 Exit Condition Exit Action Exit State 1947 ------------------------+--------------------------+------------ 1948 - - - - - - (Pass EAP Response to the EAP authenticator)- - - - 1949 Rx:PAN && TxEAP(); WAIT_EAP_MSG 1950 PAN.exist_avp 1951 ("EAP-Payload") 1953 Rx:PAR TxEAP(); WAIT_EAP_MSG 1954 if (key_available()) 1955 PAN.insert_avp("MAC"); 1956 if (SEPARATE==Set) { 1957 PAN.S_flag=1; 1958 if (NAP_AUTH==Set) 1959 PAN.N_flag=1; 1960 } 1961 RtxTimerStop(); 1962 Tx:PAN(); 1963 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1964 - - - - - - - - - - (PAN without an EAP response) - - - - - - - 1965 Rx:PAN && RtxTimerStop(); WAIT_PAN_OR_PAR 1966 !PAN.exist_avp 1967 ("EAP-Payload") 1968 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1969 - - - - - - - - - - - -(EAP retransmission) - - - - - - - - - - 1970 EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR 1971 PAR.insert_avp("MAC"); 1972 if (SEPARATE==Set) { 1973 PAR.S_flag=1; 1974 if (NAP_AUTH==Set) 1975 PAR.N_flag=1; 1976 } 1977 Tx:PAR(); 1978 RtxTimerStart(); 1979 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1980 - - - - - - - - -(EAP authentication timeout)- - - - - - - - - 1981 EAP_TIMEOUT && if (key_available()) WAIT_PEA 1982 1ST_EAP==Unset && PER.insert_avp("MAC"); 1983 SEPARATE==Unset Tx:PER(); 1984 RtxTimerStart(); 1985 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1986 - - - - - -(EAP authentication timeout for 1st EAP)- - - - - - 1987 EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA 1988 1ST_EAP==Unset && if (key_available()) 1989 SEPARATE==Set && PFER.insert_avp("MAC"); 1990 ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1; 1991 ==Unset if (NAP_AUTH) 1992 PFER.N_flag=1; 1993 Tx:PFER(); 1994 RtxTimerStart(); 1996 EAP_TIMEOUT && 1ST_EAP=Failure WAIT_FAIL_PFEA 1997 1ST_EAP==Unset && if (key_available()) 1998 SEPARATE==Set && PFER.insert_avp("MAC"); 1999 ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset; 2000 ==Set PFER.S_flag=0; 2001 Tx:PFER(); 2002 RtxTimerStart(); 2003 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2004 - - - - - -(EAP authentication timeout for 2nd EAP)- - - - - - 2005 EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA 2006 1ST_EAP==Failure && PBR.insert_avp("MAC"); 2007 SEPARATE==Set PBR.S_flag=1; 2008 if (NAP_AUTH) 2009 PBR.N_flag=1; 2010 Tx:PBR(); 2011 RtxTimerStart(); 2013 EAP_TIMEOUT && if (CARRY_DEVICE_ID==Set) WAIT_SUCC_PBA 2014 1ST_EAP==Success && PBR.insert_avp 2015 SEPARATE==Set && ("Device-Id"); 2016 Authorize() if (CARRY_LIFETIME==Set) 2017 PBR.insert_avp 2018 ("Session-Lifetime"); 2019 if (PROTECTION_CAP_IN_PBR 2020 ==Set) 2021 PBR.insert_avp 2022 ("Protection-Cap."); 2023 if (new_key_available()) 2024 PBR.insert_avp 2025 ("Key-Id"); 2026 if (key_available()) 2027 PBR.insert_avp("MAC"); 2028 PBR.S_flag=1; 2029 if (NAP_AUTH) 2030 PBR.N_flag=1; 2031 Tx:PBR(); 2032 RtxTimerStart(); 2034 EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA 2035 1ST_EAP==Success && PBR.insert_avp("MAC"); 2036 SEPARATE==Set && PBR.S_flag=1; 2037 !Authorize() if (NAP_AUTH) 2038 PBR.N_flag=1; 2040 Tx:PBR(); 2041 RtxTimerStart(); 2043 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2045 --------------- 2046 State: WAIT_PUA 2047 --------------- 2049 Exit Condition Exit Action Exit State 2050 ------------------------+--------------------------+------------ 2051 - - - - - - - - - - - - - (PUA processing)- - - - - - - - - - - 2052 Rx:PUA RtxTimerStop(); OPEN 2053 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2055 ---------------- 2056 State: SESS_TERM 2057 ---------------- 2059 Exit Condition Exit Action Exit State 2060 ------------------------+--------------------------+------------ 2061 - - - - - - - - - - - - - -(PTA processing) - - - - - - - - - - 2062 Rx:PTA RtxTimerStop(); CLOSED 2063 Disconnect(); 2064 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2066 --------------- 2067 State: WAIT_PEA 2068 --------------- 2070 Exit Condition Exit Action Exit State 2071 ------------------------+--------------------------+------------ 