idnits 2.17.1 draft-ietf-pana-statemachine-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 18. -- Found old boilerplate from RFC 3978, Section 5.5 on line 2481. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 2458. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 2465. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 2471. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 447: '... variable MUST be set when a link...' Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 18, 2005) is 6764 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC4058' is defined on line 2414, but no explicit reference was found in the text == Unused Reference: 'I-D.ietf-pana-snmp' is defined on line 2418, but no explicit reference was found in the text == Outdated reference: A later version (-18) exists of draft-ietf-pana-pana-10 ** Downref: Normative reference to an Informational draft: draft-ietf-eap-statemachine (ref. 'I-D.ietf-eap-statemachine') == Outdated reference: A later version (-01) exists of draft-ietf-pana-mobopts-00 -- Possible downref: Normative reference to a draft: ref. 'I-D.ietf-pana-mobopts' == Outdated reference: A later version (-06) exists of draft-ietf-pana-snmp-04 Summary: 5 errors (**), 0 flaws (~~), 7 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 PANA Working Group V. Fajardo 3 Internet-Draft Y. Ohba 4 Expires: April 21, 2006 TARI 5 R. Lopez 6 Univ. of Murcia 7 October 18, 2005 9 State Machines for Protocol for Carrying Authentication for Network 10 Access (PANA) 11 draft-ietf-pana-statemachine-02 13 Status of this Memo 15 By submitting this Internet-Draft, each author represents that any 16 applicable patent or other IPR claims of which he or she is aware 17 have been or will be disclosed, and any of which he or she becomes 18 aware will be disclosed, in accordance with Section 6 of BCP 79. 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF), its areas, and its working groups. Note that 22 other groups may also distribute working documents as Internet- 23 Drafts. 25 Internet-Drafts are draft documents valid for a maximum of six months 26 and may be updated, replaced, or obsoleted by other documents at any 27 time. It is inappropriate to use Internet-Drafts as reference 28 material or to cite them other than as "work in progress." 30 The list of current Internet-Drafts can be accessed at 31 http://www.ietf.org/ietf/1id-abstracts.txt. 33 The list of Internet-Draft Shadow Directories can be accessed at 34 http://www.ietf.org/shadow.html. 36 This Internet-Draft will expire on April 21, 2006. 38 Copyright Notice 40 Copyright (C) The Internet Society (2005). 42 Abstract 44 This document defines the conceptual state machines for the Protocol 45 for Carrying Authentication for Network Access (PANA). The state 46 machines consist of the PANA Client (PaC) state machine and the PANA 47 Authentication Agent (PAA) state machine. The two state machines 48 show how PANA can interface to EAP state machines and can be 49 implemented with supporting various features including separate NAP 50 and ISP authentications, ISP selection and mobility optimization. 51 The state machines and associated model are informative only. 52 Implementations may achieve the same results using different methods. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 57 2. Interface Between PANA and EAP . . . . . . . . . . . . . . . . 5 58 3. Document Authority . . . . . . . . . . . . . . . . . . . . . . 7 59 4. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 8 60 5. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 10 61 5.1. Common Procedures . . . . . . . . . . . . . . . . . . . . 10 62 5.2. Common Variables . . . . . . . . . . . . . . . . . . . . . 12 63 5.3. Constants . . . . . . . . . . . . . . . . . . . . . . . . 13 64 5.4. Common Message Initialization Rules . . . . . . . . . . . 13 65 5.5. Common Error Handling Rules . . . . . . . . . . . . . . . 14 66 5.6. Common State Transitions . . . . . . . . . . . . . . . . . 14 67 6. PaC State Machine . . . . . . . . . . . . . . . . . . . . . . 16 68 6.1. Interface between PaC and EAP Peer . . . . . . . . . . . . 16 69 6.1.1. Delivering EAP Messages from PaC to EAP Peer . . . . . 16 70 6.1.2. Delivering EAP Responses from EAP Peer to PaC . . . . 16 71 6.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 16 72 6.1.4. EAP Authentication Result Notification from EAP 73 Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17 74 6.1.5. Alternate Failure Notification from PaC to EAP Peer . 17 75 6.1.6. EAP Invalid Message Notification from EAP Peer to 76 PaC . . . . . . . . . . . . . . . . . . . . . . . . . 17 77 6.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 17 78 6.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 18 79 6.4. PaC State Transition Table . . . . . . . . . . . . . . . . 19 80 7. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 31 81 7.1. Interface between PAA and EAP Authenticator . . . . . . . 31 82 7.1.1. EAP Restart Notification from PAA to EAP 83 Authenticator . . . . . . . . . . . . . . . . . . . . 31 84 7.1.2. Delivering EAP Responses from PAA to EAP 85 Authenticator . . . . . . . . . . . . . . . . . . . . 31 86 7.1.3. Delivering EAP Messages from EAP Authenticator to 87 PAA . . . . . . . . . . . . . . . . . . . . . . . . . 31 88 7.1.4. EAP Authentication Result Notification from EAP 89 Authenticator to PAA . . . . . . . . . . . . . . . . . 31 90 7.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 32 91 7.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 34 92 7.4. PAA State Transition Table . . . . . . . . . . . . . . . . 34 93 8. Mobility Optimization Support . . . . . . . . . . . . . . . . 49 94 8.1. Common Variables . . . . . . . . . . . . . . . . . . . . . 49 95 8.2. PaC Mobility Optimization State Machine . . . . . . . . . 49 96 8.2.1. Variables . . . . . . . . . . . . . . . . . . . . . . 49 97 8.2.2. Procedures . . . . . . . . . . . . . . . . . . . . . . 50 98 8.2.3. PaC Mobility Optimization State Transition Table 99 Addendum . . . . . . . . . . . . . . . . . . . . . . . 50 100 8.3. PAA Mobility Optimization . . . . . . . . . . . . . . . . 53 101 8.3.1. Procedures . . . . . . . . . . . . . . . . . . . . . . 53 102 8.3.2. PAA Mobility Optimization State Transition Table 103 Addendum . . . . . . . . . . . . . . . . . . . . . . . 53 104 9. Implementation Considerations . . . . . . . . . . . . . . . . 55 105 9.1. PAA and PaC Interface to Service Management Entity . . . . 55 106 9.2. Multicast Traffic . . . . . . . . . . . . . . . . . . . . 55 107 10. Security Considerations . . . . . . . . . . . . . . . . . . . 56 108 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 57 109 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 58 110 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 59 111 13.1. Normative References . . . . . . . . . . . . . . . . . . . 59 112 13.2. Informative References . . . . . . . . . . . . . . . . . . 59 113 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 60 114 Intellectual Property and Copyright Statements . . . . . . . . . . 61 116 1. Introduction 118 This document defines the state machines for Protocol Carrying 119 Authentication for Network Access (PANA) [I-D.ietf-pana-pana]. There 120 are state machines for the PANA client (PaC) and for the PANA 121 Authentication Agent (PAA). Each state machine is specified through 122 a set of variables, procedures and a state transition table. 124 A PANA protocol execution consists of several exchanges to carry 125 authentication information. Specifically, EAP PDUs are transported 126 inside PANA PDUs between PaC and PAA, that is PANA represents a lower 127 layer for EAP protocol. Thus, a PANA state machine bases its 128 execution on an EAP state machine execution and vice versa. Thus 129 this document also shows for each of PaC and PAA an interface between 130 an EAP state machine and a PANA state machine and how this interface 131 allows to exchange information between them. Thanks to this 132 interface, a PANA state machine can be informed about several events 133 generated in an EAP state machine and make its execution conditional 134 to its events. 136 The details of EAP state machines are out of the scope of this 137 document. Additional information can be found in [I-D.ietf-eap- 138 statemachine]. Nevertheless PANA state machines presented here have 139 been coordinated with state machines shown by [I-D.ietf-eap- 140 statemachine]. 142 This document, apart from defining PaC and PAA state machines and 143 their interfaces to EAP state machines (running on top of PANA), 144 provides some implementation considerations, taking into account that 145 it is not a specification but an implementation guideline. 147 2. Interface Between PANA and EAP 149 PANA carries EAP messages exchanged between an EAP peer and an EAP 150 authenticator (see Figure 1). Thus a PANA state machine must 151 interact with an EAP state machine. 153 Two state machines are defined in this document : the PaC state 154 machine (see Section 6) and the PAA state machine (see Section 7). 155 The definition of each state machine consists of a set of variables, 156 procedures and a state transition table. A subset of these variables 157 and procedures defines the interface between a PANA state machine and 158 an EAP state machine and the state transition table defines the PANA 159 state machine behavior based on results obtained through them. 161 On the one hand, the PaC state machine interacts with an EAP peer 162 state machine in order to carry out the PANA protocol on the PaC 163 side. On the other hand, the PAA state machine interacts with an EAP 164 authenticator state machine to run the PANA protocol on the PAA side. 166 Peer |EAP Auth 167 EAP <---------|------------> EAP 168 ^ | | ^ | 169 EAP-Request | | | EAP-Response | | EAP-Request 170 EAP-Success | |EAP-Response | | |EAP-Success 171 EAP-Failure | v |PANA | vEAP-Failure 172 PaC <---------|------------> PAA 174 Figure 1: Interface between PANA and EAP 176 Thus two interfaces are needed between PANA state machines and EAP 177 state machines, namely: 179 o Interface between the PaC state machine and the EAP peer state 180 machine 182 o Interface between the PAA state machine and the EAP authenticator 183 state machine 185 In general, the PaC state machine presents EAP messages (EAP-Request, 186 EAP-Success and EAP-Failure messages) to the EAP peer state machine 187 through the interface. The EAP peer state machine processes these 188 messages and sends EAP messages (EAP-Response messages) through the 189 PaC state machine that is responsible for actually transmitting this 190 message. 