idnits 2.17.1 draft-walker-ieee802-req-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. == The page length should not exceed 58 lines per page, but there was 6 longer pages, the longest (page 2) being 60 lines == It seems as if not all pages are separated by form feeds - found 0 form feeds but 7 pages Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 242 has weird spacing: '...imed to perta...' == Line 286 has weird spacing: '...>, and expir...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'SIM' is mentioned on line 48, but not defined -- Looks like a reference, but probably isn't: '1' on line 89 -- Looks like a reference, but probably isn't: '2' on line 92 -- Looks like a reference, but probably isn't: '3' on line 96 -- Looks like a reference, but probably isn't: '4' on line 100 -- Looks like a reference, but probably isn't: '5' on line 104 -- Looks like a reference, but probably isn't: '6' on line 109 -- Looks like a reference, but probably isn't: '7' on line 114 -- Looks like a reference, but probably isn't: '8' on line 127 -- Looks like a reference, but probably isn't: '9' on line 139 -- Looks like a reference, but probably isn't: '10' on line 142 -- Looks like a reference, but probably isn't: '11' on line 146 == Unused Reference: 'EAPSIM' is defined on line 181, but no explicit reference was found in the text == Unused Reference: 'IEEE802' is defined on line 185, but no explicit reference was found in the text == Outdated reference: A later version (-09) exists of draft-ietf-eap-rfc2284bis-08 -- Obsolete informational reference (is this intentional?): RFC 2716 (Obsoleted by RFC 5216) == Outdated reference: A later version (-10) exists of draft-josefsson-pppext-eap-tls-eap-07 == Outdated reference: A later version (-05) exists of draft-ietf-pppext-eap-ttls-03 == Outdated reference: A later version (-16) exists of draft-haverinen-pppext-eap-sim-12 Summary: 4 errors (**), 0 flaws (~~), 12 warnings (==), 14 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group Dorothy Stanley 2 INTERNET-DRAFT Agere 3 Category: Informational Jesse Walker 4 Intel Corporation 5 3 February 2004 Bernard Aboba 6 Microsoft Corporation 8 EAP Method Requirements for Wireless LANs 10 This document is an Internet-Draft and is in full conformance with all 11 provisions of Section 10 of RFC 2026. 13 Internet-Drafts are working documents of the Internet Engineering Task 14 Force (IETF), its areas, and its working groups. Note that other groups 15 may also distribute working documents as Internet-Drafts. 17 Internet-Drafts are draft documents valid for a maximum of six months 18 and may be updated, replaced, or obsoleted by other documents at any 19 time. It is inappropriate to use Internet-Drafts as reference material 20 or to cite them other than as "work in progress." 22 The list of current Internet-Drafts can be accessed at 23 http://www.ietf.org/ietf/1id-abstracts.txt 25 The list of Internet-Draft Shadow Directories can be accessed at 26 http://www.ietf.org/shadow.html. 28 Copyright Notice 30 Copyright (C) The Internet Society (2004). All Rights Reserved. 32 Abstract 34 The Draft IEEE 802.11i MAC Security Enhancements Amendment makes use of 35 IEEE 802.1X which in turn relies on the Extensible Authentication 36 Protocol (EAP). This document defines requirements for EAP methods used 37 in IEEE 802.11 wireless LAN deployments. The material in this document 38 has been approved by IEEE 802.11 and it is being presented as an IETF 39 RFC for informational purposes. 41 1. Introduction 43 The Draft IEEE 802.11i MAC Security Enhancements Amendment [IEEE802.11i] 44 makes use of IEEE 802.1X [IEEE8021X-REV] which in turn relies on the 45 Extensible Authentication Protocol (EAP), defined in [RFC2284bis]. 46 Deployments of IEEE 802.11 wireless LANs today are based on EAP, and use 47 several EAP methods, including EAP-TLS [RFC2716], EAP-TTLS [TTLS], PEAP 48 [PEAP] and EAP-SIM [SIM]. These methods support authentication 49 credentials that include digital certificates, user-names and passwords, 50 secure tokens, and SIM secrets. 52 This document defines requirements for EAP methods used in IEEE 802.11 53 wireless LAN deployments. 55 1.1. Requirements specification 57 In this document, several words are used to signify the requirements of 58 the specification. These words are often capitalized. The key words 59 "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD 60 NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be 61 interpreted as described in [RFC2119]. 63 An EAP authentication method is not compliant with this specification if 64 it fails to satisfy one or more of the MUST or MUST NOT requirements. 