Re: [Dime] Review of the Diameter ERP draft
Tina TSOU <tena@huawei.com> Sat, 10 January 2009 14:39 UTC
Return-Path: <dime-bounces@ietf.org>
X-Original-To: dime-archive@megatron.ietf.org
Delivered-To: ietfarch-dime-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 46AE83A67D7; Sat, 10 Jan 2009 06:39:02 -0800 (PST)
X-Original-To: dime@core3.amsl.com
Delivered-To: dime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A0D6A28C1BC for <dime@core3.amsl.com>; Sat, 10 Jan 2009 06:39:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.547
X-Spam-Level:
X-Spam-Status: No, score=-1.547 tagged_above=-999 required=5 tests=[AWL=-1.052, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YdLahzmVcUTv for <dime@core3.amsl.com>; Sat, 10 Jan 2009 06:38:58 -0800 (PST)
Received: from szxga04-in.huawei.com (unknown [119.145.14.67]) by core3.amsl.com (Postfix) with ESMTP id 6ED8928C19E for <dime@ietf.org>; Sat, 10 Jan 2009 06:38:57 -0800 (PST)
Received: from huawei.com (szxga04-in [172.24.2.12]) by szxga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KD9008R4FC85U@szxga04-in.huawei.com> for dime@ietf.org; Sat, 10 Jan 2009 22:38:33 +0800 (CST)
Received: from huawei.com ([172.24.1.6]) by szxga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KD900K3KFC8MX@szxga04-in.huawei.com> for dime@ietf.org; Sat, 10 Jan 2009 22:38:32 +0800 (CST)
Received: from [192.168.1.4] (102.175.60.58.broad.sz.gd.dynamic.163data.com.cn [58.60.175.102]) by szxml02-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0KD9003QAFC68Q@szxml02-in.huawei.com>; Sat, 10 Jan 2009 22:38:32 +0800 (CST)
Date: Sat, 10 Jan 2009 22:38:30 +0800
From: Tina TSOU <tena@huawei.com>
In-reply-to: <023801c97325$68712700$0201a8c0@nsnintra.net>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Message-id: <35BEB771-94A8-41AF-B28C-B1E25B78FFF9@huawei.com>
MIME-version: 1.0
X-Mailer: Apple Mail (2.929.2)
References: <7DBAFEC6A76F3E42817DF1EBE64CB026061E2759@ftrdmel2> <5e2406980901080218w746b69a7x320f1501aeb97266@mail.gmail.com> <C41BFCED3C088E40A8510B57B165C162F6F206@FIESEXC007.nsn-intra.net> <7DBAFEC6A76F3E42817DF1EBE64CB0260622C4DE@ftrdmel2> <C41BFCED3C088E40A8510B57B165C162F6F53B@FIESEXC007.nsn-intra.net> <5e2406980901090115m2fe2c097nee9854a9ed870127@mail.gmail.com> <49677A85.2030607@rogers.com> <E4FDB762-93D2-4085-9D1B-A274964573AF@huawei.com> <023801c97325$68712700$0201a8c0@nsnintra.net>
Cc: dime@ietf.org, diameter-routing@googlegroups.com
Subject: Re: [Dime] Review of the Diameter ERP draft
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"; DelSp="yes"
Sender: dime-bounces@ietf.org
Errors-To: dime-bounces@ietf.org
Hi Hannes, Al right, if Tom does not have clarification to your comments, I will not add it to draft-tsou-dime-routing-problem-statement-01. Anyway, other technical clarification needs to be added for problem 2. I will try to fix it before next DT meeting on next Thursday. B. R. Tina Messengers: MSN: tinatsou6@hotmail.com Yahoo: tina_tsou Skype: tinaTSOU Jabber: tina@jabber.org Google talk: tinatsou6@gmail.com +86-755-28971872 (Office) +86-13922884380(Mobile) On Jan 10, 2009, at 9:14 PM, Hannes Tschofenig wrote: > Hi Tom, Hi Tina, > > I believe you are misunderstanding the Diameter ERP usage (could > also be > me). > > We are not talking about "route-pinning" AAA routing but rather > whether the > definition of AVPs is sufficient for the design or whether a Diameter > application. > > Ciao > Hannes > >> -----Original Message----- >> From: diameter-routing@googlegroups.com >> [mailto:diameter-routing@googlegroups.com] On Behalf Of Tina TSOU >> Sent: 10 January, 2009 14:47 >> To: Tom Taylor >> Cc: Julien Bournelle; Tschofenig, Hannes (NSN - FI/Espoo); >> dime@ietf.org; diameter-routing@googlegroups.com >> Subject: Re: [Dime] Review of the Diameter ERP draft >> >> >> Hi Tom, >> Thanks for your comments. >> I will update the >> draft-tsou-dime-routing-problem-statement-01, adding this use >> case for