192 On the other hand, the PAA state machine presents response messages 193 (EAP-Response messages) to the EAP authenticator state machine 194 through interface defined between them. The EAP authenticator 195 processes these messages and generate EAP messages (EAP-Request, EAP- 196 Success and EAP-Failure messages) that are send to the PAA state 197 machine to be sent. 199 For example, [I-D.ietf-eap-statemachine] specifies four interfaces to 200 lower layers: (i) an interface between the EAP peer state machine and 201 a lower layer, (ii) an interface between the EAP standalone 202 authenticator state machine and a lower layer, (iii) an interface 203 between the EAP full authenticator state machine and a lower layer 204 and (iv) an interface between the EAP backend authenticator state 205 machine and a lower layer. In this document, the PANA protocol is 206 the lower layer of EAP and only the first three interfaces are of 207 interest to PANA. The second and third interfaces are the same. In 208 this regard, the EAP standalone authenticator or the EAP full 209 authenticator and its state machine in [I-D.ietf-eap-statemachine] 210 are referred to as the EAP authenticator and the EAP authenticator 211 state machine, respectively, in this document. If an EAP peer and an 212 EAP authenticator follow the state machines defined in [I-D.ietf-eap- 213 statemachine], the interfaces between PANA and EAP could be based on 214 that document. Detailed definition of interfaces between PANA and 215 EAP are described in the subsequent sections. 217 3. Document Authority 219 When a discrepancy occurs between any part of this document and any 220 of the related documents ([I-D.ietf-pana-pana], [I-D.ietf-pana- 221 mobopts], [I-D.ietf-eap-statemachine] the latter (the other 222 documents) are considered authoritative and takes precedence. 224 4. Notations 226 The following state transition tables are completed mostly based on 227 the conventions specified in [I-D.ietf-eap-statemachine]. The 228 complete text is described below. 230 State transition tables are used to represent the operation of the 231 protocol by a number of cooperating state machines each comprising a 232 group of connected, mutually exclusive states. Only one state of 233 each machine can be active at any given time. 235 All permissible transitions from a given state to other states and 236 associated actions performed when the transitions occur are 237 represented by using triplets of (exit condition, exit action, exit 238 state). All conditions are expressions that evaluate to TRUE or 239 FALSE; if a condition evaluates to TRUE, then the condition is met. 240 A state "ANY" is a wildcard state that matches the current state in 241 each state machine. The exit conditions of a wildcard state are 242 evaluated after all other exit conditions of specific to the current 243 state are met. 245 On exit from a state, the exit actions defined for the state and the 246 exit condition are executed exactly once, in the order that they 247 appear on the page. (Note that the procedures defined in [I-D.ietf- 248 eap-statemachine] are executed on entry to a state, which is one 249 major difference from this document.) Each exit action is deemed to 250 be atomic; i.e., execution of an exit action completes before the 251 next sequential exit action starts to execute. No exit action 252 execute outside of a state block. The exit actions in only one state 253 block execute at a time even if the conditions for execution of state 254 blocks in different state machines are satisfied. All exit actions 255 in an executing state block complete execution before the transition 256 to and execution of any other state blocks. The execution of any 257 state block appears to be atomic with respect to the execution of any 258 other state block and the transition condition to that state from the 259 previous state is TRUE when execution commences. The order of 260 execution of state blocks in different state machines is undefined 261 except as constrained by their transition conditions. A variable 262 that is set to a particular value in a state block retains this value 263 until a subsequent state block executes an exit action that modifies 264 the value. 266 On completion of the transition from the previous state to the 267 current state, all exit conditions occurring during the current state 268 (including exit conditions defined for the wildcard state) are 269 evaluated until an exit condition for that state is met. 271 Any event variable is set to TRUE when the corresponding event occurs 272 and set to FALSE immediately after completion of the action 273 associated with the current state and the event. 275 The interpretation of the special symbols and operators used is 276 defined in [I-D.ietf-eap-statemachine]. 278 5. Common Rules 280 There are following procedures, variables, message initializing rules 281 and state transitions that are common to both the PaC and PAA state 282 machines. 284 Throughout this document, the character string "PANA_MESSAGE_NAME" 285 matches any one of the abbreviated PANA message names, i.e., "PDI", 286 "PSR", "PSA", "PAR", "PAN", "PBR", "PBA", "PFER", "PFEA", "PTR", 287 "PTA", "PPR", "PPA", "PRAR", "PRAA", "PUR", "PUA", "PER" and "PEA". 289 5.1. Common Procedures 291 void None() 293 A null procedure, i.e., nothing is done. 295 void Disconnect() 297 A procedure to delete the PANA session as well as the 298 corresponding EAP session and authorization state. 300 boolean Authorize() 302 A procedure to create or modify authorization state. It returns 303 TRUE if authorization is successful. Otherwise, it returns FALSE. 304 It is assumed that Authorize() procedure of PaC state machine 305 always returns TRUE. 307 void Tx:PANA_MESSAGE_NAME() 309 A procedure to send a PANA message to its peering PANA entity. 311 void TxEAP() 313 A procedure to send an EAP message to the EAP state machine it 314 interfaces to. 316 void RtxTimerStart() 318 A procedure to start the retransmission timer, reset RTX_COUNTER 319 variable to zero and set an appropriate value to RTX_MAX_NUM 320 variable. 322 void RtxTimerStop() 323 A procedure to stop the retransmission timer. 325 void SessionTimerStart() 327 A procedure to start PANA session timer. 329 void SessionTimerStop() 331 A procedure to stop the PANA session timer. 333 void Retransmit() 335 A procedure to retransmit a PANA message and increment RTX_COUNTER 336 by one(1). 338 void EAP_Restart() 340 A procedure to (re)start an EAP conversation resulting in the re- 341 initialization of an existing EAP session. 343 void PANA_MESSAGE_NAME.insert_avp("AVP_NAME") 345 A procedure to insert an AVP of the specified AVP name in the 346 specified PANA message. 348 boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME") 350 A procedure that checks whether an AVP of the specified AVP name 351 exists in the specified PANA message and returns TRUE if the 352 specified AVP is found, otherwise returns FALSE. 354 boolean key_available() 356 A procedure to check whether the PANA session has a PANA_MAC_KEY. 357 If the state machine already has a PANA_MAC_KEY, it returns TRUE. 358 If the state machine does not have a PANA_MAC_KEY, it tries to 359 retrieve a AAA-Key from the EAP entity. If a AAA-Key is 360 retrieved, it computes a PANA_MAC_KEY from the AAA-Key and returns 361 TRUE. Otherwise, it returns FALSE. 363 boolean fatal(int) 365 A procedure to check whether an integer result code value 366 indicates a fatal error. If the result code indicates a fatal 367 error, the procedure returns TRUE, otherwise, it return FALSE. A 368 fatal error would also result in the termination of the session 369 and release of all resources related to that session. 371 5.2. Common Variables 373 PANA_MESSAGE_NAME.S_flag 375 This variable contains the S-Flag value of the specified PANA 376 message. 378 PBR.RESULT_CODE 380 This variable contains the Result-Code AVP value in the PANA-Bind- 381 Request message in process. When this variable carries 382 PANA_SUCCESS when there is only once EAP run in the authentication 383 and authorization phase, it is assumed that the PBR message always 384 contains an EAP-Payload AVP which carries an EAP-Success message. 386 PFER.RESULT_CODE 388 This variable contains the Result-Code AVP value in the PANA- 389 FirstAuth-End-Request message in process. When this variable 390 carries PANA_SUCCESS, it is assumed that the PFER message always 391 contains an EAP-Payload AVP which carries an EAP-Success message. 393 PER.RESULT_CODE 395 This variable contains the Result-Code AVP value in the PANA- 396 Error-Request message in process. 398 RTX_COUNTER 400 This variable contains the current number of retransmissions of 401 the outstanding PANA message. 403 Rx:PANA_MESSAGE_NAME 405 This event variable is set to TRUE when the specified PANA message 406 is received from its peering PANA entity. 408 RTX_TIMEOUT 410 This event variable is set to TRUE when the retransmission timer 411 is expired. 413 REAUTH 415 This event variable is set to TRUE when an initiation of re- 416 authentication phase is triggered. 418 TERMINATE 420 This event variable is set to TRUE when initiation of PANA session 421 termination is triggered. 423 PANA_PING 425 This event variable is set to TRUE when initiation of liveness 426 test based on PPR-PPA exchange is triggered. 428 NOTIFY 430 This event variable is set to TRUE if the PaC or PAA wants to send 431 attribute updates or notifications. 433 SESS_TIMEOUT 435 This event is variable is set to TRUE when the session timer is 436 expired. 438 ABORT_ON_1ST_EAP_FAILURE 440 This variable indicates whether the PANA session is immediately 441 terminated when the 1st EAP authentication fails. 443 CARRY_DEVICE_ID 445 This variable indicates whether a Device-Id AVP is carried in a 446 PANA-Bind-Request or PANA_Bind-Answer message. For the PAA, this 447 variable MUST be set when a link-layer or IP address is used as 448 the device identifier of the PaC and a Protection-Capability AVP 449 is included in the PANA-Bind-Request message. 451 ANY 453 This event variable is set to TRUE when any event occurs. 455 5.3. Constants 457 RTX_MAX_NUM 459 Configurable maximum for how many retransmissions should be 460 attempted before aborting. 462 5.4. Common Message Initialization Rules 464 When a message is prepared for sending, it is initialized as follows: 466 o For a request message, R-flag of the header is set. Otherwise, 467 R-flag is not set. 469 o S-flag and N-flag of the header are not set. 471 o AVPs that are mandatory included in a message are inserted with 472 appropriate values set. 474 o A Notification AVP is inserted if there is some notification 475 string to send to the communicating peer. 477 5.5. Common Error Handling Rules 479 For simplicity, the PANA state machines defined in this document do 480 not support an optional feature of sending a PER message when an 481 invalid PANA message is received [I-D.ietf-pana-pana], while the 482 state machines support sending a PER message generated in other cases 483 as well as receiving and processing a PER message. It is left to 484 implementations as to whether they provide a means to send a PER 485 message when an invalid PANA message is received. 487 5.6. Common State Transitions 489 The following transitions can occur at any state. 