65 An EAP authentication method that satisfies all the MUST, MUST NOT, 66 SHOULD and SHOULD NOT requirements is said to be "unconditionally 67 compliant"; one that satisfies all the MUST and MUST NOT requirements 68 but not all the SHOULD or SHOULD NOT requirements is said to be 69 "conditionally compliant". 71 2. Method requirements 73 2.1. Credential types 75 The Draft IEEE 802.11i MAC Security Enhancements Amendment requires that 76 EAP authentication methods are available. Wireless LAN deployments are 77 expected to use different credentials types, including digital 78 certificates, user-names and passwords, existing secure tokens, and 79 mobile network credentials (GSM and UMTS secrets). Other credential 80 types that may be used include public/private key (without necessarily 81 requiring certificates), and asymmetric credential support (password on 82 one side, public/private key on the other). 84 2.2. Mandatory requirements 86 EAP authentication methods suitable for use in wireless LAN 87 authentication MUST satisfy the following criteria: 89 [1] Generation of keying material. This corresponds to the "Key 90 derivation" security claim defined in [RFC2284bis], Section 7.2.1. 92 [2] Mutual authentication support. This corresponds to the "Mutual 93 authentication" security claim defined in [RFC2284bis], Section 94 7.2.1. 96 [3] Synchronization of state. This corresponds to the "Protected 97 result indication" security claim defined in [RFC2284bis], Section 98 7.2.1. 100 [4] Resistance to dictionary attacks. This corresponds to the 101 "Dictionary attack resistance" security claim defined in 102 [RFC2284bis], Section 7.2.1. 104 [5] Protection against man-in-the-middle attacks. This corresponds to 105 the "Cryptographic binding", "Integrity Protection", "Replay 106 protection", and "Session Independence" security claims defined in 107 [RFC2284bis], Section 7.2.1. 109 [6] Protected ciphersuite negotiation. If the method negotiates the 110 ciphersuite used to protect the EAP conversation, then it MUST 111 support the "Protected ciphersuite negotiation" security claim 112 defined in [RFC2284bis], Section 7.2.1. 114 [7] Key strength. An EAP method suitable for use with IEEE 802.11 MUST 115 be capable of generating keying material with 128-bits of effective 116 key strength, as defined in [RFC2284bis] Section 7.2.1. As noted 117 in [RFC2284bis] Section 7.10, an EAP method supporting key 118 derivation MUST export a Master Session Key (MSK) of at least 64 119 octets, and an Extended Master Session Key (EMSK) of at least 64 120 octets. 122 2.3. Recommended requirements 124 EAP authentication methods used for wireless LAN authentication SHOULD 125 support the following features: 127 [8] Fragmentation. [RFC2284bis] Section 3.1 states: "EAP methods can 128 assume a minimum EAP MTU of 1020 octets, in the absence of other 129 information. EAP methods SHOULD include support for fragmentation 130 and reassembly if their payloads can be larger than this minimum 131 EAP MTU." This implies support for the "Fragmentation" claim 132 defined in [RFC2284bis], Section 7.2.1. 134 2.4. Optional features 136 EAP authentication methods used for wireless LAN authentication MAY 137 support the following features: 139 [9] Channel binding. This corresponds to the "Channel binding" 140 security claim defined in [RFC2284bis], Section 7.2.1. 142 [10] End-user identity hiding. This corresponds to the 143 "Confidentiality" security claim defined in [RFC2284bis], Section 144 7.2.1. 146 [11] Fast reconnect. This corresponds to the "Fast reconnect" security 147 claim defined in [RFC2284bis], Section 7.2.1. 149 2.5. Non-compliant EAP authentication methods 151 EAP-MD5-Challenge (the current mandatory-to-implement EAP authentication 152 method), is defined in [RFC2284bis] Section 5.4. EAP-MD5-Challenge and 153 two EAP authentication methods defined in [RFC2284bis], One-Time 154 Password (Section 5.5) and Generic Token Card (Section 5.6), are non- 155 compliant with the requirements defined in this document. 157 3. References 159 3.1. Normative References 161 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 162 Requirement Levels", RFC 2119, March, 1997. 164 [RFC2284bis] Blunk, L. , et al., "Extensible Authentication Protocol 165 (EAP)", draft-ietf-eap-rfc2284bis-08.txt, Internet-Draft 166 (work in progress), February 2004. 168 3.2. Informative References 170 [RFC2716] Aboba, B. and D. Simon, "PPP EAP TLS Authentication 171 Protocol", RFC 2716, October 1999. 173 [PEAP] Palekar, A., et al., "Protected EAP Protocol (PEAP)", 174 draft-josefsson-pppext-eap-tls-eap-07.txt, Internet draft 175 (work in progress), November 2003. 