the 2nd problem, hopefully before the design team >> meeting next Thursday. >> The design team discussion could be found in >> http://groups.google.com/group/diameter-routing?hl=en >> >> >> B. R. >> Tina >> Messengers: >> >> MSN: tinatsou6@hotmail.com Yahoo: tina_tsou Skype: tinaTSOU >> Jabber: tina@jabber.org Google talk: tinatsou6@gmail.com >> >> +86-755-28971872 (Office) +86-13922884380(Mobile) >> >> >> >> >> >> >> >> On Jan 10, 2009, at 12:25 AM, Tom Taylor wrote: >> >>> An use case for the second problem talked about in the >> routing design >>> team! >>> >>> Julien Bournelle wrote: >>>> Hi, >>>> On Fri, Jan 9, 2009 at 8:57 AM, Tschofenig, Hannes (NSN - FI/Espoo) >>>> <hannes.tschofenig@nsn.com> wrote: >>>>> My reading of this text is that there is a way for the >> peer and the >>>>> authenticator to figure out whether to use EAP or ERP. >>>> I don't see how a new App Id will help peer and authenticator to >>>> figure out ERP support. I may miss something here. >>>> My understanding is that a new Appid would however help AAA >> entities >>>> (authenticator, proxy, server) figure out ERP support. >>>>> It, however, says very little about the further routing of AAA >>>>> messages in such a way that the messages traverse nodes >>>>> understanding the additionally required functionality. If I >>>>> understood ERP correctly then some key caching takes place in the >>>>> AAA proxies and hence one wants to make sure that the messages are >>>>> actually routed via these proxies. >>>> Yes, ideally, for a given peer, the same AAA proxy/local ERP server >>>> should be contacted by authenticators. At this point, I >> don't see how >>>> to ensure this. >>>> Regards, >>>> Julien >>>>> Ciao >>>>> Hannes >>>>> >>>>> >>>>>> -----Original Message----- >>>>>> From: ext lionel.morand@orange-ftgroup.com >>>>>> [mailto:lionel.morand@orange-ftgroup.com] >>>>>> Sent: 08 January, 2009 22:26 >>>>>> To: Tschofenig, Hannes (NSN - FI/Espoo); >>>>>> julien.bournelle@gmail.com; sdecugis@hongo.wide.ad.jp; >>>>>> dime@ietf.org >>>>>> Subject: RE: [Dime] Review of the Diameter ERP draft >>>>>> >>>>>> According to the RFC 5296, it seems that it is not >> required to have >>>>>> a specific Appl-ID: >>>>>> >>>>>> "It is plausible that the authenticator does not know whether the >>>>>> peer supports ERP and whether the peer has performed a full EAP >>>>>> authentication through another authenticator. The authenticator >>>>>> MAY initiate the ERP exchange by sending the >> EAP-Initiate/Re-auth- >>>>>> Start message, and if there is no response, it will send >> the EAP- >>>>>> Request/ Identity message. Note that this avoids having two EAP >>>>>> messages in flight at the same time [2]. The authenticator may >>>>>> send the EAP- Initiate/Re-auth-Start message and wait >> for a short, >>>>>> locally configured amount of time. If the peer does not already >>>>>> know, this message indicates to the peer that the authenticator >>>>>> supports ERP. >>>>>> In response to this trigger from the authenticator, the >> peer can >>>>>> initiate the ERP exchange by sending an EAP-Initiate/Re-auth >>>>>> message. >>>>>> If there is no response from the peer after the necessary >>>>>> retransmissions (see Section 6), the authenticator MUST initiate >>>>>> EAP by sending an EAP-Request message, typically the >>>>>> EAP-Request/Identity message. Note that the authenticator may >>>>>> receive an EAP-Initiate/ Re-auth message after it has sent an >>>>>> EAP-Request/Identity message. >>>>>> If the authenticator supports ERP, it MUST proceed with the ERP >>>>>> exchange. When the EAP-Request/Identity times out, the >>>>>> authenticator MUST NOT close the connection if an ERP >> exchange is >>>>>> in progress or has already succeeded in establishing a >>>>>> re-authentication MSK. >>>>>> >>>>>> If the authenticator does not support ERP, it drops >> EAP-Initiate/ >>>>>> Re-auth messages [2] as the EAP code of those packets