491 ---------- 492 State: ANY 493 ---------- 495 Exit Condition Exit Action Exit State 496 ------------------------+--------------------------+------------ 497 - - - - - - - - - - - - - (Re-transmissions)- - - - - - - - - - 498 RTX_TIMEOUT && Retransmit(); (no change) 499 RTX_COUNTER< 500 RTX_MAX_NUM 501 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 502 - - - - - - - (Reach maximum number of transmissions)- - - - - - 503 RTX_TIMEOUT && Disconnect(); CLOSED 504 RTX_COUNTER>= 505 RTX_MAX_NUM 507 SESS_TIMEOUT Disconnect(); CLOSED 508 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 509 - - - - - - - - - - -(PANA-Error-Message-Processing)- - - - - - 510 Rx:PER && PEA.insert_avp("MAC"); CLOSED 511 fatal Tx:PEA(); 512 (PER.RESULT_CODE) && Disconnect(); 513 PER.exist_avp("MAC") && 514 key_available() 516 Rx:PER && Tx:PEA(); (no change) 517 !fatal 518 (PER.RESULT_CODE) || 519 !PER.exist_avp("MAC") || 520 !key_available() 521 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 523 The following transitions can occur on any exit condition within the 524 specified state. 526 ------------- 527 State: CLOSED 528 ------------- 530 Exit Condition Exit Action Exit State 531 ------------------------+--------------------------+------------ 532 - - - - - - - -(Session termination initiated by PaC) - - - - - 533 ANY None(); CLOSED 534 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 536 6. PaC State Machine 538 6.1. Interface between PaC and EAP Peer 540 This interface defines the interactions between a PaC and an EAP 541 peer. The interface serves as a mechanism to deliver EAP messages 542 for the EAP peer. It allows the EAP peer to receive EAP requests and 543 send EAP responses via the PaC. It also provides a mechanism to 544 notify the EAP peer of PaC events and a mechanism to receive 545 notification of EAP peer events. The EAP message delivery mechanism 546 as well as the event notification mechanism in this interface have 547 direct correlation with the PaC state transition table entries. 548 These message delivery and event notifications mechanisms occur only 549 within the context of their associated states or exit actions. 551 6.1.1. Delivering EAP Messages from PaC to EAP Peer 553 TxEAP() procedure in the PaC state machine serves as the mechanism to 554 deliver EAP request, EAP success and EAP failure messages contained 555 in PANA-Auth-Request messages to the EAP peer. This procedure is 556 enabled only after an EAP restart event is notified to the EAP peer 557 and before any event resulting in a termination of the EAP peer 558 session. In the case where the EAP peer follows the EAP peer state 559 machine defined in [I-D.ietf-eap-statemachine], TxEAP() procedure 560 sets eapReq variable of the EAP peer state machine and puts the EAP 561 request in eapReqData variable of the EAP peer state machine. 563 6.1.2. Delivering EAP Responses from EAP Peer to PaC 565 An EAP response is delivered from the EAP peer to the PaC via 566 EAP_RESPONSE event variable. The event variable is set when the EAP 567 peer passes the EAP response to its lower-layer. In the case where 568 the EAP peer follows the EAP peer state machine defined in [I-D.ietf- 569 eap-statemachine], EAP_RESPONSE event variable refers to eapResp 570 variable of the EAP peer state machine and the EAP response is 571 contained in eapRespData variable of the EAP peer state machine. 573 6.1.3. EAP Restart Notification from PaC to EAP Peer 575 The EAP peer state machine defined in [I-D.ietf-eap-statemachine] has 576 an initialization procedure before receiving an EAP request. To 577 initialize the EAP state machine, the PaC state machine defines an 578 event notification mechanism to send an EAP (re)start event to the 579 EAP peer. The event notification is done via EAP_Restart() procedure 580 in the initialization action of the PaC state machine. 582 6.1.4. EAP Authentication Result Notification from EAP Peer to PaC 584 In order for the EAP peer to notify the PaC of an EAP authentication 585 result, EAP_SUCCESS and EAP_FAILURE event variables are defined. In 586 the case where the EAP peer follows the EAP peer state machine 587 defined in [I-D.ietf-eap-statemachine], EAP_SUCCESS and EAP_FAILURE 588 event variables refer to eapSuccess and eapFail variables of the EAP 589 peer state machine, respectively. In this case, if EAP_SUCCESS event 590 variable is set to TRUE and a AAA-Key is generated by the EAP 591 authentication method in use, eapKeyAvailable variable is set to TRUE 592 and eapKeyData variable contains the AAA-Key. Note that EAP_SUCCESS 593 and EAP_FAILURE event variables may be set to TRUE even before the 594 PaC receives a PBR or a PFER from the PAA. 596 6.1.5. Alternate Failure Notification from PaC to EAP Peer 598 alt_reject() procedure in the PaC state machine serves as the 599 mechanism to deliver an authentication failure event to the EAP peer 600 without accompanying an EAP message. In the case where the EAP peer 601 follows the EAP peer state machine defined in [I-D.ietf-eap- 602 statemachine], alt_reject() procedure sets altReject variable of the 603 EAP peer state machine. Note that the EAP peer state machine in 604 [I-D.ietf-eap-statemachine] also defines altAccept variable, however, 605 it is never used in PANA in which EAP-Success messages are reliably 606 delivered by PANA-Bind exchange. 608 6.1.6. EAP Invalid Message Notification from EAP Peer to PaC 610 In order for the EAP peer to notify the PaC of a receipt of an 611 invalid EAP message, EAP_INVALID_MSG event variable is defined. In 612 the case where the EAP peer follows the EAP peer state machine 613 defined in [I-D.ietf-eap-statemachine], EAP_INVALID_MSG event 614 variable refers to eapNoResp variable of the EAP peer state machine. 616 6.2. Variables 618 SEPARATE 620 This variable indicates whether the PaC desires NAP/ISP separate 621 authentication. 623 1ST_EAP 625 This variable indicates whether the 1st EAP authentication is 626 success, failure or yet completed. 628 AUTH_USER 630 This event variable is set to TRUE when initiation of EAP-based 631 (re-)authentication is triggered by the application. 633 EAP_SUCCESS 635 This event variable is set to TRUE when the EAP peer determines 636 that EAP conversation completes with success. 638 EAP_FAILURE 640 This event variable is set to TRUE when the EAP peer determines 641 that EAP conversation completes with failure. 643 EAP_RESPONSE 645 This event variable is set to TRUE when the EAP peer delivers an 646 EAP Response to the PaC. This event accompanies an EAP-Response 647 message received from the EAP peer. 649 EAP_INVALID_MSG 651 This event variable is set to TRUE when the EAP peer silently 652 discards an EAP message. This event does not accompany any EAP 653 message. 655 EAP_RESP_TIMEOUT 657 This event variable is set to TRUE when the PaC that has passed an 658 EAP-Request to the EAP-layer does not receive a corresponding EAP- 659 Response from the the EAP-layer in a given period. 661 6.3. Procedures 663 boolean choose_isp() 665 This procedure returns TRUE when the PaC chooses one ISP, 666 otherwise returns FALSE. 668 boolean ppac_available() 670 This procedure returns TRUE when the Post-PANA-Address- 671 Configuration method specified by the PAA is available in the PaC 672 and that the PaC will be able to comply. 674 boolean pcap_supported() 676 This procedure returns TRUE when the cryptographic data protection 677 supplied in the Protection-Capability AVP can be supported by the 678 PaC. 680 boolean eap_piggyback() 682 This procedures returns TRUE to indicate whether the next EAP 683 response will be carried in the pending PAN message for 684 optimization. 686 void alt_reject() 688 This procedure informs the EAP peer of an authentication failure 689 event without accompanying an EAP message. 691 void EAP_RespTimerStart() 693 A procedure to start a timer to receive an EAP-Response from the 694 EAP peer. 696 void EAP_RespTimerStop() 698 A procedure to stop a timer to receive an EAP-Response from the 699 EAP peer. 701 6.4. PaC State Transition Table 703 ------------------------------ 704 State: OFFLINE (Initial State) 705 ------------------------------ 707 Initialization Action: 709 SEPARATE=Set|Unset; 710 CARRY_DEVICE_ID=Unset; 711 1ST_EAP=Unset; 712 RtxTimerStop(); 714 Exit Condition Exit Action Exit State 715 ------------------------+--------------------------+-------------- 716 - - - - - - - - - - - - - (PSR processing) - - - - - - - - - - - 717 Rx:PSR && RtxTimerStop(); WAIT_EAP_MSG_ 718 PSR.exist_avp EAP_Restart(); IN_DISC 719 ("EAP-Payload") TxEAP(); 720 SEPARATE=Unset; 722 Rx:PSR && RtxTimerStop(); WAIT_PAA 723 !PSR.exist_avp if (choose_isp()) 724 ("EAP-Payload") && PSA.insert_avp("ISP"); 725 PSR.S_flag==1 && PSA.S_flag=1; 726 SEPARATE==Set && PSA.insert_avp("Cookie"); 727 PSR.exist_avp Tx:PSA(); 728 ("Cookie") RtxTimerStart(); 729 EAP_Restart(); 731 Rx:PSR && RtxTimerStop(); WAIT_PAA 732 !PSR.exist_avp if (choose_isp()) 733 ("EAP-Payload") && PSA.insert_avp("ISP"); 734 PSR.S_flag==1 && PSA.S_flag=1; 735 SEPARATE==Set && Tx:PSA(); 736 !PSR.exist_avp EAP_Restart(); 737 ("Cookie") 739 Rx:PSR && RtxTimerStop(); WAIT_PAA 740 !PSR.exist_avp if (choose_isp()) 741 ("EAP-Payload") && PSA.insert_avp("ISP"); 742 (PSR.S_flag!=1 || PSA.insert_avp("Cookie"); 743 SEPARATE==Unset) && Tx:PSA(); 744 PSR.exist_avp RtxTimerStart(); 745 ("Cookie") SEPARATE=Unset; 746 EAP_Restart(); 748 Rx:PSR && RtxTimerStop(); WAIT_PAA 749 !PSR.exist_avp if (choose_isp()) 750 ("EAP-Payload") && PSA.insert_avp("ISP"); 751 (PSR.S_flag!=1 || Tx:PSA(); 752 SEPARATE==Unset) && SEPARATE=Unset; 753 !PSR.exist_avp EAP_Restart(); 754 ("Cookie") 756 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 757 - - - - - - - - -(Authentication trigger from application) - - - 758 AUTH_USER Tx:PDI(); OFFLINE 759 RtxTimerStart(); 760 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 762 --------------------------- 763 State: WAIT_EAP_MSG_IN_DISC 764 --------------------------- 766 Exit Condition Exit Action Exit State 767 ------------------------+--------------------------+------------ 768 - - - - - - - - - - - (Return PSA with EAP-Payload) - - - - - - 769 EAP_RESPONSE PSA.insert_avp WAIT_PAA 770 ("EAP-Payload") 771 if (choose_isp()) 772 PSA.insert_avp("ISP"); 773 Tx:PSA(); 775 EAP_RESP_TIMEOUT || None(); OFFLINE 776 EAP_INVALID_MSG 777 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 779 --------------- 780 State: WAIT_PAA 781 --------------- 783 Exit Condition Exit Action Exit State 784 ------------------------+--------------------------+------------ 785 - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - - 786 Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG 787 !eap_piggyback() TxEAP(); 788 EAP_RespTimerStart(); 789 if (key_available()) 790 PAN.insert_avp("MAC"); 791 PAN.S_flag=PAR.S_flag; 792 PAN.N_flag=PAR.N_flag; 793 Tx:PAN(); 795 Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG 796 eap_piggyback() TxEAP(); 797 EAP_RespTimerStart(); 799 Rx:PAN RtxTimerStop(); WAIT_PAA 800 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 801 - - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - - 802 Rx:PFER && 1ST_EAP=Success; WAIT_1ST_EAP_ 803 1ST_EAP==Unset && TxEAP(); RESULT 804 SEPARATE==Set && 805 PFER.RESULT_CODE== 806 PANA_SUCCESS && 807 PFER.S_flag==1 809 Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ 810 1ST_EAP==Unset && TxEAP(); RESULT 811 SEPARATE==Set && 812 PFER.RESULT_CODE!= 813 PANA_SUCCESS && 814 PFER.S_flag==1 && 815 ABORT_ON_1ST_EAP_FAILURE 816 ==Unset && 817 PFER.exist_avp 818 ("EAP-Payload") 820 Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ 821 1ST_EAP==Unset && alt_reject(); RESULT 822 SEPARATE==Set && 823 PFER.RESULT_CODE!