2072 - - - - - - - - - - - - - -(PEA processing) - - - - - - - - - - 2073 Rx:PEA RtxTimerStop(); CLOSED 2074 Disconnect(); 2075 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2077 8. Mobility Optimization Support 2079 The state machines outlined in preceeding sections provide only PANA 2080 base protocol functionality. In order to support PANA mobility 2081 optimization outlined in [I-D.ietf-pana-mobopts], additions and 2082 changes to the PaC and PAA state machines is required. The additions 2083 and changes provides only basic mobility optimization and is not 2084 explicit on integration of other mobility functionality such as 2085 context-transfer mechanisms. However, it does provide enough 2086 flexibility to accomodate future inclusion of such mechanisms. 2088 The variables, procedures and state transition described in this 2089 section is designed to be seamlessly integrated into the appropriate 2090 base protocol state machines. They should be treated as a mobility 2091 optimization addendum to the base protocol state machine. In this 2092 addendum, no additional states has been defined but some 2093 modifications to the base protocol state machine is required. The 2094 modifications are to accomodate the mobility variables and procedures 2095 as they relate to existing state transition actions and events. 2096 These modifications to existing state transition are noted in state 2097 transition tables in this section. These modified state transitions 2098 are intended to replace thier base protocol counterpart. Addition of 2099 new state transitions specific to mobility optimization is also 2100 present. Variable initialization also need to be added to the 2101 appropriate base protocol state to complete the mobility optimization 2102 support. 2104 8.1 Common Variables 2106 MOBILITY 2108 This variable indicates whether the mobility handling feature 2109 described in [I-D.ietf-pana-mobopts] is supported. This should be 2110 present in both PaC and PAA state machine. Existing state 2111 transitions in the base protocol state machine that can be 2112 affected by mobility optimization must treat this variable as 2113 being Unset unless the state transitions is explicitly redefined 2114 in this section. 2116 8.2 PaC Mobility Optimization State Machine 2118 8.2.1 Variables 2120 PANA_SA_RESUMED 2121 This variable indicates whether the PANA SA of a previous PANA 2122 session was resumed during the discovery and initial handshake. 2124 8.2.2 Procedures 2126 boolean resume_pana_sa() 2128 This procedure returns TRUE when a PANA SA for a previously 2129 established PANA Session is resumed, otherwise returns FALSE. 2130 Once a PANA SA is resumed, key_available() procedure must return 2131 TRUE. Existing state transitions in the base protocol state 2132 machine that can be affected by mobility optimization must assume 2133 that this procedure always returns FALSE unless the state 2134 transition is explicitly redefined in this section. 2136 8.2.3 PaC Mobility Optimization State Transition Table Addendum 2138 ------------------------------ 2139 State: OFFLINE (Initial State) 2140 ------------------------------ 2142 Initialization Action: 2144 MOBILITY=Set|Unset; 2145 PANA_SA_RESUMED=Unset; 2147 Exit Condition Exit Action Exit State 2148 ------------------------+--------------------------+------------ 2149 - - - - - - - - (PSR processing with mobility support)- - - - - 2150 - The following state transitions are intended to be added - 2151 - to the OFFLINE state of the PaC base protocol state - 2152 - machine. - 2153 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2154 Rx:PSR && RtxTimerStop(); WAIT_PAA 2155 !PSR.exist_avp PSA.insert_avp 2156 ("EAP-Payload") && ("Session-Id"); 2157 MOBILITY==Set && SEPARATE=Unset; 2158 resume_pana_sa() && PANA_SA_RESUMED=Set; 2159 PSR.exist_avp PSA.insert_avp("Cookie"); 2160 ("Cookie") PSA.insert_avp("MAC"); 2161 Tx:PSA(); 2162 RtxTimerStart(); 2164 Rx:PSR && RtxTimerStop(); WAIT_PAA 2165 !PSR.exist_avp