is greater >>>>>> than 4. An ERP-capable peer will exhaust the >> EAP-Initiate/Re-auth >>>>>> message retransmissions and fall back to EAP authentication by >>>>>> responding to EAP Request/Identity messages from the >>>>>> authenticator. If the peer does not support ERP or if >> it does not >>>>>> have unexpired key material from a previous EAP >> authentication, it >>>>>> drops EAP-Initiate/ Re-auth-Start messages. If there is no >>>>>> response to the EAP-Initiate/ Re-auth-Start message, the >>>>>> authenticator SHALL send an EAP Request message (typically EAP >>>>>> Request/Identity) to start EAP authentication. >>>>>> From this stage onwards, RFC 3748 rules apply. Note >> that this may >>>>>> introduce some delay in starting EAP. In some lower layers, the >>>>>> delay can be minimized or even avoided by the peer initiating EAP >>>>>> by sending messages such as EAPoL-Start in the IEEE 802.1X >>>>>> specification [10]." >>>>>> >>>>>> Both paragraphs assume (for me) that the ERP "option" may be >>>>>> supported by the peer and/or the network. If none of them >> (or only >>>>>> one of them) support ERP, the fallback mechanism is full EAP >>>>>> authentication. >>>>>> In that sense, knowing that the network supports ERP is not a >>>>>> pre-requisite. The minimum is to support EAP and ERP is an option >>>>>> available above EAP. That allows to deploy ERP above existing EAP >>>>>> deployment. >>>>>> >>>>>> Does it make sense? >>>>>> >>>>>> Best Regards, >>>>>> >>>>>> Lionel >>>>>> >>>>>> >>>>>>> -----Message d'origine----- >>>>>>> De : Tschofenig, Hannes (NSN - FI/Espoo) >>>>>>> [mailto:hannes.tschofenig@nsn.com] >>>>>>> Envoyé : jeudi 8 janvier 2009 13:55 À : ext Julien Bournelle; >>>>>>> MORAND Lionel RD-CORE-ISS; Sebastien Decugis; >> dime@ietf.org Objet >>>>>>> : RE: [Dime] Review of the Diameter ERP draft >>>>>>> >>>>>>> One of the things I was not quite sure with the current protocol >>>>>>> design is whether a Diameter application or just a bunch of AVPs >>>>>>> are required. >>>>>>> Based on the discussions a few of us when some of the HOKEY >>>>>> specs went >>>>>>> to the IESG / IETF Last Call I got the impression that >> one has to >>>>>>> define a new Diameter application (which would be based on >>>>>>> Diameter >>>>>>> EAP) since you assume that the messages are routed via a node in >>>>>>> the local network and the support for ERP has to be ensured. >>>>>>> >>>>>>> Ciao >>>>>>> Hannes >>>>>>> >>>>>>>> -----Original Message----- >>>>>>>> From: dime-bounces@ietf.org [mailto:dime-bounces@ietf.org] >>>>>>> On Behalf Of >>>>>>>> ext Julien Bournelle >>>>>>>> Sent: 08 January, 2009 12:18 >>>>>>>> To: lionel.morand@orange-ftgroup.com; Sebastien Decugis; >>>>>>> dime@ietf.org >>>>>>>> Subject: Re: [Dime] Review of the Diameter ERP draft >>>>>>>> >>>>>>>> Hi lionel, >>>>>>>> >>>>>>>> some comments inline. >>>>>>>> >>>>>>>> On Wed, Jan 7, 2009 at 12:03 PM, >>>>>>>> <lionel.morand@orange-ftgroup.com> wrote: >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> Here is my review for the Diameter ERP draft. >>>>>>>>> >>>>>>>>> General comments: >>>>>>>>> >>>>>>>>> - About alignment with RFC 5296: >>>>>>>>> the draft needs to be updated according to the publication >>>>>>>> of the RFC 5296. Some proposals are provided below. >>>>>>>>> - About ER server/AAA agent co-location: >>>>>>>>> In my understanding, it is assumed in this document ER >>>>>>>> server and AAA proxy have to be co-located to be able >> to rely on >>>>>>>> Diameter to transport ERP specific AVPs. This doesn't maybe >>>>>> preclude >>>>>>>> other architectural choices but there are outside the scope of >>>>>>>> this document. It is necessary to clarify this point in this >>>>>>>> document. >>>>>>>>> - ERP support discovery: >>>>>>>>> As the ERP specific AVPs are introduced with the M-bit >>>>>>>> cleared, these AVPs are purely optional for the Diameter EAP >>>>>>>> application i.e. they can