177 [TTLS] Funk, P. and S. Blake-Wilson, "EAP Tunneled TLS 178 Authentication Protocol (EAP-TTLS)", draft-ietf-pppext- 179 eap-ttls-03.txt, August 2003. 181 [EAPSIM] Haverinen, H. and J. Salowey, "EAP SIM Authentication", 182 draft-haverinen-pppext-eap-sim-12.txt, Internet draft 183 (work in progress), October 2003. 185 [IEEE802] IEEE Standards for Local and Metropolitan Area Networks: 186 Overview and Architecture, ANSI/IEEE Std 802, 1990. 188 [802.11] Information technology - Telecommunications and 189 information exchange between systems - Local and 190 metropolitan area networks - Specific Requirements Part 191 11: Wireless LAN Medium Access Control (MAC) and 192 Physical Layer (PHY) Specifications, IEEE Std. 193 802.11-1999, 1999. 195 [IEEE8021X-REV] 196 IEEE Standards for Local and Metropolitan Area Networks: 197 Port based Network Access Control, IEEE Std 802.1X-REV, 198 Draft 8, December 2003. 200 [IEEE802.11i] Institute of Electrical and Electronics Engineers, 201 "Unapproved Draft Supplement to Standard for 202 Telecommunications and Information Exchange Between 203 Systems - LAN/MAN Specific Requirements - Part 11: 204 Wireless LAN Medium Access Control (MAC) and Physical 205 Layer (PHY) Specifications: Specification for Enhanced 206 Security", IEEE Draft 802.11i (work in progress), 2003. 208 Acknowledgments 210 The authors would like to acknowledge members of the IEEE 802.11i task 211 group, including David Nelson of Enterasys Networks and Clint Chaplin of 212 Symbol Technologies for contributions to this document. 214 Authors' Addresses 216 Dorothy Stanley 217 Agere Systems 218 2000 North Naperville Rd. 219 Naperville, IL 60566 221 EMail: dstanley@agere.com 222 Phone: +1 630 979 1572 224 Jesse R. Walker 225 Intel Corporation 226 2111 N.E. 25th Avenue 227 Hillsboro, OR 97214 228 EMail: jesse.walker@intel.com 230 Bernard Aboba 231 Microsoft Corporation 232 One Microsoft Way 233 Redmond, WA 98052 235 EMail: bernarda@microsoft.com 236 Phone: +1 425 706 6605 237 Fax: +1 425 936 7329 239 Intellectual Property Statement 241 The IETF takes no position regarding the validity or scope of any 242 intellectual property or other rights that might be claimed to pertain 243 to the implementation or use of the technology described in this 244 document or the extent to which any license under such rights might or 245 might not be available; neither does it represent that it has made any 246 effort to identify any such rights. Information on the IETF's 247 procedures with respect to rights in standards-track and standards- 248 related documentation can be found in BCP-11. Copies of claims of 249 rights made available for publication and any assurances of licenses to 250 be made available, or the result of an attempt made to obtain a general 251 license or permission for the use of such proprietary rights by 252 implementors or users of this specification can be obtained from the 253 IETF Secretariat. 255 The IETF invites any interested party to bring to its attention any 256 copyrights, patents or patent applications, or other proprietary rights 257 which may cover technology that may be required to practice this 258 standard. Please address the information to the IETF Executive 259 Director. 261 Full Copyright Statement 263 Copyright (C) The Internet Society (2004). All Rights Reserved. 264 This document and translations of it may be copied and furnished to 265 others, and derivative works that comment on or otherwise explain it or 266 assist in its implementation may be prepared, copied, published and 267 distributed, in whole or in part, without restriction of any kind, 268 provided that the above copyright notice and this paragraph are included 269 on all such copies and derivative works. However, this document itself 270 may not be modified in any way, such as by removing the copyright notice 271 or references to the Internet Society or other Internet organizations, 272 except as needed for the purpose of developing Internet standards in 273 which case the procedures for copyrights defined in the Internet 274 Standards process must be followed, or as required to translate it into 275 languages other than English. The limited permissions granted above are 276 perpetual and will not be revoked by the Internet Society or its 277 successors or assigns. This document and the information contained 278 herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE 279 INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR 280 IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 281 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 282 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 284 Expiration Date 286 This memo is filed as , and expires 287 August 22, 2004.