PANA Working Group                                       V. Fajardo, Ed.
Internet-Draft                                                   Y. Ohba
Expires: April 25, 2009                                             TARI
                                                                R. Lopez
                                                         Univ. of Murcia
                                                        October 22, 2008


  State Machines for Protocol for Carrying Authentication for Network
                             Access (PANA)
                    draft-ietf-pana-statemachine-07

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 25, 2009.

Abstract

   This document defines the conceptual state machines for the Protocol
   for Carrying Authentication for Network Access (PANA).  The state
   machines consist of the PANA Client (PaC) state machine and the PANA
   Authentication Agent (PAA) state machine.  The two state machines
   show how PANA can interface with the EAP state machines.  The state
   machines and associated model are informative only.  Implementations
   may achieve the same results using different methods.

Table of Contents

   1.  Introduction
   2.  Interface Between PANA and EAP
   3.  Document Authority
   4.  Notations
   5.  Common Rules
     5.1.  Common Procedures
     5.2.  Common Variables
     5.3.  Constants
     5.4.  Common Message Initialization Rules
     5.5.  Common Retransmission Rules
     5.6.  Common State Transitions
   6.  PaC State Machine
     6.1.  Interface between PaC and EAP Peer
       6.1.1.  Delivering EAP Messages from PaC to EAP Peer
       6.1.2.  Delivering EAP Messages from EAP Peer to PaC
       6.1.3.  EAP Restart Notification from PaC to EAP Peer
       6.1.4.  EAP Authentication Result Notification from EAP
               Peer to PaC
       6.1.5.  Alternate Failure Notification from PaC to EAP Peer
     6.2.  Constants
     6.3.  Variables
     6.4.  Procedures
     6.5.  PaC State Transition Table
   7.  PAA State Machine
     7.1.  Interface between PAA and EAP Authenticator
       7.1.1.  EAP Restart Notification from PAA to EAP
               Authenticator
       7.1.2.  Delivering EAP Responses from PAA to EAP
               Authenticator
       7.1.3.  Delivering EAP Messages from EAP Authenticator to
               PAA
       7.1.4.  EAP Authentication Result Notification from EAP
               Authenticator to PAA
     7.2.  Variables
     7.3.  Procedures
     7.4.  PAA State Transition Table
   8.  Implementation Considerations
     8.1.  PAA and PaC Interface to Service Management Entity
   9.  Security Considerations
   10. IANA Considerations
   11. Acknowledgments
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   This document defines the state machines for the Protocol for
   Carrying Authentication for Network Access (PANA) [RFC5191].
   There are state machines for the PANA client (PaC) and for the PANA
   Authentication Agent (PAA).  Each state machine is specified through
   a set of variables, procedures and a state transition table.

   A PANA protocol execution consists of several exchanges to carry
   authentication information.  Specifically, EAP PDUs are transported
   inside PANA PDUs between PaC and PAA; that is, PANA represents a
   lower layer for the EAP protocol.  Thus, a PANA state machine bases
   its execution on an EAP state machine execution and vice versa.
   This document therefore also shows, for each of PaC and PAA, an
   interface between an EAP state machine and a PANA state machine and
   how this interface allows them to exchange information.  Thanks to
   this interface, a PANA state machine can be informed about several
   events generated in an EAP state machine and make its execution
   conditional on those events.

   The details of EAP state machines are out of the scope of this
   document.  Additional information can be found in [RFC4137].
   Nevertheless, the PANA state machines presented here have been
   coordinated with the state machines shown in [RFC4137].

   This document, apart from defining PaC and PAA state machines and
   their interfaces to EAP state machines (running on top of PANA),
   provides some implementation considerations, taking into account that
   it is not a specification but an implementation guideline.

2.  Interface Between PANA and EAP

   PANA carries EAP messages exchanged between an EAP peer and an EAP
   authenticator (see Figure 1).  Thus a PANA state machine interacts
   with an EAP state machine.

   Two state machines are defined in this document: the PaC state
   machine (see Section 6) and the PAA state machine (see Section 7).
   The definition of each state machine consists of a set of variables,
   procedures and a state transition table.
   A subset of these variables and procedures defines the interface
   between a PANA state machine and an EAP state machine, and the state
   transition table defines the PANA state machine behavior based on
   results obtained through them.

   On the one hand, the PaC state machine interacts with an EAP peer
   state machine in order to carry out the PANA protocol on the PaC
   side.  On the other hand, the PAA state machine interacts with an EAP
   authenticator state machine to run the PANA protocol on the PAA side.

                 Peer             |EAP            Auth
                 EAP    <---------|------------>  EAP
                ^ |               |              ^ |
                | |               | EAP-Message  | | EAP-Message
    EAP-Message | |EAP-Message    |              | |
                | v               |PANA          | v
                PaC     <---------|------------>  PAA

               Figure 1: Interface between PANA and EAP

   Thus two interfaces are needed between PANA state machines and EAP
   state machines, namely:

   o  Interface between the PaC state machine and the EAP peer state
      machine

   o  Interface between the PAA state machine and the EAP authenticator
      state machine

   In general, the PaC and PAA state machines present EAP messages to
   the EAP peer and authenticator state machines through the interface,
   respectively.  The EAP peer and authenticator state machines process
   these messages and send EAP messages through the PaC and PAA state
   machines, which are responsible for actually transmitting them,
   respectively.

   For example, [RFC4137] specifies four interfaces to lower layers: (i)
   an interface between the EAP peer state machine and a lower layer,
   (ii) an interface between the EAP standalone authenticator state
   machine and a lower layer, (iii) an interface between the EAP full
   authenticator state machine and a lower layer and (iv) an interface
   between the EAP backend authenticator state machine and a lower
   layer.  In this document, the PANA protocol is the lower layer of EAP
   and only the first three interfaces are of interest to PANA.
   The second and third interfaces are the same.  In this regard, the
   EAP standalone authenticator or the EAP full authenticator and its
   state machine in [RFC4137] are referred to as the EAP authenticator
   and the EAP authenticator state machine, respectively, in this
   document.  If an EAP peer and an EAP authenticator follow the state
   machines defined in [RFC4137], the interfaces between PANA and EAP
   could be based on that document.  Detailed definitions of the
   interfaces between PANA and EAP are given in the subsequent
   sections.

3.  Document Authority

   When a discrepancy occurs between any part of this document and any
   of the related documents ([RFC5191], [RFC4137]), the latter (the
   other documents) are considered authoritative and take precedence.

4.  Notations

   The following state transition tables are completed mostly based on
   the conventions specified in [RFC4137].  The complete text is
   described below.

   State transition tables are used to represent the operation of the
   protocol by a number of cooperating state machines each comprising a
   group of connected, mutually exclusive states.  Only one state of
   each machine can be active at any given time.

   All permissible transitions from a given state to other states and
   associated actions performed when the transitions occur are
   represented by using triplets of (exit condition, exit action, exit
   state).  All conditions are expressions that evaluate to TRUE or
   FALSE; if a condition evaluates to TRUE, then the condition is met.
   A state "ANY" is a wildcard state that matches the current state in
   each state machine.  The exit conditions of a wildcard state are
   evaluated after all other exit conditions specific to the current
   state are met.

   On exit from a state, the exit actions defined for the state and the
   exit condition are executed exactly once, in the order that they
   appear on the page.
   (Note that the procedures defined in [RFC4137] are executed on entry
   to a state, which is one major difference from this document.)  Each
   exit action is deemed to be atomic; i.e., execution of an exit action
   completes before the next sequential exit action starts to execute.
   No exit action executes outside of a state block.  The exit actions
   in only one state block execute at a time even if the conditions for
   execution of state blocks in different state machines are satisfied.
   All exit actions in an executing state block complete execution
   before the transition to and execution of any other state blocks.
   The execution of any state block appears to be atomic with respect to
   the execution of any other state block and the transition condition
   to that state from the previous state is TRUE when execution
   commences.  The order of execution of state blocks in different state
   machines is undefined except as constrained by their transition
   conditions.  A variable that is set to a particular value in a state
   block retains this value until a subsequent state block executes an
   exit action that modifies the value.

   On completion of the transition from the previous state to the
   current state, all exit conditions occurring during the current state
   (including exit conditions defined for the wildcard state) are
   evaluated until an exit condition for that state is met.

   Any event variable is set to TRUE when the corresponding event occurs
   and set to FALSE immediately after completion of the action
   associated with the current state and the event.

   The interpretation of the special symbols and operators used is
   defined in [RFC4137].

5.  Common Rules

   The following procedures, variables, message initialization rules
   and state transitions are common to both the PaC and PAA state
   machines.
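
   The evaluation rules of Section 4 applied to the common transitions
   of Section 5.6 and a few PaC rows from Section 6.5, as an added
   example in Python that is not part of the draft.  It reads the
   wildcard rule as "state-specific rows first, then ANY rows"; the
   Session class, step(), run() and RTX_MAX_NUM = 3 are assumptions made
   for the illustration.

```python
# Added illustration, not code from the draft. The Session class, step() and
# the value of RTX_MAX_NUM are assumptions; the rows are copied from the
# "State: ANY", "ANY except INITIAL", CLOSED, OPEN, WAIT_PNA and SESS_TERM
# tables of this document.

RTX_MAX_NUM = 3  # assumed value; the draft only says it is configurable


class Session:
    """Variables the sample rows read or modify."""

    def __init__(self, state):
        self.state = state
        self.rtx_counter = 0    # RTX_COUNTER
        self.authorized = True  # stands in for the authorization state
        self.trace = []         # exit actions, in execution order


def retransmit(s):              # Retransmit(): resend, RTX_COUNTER += 1
    s.rtx_counter += 1
    s.trace.append("Retransmit")


def disconnect(s):              # Disconnect(): drop session and authorization
    s.authorized = False
    s.trace.append("Disconnect")


def rtx_timer_start(s):         # RtxTimerStart(): also resets RTX_COUNTER
    s.rtx_counter = 0
    s.trace.append("RtxTimerStart")


def note(name):                 # procedures whose effect is only traced here
    return lambda s: s.trace.append(name)


# Each row is the triplet (exit condition, exit actions, exit state);
# an exit state of None means "(no change)".
STATE_ROWS = {
    "OPEN": [
        (lambda s, ev: ev == "PANA_PING",
         [note("Tx:PNR[P]"), rtx_timer_start], "WAIT_PNA"),
        (lambda s, ev: ev == "TERMINATE",
         [note("Tx:PTR[]"), rtx_timer_start, note("SessionTimerStop")],
         "SESS_TERM"),
    ],
    "WAIT_PNA": [
        (lambda s, ev: ev == "Rx:PNA[P]", [note("RtxTimerStop")], "OPEN"),
    ],
    "SESS_TERM": [
        (lambda s, ev: ev == "Rx:PTA[]", [disconnect], "CLOSED"),
    ],
    # Catch-all: every event in CLOSED runs None() and stays in CLOSED.
    "CLOSED": [(lambda s, ev: True, [note("None")], "CLOSED")],
}

ANY_ROWS = [
    (lambda s, ev: ev == "RTX_TIMEOUT" and s.rtx_counter < RTX_MAX_NUM,
     [retransmit], None),
    (lambda s, ev: (ev == "RTX_TIMEOUT" and s.rtx_counter >= RTX_MAX_NUM)
     or ev == "SESS_TIMEOUT",
     [disconnect], "CLOSED"),
    # "ANY except INITIAL": answer a liveness test from the peer.
    (lambda s, ev: ev == "Rx:PNR[P]" and s.state != "INITIAL",
     [note("Tx:PNA[P]")], None),
]


def step(s, event):
    """Handle one event; return the resulting state, or None if no row matched.

    Passing the event as an argument models an event variable that is TRUE
    for this evaluation and FALSE again once the exit actions have run.
    """
    for condition, actions, exit_state in STATE_ROWS.get(s.state, []) + ANY_ROWS:
        if condition(s, event):
            for action in actions:   # each exit action completes, in order
                action(s)
            if exit_state is not None:
                s.state = exit_state
            return s.state
    return None


def run(state, events):
    """Feed a list of events to a fresh session and return it."""
    s = Session(state)
    for ev in events:
        step(s, ev)
    return s


if __name__ == "__main__":
    # Constructed scenario: a liveness test whose PNA never arrives.
    lost = run("OPEN", ["PANA_PING"] + ["RTX_TIMEOUT"] * 5)
    print(lost.state, lost.authorized, lost.trace)
```

   In the constructed scenario the session retransmits RTX_MAX_NUM
   times, then runs Disconnect() and ends in CLOSED, where the CLOSED
   catch-all row absorbs the late RTX_TIMEOUT instead of retransmitting
   again.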

   Throughout this document, the character string "PANA_MESSAGE_NAME"
   matches any one of the abbreviated PANA message names, i.e., "PCI",
   "PAR", "PAN", "PTR", "PTA", "PNR", "PNA".

5.1.  Common Procedures

   void None()

      A null procedure, i.e., nothing is done.

   void Disconnect()

      A procedure to delete the PANA session as well as the
      corresponding EAP session and authorization state.

   boolean Authorize()

      A procedure to create or modify authorization state.  It returns
      TRUE if authorization is successful.  Otherwise, it returns FALSE.
      It is assumed that the Authorize() procedure of the PaC state
      machine always returns TRUE.  In the case that a non-key-generating
      EAP method is used but a PANA SA is required after successful
      authentication (generate_pana_sa() returns TRUE), the Authorize()
      procedure must return FALSE.

   void Tx:PANA_MESSAGE_NAME[flag](AVPs)

      A procedure to send a PANA message to its peering PANA entity.
      The "flag" argument contains a flag (e.g., Tx:PAR[C]) to be set in
      the message, except for the 'R' (Request) flag.  The "AVPs"
      argument contains a list of names of optional AVPs to be inserted
      in the message, except for the AUTH AVP.

      This procedure includes the following action before actual
      transmission:

          if (flag==S)
            PANA_MESSAGE_NAME.S_flag=Set;
          if (flag==C)
            PANA_MESSAGE_NAME.C_flag=Set;
          if (flag==A)
            PANA_MESSAGE_NAME.A_flag=Set;
          if (flag==P)
            PANA_MESSAGE_NAME.P_flag=Set;
          PANA_MESSAGE_NAME.insert_avp(AVPs);
          if (key_available())
            PANA_MESSAGE_NAME.insert_avp("AUTH");

   void TxEAP()

      A procedure to send an EAP message to the EAP state machine it
      interfaces to.

   void RtxTimerStart()

      A procedure to start the retransmission timer, reset the
      RTX_COUNTER variable to zero and set an appropriate value for the
      RTX_MAX_NUM variable.

   void RtxTimerStop()

      A procedure to stop the retransmission timer.

   void SessionTimerReStart(TIMEOUT)

      A procedure to (re)start the PANA session timer.  TIMEOUT
      specifies the expiration time associated with the session timer.
      Expiration of TIMEOUT will trigger a SESS_TIMEOUT event.

   void SessionTimerStop()

      A procedure to stop the current PANA session timer.

   void Retransmit()

      A procedure to retransmit a PANA message and increment RTX_COUNTER
      by one (1).

   void EAP_Restart()

      A procedure to (re)start an EAP conversation resulting in the re-
      initialization of an existing EAP session.

   void PANA_MESSAGE_NAME.insert_avp("AVP_NAME1", "AVP_NAME2",...)

      A procedure to insert AVPs for each specified AVP name in the list
      of AVP names in the PANA message.  When an AVP name ends with "*",
      zero, one or more AVPs are inserted; otherwise one AVP is
      inserted.

   boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME")

      A procedure that checks whether an AVP of the specified AVP name
      exists in the specified PANA message and returns TRUE if the
      specified AVP is found, otherwise returns FALSE.

   boolean generate_pana_sa()

      A procedure to check whether the EAP method being used generates
      keys and that a PANA SA will be established on successful
      authentication.  For the PaC, the procedure is also used to check
      and match the PRF and Integrity algorithm AVPs advertised by the
      PAA in the PAR[S] message.  For the PAA, it is used to indicate
      whether PRF and Integrity algorithm AVPs will be sent in the
      PAR[S].  This procedure returns TRUE if a PANA SA will be
      generated.  Otherwise, it returns FALSE.

   boolean key_available()

      A procedure to check whether the PANA session has a PANA_AUTH_KEY.
      If the state machine already has a PANA_AUTH_KEY, it returns TRUE.
      If the state machine does not have a PANA_AUTH_KEY, it tries to
      retrieve a AAA-Key from the EAP entity.  If a AAA-Key is
      retrieved, it computes a PANA_AUTH_KEY from the AAA-Key and
      returns TRUE.
      Otherwise, it returns FALSE.

5.2.  Common Variables

   PAR.RESULT_CODE

      This variable contains the Result-Code AVP value in the PANA-Auth-
      Request message in process.  When this variable carries
      PANA_SUCCESS it is assumed that the PAR message always contains an
      EAP-Payload AVP which carries an EAP-Success message.

   NONCE_SENT

      This variable is set to TRUE to indicate that a Nonce-AVP has
      already been sent.  Otherwise it is set to FALSE.

   RTX_COUNTER

      This variable contains the current number of retransmissions of
      the outstanding PANA message.

   Rx:PANA_MESSAGE_NAME[flag]

      This event variable is set to TRUE when the specified PANA message
      is received from its peering PANA entity.  The "flag" contains a
      flag (e.g., Rx:PAR[C]), except for the 'R' (Request) flag.

   RTX_TIMEOUT

      This event variable is set to TRUE when the retransmission timer
      has expired.

   REAUTH

      This event variable is set to TRUE when an initiation of the re-
      authentication phase is triggered.

   TERMINATE

      This event variable is set to TRUE when initiation of PANA session
      termination is triggered.

   PANA_PING

      This event variable is set to TRUE when initiation of a liveness
      test based on the PANA-Notification exchange is triggered.

   SESS_TIMEOUT

      This event variable is set to TRUE when the session timer has
      expired.

   LIFETIME_SESS_TIMEOUT

      Configurable value used by the PaC and PAA to close or disconnect
      an established session in the access phase.  This variable
      indicates the expiration of the session and is set to the value of
      Session-Lifetime AVP if present in the last PANA-Auth-Request
      message in the case of the PaC.  Otherwise, it is assumed that the
      value is infinite and therefore has no expiration.  Expiration of
      LIFETIME_SESS_TIMEOUT will cause the event variable SESS_TIMEOUT
      to be set.

   ANY

      This event variable is set to TRUE when any event occurs.

5.3.  Constants

   RTX_MAX_NUM

      Configurable maximum for how many retransmissions should be
      attempted before aborting.

5.4.  Common Message Initialization Rules

   When a message is prepared for sending, it is initialized as follows:

   o  For a request message, the R-flag of the header is set.
      Otherwise, the R-flag is not set.

   o  Other message header flags are not set.  They are set explicitly
      by specific state machine actions.

   o  AVPs that are mandatory in a message are inserted with
      appropriate values set.

5.5.  Common Retransmission Rules

   The state machines defined in this document assume that the PaC and
   the PAA cache the last transmitted answer message.  This scheme is
   described in Sec 5.2 of [RFC5191].  When the PaC or PAA receives a
   re-transmitted or duplicate request, it would be able to re-send the
   corresponding answer without any aid from the EAP layer.  However, to
   simplify the state machine description, this caching scheme is
   omitted in the state machines below.  In the case that there is no
   corresponding answer to a re-transmitted request, the request will be
   handled by the corresponding state machine.

5.6.  Common State Transitions

   The following transitions can occur at any state with exceptions
   explicitly noted.

   ----------
   State: ANY
   ----------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (Re-transmissions)- - - - - - - - - -
   RTX_TIMEOUT &&           Retransmit();              (no change)
    RTX_COUNTER<
    RTX_MAX_NUM
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - (Reach maximum number of transmissions)- - - - - -
   (RTX_TIMEOUT &&          Disconnect();              CLOSED
    RTX_COUNTER>=
    RTX_MAX_NUM) ||
   SESS_TIMEOUT
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   -------------------------
   State: ANY except INITIAL
   -------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - (liveness test initiated by peer)- - - - - -
   Rx:PNR[P]                Tx:PNA[P]();               (no change)

   The following transitions can occur on any exit condition within the
   specified state.

   -------------
   State: CLOSED
   -------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - -(Catch all event on closed state) - - - - - - - -
   ANY                      None();                    CLOSED
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6.  PaC State Machine

6.1.  Interface between PaC and EAP Peer

   This interface defines the interactions between a PaC and an EAP
   peer.  The interface serves as a mechanism to deliver EAP messages
   for the EAP peer.  It allows the EAP peer to receive EAP requests and
   send EAP responses via the PaC.  It also provides a mechanism to
   notify the EAP peer of PaC events and a mechanism to receive
   notification of EAP peer events.  The EAP message delivery mechanism
   as well as the event notification mechanism in this interface have
   direct correlation with the PaC state transition table entries.
   These message delivery and event notification mechanisms occur only
   within the context of their associated states or exit actions.

6.1.1.  Delivering EAP Messages from PaC to EAP Peer

   The TxEAP() procedure in the PaC state machine serves as the
   mechanism to deliver EAP messages contained in PANA-Auth-Request
   messages to the EAP peer.  This procedure is enabled only after an
   EAP restart event is notified to the EAP peer and before any event
   resulting in a termination of the EAP peer session.  In the case
   where the EAP peer follows the EAP peer state machine defined in
   [RFC4137], the TxEAP() procedure sets the eapReq variable of the EAP
   peer state machine and puts the EAP request in the eapReqData
   variable of the EAP peer state machine.

6.1.2.  Delivering EAP Messages from EAP Peer to PaC

   An EAP message is delivered from the EAP peer to the PaC via the
   EAP_RESPONSE event variable.  The event variable is set when the EAP
   peer passes the EAP message to its lower layer.  In the case where
   the EAP peer follows the EAP peer state machine defined in [RFC4137],
   the EAP_RESPONSE event variable refers to the eapResp variable of the
   EAP peer state machine and the EAP message is contained in the
   eapRespData variable of the EAP peer state machine.

6.1.3.  EAP Restart Notification from PaC to EAP Peer

   The EAP peer state machine defined in [RFC4137] has an initialization
   procedure before receiving an EAP message.  To initialize the EAP
   state machine, the PaC state machine defines an event notification
   mechanism to send an EAP (re)start event to the EAP peer.  The event
   notification is done via the EAP_Restart() procedure in the
   initialization action of the PaC state machine.

6.1.4.  EAP Authentication Result Notification from EAP Peer to PaC

   In order for the EAP peer to notify the PaC of an EAP authentication
   result, EAP_SUCCESS and EAP_FAILURE event variables are defined.
   In the case where the EAP peer follows the EAP peer state machine
   defined in [RFC4137], EAP_SUCCESS and EAP_FAILURE event variables
   refer to eapSuccess and eapFail variables of the EAP peer state
   machine, respectively.  In this case, if the EAP_SUCCESS event
   variable is set to TRUE and a AAA-Key is generated by the EAP
   authentication method in use, the eapKeyAvailable variable is set to
   TRUE and the eapKeyData variable contains the AAA-Key.  Note that
   EAP_SUCCESS and EAP_FAILURE event variables may be set to TRUE even
   before the PaC receives a PAR with a 'Complete' flag set from the
   PAA.

6.1.5.  Alternate Failure Notification from PaC to EAP Peer

   The alt_reject() procedure in the PaC state machine serves as the
   mechanism to deliver an authentication failure event to the EAP peer
   without accompanying an EAP message.  In the case where the EAP peer
   follows the EAP peer state machine defined in [RFC4137], the
   alt_reject() procedure sets the altReject variable of the EAP peer
   state machine.  Note that the EAP peer state machine in [RFC4137]
   also defines the altAccept variable; however, it is never used in
   PANA, in which EAP-Success messages are reliably delivered by the
   last PANA-Auth exchange.

6.2.  Constants

   FAILED_SESS_TIMEOUT

      Configurable value that allows the PaC to determine whether a PaC
      authentication and authorization phase has stalled without an
      explicit EAP success or failure notification.

6.3.  Variables

   AUTH_USER

      This event variable is set to TRUE when initiation of EAP-based
      (re-)authentication is triggered by the application.

   EAP_SUCCESS

      This event variable is set to TRUE when the EAP peer determines
      that the EAP conversation completes with success.

   EAP_FAILURE

      This event variable is set to TRUE when the EAP peer determines
      that the EAP conversation completes with failure.

   EAP_RESPONSE

      This event variable is set to TRUE when the EAP peer delivers an
      EAP message to the PaC.  This event accompanies an EAP message
      received from the EAP peer.

   EAP_RESP_TIMEOUT

      This event variable is set to TRUE when the PaC that has passed an
      EAP message to the EAP-layer does not receive a subsequent EAP
      message from the EAP-layer in a given period.  This provides a
      time limit for certain EAP methods where user interaction may be
      required.

6.4.  Procedures

   boolean eap_piggyback()

      This procedure returns TRUE if the next EAP response will be
      carried in the pending PAN message for optimization.

   void alt_reject()

      This procedure informs the EAP peer of an authentication failure
      event without accompanying an EAP message.

   void EAP_RespTimerStart()

      A procedure to start a timer to receive an EAP-Response from the
      EAP peer.

   void EAP_RespTimerStop()

      A procedure to stop a timer to receive an EAP-Response from the
      EAP peer.

6.5.  PaC State Transition Table

   ------------------------------
   State: INITIAL (Initial State)
   ------------------------------

   Initialization Action:

     NONCE_SENT=Unset;
     RTX_COUNTER=0;
     RtxTimerStop();

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+-----------
   - - - - - - - - - - (PaC-initiated Handshake) - - - - - - - - -
   AUTH_USER                Tx:PCI[]();                INITIAL
                            RtxTimerStart();
                            SessionTimerReStart
                              (FAILED_SESS_TIMEOUT);
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   - - - - - - -(PAA-initiated Handshake, not optimized) - - - - -
   Rx:PAR[S] &&             EAP_Restart();             WAIT_PAA
   !PAR.exist_avp           SessionTimerReStart
      ("EAP-Payload")         (FAILED_SESS_TIMEOUT);
                            if (generate_pana_sa())
                                Tx:PAN[S]("PRF-Algorithm",
                                  "Integrity-Algorithm");
                            else
                                Tx:PAN[S]();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   - - - - - - - -(PAA-initiated Handshake, optimized) - - - - - -
   Rx:PAR[S] &&             EAP_Restart();             INITIAL
   PAR.exist_avp            TxEAP();
      ("EAP-Payload") &&    SessionTimerReStart
   eap_piggyback()            (FAILED_SESS_TIMEOUT);

   Rx:PAR[S] &&             EAP_Restart();             WAIT_EAP_MSG
   PAR.exist_avp            TxEAP();
      ("EAP-Payload") &&    SessionTimerReStart
   !eap_piggyback()           (FAILED_SESS_TIMEOUT);
                            if (generate_pana_sa())
                                Tx:PAN[S]("PRF-Algorithm",
                                  "Integrity-Algorithm");
                            else
                                Tx:PAN[S]();

   EAP_RESPONSE             if (generate_pana_sa())    WAIT_PAA
                                Tx:PAN[S]("EAP-Payload",
                                  "PRF-Algorithm",
                                  "Integrity-Algorithm");
                            else
                                Tx:PAN[S]("EAP-Payload");

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------
   State: WAIT_PAA
   ---------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - -
   Rx:PAR[] &&              RtxTimerStop();            WAIT_EAP_MSG
   !eap_piggyback()         TxEAP();
                            EAP_RespTimerStart();
                            if (NONCE_SENT==Unset) {
                              NONCE_SENT=Set;
                              Tx:PAN[]("Nonce");
                            }
                            else
                              Tx:PAN[]();

   Rx:PAR[] &&              RtxTimerStop();            WAIT_EAP_MSG
   eap_piggyback()          TxEAP();
                            EAP_RespTimerStart();

   Rx:PAN[]                 RtxTimerStop();            WAIT_PAA

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - - - - -(PANA result) - - - - - - - - - -
   Rx:PAR[C] &&             TxEAP();                   WAIT_EAP_RESULT
   PAR.RESULT_CODE==
     PANA_SUCCESS

   Rx:PAR[C] &&             if (PAR.exist_avp          WAIT_EAP_RESULT_
   PAR.RESULT_CODE!=           ("EAP-Payload"))        CLOSE
     PANA_SUCCESS             TxEAP();
                            else
                              alt_reject();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   -------------------
   State: WAIT_EAP_MSG
   -------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - (Return PAN/PAR from EAP) - - - - - - - - -
   EAP_RESPONSE &&          EAP_RespTimerStop();       WAIT_PAA
   eap_piggyback()          if (NONCE_SENT==Unset) {
                              Tx:PAN[]("EAP-Payload",
                                       "Nonce");
                              NONCE_SENT=Set;
                            }
                            else
                              Tx:PAN[]("EAP-Payload");

   EAP_RESPONSE &&          EAP_RespTimerStop();       WAIT_PAA
   !eap_piggyback()         Tx:PAR[]("EAP-Payload");
                            RtxTimerStart();

   EAP_RESP_TIMEOUT &&      Tx:PAN[]();                WAIT_PAA
   eap_piggyback()

   EAP_FAILURE              SessionTimerStop();        CLOSED
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------------
   State: WAIT_EAP_RESULT
   ----------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - -
   EAP_SUCCESS              if (PAR.exist_avp          OPEN
                               ("Key-Id"))
                              Tx:PAN[C]("Key-Id");
                            else
                              Tx:PAN[C]();
                            Authorize();
                            SessionTimerReStart
                              (LIFETIME_SESS_TIMEOUT);

   EAP_FAILURE              Tx:PAN[C]();               CLOSED
                            SessionTimerStop();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------------------
   State: WAIT_EAP_RESULT_CLOSE
   ----------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - -
   EAP_SUCCESS ||           if (EAP_SUCCESS &&         CLOSED
   EAP_FAILURE                PAR.exist_avp("Key-Id"))
                              Tx:PAN[C]("Key-Id");
                            else
                              Tx:PAN[C]();
                            SessionTimerStop();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   -----------
   State: OPEN
   -----------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - (liveness test initiated by PaC)- - - - - -
   PANA_PING                Tx:PNR[P]();               WAIT_PNA
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - (re-authentication initiated by PaC)- - - - - -
   REAUTH                   NONCE_SENT=Unset;          WAIT_PNA
                            Tx:PNR[A]();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - (re-authentication initiated by PAA)- - - - - -
   Rx:PAR[]                 EAP_RespTimerStart();      WAIT_EAP_MSG
                            TxEAP();
                            if (!eap_piggyback())
                              Tx:PAN[]("Nonce");
                            else
                              NONCE_SENT=Unset;
                            SessionTimerReStart
                              (FAILED_SESS_TIMEOUT);
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - -(Session termination initiated by PAA) - - - - - -
   Rx:PTR[]                 Tx:PTA[]();                CLOSED
                            SessionTimerStop();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - -(Session termination initiated by PaC) - - - - - -
   TERMINATE                Tx:PTR[]();                SESS_TERM
                            RtxTimerStart();
                            SessionTimerStop();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------
   State: WAIT_PNA
   ---------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - -(re-authentication initiated by PaC) - - - - -
   Rx:PNA[A]                RtxTimerStop();            WAIT_PAA
                            SessionTimerReStart
                              (FAILED_SESS_TIMEOUT);
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - -(liveness test initiated by PaC) - - - - - - -
   Rx:PNA[P]                RtxTimerStop();            OPEN
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------
   State: SESS_TERM
   ----------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - -(Session termination initiated by PaC) - - - - -
   Rx:PTA[]                 Disconnect();              CLOSED
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7.  PAA State Machine

7.1.  Interface between PAA and EAP Authenticator

   The interface between a PAA and an EAP authenticator provides a
   mechanism to deliver EAP messages for the EAP authenticator as well
   as a mechanism to notify the EAP authenticator of PAA events and to
   receive notification of EAP authenticator events.  These message
   delivery and event notification mechanisms occur only within the
   context of their associated states or exit actions.

7.1.1.  EAP Restart Notification from PAA to EAP Authenticator

   An EAP authenticator state machine defined in [RFC4137] has an
   initialization procedure before sending the first EAP request.  To
   initialize the EAP state machine, the PAA state machine defines an
   event notification mechanism to send an EAP (re)start event to the
   EAP peer.  The event notification is done via the EAP_Restart()
   procedure in the initialization action of the PAA state machine.

7.1.2.
Delivering EAP Responses from PAA to EAP Authenticator 886 TxEAP() procedure in the PAA state machine serves as the mechanism to 887 deliver EAP-Responses contained in PANA-Auth-Answer messages to the 888 EAP authenticator. This procedure is enabled only after an EAP 889 restart event is notified to the EAP authenticator and before any 890 event resulting in a termination of the EAP authenticator session. 891 In the case where the EAP authenticator follows the EAP authenticator 892 state machines defined in [RFC4137], TxEAP() procedure sets eapResp 893 variable of the EAP authenticator state machine and puts the EAP 894 response in eapRespData variable of the EAP authenticator state 895 machine. 897 7.1.3. Delivering EAP Messages from EAP Authenticator to PAA 899 An EAP request is delivered from the EAP authenticator to the PAA via 900 EAP_REQUEST event variable. The event variable is set when the EAP 901 authenticator passes the EAP request to its lower-layer. In the case 902 where the EAP authenticator follows the EAP authenticator state 903 machines defined in [RFC4137], EAP_REQUEST event variable refers to 904 eapReq variable of the EAP authenticator state machine and the EAP 905 request is contained in eapReqData variable of the EAP authenticator 906 state machine. 908 7.1.4. EAP Authentication Result Notification from EAP Authenticator to 909 PAA 911 In order for the EAP authenticator to notify the PAA of the EAP 912 authentication result, EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event 913 variables are defined. In the case where the EAP authenticator 914 follows the EAP authenticator state machines defined in [RFC4137], 915 EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables refer to 916 eapSuccess, eapFail and eapTimeout variables of the EAP authenticator 917 state machine, respectively. 
         In this case, if EAP_SUCCESS event
918      variable is set to TRUE, an EAP-Success message is contained in
919      eapReqData variable of the EAP authenticator state machine, and
920      additionally, eapKeyAvailable variable is set to TRUE and eapKeyData
921      variable contains a AAA-Key if the AAA-Key is generated as a result
922      of successful authentication by the EAP authentication method in use.
923      Similarly, if EAP_FAILURE event variable is set to TRUE, an
924      EAP-Failure message is contained in eapReqData variable of the EAP
925      authenticator state machine. The PAA uses EAP_SUCCESS, EAP_FAILURE
926      and EAP_TIMEOUT event variables as a trigger to send a PAR message to
927      the PaC.

929   7.2.  Variables

931      OPTIMIZED_INIT

933         This variable indicates whether the PAA is able to piggyback an
934         EAP-Request in the initial PANA-Auth-Request. Otherwise it is set
935         to FALSE.

937      PAC_FOUND

939         This variable is set to TRUE as a result of a PAA initiated
940         handshake.

942      REAUTH_TIMEOUT

944         This event variable is set to TRUE to indicate that the PAA
945         initiates a re-authentication with the PaC. The re-authentication
946         timeout should be set to a value less than the session timeout
947         carried in the Session-Lifetime AVP if present.

949      EAP_SUCCESS

951         This event variable is set to TRUE when EAP conversation completes
952         with success. This event accompanies an EAP-Success message
953         passed from the EAP authenticator.

955      EAP_FAILURE

957         This event variable is set to TRUE when EAP conversation completes
958         with failure. This event accompanies an EAP-Failure message
959         passed from the EAP authenticator.

961      EAP_REQUEST

963         This event variable is set to TRUE when the EAP authenticator
964         delivers an EAP Request to the PAA. This event accompanies an
965         EAP-Request message received from the EAP authenticator.

967      EAP_TIMEOUT

969         This event variable is set to TRUE when EAP conversation times out
970         without generating an EAP-Success or an EAP-Failure message.
            This
971         event does not accompany any EAP message.

973   7.3.  Procedures

975      boolean new_key_available()

977         A procedure to check whether the PANA session has a new
978         PANA_AUTH_KEY. If the state machine already has a PANA_AUTH_KEY,
979         it returns FALSE. If the state machine does not have a
980         PANA_AUTH_KEY, it tries to retrieve a AAA-Key from the EAP entity.
981         If a AAA-Key has been retrieved, it computes a PANA_AUTH_KEY from
982         the AAA-Key and returns TRUE. Otherwise, it returns FALSE.

984   7.4.  PAA State Transition Table

986      ------------------------------
987      State: INITIAL (Initial State)
988      ------------------------------

990      Initialization Action:

992        OPTIMIZED_INIT=Set|Unset;
993        NONCE_SENT=Unset;
994        RTX_COUNTER=0;
995        RtxTimerStop();

997      Exit Condition           Exit Action                Exit State
998      ------------------------+--------------------------+------------
999      - - - - - - - - (PCI and PAA initiated PANA) - - - - - - - - -
1000     (Rx:PCI[] ||             if (OPTIMIZED_INIT ==      INITIAL
1001      PAC_FOUND)                  Set) {
1002                                EAP_Restart();
1003                                SessionTimerReStart
1004                                 (FAILED_SESS_TIMEOUT);
1005                              }
1006                              else {
1007                                if (generate_pana_sa())
1008                                  Tx:PAR[S]("PRF-Algorithm",
1009                                            "Integrity-Algorithm");
1010                                else
1011                                  Tx:PAR[S]();
1012                              }

1014     EAP_REQUEST              if (generate_pana_sa())    INITIAL
1015                                Tx:PAR[S]("EAP-Payload",
1016                                          "PRF-Algorithm",
1017                                          "Integrity-Algorithm");
1018                              else
1019                                Tx:PAR[S]("EAP-Payload");
1020                              RtxTimerStart();
1021     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1023     - - - - - - - - - - - - - - (PAN Handling) - - - - - - - - - -
1024     Rx:PAN[S] &&             if (PAN.exist_avp          WAIT_EAP_MSG
1025     ((OPTIMIZED_INIT ==         ("EAP-Payload"))
1026       Unset) ||                TxEAP();
1027     PAN.exist_avp            else {
1028       ("EAP-Payload"))         EAP_Restart();
1029                                SessionTimerReStart
1030                                 (FAILED_SESS_TIMEOUT);
1031                              }

1033     Rx:PAN[S] &&             None();                    WAIT_PAN_OR_PAR
1034     (OPTIMIZED_INIT ==
1035       Set) &&
1036     ! PAN.exist_avp
1037       ("EAP-Payload")

1039     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1041     -------------------
1042     State: WAIT_EAP_MSG
1043     -------------------

1045     Exit Condition           Exit Action                Exit State
1046     ------------------------+--------------------------+------------
1047     - - - - - - - - - - - -(Receiving EAP-Request)- - - - - - - - -
1048     EAP_REQUEST              if (NONCE_SENT==Unset) {   WAIT_PAN_OR_PAR
1049                                Tx:PAR[]("Nonce",
1050                                         "EAP-Payload");
1051                                NONCE_SENT=Set;
1052                              }
1053                              else
1054                                Tx:PAR[]("EAP-Payload");
1055                              RtxTimerStart();
1056     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1057     - - - - - - - - - - -(Receiving EAP-Success/Failure) - - - - -
1058     EAP_FAILURE              PAR.RESULT_CODE =          WAIT_FAIL_PAN
1059                                PANA_AUTHENTICATION_
1060                                  REJECTED;
1061                              Tx:PAR[C]("EAP-Payload");
1062                              RtxTimerStart();
1063                              SessionTimerStop();

1065     EAP_SUCCESS &&           PAR.RESULT_CODE =          WAIT_SUCC_PAN
1066     Authorize()                PANA_SUCCESS;
1067                              if (new_key_available())
1068                                Tx:PAR[C]("EAP-Payload",
1069                                          "Key-Id");
1070                              else
1071                                Tx:PAR[C]("EAP-Payload");
1072                              RtxTimerStart();

1074     EAP_SUCCESS &&           PAR.RESULT_CODE =          WAIT_FAIL_PAN
1075     !Authorize()               PANA_AUTHORIZATION_
1076                                  REJECTED;
1077                              if (new_key_available())
1078                                Tx:PAR[C]("EAP-Payload",
1079                                          "Key-Id");
1080                              else
1081                                Tx:PAR[C]("EAP-Payload");
1082                              RtxTimerStart();
1083     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1084     - - - - - (Receiving EAP-Timeout or invalid message) - - - - -
1085     EAP_TIMEOUT              SessionTimerStop();        CLOSED
1086                              Disconnect();
1087     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1089     --------------------
1090     State: WAIT_SUCC_PAN
1091     --------------------

1093     Event/Condition          Action                     Exit State
1094     ------------------------+--------------------------+------------
1095     - - - - - - - - - - - - - (PAN Processing)- - - - - - - - - - -
1096     Rx:PAN[C]                RtxTimerStop();            OPEN
1097                              SessionTimerReStart
1098                                (LIFETIME_SESS_TIMEOUT);
1099     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1101     --------------------
1102     State: WAIT_FAIL_PAN
1103     --------------------
1104     Exit Condition           Exit Action                Exit State
1105     ------------------------+--------------------------+------------
1106     - - - - - - - - - - - - - - (PAN Processing)- - - - - - - - - -
1107     Rx:PAN[C]                RtxTimerStop();            CLOSED
1108                              Disconnect();
1109     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1111     -----------
1112     State: OPEN
1113     -----------

1115     Event/Condition          Action                     Exit State
1116     ------------------------+--------------------------+------------
1117     - - - - - - - - (re-authentication initiated by PaC) - - - - - -
1118     Rx:PNR[A]                NONCE_SENT=Unset;          WAIT_EAP_MSG
1119                              EAP_Restart();
1120                              Tx:PNA[A]();
1121     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1122     - - - - - - - - (re-authentication initiated by PAA)- - - - - -
1123     REAUTH ||                NONCE_SENT=Unset;          WAIT_EAP_MSG
1124     REAUTH_TIMEOUT           EAP_Restart();

1126     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1127     - - (liveness test based on PNR-PNA exchange initiated by PAA)-
1128     PANA_PING                Tx:PNR[P]();               WAIT_PNA_PING
1129                              RtxTimerStart();
1130     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1131     - - - - - - - - (Session termination initiated from PAA) - - - -
1132     TERMINATE                Tx:PTR[]();                SESS_TERM
1133                              SessionTimerStop();
1134                              RtxTimerStart();
1135     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1136     - - - - - - - - (Session termination initiated from PaC) - - - -
1137     Rx:PTR[]                 Tx:PTA[]();                CLOSED
1138                              SessionTimerStop();
1139                              Disconnect();
1140     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1142     --------------------
1143     State: WAIT_PNA_PING
1144     --------------------

1146     Exit Condition           Exit Action                Exit State
1147     ------------------------+--------------------------+------------
1148     - - - - - - - - - - - - - -(PNA processing) - - - - - - - - - -
1149     Rx:PNA[P]                RtxTimerStop();            OPEN
1150     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1151     ----------------------
1152     State: WAIT_PAN_OR_PAR
1153     ----------------------

1155     Exit Condition           Exit Action                Exit State
1156     ------------------------+--------------------------+------------
1157     - - - - - - - - - - - - - (PAR Processing)- - - - - - - - - - -
1158     Rx:PAR[]                 TxEAP();                   WAIT_EAP_MSG
1159                              RtxTimerStop();
1160                              Tx:PAN[]();
1161     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1162     - - - - - - (Pass EAP Response to the EAP authenticator)- - - -
1163     Rx:PAN[] &&              TxEAP();                   WAIT_EAP_MSG
1164     PAN.exist_avp            RtxTimerStop();
1165       ("EAP-Payload")
1166     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1167     - - - - - - - - - - (PAN without an EAP response) - - - - - - -
1168     Rx:PAN[] &&              RtxTimerStop();            WAIT_PAN_OR_PAR
1169     !PAN.exist_avp
1170       ("EAP-Payload")
1171     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1172     - - - - - - - - - - - -(EAP retransmission) - - - - - - - - - -
1173     EAP_REQUEST              RtxTimerStop();            WAIT_PAN_OR_PAR
1174                              Tx:PAR[]("EAP-Payload");
1175                              RtxTimerStart();
1176     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1177     - - - - - - - (EAP authentication timeout or failure)- - - - -
1178     EAP_FAILURE ||           RtxTimerStop();            CLOSED
1179     EAP_TIMEOUT              SessionTimerStop();
1180                              Disconnect();
1181     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1183     ----------------
1184     State: SESS_TERM
1185     ----------------

1187     Exit Condition           Exit Action                Exit State
1188     ------------------------+--------------------------+------------
1189     - - - - - - - - - - - - - -(PTA processing) - - - - - - - - - -
1190     Rx:PTA[]                 RtxTimerStop();            CLOSED
1191                              Disconnect();
1192     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1194  8.  Implementation Considerations

1196  8.1.  PAA and PaC Interface to Service Management Entity

1198     In general, it is assumed in each device that has a PANA protocol
1199     stack that there is a Service Management Entity (SME) that manages
1200     the PANA protocol stack.
         It is recommended that a generic interface
1201     (i.e., the SME-PANA interface) between the SME and the PANA protocol
1202     stack be provided by the implementation. Especially, common
1203     procedures such as startup, shutdown, re-authenticate signals and
1204     provisions for extracting keying material should be provided by such
1205     an interface. The SME-PANA interface in a PAA device should also
1206     provide a method for communicating filtering parameters to the EP(s).
1207     When cryptographic filtering is used, the filtering parameters
1208     include keying material used for bootstrapping per-packet ciphering.
1209     When a PAA device interacts with the backend authentication server
1210     using a AAA protocol, its SME may also have an interface to the AAA
1211     protocol to obtain authorization parameters such as the authorization
1212     lifetime and additional filtering parameters.

1214  9.  Security Considerations

1216     This document's intent is to describe the PANA state machines fully.
1217     To this end, any security concerns with this document are likely a
1218     reflection of security concerns with PANA itself.

1220  10.  IANA Considerations

1222     This document has no actions for IANA.

1224  11.  Acknowledgments

1226     This work was started from state machines originally made by Dan
1227     Forsberg.

1229  12.  References

1231  12.1.  Normative References

1233     [RFC5191]  Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., and A.
1234                Yegin, "Protocol for Carrying Authentication for Network
1235                Access (PANA)", RFC 5191, May 2008.

1237  12.2.  Informative References

1239     [RFC4137]  Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba,
1240                "State Machines for Extensible Authentication Protocol
1241                (EAP) Peer and Authenticator", RFC 4137, August 2005.

1243  Authors' Addresses

1245     Victor Fajardo (editor)
1246     Toshiba America Research, Inc.
1247     1 Telcordia Drive
1248     Piscataway, NJ 08854
1249     USA

1251     Phone: +1 732 699 5368
1252     Email: vfajardo@tari.toshiba.com

1254     Yoshihiro Ohba
1255     Toshiba America Research, Inc.
1256     1 Telcordia Drive
1257     Piscataway, NJ 08854
1258     USA

1260     Phone: +1 732 699 5305
1261     Email: yohba@tari.toshiba.com

1263     Rafa Marin Lopez
1264     University of Murcia
1265     30071 Murcia
1266     Spain

1268     Email: rafa@dif.um.es

1270  Full Copyright Statement

1272     Copyright (C) The IETF Trust (2008).

1274     This document is subject to the rights, licenses and restrictions
1275     contained in BCP 78, and except as set forth therein, the authors
1276     retain all their rights.

1278     This document and the information contained herein are provided on an
1279     "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1280     OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
1281     THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
1282     OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
1283     THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1284     WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1286  Intellectual Property

1288     The IETF takes no position regarding the validity or scope of any
1289     Intellectual Property Rights or other rights that might be claimed to
1290     pertain to the implementation or use of the technology described in
1291     this document or the extent to which any license under such rights
1292     might or might not be available; nor does it represent that it has
1293     made any independent effort to identify any such rights. Information
1294     on the procedures with respect to rights in RFC documents can be
1295     found in BCP 78 and BCP 79.

1297     Copies of IPR disclosures made to the IETF Secretariat and any
1298     assurances of licenses to be made available, or the result of an
1299     attempt made to obtain a general license or permission for the use of
1300     such proprietary rights by implementers or users of this
1301     specification can be obtained from the IETF on-line IPR repository at
1302     http://www.ietf.org/ipr.

1304     The IETF invites any interested party to bring to its attention any
1305     copyrights, patents or patent applications, or other proprietary
1306     rights that may cover technology that may be required to implement
1307     this standard. Please address the information to the IETF at
1308     ietf-ipr@ietf.org.
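
The PAA rows of Section 7.4 written as a lookup table, with a reachability check that reports which rows every path from INITIAL to OPEN has to cross. This is an added example, not code from the draft: the event labels with guards folded in (such as "EAP_SUCCESS/authorized" for EAP_SUCCESS && Authorize()), the function names, and the rule that an event with no row in the current state leaves the state unchanged are assumptions of the sketch.

```python
from collections import deque

def paa_table(optimized_init):
    """Section 7.4 rows as (state, event) -> exit state; exit actions omitted.
    Guards are folded into the event label (an assumption of this sketch)."""
    return {
        ("INITIAL", "Rx:PCI"): "INITIAL",
        ("INITIAL", "PAC_FOUND"): "INITIAL",
        ("INITIAL", "EAP_REQUEST"): "INITIAL",
        ("INITIAL", "Rx:PAN[S]/eap"): "WAIT_EAP_MSG",
        # PAN[S] without EAP-Payload: exit state depends on OPTIMIZED_INIT.
        ("INITIAL", "Rx:PAN[S]/no-eap"):
            "WAIT_PAN_OR_PAR" if optimized_init else "WAIT_EAP_MSG",
        ("WAIT_EAP_MSG", "EAP_REQUEST"): "WAIT_PAN_OR_PAR",
        ("WAIT_EAP_MSG", "EAP_FAILURE"): "WAIT_FAIL_PAN",
        # "/authorized" means Authorize() returned true, "/unauthorized" false.
        ("WAIT_EAP_MSG", "EAP_SUCCESS/authorized"): "WAIT_SUCC_PAN",
        ("WAIT_EAP_MSG", "EAP_SUCCESS/unauthorized"): "WAIT_FAIL_PAN",
        ("WAIT_EAP_MSG", "EAP_TIMEOUT"): "CLOSED",
        ("WAIT_SUCC_PAN", "Rx:PAN[C]"): "OPEN",
        ("WAIT_FAIL_PAN", "Rx:PAN[C]"): "CLOSED",
        ("WAIT_PAN_OR_PAR", "Rx:PAR"): "WAIT_EAP_MSG",
        ("WAIT_PAN_OR_PAR", "Rx:PAN/eap"): "WAIT_EAP_MSG",
        ("WAIT_PAN_OR_PAR", "Rx:PAN/no-eap"): "WAIT_PAN_OR_PAR",
        ("WAIT_PAN_OR_PAR", "EAP_REQUEST"): "WAIT_PAN_OR_PAR",
        ("WAIT_PAN_OR_PAR", "EAP_FAILURE"): "CLOSED",
        ("WAIT_PAN_OR_PAR", "EAP_TIMEOUT"): "CLOSED",
        ("OPEN", "Rx:PNR[A]"): "WAIT_EAP_MSG",
        ("OPEN", "REAUTH"): "WAIT_EAP_MSG",
        ("OPEN", "REAUTH_TIMEOUT"): "WAIT_EAP_MSG",
        ("OPEN", "PANA_PING"): "WAIT_PNA_PING",
        ("OPEN", "TERMINATE"): "SESS_TERM",
        ("OPEN", "Rx:PTR"): "CLOSED",
        ("WAIT_PNA_PING", "Rx:PNA[P]"): "OPEN",
        ("SESS_TERM", "Rx:PTA"): "CLOSED",
    }

def run(table, events, state="INITIAL"):
    """Feed events in order; an event with no row leaves the state unchanged."""
    for ev in events:
        state = table.get((state, ev), state)
    return state

def reachable(table, start="INITIAL", banned=frozenset()):
    """States reachable from start once the rows in `banned` are removed."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for (src, ev), dst in table.items():
            if src == cur and (src, ev) not in banned and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def gates_for(table, target="OPEN"):
    """Rows whose removal alone makes `target` unreachable from INITIAL."""
    return sorted(row for row in table
                  if target not in reachable(table, banned={row}))

if __name__ == "__main__":
    for opt in (False, True):
        print("OPTIMIZED_INIT set:", opt, gates_for(paa_table(opt)))
```

For either value of OPTIMIZED_INIT the only such rows are EAP_SUCCESS with Authorize() true in WAIT_EAP_MSG and Rx:PAN[C] in WAIT_SUCC_PAN, which is the property an implementation's conformance tests should pin down.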