PSA.insert_avp 2166 ("EAP-Payload") && ("Session-Id"); 2167 MOBILITY==Set && PSA.insert_avp("MAC"); 2168 resume_pana_sa() && Tx:PSA(); 2169 !PSR.exist_avp PANA_SA_RESUMED=Set; 2170 ("Cookie") 2172 --------------- 2173 State: WAIT_PAA 2174 --------------- 2176 Exit Condition Exit Action Exit State 2177 ------------------------+--------------------------+------------ 2178 - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - - 2179 - The following state transitions are intended to replace - 2180 - existing base protocol state transitions. Original base - 2181 - protocol state transitions can be referenced by the same - 2182 - exit conditions that exist in the WAIT_PAA state of the PaC - 2183 - base protocol state machine. - 2184 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2185 Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG 2186 !eap_piggyback() TxEAP(); 2187 PANA_SA_RESUMED=Unset; 2188 EAP_RespTimerStart(); 2189 if (key_available()) 2190 PAN.insert_avp("MAC"); 2191 PAN.S_flag=PAR.S_flag; 2192 PAN.N_flag=PAR.N_flag; 2193 Tx:PAN(); 2195 Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG 2196 eap_piggyback() TxEAP(); 2197 PANA_SA_RESUMED=Unset; 2198 EAP_RespTimerStart(); 2200 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2201 - - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - - 2202 - The following state transitions are intended to replace - 2203 - existing base protocol state transitions. Original base - 2204 - protocol state transitions can be referenced by exit - 2205 - conditions that excludes PANA_SA_RESUMED variable checks. - 2206 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2207 Rx:PBR && TxEAP(); WAIT_EAP_RESULT 2208 1ST_EAP==Unset && if (PBR.exist_avp 2209 SEPARATE==Unset && ("Device-Id")) 2210 PBR.RESULT_CODE== CARRY_DEVICE_ID=Set; 2211 PANA_SUCCESS && 2212 PANA_SA_RESUMED!=Set 2214 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2215 - - - - - - - - (PBR processing with mobility support)- - - - - 2216 - The following state transitions are intended to be added - 2217 - to the WAIT_PAA state of the PaC base protocol state - 2218 - machine. - 2219 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2220 Rx:PBR && PBA.insert_avp("Key-Id"); OPEN 2221 1ST_EAP==Unset && PBA.insert_avp("MAC"); 2222 SEPARATE==Unset && if (PBR.exist_avp 2223 PBR.RESULT_CODE== ("Device-Id")) 2224 PANA_SUCCESS && PBA.insert("Device-Id"); 2225 PANA_SA_RESUMED==Set && Tx:PBA(); 2226 PBR.exist_avp Authorize(); 2227 ("Key-Id") && SessionTimerStart(); 2228 PBR.exist_avp 2229 ("MAC") 2231 ----------- 2232 State: OPEN 2233 ----------- 2235 Exit Condition Exit Action Exit State 2236 ------------------------+--------------------------+------------- 2237 - - - - - - - - - (re-authentication initiated by PaC)- - - - - - 2238 - The following state transitions are intended to replace - 2239 - existing base protocol state transitions. Original base - 2240 - protocol state transitions can be referenced by the same - 2241 - exit conditions that exist in the OPEN state of the PaC - 2242 - base protocol state machine. - 2243 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2244 REAUTH SEPARATE=Set|Unset; WAIT_PRAA 2245 1ST_EAP=Unset; 2246 PANA_SA_RESUMED=Unset; 2247 if (key_available()) 2248 PRAR.insert_avp("MAC"); 2249 Tx:PRAR(); 2250 RtxTimerStart(); 2251 SessionTimerStop(); 2252 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2253 - - - - - - - - - (re-authentication initiated by PAA)- - - - - - 2254 Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG 2255 !eap_piggyback() 1ST_EAP=Unset; 2256 PANA_SA_RESUMED=Unset; 2257 EAP_RespTimerStart(); 2258 TxEAP(); 2259 if (key_available()) 2260 PAN.insert_avp("MAC"); 2261 PAN.S_flag=PAR.S_flag; 2262 PAN.N_flag=PAR.N_flag; 2263 Tx:PAN(); 2264 SessionTimerStop(); 2266 Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG 2267 eap_piggyback() 1ST_EAP=Unset; 2268 PANA_SA_RESUMED=Unset; 2269 EAP_RespTimerStart(); 2270 TxEAP(); 2271 SessionTimerStop(); 2273 8.3 PAA Mobility Optimization 2275 8.3.1 Procedures 2277 boolean retrieve_pana_sa(Session-Id) 2279 This procedure returns TRUE when a PANA SA for the PANA Session 2280 corresponds to the specified Session-Id has been retrieved, 2281 otherwise returns FALSE. 