= 824 PANA_SUCCESS && 825 PFER.S_flag==1 && 826 ABORT_ON_1ST_EAP_FAILURE 827 ==Unset && 828 !PFER.exist_avp 829 ("EAP-Payload") 831 Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ 832 1ST_EAP==Unset && TxEAP(); RESULT_CLOSED 833 SEPARATE==Set && 834 PFER.RESULT_CODE!= 835 PANA_SUCCESS && 836 (PFER.S_flag==0 || 837 ABORT_ON_1ST_EAP_FAILURE 838 ==Set) && 839 PFER.exist_avp 840 ("EAP-Payload") 842 Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ 843 1ST_EAP==Unset && alt_reject(); RESULT_CLOSED 844 SEPARATE==Set && 845 PFER.RESULT_CODE!= 846 PANA_SUCCESS && 847 (PFER.S_flag==0 || 848 ABORT_ON_1ST_EAP_FAILURE 849 ==Set) && 850 !PFER.exist_avp 851 ("EAP-Payload") 853 Rx:PBR && TxEAP(); WAIT_EAP_RESULT 854 1ST_EAP==Unset && if (PBR.exist_avp 855 SEPARATE==Unset && ("Device-Id")) 856 PBR.RESULT_CODE== CARRY_DEVICE_ID=Set; 857 PANA_SUCCESS 859 Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ 860 1ST_EAP==Unset && CLOSE 861 SEPARATE==Unset && 862 PBR.RESULT_CODE!= 863 PANA_SUCCESS && 864 PBR.exist_avp 865 ("EAP-Payload") 867 Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ 868 1ST_EAP==Unset && CLOSE 869 SEPARATE==Unset && 870 PBR.RESULT_CODE!= 871 PANA_SUCCESS && 872 !PBR.exist_avp 873 ("EAP-Payload") 874 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 875 - - - - - - - - - - - - - - -(2nd EAP result) - - - - - - - - - 876 Rx:PBR && TxEAP(); WAIT_EAP_RESULT 877 1ST_EAP==Success && if (PBR.exist_avp 878 PBR.RESULT_CODE== ("Device-Id")) 879 PANA_SUCCESS && CARRY_DEVICE_ID=Set; 880 PBR.exist_avp 881 ("EAP-Payload") 883 Rx:PBR && alt_reject(); WAIT_EAP_RESULT 884 1ST_EAP==Success && if (PBR.exist_avp 885 PBR.RESULT_CODE== ("Device-Id")) 886 PANA_SUCCESS && CARRY_DEVICE_ID=Set; 887 !PBR.exist_avp 888 ("EAP-Payload") 890 Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ 891 1ST_EAP==Success && CLOSE 892 PBR.RESULT_CODE!= 893 PANA_SUCCESS && 894 PBR.exist_avp 895 ("EAP-Payload") 897 Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ 898 1ST_EAP==Success && CLOSE 899 PBR.RESULT_CODE!= 900 PANA_SUCCESS && 901 !PBR.exist_avp 902 ("EAP-Payload") 904 Rx:PBR && TxEAP(); WAIT_EAP_RESULT 905 1ST_EAP==Failure && if (PBR.exist_avp 906 PBR.RESULT_CODE== ("Device-Id")) 907 PANA_SUCCESS CARRY_DEVICE_ID=Set; 909 Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ 910 1ST_EAP==Failure && CLOSE 911 PBR.RESULT_CODE!= 912 PANA_SUCCESS && 914 PBR.exist_avp 915 ("EAP-Payload") 917 Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ 918 1ST_EAP==Failure && CLOSE 919 PBR.RESULT_CODE!= 920 PANA_SUCCESS && 921 !PBR.exist_avp 922 ("EAP-Payload") 923 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 925 ------------------- 926 State: WAIT_EAP_MSG 927 ------------------- 929 Exit Condition Exit Action Exit State 930 ------------------------+--------------------------+------------ 931 - - - - - - - - - - (Return PAN/PAR) - - - - - - - - - - - - - - 932 EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA 933 eap_piggyback() PAN.insert_avp 934 ("EAP-Payload"); 935 if (key_available()) 936 PAN.insert_avp("MAC"); 937 PAN.S_flag=PAR.S_flag; 938 PAN.N_flag=PAR.N_flag; 939 Tx:PAN(); 941 EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA 942 !eap_piggyback() PAR.insert_avp 943 ("EAP-Payload"); 944 if (key_available()) 945 PAR.insert_avp("MAC"); 946 PAR.S_flag=PAN.S_flag; 947 PAR.N_flag=PAN.N_flag; 948 Tx:PAR(); 949 RtxTimerStart(); 951 EAP_RESP_TIMEOUT if (key_available()) WAIT_PAA 952 PAN.insert_avp("MAC"); 953 PAN.S_flag=PAR.S_flag; 954 PAN.N_flag=PAR.N_flag; 955 Tx:PAN(); 957 EAP_INVALID_MSG || None(); WAIT_PAA 958 EAP_SUCCESS || 959 EAP_FAILURE 960 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 961 ---------------------- 962 State: WAIT_EAP_RESULT 963 ---------------------- 965 Exit Condition Exit Action Exit State 966 ------------------------+--------------------------+------------ 967 - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - - 968 EAP_SUCCESS && PBA.insert_avp("MAC"); OPEN 969 PBR.exist_avp PBA.insert_avp("Key-Id"); 970 ("Key-Id") && if (CARRY_DEVICE_ID) 971 ppac_available() && PBA.insert_avp 972 (!PBR.exist_avp ("Device-Id"); 973 ("Protection- PBA.insert_avp("PPAC"); 974 Capability") || Tx:PBA(); 975 (PBR.exist_avp Authorize(); 976 ("Protection- SessionTimerStart(); 977 Capability") && 978 pcap_supported())) 980 EAP_SUCCESS && if (key_available()) OPEN 981 !PBR.exist_avp PBA.insert_avp("MAC"); 982 ("Key-Id") && if (CARRY_DEVICE_ID) 983 ppac_available() && PBA.insert_avp 984 (!PBR.exist_avp ("Device-Id"); 985 ("Protection- PBA.insert_avp("PPAC"); 986 Capability") || Tx:PBA(); 987 (PBR.exist_avp Authorize(); 988 ("Protection- SessionTimerStart(); 989 Capability") && 990 pcap_supported())) 992 EAP_SUCCESS && if (key_available()) WAIT_PEA 993 !ppac_available() PER.insert_avp("MAC"); 994 PER.RESULT_CODE= 995 PANA_PPAC_CAPABILITY_ 996 UNSUPPORTED 997 Tx:PER(); 998 RtxTimerStart(); 1000 EAP_SUCCESS && if (key_available()) WAIT_PEA 1001 (PBR.exist_avp PER.insert_avp("MAC"); 1002 ("Protection- PER.RESULT_CODE= 1003 Capability") && PANA_PROTECTION_ 1004 !pcap_supported()) CAPABILITY_UNSUPPORTED 1005 Tx:PER(); 1006 RtxTimerStart(); 1008 EAP_FAILURE && if (key_available()) OPEN 1009 (SEPARATE==Set) && PBA.insert_avp("MAC"); 1010 ppac_available() && if (CARRY_DEVICE_ID) 1011 (!PBR.exist_avp PBA.insert_avp 1012 ("Protection- ("Device-Id"); 1013 Capability") || PBA.insert_avp("PPAC"); 1014 (PBR.exist_avp Tx:PBA(); 1015 ("Protection- Authorize(); 1016 Capability") && SessionTimerStart(); 1017 pcap_supported())) 1019 EAP_FAILURE && if (key_available()) WAIT_PEA 1020 (SEPARATE==Set) && PER.insert_avp("MAC"); 1021 !ppac_available() PER.RESULT_CODE= 1022 PANA_PPAC_CAPABILITY_ 1023 UNSUPPORTED 1024 Tx:PER(); 1025 RtxTimerStart(); 1027 EAP_FAILURE && if (key_available()) WAIT_PEA 1028 (SEPARATE==Set) && PER.insert_avp("MAC"); 1029 (PBR.exist_avp PER.RESULT_CODE= 1030 ("Protection- PANA_PROTECTION_ 1031 Capability") && CAPABILITY_UNSUPPORTED 1032 !pcap_supported()) Tx:PER(); 1033 RtxTimerStart(); 1035 EAP_INVALID_MSG None(); WAIT_PAA 1036 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1038 ---------------------------- 1039 State: WAIT_EAP_RESULT_CLOSE 1040 ---------------------------- 1042 Exit Condition Exit Action Exit State 1043 ------------------------+--------------------------+------------ 1044 - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - - 1045 EAP_SUCCESS && PBA.insert_avp("MAC"); CLOSED 1046 PBR.exist_avp PBA.insert_avp("Key-Id"); 1047 ("Key-Id") Tx:PBA(); 1048 Disconnect(); 1050 EAP_SUCCESS && if (key_available()) CLOSED 1051 !PBR.exist_avp PBA.insert_avp("MAC"); 1052 ("Key-Id") Tx:PBA(); 1053 Disconnect(); 1055 EAP_FAILURE Tx:PBA(); CLOSED 1056 Disconnect(); 1058 EAP_INVALID_MSG None(); WAIT_PAA 1059 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1061 -------------------------- 1062 State: WAIT_1ST_EAP_RESULT 1063 -------------------------- 1065 Exit Condition Exit Action Exit State 1066 ------------------------+--------------------------+------------ 1067 - - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - - 1068 EAP_SUCCESS && PFEA.insert_avp("Key-Id"); WAIT_PAA 1069 PFER.exist_avp PFEA.S_flag=1; 1070 ("Key-Id") PFEA.N_flag=PFER.N_flag; 1071 PFEA.insert_avp("MAC"); 1072 Tx:PFEA(); 1073 EAP_Restart(); 1075 (EAP_SUCCESS && if (key_available()) WAIT_PAA 1076 !PFER.exist_avp PFEA.insert_avp("MAC"); 1077 ("Key-Id")) || PFEA.S_flag=1; 1078 EAP_FAILURE PFEA.N_flag=PFER.N_flag; 1079 Tx:PFEA(); 1080 EAP_Restart(); 1082 EAP_INVALID_MSG EAP_Restart(); WAIT_PAA 1083 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1085 -------------------------------- 1086 State: WAIT_1ST_EAP_RESULT_CLOSE 1087 -------------------------------- 1089 Exit Condition Exit Action Exit State 1090 ------------------------+--------------------------+------------ 1091 - - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - - 1092 EAP_SUCCESS && PFEA.insert_avp("Key-Id"); CLOSED 1093 PFER.exist_avp PFEA.S_flag=0; 1094 ("Key-Id") PFEA.N_flag=0; 1095 PFEA.insert_avp("MAC"); 1096 Tx:PFEA(); 1097 Disconnect(); 1099 (EAP_SUCCESS && if (key_available()) CLOSED 1100 !PFER.exist_avp PFEA.insert_avp("MAC"); 1101 ("Key-Id")) || PFEA.S_flag=0; 1102 EAP_FAILURE PFEA.N_flag=0; 1103 Tx:PFEA(); 1104 Disconnect(); 1106 EAP_INVALID_MSG None(); WAIT_PAA 1107 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1109 ----------- 1110 State: OPEN 1111 ----------- 1113 Exit Condition Exit Action Exit State 1114 ------------------------+--------------------------+------------ 1115 - - - - - - - - - - (liveness test initiated by PAA)- - - - - - 1116 Rx:PPR if (key_available()) OPEN 1117 PPA.insert_avp("MAC"); 1118 Tx:PPA(); 1119 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1120 - - - - - - - - - - (liveness test initiated by PaC)- - - - - - 1121 PANA_PING if (key_available()) WAIT_PPA 1122 PPR.insert_avp("MAC"); 1123 Tx:PPR(); 1124 RtxTimerStart(); 1125 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1126 - - - - - - - - - (re-authentication initiated by PaC)- - - - - - 1127 REAUTH SEPARATE=Set|Unset; WAIT_PRAA 1128 1ST_EAP=Unset; 1129 if (key_available()) 1130 PRAR.insert_avp("MAC"); 1131 Tx:PRAR(); 1132 RtxTimerStart(); 1133 SessionTimerStop(); 1134 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1135 - - - - - - - - - (re-authentication initiated by PAA)- - - - - - 1136 Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG 1137 !eap_piggyback() 1ST_EAP=Unset; 1138 EAP_RespTimerStart(); 1139 TxEAP(); 1140 if (key_available()) 1141 PAN.insert_avp("MAC"); 1142 PAN.S_flag=PAR.S_flag; 1143 PAN.N_flag=PAR.N_flag; 1144 Tx:PAN(); 1145 SessionTimerStop(); 1147 Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG 1148 eap_piggyback() 1ST_EAP=Unset; 1149 EAP_RespTimerStart(); 1150 TxEAP(); 1151 SessionTimerStop(); 1152 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1153 - - - - - - - -(Session termination initiated by PAA) - - - - - - 1154 Rx:PTR if (key_available()) CLOSED 1155 PTA.insert_avp("MAC"); 1156 Tx:PTA(); 1157 Disconnect(); 1158 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1159 - - - - - - - -(Session termination initiated by PaC) - - - - - - 1160 TERMINATE if (key_available()) SESS_TERM 1161 PTR.insert_avp("MAC"); 1162 Tx:PTR(); 1163 RtxTimerStart(); 1164 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1165 - - - - - - - - - - - - -(Address update) - - - - - - - - - - - - 1166 NOTIFY if (key_available()) WAIT_PUA 1167 PUR.insert_avp("MAC"); 1168 Tx:PUR(); 1169 RtxTimerStart(); 1170 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1171 - - - - - - - - - - -(Notification update)- - - - - - - - - - - 1172 Rx:PUR if (key_available()) OPEN 1173 PUA.insert_avp("MAC"); 1174 Tx:PUA(); 1175 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1177 ---------------- 1178 State: WAIT_PRAA 1179 ---------------- 1181 Exit Condition Exit Action Exit State 1182 ------------------------+--------------------------+------------ 1183 - - - - - - - - -(re-authentication initiated by PaC) - - - - - 1184 Rx:PRAA RtxTimerStop(); WAIT_PAA 1185 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1187 --------------- 1188 State: WAIT_PPA 1189 --------------- 1191 Exit Condition Exit Action Exit State 1192 ------------------------+--------------------------+------------ 1193 - - - - - - - - -(liveness test initiated by PAA) - - - - - - - 1194 Rx:PPA RtxTimerStop(); OPEN 1195 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1197 --------------- 1198 State: WAIT_PUA 1199 --------------- 1201 Exit Condition Exit Action Exit State 1202 ------------------------+--------------------------+------------ 1203 - - - - - - - - - - - - - (PUA processing)- - - - - - - - - - - 1204 Rx:PUA RtxTimerStop(); OPEN 1205 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1207 ---------------- 1208 State: SESS_TERM 1209 ---------------- 1211 Exit Condition Exit Action Exit State 1212 ------------------------+--------------------------+------------ 1213 - - - - - - - -(Session termination initiated by PaC) - - - - - 1214 Rx:PTA Disconnect(); CLOSED 1215 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1217 --------------- 1218 State: WAIT_PEA 1219 --------------- 1221 Exit Condition Exit Action Exit State 1222 ------------------------+--------------------------+------------ 1223 - - - - - - - - - - - - - -(PEA processing) - - - - - - - - - - 1224 Rx:PEA RtxTimerStop(); CLOSED 1225 Disconnect(); 1226 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1228 7. PAA State Machine 1230 7.1. Interface between PAA and EAP Authenticator 1232 The interface between a PAA and an EAP authenticator provides a 1233 mechanism to deliver EAP messages for the EAP authenticator as well 1234 as a mechanism to notify the EAP authenticator of PAA events and to 1235 receive notification of EAP authenticator events. These message 1236 delivery and event notification mechanisms occur only within context 1237 of their associated states or exit actions. 