be silently ignored by Diameter >>>>>>> servers that >>>>>>>> do not understand this new AVPs. Some text should be >> provided to >>>>>>>> describe how the local ER server discovers that the Home EAP >>>>>>>> server doesn't support ERP and the behaviour of the local ER >>>>>> server in that >>>>>>>> case. >>>>>>>> >>>>>>>> >>>>>>>> I agree with these general comments. >>>>>>>> >>>>>>>> >>>>>>>>> Hereafter is the rest of my review with comments and >>>>>>>>> proposals. >>>>>>>>> >>>>>>>>> Best Regards, >>>>>>>>> >>>>>>>>> Lionel >>>>>>>>> >>>>>>>>> *************************************** >>>>>>>>> >>>>>>>>> Abstract >>>>>>>>> >>>>>>>>> An EAP extension, called "EAP Re-authentication Protocol >>>>>>>> (ERP)", has >>>>>>>>> been specified that supports an EAP method-independent >>>>>>> protocol for >>>>>>>>> efficient re-authentication between the peer and the >>>>>>> server through >>>>>>>>> an authenticator. This document specifies Diameter >>>>>>>> support for ERP. >>>>>>>>> The Diameter EAP application is re-used for >>>>>>> encapsulating the newly >>>>>>>>> defined EAP Initiate and EAP Finish messages specified >>>>>> in the ERP >>>>>>>>> specification. AVPs for request and delivery of Domain >>>>>>>> Specific Root >>>>>>>>> Keys from the AAA/EAP server to the ER server are also >>>>>> specified. >>>>>>>>> Additionally, this document also specifies Diameter >>>>>>>> processing rules >>>>>>>>> relevant to ERP. >>>>>>>>> >>>>>>>>> [LM] some abusive verbiage in the abstract: >>>>>>>>> >>>>>>>>> Proposal for new abstract: >>>>>>>>> >>>>>>>>> "EAP Re-authentication Protocol defines extensions of EAP >>>>>>>> to support >>>>>>>>> efficient re-authentication between the peer and an EAP >>>>>>>>> re-authentication server through any authenticator. >>>>>>>> I'm wondering if we should note that the authenticator may be >>>>>>>> ERP-aware. >>>>>>>> I'm thinking about the case where the authenticator sends the >>>>>>>> EAP-Initiate/Re-auth-Start (Figure 4 in RFC 5296) >>>>>>>> >>>>>>>> >>>>>>>>> This document >>>>>>>>> specifies Diameter support for ERP. The Diameter EAP >>>>>>> application is >>>>>>>>> re-used for encapsulating the newly defined EAP messages >>>>>>> specified >>>>>>>>> in the ERP specification. Additionally, this document >>>>>>> also defines >>>>>>>>> specific Diameter processing rules relevant to ERP." >>>>>>>> ok >>>>>>>> >>>>>>>>> >>>>>>>>> 1. Introduction >>>>>>>>> >>>>>>>>> RFC 4072 [1] specifies a Diameter application that >> carries EAP >>>>>>>>> packets between a Diameter client and the Diameter >>>>>>>> Server/EAP server. >>>>>>>>> [2] defines the EAP Re-authentication Protocol to allow >>>>>>> faster re- >>>>>>>>> authentication of a previously authenticated peer. >>>>>>>>> >>>>>>>>> [LM] s/[2] defines the EAP Re-authentication Protocol/RFC >>>>>> 5296 [2] >>>>>>>>> defines the EAP Re-authentication Protocol (ERP) >>>>>>>>> >>>>>>>>> In ERP, a peer >>>>>>>>> authenticates to the network by proving possession of >>>>>>> key material >>>>>>>>> derived during a previous EAP exchange. >>>>>>>>> >>>>>>>>> [LM] s/a peer authenticate to/a peer is authenticated by >>>>>>>>> >>>>>>>>> For this purpose, an >>>>>>>>> Extended Master Session Key (EMSK) based >> re-authentication key >>>>>>>>> hierarchy has been defined [5]. ERP may be executed >>>>>>> between the ER >>>>>>>>> peer and an ER server in the peer's home domain or the >>>>>>> local domain >>>>>>>>> visited by the peer. In the latter case, a Domain >>>>>>> Specific Root Key >>>>>>>>> (DSRK), derived from the EMSK, is provided to the local >>>>>> domain ER >>>>>>>>> server. >>>>>>>>> >>>>>>>>> [LM] s/is provided to/is provided by the Home ER server to >>>>>>>>> >>>>>>>>> The peer and the local server subsequently use the re- >>>>>>>>> authentication key hierarchy from the DSRK to authenticate >>>>>>>> and derive >>>>>>>>> authenticator specific keys within that domain. >>>>>>>>> >>>>>>>>> [LM] this