idnits 2.17.1

draft-ietf-pana-statemachine-11.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** The document seems to lack a License Notice according IETF Trust
     Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009
     Section 6.b -- however, there's a paragraph with a matching beginning.
     Boilerplate error?

     (You're using the IETF Trust Provisions' Section 6.b License Notice from
     12 Feb 2009 rather than one of the newer Notices.  See
     https://trustee.ietf.org/license-info/.)

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (April 20, 2009) is 5485 days in the past.  Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Missing Reference: 'C' is mentioned on line 1168, but not defined

  == Missing Reference: 'S' is mentioned on line 1094, but not defined

  == Missing Reference: 'P' is mentioned on line 1210, but not defined

  == Missing Reference: 'A' is mentioned on line 1213, but not defined

     Summary: 1 error (**), 0 flaws (~~), 5 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

PANA Working Group                                       V. Fajardo, Ed.
Internet-Draft                                                   Y. Ohba
Intended status: Informational                                      TARI
Expires: October 22, 2009                                       R. Lopez
                                                         Univ. of Murcia
                                                          April 20, 2009

  State Machines for Protocol for Carrying Authentication for Network
                             Access (PANA)
                    draft-ietf-pana-statemachine-11

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on October 22, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   This document defines the conceptual state machines for the Protocol
   for Carrying Authentication for Network Access (PANA).  The state
   machines consist of the PANA Client (PaC) state machine and the PANA
   Authentication Agent (PAA) state machine.  The two state machines
   show how PANA can interface with the EAP state machines.  The state
   machines and associated model are informative only.  Implementations
   may achieve the same results using different methods.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Interface Between PANA and EAP
   4.  Document Authority
   5.  Notations
   6.  Common Rules
     6.1.  Common Procedures
     6.2.  Common Variables
     6.3.  Configurable Values
     6.4.  Common Message Initialization Rules
     6.5.  Common Retransmission Rules
     6.6.  Common State Transitions
   7.  PaC State Machine
     7.1.  Interface between PaC and EAP Peer
       7.1.1.  Delivering EAP Messages from PaC to EAP Peer
       7.1.2.  Delivering EAP Messages from EAP Peer to PaC
       7.1.3.  EAP Restart Notification from PaC to EAP Peer
       7.1.4.  EAP Authentication Result Notification from EAP
               Peer to PaC
       7.1.5.  Alternate Failure Notification from PaC to EAP Peer
     7.2.  Configurable Values
     7.3.  Variables
     7.4.  Procedures
     7.5.  PaC State Transition Table
   8.  PAA State Machine
     8.1.  Interface between PAA and EAP Authenticator
       8.1.1.  EAP Restart Notification from PAA to EAP
               Authenticator
       8.1.2.  Delivering EAP Responses from PAA to EAP
               Authenticator
       8.1.3.  Delivering EAP Messages from EAP Authenticator to
               PAA
       8.1.4.  EAP Authentication Result Notification from EAP
               Authenticator to PAA
     8.2.  Variables
     8.3.  Procedures
     8.4.  PAA State Transition Table
   9.  Implementation Considerations
     9.1.  PAA and PaC Interface to Service Management Entity
   10. Security Considerations
   11. IANA Considerations
   12. Acknowledgments
   13. References
     13.1.  Normative References
     13.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document defines the state machines for the Protocol for
   Carrying Authentication for Network Access (PANA) [RFC5191].  There
   are state machines for the PANA client (PaC) and for the PANA
   Authentication Agent (PAA).  Each state machine is specified through
   a set of variables, procedures and a state transition table.  The
   state machines and associated models described in this document are
   informative only.  Implementations may achieve similar results using
   different models and/or methods.

   A PANA protocol execution consists of several exchanges to carry
   authentication information.  Specifically, EAP PDUs are transported
   inside PANA PDUs between PaC and PAA; that is, PANA represents a
   lower layer for the EAP protocol.  Thus, a PANA state machine bases
   its execution on an EAP state machine execution and vice versa.  This
   document therefore also shows, for each of the PaC and the PAA, an
   interface between an EAP state machine and a PANA state machine and
   how this interface allows information to be exchanged between them.
   Through this interface, a PANA state machine can be informed of
   events generated in an EAP state machine and make its own execution
   conditional on those events.

   The details of EAP state machines are out of the scope of this
   document.  Additional information can be found in [RFC4137].
   Nevertheless, the PANA state machines presented here have been
   coordinated with the state machines shown in [RFC4137].

   This document, apart from defining PaC and PAA state machines and
   their interfaces to EAP state machines (running on top of PANA),
   provides some implementation considerations, taking into account that
   it is not a specification but an implementation guideline.

2.  Terminology

   This document reuses the terminology used in [RFC5191].

3.  Interface Between PANA and EAP

   PANA carries EAP messages exchanged between an EAP peer and an EAP
   authenticator (see Figure 1).  Thus a PANA state machine interacts
   with an EAP state machine.

   Two state machines are defined in this document: the PaC state
   machine (see Section 7) and the PAA state machine (see Section 8).
   The definition of each state machine consists of a set of variables,
   procedures and a state transition table.  A subset of these variables
   and procedures defines the interface between a PANA state machine and
   an EAP state machine, and the state transition table defines the PANA
   state machine behavior based on results obtained through them.

   On the one hand, the PaC state machine interacts with an EAP peer
   state machine in order to carry out the PANA protocol on the PaC
   side.  On the other hand, the PAA state machine interacts with an EAP
   authenticator state machine to run the PANA protocol on the PAA side.

                Peer             |EAP             Auth
                EAP    <---------|------------>   EAP
                ^ |              |                ^ |
                | |              | EAP-Message    | | EAP-Message
    EAP-Message | |EAP-Message   |                | |
                | v              |PANA            | v
                PaC    <---------|------------>   PAA

               Figure 1: Interface between PANA and EAP

   Thus two interfaces are needed between PANA state machines and EAP
   state machines, namely:

   o  Interface between the PaC state machine and the EAP peer state
      machine

   o  Interface between the PAA state machine and the EAP authenticator
      state machine

   In general, the PaC and PAA state machines present EAP messages to
   the EAP peer and authenticator state machines, respectively, through
   the interface.  The EAP peer and authenticator state machines process
   these messages and send EAP messages through the PaC and PAA state
   machines, respectively, which are responsible for actually
   transmitting them.

   For example, [RFC4137] specifies four interfaces to lower layers: (i)
   an interface between the EAP peer state machine and a lower layer,
   (ii) an interface between the EAP standalone authenticator state
   machine and a lower layer, (iii) an interface between the EAP full
   authenticator state machine and a lower layer and (iv) an interface
   between the EAP backend authenticator state machine and a lower
   layer.  In this document, the PANA protocol is the lower layer of EAP
   and only the first three interfaces are of interest to PANA.  The
   second and third interfaces are the same.  In this regard, the EAP
   standalone authenticator or the EAP full authenticator and its state
   machine in [RFC4137] are referred to as the EAP authenticator and the
   EAP authenticator state machine, respectively, in this document.  If
   an EAP peer and an EAP authenticator follow the state machines
   defined in [RFC4137], the interfaces between PANA and EAP could be
   based on that document.  Detailed definitions of the interfaces
   between PANA and EAP are given in the subsequent sections.

4.  Document Authority

   This document is intended to comply with the technical contents of
   any of the related documents ([RFC5191] and [RFC4137]).  When there
   is a discrepancy, the related documents are considered authoritative
   and they take precedence over this document.

5.  Notations

   The following state transition tables are completed mostly based on
   the conventions specified in [RFC4137].  The complete text is
   described below.

   State transition tables are used to represent the operation of the
   protocol by a number of cooperating state machines each comprising a
   group of connected, mutually exclusive states.  Only one state of
   each machine can be active at any given time.

   All permissible transitions from a given state to other states and
   associated actions performed when the transitions occur are
   represented by using triplets of (exit condition, exit action, exit
   state).  All conditions are expressions that evaluate to TRUE or
   FALSE; if a condition evaluates to TRUE, then the condition is met.
   A state "ANY" is a wildcard state that matches any state in each
   state machine except those explicitly enumerated as exception states.
   The exit conditions of a wildcard state are evaluated after all other
   exit conditions specific to the current state are met.

   On exit from a state, the exit actions defined for the state and the
   exit condition are executed exactly once, in the order that they
   appear.  (Note that the procedures defined in [RFC4137] are executed
   on entry to a state, which is one major difference from this
   document.)  Each exit action is deemed to be atomic; i.e., execution
   of an exit action completes before the next sequential exit action
   starts to execute.  No exit action executes outside of a state block.
   The exit actions in only one state block execute at a time even if
   the conditions for execution of state blocks in different state
   machines are satisfied.  All exit actions in an executing state block
   complete execution before the transition to and execution of any
   other state blocks.  The execution of any state block appears to be
   atomic with respect to the execution of any other state block and the
   transition condition to that state from the previous state is TRUE
   when execution commences.  The order of execution of state blocks in
   different state machines is undefined except as constrained by their
   transition conditions.  A variable that is set to a particular value
   in a state block retains this value until a subsequent state block
   executes an exit action that modifies the value.
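
   The evaluation order that Section 5 specifies, as an added example in
   C that is not part of the draft: rows for the current state are tried
   before the ANY wildcard rows, a wildcard row is skipped in its
   exception state, and the one matching row runs its exit action once.
   The row data is taken from the common transitions of Section 6.6; the
   names sm_t, row_t and sm_step, the demo counters, the reduced state
   list, and dropping an event that matches no row are assumptions of
   this example.

```c
/* Added example, not part of the draft: Section 5 evaluation order applied
 * to the common rows of Section 6.6. All identifiers are illustrative. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { ST_INITIAL, ST_WAIT_PAA, ST_OPEN, ST_CLOSED,
               ST_ANY, ST_NONE, ST_NO_CHANGE } state_t;

typedef struct {
    state_t state;
    bool rtx_timeout, sess_timeout, rx_pnr_p;     /* event variables */
    unsigned rtx_counter, rtx_max_num;
    unsigned retransmits, pna_sent, disconnects;  /* counters for the demo only */
} sm_t;

typedef struct {
    state_t state;                /* a specific state, or ST_ANY for a wildcard row */
    state_t except;               /* exception state of a wildcard row, or ST_NONE */
    bool (*cond)(const sm_t *);   /* exit condition */
    void (*action)(sm_t *);       /* exit action */
    state_t next;                 /* exit state, or ST_NO_CHANGE */
} row_t;

static bool any_event(const sm_t *s) { return s->rtx_timeout || s->sess_timeout || s->rx_pnr_p; }
static bool rtx_again(const sm_t *s) { return s->rtx_timeout && s->rtx_counter < s->rtx_max_num; }
static bool give_up(const sm_t *s)
{
    return (s->rtx_timeout && s->rtx_counter >= s->rtx_max_num) || s->sess_timeout;
}
static bool pnr_ping(const sm_t *s) { return s->rx_pnr_p; }

static void none(sm_t *s) { (void)s; }
static void retransmit(sm_t *s) { s->retransmits++; s->rtx_counter++; }
static void disconnect(sm_t *s) { s->disconnects++; }  /* stands in for deleting session state */
static void tx_pna_p(sm_t *s) { s->pna_sent++; }

static const row_t rows[] = {
    { ST_CLOSED, ST_NONE,    any_event, none,       ST_CLOSED    },  /* State: CLOSED */
    { ST_ANY,    ST_NONE,    rtx_again, retransmit, ST_NO_CHANGE },  /* State: ANY */
    { ST_ANY,    ST_NONE,    give_up,   disconnect, ST_CLOSED    },  /* State: ANY */
    { ST_ANY,    ST_INITIAL, pnr_ping,  tx_pna_p,   ST_NO_CHANGE },  /* ANY except INITIAL */
};

static void clear_events(sm_t *s)
{
    s->rtx_timeout = false;
    s->sess_timeout = false;
    s->rx_pnr_p = false;
}

/* Evaluate one event: pass 0 tries rows of the current state, pass 1 the
 * wildcard rows. Event variables are cleared once the action completes. */
state_t sm_step(sm_t *s)
{
    for (int pass = 0; pass < 2; pass++) {
        for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
            const row_t *r = &rows[i];
            bool in_scope = (pass == 0)
                ? (r->state == s->state)
                : (r->state == ST_ANY && r->except != s->state);
            if (!in_scope || !r->cond(s))
                continue;
            r->action(s);
            if (r->next != ST_NO_CHANGE)
                s->state = r->next;
            clear_events(s);
            return s->state;
        }
    }
    clear_events(s);  /* assumption of this example: an unmatched event is dropped */
    return s->state;
}

int main(void)
{
    sm_t s = { .state = ST_WAIT_PAA, .rtx_max_num = 2 };
    for (int i = 1; i <= 4; i++) {
        s.rtx_timeout = true;
        sm_step(&s);
        printf("timeout %d: state=%d retransmits=%u disconnects=%u\n",
               i, (int)s.state, s.retransmits, s.disconnects);
    }
    return 0;
}
```

   With RTX_MAX_NUM set to 2, the third timeout closes the session, and
   a fourth, stale timeout in CLOSED is absorbed by the catch-all row
   instead of triggering another Retransmit() or Disconnect().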

   On completion of the transition from the previous state to the
   current state, all exit conditions occurring during the current state
   (including exit conditions defined for the wildcard state) are
   evaluated until an exit condition for that state is met.

   Any event variable is set to TRUE when the corresponding event occurs
   and set to FALSE immediately after completion of the action
   associated with the current state and the event.

   The interpretation of the special symbols and operators used is
   defined in [RFC4137].

6.  Common Rules

   The following procedures, variables, message initialization rules
   and state transitions are common to both the PaC and PAA state
   machines.

   Throughout this document, the character string "PANA_MESSAGE_NAME"
   matches any one of the abbreviated PANA message names, i.e., "PCI",
   "PAR", "PAN", "PTR", "PTA", "PNR", "PNA".

6.1.  Common Procedures

   void None()

      A null procedure, i.e., nothing is done.

   void Disconnect()

      A procedure to delete the PANA session as well as the
      corresponding EAP session and authorization state.

   boolean Authorize()

      A procedure to create or modify authorization state.  It returns
      TRUE if authorization is successful.  Otherwise, it returns FALSE.
      It is assumed that the Authorize() procedure of the PaC state
      machine always returns TRUE.  In the case that a
      non-key-generating EAP method is used but a PANA SA is required
      after successful authentication (generate_pana_sa() returns TRUE),
      the Authorize() procedure must return FALSE.

   void Tx:PANA_MESSAGE_NAME[flag](AVPs)

      A procedure to send a PANA message to its peering PANA entity.
      The "flag" argument contains one or more flags (e.g., Tx:PAR[C])
      to be set in the message, except for the 'R' (Request) flag.  The
      "AVPs" argument contains a list of names of optional AVPs to be
      inserted in the message, except for the AUTH AVP.

      This procedure includes the following action before actual
      transmission:

          if (flag==S)
            PANA_MESSAGE_NAME.S_flag=Set;
          if (flag==C)
            PANA_MESSAGE_NAME.C_flag=Set;
          if (flag==A)
            PANA_MESSAGE_NAME.A_flag=Set;
          if (flag==P)
            PANA_MESSAGE_NAME.P_flag=Set;
          PANA_MESSAGE_NAME.insert_avp(AVPs);
          if (key_available())
            PANA_MESSAGE_NAME.insert_avp("AUTH");

   void TxEAP()

      A procedure to send an EAP message to the EAP state machine it
      interfaces to.

   void RtxTimerStart()

      A procedure to start the retransmission timer, reset the
      RTX_COUNTER variable to zero and set an appropriate value to the
      RTX_MAX_NUM variable.  Note that RTX_MAX_NUM is assumed to be set
      to the same default value for all messages.  However,
      implementations may also reset RTX_MAX_NUM in this procedure and
      its value may vary depending on the message that was sent.

   void RtxTimerStop()

      A procedure to stop the retransmission timer.

   void SessionTimerReStart(TIMEOUT)

      A procedure to (re)start the PANA session timer.  TIMEOUT
      specifies the expiration time associated with the session timer.
      Expiration of TIMEOUT will trigger a SESS_TIMEOUT event.

   void SessionTimerStop()

      A procedure to stop the current PANA session timer.

   void Retransmit()

      A procedure to retransmit a PANA message and increment RTX_COUNTER
      by one (1).

   void EAP_Restart()

      A procedure to (re)start an EAP conversation resulting in the
      re-initialization of an existing EAP session.

   void PANA_MESSAGE_NAME.insert_avp("AVP_NAME1", "AVP_NAME2",...)

      A procedure to insert AVPs for each specified AVP name in the list
      of AVP names in the PANA message.  When an AVP name ends with "*",
      zero, one or more AVPs are inserted; otherwise, one AVP is
      inserted.

   boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME")

      A procedure that checks whether an AVP of the specified AVP name
      exists in the specified PANA message and returns TRUE if the
      specified AVP is found, otherwise returns FALSE.

   boolean generate_pana_sa()

      A procedure to check whether the EAP method being used generates
      keys and that a PANA SA will be established on successful
      authentication.  For the PaC, the procedure is also used to check
      and match the PRF and Integrity algorithm AVPs advertised by the
      PAA in the PAR[S] message.  For the PAA, it is used to indicate
      whether PRF and Integrity algorithm AVPs will be sent in the
      PAR[S].  This procedure returns TRUE if a PANA SA will be
      generated.  Otherwise, it returns FALSE.

   boolean key_available()

      A procedure to check whether the PANA session has a PANA_AUTH_KEY.
      If the state machine already has a PANA_AUTH_KEY, it returns TRUE.
      If the state machine does not have a PANA_AUTH_KEY, it tries to
      retrieve an MSK from the EAP entity.  If an MSK is retrieved, it
      computes a PANA_AUTH_KEY from the MSK and returns TRUE.
      Otherwise, it returns FALSE.

6.2.  Common Variables

   PAR.RESULT_CODE

      This variable contains the Result-Code AVP value in the
      PANA-Auth-Request message in process.  When this variable carries
      PANA_SUCCESS it is assumed that the PAR message always contains an
      EAP-Payload AVP which carries an EAP-Success message.

   NONCE_SENT

      This variable is set to TRUE to indicate that a Nonce-AVP has
      already been sent.  Otherwise it is set to FALSE.

   RTX_COUNTER

      This variable contains the current number of retransmissions of
      the outstanding PANA message.

   Rx:PANA_MESSAGE_NAME[flag]

      This event variable is set to TRUE when the specified PANA message
      is received from its peering PANA entity.  The "flag" contains a
      flag (e.g., Rx:PAR[C]), except for the 'R' (Request) flag.

   RTX_TIMEOUT

      This event variable is set to TRUE when the retransmission timer
      has expired.

   REAUTH

      This event variable is set to TRUE when an initiation of the
      re-authentication phase is triggered.  This event variable can
      only be set while in the OPEN state.

   TERMINATE

      This event variable is set to TRUE when initiation of PANA session
      termination is triggered.  This event variable can only be set
      while in the OPEN state.

   PANA_PING

      This event variable is set to TRUE when initiation of a liveness
      test based on the PANA-Notification exchange is triggered.  This
      event variable can only be set while in the OPEN state.

   SESS_TIMEOUT

      This event variable is set to TRUE when the session timer has
      expired.

   LIFETIME_SESS_TIMEOUT

      Configurable value used by the PaC and PAA to close or disconnect
      an established session in the access phase.  This variable
      indicates the expiration of the session and is set to the value of
      Session-Lifetime AVP if present in the last PANA-Auth-Request
      message in the case of the PaC.  Otherwise, it is assumed that the
      value is infinite and therefore has no expiration.  Expiration of
      LIFETIME_SESS_TIMEOUT will cause the event variable SESS_TIMEOUT
      to be set.

   ANY

      This event variable is set to TRUE when any event occurs.

6.3.  Configurable Values

   RTX_MAX_NUM

      Configurable maximum for how many retransmissions should be
      attempted before aborting.

6.4.  Common Message Initialization Rules

   When a message is prepared for sending, it is initialized as follows:

   o  For a request message, R-flag of the header is set.  Otherwise,
      R-flag is not set.

   o  Other message header flags are not set.  They are set explicitly
      by specific state machine actions.

   o  AVPs that are mandatory in a message are inserted with
      appropriate values set.

6.5.  Common Retransmission Rules

   The state machines defined in this document assume that the PaC and
   the PAA cache the last transmitted answer message.  This scheme is
   described in Section 5.2 of [RFC5191].  When the PaC or PAA receives
   a re-transmitted or duplicate request, it would be able to re-send
   the corresponding answer without any aid from the EAP layer.
   However, to simplify the state machine description, this caching
   scheme is omitted in the state machines below.  In the case that
   there is no corresponding answer to a re-transmitted request, the
   request will be handled by the corresponding state machine.

6.6.  Common State Transitions

   The following transitions can occur at any state with exceptions
   explicitly noted.

   ----------
   State: ANY
   ----------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (Re-transmissions)- - - - - - - - - -
   RTX_TIMEOUT &&           Retransmit();              (no change)
   RTX_COUNTER<
   RTX_MAX_NUM
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - (Reach maximum number of transmissions)- - - - - -
   (RTX_TIMEOUT &&          Disconnect();              CLOSED
    RTX_COUNTER>=
    RTX_MAX_NUM) ||
   SESS_TIMEOUT
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   -------------------------
   State: ANY except INITIAL
   -------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - (liveness test initiated by peer)- - - - - -
   Rx:PNR[P]                Tx:PNA[P]();               (no change)

   -------------------------------
   State: ANY except WAIT_PNA_PING
   -------------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - (liveness test response) - - - - - - - -
   Rx:PNA[P]                None();                    (no change)

   The following transitions can occur on any exit condition within the
   specified state.

   -------------
   State: CLOSED
   -------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - -(Catch all event on closed state) - - - - - - - -
   ANY                      None();                    CLOSED
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7.  PaC State Machine

7.1.  Interface between PaC and EAP Peer

   This interface defines the interactions between a PaC and an EAP
   peer.  The interface serves as a mechanism to deliver EAP messages
   for the EAP peer.  It allows the EAP peer to receive EAP requests and
   send EAP responses via the PaC.  It also provides a mechanism to
   notify the EAP peer of PaC events and a mechanism to receive
   notification of EAP peer events.  The EAP message delivery mechanism
   as well as the event notification mechanism in this interface have
   direct correlation with the PaC state transition table entries.
   These message delivery and event notification mechanisms occur only
   within the context of their associated states or exit actions.

7.1.1.  Delivering EAP Messages from PaC to EAP Peer

   TxEAP() procedure in the PaC state machine serves as the mechanism to
   deliver EAP messages contained in PANA-Auth-Request messages to the
   EAP peer.  This procedure is enabled only after an EAP restart event
   is notified to the EAP peer and before any event resulting in a
   termination of the EAP peer session.  In the case where the EAP peer
   follows the EAP peer state machine defined in [RFC4137], TxEAP()
   procedure sets eapReq variable of the EAP peer state machine and puts
   the EAP request in eapReqData variable of the EAP peer state machine.

7.1.2.  Delivering EAP Messages from EAP Peer to PaC

   An EAP message is delivered from the EAP peer to the PaC via
   EAP_RESPONSE event variable.
   The event variable is set when the EAP peer passes the EAP message to
   its lower-layer.  In the case where the EAP peer follows the EAP peer
   state machine defined in [RFC4137], EAP_RESPONSE event variable
   refers to eapResp variable of the EAP peer state machine and the EAP
   message is contained in eapRespData variable of the EAP peer state
   machine.

7.1.3.  EAP Restart Notification from PaC to EAP Peer

   The EAP peer state machine defined in [RFC4137] has an initialization
   procedure before receiving an EAP message.  To initialize the EAP
   state machine, the PaC state machine defines an event notification
   mechanism to send an EAP (re)start event to the EAP peer.  The event
   notification is done via EAP_Restart() procedure in the
   initialization action of the PaC state machine.

7.1.4.  EAP Authentication Result Notification from EAP Peer to PaC

   In order for the EAP peer to notify the PaC of an EAP authentication
   result, EAP_SUCCESS and EAP_FAILURE event variables are defined.  In
   the case where the EAP peer follows the EAP peer state machine
   defined in [RFC4137], EAP_SUCCESS and EAP_FAILURE event variables
   refer to eapSuccess and eapFail variables of the EAP peer state
   machine, respectively.  In this case, if EAP_SUCCESS event variable
   is set to TRUE and an MSK is generated by the EAP authentication
   method in use, eapKeyAvailable variable is set to TRUE and eapKeyData
   variable contains the MSK.  Note that EAP_SUCCESS and EAP_FAILURE
   event variables may be set to TRUE even before the PaC receives a PAR
   with a 'Complete' flag set from the PAA.

7.1.5.  Alternate Failure Notification from PaC to EAP Peer

   alt_reject() procedure in the PaC state machine serves as the
   mechanism to deliver an authentication failure event to the EAP peer
   without accompanying an EAP message.
   In the case where the EAP peer follows the EAP peer state machine
   defined in [RFC4137], alt_reject() procedure sets altReject variable
   of the EAP peer state machine.  Note that the EAP peer state machine
   in [RFC4137] also defines altAccept variable; however, it is never
   used in PANA, in which EAP-Success messages are reliably delivered by
   the last PANA-Auth exchange.

7.2.  Configurable Values

   FAILED_SESS_TIMEOUT

      Configurable value that allows the PaC to determine whether a PaC
      authentication and authorization phase has stalled without an
      explicit EAP success or failure notification.

7.3.  Variables

   AUTH_USER

      This event variable is set to TRUE when initiation of EAP-based
      (re-)authentication is triggered by the application.

   EAP_SUCCESS

      This event variable is set to TRUE when the EAP peer determines
      that the EAP conversation completes with success.

   EAP_FAILURE

      This event variable is set to TRUE when the EAP peer determines
      that the EAP conversation completes with failure.

   EAP_RESPONSE

      This event variable is set to TRUE when the EAP peer delivers an
      EAP message to the PaC.  This event accompanies an EAP message
      received from the EAP peer.

   EAP_RESP_TIMEOUT

      This event variable is set to TRUE when the PaC that has passed an
      EAP message to the EAP-layer does not receive a subsequent EAP
      message from the EAP-layer in a given period.  This provides a
      time limit for certain EAP methods where user interaction may be
      required.

7.4.  Procedures

   boolean eap_piggyback()

      This procedure returns TRUE if the next EAP response will be
      carried in the pending PAN message for optimization.

   void alt_reject()

      This procedure informs the EAP peer of an authentication failure
      event without accompanying an EAP message.

   void EAP_RespTimerStart()

      A procedure to start a timer to receive an EAP-Response from the
      EAP peer.

   void EAP_RespTimerStop()

      A procedure to stop a timer to receive an EAP-Response from the
      EAP peer.

7.5.  PaC State Transition Table

   ------------------------------
   State: INITIAL (Initial State)
   ------------------------------

   Initialization Action:

     NONCE_SENT=Unset;
     RTX_COUNTER=0;
     RtxTimerStop();

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+-----------
   - - - - - - - - - - (PaC-initiated Handshake) - - - - - - - - -
   AUTH_USER                Tx:PCI[]();                INITIAL
                            RtxTimerStart();
                            SessionTimerReStart
                              (FAILED_SESS_TIMEOUT);
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   - - - - - - -(PAA-initiated Handshake, not optimized) - - - - -
   Rx:PAR[S] &&             EAP_Restart();             WAIT_PAA
   !PAR.exist_avp           SessionTimerReStart
   ("EAP-Payload")            (FAILED_SESS_TIMEOUT);
                            if (generate_pana_sa())
                                Tx:PAN[S]("PRF-Algorithm",
                                   "Integrity-Algorithm");
                            else
                                Tx:PAN[S]();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   - - - - - - - -(PAA-initiated Handshake, optimized) - - - - - -
   Rx:PAR[S] &&             EAP_Restart();             INITIAL
   PAR.exist_avp            TxEAP();
   ("EAP-Payload") &&       SessionTimerReStart
   eap_piggyback()            (FAILED_SESS_TIMEOUT);

   Rx:PAR[S] &&             EAP_Restart();             WAIT_EAP_MSG
   PAR.exist_avp            TxEAP();
   ("EAP-Payload") &&       SessionTimerReStart
   !eap_piggyback()           (FAILED_SESS_TIMEOUT);
                            if (generate_pana_sa())
                                Tx:PAN[S]("PRF-Algorithm",
                                  "Integrity-Algorithm");
                            else
                                Tx:PAN[S]();

   EAP_RESPONSE             if (generate_pana_sa())    WAIT_PAA
                                Tx:PAN[S]("EAP-Payload",
                                  "PRF-Algorithm",
                                  "Integrity-Algorithm");
                            else
                                Tx:PAN[S]("EAP-Payload");

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------
   State: WAIT_PAA
   ---------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - -
   Rx:PAR[] &&              RtxTimerStop();            WAIT_EAP_MSG
   !eap_piggyback()         TxEAP();
                            EAP_RespTimerStart();
                            if (NONCE_SENT==Unset) {
                              NONCE_SENT=Set;
                              Tx:PAN[]("Nonce");
                            }
                            else
                              Tx:PAN[]();

   Rx:PAR[] &&              RtxTimerStop();            WAIT_EAP_MSG
   eap_piggyback()          TxEAP();
                            EAP_RespTimerStart();

   Rx:PAN[]                 RtxTimerStop();            WAIT_PAA

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - - - - -(PANA result) - - - - - - - - - -
   Rx:PAR[C] &&             TxEAP();                   WAIT_EAP_RESULT
   PAR.RESULT_CODE==
     PANA_SUCCESS

   Rx:PAR[C] &&             if (PAR.exist_avp          WAIT_EAP_RESULT_
   PAR.RESULT_CODE!=          ("EAP-Payload"))         CLOSE
     PANA_SUCCESS             TxEAP();
                            else
                              alt_reject();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   -------------------
   State: WAIT_EAP_MSG
   -------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - (Return PAN/PAR from EAP) - - - - - - - - -
   EAP_RESPONSE &&          EAP_RespTimerStop();       WAIT_PAA
   eap_piggyback()          if (NONCE_SENT==Unset) {
                              Tx:PAN[]("EAP-Payload",
                                       "Nonce");
                              NONCE_SENT=Set;
                            }
                            else
                              Tx:PAN[]("EAP-Payload");

   EAP_RESPONSE &&          EAP_RespTimerStop();       WAIT_PAA
   !eap_piggyback()         Tx:PAR[]("EAP-Payload");
                            RtxTimerStart();

   EAP_RESP_TIMEOUT &&      Tx:PAN[]();                WAIT_PAA
   eap_piggyback()

   EAP_FAILURE              SessionTimerStop();        CLOSED
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------------
   State: WAIT_EAP_RESULT
   ----------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - -
   EAP_SUCCESS              if (PAR.exist_avp          OPEN
                               ("Key-Id"))
                              Tx:PAN[C]("Key-Id");
                            else
                              Tx:PAN[C]();
                            Authorize();
                            SessionTimerReStart
                              (LIFETIME_SESS_TIMEOUT);

   EAP_FAILURE              Tx:PAN[C]();               CLOSED
                            SessionTimerStop();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------------------
   State: WAIT_EAP_RESULT_CLOSE
   ----------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - -
   EAP_SUCCESS ||           if (EAP_SUCCESS &&         CLOSED
   EAP_FAILURE                PAR.exist_avp("Key-Id"))
                              Tx:PAN[C]("Key-Id");
                            else
                              Tx:PAN[C]();
                            SessionTimerStop();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   -----------
   State: OPEN
   -----------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - (liveness test initiated by PaC)- - - - - -
   PANA_PING                Tx:PNR[P]();               WAIT_PNA_PING
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - (re-authentication initiated by PaC)- - - - - -
   REAUTH                   NONCE_SENT=Unset;          WAIT_PNA_REAUTH
                            Tx:PNR[A]();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - (re-authentication initiated by PAA)- - - - - -
   Rx:PAR[]                 EAP_RespTimerStart();      WAIT_EAP_MSG
                            TxEAP();
                            if (!eap_piggyback())
                              Tx:PAN[]("Nonce");
                            else
                              NONCE_SENT=Unset;
                            SessionTimerReStart
                              (FAILED_SESS_TIMEOUT);
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - -(Session termination initiated by PAA) - - - - - -
   Rx:PTR[]                 Tx:PTA[]();                CLOSED
                            SessionTimerStop();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - -(Session termination initiated by PaC) - - - - - -
   TERMINATE                Tx:PTR[]();                SESS_TERM
                            RtxTimerStart();
                            SessionTimerStop();
   - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - 870 ---------------------- 871 State: WAIT_PNA_REAUTH 872 ---------------------- 874 Exit Condition Exit Action Exit State 875 ------------------------+--------------------------+------------ 876 - - - - - - - - -(re-authentication initiated by PaC) - - - - - 877 Rx:PNA[A] RtxTimerStop(); WAIT_PAA 878 SessionTimerReStart 879 (FAILED_SESS_TIMEOUT); 880 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 881 - - - - - - - -(Session termination initiated by PAA) - - - - - - 882 Rx:PTR[] RtxTimerStop(); CLOSED 883 Tx:PTA[](); 884 SessionTimerStop(); 885 Disconnect(); 886 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 888 -------------------- 889 State: WAIT_PNA_PING 890 -------------------- 892 Exit Condition Exit Action Exit State 893 ------------------------+--------------------------+------------ 894 - - - - - - - - -(liveness test initiated by PaC) - - - - - - - 895 Rx:PNA[P] RtxTimerStop(); OPEN 896 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 897 - - - - - - - - - (re-authentication initiated by PAA)- - - - - 898 Rx:PAR[] RtxTimerStop(); WAIT_EAP_MSG 899 EAP_RespTimerStart(); 900 TxEAP(); 901 if (!eap_piggyback()) 902 Tx:PAN[]("Nonce"); 903 else 904 NONCE_SENT=Unset; 905 SessionTimerReStart 906 (FAILED_SESS_TIMEOUT); 907 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 908 - - - - - - - -(Session termination initiated by PAA) - - - - - - 909 Rx:PTR[] RtxTimerStop(); CLOSED 910 Tx:PTA[](); 911 SessionTimerStop(); 912 Disconnect(); 913 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 915 ---------------- 916 State: SESS_TERM 917 ---------------- 919 Exit Condition Exit Action Exit State 920 ------------------------+--------------------------+------------ 921 - - - - - - - -(Session termination initiated by PaC) - - - - - 922 Rx:PTA[] Disconnect(); CLOSED 923 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 925 8. 
PAA State Machine 927 8.1. Interface between PAA and EAP Authenticator 929 The interface between a PAA and an EAP authenticator provides a 930 mechanism to deliver EAP messages for the EAP authenticator as well 931 as a mechanism to notify the EAP authenticator of PAA events and to 932 receive notification of EAP authenticator events. These message 933 delivery and event notification mechanisms occur only within context 934 of their associated states or exit actions. 936 8.1.1. EAP Restart Notification from PAA to EAP Authenticator 938 An EAP authenticator state machine defined in [RFC4137] has an 939 initialization procedure before sending the first EAP request. To 940 initialize the EAP state machine, the PAA state machine defines an 941 event notification mechanism to send an EAP (re)start event to the 942 EAP authenticator. The event notification is done via EAP_Restart() 943 procedure in the initialization action of the PAA state machine. 945 8.1.2. Delivering EAP Responses from PAA to EAP Authenticator 947 TxEAP() procedure in the PAA state machine serves as the mechanism to 948 deliver EAP-Responses contained in PANA-Auth-Answer messages to the 949 EAP authenticator. This procedure is enabled only after an EAP 950 restart event is notified to the EAP authenticator and before any 951 event resulting in a termination of the EAP authenticator session. 952 In the case where the EAP authenticator follows the EAP authenticator 953 state machines defined in [RFC4137], TxEAP() procedure sets eapResp 954 variable of the EAP authenticator state machine and puts the EAP 955 response in eapRespData variable of the EAP authenticator state 956 machine. 958 8.1.3. Delivering EAP Messages from EAP Authenticator to PAA 960 An EAP request is delivered from the EAP authenticator to the PAA via 961 EAP_REQUEST event variable. The event variable is set when the EAP 962 authenticator passes the EAP request to its lower-layer. 
In the case 963 where the EAP authenticator follows the EAP authenticator state 964 machines defined in [RFC4137], EAP_REQUEST event variable refers to 965 eapReq variable of the EAP authenticator state machine and the EAP 966 request is contained in eapReqData variable of the EAP authenticator 967 state machine. 969 8.1.4. EAP Authentication Result Notification from EAP Authenticator to 970 PAA 972 In order for the EAP authenticator to notify the PAA of the EAP 973 authentication result, EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event 974 variables are defined. In the case where the EAP authenticator 975 follows the EAP authenticator state machines defined in [RFC4137], 976 EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables refer to 977 eapSuccess, eapFail and eapTimeout variables of the EAP authenticator 978 state machine, respectively. In this case, if EAP_SUCCESS event 979 variable is set to TRUE, an EAP-Success message is contained in 980 eapReqData variable of the EAP authenticator state machine, and 981 additionally, eapKeyAvailable variable is set to TRUE and eapKeyData 982 variable contains an MSK if the MSK is generated as a result of 983 successful authentication by the EAP authentication method in use. 984 Similarly, if EAP_FAILURE event variable is set to TRUE, an EAP- 985 Failure message is contained in eapReqData variable of the EAP 986 authenticator state machine. The PAA uses EAP_SUCCESS, EAP_FAILURE 987 and EAP_TIMEOUT event variables as a trigger to send a PAR message to 988 the PaC. 990 8.2. Variables 992 OPTIMIZED_INIT 994 This variable indicates whether the PAA is able to piggyback an 995 EAP-Request in the initial PANA-Auth-Request. Otherwise it is set 996 to FALSE. 998 PAC_FOUND 1000 This variable is set to TRUE as a result of a PAA initiated 1001 handshake. 1003 REAUTH_TIMEOUT 1005 This event variable is set to TRUE to indicate that the PAA 1006 initiates a re-authentication with the PaC. 
The re-authentication 1007 timeout should be set to a value less than the session timeout 1008 carried in the Session-Lifetime AVP if present. 1010 EAP_SUCCESS 1012 This event variable is set to TRUE when EAP conversation completes 1013 with success. This event accompanies an EAP- Success message 1014 passed from the EAP authenticator. 1016 EAP_FAILURE 1018 This event variable is set to TRUE when EAP conversation completes 1019 with failure. This event accompanies an EAP- Failure message 1020 passed from the EAP authenticator. 1022 EAP_REQUEST 1024 This event variable is set to TRUE when the EAP authenticator 1025 delivers an EAP Request to the PAA. This event accompanies an 1026 EAP-Request message received from the EAP authenticator. 1028 EAP_TIMEOUT 1030 This event variable is set to TRUE when EAP conversation times out 1031 without generating an EAP-Success or an EAP-Failure message. This 1032 event does not accompany any EAP message. 1034 8.3. Procedures 1036 boolean new_key_available() 1038 A procedure to check whether the PANA session has a new 1039 PANA_AUTH_KEY. If the state machine already have a PANA_AUTH_KEY, 1040 it returns FALSE. If the state machine does not have a 1041 PANA_AUTH_KEY, it tries to retrieve an MSK from the EAP entity. 1042 If an MSK has been retrieved, it computes a PANA_AUTH_KEY from the 1043 MSK and returns TRUE. Otherwise, it returns FALSE. 1045 8.4. 
PAA State Transition Table 1047 ------------------------------ 1048 State: INITIAL (Initial State) 1049 ------------------------------ 1051 Initialization Action: 1053 OPTIMIZED_INIT=Set|Unset; 1054 NONCE_SENT=Unset; 1055 RTX_COUNTER=0; 1056 RtxTimerStop(); 1058 Exit Condition Exit Action Exit State 1059 ------------------------+--------------------------+------------ 1060 - - - - - - - - (PCI and PAA initiated PANA) - - - - - - - - - 1061 (Rx:PCI[] || if (OPTIMIZED_INIT == INITIAL 1062 PAC_FOUND) Set) { 1063 EAP_Restart(); 1064 SessionTimerReStart 1065 (FAILED_SESS_TIMEOUT); 1066 } 1067 else { 1068 if (generate_pana_sa()) 1069 Tx:PAR[S]("PRF-Algorithm", 1070 "Integrity-Algorithm"); 1071 else 1072 Tx:PAR[S](); 1073 } 1075 EAP_REQUEST if (generate_pana_sa()) INITIAL 1076 Tx:PAR[S]("EAP-Payload", 1077 "PRF-Algorithm", 1078 "Integrity-Algorithm"); 1079 else 1080 Tx:PAR[S]("EAP-Payload"); 1081 RtxTimerStart(); 1082 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1084 - - - - - - - - - - - - - - (PAN Handling) - - - - - - - - - - 1085 Rx:PAN[S] && if (PAN.exist_avp WAIT_EAP_MSG 1086 ((OPTIMIZED_INIT == ("EAP-Payload")) 1087 Unset) || TxEAP(); 1088 PAN.exist_avp else { 1089 ("EAP-Payload")) EAP_Restart(); 1090 SessionTimerReStart 1091 (FAILED_SESS_TIMEOUT); 1092 } 1094 Rx:PAN[S] && None(); WAIT_PAN_OR_PAR 1095 (OPTIMIZED_INIT == 1096 Set) && 1097 ! 
PAN.exist_avp 1098 ("EAP-Payload") 1100 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1102 ------------------- 1103 State: WAIT_EAP_MSG 1104 ------------------- 1106 Exit Condition Exit Action Exit State 1107 ------------------------+--------------------------+------------ 1108 - - - - - - - - - - - -(Receiving EAP-Request)- - - - - - - - - 1109 EAP_REQUEST if (NONCE_SENT==Unset) { WAIT_PAN_OR_PAR 1110 Tx:PAR[]("Nonce", 1111 "EAP-Payload"); 1112 NONCE_SENT=Set; 1113 } 1114 else 1115 Tx:PAR[]("EAP-Payload"); 1116 RtxTimerStart(); 1117 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1118 - - - - - - - - - - -(Receiving EAP-Success/Failure) - - - - - 1119 EAP_FAILURE PAR.RESULT_CODE = WAIT_FAIL_PAN 1120 PANA_AUTHENTICATION_ 1121 REJECTED; 1122 Tx:PAR[C]("EAP-Payload"); 1123 RtxTimerStart(); 1124 SessionTimerStop(); 1126 EAP_SUCCESS && PAR.RESULT_CODE = WAIT_SUCC_PAN 1127 Authorize() PANA_SUCCESS; 1128 if (new_key_available()) 1129 Tx:PAR[C]("EAP-Payload", 1130 "Key-Id"); 1131 else 1132 Tx:PAR[C]("EAP-Payload"); 1133 RtxTimerStart(); 1135 EAP_SUCCESS && PAR.RESULT_CODE = WAIT_FAIL_PAN 1136 !Authorize() PANA_AUTHORIZATION_ 1137 REJECTED; 1138 if (new_key_available()) 1139 Tx:PAR[C]("EAP-Payload", 1140 "Key-Id"); 1141 else 1142 Tx:PAR[C]("EAP-Payload"); 1143 RtxTimerStart(); 1144 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1145 - - - - - (Receiving EAP-Timeout or invalid message) - - - - - 1146 EAP_TIMEOUT SessionTimerStop(); CLOSED 1147 Disconnect(); 1148 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1150 -------------------- 1151 State: WAIT_SUCC_PAN 1152 -------------------- 1154 Event/Condition Action Exit State 1155 ------------------------+--------------------------+------------ 1156 - - - - - - - - - - - - - (PAN Processing)- - - - - - - - - - - 1157 Rx:PAN[C] RtxTimerStop(); OPEN 1158 SessionTimerReStart 1159 (LIFETIME_SESS_TIMEOUT); 1160 - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - 1162 -------------------- 1163 State: WAIT_FAIL_PAN 1164 -------------------- 1165 Exit Condition Exit Action Exit State 1166 ------------------------+--------------------------+------------ 1167 - - - - - - - - - - - - - - (PAN Processing)- - - - - - - - - - 1168 Rx:PAN[C] RtxTimerStop(); CLOSED 1169 Disconnect(); 1170 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1172 ----------- 1173 State: OPEN 1174 ----------- 1176 Event/Condition Action Exit State 1177 ------------------------+--------------------------+------------ 1178 - - - - - - - - (re-authentication initiated by PaC) - - - - - - 1179 Rx:PNR[A] NONCE_SENT=Unset; WAIT_EAP_MSG 1180 EAP_Restart(); 1181 Tx:PNA[A](); 1182 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1183 - - - - - - - - (re-authentication initiated by PAA)- - - - - - 1184 REAUTH || NONCE_SENT=Unset; WAIT_EAP_MSG 1185 REAUTH_TIMEOUT EAP_Restart(); 1187 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1188 - - (liveness test based on PNR-PNA exchange initiated by PAA)- 1189 PANA_PING Tx:PNR[P](); WAIT_PNA_PING 1190 RtxTimerStart(); 1191 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1192 - - - - - - - - (Session termination initated from PAA) - - - - 1193 TERMINATE Tx:PTR[](); SESS_TERM 1194 SessionTimerStop(); 1195 RtxTimerStart(); 1196 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1197 - - - - - - - - (Session termination initated from PaC) - - - - 1198 Rx:PTR[] Tx:PTA[](); CLOSED 1199 SessionTimerStop(); 1200 Disconnect(); 1201 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1203 -------------------- 1204 State: WAIT_PNA_PING 1205 -------------------- 1207 Exit Condition Exit Action Exit State 1208 ------------------------+--------------------------+------------ 1209 - - - - - - - - - - - - - -(PNA processing) - - - - - - - - - - 1210 Rx:PNA[P] RtxTimerStop(); OPEN 1211 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- 1212 - - - - - - - - (re-authentication initiated by PaC) - - - - - - 1213 Rx:PNR[A] RtxTimerStop(); WAIT_EAP_MSG 1214 NONCE_SENT=Unset; 1215 EAP_Restart(); 1216 Tx:PNA[A](); 1217 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1218 - - - - - - - - (Session termination initated from PaC) - - - - 1219 Rx:PTR[] RtxTimerStop(); CLOSED 1220 Tx:PTA[](); 1221 SessionTimerStop(); 1222 Disconnect(); 1223 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1225 ---------------------- 1226 State: WAIT_PAN_OR_PAR 1227 ---------------------- 1229 Exit Condition Exit Action Exit State 1230 ------------------------+--------------------------+------------ 1231 - - - - - - - - - - - - - (PAR Processing)- - - - - - - - - - - 1232 Rx:PAR[] TxEAP(); WAIT_EAP_MSG 1233 RtxTimerStop(); 1234 Tx:PAN[](); 1235 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1236 - - - - - - (Pass EAP Response to the EAP authenticator)- - - - 1237 Rx:PAN[] && TxEAP(); WAIT_EAP_MSG 1238 PAN.exist_avp RtxTimerStop(); 1239 ("EAP-Payload") 1240 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1241 - - - - - - - - - - (PAN without an EAP response) - - - - - - - 1242 Rx:PAN[] && RtxTimerStop(); WAIT_PAN_OR_PAR 1243 !PAN.exist_avp 1244 ("EAP-Payload") 1245 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1246 - - - - - - - - - - - -(EAP retransmission) - - - - - - - - - - 1247 EAP_REQUEST RtxTimerStop(); WAIT_PAN_OR_PAR 1248 Tx:PAR[]("EAP-Payload"); 1249 RtxTimerStart(); 1250 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1251 - - - - - - - (EAP authentication timeout or failure)- - - - - 1252 EAP_FAILURE || RtxTimerStop(); CLOSED 1253 EAP_TIMEOUT SessionTimerStop(); 1254 Disconnect(); 1255 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1257 ---------------- 1258 State: SESS_TERM 1259 ---------------- 1260 Exit Condition Exit Action Exit State 1261 
------------------------+--------------------------+------------ 1262 - - - - - - - - - - - - - -(PTA processing) - - - - - - - - - - 1263 Rx:PTA[] RtxTimerStop(); CLOSED 1264 Disconnect(); 1265 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1267 9. Implementation Considerations 1269 9.1. PAA and PaC Interface to Service Management Entity 1271 In general, it is assumed each device or network equipment has a PANA 1272 protocol stack available for use by other modules within the device 1273 or network equipment. One such module is the Service Management 1274 Entity (SME). The SME is a generic term for modules that manages 1275 different services (including network protocols) that installed on a 1276 device or equipment. To integrate PANA protocol with the SME, it is 1277 recommended that a generic interface (i.e., the SME-PANA interface) 1278 between the SME and the PANA protocol stack be provided by the 1279 implementation. This interface should include common procedures such 1280 as startup, shutdown and re-authenticate signals. It should also 1281 provision for extracting keying material. For the PAA, the SME-PANA 1282 interface should also provide a method for communicating filtering 1283 parameters to the EP(s) when cryptographic filtering is used. The 1284 filtering parameters include keying material used for bootstrapping 1285 secured transport such as IPsec. When a PAA device interacts with 1286 the backend authentication server using a AAA protocol, its SME may 1287 also provide an interface to the AAA protocol to obtain authorization 1288 parameters such as the authorization lifetime and additional 1289 filtering parameters. 1291 10. Security Considerations 1293 This document's intent is to describe the PANA state machines fully. 1294 To this end, any security concerns with this document are likely a 1295 reflection of security concerns with PANA itself. 1297 11. IANA Considerations 1299 This document has no actions for IANA. 1301 12. 
Acknowledgments 1303 This work was started from state machines originally made by Dan 1304 Forsberg. 1306 13. References 1308 13.1. Normative References 1310 [RFC5191] Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., and A. 1311 Yegin, "Protocol for Carrying Authentication for Network 1312 Access (PANA)", RFC 5191, May 2008. 1314 13.2. Informative References 1316 [RFC4137] Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, 1317 "State Machines for Extensible Authentication Protocol 1318 (EAP) Peer and Authenticator", RFC 4137, August 2005. 1320 Authors' Addresses 1322 Victor Fajardo (editor) 1323 Toshiba America Research, Inc. 1324 1 Telcordia Drive 1325 Piscataway, NJ 08854 1326 USA 1328 Phone: +1 732 699 5368 1329 Email: vfajardo@tari.toshiba.com 1331 Yoshihiro Ohba 1332 Toshiba America Research, Inc. 1333 1 Telcordia Drive 1334 Piscataway, NJ 08854 1335 USA 1337 Phone: +1 732 699 5305 1338 Email: yohba@tari.toshiba.com 1340 Rafa Marin Lopez 1341 University of Murcia 1342 30071 Murcia 1343 Spain 1345 Email: rafa@dif.um.es
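
Added example (not part of the draft or of any PANA implementation): the PaC table of Section 7.5 encoded as data and checked for which transitions gate entry to OPEN and whether every state can still reach CLOSED. Assumptions: guards are folded into event labels of this example's own naming, exit actions are dropped, CLOSED is modelled as a terminal row, and the common rules that apply to all states are not modelled.

```python
from collections import deque

# PaC per-state rows of Section 7.5 as state -> {event label: exit state}.
# Event labels are this example's own naming; guards are folded into the label.
PAC = {
    "INITIAL": {
        "AUTH_USER": "INITIAL",
        "Rx:PAR[S] no EAP-Payload": "WAIT_PAA",
        "Rx:PAR[S] EAP-Payload, piggyback": "INITIAL",
        "Rx:PAR[S] EAP-Payload, no piggyback": "WAIT_EAP_MSG",
        "EAP_RESPONSE": "WAIT_PAA",
    },
    "WAIT_PAA": {
        "Rx:PAR[] no piggyback": "WAIT_EAP_MSG",
        "Rx:PAR[] piggyback": "WAIT_EAP_MSG",
        "Rx:PAN[]": "WAIT_PAA",
        "Rx:PAR[C] PANA_SUCCESS": "WAIT_EAP_RESULT",
        "Rx:PAR[C] not PANA_SUCCESS": "WAIT_EAP_RESULT_CLOSE",
    },
    "WAIT_EAP_MSG": {
        "EAP_RESPONSE piggyback": "WAIT_PAA",
        "EAP_RESPONSE no piggyback": "WAIT_PAA",
        "EAP_RESP_TIMEOUT piggyback": "WAIT_PAA",
        "EAP_FAILURE": "CLOSED",
    },
    "WAIT_EAP_RESULT": {"EAP_SUCCESS": "OPEN", "EAP_FAILURE": "CLOSED"},
    # The table's single "EAP_SUCCESS || EAP_FAILURE" row, split into two events.
    "WAIT_EAP_RESULT_CLOSE": {"EAP_SUCCESS": "CLOSED", "EAP_FAILURE": "CLOSED"},
    "OPEN": {
        "PANA_PING": "WAIT_PNA_PING",
        "REAUTH": "WAIT_PNA_REAUTH",
        "Rx:PAR[]": "WAIT_EAP_MSG",
        "Rx:PTR[]": "CLOSED",
        "TERMINATE": "SESS_TERM",
    },
    "WAIT_PNA_REAUTH": {"Rx:PNA[A]": "WAIT_PAA", "Rx:PTR[]": "CLOSED"},
    "WAIT_PNA_PING": {"Rx:PNA[P]": "OPEN", "Rx:PAR[]": "WAIT_EAP_MSG",
                      "Rx:PTR[]": "CLOSED"},
    "SESS_TERM": {"Rx:PTA[]": "CLOSED"},
    "CLOSED": {},
}

def reachable(table, start, without=frozenset()):
    """States reachable from start once the (state, event) edges in `without` are cut."""
    seen, queue = {start}, deque([start])
    while queue:
        state = queue.popleft()
        for event, nxt in table[state].items():
            if (state, event) not in without and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def gating_edges(table, start, target):
    """Edges every path from start to target must take: cutting one isolates target."""
    edges = [(s, e) for s, row in table.items() for e in row]
    return sorted(edge for edge in edges
                  if target not in reachable(table, start, frozenset([edge])))

def entries_into(table, target):
    """All (state, event) pairs whose exit state is target, self-loops excluded."""
    return sorted((s, e) for s, row in table.items()
                  for e, nxt in row.items() if nxt == target and s != target)

def stuck_states(table, final="CLOSED"):
    """States from which no event sequence leads to the final state."""
    return sorted(s for s in table if final not in reachable(table, s))

def run(table, events, state="INITIAL"):
    """Replay a trace; an event that has no row in the current state is rejected."""
    for event in events:
        if event not in table[state]:
            raise ValueError(f"{event!r} not accepted in {state}")
        state = table[state][event]
    return state

if __name__ == "__main__":
    print("gating edges to OPEN:", gating_edges(PAC, "INITIAL", "OPEN"))
    print("entries into OPEN:", entries_into(PAC, "OPEN"))
    print("states that cannot reach CLOSED:", stuck_states(PAC))
```

The second entry into OPEN (Rx:PNA[P] from WAIT_PNA_PING) is only reachable from a session that was already OPEN, which is why it does not appear among the gating edges.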