1239 7.1.1. EAP Restart Notification from PAA to EAP Authenticator 1241 An EAP authenticator state machine defined in [I-D.ietf-eap- 1242 statemachine] has an initialization procedure before sending the 1243 first EAP request. To initialize the EAP state machine, the PAA 1244 state machine defines an event notification mechanism to send an EAP 1245 (re)start event to the EAP peer. The event notification is done via 1246 EAP_Restart() procedure in the initialization action of the PAA state 1247 machine. 1249 7.1.2. Delivering EAP Responses from PAA to EAP Authenticator 1251 TxEAP() procedure in the PAA state machine serves as the mechanism to 1252 deliver EAP-Responses contained in PANA-Auth-Answer messages to the 1253 EAP authenticator. This procedure is enabled only after an EAP 1254 restart event is notified to the EAP authenticator and before any 1255 event resulting in a termination of the EAP authenticator session. 1256 In the case where the EAP authenticator follows the EAP authenticator 1257 state machines defined in [I-D.ietf-eap-statemachine], TxEAP() 1258 procedure sets eapResp variable of the EAP authenticator state 1259 machine and puts the EAP response in eapRespData variable of the EAP 1260 authenticator state machine. 1262 7.1.3. Delivering EAP Messages from EAP Authenticator to PAA 1264 An EAP request is delivered from the EAP authenticator to the PAA via 1265 EAP_REQUEST event variable. The event variable is set when the EAP 1266 authenticator passes the EAP request to its lower-layer. In the case 1267 where the EAP authenticator follows the EAP authenticator state 1268 machines defined in [I-D.ietf-eap-statemachine], EAP_REQUEST event 1269 variable refers to eapReq variable of the EAP authenticator state 1270 machine and the EAP request is contained in eapReqData variable of 1271 the EAP authenticator state machine. 1273 7.1.4. EAP Authentication Result Notification from EAP Authenticator to 1274 PAA 1276 In order for the EAP authenticator to notify the PAA of the EAP 1277 authentication result, EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event 1278 variables are defined. In the case where the EAP authenticator 1279 follows the EAP authenticator state machines defined in [I-D.ietf- 1280 eap-statemachine], EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event 1281 variables refer to eapSuccess, eapFail and eapTimeout variables of 1282 the EAP authenticator state machine, respectively. In this case, if 1283 EAP_SUCCESS event variable is set to TRUE, an EAP-Success message is 1284 contained in eapReqData variable of the EAP authenticator state 1285 machine, and additionally, eapKeyAvailable variable is set to TRUE 1286 and eapKeyData variable contains a AAA-Key if the AAA-Key is 1287 generated as a result of successful authentication by the EAP 1288 authentication method in use. Similarly, if EAP_FAILURE event 1289 variable is set to TRUE, an EAP-Failure message is contained in 1290 eapReqData variable of the EAP authenticator state machine. The PAA 1291 uses EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables as a 1292 trigger to send a PBR or a PFER message to the PaC. 1294 7.2. Variables 1296 USE_COOKIE 1298 This variable indicates whether the PAA uses Cookie. 1300 EAP_PIGGYBACK 1302 This variable indicates whether the PAA is able to piggyback an 1303 EAP-Request in PANA-Start-Request. 1305 SEPARATE 1307 This variable indicates whether the PAA provides NAP/ISP separate 1308 authentication. 1310 1ST_EAP 1312 This variable indicates whether the 1st EAP authentication is a 1313 success, failure or yet completed. 1315 PSA.SESSION_ID 1317 This variable contains the Session-Id AVP value in the PANA-Start- 1318 Answer message in process. 1320 CARRY_LIFETIME 1321 This variable indicates whether a Session-Lifetime AVP is carried 1322 in PANA-Bind-Request message. 1324 PROTECTION_CAP_IN_PSR 1326 This variable indicates whether a Protection-Capability AVP is 1327 carried in a PANA-Start-Request message. 1329 PROTECTION_CAP_IN_PBR 1331 This variable indicates whether a Protection-Capability AVP is 1332 carried in a PANA-Bind-Request message. 1334 CARRY_NAP_INFO 1336 This variable indicates whether a NAP-Information AVP is carried 1337 in PANA-Start-Request message. 1339 CARRY_ISP_INFO 1341 This variable indicates whether an ISP-Information AVP is carried 1342 in PANA-Start-Request message. 1344 NAP_AUTH 1346 This variable indicates whether a NAP authentication is being 1347 performed or not. 1349 CARRY_PPAC 1351 This variable indicates whether a Post-PANA-Address-Configuration 1352 AVP is carried in PANA-Start-Request message. 1354 PAC_FOUND 1356 This variable is set to TRUE during the EP-to-PAA notification as 1357 a result of a traffic-driven PAA discovery or link-up event 1358 notification by the EP as a result of the presence of a new PaC. 1360 EAP_SUCCESS 1362 This event variable is set to TRUE when EAP conversation completes 1363 with success. This event accompanies an EAP- Success message 1364 passed from the EAP authenticator. 1366 EAP_FAILURE 1368 This event variable is set to TRUE when EAP conversation completes 1369 with failure. This event accompanies an EAP- Failure message 1370 passed from the EAP authenticator. 1372 EAP_REQUEST 1374 This event variable is set to TRUE when the EAP authenticator 1375 delivers an EAP Request to the PAA. This event accompanies an 1376 EAP-Request message received from the EAP authenticator. 1378 EAP_TIMEOUT 1380 This event variable is set to TRUE when EAP conversation times out 1381 without generating an EAP-Success or an EAP-Failure message. This 1382 event does not accompany any EAP message. 1384 7.3. Procedures 1386 boolean new_key_available() 1388 A procedure to check whether the PANA session has a new 1389 PANA_MAC_KEY. If the state machine already have a PANA_MAC_KEY, 1390 it returns FALSE. If the state machine does not have a 1391 PANA_MAC_KEY, it tries to retrieve a AAA-Key from the EAP entity. 1392 If a AAA-Key has been retrieved, it computes a PANA_MAC_KEY from 1393 the AAA-Key and returns TRUE. Otherwise, it returns FALSE. 1395 boolean new_source_address() 1397 A procedure to check the PaC's source IP address from the current 1398 PUR message. If the source IP address of the message is different 1399 from the last known IP address stored in the PANA session, this 1400 procedure returns TRUE. Otherwise, it returns FALSE. 1402 void update_popa() 1404 A procedure to extract the PaC's source IP address from the 1405 current PUR message and update the PANA session with this new IP 1406 address. 1408 7.4. PAA State Transition Table 1410 ------------------------------ 1411 State: OFFLINE (Initial State) 1412 ------------------------------ 1413 Initialization Action: 1415 USE_COOKIE=Set|Unset; 1416 EAP_PIGGYBACK=Set|Unset; 1417 SEPARATE=Set|Unset; 1418 if (USE_COOKIE==Unset && EAP_PIGGYBACK==Set) 1419 SEPARATE=Unset; 1420 1ST_EAP=Unset; 1421 ABORT_ON_1ST_EAP_FAILURE=Set|Unset; 1422 CARRY_LIFETIME=Set|Unset; 1423 CARRY_DEVICE_ID=Set|Unset; 1424 CARRY_NAP_INFO=Set|Unset; 1425 CARRY_ISP_INFO=Set|Unset; 1426 CARRY_PPAC=Set|Unset; 1427 PROTECTION_CAP_IN_PSR=Set|Unset; 1428 PROTECTION_CAP_IN_PBR=Set|Unset; 1429 if (PROTECTION_CAP_IN_PBR=Unset) 1430 PROTECTION_CAP_IN_PSR=Unset; 1431 else 1432 CARRY_DEVICE_ID=Set; 1433 NAP_AUTH=Unset; 1434 RTX_COUNTER=0; 1435 RtxTimerStop(); 1437 Exit Condition Exit Action Exit State 1438 ------------------------+--------------------------+------------ 1439 - - - - - - - - - - - - - (Stateful discovery)- - - - - - - - - 1440 (Rx:PDI || EAP_Restart(); WAIT_EAP_MSG_ 1441 PAC_FOUND) && IN_DISC 1442 USE_COOKIE==Unset && 1443 EAP_PIGGYBACK==Set 1445 (Rx:PDI || if (SEPARATE==Set) STATEFUL_DISC 1446 PAC_FOUND) && PSR.S_flag=1; 1447 USE_COOKIE==Unset && if (CARRY_NAP_INFO==Set) 1448 EAP_PIGGYBACK==Unset PSR.insert_avp 1449 ("NAP-Information"); 1450 if (CARRY_ISP_INFO==Set) 1451 PSR.insert_avp 1452 ("ISP-Information"); 1453 if (CARRY_PPAC==Set) 1454 PSR.insert_avp 1455 ("Post-PANA-Address- 1456 Configuration"); 1457 if (PROTECTION_CAP_IN_PSR 1458 ==Set) 1459 PSR.insert_avp 1460 ("Protection-Cap."); 1462 Tx:PSR(); 1463 RtxTimerStart(); 1464 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1465 - - - - - - - - - - - - - (Stateless discovery) - - - - - - - - 1466 (Rx:PDI || if (SEPARATE==Set) OFFLINE 1467 PAC_FOUND) && PSR.S_flag=1; 1468 USE_COOKIE==Set PSR.insert_avp 1469 ("Cookie"); 1470 if (CARRY_NAP_INFO==Set) 1471 PSR.insert_avp 1472 ("NAP-Information"); 1473 if (CARRY_ISP_INFO==Set) 1474 PSR.insert_avp 1475 ("ISP-Information"); 1476 if (CARRY_PPAC==Set) 1477 PSR.insert_avp 1478 ("Post-PANA-Address- 1479 Configuration"); 1480 if (PROTECTION_CAP_IN_PSR 1481 ==Set) 1482 PSR.insert_avp 1483 ("Protection-Cap."); 1484 Tx:PSR(); 1485 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1486 - - - - - - - - - - - - - - (PSA processing) - - - - - - - - - 1487 Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG 1488 USE_COOKIE==Set PSA.S_flag==0) 1489 SEPARATE=Unset; 1490 if (SEPARATE==Set) 1491 NAP_AUTH=Set|Unset; 1492 EAP_Restart(); 1493 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1495 --------------------------- 1496 State: WAIT_EAP_MSG_IN_DISC 1497 --------------------------- 1499 Exit Condition Exit Action Exit State 1500 ------------------------+--------------------------+------------ 1501 - - - - - - - - - - - (Send PSR with EAP-Request) - - - - - - - 1502 EAP_REQUEST PSR.insert_avp STATEFUL_DISC 1503 ("EAP-Payload"); 1504 if (CARRY_NAP_INFO==Set) 1505 PSR.insert_avp 1506 ("NAP-Information"); 1507 if (CARRY_ISP_INFO==Set) 1508 