information can be found in the RFC 5296. Remove >>>>>>>> the sentence above. >>>>>>>> >>>>>>>> It may help the reader to understand the purpose of this DRSK. >>>>>>>> >>>>>>>>> To accomplish the >>>>>>>>> reauthentication functionality, ERP defines two new EAP >>>>>>> codes - EAP >>>>>>>>> Initiate and EAP Finish. >>>>>>>>> >>>>>>>>> [LM] s/ERP defines two new EAP codes/ERP defines two new >>>>>>> EAP messages >>>>>>>> I would prefer to say that ERP defines two new EAP Codes >>>>>>> here. These >>>>>>>> newly EAP packets are then carried in messages >> (dependent of the >>>>>>>> protocol used). >>>>>>>> >>>>>>>>> This document specifies the reuse of Diameter EAP >> application >>>>>>>>> to carry these new EAP messages. >>>>>>>>> The DSRK can be obtained as part of the regular EAP >>>>>>> exchange or as >>>>>>>>> part of an ERP bootstrapping exchange. The local ER server >>>>>>>>> requesting the DSRK needs to be in the path of the EAP or ERP >>>>>>>>> bootstrapping exchange in order to request and obtain the >>>>>>>> DSRK. This >>>>>>>>> document also specifies how the DSRK is transported to >>>>>>> the local ER >>>>>>>>> server using Diameter. >>>>>>>>> >>>>>>>>> [LM] Finally, i would reorganize the last part as follow: >>>>>>>>> >>>>>>>>> ::::::::::: >>>>>>>>> >>>>>>>>> "In ERP, a peer is authenticated by the network thanks to >>>>>>>> keying material >>>>>>>>> obtained during a previous EAP exchange. This keying >>>>>>>> material is derived >>>>>>>>> from the Extended Master Session Key (EMSK) defined in the >>>>>>>> RFC 5295 [5]. >>>>>>>>> To accomplish the EAP reauthentication functionality, ERP >>>>>>>> defines two new >>>>>>>>> EAP messages - EAP Initiate and EAP Finish. This document >>>>>>>> specifies the >>>>>>>>> reuse of Diameter EAP Application to carry these new EAP >>>>>>> messages. >>>>>>>>> ERP is executed between the peer and a server located >>>>>>>> either in the peer's >>>>>>>>> home domain or in the local domain visited by the peer. In >>>>>>>> the latter case, >>>>>>>>> a Domain Specific Root Key (DSRK) is derived from the >>>>>>>> EMSK, as defined in >>>>>>>>> the RFC 5295 [5], and is provided by the Home EAP server >>>>>>>> to the local domain >>>>>>>>> server. For that purpose, this document specifies the >>>>>>>> transport of the DSRK >>>>>>>>> using the Diameter EAP Application." >>>>>>>> First paragraph is the old and second the new ? >>>>>>>> >>>>>>>>> :::::::::::::: >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> 2. Terminology >>>>>>>>> >>>>>>>>> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", >>>>>>> "SHALL NOT", >>>>>>>>> "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and >>>>>>>> "OPTIONAL" in this >>>>>>>>> document are to be interpreted as described in RFC 2119 [3]. >>>>>>>>> >>>>>>>>> This document uses terminology defined in [6], [5], >>>>>> [2], and [1]. >>>>>>>>> >>>>>>>>> 3. Assumptions >>>>>>>>> >>>>>>>>> This document defines additional optional AVPs for >>>>>> usage with the >>>>>>>>> Diameter EAP application. Routing of these messages is >>>>>> therefore >>>>>>>>> provided via the Diameter Application Identifier >> (among other >>>>>>>>> elements), as specified by the Diameter Base protocol [4]. >>>>>>>>> >>>>>>>>> [LM] To avoid any ambiguity I would say: >>>>>>>>> >>>>>>>>> "This document defines only additional optional AVPs for >>>>>>> usage with >>>>>>>>> the Diameter EAP application. This document does not defined >>>>>>>>> a new Diameter application and a new Application ID is >>>>>>>> therefore not >>>>>>>>> required, as described in the Diameter Base protocol [4]." >>>>>>>> ok >>>>>>>> >>>>>>>>> Based on >>>>>>>>> the deployment of ERP, a local Diameter server (the >> same entity >>>>>>>>> serves as a Diameter proxy during the full EAP >>>>>>> authentication) may >>>>>>>>> play the role of the ER server for future >>>>>>>> re-authentication attempts. >>>>>>>>> As such, the local