2283 8.3.2 PAA Mobility Optimization State Transition Table Addendum 2284 ------------------------------ 2285 State: OFFLINE (Initial State) 2286 ------------------------------ 2288 Initialization Action: 2290 MOBILITY=Set|Unset; 2292 Exit Condition Exit Action Exit State 2293 ------------------------+--------------------------+------------ 2294 - - - - - - - (PSA processing without mobility support) - - - - 2295 - The following state transitions are intended to replace - 2296 - existing base protocol state transitions. Original base - 2297 - protocol state transitions can be referenced by exit - 2298 - conditions that excludes MOBILITY variable checks and - 2299 - retrieve_pana_sa() procedure calls. - 2300 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2301 Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG 2302 USE_COOKIE==Set && PSA.S_flag==0) 2303 (!PSA.exist_avp SEPARATE=Unset; 2304 ("Session-Id") || if (SEPARATE==Set) 2305 MOBILITY==Unset || NAP_AUTH=Set|Unset; 2306 (MOBILITY==Set && EAP_Restart(); 2307 !retrieve_pana_sa 2308 (PSA.SESSION_ID))) 2309 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2310 - - - - - - - - (PSA processing with mobility support)- - - - - 2311 Rx:PSA && PBR.insert_avp("MAC"); WAIT_SUCC_PBA 2312 USE_COOKIE==Set && PBR.insert_avp("Key-Id"); 2313 PSA.exist_avp if (CARRY_DEVICE_ID==Set) 2314 ("Session-Id") && PBR.insert_avp 2315 MOBILITY==Set && ("Device-Id"); 2316 retrieve_pana_sa if (PROTECTION_CAP_IN_PBR 2317 (PSA.SESSION_ID) ==Set) 2318 PBR.insert_avp 2319 ("Protection-Cap."); 2320 Tx:PBR(); 2321 RtxTimerStart(); 2322 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2324 9. Implementation Considerations 2326 9.1 PAA and PaC Interface to Service Management Entity 2328 In general, it is assumed in each device that has a PANA protocol 2329 stack that there is a Service Management Entity (SME) that manages 2330 the PANA protocol stack. It is recommended that a generic interface 2331 (i.e., the SME-PANA interface) between the SME and the PANA protocol 2332 stack be provided by the implementation. Especially, common 2333 procedures such as startup, shutdown, re-authenticate signals and 2334 provisions for extracting keying material should be provided by such 2335 an interface. The SME-PANA interface in a PAA device should also 2336 provide a method for communicating filtering parameters to the EP(s). 2337 When cryptographic filtering is used, the filtering parameters 2338 include keying material used for bootstrapping per-packet ciphering. 2339 When a PAA device interacts with the backend authentication server 2340 using a AAA protocol, its SME may also have an interface to the AAA 2341 protocol to obtain authorization parameters such as the authorization 2342 lifetime and additional filtering parameters. 2344 9.2 Multicast Traffic 2346 In general, binding a UDP socket to a multicast address and/or port 2347 is system dependent. In most systems, a socket can be bound to any 2348 address and a specific port. This allows the socket to receive all 2349 packets destined for the local host (on all it's local addresses) for 2350 that port. If the host subscribes to a multicast addresses then this 2351 socket will also receive multicast traffic as well. In some systems, 2352 this would also result in the socket receiving all multicast traffic 2353 even though it has subscribed to only one multicast address. This is 2354 because most physical interfaces has either multicast traffic enabled 2355 or disabled and does not provide specific address filtering. 2356 Normally, it is not possible to filter out specific traffic on a 2357 socket from the user level. Most environments provides lower layer 2358 filtering that allows the use of only one socket to receive both 2359 unicast and specific multicast address. However it might introduce 2360 portability problems. 