PSR.insert_avp 1509 ("ISP-Information"); 1511 if (CARRY_PPAC==Set) 1512 PSR.insert_avp 1513 ("Post-PANA-Address- 1514 Configuration"); 1515 Tx:PSR(); 1516 RtxTimerStart(); 1518 EAP_TIMEOUT None(); OFFLINE 1519 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1521 -------------------- 1522 State: STATEFUL_DISC 1523 -------------------- 1525 Exit Condition Action Exit State 1526 ------------------------+--------------------------+------------ 1527 - - - - - - - - - - - - - (Stateful discovery)- - - - - - - - - 1528 Rx:PSA if (SEPARATE==Set && WAIT_EAP_MSG 1529 PSA.S_flag==0) 1530 SEPARATE=Unset; 1531 if (PSA.exist_avp 1532 ("EAP-Payload")) 1533 TxEAP(); 1534 else { 1535 if (SEPARATE==Set) 1536 NAP_AUTH=Set|Unset; 1537 EAP_Restart(); 1538 } 1539 RtxTimerStop(); 1541 EAP_TIMEOUT if (key_available()) WAIT_PEA 1542 PER.insert_avp("MAC"); 1543 Tx:PER(); 1544 RtxTimerStart(); 1545 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1547 ------------------- 1548 State: WAIT_EAP_MSG 1549 ------------------- 1551 Exit Condition Exit Action Exit State 1552 ------------------------+--------------------------+------------ 1553 - - - - - - - - - - - -(Receiving EAP-Request)- - - - - - - - - 1554 EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR 1555 PAR.insert_avp("MAC"); 1556 if (SEPARATE==Set) { 1557 PAR.S_flag=1; 1558 if (NAP_AUTH==Set) 1559 PAR.N_flag=1; 1560 } 1561 Tx:PAR(); 1562 RtxTimerStart(); 1563 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1564 - - - - - - -(Receiving EAP-Success/Failure single EAP)- - - - 1565 EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA 1566 1ST_EAP==Unset && ("EAP-Payload"); 1567 SEPARATE==Unset if (key_available()) 1568 PBR.insert_avp("MAC"); 1569 Tx:PBR(); 1570 RtxTimerStart(); 1572 EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA 1573 1ST_EAP==Unset && ("EAP-Payload"); 1574 SEPARATE==Unset && if (CARRY_DEVICE_ID==Set) 1575 Authorize() PBR.insert_avp 1576 ("Device-Id"); 1577 if (CARRY_LIFETIME==Set) 1578 PBR.insert_avp 1579 ("Session-Lifetime"); 1580 if (PROTECTION_CAP_IN_PBR 1581 ==Set) 1582 PBR.insert_avp 1583 ("Protection-Cap."); 1584 if (new_key_available()) 1585 PBR.insert_avp 1586 ("Key-Id"); 1587 if (key_available()) 1588 PBR.insert_avp("MAC"); 1589 Tx:PBR(); 1590 RtxTimerStart(); 1592 EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA 1593 1ST_EAP==Unset && ("EAP-Payload"); 1594 SEPARATE==Unset && if (new_key_available()) 1595 !Authorize() PBR.insert_avp 1596 ("Key-Id"); 1597 if (key_available()) 1598 PBR.insert_avp("MAC"); 1599 Tx:PBR(); 1600 RtxTimerStart(); 1602 EAP_TIMEOUT && if (key_available()) WAIT_PEA 1603 1ST_EAP==Unset && PER.insert_avp("MAC"); 1604 SEPARATE==Unset Tx:PER(); 1605 RtxTimerStart(); 1607 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1608 - - - - - - -(Receiving EAP-Success/Failure for 1st EAP)- - - - 1609 EAP_FAILURE && 1ST_EAP=Failure WAIT_PFEA 1610 1ST_EAP==Unset && PFER.insert_avp 1611 SEPARATE==Set && ("EAP-Payload"); 1612 ABORT_ON_1ST_EAP_FAILURE if (key_available()) 1613 ==Unset PFER.insert_avp("MAC"); 1614 PFER.S_flag=1; 1615 if (NAP_AUTH) 1616 PFER.N_flag=1; 1617 Tx:PFER(); 1618 RtxTimerStart(); 1620 EAP_FAILURE && 1ST_EAP=Failure WAIT_FAIL_PFEA 1621 1ST_EAP==Unset && PFER.insert_avp 1622 SEPARATE==Set && ("EAP-Payload"); 1623 ABORT_ON_1ST_EAP_FAILURE if (key_available()) 1624 ==Set PFER.insert_avp("MAC"); 1625 PFER.S_flag=0; 1626 Tx:PFER(); 1627 RtxTimerStart(); 1629 EAP_SUCCESS && 1ST_EAP=Success WAIT_PFEA 1630 1ST_EAP==Unset && PFER.insert_avp 1631 SEPARATE==Set ("EAP-Payload"); 1632 if (new_key_available()) 1633 PFER.insert_avp 1634 ("Key-Id"); 1635 if (key_available()) 1636 PFER.insert_avp("MAC"); 1637 PFER.S_flag=1; 1638 if (NAP_AUTH) 1639 PFER.N_flag=1; 1640 Tx:PFER(); 1641 RtxTimerStart(); 1643 EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA 1644 1ST_EAP==Unset && if (key_available()) 1645 SEPARATE==Set && PFER.insert_avp("MAC"); 1646 ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1; 1647 ==Unset if (NAP_AUTH) 1648 PFER.N_flag=1; 1649 Tx:PFER(); 1650 RtxTimerStart(); 1652 EAP_TIMEOUT && 1ST_EAP=Failure WAIT_FAIL_PFEA 1653 1ST_EAP==Unset && if (key_available()) 1654 SEPARATE==Set && PFER.insert_avp("MAC"); 1655 ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset; 1656 ==Set PFER.S_flag=0; 1657 Tx:PFER(); 1658 RtxTimerStart(); 1659 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1660 - - - - - - -(Receiving EAP-Success/Failure for 2nd EAP)- - - - 1661 EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA 1662 1ST_EAP==Failure && ("EAP-Payload"); 1663 SEPARATE==Set if (key_available()) 1664 PBR.insert_avp("MAC"); 1665 PBR.S_flag=1; 1666 if (NAP_AUTH) 1667 PBR.N_flag=1; 1668 Tx:PBR(); 1669 RtxTimerStart(); 1671 EAP_FAILURE && PBR.insert_avp WAIT_SUCC_PBA 1672 1ST_EAP==Success && ("EAP-Payload"); 1673 SEPARATE==Set && if (CARRY_DEVICE_ID==Set) 1674 Authorize() PBR.insert_avp 1675 ("Device-Id"); 1676 if (CARRY_LIFETIME==Set) 1677 PBR.insert_avp 1678 ("Session-Lifetime"); 1679 if (PROTECTION_CAP_IN_PBR 1680 ==Set) 1681 PBR.insert_avp 1682 ("Protection-Cap."); 1683 if (key_available()) 1684 PBR.insert_avp("MAC"); 1685 PBR.S_flag=1; 1686 if (NAP_AUTH) 1687 PBR.N_flag=1; 1688 Tx:PBR(); 1689 RtxTimerStart(); 1691 EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA 1692 1ST_EAP==Success && ("EAP-Payload"); 1693 SEPARATE==Set && if (key_available()) 1694 !Authorize() PBR.insert_avp("MAC"); 1695 PBR.S_flag=1; 1696 if (NAP_AUTH) 1697 PBR.N_flag=1; 1698 Tx:PBR(); 1699 RtxTimerStart(); 1701 EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA 1702 1ST_EAP==Success && ("EAP-Payload"); 1703 SEPARATE==Set && if (CARRY_DEVICE_ID==Set) 1704 Authorize() PBR.insert_avp 1705 ("Device-Id"); 1706 if (CARRY_LIFETIME==Set) 1707 PBR.insert_avp 1708 ("Session-Lifetime"); 1709 if (PROTECTION_CAP_IN_PBR 1710 ==Set) 1711 PBR.insert_avp 1712 ("Protection-Cap."); 1713 if (new_key_available()) 1714 PBR.insert_avp 1715 ("Key-Id"); 1716 if (key_available()) 1717 PBR.insert_avp("MAC"); 1718 PBR.S_flag=1; 1719 if (NAP_AUTH) 1720 PBR.N_flag=1; 1721 Tx:PBR(); 1722 RtxTimerStart(); 1724 EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA 1725 1ST_EAP==Success && ("EAP-Payload"); 1726 SEPARATE==Set && if (new_key_available()) 1727 !Authorize() PBR.insert_avp 1728 ("Key-Id"); 1729 if (key_available()) 1730 PBR.insert_avp("MAC"); 1731 PBR.S_flag=1; 1732 if (NAP_AUTH) 1733 PBR.N_flag=1; 1734 Tx:PBR(); 1735 RtxTimerStart(); 1737 EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA 1738 1ST_EAP==Failure && ("EAP-Payload"); 1739 SEPARATE==Set && if (CARRY_DEVICE_ID==Set) 1740 Authorize() PBR.insert_avp 1741 ("Device-Id"); 1742 if (CARRY_LIFETIME==Set) 1743 PBR.insert_avp 1744 ("Session-Lifetime"); 1745 if (PROTECTION_CAP_IN_PBR 1746 ==Set) 1747 PBR.insert_avp 1748 ("Protection-Cap."); 1750 if (new_key_available()) 1751 PBR.insert_avp 1752 ("Key-Id"); 1753 if (key_available()) 1754 PBR.insert_avp("MAC"); 1755 PBR.S_flag=1; 1756 if (NAP_AUTH) 1757 PBR.N_flag=1; 1758 Tx:PBR(); 1759 RtxTimerStart(); 1761 EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA 1762 1ST_EAP==Failure && ("EAP-Payload"); 1763 SEPARATE==Set && if (new_key_available()) 1764 !Authorize() PBR.insert_avp 1765 ("Key-Id"); 1766 if (key_available()) 1767 PBR.insert_avp("MAC"); 1768 PBR.S_flag=1; 1769 if (NAP_AUTH) 1770 PBR.N_flag=1; 1771 Tx:PBR(); 1772 RtxTimerStart(); 1774 EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA 1775 1ST_EAP==Failure && PBR.insert_avp("MAC"); 1776 SEPARATE==Set PBR.S_flag=1; 1777 if (NAP_AUTH) 1778 PBR.N_flag=1; 1779 Tx:PBR(); 1780 RtxTimerStart(); 1782 EAP_TIMEOUT && if (CARRY_DEVICE_ID==Set) WAIT_SUCC_PBA 1783 1ST_EAP==Success && PBR.insert_avp 1784 SEPARATE==Set && ("Device-Id"); 1785 Authorize() if (CARRY_LIFETIME==Set) 1786 PBR.insert_avp 1787 ("Session-Lifetime"); 1788 if (PROTECTION_CAP_IN_PBR 1789 ==Set) 1790 PBR.insert_avp 1791 ("Protection-Cap."); 1792 if (new_key_available()) 1793 PBR.insert_avp 1794 ("Key-Id"); 1795 if (key_available()) 1796 PBR.insert_avp("MAC"); 1797 PBR.S_flag=1; 1798 if (NAP_AUTH) 1799 PBR.N_flag=1; 1800 Tx:PBR(); 1801 RtxTimerStart(); 1803 EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA 1804 1ST_EAP==Success && PBR.insert_avp("MAC"); 1805 SEPARATE==Set && PBR.S_flag=1; 1806 !Authorize() if (NAP_AUTH) 1807 PBR.N_flag=1; 1808 Tx:PBR(); 1809 RtxTimerStart(); 1810 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1812 ---------------- 1813 State: WAIT_PFEA 1814 ---------------- 1816 Event/Condition Action Exit State 1817 ------------------------+--------------------------+------------ 1818 - - - - - - - - - - - -(PFEA Processing)- - - - - - - - - - - - 1819 Rx:PFEA && RtxTimerStop(); WAIT_EAP_MSG 1820 (1ST_EAP==Success || EAP_Restart(); 1821 (PFEA.S_flag==1 && if (NAP_AUTH==Set) 1822 1ST_EAP==Failure)) NAP_AUTH=Unset; 1823 else 1824 NAP_AUTH=Set; 1826 Rx:PFEA && RtxTimerStop(); CLOSED 1827 PFEA.S_flag==0 && Disconnect(); 1828 1ST_EAP==Failure 1829 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1831 --------------------- 1832 State: WAIT_FAIL_PFEA 1833 --------------------- 1835 Event/Condition Action Exit State 1836 ------------------------+--------------------------+------------ 1837 - - - - - - - - - - - - - -(PFEA Processing)- - - - - - - - - - 1838 Rx:PFEA RtxTimerStop(); CLOSED 1839 Disconnect(); 1840 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1842 -------------------- 1843 State: WAIT_SUCC_PBA 1844 -------------------- 1845 Event/Condition Action Exit State 1846 ------------------------+--------------------------+------------ 1847 - - - - - - - - - - - - - (PBA Processing)- - - - - - - - - - - 1848 Rx:PBA && SessionTimerStart(); OPEN 1849 (CARRY_DEVICE_ID==Unset || 1850 (CARRY_DEVICE_ID==Set && 1851 PBA.exit_avp("Device-Id"))) 1853 Rx:PBA && PER.RESULT_CODE= WAIT_PEA 1854 CARRY_DEVICE_ID==Set && PANA_MISSING_AVP 1855 !PBA.exit_avp Tx:PER(); 1856 ("Device-Id") RtxTimerStart(); 1857 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1859 -------------------- 1860 State: WAIT_FAIL_PBA 1861 -------------------- 1863 Exit Condition Exit Action Exit State 1864 ------------------------+--------------------------+------------ 1865 - - - - - - - - - - - - - - (PBA Processing)- - - - - - - - - - 1866 Rx:PBA RtxTimerStop(); CLOSED 1867 Disconnect(); 1868 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1870 ----------- 1871 State: OPEN 1872 ----------- 1874 Event/Condition Action Exit State 1875 ------------------------+--------------------------+------------ 1876 - - - - - - - - (re-authentication initiated by PaC) - - - - - - 1877 Rx:PRAR if (key_available()) WAIT_EAP_MSG 1878 PRAA.insert_avp("MAC"); 1879 EAP_Restart(); 1880 1ST_EAP=Unset; 1881 NAP_AUTH=Set|Unset; 1882 Tx:PRAA(); 1883 SessionTimerStop(); 1884 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1885 - - - - - - - - (re-authentication initiated by PAA)- - - - - - 1886 REAUTH EAP_Restart(); WAIT_EAP_MSG 1887 1ST_EAP=Unset; 1888 NAP_AUTH=Set|Unset; 1889 SessionTimerStop(); 1890 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1891 - - (liveness test based on PPR-PPA exchange initiated by PAA)- 1892 PANA_PING Tx:PPR(); WAIT_PPA 1893 RtxTimerStart(); 1894 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1895 - - (liveness test based