Diameter server requesting the DSRK >>>>>>>> needs to be in >>>>>>>>> the path of the current EAP exchange between the peer >>>>>> and the EAP >>>>>>>>> server and also along in the future. The Diameter client is >>>>>>>>> furthermore assumed to be able to route the re-authentication >>>>>>>>> messages to the ER server. >>>>>>>>> >>>>>>>>> [LM] I think that the assumption all along this document is >>>>>>>> that the local ER server and the AAA agent are co-located, >>>>>>> to be able >>>>>>>> to rely on DEA for the transport of DSRK. In that case, I >>>>>> would say >>>>>>>> something like: >>>>>>>>> "In this document, when EAP re-authentication is performed >>>>>>>> in the domain >>>>>>>>> visited by the peer, it is assumed that the local ER >>>>>>>> server is co-located >>>>>>>>> with a Diameter agent in the visited domain present in >>>>>>>> the path of the full >>>>>>>>> EAP exchange." >>>>>>>> ok >>>>>>>> >>>>>>>>> >>>>>>>>> 4. Diameter Support for ERP >>>>>>>>> >>>>>>>>> 4.1. Protocol Overview >>>>>>>>> >>>>>>>>> Diameter may be used to transport ERP messages between the NAS >>>>>>>>> (authenticator) and an authentication server (ER server). >>>>>>>>> >>>>>>>>> [LM] s/may/is (the use of Diameter is a pre-requisite in >>>>>>> this draft) >>>>>>>>> In ERP, the peer sends an EAP Initiate Reauth message >> to the ER >>>>>>>>> server via the authenticator. >>>>>>>>> >>>>>>>>> [LM] s/"EAP Initiate Reauth message"/"EAP-Initiate/Re-auth >>>>>>> message" >>>>>>>>> (same all along the document) >>>>>>>>> >>>>>>>>> Alternatively, the NAS may send an EAP Initiate Reauth-Start >>>>>>>>> message to the peer to trigger >>>>>> the start of >>>>>>>>> ERP; the peer then responds with an EAP Initiate Reauth >>>>>>> message to >>>>>>>>> the NAS. >>>>>>>>> >>>>>>>>> [LM] s/"EAP Initiate Reauth-Start >>>>>>>> message"/"EAP-Initiate/Re-auth-Start >>>>>>>>> message" (same all along the document) >>>>>>>>> >>>>>>>>> The general guidelines for encapsulating EAP messages >>>>>> in Diameter >>>>>>>>> from RFC 4072 [1] apply to the new EAP messages defined >>>>>>> for ERP as >>>>>>>>> well. The EAP Initiate Reauth message is encapsulated >>>>>> in an EAP- >>>>>>>>> Payload AVP of a Diameter EAP-Request message by the NAS >>>>>>>> and sent to >>>>>>>>> the Diameter server. The NAS MUST copy the contents of >>>>>> the value >>>>>>>>> field of the 'rIKName as NAI' TLV or the peer-id TLV (when >>>>>>>> the former >>>>>>>>> is not present) of the EAP Initiate Reauth message into >>>>>>> a User-Name >>>>>>>>> AVP of the Diameter EAP-Request. >>>>>>>>> >>>>>>>>> [LM] I think that we are talking about the 'keyName-NAI' TLV >>>>>>>> and not anymore the 'rIKName as NAI' TLV. >>>>>>>> >>>>>>>> Considering section 5.3.2 of RFC 5296. I agree. >>>>>>>> >>>>>>>>> Moreover, in which case the peer-id TLV would not be >>>>>>> present for ERP? >>>>>>>> Privacy ? >>>>>>>> >>>>>>>>> The ER server processes the EAP Initiate Reauth message in >>>>>>>> accordance >>>>>>>>> with [2], and if that is successful, it responds with an >>>>>>> EAP Finish >>>>>>>>> Reauth message indicating a success ('R' flag set to >> 0). The >>>>>>>>> Diameter server MUST encapsulate the EAP Finish Reauth >>>>>>> message with >>>>>>>>> the R flag set to zero in an EAP-Payload AVP attribute of >>>>>>>> a Diameter >>>>>>>>> EAP-Answer message. An EAP-Master-Session-Key AVP >>>>>>> included in the >>>>>>>>> Diameter EAP-Answer contains the Re-authentication Master >>>>>>>> Session Key >>>>>>>>> (rMSK). The Diameter Result Code, if any, SHOULD be a >>>>>>>> success Result >>>>>>>>> Code. >>>>>>>>> >>>>>>>>> If the processing of the EAP Initiate Reauth message >>>>>>> resulted in a >>>>>>>>> failure, the Diameter server MUST encapsulate an EAP >>>>>>> Finish Reauth >>>>>>>>> message indicating failure ('R' flag set to 1) in an >>>>>>>> EAP-Payload AVP >>>>>>>>> of a Diameter EAP-Answer message. The Diameter Result >>>>>>>> Code, if