2362 10. Security Considerations 2364 This document's intent is to describe the PANA state machines fully. 2365 To this end, any security concerns with this document are likely a 2366 reflection of security concerns with PANA itself. 2368 11. IANA Considerations 2370 This document has no actions for IANA. 2372 12. Acknowledgments 2374 This work was started from state machines originally made by Dan 2375 Forsberg. 2377 13. References 2379 13.1 Normative References 2381 [I-D.ietf-pana-pana] 2382 Forsberg, D., "Protocol for Carrying Authentication for 2383 Network Access (PANA)", draft-ietf-pana-pana-08 (work in 2384 progress), May 2005. 2386 [I-D.ietf-eap-statemachine] 2387 Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, 2388 "State Machines for Extensible Authentication Protocol 2389 (EAP) Peer and Authenticator", 2390 draft-ietf-eap-statemachine-06 (work in progress), 2391 December 2004. 2393 [I-D.ietf-pana-mobopts] 2394 Forsberg, D., "PANA Mobility Optimizations", 2395 draft-ietf-pana-mobopts-00 (work in progress), 2396 January 2005. 2398 13.2 Informative References 2400 [RFC4058] Yegin, A., Ohba, Y., Penno, R., Tsirtsis, G., and C. Wang, 2401 "Protocol for Carrying Authentication for Network Access 2402 (PANA) Requirements", RFC 4058, May 2005. 2404 [I-D.ietf-pana-snmp] 2405 Mghazli, Y., "SNMP usage for PAA-EP interface", 2406 draft-ietf-pana-snmp-04 (work in progress), July 2005. 2408 Authors' Addresses 2410 Victor Fajardo 2411 Toshiba America Research, Inc. 2412 1 Telcordia Drive 2413 Piscataway, NJ 08854 2414 USA 2416 Phone: +1 732 699 5368 2417 Email: vfajardo@tari.toshiba.com 2418 Yoshihiro Ohba 2419 Toshiba America Research, Inc. 2420 1 Telcordia Drive 2421 Piscataway, NJ 08854 2422 USA 2424 Phone: +1 732 699 5305 2425 Email: yohba@tari.toshiba.com 2427 Rafa Marin Lopez 2428 University of Murcia 2429 30071 Murcia 2430 Spain 2432 Email: rafa@dif.um.es 2434 Intellectual Property Statement 2436 The IETF takes no position regarding the validity or scope of any 2437 Intellectual Property Rights or other rights that might be claimed to 2438 pertain to the implementation or use of the technology described in 2439 this document or the extent to which any license under such rights 2440 might or might not be available; nor does it represent that it has 2441 made any independent effort to identify any such rights. Information 2442 on the procedures with respect to rights in RFC documents can be 2443 found in BCP 78 and BCP 79. 2445 Copies of IPR disclosures made to the IETF Secretariat and any 2446 assurances of licenses to be made available, or the result of an 2447 attempt made to obtain a general license or permission for the use of 2448 such proprietary rights by implementers or users of this 2449 specification can be obtained from the IETF on-line IPR repository at 2450 http://www.ietf.org/ipr. 2452 The IETF invites any interested party to bring to its attention any 2453 copyrights, patents or patent applications, or other proprietary 2454 rights that may cover technology that may be required to implement 2455 this standard. Please address the information to the IETF at 2456 ietf-ipr@ietf.org. 2458 Disclaimer of Validity 2460 This document and the information contained herein are provided on an 2461 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 2462 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 2463 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 2464 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 2465 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 2466 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 2468 Copyright Statement 2470 Copyright (C) The Internet Society (2005). This document is subject 2471 to the rights, licenses and restrictions contained in BCP 78, and 2472 except as set forth therein, the authors retain all their rights. 2474 Acknowledgment 2476 Funding for the RFC Editor function is currently provided by the 2477 Internet Society.