on PPR-PPA exchange initiated by PaC)- 1896 Rx:PPR if (key_available()) OPEN 1897 PPA.insert_avp("MAC"); 1898 Tx:PPA(); 1899 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1900 - - - - - - - - (Session termination initated from PAA) - - - - 1901 TERMINATE if (key_available()) SESS_TERM 1902 PTR.insert_avp("MAC"); 1903 Tx:PTR(); 1904 RtxTimerStart(); 1905 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1906 - - - - - - - - (Session termination initated from PaC) - - - - 1907 Rx:PTR if (key_available()) CLOSED 1908 PTA.insert_avp("MAC"); 1909 Tx:PTA(); 1910 Disconnect(); 1911 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1912 - - - - - - - - - -(Notification message) - - - - - - - - - - - 1913 NOTIFY if (key_available()) WAIT_PUA 1914 PUR.insert_avp("MAC"); 1915 Tx:PUR(); 1916 RtxTimerStart(); 1917 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1918 - - - - - - - -(Notification/Address update) - - - - - - - - - 1919 Rx:PUR If (key_avaialble()) OPEN 1920 PUA.insert_avp("MAC"); 1921 Tx:PUA(); 1922 if (new_source_address()) 1923 update_popa(); 1924 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1926 --------------- 1927 State: WAIT_PPA 1928 --------------- 1930 Exit Condition Exit Action Exit State 1931 ------------------------+--------------------------+------------ 1932 - - - - - - - - - - - - - -(PPA processing) - - - - - - - - - - 1933 Rx:PPA RtxTimerStop(); OPEN 1934 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1936 ---------------------- 1937 State: WAIT_PAN_OR_PAR 1938 ---------------------- 1939 Exit Condition Exit Action Exit State 1940 ------------------------+--------------------------+------------ 1941 - - - - - - (Pass EAP Response to the EAP authenticator)- - - - 1942 Rx:PAN && TxEAP(); WAIT_EAP_MSG 1943 PAN.exist_avp 1944 ("EAP-Payload") 1946 Rx:PAR TxEAP(); WAIT_EAP_MSG 1947 if (key_available()) 1948 PAN.insert_avp("MAC"); 1949 if (SEPARATE==Set) { 1950 PAN.S_flag=1; 1951 if (NAP_AUTH==Set) 1952 PAN.N_flag=1; 1953 } 1954 RtxTimerStop(); 1955 Tx:PAN(); 1956 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1957 - - - - - - - - - - (PAN without an EAP response) - - - - - - - 1958 Rx:PAN && RtxTimerStop(); WAIT_PAN_OR_PAR 1959 !PAN.exist_avp 1960 ("EAP-Payload") 1961 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1962 - - - - - - - - - - - -(EAP retransmission) - - - - - - - - - - 1963 EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR 1964 PAR.insert_avp("MAC"); 1965 if (SEPARATE==Set) { 1966 PAR.S_flag=1; 1967 if (NAP_AUTH==Set) 1968 PAR.N_flag=1; 1969 } 1970 Tx:PAR(); 1971 RtxTimerStart(); 1972 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1973 - - - - - - - - -(EAP authentication timeout)- - - - - - - - - 1974 EAP_TIMEOUT && if (key_available()) WAIT_PEA 1975 1ST_EAP==Unset && PER.insert_avp("MAC"); 1976 SEPARATE==Unset Tx:PER(); 1977 RtxTimerStart(); 1978 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1979 - - - - - -(EAP authentication timeout for 1st EAP)- - - - - - 1980 EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA 1981 1ST_EAP==Unset && if (key_available()) 1982 SEPARATE==Set && PFER.insert_avp("MAC"); 1983 ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1; 1984 ==Unset if (NAP_AUTH) 1985 PFER.N_flag=1; 1986 Tx:PFER(); 1987 RtxTimerStart(); 1989 EAP_TIMEOUT && 1ST_EAP=Failure WAIT_FAIL_PFEA 1990 1ST_EAP==Unset && if (key_available()) 1991 SEPARATE==Set && PFER.insert_avp("MAC"); 1992 ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset; 1993 ==Set PFER.S_flag=0; 1994 Tx:PFER(); 1995 RtxTimerStart(); 1996 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1997 - - - - - -(EAP authentication timeout for 2nd EAP)- - - - - - 1998 EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA 1999 1ST_EAP==Failure && PBR.insert_avp("MAC"); 2000 SEPARATE==Set PBR.S_flag=1; 2001 if (NAP_AUTH) 2002 PBR.N_flag=1; 2003 Tx:PBR(); 2004 RtxTimerStart(); 2006 EAP_TIMEOUT && if (CARRY_DEVICE_ID==Set) WAIT_SUCC_PBA 2007 1ST_EAP==Success && PBR.insert_avp 2008 SEPARATE==Set && ("Device-Id"); 2009 Authorize() if (CARRY_LIFETIME==Set) 2010 PBR.insert_avp 2011 ("Session-Lifetime"); 2012 if (PROTECTION_CAP_IN_PBR 2013 ==Set) 2014 PBR.insert_avp 2015 ("Protection-Cap."); 2016 if (new_key_available()) 2017 PBR.insert_avp 2018 ("Key-Id"); 2019 if (key_available()) 2020 PBR.insert_avp("MAC"); 2021 PBR.S_flag=1; 2022 if (NAP_AUTH) 2023 PBR.N_flag=1; 2024 Tx:PBR(); 2025 RtxTimerStart(); 2027 EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA 2028 1ST_EAP==Success && PBR.insert_avp("MAC"); 2029 SEPARATE==Set && PBR.S_flag=1; 2030 !Authorize() if (NAP_AUTH) 2031 PBR.N_flag=1; 2032 Tx:PBR(); 2033 RtxTimerStart(); 2035 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2037 --------------- 2038 State: WAIT_PUA 2039 --------------- 2041 Exit Condition Exit Action Exit State 2042 ------------------------+--------------------------+------------ 2043 - - - - - - - - - - - - - (PUA processing)- - - - - - - - - - - 2044 Rx:PUA RtxTimerStop(); OPEN 2045 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2047 ---------------- 2048 State: SESS_TERM 2049 ---------------- 2051 Exit Condition Exit Action Exit State 2052 ------------------------+--------------------------+------------ 2053 - - - - - - - - - - - - - -(PTA processing) - - - - - - - - - - 2054 Rx:PTA RtxTimerStop(); CLOSED 2055 Disconnect(); 2056 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2058 --------------- 2059 State: WAIT_PEA 2060 --------------- 2062 Exit Condition Exit Action Exit State 2063 ------------------------+--------------------------+------------ 2064 - - - - - - - - - - - - - -(PEA processing) - - - - - - - - - - 2065 Rx:PEA RtxTimerStop(); CLOSED 2066 Disconnect(); 2067 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2069 8. Mobility Optimization Support 2071 The state machines outlined in preceeding sections provide only PANA 2072 base protocol functionality. In order to support PANA mobility 2073 optimization outlined in [I-D.ietf-pana-mobopts], additions and 2074 changes to the PaC and PAA state machines is required. The additions 2075 and changes provides only basic mobility optimization and is not 2076 explicit on integration of other mobility functionality such as 2077 context-transfer mechanisms. However, it does provide enough 2078 flexibility to accomodate future inclusion of such mechanisms. 2080 The variables, procedures and state transition described in this 2081 section is designed to be seamlessly integrated into the appropriate 2082 base protocol state machines. They should be treated as a mobility 2083 optimization addendum to the base protocol state machine. In this 2084 addendum, no additional states has been defined but some 2085 modifications to the base protocol state machine is required. The 2086 modifications are to accomodate the mobility variables and procedures 2087 as they relate to existing state transition actions and events. 2088 These modifications to existing state transition are noted in state 2089 transition tables in this section. These modified state transitions 2090 are intended to replace thier base protocol counterpart. Addition of 2091 new state transitions specific to mobility optimization is also 2092 present. Variable initialization also need to be added to the 2093 appropriate base protocol state to complete the mobility optimization 2094 support. 2096 8.1. Common Variables 2098 MOBILITY 2100 This variable indicates whether the mobility handling feature 2101 described in [I-D.ietf-pana-mobopts] is supported. This should be 2102 present in both PaC and PAA state machine. Existing state 2103 transitions in the base protocol state machine that can be 2104 affected by mobility optimization must treat this variable as 2105 being Unset unless the state transitions is explicitly redefined 2106 in this section. 2108 8.2. PaC Mobility Optimization State Machine 2110 8.2.1. Variables 2112 PANA_SA_RESUMED 2113 This variable indicates whether the PANA SA of a previous PANA 2114 session was resumed during the discovery and initial handshake. 2116 8.2.2. Procedures 2118 boolean resume_pana_sa() 2120 This procedure returns TRUE when a PANA SA for a previously 2121 established PANA Session is resumed, otherwise returns FALSE. 2122 Once a PANA SA is resumed, key_available() procedure must return 2123 TRUE. Existing state transitions in the base protocol state 2124 machine that can be affected by mobility optimization must assume 2125 that this procedure always returns FALSE unless the state 2126 transition is explicitly redefined in this section. 2128 8.2.3. PaC Mobility Optimization State Transition Table Addendum 2130 ------------------------------ 2131 State: OFFLINE (Initial State) 2132 ------------------------------ 2134 Initialization Action: 2136 MOBILITY=Set|Unset; 2137 PANA_SA_RESUMED=Unset; 2139 Exit Condition Exit Action Exit State 2140 ------------------------+--------------------------+------------ 2141 - - - - - - - - (PSR processing with mobility support)- - - - - 2142 - The following state transitions are intended to be added - 2143 - to the OFFLINE state of the PaC base protocol state - 2144 - machine. - 2145 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2146 Rx:PSR && RtxTimerStop(); WAIT_PAA 2147 !PSR.exist_avp PSA.insert_avp 2148 ("EAP-Payload") && ("Session-Id"); 2149 MOBILITY==Set && SEPARATE=Unset; 2150 resume_pana_sa() && PANA_SA_RESUMED=Set; 2151 PSR.exist_avp PSA.insert_avp("Cookie"); 2152 ("Cookie") PSA.insert_avp("MAC"); 2153 Tx:PSA(); 2154 RtxTimerStart(); 2156 Rx:PSR && RtxTimerStop(); WAIT_PAA 2157 !PSR.exist_avp PSA.insert_avp 2158 ("EAP-Payload") && ("Session-Id"); 2159 MOBILITY==Set && PSA.insert_avp("MAC"); 2160 resume_pana_sa() && Tx:PSA(); 2161 !PSR.exist_avp PANA_SA_RESUMED=Set; 2162 ("Cookie") 2164 --------------- 2165 State: WAIT_PAA 2166 --------------- 2168 Exit Condition Exit Action Exit State 2169 ------------------------+--------------------------+------------ 2170 - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - - 2171 - The following state transitions are intended to replace - 2172 - existing base protocol state transitions. Original base - 2173 - protocol state transitions can be referenced by the same - 2174 - exit conditions that exist in the WAIT_PAA state of the PaC - 2175 - base protocol state machine. - 2176 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2177 Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG 2178 !eap_piggyback() TxEAP(); 2179 PANA_SA_RESUMED=Unset; 2180 EAP_RespTimerStart(); 2181 if (key_available()) 2182 PAN.insert_avp("MAC"); 2183 PAN.S_flag=PAR.S_flag; 2184 PAN.N_flag=PAR.N_flag; 2185 Tx:PAN(); 2187 Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG 2188 eap_piggyback() TxEAP(); 2189 PANA_SA_RESUMED=Unset; 2190 EAP_RespTimerStart(); 2192 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2193 - - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - - 2194 - The following state transitions are intended to replace - 2195 - existing base protocol state transitions. Original base - 2196 - protocol state transitions can be referenced by exit - 2197 - conditions that excludes PANA_SA_RESUMED variable checks. - 2198 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2199 Rx:PBR && TxEAP(); WAIT_EAP_RESULT 2200 1ST_EAP==Unset && if (PBR.exist_avp 2201 SEPARATE==Unset && ("Device-Id")) 2202 PBR.RESULT_CODE== CARRY_DEVICE_ID=Set; 2203 PANA_SUCCESS && 2204 PANA_SA_RESUMED!