any, >>>>>>>>> SHOULD be a failure Result Code. Whether an EAP >> Finish Reauth >>>>>>>>> message is sent at all is specified in [2]. >>>>>>>>> >>>>>>>>> [LM] the use of the 'R' flag is not relevant for Diameter EAP. >>>>>>>>> [LM] according to the RFC, the EAP-Finish/Re-auth is sent >>>>>>>> back in any case, success or failure. >>>>>>>>> [LM] according to the above comments, I would rephrase the >>>>>>>> text as follow: >>>>>>>>> >>>>>>>>> "The ER server processes the EAP Initiate Reauth message >>>>>>>> in accordance >>>>>>>>> with [2] and responds with an EAP-Finish/Re-auth message. >>>>>>>> The Diameter >>>>>>>>> server MUST encapsulate the EAP-Finish/Re-auth message within >>>>>>>>> an EAP-Payload AVP of a Diameter EAP-Answer message. >>>>>>>>> In an EAP re-authentication successful case, an >>>>>>>> EAP-Master-Session-Key >>>>>>>>> AVP is included in the Diameter EAP-Answer message that >>>>>>>> contains the >>>>>>>>> Re-authentication Master Session Key (rMSK). The Diameter >>>>>>>> Result-Code >>>>>>>>> SHOULD be a success Result-Code. >>>>>>>>> In an EAP re-authentication failure case, the Diameter >>>>>>>> Result-Code of >>>>>>>>> the a Diameter EAP-Answer message SHOULD be a failure >>>>>>>> Result-Code and >>>>>>>>> no EAP-Master-Session-Key AVP is present." >>>>>>>>> >>>>>>>>> [LM] By the way, I don't understand the "SHOULD" for the >>>>>>>> result-code. Any reason not to use "MUST" here? >>>>>>>> >>>>>>>> I think a MUST would be better. Different views ? >>>>>>>> >>>>>>>>> [LM] a figure could be added for illustration here. >>>>>>>>> >>>>>>>>> 4.2. DSRK Request and Delivery >>>>>>>>> >>>>>>>>> A local ER server, collocated with a Diameter proxy in >>>>>> the peer's >>>>>>>>> visited domain, >>>>>>>>> >>>>>>>>> [LM] s/in the peer's visited domain/in the domain visited >>>>>>> by the peer >>>>>>>>> may request a DSRK from the EAP server, either in the >> initial >>>>>>>>> EAP exchange (implicit bootstrapping) or in an ERP >>>>>>>>> bootstrapping exchange (explicit bootstrapping). It >>>>>> does this by >>>>>>>>> including the EAP-DSRK-Request AVP in the Diameter >> EAP-Response >>>>>>>>> message. The EAP-DSRK-Request AVP contains the domain >> or server >>>>>>>>> identity required to derive the DSRK. >>>>>>>>> >>>>>>>>> [LM] the EAP-DSRK-Request AVP is included in the Diameter >>>>>>>> EAP-Request >>>>>>>>> (and not in the response) >>>>>>>> yes. >>>>>>>> >>>>>>>>> An EAP server MAY send the DSRK when it receives a >>>>>> valid Diameter >>>>>>>>> EAP-Request message containing an EAP-DSRK-Request AVP. >>>>>>>> An ER server >>>>>>>>> MUST send the DSRK (or send a failure result) when it >> receives >>>>>>>>> a valid Diameter EAP-Request message containing an >>>>>>>> EAP-DSRK-Request AVP >>>>>>>>> along with a valid EAP Initiate Re-auth packet with the >>>>>>>> bootstrapping >>>>>>>>> flag turned on. If an EAP-DSRK-Request AVP is included in >>>>>>>> any other >>>>>>>>> Diameter EAP-Request message, the Diameter server MUST >>>>>>> reply with a >>>>>>>>> failure result. An EAP-DSRK AVP MUST be used to send a >>>>>>>> DSRK; an EAP- >>>>>>>>> DSRK-Name AVP MUST be used to send the DSRK's keyname; >>>>>>> and an EAP- >>>>>>>>> DSRK-Lifetime AVP MUST be used to send the DSRK's lifetime. >>>>>>>>> >>>>>>>>> [LM] I don't understand the intention of the above text. >>>>>>>> Could it be enough to say: >>>>>>>>> In successful case, the DSRK is carried by the EAP-DSRK >>>>>>> AVP in the >>>>>>>>> Diameter EAP response message. Along with the >> EAP-DSRK AVP, an >>>>>>>>> EAP-DSRK-Name AVP MUST be used to send the DSRK's >> keyname and an >>>>>>>>> EAP-DSRK-Lifetime AVP MUST be used to send the DSRK's >>>>>>>>> lifetime. >>>>>>>> Agree. >>>>>>>> >>>>>>>>> [LM] a figure could be added for illustration here. >>>>>>>>> >>>>>>>>> 5. Command Codes >>>>>>>>> >>>>>>>>> [LM] this section is not required as there is nothing >>>>>>>> specific for ERP. We should skip