idnits 2.17.1

draft-ietf-pana-statemachine-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 18.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 2576.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 2553.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 2560.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 2566.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of
     the newer disclaimer which includes the IETF Trust according to RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (May 30, 2006) is 6541 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-18) exists of
     draft-ietf-pana-pana-11

  -- Possible downref: Normative reference to a draft: ref.
     'I-D.ietf-pana-mobopts'

     Summary: 3 errors (**), 0 flaws (~~), 3 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

PANA Working Group                                            V. Fajardo
Internet-Draft                                                   Y. Ohba
Expires: December 1, 2006                                           TARI
                                                                R. Lopez
                                                         Univ. of Murcia
                                                            May 30, 2006

  State Machines for Protocol for Carrying Authentication for Network
                             Access (PANA)
                    draft-ietf-pana-statemachine-04

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 1, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document defines the conceptual state machines for the Protocol
   for Carrying Authentication for Network Access (PANA).  The state
   machines consist of the PANA Client (PaC) state machine and the PANA
   Authentication Agent (PAA) state machine.  The two state machines
   show how PANA can interface to EAP state machines and can be
   implemented to support various features, including separate NAP
   and ISP authentications, ISP selection and mobility optimization.
   The state machines and associated model are informative only.
   Implementations may achieve the same results using different methods.

Table of Contents

   1.  Introduction
   2.  Interface Between PANA and EAP
   3.  Document Authority
   4.  Notations
   5.  Common Rules
     5.1.  Common Procedures
     5.2.  Common Variables
     5.3.  Constants
     5.4.  Common Message Initialization Rules
     5.5.  Common Error Handling Rules
     5.6.  Common State Transitions
   6.  PaC State Machine
     6.1.  Interface between PaC and EAP Peer
       6.1.1.  Delivering EAP Messages from PaC to EAP Peer
       6.1.2.  Delivering EAP Responses from EAP Peer to PaC
       6.1.3.  EAP Restart Notification from PaC to EAP Peer
       6.1.4.  EAP Authentication Result Notification from EAP
               Peer to PaC
       6.1.5.  Alternate Failure Notification from PaC to EAP Peer
       6.1.6.  EAP Invalid Message Notification from EAP Peer to
               PaC
     6.2.  Variables
     6.3.  Procedures
     6.4.  PaC State Transition Table
   7.  PAA State Machine
     7.1.  Interface between PAA and EAP Authenticator
       7.1.1.  EAP Restart Notification from PAA to EAP
               Authenticator
       7.1.2.  Delivering EAP Responses from PAA to EAP
               Authenticator
       7.1.3.  Delivering EAP Messages from EAP Authenticator to
               PAA
       7.1.4.  EAP Authentication Result Notification from EAP
               Authenticator to PAA
     7.2.  Variables
     7.3.  Procedures
     7.4.  PAA State Transition Table
   8.  Mobility Optimization Support
     8.1.  Common Variables
     8.2.  PaC Mobility Optimization State Machine
       8.2.1.  Variables
       8.2.2.  Procedures
       8.2.3.  PaC Mobility Optimization State Transition Table
               Addendum
     8.3.  PAA Mobility Optimization
       8.3.1.  Procedures
       8.3.2.  PAA Mobility Optimization State Transition Table
               Addendum
   9.  Implementation Considerations
     9.1.  PAA and PaC Interface to Service Management Entity
     9.2.  Multicast Traffic
   10. Security Considerations
   11. IANA Considerations
   12. Acknowledgments
   13. References
     13.1. Normative References
     13.2. Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   This document defines the state machines for the Protocol for
   Carrying Authentication for Network Access (PANA)
   [I-D.ietf-pana-pana].  There are state machines for the PANA client
   (PaC) and for the PANA Authentication Agent (PAA).  Each state
   machine is specified through a set of variables, procedures and a
   state transition table.

   A PANA protocol execution consists of several exchanges to carry
   authentication information.  Specifically, EAP PDUs are transported
   inside PANA PDUs between PaC and PAA; that is, PANA represents a
   lower layer for the EAP protocol.  Thus, a PANA state machine bases
   its execution on an EAP state machine execution and vice versa.  Thus
   this document also shows, for each of PaC and PAA, an interface
   between an EAP state machine and a PANA state machine and how this
   interface allows information to be exchanged between them.
   Thanks to this interface, a PANA state machine can be informed about
   several events generated in an EAP state machine and make its
   execution conditional on those events.

   The details of EAP state machines are out of the scope of this
   document.  Additional information can be found in [RFC4137].
   Nevertheless, the PANA state machines presented here have been
   coordinated with the state machines shown in [RFC4137].

   This document, apart from defining PaC and PAA state machines and
   their interfaces to EAP state machines (running on top of PANA),
   provides some implementation considerations, taking into account that
   it is not a specification but an implementation guideline.

2.  Interface Between PANA and EAP

   PANA carries EAP messages exchanged between an EAP peer and an EAP
   authenticator (see Figure 1).  Thus a PANA state machine must
   interact with an EAP state machine.

   Two state machines are defined in this document: the PaC state
   machine (see Section 6) and the PAA state machine (see Section 7).
   The definition of each state machine consists of a set of variables,
   procedures and a state transition table.  A subset of these variables
   and procedures defines the interface between a PANA state machine and
   an EAP state machine and the state transition table defines the PANA
   state machine behavior based on results obtained through them.

   On the one hand, the PaC state machine interacts with an EAP peer
   state machine in order to carry out the PANA protocol on the PaC
   side.  On the other hand, the PAA state machine interacts with an EAP
   authenticator state machine to run the PANA protocol on the PAA side.

                 Peer           |EAP             Auth
                 EAP  <---------|------------>   EAP
                ^ |             |               ^ |
    EAP-Request | |             | EAP-Response  | | EAP-Request
    EAP-Success | |EAP-Response |               | |EAP-Success
    EAP-Failure | v             |PANA           | vEAP-Failure
                 PaC  <---------|------------>   PAA

                Figure 1: Interface between PANA and EAP

   Thus two interfaces are needed between PANA state machines and EAP
   state machines, namely:

   o  Interface between the PaC state machine and the EAP peer state
      machine

   o  Interface between the PAA state machine and the EAP authenticator
      state machine

   In general, the PaC state machine presents EAP messages (EAP-Request,
   EAP-Success and EAP-Failure messages) to the EAP peer state machine
   through the interface.  The EAP peer state machine processes these
   messages and sends EAP messages (EAP-Response messages) through the
   PaC state machine, which is responsible for actually transmitting
   these messages.

   On the other hand, the PAA state machine presents response messages
   (EAP-Response messages) to the EAP authenticator state machine
   through the interface defined between them.  The EAP authenticator
   processes these messages and generates EAP messages (EAP-Request,
   EAP-Success and EAP-Failure messages) that are passed to the PAA
   state machine to be sent.

   For example, [RFC4137] specifies four interfaces to lower layers: (i)
   an interface between the EAP peer state machine and a lower layer,
   (ii) an interface between the EAP standalone authenticator state
   machine and a lower layer, (iii) an interface between the EAP full
   authenticator state machine and a lower layer and (iv) an interface
   between the EAP backend authenticator state machine and a lower
   layer.  In this document, the PANA protocol is the lower layer of EAP
   and only the first three interfaces are of interest to PANA.  The
   second and third interfaces are the same.
   In this regard, the EAP standalone authenticator or the EAP full
   authenticator and its state machine in [RFC4137] are referred to as
   the EAP authenticator and the EAP authenticator state machine,
   respectively, in this document.  If an EAP peer and an EAP
   authenticator follow the state machines defined in [RFC4137], the
   interfaces between PANA and EAP could be based on that document.
   Detailed definitions of the interfaces between PANA and EAP are
   described in the subsequent sections.

3.  Document Authority

   When a discrepancy occurs between any part of this document and any
   of the related documents ([I-D.ietf-pana-pana],
   [I-D.ietf-pana-mobopts], [RFC4137]), the latter (the other documents)
   are considered authoritative and take precedence.

4.  Notations

   The following state transition tables are completed mostly based on
   the conventions specified in [RFC4137].  The complete text is
   described below.

   State transition tables are used to represent the operation of the
   protocol by a number of cooperating state machines each comprising a
   group of connected, mutually exclusive states.  Only one state of
   each machine can be active at any given time.

   All permissible transitions from a given state to other states and
   associated actions performed when the transitions occur are
   represented by using triplets of (exit condition, exit action, exit
   state).  All conditions are expressions that evaluate to TRUE or
   FALSE; if a condition evaluates to TRUE, then the condition is met.
   A state "ANY" is a wildcard state that matches the current state in
   each state machine.  The exit conditions of a wildcard state are
   evaluated after all other exit conditions specific to the current
   state are met.

   On exit from a state, the exit actions defined for the state and the
   exit condition are executed exactly once, in the order that they
   appear on the page.
   (Note that the procedures defined in [RFC4137] are executed on entry
   to a state, which is one major difference from this document.)  Each
   exit action is deemed to be atomic; i.e., execution of an exit action
   completes before the next sequential exit action starts to execute.
   No exit action executes outside of a state block.  The exit actions
   in only one state block execute at a time even if the conditions for
   execution of state blocks in different state machines are satisfied.
   All exit actions in an executing state block complete execution
   before the transition to and execution of any other state blocks.
   The execution of any state block appears to be atomic with respect to
   the execution of any other state block and the transition condition
   to that state from the previous state is TRUE when execution
   commences.  The order of execution of state blocks in different state
   machines is undefined except as constrained by their transition
   conditions.  A variable that is set to a particular value in a state
   block retains this value until a subsequent state block executes an
   exit action that modifies the value.

   On completion of the transition from the previous state to the
   current state, all exit conditions occurring during the current state
   (including exit conditions defined for the wildcard state) are
   evaluated until an exit condition for that state is met.

   Any event variable is set to TRUE when the corresponding event occurs
   and set to FALSE immediately after completion of the action
   associated with the current state and the event.

   The interpretation of the special symbols and operators used is
   defined in [RFC4137].

5.  Common Rules

   The following procedures, variables, message initialization rules
   and state transitions are common to both the PaC and PAA state
   machines.

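   The triplet evaluation described in Section 4, applied to the
   "State: ANY" and "State: CLOSED" rows of Section 5.6, can be sketched
   in Python as follows.  This is an added example, not part of the
   draft: Machine, step() and demo() are illustrative names, the fatal
   result code is a placeholder because the draft does not list which
   codes fatal() accepts, key_available() is reduced to a flag, and the
   AUTH AVP is assumed to have been verified before Rx:PER is raised.

```python
from dataclasses import dataclass, field

# Placeholder: the draft does not enumerate which result codes fatal() accepts.
FATAL_CODES = {"EXAMPLE_FATAL_CODE"}


@dataclass
class Machine:
    state: str = "WAIT_PAA"           # any non-CLOSED state from the draft
    rtx_counter: int = 0              # RTX_COUNTER
    rtx_max_num: int = 2              # RTX_MAX_NUM (configurable constant)
    has_auth_key: bool = False        # stands in for key_available()
    events: set = field(default_factory=set)
    per: dict = field(default_factory=dict)    # the PER being processed
    trace: list = field(default_factory=list)  # exit actions, in execution order

    def do(self, *names):
        self.trace.extend(names)


def fatal(code):
    return code in FATAL_CODES


def authenticated_fatal_per(m):
    # Rx:PER && fatal(PER.RESULT_CODE) && PER.exist_avp("AUTH") && key_available()
    # Assumption: the AUTH AVP was already verified before Rx:PER was raised.
    return ("Rx:PER" in m.events and fatal(m.per.get("RESULT_CODE"))
            and "AUTH" in m.per.get("avps", ()) and m.has_auth_key)


def retransmit(m):
    m.rtx_counter += 1
    m.do("Retransmit()")


# (exit condition, exit actions, exit state); None means "(no change)".
TABLE = {
    "CLOSED": [
        (lambda m: bool(m.events), [lambda m: m.do("None()")], "CLOSED"),
    ],
    "ANY": [
        (lambda m: "RTX_TIMEOUT" in m.events and m.rtx_counter < m.rtx_max_num,
         [retransmit], None),
        (lambda m: "RTX_TIMEOUT" in m.events and m.rtx_counter >= m.rtx_max_num,
         [lambda m: m.do("Disconnect()")], "CLOSED"),
        (lambda m: "SESS_TIMEOUT" in m.events,
         [lambda m: m.do("Disconnect()")], "CLOSED"),
        (authenticated_fatal_per,
         [lambda m: m.do('PEA.insert_avp("AUTH")', "Tx:PEA()", "Disconnect()")],
         "CLOSED"),
        (lambda m: "Rx:PER" in m.events and not authenticated_fatal_per(m),
         [lambda m: m.do("Tx:PEA()")], None),
    ],
}


def step(m, *events, per=None):
    """Raise the events, run at most one matching row, return the new state."""
    m.events, m.per = set(events), per or {}
    # Rows of the current state are tried first; the wildcard ANY rows last.
    for cond, actions, exit_state in TABLE.get(m.state, []) + TABLE["ANY"]:
        if cond(m):
            for action in actions:   # each exit action completes before the next
                action(m)
            if exit_state is not None:
                m.state = exit_state
            break
    m.events = set()                 # event variables return to FALSE
    return m.state


def demo():
    # Constructed inputs: the same fatal result code without and with an AUTH AVP.
    unauthenticated = {"RESULT_CODE": "EXAMPLE_FATAL_CODE", "avps": []}
    authenticated = {"RESULT_CODE": "EXAMPLE_FATAL_CODE", "avps": ["AUTH"]}

    a = Machine()
    states = [step(a, "Rx:PER", per=unauthenticated)]     # answered, session kept
    states += [step(a, "RTX_TIMEOUT") for _ in range(3)]  # 2 retransmits, then give up
    states.append(step(a, "RTX_TIMEOUT"))                 # absorbed by State: CLOSED

    b = Machine(has_auth_key=True)
    step(b, "Rx:PER", per=authenticated)
    return states, a.trace, b.state, b.trace


if __name__ == "__main__":
    for item in demo():
        print(item)
```

   A PER without an AUTH AVP is answered with a PEA but leaves the
   session in place; only a PER that carries an AUTH AVP, while a
   PANA_AUTH_KEY is available, leads to Disconnect().
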
   Throughout this document, the character string "PANA_MESSAGE_NAME"
   matches any one of the abbreviated PANA message names, i.e., "PDI",
   "PSR", "PSA", "PAR", "PAN", "PBR", "PBA", "PFER", "PFEA", "PTR",
   "PTA", "PPR", "PPA", "PRAR", "PRAA", "PUR", "PUA", "PER" and "PEA".

5.1.  Common Procedures

   void None()

      A null procedure, i.e., nothing is done.

   void Disconnect()

      A procedure to delete the PANA session as well as the
      corresponding EAP session and authorization state.

   boolean Authorize()

      A procedure to create or modify authorization state.  It returns
      TRUE if authorization is successful.  Otherwise, it returns FALSE.
      It is assumed that Authorize() procedure of PaC state machine
      always returns TRUE.

   void Tx:PANA_MESSAGE_NAME()

      A procedure to send a PANA message to its peering PANA entity.

   void TxEAP()

      A procedure to send an EAP message to the EAP state machine it
      interfaces to.

   void RtxTimerStart()

      A procedure to start the retransmission timer, reset RTX_COUNTER
      variable to zero and set an appropriate value to RTX_MAX_NUM
      variable.

   void RtxTimerStop()

      A procedure to stop the retransmission timer.

   void SessionTimerStart()

      A procedure to start PANA session timer.

   void SessionTimerStop()

      A procedure to stop the PANA session timer.

   void Retransmit()

      A procedure to retransmit a PANA message and increment RTX_COUNTER
      by one (1).

   void EAP_Restart()

      A procedure to (re)start an EAP conversation resulting in the re-
      initialization of an existing EAP session.

   void PANA_MESSAGE_NAME.insert_avp("AVP_NAME")

      A procedure to insert an AVP of the specified AVP name in the
      specified PANA message.

   boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME")

      A procedure that checks whether an AVP of the specified AVP name
      exists in the specified PANA message and returns TRUE if the
      specified AVP is found, otherwise returns FALSE.

   boolean key_available()

      A procedure to check whether the PANA session has a PANA_AUTH_KEY.
      If the state machine already has a PANA_AUTH_KEY, it returns TRUE.
      If the state machine does not have a PANA_AUTH_KEY, it tries to
      retrieve a AAA-Key from the EAP entity.  If a AAA-Key is
      retrieved, it computes a PANA_AUTH_KEY from the AAA-Key and
      returns TRUE.  Otherwise, it returns FALSE.

   boolean fatal(int)

      A procedure to check whether an integer result code value
      indicates a fatal error.  If the result code indicates a fatal
      error, the procedure returns TRUE, otherwise, it returns FALSE.  A
      fatal error would also result in the termination of the session
      and release of all resources related to that session.

5.2.  Common Variables

   PANA_MESSAGE_NAME.S_flag

      This variable contains the S-Flag value of the specified PANA
      message.

   PBR.RESULT_CODE

      This variable contains the Result-Code AVP value in the PANA-Bind-
      Request message in process.  When this variable carries
      PANA_SUCCESS and there is only one EAP run in the authentication
      and authorization phase, it is assumed that the PBR message always
      contains an EAP-Payload AVP which carries an EAP-Success message.

   PFER.RESULT_CODE

      This variable contains the Result-Code AVP value in the PANA-
      FirstAuth-End-Request message in process.  When this variable
      carries PANA_SUCCESS, it is assumed that the PFER message always
      contains an EAP-Payload AVP which carries an EAP-Success message.

   PER.RESULT_CODE

      This variable contains the Result-Code AVP value in the PANA-
      Error-Request message in process.

   RTX_COUNTER

      This variable contains the current number of retransmissions of
      the outstanding PANA message.

   Rx:PANA_MESSAGE_NAME

      This event variable is set to TRUE when the specified PANA message
      is received from its peering PANA entity.

   RTX_TIMEOUT

      This event variable is set to TRUE when the retransmission timer
      is expired.

   REAUTH

      This event variable is set to TRUE when an initiation of re-
      authentication phase is triggered.

   TERMINATE

      This event variable is set to TRUE when initiation of PANA session
      termination is triggered.

   PANA_PING

      This event variable is set to TRUE when initiation of liveness
      test based on PPR-PPA exchange is triggered.

   NOTIFY

      This event variable is set to TRUE if the PaC or PAA wants to send
      attribute updates or notifications.

   SESS_TIMEOUT

      This event variable is set to TRUE when the session timer is
      expired.

   ABORT_ON_1ST_EAP_FAILURE

      This variable indicates whether the PANA session is immediately
      terminated when the 1st EAP authentication fails.

   CARRY_DEVICE_ID

      This variable indicates whether a Device-Id AVP is carried in a
      PANA-Bind-Request or PANA-Bind-Answer message.  For the PAA, this
      variable must be set when a link-layer or IP address is used as
      the device identifier of the PaC and a Protection-Capability AVP
      is included in the PANA-Bind-Request message.

   ANY

      This event variable is set to TRUE when any event occurs.

5.3.  Constants

   RTX_MAX_NUM

      Configurable maximum for how many retransmissions should be
      attempted before aborting.

5.4.  Common Message Initialization Rules

   When a message is prepared for sending, it is initialized as follows:

   o  For a request message, R-flag of the header is set.  Otherwise,
      R-flag is not set.

   o  S-flag and N-flag of the header are not set.

   o  AVPs that are mandatory in a message are inserted with
      appropriate values set.

   o  A Notification AVP is inserted if there is some notification
      string to send to the communicating peer.

5.5.  Common Error Handling Rules

   For simplicity, the PANA state machines defined in this document do
   not support an optional feature of sending a PER message when an
   invalid PANA message is received [I-D.ietf-pana-pana], while the
   state machines support sending a PER message generated in other cases
   as well as receiving and processing a PER message.  It is left to
   implementations as to whether they provide a means to send a PER
   message when an invalid PANA message is received.

5.6.  Common State Transitions

   The following transitions can occur at any state.

   ----------
   State: ANY
   ----------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (Re-transmissions)- - - - - - - - - -
   RTX_TIMEOUT &&           Retransmit();              (no change)
   RTX_COUNTER<
   RTX_MAX_NUM
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - (Reach maximum number of transmissions)- - - - - -
   RTX_TIMEOUT &&           Disconnect();              CLOSED
   RTX_COUNTER>=
   RTX_MAX_NUM

   SESS_TIMEOUT             Disconnect();              CLOSED
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - -(PANA-Error-Message-Processing)- - - - - -
   Rx:PER &&                PEA.insert_avp("AUTH");    CLOSED
   fatal                    Tx:PEA();
   (PER.RESULT_CODE) &&     Disconnect();
   PER.exist_avp("AUTH") &&
   key_available()

   Rx:PER &&                Tx:PEA();                  (no change)
   !fatal
   (PER.RESULT_CODE) ||
   !PER.exist_avp("AUTH") ||
   !key_available()
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   The following transitions can occur on any exit condition within the
   specified state.

   -------------
   State: CLOSED
   -------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - -(Session termination initiated by PaC) - - - - -
   ANY                      None();                    CLOSED
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6.  PaC State Machine

6.1.  Interface between PaC and EAP Peer

   This interface defines the interactions between a PaC and an EAP
   peer.  The interface serves as a mechanism to deliver EAP messages
   for the EAP peer.  It allows the EAP peer to receive EAP requests and
   send EAP responses via the PaC.  It also provides a mechanism to
   notify the EAP peer of PaC events and a mechanism to receive
   notification of EAP peer events.  The EAP message delivery mechanism
   as well as the event notification mechanism in this interface have
   direct correlation with the PaC state transition table entries.
   These message delivery and event notification mechanisms occur only
   within the context of their associated states or exit actions.

6.1.1.  Delivering EAP Messages from PaC to EAP Peer

   TxEAP() procedure in the PaC state machine serves as the mechanism to
   deliver EAP request, EAP success and EAP failure messages contained
   in PANA-Auth-Request messages to the EAP peer.  This procedure is
   enabled only after an EAP restart event is notified to the EAP peer
   and before any event resulting in a termination of the EAP peer
   session.  In the case where the EAP peer follows the EAP peer state
   machine defined in [RFC4137], TxEAP() procedure sets eapReq variable
   of the EAP peer state machine and puts the EAP request in eapReqData
   variable of the EAP peer state machine.

6.1.2.  Delivering EAP Responses from EAP Peer to PaC

   An EAP response is delivered from the EAP peer to the PaC via
   EAP_RESPONSE event variable.
   The event variable is set when the EAP peer passes the EAP response
   to its lower-layer.  In the case where the EAP peer follows the EAP
   peer state machine defined in [RFC4137], EAP_RESPONSE event variable
   refers to eapResp variable of the EAP peer state machine and the EAP
   response is contained in eapRespData variable of the EAP peer state
   machine.

6.1.3.  EAP Restart Notification from PaC to EAP Peer

   The EAP peer state machine defined in [RFC4137] has an initialization
   procedure before receiving an EAP request.  To initialize the EAP
   state machine, the PaC state machine defines an event notification
   mechanism to send an EAP (re)start event to the EAP peer.  The event
   notification is done via EAP_Restart() procedure in the
   initialization action of the PaC state machine.

6.1.4.  EAP Authentication Result Notification from EAP Peer to PaC

   In order for the EAP peer to notify the PaC of an EAP authentication
   result, EAP_SUCCESS and EAP_FAILURE event variables are defined.  In
   the case where the EAP peer follows the EAP peer state machine
   defined in [RFC4137], EAP_SUCCESS and EAP_FAILURE event variables
   refer to eapSuccess and eapFail variables of the EAP peer state
   machine, respectively.  In this case, if EAP_SUCCESS event variable
   is set to TRUE and a AAA-Key is generated by the EAP authentication
   method in use, eapKeyAvailable variable is set to TRUE and eapKeyData
   variable contains the AAA-Key.  Note that EAP_SUCCESS and EAP_FAILURE
   event variables may be set to TRUE even before the PaC receives a PBR
   or a PFER from the PAA.

6.1.5.  Alternate Failure Notification from PaC to EAP Peer

   alt_reject() procedure in the PaC state machine serves as the
   mechanism to deliver an authentication failure event to the EAP peer
   without accompanying an EAP message.  In the case where the EAP peer
In the case where the EAP peer 599 follows the EAP peer state machine defined in [RFC4137], alt_reject() 600 procedure sets altReject variable of the EAP peer state machine. 601 Note that the EAP peer state machine in [RFC4137] also defines 602 altAccept variable, however, it is never used in PANA in which EAP- 603 Success messages are reliably delivered by PANA-Bind exchange. 605 6.1.6. EAP Invalid Message Notification from EAP Peer to PaC 607 In order for the EAP peer to notify the PaC of a receipt of an 608 invalid EAP message, EAP_INVALID_MSG event variable is defined. In 609 the case where the EAP peer follows the EAP peer state machine 610 defined in [RFC4137], EAP_INVALID_MSG event variable refers to 611 eapNoResp variable of the EAP peer state machine. 613 6.2. Variables 615 SEPARATE 617 This variable indicates whether the PaC desires NAP/ISP separate 618 authentication. 620 1ST_EAP 622 This variable indicates whether the 1st EAP authentication is 623 success, failure or yet completed. 625 AUTH_USER 627 This event variable is set to TRUE when initiation of EAP-based 628 (re-)authentication is triggered by the application. 630 EAP_SUCCESS 632 This event variable is set to TRUE when the EAP peer determines 633 that EAP conversation completes with success. 635 EAP_FAILURE 637 This event variable is set to TRUE when the EAP peer determines 638 that EAP conversation completes with failure. 640 EAP_RESPONSE 642 This event variable is set to TRUE when the EAP peer delivers an 643 EAP Response to the PaC. This event accompanies an EAP-Response 644 message received from the EAP peer. 646 EAP_INVALID_MSG 648 This event variable is set to TRUE when the EAP peer silently 649 discards an EAP message. This event does not accompany any EAP 650 message. 652 EAP_RESP_TIMEOUT 654 This event variable is set to TRUE when the PaC that has passed an 655 EAP-Request to the EAP-layer does not receive a corresponding EAP- 656 Response from the the EAP-layer in a given period. 
6.3.  Procedures

   boolean choose_isp()

      This procedure returns TRUE when the PaC chooses one ISP,
      otherwise returns FALSE.

   boolean ppac_available()

      This procedure returns TRUE when the Post-PANA-Address-
      Configuration method specified by the PAA is available in the PaC
      and that the PaC will be able to comply.

   boolean pcap_supported()

      This procedure returns TRUE when the cryptographic data protection
      supplied in the Protection-Capability AVP can be supported by the
      PaC.

   boolean algorithm_supported()

      This procedure returns TRUE when the integrity algorithm supplied
      in the Algorithm AVP can be supported by the PaC.

   boolean eap_piggyback()

      This procedure returns TRUE to indicate whether the next EAP
      response will be carried in the pending PAN message for
      optimization.

   void alt_reject()

      This procedure informs the EAP peer of an authentication failure
      event without accompanying an EAP message.

   void EAP_RespTimerStart()

      A procedure to start a timer to receive an EAP-Response from the
      EAP peer.

   void EAP_RespTimerStop()

      A procedure to stop a timer to receive an EAP-Response from the
      EAP peer.

6.4.  PaC State Transition Table

   ------------------------------
   State: OFFLINE (Initial State)
   ------------------------------

   Initialization Action:

     SEPARATE=Set|Unset;
     CARRY_DEVICE_ID=Unset;
     1ST_EAP=Unset;
     RtxTimerStop();

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+--------------
   - - - - - - - - - - - - - (PSR processing) - - - - - - - - - - -
   Rx:PSR &&                RtxTimerStop();            WAIT_EAP_MSG_
   PSR.exist_avp            EAP_Restart();             IN_DISC
   ("EAP-Payload") &&       TxEAP();
   (!PSR.exist_avp          SEPARATE=Unset;
   ("Protection-Cap.") ||
   (PSR.exist_avp
   ("Protection-Cap.") &&
   pcap_supported())) &&
   (!PSR.exist_avp
   ("Algorithm") ||
   (PSR.exist_avp
   ("Algorithm") &&
   algorithm_supported()))

   Rx:PSR &&                RtxTimerStop();            WAIT_PAA
   !PSR.exist_avp           if (choose_isp())
   ("EAP-Payload") &&         PSA.insert_avp("ISP");
   PSR.S_flag==1 &&         PSA.S_flag=1;
   SEPARATE==Set &&         PSA.insert_avp("Cookie");
   PSR.exist_avp            Tx:PSA();
   ("Cookie") &&            RtxTimerStart();
   (!PSR.exist_avp          EAP_Restart();
   ("Protection-Cap.") ||
   (PSR.exist_avp
   ("Protection-Cap.") &&
   pcap_supported())) &&
   (!PSR.exist_avp
   ("Algorithm") ||
   (PSR.exist_avp
   ("Algorithm") &&
   algorithm_supported()))

   Rx:PSR &&                RtxTimerStop();            WAIT_PAA
   !PSR.exist_avp           if (choose_isp())
   ("EAP-Payload") &&         PSA.insert_avp("ISP");
   PSR.S_flag==1 &&         PSA.S_flag=1;
   SEPARATE==Set &&         Tx:PSA();
   !PSR.exist_avp           EAP_Restart();
   ("Cookie") &&
   (!PSR.exist_avp
   ("Protection-Cap.") ||
   (PSR.exist_avp
   ("Protection-Cap.") &&
   pcap_supported())) &&
   (!PSR.exist_avp
   ("Algorithm") ||
   (PSR.exist_avp
   ("Algorithm") &&
   algorithm_supported()))

   Rx:PSR &&                RtxTimerStop();            WAIT_PAA
   !PSR.exist_avp           if (choose_isp())
   ("EAP-Payload") &&         PSA.insert_avp("ISP");
   (PSR.S_flag!=1 ||        PSA.insert_avp("Cookie");
   SEPARATE==Unset) &&      Tx:PSA();
   PSR.exist_avp            RtxTimerStart();
   ("Cookie") &&            SEPARATE=Unset;
   (!PSR.exist_avp          EAP_Restart();
   ("Protection-Cap.") ||
   (PSR.exist_avp
   ("Protection-Cap.") &&
   pcap_supported())) &&
   (!PSR.exist_avp
   ("Algorithm") ||
   (PSR.exist_avp
   ("Algorithm") &&
   algorithm_supported()))

   Rx:PSR &&                RtxTimerStop();            WAIT_PAA
   !PSR.exist_avp           if (choose_isp())
   ("EAP-Payload") &&         PSA.insert_avp("ISP");
   (PSR.S_flag!=1 ||        Tx:PSA();
   SEPARATE==Unset) &&      SEPARATE=Unset;
   !PSR.exist_avp           EAP_Restart();
   ("Cookie") &&
   (!PSR.exist_avp
   ("Protection-Cap.") ||
   (PSR.exist_avp
   ("Protection-Cap.") &&
   pcap_supported())) &&
   (!PSR.exist_avp
   ("Algorithm") ||
   (PSR.exist_avp
   ("Algorithm") &&
   algorithm_supported()))

   Rx:PSR &&                None();                    OFFLINE
   (PSR.exist_avp
   ("Protection-Cap.") &&
   !pcap_supported()) ||
   (PSR.exist_avp
   ("Algorithm") &&
   algorithm_supported())

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - -(Authentication trigger from application) - - -
   AUTH_USER                Tx:PDI();                  OFFLINE
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------------------
   State: WAIT_EAP_MSG_IN_DISC
   ---------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - (Return PSA with EAP-Payload) - - - - - -
   EAP_RESPONSE             PSA.insert_avp             WAIT_PAA
                            ("EAP-Payload")
                            if (choose_isp())
                              PSA.insert_avp("ISP");
                            Tx:PSA();

   EAP_RESP_TIMEOUT ||      None();                    OFFLINE
   EAP_INVALID_MSG
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------
   State: WAIT_PAA
   ---------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - -
   Rx:PAR &&                RtxTimerStop();            WAIT_EAP_MSG
   !eap_piggyback()         TxEAP();
                            EAP_RespTimerStart();
                            if (key_available())
                              PAN.insert_avp("AUTH");
                            PAN.S_flag=PAR.S_flag;
                            PAN.N_flag=PAR.N_flag;
                            Tx:PAN();

   Rx:PAR &&                RtxTimerStop();            WAIT_EAP_MSG
   eap_piggyback()          TxEAP();
                            EAP_RespTimerStart();

   Rx:PAN                   RtxTimerStop();            WAIT_PAA
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - -
   Rx:PFER &&               1ST_EAP=Success;           WAIT_1ST_EAP_
   1ST_EAP==Unset &&        TxEAP();                   RESULT
   SEPARATE==Set &&
   PFER.RESULT_CODE==
   PANA_SUCCESS &&
   PFER.S_flag==1 &&
   (!PSR.exist_avp
   ("Algorithm") ||
   (PSR.exist_avp
   ("Algorithm") &&
   algorithm_supported()))

   Rx:PFER &&               1ST_EAP=Failure;           WAIT_1ST_EAP_
   1ST_EAP==Unset &&        TxEAP();                   RESULT
   SEPARATE==Set &&
   PFER.RESULT_CODE!=
   PANA_SUCCESS &&
   PFER.S_flag==1 &&
   ABORT_ON_1ST_EAP_FAILURE
   ==Unset &&
   PFER.exist_avp
   ("EAP-Payload")

   Rx:PFER &&               1ST_EAP=Failure;           WAIT_1ST_EAP_
   1ST_EAP==Unset &&        alt_reject();              RESULT
   SEPARATE==Set &&
   PFER.RESULT_CODE!=
   PANA_SUCCESS &&
   PFER.S_flag==1 &&
   ABORT_ON_1ST_EAP_FAILURE
   ==Unset &&
   !PFER.exist_avp
   ("EAP-Payload")

   Rx:PFER &&               1ST_EAP=Failure;           WAIT_1ST_EAP_
   1ST_EAP==Unset &&        TxEAP();                   RESULT_CLOSED
   SEPARATE==Set &&
   PFER.RESULT_CODE!=
   PANA_SUCCESS &&
   (PFER.S_flag==0 ||
   ABORT_ON_1ST_EAP_FAILURE
   ==Set) &&
   PFER.exist_avp
   ("EAP-Payload")

   Rx:PFER &&               1ST_EAP=Failure;           WAIT_1ST_EAP_
   1ST_EAP==Unset &&        alt_reject();              RESULT_CLOSED
   SEPARATE==Set &&
   PFER.RESULT_CODE!=
   PANA_SUCCESS &&
   (PFER.S_flag==0 ||
   ABORT_ON_1ST_EAP_FAILURE
   ==Set) &&
   !PFER.exist_avp
   ("EAP-Payload")

   Rx:PBR &&                TxEAP();                   WAIT_EAP_RESULT
   1ST_EAP==Unset &&        if (PBR.exist_avp
   SEPARATE==Unset &&           ("Device-Id"))
   PBR.RESULT_CODE==          CARRY_DEVICE_ID=Set;
   PANA_SUCCESS &&
   (!PSR.exist_avp
   ("Algorithm") ||
   (PSR.exist_avp
   ("Algorithm") &&
   algorithm_supported()))

   Rx:PBR &&                TxEAP();                   WAIT_EAP_RESULT_
   1ST_EAP==Unset &&                                   CLOSE
   SEPARATE==Unset &&
   PBR.RESULT_CODE!=
   PANA_SUCCESS &&
   PBR.exist_avp
   ("EAP-Payload")

   Rx:PBR &&                alt_reject();              WAIT_EAP_RESULT_
   1ST_EAP==Unset &&                                   CLOSE
   SEPARATE==Unset &&
   PBR.RESULT_CODE!=
   PANA_SUCCESS &&
   !PBR.exist_avp
   ("EAP-Payload")
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - - - - -(2nd EAP result) - - - - - - - - -
   Rx:PBR &&                TxEAP();                   WAIT_EAP_RESULT
   1ST_EAP==Success &&      if (PBR.exist_avp
   PBR.RESULT_CODE==        ("Device-Id"))
   PANA_SUCCESS &&          CARRY_DEVICE_ID=Set;
   PBR.exist_avp
   ("EAP-Payload") &&
   (!PSR.exist_avp
   ("Algorithm") ||
   (PSR.exist_avp
   ("Algorithm") &&
   algorithm_supported()))

   Rx:PBR &&                alt_reject();              WAIT_EAP_RESULT
   1ST_EAP==Success &&      if (PBR.exist_avp
   PBR.RESULT_CODE==        ("Device-Id"))
   PANA_SUCCESS &&          CARRY_DEVICE_ID=Set;
   !PBR.exist_avp
   ("EAP-Payload") &&
   (!PSR.exist_avp
   ("Algorithm") ||
   (PSR.exist_avp
   ("Algorithm") &&
   algorithm_supported()))

   Rx:PBR &&                TxEAP();                   WAIT_EAP_RESULT_
   1ST_EAP==Success &&                                 CLOSE
   PBR.RESULT_CODE!=
   PANA_SUCCESS &&
   PBR.exist_avp
   ("EAP-Payload")

   Rx:PBR &&                alt_reject();              WAIT_EAP_RESULT_
   1ST_EAP==Success &&                                 CLOSE
   PBR.RESULT_CODE!=
   PANA_SUCCESS &&
   !PBR.exist_avp
   ("EAP-Payload")

   Rx:PBR &&                TxEAP();                   WAIT_EAP_RESULT
   1ST_EAP==Failure &&      if (PBR.exist_avp
   PBR.RESULT_CODE==        ("Device-Id"))
   PANA_SUCCESS &&          CARRY_DEVICE_ID=Set;
   (!PSR.exist_avp
   ("Algorithm") ||
   (PSR.exist_avp
   ("Algorithm") &&
   algorithm_supported()))

   Rx:PBR &&                TxEAP();                   WAIT_EAP_RESULT_
   1ST_EAP==Failure &&                                 CLOSE
   PBR.RESULT_CODE!=
   PANA_SUCCESS &&
   PBR.exist_avp
   ("EAP-Payload")

   Rx:PBR &&                alt_reject();              WAIT_EAP_RESULT_
   1ST_EAP==Failure &&                                 CLOSE
   PBR.RESULT_CODE!=
   PANA_SUCCESS &&
   !PBR.exist_avp
   ("EAP-Payload")
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   -------------------
   State: WAIT_EAP_MSG
   -------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - (Return PAN/PAR) - - - - - - - - - - - - - -
   EAP_RESPONSE &&          EAP_RespTimerStop()        WAIT_PAA
   eap_piggyback()          PAN.insert_avp
                            ("EAP-Payload");
                            if (key_available())
                            PAN.insert_avp("AUTH");
                            PAN.S_flag=PAR.S_flag;
                            PAN.N_flag=PAR.N_flag;
                            Tx:PAN();

   EAP_RESPONSE &&          EAP_RespTimerStop()        WAIT_PAA
   !eap_piggyback()         PAR.insert_avp
                            ("EAP-Payload");
                            if (key_available())
                            PAR.insert_avp("AUTH");
                            PAR.S_flag=PAN.S_flag;
                            PAR.N_flag=PAN.N_flag;
                            Tx:PAR();
                            RtxTimerStart();

   EAP_RESP_TIMEOUT         if (key_available())       WAIT_PAA
                            PAN.insert_avp("AUTH");
                            PAN.S_flag=PAR.S_flag;
                            PAN.N_flag=PAR.N_flag;
                            Tx:PAN();

   EAP_INVALID_MSG ||       None();                    WAIT_PAA
   EAP_SUCCESS ||
   EAP_FAILURE
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------------
   State: WAIT_EAP_RESULT
   ----------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - -
   EAP_SUCCESS &&           PBA.insert_avp("AUTH");    OPEN
   PBR.exist_avp            PBA.insert_avp("Key-Id");
   ("Key-Id") &&            if (CARRY_DEVICE_ID)
   ppac_available() &&      PBA.insert_avp
   (!PBR.exist_avp          ("Device-Id");
   ("Protection-            PBA.insert_avp("PPAC");
   Capability") ||          Tx:PBA();
   (PBR.exist_avp           Authorize();
   ("Protection-            SessionTimerStart();
   Capability") &&
   pcap_supported()))

   EAP_SUCCESS &&           if (key_available())       OPEN
   !PBR.exist_avp           PBA.insert_avp("AUTH");
   ("Key-Id") &&            if (CARRY_DEVICE_ID)
   ppac_available() &&      PBA.insert_avp
   (!PBR.exist_avp          ("Device-Id");
   ("Protection-            PBA.insert_avp("PPAC");
   Capability") ||          Tx:PBA();
   (PBR.exist_avp           Authorize();
   ("Protection-            SessionTimerStart();
   Capability") &&
   pcap_supported()))

   EAP_SUCCESS &&           if (key_available())       WAIT_PEA
   !ppac_available()        PER.insert_avp("AUTH");
                            PER.RESULT_CODE=
                            PANA_PPAC_CAPABILITY_
                            UNSUPPORTED
                            Tx:PER();
                            RtxTimerStart();

   EAP_SUCCESS &&           if (key_available())       WAIT_PEA
   (PBR.exist_avp           PER.insert_avp("AUTH");
   ("Protection-            PER.RESULT_CODE=
   Capability") &&          PANA_PROTECTION_
   !pcap_supported())       CAPABILITY_UNSUPPORTED
                            Tx:PER();
                            RtxTimerStart();

   EAP_FAILURE &&           if (key_available())       OPEN
   (SEPARATE==Set) &&       PBA.insert_avp("AUTH");
   ppac_available() &&      if (CARRY_DEVICE_ID)
   (!PBR.exist_avp          PBA.insert_avp
   ("Protection-            ("Device-Id");
   Capability") ||          PBA.insert_avp("PPAC");
   (PBR.exist_avp           Tx:PBA();
   ("Protection-            Authorize();
   Capability") &&          SessionTimerStart();
   pcap_supported()))

   EAP_FAILURE &&           if (key_available())       WAIT_PEA
   (SEPARATE==Set) &&       PER.insert_avp("AUTH");
   !ppac_available()        PER.RESULT_CODE=
                            PANA_PPAC_CAPABILITY_
                            UNSUPPORTED
                            Tx:PER();
                            RtxTimerStart();

   EAP_FAILURE &&           if (key_available())       WAIT_PEA
   (SEPARATE==Set) &&       PER.insert_avp("AUTH");
   (PBR.exist_avp           PER.RESULT_CODE=
   ("Protection-            PANA_PROTECTION_
   Capability") &&          CAPABILITY_UNSUPPORTED
   !pcap_supported())       Tx:PER();
                            RtxTimerStart();

   EAP_INVALID_MSG          None();                    WAIT_PAA
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------------------
   State: WAIT_EAP_RESULT_CLOSE
   ----------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - -
   EAP_SUCCESS &&           PBA.insert_avp("AUTH");    CLOSED
   PBR.exist_avp            PBA.insert_avp("Key-Id");
   ("Key-Id")               Tx:PBA();
                            Disconnect();

   EAP_SUCCESS &&           if (key_available())       CLOSED
   !PBR.exist_avp           PBA.insert_avp("AUTH");
   ("Key-Id")               Tx:PBA();
                            Disconnect();

   EAP_FAILURE              Tx:PBA();                  CLOSED
                            Disconnect();

   EAP_INVALID_MSG          None();                    WAIT_PAA
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   --------------------------
   State: WAIT_1ST_EAP_RESULT
   --------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - -
   EAP_SUCCESS &&           PFEA.insert_avp("Key-Id"); WAIT_PAA
   PFER.exist_avp           PFEA.S_flag=1;
   ("Key-Id")               PFEA.N_flag=PFER.N_flag;
                            PFEA.insert_avp("AUTH");
                            Tx:PFEA();
                            EAP_Restart();

   (EAP_SUCCESS &&          if (key_available())       WAIT_PAA
   !PFER.exist_avp          PFEA.insert_avp("AUTH");
   ("Key-Id")) ||           PFEA.S_flag=1;
   EAP_FAILURE              PFEA.N_flag=PFER.N_flag;
                            Tx:PFEA();
                            EAP_Restart();

   EAP_INVALID_MSG          EAP_Restart();             WAIT_PAA
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   --------------------------------
   State: WAIT_1ST_EAP_RESULT_CLOSE
   --------------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - -
   EAP_SUCCESS &&           PFEA.insert_avp("Key-Id"); CLOSED
   PFER.exist_avp           PFEA.S_flag=0;
   ("Key-Id")               PFEA.N_flag=0;
                            PFEA.insert_avp("AUTH");
                            Tx:PFEA();
                            Disconnect();

   (EAP_SUCCESS &&          if (key_available())       CLOSED
   !PFER.exist_avp          PFEA.insert_avp("AUTH");
   ("Key-Id")) ||           PFEA.S_flag=0;
   EAP_FAILURE              PFEA.N_flag=0;
                            Tx:PFEA();
                            Disconnect();

   EAP_INVALID_MSG          None();                    WAIT_PAA
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   -----------
   State: OPEN
   -----------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - (liveness test initiated by PAA)- - - - - -
   Rx:PPR                   if (key_available())       OPEN
                            PPA.insert_avp("AUTH");
                            Tx:PPA();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - (liveness test initiated by PaC)- - - - - -
   PANA_PING                if (key_available())       WAIT_PPA
                            PPR.insert_avp("AUTH");
                            Tx:PPR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - (re-authentication initiated by PaC)- - - - - -
   REAUTH                   SEPARATE=Set|Unset;        WAIT_PRAA
                            1ST_EAP=Unset;
                            if (key_available())
                            PRAR.insert_avp("AUTH");
                            Tx:PRAR();
                            RtxTimerStart();
                            SessionTimerStop();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - (re-authentication initiated by PAA)- - - - - -
   Rx:PAR &&                SEPARATE=Set|Unset;        WAIT_EAP_MSG
   !eap_piggyback()         1ST_EAP=Unset;
                            EAP_RespTimerStart();
                            TxEAP();
                            if (key_available())
                            PAN.insert_avp("AUTH");
                            PAN.S_flag=PAR.S_flag;
                            PAN.N_flag=PAR.N_flag;
                            Tx:PAN();
                            SessionTimerStop();

   Rx:PAR &&                SEPARATE=Set|Unset;        WAIT_EAP_MSG
   eap_piggyback()          1ST_EAP=Unset;
                            EAP_RespTimerStart();
                            TxEAP();
                            SessionTimerStop();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - -(Session termination initiated by PAA) - - - - - -
   Rx:PTR                   if (key_available())       CLOSED
                            PTA.insert_avp("AUTH");
                            Tx:PTA();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - -(Session termination initiated by PaC) - - - - - -
   TERMINATE                if (key_available())       SESS_TERM
                            PTR.insert_avp("AUTH");
                            Tx:PTR();
                            RtxTimerStart();

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - - -(Address update) - - - - - - - - - - - -
   NOTIFY                   if (key_available())       WAIT_PUA
                            PUR.insert_avp("AUTH");
                            Tx:PUR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - -(Notification update)- - - - - - - - - - -
   Rx:PUR                   if (key_available())       OPEN
                            PUA.insert_avp("AUTH");
                            Tx:PUA();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------
   State: WAIT_PRAA
   ----------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - -(re-authentication initiated by PaC) - - - - -
   Rx:PRAA                  RtxTimerStop();            WAIT_PAA
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------
   State: WAIT_PPA
   ---------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - -(liveness test initiated by PAA) - - - - - - -
   Rx:PPA                   RtxTimerStop();            OPEN
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------
   State: WAIT_PUA
   ---------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (PUA processing)- - - - - - - - - - -
   Rx:PUA                   RtxTimerStop();            OPEN
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------
   State: SESS_TERM
   ----------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - -(Session termination initiated by PaC) - - - - -
   Rx:PTA                   Disconnect();              CLOSED
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------
   State: WAIT_PEA
   ---------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - -(PEA processing) - - - - - - - - - -
   Rx:PEA                   RtxTimerStop();            CLOSED
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7.  PAA State Machine

7.1.  Interface between PAA and EAP Authenticator

   The interface between a PAA and an EAP authenticator provides a
   mechanism to deliver EAP messages for the EAP authenticator as well
   as a mechanism to notify the EAP authenticator of PAA events and to
   receive notification of EAP authenticator events.  These message
   delivery and event notification mechanisms occur only within context
   of their associated states or exit actions.

7.1.1.  EAP Restart Notification from PAA to EAP Authenticator

   An EAP authenticator state machine defined in [RFC4137] has an
   initialization procedure before sending the first EAP request.  To
   initialize the EAP state machine, the PAA state machine defines an
   event notification mechanism to send an EAP (re)start event to the
   EAP peer.  The event notification is done via EAP_Restart() procedure
   in the initialization action of the PAA state machine.

7.1.2.  Delivering EAP Responses from PAA to EAP Authenticator

   TxEAP() procedure in the PAA state machine serves as the mechanism to
   deliver EAP-Responses contained in PANA-Auth-Answer messages to the
   EAP authenticator.  This procedure is enabled only after an EAP
   restart event is notified to the EAP authenticator and before any
   event resulting in a termination of the EAP authenticator session.
   In the case where the EAP authenticator follows the EAP authenticator
   state machines defined in [RFC4137], TxEAP() procedure sets eapResp
   variable of the EAP authenticator state machine and puts the EAP
   response in eapRespData variable of the EAP authenticator state
   machine.

7.1.3.  Delivering EAP Messages from EAP Authenticator to PAA

   An EAP request is delivered from the EAP authenticator to the PAA via
   EAP_REQUEST event variable.  The event variable is set when the EAP
   authenticator passes the EAP request to its lower-layer.  In the case
   where the EAP authenticator follows the EAP authenticator state
   machines defined in [RFC4137], EAP_REQUEST event variable refers to
   eapReq variable of the EAP authenticator state machine and the EAP
   request is contained in eapReqData variable of the EAP authenticator
   state machine.

7.1.4.  EAP Authentication Result Notification from EAP Authenticator to
        PAA

   In order for the EAP authenticator to notify the PAA of the EAP
   authentication result, EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event
   variables are defined.  In the case where the EAP authenticator
   follows the EAP authenticator state machines defined in [RFC4137],
   EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables refer to
   eapSuccess, eapFail and eapTimeout variables of the EAP authenticator
   state machine, respectively.  In this case, if EAP_SUCCESS event
   variable is set to TRUE, an EAP-Success message is contained in
   eapReqData variable of the EAP authenticator state machine, and
   additionally, eapKeyAvailable variable is set to TRUE and eapKeyData
   variable contains a AAA-Key if the AAA-Key is generated as a result
   of successful authentication by the EAP authentication method in use.
   Similarly, if EAP_FAILURE event variable is set to TRUE, an EAP-
   Failure message is contained in eapReqData variable of the EAP
   authenticator state machine.  The PAA uses EAP_SUCCESS, EAP_FAILURE
   and EAP_TIMEOUT event variables as a trigger to send a PBR or a PFER
   message to the PaC.

7.2.  Variables

   USE_COOKIE

      This variable indicates whether the PAA uses Cookie.

   EAP_PIGGYBACK

      This variable indicates whether the PAA is able to piggyback an
      EAP-Request in PANA-Start-Request.

   SEPARATE

      This variable indicates whether the PAA provides NAP/ISP separate
      authentication.

   1ST_EAP

      This variable indicates whether the 1st EAP authentication is a
      success, failure or not yet completed.

   PSA.SESSION_ID

      This variable contains the Session-Id AVP value in the PANA-Start-
      Answer message in process.

   CARRY_LIFETIME

      This variable indicates whether a Session-Lifetime AVP is carried
      in PANA-Bind-Request message.

   PROTECTION_CAP_IN_PSR

      This variable indicates whether a Protection-Capability AVP is
      carried in a PANA-Start-Request message.

   AUTH_ALGORITHM_IN_PSR

      This variable indicates whether an Algorithm AVP is carried in a
      PANA-Start-Request message.

   PROTECTION_CAP_IN_PBR

      This variable indicates whether a Protection-Capability AVP is
      carried in a PANA-Bind-Request message.

   CARRY_NAP_INFO

      This variable indicates whether a NAP-Information AVP is carried
      in PANA-Start-Request message.

   CARRY_ISP_INFO

      This variable indicates whether an ISP-Information AVP is carried
      in PANA-Start-Request message.

   NAP_AUTH

      This variable indicates whether a NAP authentication is being
      performed or not.

   CARRY_PPAC

      This variable indicates whether a Post-PANA-Address-Configuration
      AVP is carried in PANA-Start-Request message.

   PAC_FOUND

      This variable is set to TRUE during the EP-to-PAA notification as
      a result of a traffic-driven PAA discovery or link-up event
      notification by the EP as a result of the presence of a new PaC.

   EAP_SUCCESS

      This event variable is set to TRUE when EAP conversation completes
      with success.  This event accompanies an EAP-Success message
      passed from the EAP authenticator.

   EAP_FAILURE

      This event variable is set to TRUE when EAP conversation completes
      with failure.  This event accompanies an EAP-Failure message
      passed from the EAP authenticator.

   EAP_REQUEST

      This event variable is set to TRUE when the EAP authenticator
      delivers an EAP Request to the PAA.  This event accompanies an
      EAP-Request message received from the EAP authenticator.

   EAP_TIMEOUT

      This event variable is set to TRUE when EAP conversation times out
      without generating an EAP-Success or an EAP-Failure message.  This
      event does not accompany any EAP message.

7.3.  Procedures

   boolean new_key_available()

      A procedure to check whether the PANA session has a new
      PANA_AUTH_KEY.  If the state machine already has a PANA_AUTH_KEY,
      it returns FALSE.  If the state machine does not have a
      PANA_AUTH_KEY, it tries to retrieve a AAA-Key from the EAP entity.
      If a AAA-Key has been retrieved, it computes a PANA_AUTH_KEY from
      the AAA-Key and returns TRUE.  Otherwise, it returns FALSE.

   boolean new_source_address()

      A procedure to check the PaC's source IP address from the current
      PUR message.  If the source IP address of the message is different
      from the last known IP address stored in the PANA session, this
      procedure returns TRUE.  Otherwise, it returns FALSE.

   void update_popa()

      A procedure to extract the PaC's source IP address from the
      current PUR message and update the PANA session with this new IP
      address.

7.4.  PAA State Transition Table

   ------------------------------
   State: OFFLINE (Initial State)
   ------------------------------

   Initialization Action:

     USE_COOKIE=Set|Unset;
     EAP_PIGGYBACK=Set|Unset;
     SEPARATE=Set|Unset;
     if (EAP_PIGGYBACK==Set)
     SEPARATE=Unset;
     1ST_EAP=Unset;
     ABORT_ON_1ST_EAP_FAILURE=Set|Unset;
     CARRY_LIFETIME=Set|Unset;
     CARRY_DEVICE_ID=Set|Unset;
     CARRY_NAP_INFO=Set|Unset;
     CARRY_ISP_INFO=Set|Unset;
     CARRY_PPAC=Set|Unset;
     PROTECTION_CAP_IN_PSR=Set|Unset;
     PROTECTION_CAP_IN_PBR=Set|Unset;
     if (PROTECTION_CAP_IN_PBR==Unset)
     PROTECTION_CAP_IN_PSR=Unset;
     else
     CARRY_DEVICE_ID=Set;
     NAP_AUTH=Unset;
     RTX_COUNTER=0;
     RtxTimerStop();

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (Stateful discovery)- - - - - - - - -
   (Rx:PDI ||               EAP_Restart();             WAIT_EAP_MSG_
   PAC_FOUND) &&                                       IN_DISC
   USE_COOKIE==Unset &&
   EAP_PIGGYBACK==Set

   (Rx:PDI ||               if (SEPARATE==Set)         STATEFUL_DISC
   PAC_FOUND) &&            PSR.S_flag=1;
   USE_COOKIE==Unset &&     if (CARRY_NAP_INFO==Set)
   EAP_PIGGYBACK==Unset     PSR.insert_avp
                            ("NAP-Information");
                            if (CARRY_ISP_INFO==Set)
                            PSR.insert_avp
                            ("ISP-Information");
                            if (CARRY_PPAC==Set)
                            PSR.insert_avp
                            ("Post-PANA-Address-
                            Configuration");
                            if (PROTECTION_CAP_IN_PSR
                            ==Set)
                            PSR.insert_avp
                            ("Protection-Cap.");
                            if (AUTH_ALGORITHM_IN_PSR
                            ==Set)
                            PSR.insert_avp
                            ("Algorithm");
                            Tx:PSR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - - - (Stateless discovery) - - - - - - - -
   (Rx:PDI ||               if (SEPARATE==Set)         OFFLINE
   PAC_FOUND) &&            PSR.S_flag=1;
   USE_COOKIE==Set          PSR.insert_avp
                            ("Cookie");
                            if (CARRY_NAP_INFO==Set)
                            PSR.insert_avp
                            ("NAP-Information");
                            if (CARRY_ISP_INFO==Set)
                            PSR.insert_avp
                            ("ISP-Information");
                            if (CARRY_PPAC==Set)
                            PSR.insert_avp
                            ("Post-PANA-Address-
                            Configuration");
                            if (PROTECTION_CAP_IN_PSR
                            ==Set)
                            PSR.insert_avp
                            ("Protection-Cap.");
                            Tx:PSR();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - - - - (PSA processing) - - - - - - - - -
   Rx:PSA &&                if (SEPARATE==Set &&       WAIT_EAP_MSG
   USE_COOKIE==Set          PSA.S_flag==0)
                            SEPARATE=Unset;
                            if (SEPARATE==Set)
                            NAP_AUTH=Set|Unset;
                            EAP_Restart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------------------
   State: WAIT_EAP_MSG_IN_DISC
   ---------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - (Send PSR with EAP-Request) - - - - - - -
   EAP_REQUEST              PSR.insert_avp             STATEFUL_DISC
                            ("EAP-Payload");
                            if (CARRY_NAP_INFO==Set)
                            PSR.insert_avp
                            ("NAP-Information");
                            if (CARRY_ISP_INFO==Set)
                            PSR.insert_avp
                            ("ISP-Information");
                            if (CARRY_PPAC==Set)
                            PSR.insert_avp
                            ("Post-PANA-Address-
                            Configuration");
                            Tx:PSR();
                            RtxTimerStart();

   EAP_TIMEOUT              None();                    OFFLINE
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   --------------------
   State: STATEFUL_DISC
   --------------------

   Exit Condition           Action                     Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (Stateful discovery)- - - - - - - - -
   Rx:PSA                   if (SEPARATE==Set &&       WAIT_EAP_MSG
                            PSA.S_flag==0)
                            SEPARATE=Unset;
                            if (PSA.exist_avp
                            ("EAP-Payload"))
                            TxEAP();
                            else {
                            if (SEPARATE==Set)
                            NAP_AUTH=Set|Unset;
                            EAP_Restart();
                            }
                            RtxTimerStop();

   EAP_TIMEOUT              if (key_available())       WAIT_PEA
                            PER.insert_avp("AUTH");
                            Tx:PER();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   -------------------
   State: WAIT_EAP_MSG
   -------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - -(Receiving EAP-Request)- - - - - - - - -
   EAP_REQUEST              if (key_available())       WAIT_PAN_OR_PAR
                            PAR.insert_avp("AUTH");
                            if (SEPARATE==Set) {
                            PAR.S_flag=1;
                            if (NAP_AUTH==Set)
                            PAR.N_flag=1;
                            }
                            Tx:PAR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - -(Receiving EAP-Success/Failure single EAP)- - - -
   EAP_FAILURE &&           PBR.insert_avp             WAIT_FAIL_PBA
   1ST_EAP==Unset &&        ("EAP-Payload");
   SEPARATE==Unset          if (key_available())
                            PBR.insert_avp("AUTH");
                            Tx:PBR();
                            RtxTimerStart();

   EAP_SUCCESS &&           PBR.insert_avp             WAIT_SUCC_PBA
   1ST_EAP==Unset &&        ("EAP-Payload");
   SEPARATE==Unset &&       if (CARRY_DEVICE_ID==Set)
   Authorize()              PBR.insert_avp
                            ("Device-Id");
                            if (CARRY_LIFETIME==Set)
                            PBR.insert_avp
                            ("Session-Lifetime");
                            if (PROTECTION_CAP_IN_PBR
                            ==Set)
                            PBR.insert_avp
                            ("Protection-Cap.");
                            if (new_key_available())
                            PBR.insert_avp
                            ("Key-Id");
                            PBR.insert_avp
                            ("Algorithm");
                            if (key_available())
                            PBR.insert_avp("AUTH");
                            Tx:PBR();
                            RtxTimerStart();

   EAP_SUCCESS &&           PBR.insert_avp             WAIT_FAIL_PBA
   1ST_EAP==Unset &&        ("EAP-Payload");
   SEPARATE==Unset &&       if (new_key_available())
   !Authorize()             PBR.insert_avp
                            ("Key-Id");
                            PBR.insert_avp
                            ("Algorithm");
                            if (key_available())
                            PBR.insert_avp("AUTH");
                            Tx:PBR();
                            RtxTimerStart();

   EAP_TIMEOUT &&           if (key_available())       WAIT_PEA
   1ST_EAP==Unset &&        PER.insert_avp("AUTH");
   SEPARATE==Unset          Tx:PER();
                            RtxTimerStart();

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - -(Receiving EAP-Success/Failure for 1st EAP)- - - -
   EAP_FAILURE &&           1ST_EAP=Failure            WAIT_PFEA
   1ST_EAP==Unset &&        PFER.insert_avp
   SEPARATE==Set &&         ("EAP-Payload");
   ABORT_ON_1ST_EAP_FAILURE if (key_available())
   ==Unset                  PFER.insert_avp("AUTH");
                            PFER.S_flag=1;
                            if (NAP_AUTH)
                            PFER.N_flag=1;
                            Tx:PFER();
                            RtxTimerStart();

   EAP_FAILURE &&           1ST_EAP=Failure            WAIT_FAIL_PFEA
   1ST_EAP==Unset &&        PFER.insert_avp
   SEPARATE==Set &&         ("EAP-Payload");
   ABORT_ON_1ST_EAP_FAILURE if (key_available())
   ==Set                    PFER.insert_avp("AUTH");
                            PFER.S_flag=0;
                            Tx:PFER();
                            RtxTimerStart();

   EAP_SUCCESS &&           1ST_EAP=Success            WAIT_PFEA
   1ST_EAP==Unset &&        PFER.insert_avp
   SEPARATE==Set            ("EAP-Payload");
                            if (new_key_available())
                            PFER.insert_avp
                            ("Key-Id");
                            PFER.insert_avp
                            ("Algorithm");
                            if (key_available())
                            PFER.insert_avp("AUTH");
                            PFER.S_flag=1;
                            if (NAP_AUTH)
                            PFER.N_flag=1;
                            Tx:PFER();
                            RtxTimerStart();

   EAP_TIMEOUT &&           1ST_EAP=Failure            WAIT_PFEA
   1ST_EAP==Unset &&        if (key_available())
   SEPARATE==Set &&         PFER.insert_avp("AUTH");
   ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1;
   ==Unset                  if (NAP_AUTH)
                            PFER.N_flag=1;
                            Tx:PFER();
                            RtxTimerStart();

   EAP_TIMEOUT &&           1ST_EAP=Failure            WAIT_FAIL_PFEA
   1ST_EAP==Unset &&        if (key_available())
   SEPARATE==Set &&         PFER.insert_avp("AUTH");
   ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset;
   ==Set                    PFER.S_flag=0;
                            Tx:PFER();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - -(Receiving EAP-Success/Failure for 2nd EAP)- - - -
   EAP_FAILURE &&           PBR.insert_avp             WAIT_FAIL_PBA
   1ST_EAP==Failure &&      ("EAP-Payload");
   SEPARATE==Set            if (key_available())
                            PBR.insert_avp("AUTH");
                            PBR.S_flag=1;
                            if (NAP_AUTH)
                            PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_FAILURE &&           PBR.insert_avp             WAIT_SUCC_PBA
   1ST_EAP==Success &&        ("EAP-Payload");
   SEPARATE==Set &&         if (CARRY_DEVICE_ID==Set)
   Authorize()                PBR.insert_avp
                              ("Device-Id");
                            if (CARRY_LIFETIME==Set)
                              PBR.insert_avp
                              ("Session-Lifetime");
                            if (PROTECTION_CAP_IN_PBR
                                ==Set)
                              PBR.insert_avp
                              ("Protection-Cap.");
                            if (key_available())
                              PBR.insert_avp("AUTH");
                            PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_FAILURE &&           PBR.insert_avp             WAIT_FAIL_PBA
   1ST_EAP==Success &&        ("EAP-Payload");
   SEPARATE==Set &&         if (key_available())
   !Authorize()               PBR.insert_avp("AUTH");
                            PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_SUCCESS &&           PBR.insert_avp             WAIT_SUCC_PBA
   1ST_EAP==Success &&        ("EAP-Payload");
   SEPARATE==Set &&         if (CARRY_DEVICE_ID==Set)
   Authorize()                PBR.insert_avp
                              ("Device-Id");
                            if (CARRY_LIFETIME==Set)
                              PBR.insert_avp
                              ("Session-Lifetime");
                            if (PROTECTION_CAP_IN_PBR
                                ==Set)
                              PBR.insert_avp
                              ("Protection-Cap.");
                            if (new_key_available())
                              PBR.insert_avp
                              ("Key-Id");
                              PBR.insert_avp
                              ("Algorithm");
                            if (key_available())
                              PBR.insert_avp("AUTH");
                            PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_SUCCESS &&           PBR.insert_avp             WAIT_FAIL_PBA
   1ST_EAP==Success &&        ("EAP-Payload");
   SEPARATE==Set &&         if (new_key_available())
   !Authorize()               PBR.insert_avp
                              ("Key-Id");
                              PBR.insert_avp
                              ("Algorithm");
                            if (key_available())
                              PBR.insert_avp("AUTH");
                            PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_SUCCESS &&           PBR.insert_avp             WAIT_SUCC_PBA
   1ST_EAP==Failure &&        ("EAP-Payload");
   SEPARATE==Set &&         if (CARRY_DEVICE_ID==Set)
   Authorize()                PBR.insert_avp
                              ("Device-Id");
                            if (CARRY_LIFETIME==Set)
                              PBR.insert_avp
                              ("Session-Lifetime");
                            if (PROTECTION_CAP_IN_PBR
                                ==Set)
                              PBR.insert_avp
                              ("Protection-Cap.");
                            if (new_key_available())
                              PBR.insert_avp
                              ("Key-Id");
                              PBR.insert_avp
                              ("Algorithm");
                            if (key_available())
                              PBR.insert_avp("AUTH");
                            PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_SUCCESS &&           PBR.insert_avp             WAIT_FAIL_PBA
   1ST_EAP==Failure &&        ("EAP-Payload");
   SEPARATE==Set &&         if (new_key_available())
   !Authorize()               PBR.insert_avp
                              ("Key-Id");
                              PBR.insert_avp
                              ("Algorithm");
                            if (key_available())
                              PBR.insert_avp("AUTH");
                            PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_TIMEOUT &&           if (key_available())       WAIT_FAIL_PBA
   1ST_EAP==Failure &&        PBR.insert_avp("AUTH");
   SEPARATE==Set            PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_TIMEOUT &&           if (CARRY_DEVICE_ID==Set)  WAIT_SUCC_PBA
   1ST_EAP==Success &&        PBR.insert_avp
   SEPARATE==Set &&           ("Device-Id");
   Authorize()              if (CARRY_LIFETIME==Set)
                              PBR.insert_avp
                              ("Session-Lifetime");
                            if (PROTECTION_CAP_IN_PBR
                                ==Set)
                              PBR.insert_avp
                              ("Protection-Cap.");
                            if (new_key_available())
                              PBR.insert_avp
                              ("Key-Id");
                              PBR.insert_avp
                              ("Algorithm");
                            if (key_available())
                              PBR.insert_avp("AUTH");
                            PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_TIMEOUT &&           if (key_available())       WAIT_FAIL_PBA
   1ST_EAP==Success &&        PBR.insert_avp("AUTH");
   SEPARATE==Set &&         PBR.S_flag=1;
   !Authorize()             if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------
   State: WAIT_PFEA
   ----------------

   Event/Condition          Action                     Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - -(PFEA Processing)- - - - - - - - - - - -
   Rx:PFEA &&               RtxTimerStop();            WAIT_EAP_MSG
   (1ST_EAP==Success ||     EAP_Restart();
    (PFEA.S_flag==1 &&      if (NAP_AUTH==Set)
     1ST_EAP==Failure))       NAP_AUTH=Unset;
                            else
                              NAP_AUTH=Set;

   Rx:PFEA &&               RtxTimerStop();            CLOSED
   PFEA.S_flag==0 &&        Disconnect();
   1ST_EAP==Failure
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------------
   State: WAIT_FAIL_PFEA
   ---------------------

   Event/Condition          Action                     Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - -(PFEA Processing)- - - - - - - - - -
   Rx:PFEA                  RtxTimerStop();            CLOSED
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   --------------------
   State: WAIT_SUCC_PBA
   --------------------

   Event/Condition          Action                     Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (PBA Processing)- - - - - - - - - - -
   Rx:PBA &&                SessionTimerStart();       OPEN
   (CARRY_DEVICE_ID==Unset ||
    (CARRY_DEVICE_ID==Set &&
     PBA.exist_avp("Device-Id")))

   Rx:PBA &&                PER.RESULT_CODE=           WAIT_PEA
   CARRY_DEVICE_ID==Set &&    PANA_MISSING_AVP
   !PBA.exist_avp           Tx:PER();
     ("Device-Id")          RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   --------------------
   State: WAIT_FAIL_PBA
   --------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - (PBA Processing)- - - - - - - - - -
   Rx:PBA                   RtxTimerStop();            CLOSED
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   -----------
   State: OPEN
   -----------

   Event/Condition          Action                     Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - (re-authentication initiated by PaC) - - - - - -
   Rx:PRAR                  if (key_available())       WAIT_EAP_MSG
                              PRAA.insert_avp("AUTH");
                            EAP_Restart();
                            1ST_EAP=Unset;
                            NAP_AUTH=Set|Unset;
                            Tx:PRAA();
                            SessionTimerStop();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - (re-authentication initiated by PAA)- - - - - -
   REAUTH                   EAP_Restart();             WAIT_EAP_MSG
                            1ST_EAP=Unset;
                            NAP_AUTH=Set|Unset;
                            SessionTimerStop();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - (liveness test based on PPR-PPA exchange initiated by PAA)-
   PANA_PING                Tx:PPR();                  WAIT_PPA
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - (liveness test based on PPR-PPA exchange initiated by PaC)-
   Rx:PPR                   if (key_available())       OPEN
                              PPA.insert_avp("AUTH");
                            Tx:PPA();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - (Session termination initiated from PAA) - - - -
   TERMINATE                if (key_available())       SESS_TERM
                              PTR.insert_avp("AUTH");
                            Tx:PTR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - (Session termination initiated from PaC) - - - -
   Rx:PTR                   if (key_available())       CLOSED
                              PTA.insert_avp("AUTH");
                            Tx:PTA();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - -(Notification message) - - - - - - - - - - -
   NOTIFY                   if (key_available())       WAIT_PUA
                              PUR.insert_avp("AUTH");
                            Tx:PUR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - -(Notification/Address update) - - - - - - - - -
   Rx:PUR                   if (key_available())       OPEN
                              PUA.insert_avp("AUTH");
                            Tx:PUA();
                            if (new_source_address())
                              update_popa();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------
   State: WAIT_PPA
   ---------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - -(PPA processing) - - - - - - - - - -
   Rx:PPA                   RtxTimerStop();            OPEN
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------------
   State: WAIT_PAN_OR_PAR
   ----------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - (Pass EAP Response to the EAP authenticator)- - - -
   Rx:PAN &&                TxEAP();                   WAIT_EAP_MSG
   PAN.exist_avp
     ("EAP-Payload")

   Rx:PAR                   TxEAP();                   WAIT_EAP_MSG
                            if (key_available())
                              PAN.insert_avp("AUTH");
                            if (SEPARATE==Set) {
                              PAN.S_flag=1;
                              if (NAP_AUTH==Set)
                                PAN.N_flag=1;
                            }
                            RtxTimerStop();
                            Tx:PAN();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - (PAN without an EAP response) - - - - - - -
   Rx:PAN &&                RtxTimerStop();            WAIT_PAN_OR_PAR
   !PAN.exist_avp
     ("EAP-Payload")
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - -(EAP retransmission) - - - - - - - - - -
   EAP_REQUEST              if (key_available())       WAIT_PAN_OR_PAR
                              PAR.insert_avp("AUTH");
                            if (SEPARATE==Set) {
                              PAR.S_flag=1;
                              if (NAP_AUTH==Set)
                                PAR.N_flag=1;
                            }
                            Tx:PAR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - -(EAP authentication timeout)- - - - - - - - -
   EAP_TIMEOUT &&           if (key_available())       WAIT_PEA
   1ST_EAP==Unset &&          PER.insert_avp("AUTH");
   SEPARATE==Unset          Tx:PER();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - -(EAP authentication timeout for 1st EAP)- - - - - -
   EAP_TIMEOUT &&           1ST_EAP=Failure            WAIT_PFEA
   1ST_EAP==Unset &&        if (key_available())
   SEPARATE==Set &&           PFER.insert_avp("AUTH");
   ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1;
     ==Unset                if (NAP_AUTH)
                              PFER.N_flag=1;
                            Tx:PFER();
                            RtxTimerStart();

   EAP_TIMEOUT &&           1ST_EAP=Failure            WAIT_FAIL_PFEA
   1ST_EAP==Unset &&        if (key_available())
   SEPARATE==Set &&           PFER.insert_avp("AUTH");
   ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset;
     ==Set                  PFER.S_flag=0;
                            Tx:PFER();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - -(EAP authentication timeout for 2nd EAP)- - - - - -
   EAP_TIMEOUT &&           if (key_available())       WAIT_FAIL_PBA
   1ST_EAP==Failure &&        PBR.insert_avp("AUTH");
   SEPARATE==Set            PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_TIMEOUT &&           if (CARRY_DEVICE_ID==Set)  WAIT_SUCC_PBA
   1ST_EAP==Success &&        PBR.insert_avp
   SEPARATE==Set &&           ("Device-Id");
   Authorize()              if (CARRY_LIFETIME==Set)
                              PBR.insert_avp
                              ("Session-Lifetime");
                            if (PROTECTION_CAP_IN_PBR
                                ==Set)
                              PBR.insert_avp
                              ("Protection-Cap.");
                            if (new_key_available())
                              PBR.insert_avp
                              ("Key-Id");
                              PBR.insert_avp
                              ("Algorithm");
                            if (key_available())
                              PBR.insert_avp("AUTH");
                            PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_TIMEOUT &&           if (key_available())       WAIT_FAIL_PBA
   1ST_EAP==Success &&        PBR.insert_avp("AUTH");
   SEPARATE==Set &&         PBR.S_flag=1;
   !Authorize()             if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------
   State: WAIT_PUA
   ---------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (PUA processing)- - - - - - - - - - -
   Rx:PUA                   RtxTimerStop();            OPEN
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------
   State: SESS_TERM
   ----------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - -(PTA processing) - - - - - - - - - -
   Rx:PTA                   RtxTimerStop();            CLOSED
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------
   State: WAIT_PEA
   ---------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - -(PEA processing) - - - - - - - - - -
   Rx:PEA                   RtxTimerStop();            CLOSED
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

8.  Mobility Optimization Support

   The state machines outlined in preceding sections provide only PANA
   base protocol functionality.  In order to support the PANA mobility
   optimization outlined in [I-D.ietf-pana-mobopts], additions and
   changes to the PaC and PAA state machines are required.  The
   additions and changes provide only basic mobility optimization and
   are not explicit on integration of other mobility functionality such
   as context-transfer mechanisms.  However, they do provide enough
   flexibility to accommodate future inclusion of such mechanisms.

   The model depicted by [I-D.ietf-pana-mobopts] generally involves the
   PaC changing its point of attachment during an active PANA session.
   Mobility optimization is achieved by avoiding a full EAP
   authentication sequence during this change.  To support this, state
   transitions described in this section assume that the PaC state
   machine reverts to the OFFLINE state but maintains the session
   information, including the security association, from the previous
   active session.
   It is also assumed that the PAA state machine initializes to the
   OFFLINE state as normal but must also have access to session
   information and the security association from the previous active
   session.  A method of how a PAA session context is transferred can
   be found in [I-D.ietf-pana-cxtp].

   The variables, procedures and state transitions described in this
   section are designed to be seamlessly integrated into the
   appropriate base protocol state machines.  They should be treated as
   a mobility optimization addendum to the base protocol state machine.
   In this addendum, no additional states have been defined but some
   modifications to the base protocol state machine are required.  The
   modifications are to accommodate the mobility variables and
   procedures as they relate to existing state transition actions and
   events.  These modifications to existing state transitions are noted
   in state transition tables in this section.  These modified state
   transitions are intended to replace their base protocol
   counterparts.  New state transitions specific to mobility
   optimization are also present.  Variable initialization also needs
   to be added to the appropriate base protocol state to complete the
   mobility optimization support.

8.1.  Common Variables

   MOBILITY

      This variable indicates whether the mobility handling feature
      described in [I-D.ietf-pana-mobopts] is supported.  This should
      be present in both the PaC and PAA state machines.  Existing
      state transitions in the base protocol state machine that can be
      affected by mobility optimization must treat this variable as
      being Unset unless the state transition is explicitly redefined
      in this section.

8.2.  PaC Mobility Optimization State Machine

8.2.1.  Variables

   PANA_SA_RESUMED

      This variable indicates whether the PANA SA of a previous PANA
      session was resumed during the discovery and initial handshake.

8.2.2.  Procedures

   boolean resume_pana_sa()

      This procedure returns TRUE when a PANA SA for a previously
      established PANA Session is resumed, otherwise returns FALSE.
      Once a PANA SA is resumed, the key_available() procedure must
      return TRUE.  Existing state transitions in the base protocol
      state machine that can be affected by mobility optimization must
      assume that this procedure always returns FALSE unless the state
      transition is explicitly redefined in this section.

8.2.3.  PaC Mobility Optimization State Transition Table Addendum

   ------------------------------
   State: OFFLINE (Initial State)
   ------------------------------

   Initialization Action:

     MOBILITY=Set|Unset;
     PANA_SA_RESUMED=Unset;

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - (PSR processing with mobility support)- - - - -
   - The following state transitions are intended to be added    -
   - to the OFFLINE state of the PaC base protocol state         -
   - machine.                                                    -
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Rx:PSR &&                RtxTimerStop();            WAIT_PAA
   !PSR.exist_avp           PSA.insert_avp
     ("EAP-Payload") &&       ("Session-Id");
   MOBILITY==Set &&         SEPARATE=Unset;
   resume_pana_sa() &&      PANA_SA_RESUMED=Set;
   PSR.exist_avp            PSA.insert_avp("Cookie");
     ("Cookie")             PSA.insert_avp("AUTH");
                            Tx:PSA();
                            RtxTimerStart();

   Rx:PSR &&                RtxTimerStop();            WAIT_PAA
   !PSR.exist_avp           PSA.insert_avp
     ("EAP-Payload") &&       ("Session-Id");
   MOBILITY==Set &&         PSA.insert_avp("AUTH");
   resume_pana_sa() &&      Tx:PSA();
   !PSR.exist_avp           PANA_SA_RESUMED=Set;
     ("Cookie")

   ---------------
   State: WAIT_PAA
   ---------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - -
   - The following state transitions are intended to replace     -
   - existing base protocol state transitions. Original base     -
   - protocol state transitions can be referenced by the same    -
   - exit conditions that exist in the WAIT_PAA state of the PaC -
   - base protocol state machine.                                -
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Rx:PAR &&                RtxTimerStop();            WAIT_EAP_MSG
   !eap_piggyback()         TxEAP();
                            PANA_SA_RESUMED=Unset;
                            EAP_RespTimerStart();
                            if (key_available())
                              PAN.insert_avp("AUTH");
                            PAN.S_flag=PAR.S_flag;
                            PAN.N_flag=PAR.N_flag;
                            Tx:PAN();

   Rx:PAR &&                RtxTimerStop();            WAIT_EAP_MSG
   eap_piggyback()          TxEAP();
                            PANA_SA_RESUMED=Unset;
                            EAP_RespTimerStart();

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - -
   - The following state transitions are intended to replace     -
   - existing base protocol state transitions. Original base     -
   - protocol state transitions can be referenced by exit        -
   - conditions that exclude PANA_SA_RESUMED variable checks.    -
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Rx:PBR &&                TxEAP();                   WAIT_EAP_RESULT
   1ST_EAP==Unset &&        if (PBR.exist_avp
   SEPARATE==Unset &&           ("Device-Id"))
   PBR.RESULT_CODE==          CARRY_DEVICE_ID=Set;
     PANA_SUCCESS &&
   PANA_SA_RESUMED!=Set

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - (PBR processing with mobility support)- - - - -
   - The following state transitions are intended to be added    -
   - to the WAIT_PAA state of the PaC base protocol state        -
   - machine.                                                    -
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Rx:PBR &&                PBA.insert_avp("Key-Id");  OPEN
   1ST_EAP==Unset &&        PBA.insert_avp("AUTH");
   SEPARATE==Unset &&       if (PBR.exist_avp
   PBR.RESULT_CODE==            ("Device-Id"))
     PANA_SUCCESS &&          PBA.insert_avp("Device-Id");
   PANA_SA_RESUMED==Set &&  Tx:PBA();
   PBR.exist_avp            Authorize();
     ("Key-Id") &&          SessionTimerStart();
   PBR.exist_avp
     ("AUTH")

   -----------
   State: OPEN
   -----------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+-------------
   - - - - - - - - - (re-authentication initiated by PaC)- - - - - -
   - The following state transitions are intended to replace       -
   - existing base protocol state transitions. Original base       -
   - protocol state transitions can be referenced by the same      -
   - exit conditions that exist in the OPEN state of the PaC       -
   - base protocol state machine.                                  -
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   REAUTH                   SEPARATE=Set|Unset;        WAIT_PRAA
                            1ST_EAP=Unset;
                            PANA_SA_RESUMED=Unset;
                            if (key_available())
                              PRAR.insert_avp("AUTH");
                            Tx:PRAR();
                            RtxTimerStart();
                            SessionTimerStop();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - (re-authentication initiated by PAA)- - - - - -
   Rx:PAR &&                SEPARATE=Set|Unset;        WAIT_EAP_MSG
   !eap_piggyback()         1ST_EAP=Unset;
                            PANA_SA_RESUMED=Unset;
                            EAP_RespTimerStart();
                            TxEAP();
                            if (key_available())
                              PAN.insert_avp("AUTH");
                            PAN.S_flag=PAR.S_flag;
                            PAN.N_flag=PAR.N_flag;
                            Tx:PAN();
                            SessionTimerStop();

   Rx:PAR &&                SEPARATE=Set|Unset;        WAIT_EAP_MSG
   eap_piggyback()          1ST_EAP=Unset;
                            PANA_SA_RESUMED=Unset;
                            EAP_RespTimerStart();
                            TxEAP();
                            SessionTimerStop();

8.3.  PAA Mobility Optimization

8.3.1.  Procedures

   boolean retrieve_pana_sa(Session-Id)

      This procedure returns TRUE when a PANA SA for the PANA Session
      corresponding to the specified Session-Id has been retrieved,
      otherwise returns FALSE.

8.3.2.  PAA Mobility Optimization State Transition Table Addendum

   ------------------------------
   State: OFFLINE (Initial State)
   ------------------------------

   Initialization Action:

     MOBILITY=Set|Unset;

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - (PSA processing with mobility support) - - - - - -
   - The following state transitions are intended to replace     -
   - existing base protocol state transitions. Original base     -
   - protocol state transitions can be referenced by exit        -
   - conditions that exclude MOBILITY variable checks and        -
   - retrieve_pana_sa() procedure calls.                         -
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Rx:PSA &&                if (SEPARATE==Set &&       WAIT_EAP_MSG
   (!PSA.exist_avp              PSA.S_flag==0)
     ("Session-Id") ||        SEPARATE=Unset;
    MOBILITY==Unset ||      if (SEPARATE==Set)
    (MOBILITY==Set &&         NAP_AUTH=Set|Unset;
     !retrieve_pana_sa      EAP_Restart();
       (PSA.SESSION_ID)))
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - (PSA processing with mobility support)- - - - -
   Rx:PSA &&                PBR.insert_avp("AUTH");    WAIT_SUCC_PBA
   PSA.exist_avp            PBR.insert_avp("Key-Id");
     ("Session-Id") &&      if (CARRY_DEVICE_ID==Set)
   MOBILITY==Set &&           PBR.insert_avp
   retrieve_pana_sa           ("Device-Id");
     (PSA.SESSION_ID)       if (PROTECTION_CAP_IN_PBR
                                ==Set)
                              PBR.insert_avp
                              ("Protection-Cap.");
                            Tx:PBR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

9.  Implementation Considerations

9.1.  PAA and PaC Interface to Service Management Entity

   In general, it is assumed in each device that has a PANA protocol
   stack that there is a Service Management Entity (SME) that manages
   the PANA protocol stack.  It is recommended that a generic interface
   (i.e., the SME-PANA interface) between the SME and the PANA protocol
   stack be provided by the implementation.  In particular, common
   procedures such as startup, shutdown, re-authenticate signals and
   provisions for extracting keying material should be provided by such
   an interface.  The SME-PANA interface in a PAA device should also
   provide a method for communicating filtering parameters to the
   EP(s).  When cryptographic filtering is used, the filtering
   parameters include keying material used for bootstrapping per-packet
   ciphering.
   When a PAA device interacts with the backend authentication server
   using a AAA protocol, its SME may also have an interface to the AAA
   protocol to obtain authorization parameters such as the
   authorization lifetime and additional filtering parameters.

9.2.  Multicast Traffic

   In general, binding a UDP socket to a multicast address and/or port
   is system dependent.  In most systems, a socket can be bound to any
   address and a specific port.  This allows the socket to receive all
   packets destined for the local host (on all its local addresses) for
   that port.  If the host subscribes to a multicast address, then this
   socket will also receive multicast traffic.  In some systems, this
   would also result in the socket receiving all multicast traffic even
   though it has subscribed to only one multicast address.  This is
   because most physical interfaces have multicast traffic either
   enabled or disabled and do not provide specific address filtering.
   Normally, it is not possible to filter out specific traffic on a
   socket from the user level.  Most environments provide lower layer
   filtering that allows the use of only one socket to receive both
   unicast and specific multicast addresses.  However, it might
   introduce portability problems.

10.  Security Considerations

   This document's intent is to describe the PANA state machines fully.
   To this end, any security concerns with this document are likely a
   reflection of security concerns with PANA itself.

11.  IANA Considerations

   This document has no actions for IANA.

12.  Acknowledgments

   This work was started from state machines originally made by Dan
   Forsberg.

13.  References

13.1.  Normative References

   [I-D.ietf-pana-pana]
              Forsberg, D., "Protocol for Carrying Authentication for
              Network Access (PANA)", draft-ietf-pana-pana-11 (work in
              progress), March 2006.

   [I-D.ietf-pana-mobopts]
              Forsberg, D., "PANA Mobility Optimizations",
              draft-ietf-pana-mobopts-01 (work in progress),
              October 2005.

13.2.  Informative References

   [RFC4137]  Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba,
              "State Machines for Extensible Authentication Protocol
              (EAP) Peer and Authenticator", RFC 4137, August 2005.

   [I-D.ietf-pana-cxtp]
              Bournelle, J., "Use of Context Transfer Protocol (CXTP)
              for PANA", draft-ietf-pana-cxtp-01 (work in progress),
              March 2006.

Authors' Addresses

   Victor Fajardo
   Toshiba America Research, Inc.
   1 Telcordia Drive
   Piscataway, NJ  08854
   USA

   Phone: +1 732 699 5368
   Email: vfajardo@tari.toshiba.com

   Yoshihiro Ohba
   Toshiba America Research, Inc.
   1 Telcordia Drive
   Piscataway, NJ  08854
   USA

   Phone: +1 732 699 5305
   Email: yohba@tari.toshiba.com

   Rafa Marin Lopez
   University of Murcia
   30071 Murcia
   Spain

   Email: rafa@dif.um.es

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.
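
Added example (not part of the draft): a Python model of the guards in
the mobility addenda of Sections 8.2.3 and 8.3.2. It shows that the PAA
skips EAP only when Session-Id, MOBILITY and a retrievable PANA SA all
hold, and that the PaC reaches OPEN on the resumed path only when the
PBR carries both Key-Id and AUTH. The dict-shaped messages, the
SA_STORE contents and every function name other than retrieve_pana_sa
are assumptions made for the illustration.

```python
from itertools import product

# Constructed sample data: PANA SAs the PAA can reach, keyed by Session-Id.
SA_STORE = {"sess-0001": {"key_id": 7}}


def retrieve_pana_sa(session_id, store=SA_STORE):
    """Section 8.3.1: TRUE only when an SA for this Session-Id is retrieved."""
    return session_id in store


def paa_offline_rx_psa(psa, mobility, separate=False,
                       carry_device_id=False, protection_cap_in_pbr=False):
    """PAA, State: OFFLINE, event Rx:PSA (Section 8.3.2).

    psa is a dict (assumed shape): {"avps": {name: value}, "s_flag": 0 or 1}.
    Both guards are evaluated as written in the table, then checked to be
    complementary before any action is taken.
    """
    avps = psa["avps"]
    has_sid = "Session-Id" in avps
    sa_ok = has_sid and retrieve_pana_sa(avps["Session-Id"])

    full_eap = (not has_sid) or (not mobility) or (mobility and not sa_ok)
    resume = has_sid and mobility and sa_ok
    if full_eap == resume:
        raise RuntimeError("guards overlap or leave a gap")

    if resume:
        pbr = ["AUTH", "Key-Id"]
        if carry_device_id:
            pbr.append("Device-Id")
        if protection_cap_in_pbr:
            pbr.append("Protection-Cap.")
        return "WAIT_SUCC_PBA", {"tx": "PBR", "avps": pbr, "rtx_timer": True}

    # Fallback: full EAP authentication; no PBR is sent from this state.
    if separate and psa["s_flag"] == 0:
        separate = False
    return "WAIT_EAP_MSG", {"tx": None, "eap_restart": True,
                            "separate": separate}


def pac_wait_paa_rx_pbr(pbr, pana_sa_resumed, first_eap_unset=True,
                        separate=False):
    """PaC, State: WAIT_PAA, event Rx:PBR (Section 8.2.3).

    Returns (exit_state, detail), or None when neither transition shown in
    Section 8.2.3 matches; this model then leaves the state unchanged.
    """
    avps = pbr["avps"]
    if not (first_eap_unset and not separate
            and pbr["result_code"] == "PANA_SUCCESS"):
        return None
    if not pana_sa_resumed:
        # Replaced base transition: hand the EAP result to the EAP peer.
        return "WAIT_EAP_RESULT", {"tx": None,
                                   "carry_device_id": "Device-Id" in avps}
    # Resumed SA: the guard needs both Key-Id and AUTH. Like the table, this
    # tests presence only; validating the AUTH value is outside this model.
    if "Key-Id" in avps and "AUTH" in avps:
        pba = ["Key-Id", "AUTH"]
        if "Device-Id" in avps:
            pba.append("Device-Id")
        return "OPEN", {"tx": "PBA", "avps": pba, "authorize": True}
    return None


def enumerate_paa_guards():
    """Exit state for every (Session-Id present, MOBILITY, SA retrievable)."""
    table = {}
    for has_sid, mobility, known in product([False, True], repeat=3):
        avps = {}
        if has_sid:
            avps["Session-Id"] = "sess-0001" if known else "sess-9999"
        state, _ = paa_offline_rx_psa({"avps": avps, "s_flag": 0}, mobility)
        table[(has_sid, mobility, known)] = state
    return table


if __name__ == "__main__":
    for combo, state in sorted(enumerate_paa_guards().items()):
        print(combo, "->", state)
    resumed = {"avps": {"Key-Id": 7, "AUTH": b"\x00" * 16},
               "result_code": "PANA_SUCCESS"}
    print(pac_wait_paa_rx_pbr(resumed, pana_sa_resumed=True))
    del resumed["avps"]["AUTH"]
    print(pac_wait_paa_rx_pbr(resumed, pana_sa_resumed=True))
```

Of the eight input combinations on the PAA side, only one leads to
WAIT_SUCC_PBA; a resumed-path PBR lacking AUTH matches neither PaC
transition in this model.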