=Set 2206 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2207 - - - - - - - - (PBR processing with mobility support)- - - - - 2208 - The following state transitions are intended to be added - 2209 - to the WAIT_PAA state of the PaC base protocol state - 2210 - machine. - 2211 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2212 Rx:PBR && PBA.insert_avp("Key-Id"); OPEN 2213 1ST_EAP==Unset && PBA.insert_avp("MAC"); 2214 SEPARATE==Unset && if (PBR.exist_avp 2215 PBR.RESULT_CODE== ("Device-Id")) 2216 PANA_SUCCESS && PBA.insert("Device-Id"); 2217 PANA_SA_RESUMED==Set && Tx:PBA(); 2218 PBR.exist_avp Authorize(); 2219 ("Key-Id") && SessionTimerStart(); 2220 PBR.exist_avp 2221 ("MAC") 2223 ----------- 2224 State: OPEN 2225 ----------- 2227 Exit Condition Exit Action Exit State 2228 ------------------------+--------------------------+------------- 2229 - - - - - - - - - (re-authentication initiated by PaC)- - - - - - 2230 - The following state transitions are intended to replace - 2231 - existing base protocol state transitions. Original base - 2232 - protocol state transitions can be referenced by the same - 2233 - exit conditions that exist in the OPEN state of the PaC - 2234 - base protocol state machine. - 2235 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2236 REAUTH SEPARATE=Set|Unset; WAIT_PRAA 2237 1ST_EAP=Unset; 2238 PANA_SA_RESUMED=Unset; 2239 if (key_available()) 2240 PRAR.insert_avp("MAC"); 2241 Tx:PRAR(); 2242 RtxTimerStart(); 2243 SessionTimerStop(); 2244 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2245 - - - - - - - - - (re-authentication initiated by PAA)- - - - - - 2246 Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG 2247 !eap_piggyback() 1ST_EAP=Unset; 2248 PANA_SA_RESUMED=Unset; 2249 EAP_RespTimerStart(); 2250 TxEAP(); 2251 if (key_available()) 2252 PAN.insert_avp("MAC"); 2253 PAN.S_flag=PAR.S_flag; 2254 PAN.N_flag=PAR.N_flag; 2255 Tx:PAN(); 2256 SessionTimerStop(); 2258 Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG 2259 eap_piggyback() 1ST_EAP=Unset; 2260 PANA_SA_RESUMED=Unset; 2261 EAP_RespTimerStart(); 2262 TxEAP(); 2263 SessionTimerStop(); 2265 ------------------------+--------------------------+------------ 2266 - - - - - - - - (PSR processing with mobility support)- - - - - 2267 - The following state transitions are intended to be added - 2268 - to the OPEN state of the PaC base protocol state machine - 2269 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2270 Rx:PSR && RtxTimerStop(); WAIT_PAA 2271 !PSR.exist_avp PSA.insert_avp 2272 ("EAP-Payload") && ("Session-Id"); 2273 MOBILITY==Set && SEPARATE=Unset; 2274 resume_pana_sa() && PANA_SA_RESUMED=Set; 2275 PSR.exist_avp PSA.insert_avp("Cookie"); 2276 ("Cookie") PSA.insert_avp("MAC"); 2277 Tx:PSA(); 2278 RtxTimerStart(); 2280 Rx:PSR && RtxTimerStop(); WAIT_PAA 2281 !PSR.exist_avp PSA.insert_avp 2282 ("EAP-Payload") && ("Session-Id"); 2283 MOBILITY==Set && PSA.insert_avp("MAC"); 2284 resume_pana_sa() && Tx:PSA(); 2285 !PSR.exist_avp PANA_SA_RESUMED=Set; 2286 ("Cookie") 2288 8.3. PAA Mobility Optimization 2290 8.3.1. Procedures 2292 boolean retrieve_pana_sa(Session-Id) 2294 This procedure returns TRUE when a PANA SA for the PANA Session 2295 corresponds to the specified Session-Id has been retrieved, 2296 otherwise returns FALSE. 2298 8.3.2. PAA Mobility Optimization State Transition Table Addendum 2299 ------------------------------ 2300 State: OFFLINE (Initial State) 2301 ------------------------------ 2303 Initialization Action: 2305 MOBILITY=Set|Unset; 2307 Exit Condition Exit Action Exit State 2308 ------------------------+--------------------------+------------ 2309 - - - - - - - (PSA processing with mobility support) - - - - - - 2310 - The following state transitions are intended to replace - 2311 - existing base protocol state transitions. Original base - 2312 - protocol state transitions can be referenced by exit - 2313 - conditions that excludes MOBILITY variable checks and - 2314 - retrieve_pana_sa() procedure calls. - 2315 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2316 Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG 2317 (!PSA.exist_avp PSA.S_flag==0) 2318 ("Session-Id") || SEPARATE=Unset; 2319 MOBILITY==Unset || if (SEPARATE==Set) 2320 (MOBILITY==Set && NAP_AUTH=Set|Unset; 2321 !retrieve_pana_sa EAP_Restart(); 2322 (PSA.SESSION_ID))) 2323 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2324 - - - - - - - - (PSA processing with mobility support)- - - - - 2325 Rx:PSA && PBR.insert_avp("MAC"); WAIT_SUCC_PBA 2326 PSA.exist_avp PBR.insert_avp("Key-Id"); 2327 ("Session-Id") && if (CARRY_DEVICE_ID==Set) 2328 MOBILITY==Set && PBR.insert_avp 2329 retrieve_pana_sa ("Device-Id"); 2330 (PSA.SESSION_ID) if (PROTECTION_CAP_IN_PBR 2331 ==Set) 2332 PBR.insert_avp 2333 ("Protection-Cap."); 2334 Tx:PBR(); 2335 RtxTimerStart(); 2336 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2338 9. Implementation Considerations 2340 9.1. PAA and PaC Interface to Service Management Entity 2342 In general, it is assumed in each device that has a PANA protocol 2343 stack that there is a Service Management Entity (SME) that manages 2344 the PANA protocol stack. It is recommended that a generic interface 2345 (i.e., the SME-PANA interface) between the SME and the PANA protocol 2346 stack be provided by the implementation. Especially, common 2347 procedures such as startup, shutdown, re-authenticate signals and 2348 provisions for extracting keying material should be provided by such 2349 an interface. The SME-PANA interface in a PAA device should also 2350 provide a method for communicating filtering parameters to the EP(s). 2351 When cryptographic filtering is used, the filtering parameters 2352 include keying material used for bootstrapping per-packet ciphering. 2353 When a PAA device interacts with the backend authentication server 2354 using a AAA protocol, its SME may also have an interface to the AAA 2355 protocol to obtain authorization parameters such as the authorization 2356 lifetime and additional filtering parameters. 2358 9.2. Multicast Traffic 2360 In general, binding a UDP socket to a multicast address and/or port 2361 is system dependent. In most systems, a socket can be bound to any 2362 address and a specific port. This allows the socket to receive all 2363 packets destined for the local host (on all it's local addresses) for 2364 that port. If the host subscribes to a multicast addresses then this 2365 socket will also receive multicast traffic as well. In some systems, 2366 this would also result in the socket receiving all multicast traffic 2367 even though it has subscribed to only one multicast address. This is 2368 because most physical interfaces has either multicast traffic enabled 2369 or disabled and does not provide specific address filtering. 2370 Normally, it is not possible to filter out specific traffic on a 2371 socket from the user level. Most environments provides lower layer 2372 filtering that allows the use of only one socket to receive both 2373 unicast and specific multicast address. However it might introduce 2374 portability problems. 2376 10. Security Considerations 2378 This document's intent is to describe the PANA state machines fully. 2379 To this end, any security concerns with this document are likely a 2380 reflection of security concerns with PANA itself. 2382 11. IANA Considerations 2384 This document has no actions for IANA. 2386 12. Acknowledgments 2388 This work was started from state machines originally made by Dan 2389 Forsberg. 2391 13. References 2393 13.1. Normative References 2395 [I-D.ietf-pana-pana] 2396 Forsberg, D., "Protocol for Carrying Authentication for 2397 Network Access (PANA)", draft-ietf-pana-pana-10 (work in 2398 progress), July 2005. 2400 [I-D.ietf-eap-statemachine] 2401 Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, 2402 "State Machines for Extensible Authentication Protocol 2403 (EAP) Peer and Authenticator", 2404 draft-ietf-eap-statemachine-06 (work in progress), 2405 December 2004. 2407 [I-D.ietf-pana-mobopts] 2408 Forsberg, D., "PANA Mobility Optimizations", 2409 draft-ietf-pana-mobopts-00 (work in progress), 2410 January 2005. 2412 13.2. Informative References 2414 [RFC4058] Yegin, A., Ohba, Y., Penno, R., Tsirtsis, G., and C. Wang, 2415 "Protocol for Carrying Authentication for Network Access 2416 (PANA) Requirements", RFC 4058, May 2005. 2418 [I-D.ietf-pana-snmp] 2419 Mghazli, Y., "SNMP usage for PAA-EP interface", 2420 draft-ietf-pana-snmp-04 (work in progress), July 2005. 2422 Authors' Addresses 2424 Victor Fajardo 2425 Toshiba America Research, Inc. 2426 1 Telcordia Drive 2427 Piscataway, NJ 08854 2428 USA 2430 Phone: +1 732 699 5368 2431 Email: vfajardo@tari.toshiba.com 2433 Yoshihiro Ohba 2434 Toshiba America Research, Inc. 2435 1 Telcordia Drive 2436 Piscataway, NJ 08854 2437 USA 2439 Phone: +1 732 699 5305 2440 Email: yohba@tari.toshiba.com 2442 Rafa Marin Lopez 2443 University of Murcia 2444 30071 Murcia 2445 Spain 2447 Email: rafa@dif.um.es 2449 Intellectual Property Statement 2451 The IETF takes no position regarding the validity or scope of any 2452 Intellectual Property Rights or other rights that might be claimed to 2453 pertain to the implementation or use of the technology described in 2454 this document or the extent to which any license under such rights 2455 might or might not be available; nor does it represent that it has 2456 made any independent effort to identify any such rights. Information 2457 on the procedures with respect to rights in RFC documents can be 2458 found in BCP 78 and BCP 79. 2460 Copies of IPR disclosures made to the IETF Secretariat and any 2461 assurances of licenses to be made available, or the result of an 2462 attempt made to obtain a general license or permission for the use of 2463 such proprietary rights by implementers or users of this 2464 specification can be obtained from the IETF on-line IPR repository at 2465 http://www.ietf.org/ipr. 2467 The IETF invites any interested party to bring to its attention any 2468 copyrights, patents or patent applications, or other proprietary 2469 rights that may cover technology that may be required to implement 2470 this standard. Please address the information to the IETF at 2471 ietf-ipr@ietf.org. 2473 Disclaimer of Validity 2475 This document and the information contained herein are provided on an 2476 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 2477 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 2478 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 2479 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 2480 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 2481 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 2483 Copyright Statement 2485 Copyright (C) The Internet Society (2005). This document is subject 2486 to the rights, licenses and restrictions contained in BCP 78, and 2487 except as set forth therein, the authors retain all their rights. 2489 Acknowledgment 2491 Funding for the RFC Editor function is currently provided by the 2492 Internet Society.