it. >>>>>>>>> [SKIP] >>>>>>>>> >>>>>>>>> >>>>>>>>> 6. Attribute Value Pair Definitions >>>>>>>>> >>>>>>>>> 6.1. EAP-DSRK-Request AVP >>>>>>>>> >>>>>>>>> The EAP-DSRK AVP (AVP Code TBD) is of type DiameterIdentity. >>>>>>>>> >>>>>>>>> [LM] s/EAP-DSRK AVP/EAP-DSRK-Request AVP >>>>>>>>> >>>>>>>>> This >>>>>>>>> AVP fulfills two purposes: First, it indicates that a ER >>>>>>> server is >>>>>>>>> located in the local domain that is willing to play the >>>>>>>> role of an ER >>>>>>>>> server for a particular session. Second, it conveys >>>>>>>>> information about the domain and ER server identity to the >>>>>>> Diameter/EAP server. >>>>>>>>> [LM] the use of this AVP is explained above. There is no >>>>>>>> need to explain again. >>>>>>>> >>>>>>>> As we are in the AVP Definitions, I think it is better to >>>>>> keep some >>>>>>>> text explaining it. No ? >>>>>>>> >>>>>>>>> Moreover, if a DiameterIdentity is used, it is to indicate a >>>>>>>> server and not a domain. Right? >>>>>>>> >>>>>>>> In my understanding the local ER server only sends the Domain >>>>>>>> Name which will then be used to compute keys. Maybe the type >>>>>>>> DiameterIdentity is not appropriated and we should use >> UTF8String >>>>>>>> instead. What do you think ? >>>>>>>> >>>>>>>> >>>>>>>>> 6.2. EAP-DSRK AVP >>>>>>>>> >>>>>>>>> The EAP-DSRK AVP (AVP Code TBD) is of type OctetString. >>>>>>> The Domain >>>>>>>>> Specific Root Key (DSRK) is carried in this payload. >>>>>>>>> >>>>>>>>> 6.3. EAP-DSRK-Name AVP >>>>>>>>> >>>>>>>>> The EAP-DSRK-Name AVP (AVP Code TBD) is of type >>>>>>> OctetString. This >>>>>>>>> AVP contains the name of the DSRK key that is later used >>>>>>> during the >>>>>>>>> re-authentication exchange to select the correct DSRK. >>>>>>>>> >>>>>>>>> [LM] skip the part starting by "that is..." >>>>>>>> ok >>>>>>>> >>>>>>>>> 6.4. EAP-DSRK-Lifetime AVP >>>>>>>>> >>>>>>>>> The EAP-DSRK-Lifetime AVP (AVP Code TBD) is of type >>>>>>> Unsigned64 and >>>>>>>>> contains the DSRK lifetime in seconds. >>>>>>>>> >>>>>>>>> >>>>>>>>> 7. AVP Occurrence Table >>>>>>>>> >>>>>>>>> The following table lists the AVPs that may optionally be >>>>>>>> present in >>>>>>>>> the DER and DEA commands [1]. >>>>>>>>> >>>>>>>>> >>>>>>>>> +---------------+ >>>>>>>>> | Command-Code | >>>>>>>>> +-+-----+-----+-+ >>>>>>>>> Attribute Name | DER | DEA | >>>>>>>>> -------------------------------|-----+-----+ >>>>>>>>> EAP-DSRK-Request | 0-1 | 0 | >>>>>>>>> EAP-DSRK | 0 | 0-1 | >>>>>>>>> EAP-DSRK-Name | 0 | 0-1 | >>>>>>>>> EAP-DSRK-Lifetime | 0 | 0-1 | >>>>>>>>> +-----+-----+ >>>>>>>>> >>>>>>>>> Figure 4: DER and DEA Commands AVP Table >>>>>>>>> >>>>>>>>> When the EAP-DSRK AVP is present in the DEA then the >>>>>>> EAP-DSRK-Name >>>>>>>>> and the EAP-DSRK-Lifetime MUST also be present. >>>>>>>>> >>>>>>>>> >>>>>>>>> 8. AVP Flag Rules >>>>>>>>> >>>>>>>>> The following table describes the Diameter AVPs, >> their AVP Code >>>>>>>>> values, types, possible flag values, and whether the >> AVP MAY be >>>>>>>>> encrypted. The Diameter base [4] specifies the AVP Flag >>>>>>> rules for >>>>>>>>> AVPs in Section 4.5. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> +---------------------+ >>>>>>>>> | AVP Flag >>>>>>>>> Rules | >>>>>>>>> >>>>>>>> +----+-----+----+-----+----+ >>>>>>>>> AVP Section | | >>>>>>>> |SHLD|MUST | | >>>>>>>>> Attribute Name Code Defined Data Type |MUST| MAY |NOT >>>>>>>> |NOT |Encr| >>>>>>>> ------------------------------------------+----+-----+----+-- >>>>>>> ---+----+ >>>>>>>>> EAP-DSRK-Request TBD 4.7.1 DiamIdent | | P | | >>>>>>>> V,M | Y | >>>>>>>>> EAP-DSRK TBD 4.7.2 OctetString| | P | | >>>>>>>> V,M | Y | >>>>>>>>> EAP-DSRK-Name TBD 4.7.3 OctetString| | P | | >>>>>>>> V,M | Y | >>>>>>>>> EAP-DSRK-Lifetime TBD 4.7.4 Unsigned64 | | P | | >>>>>>>> V,M | Y | >>>>>>>>> >>>>>>>> ------------------------------------------+----+-----+----+-- >>>>>>> ---+----+ >>>>>>>>> Due to space constraints, the short form DiamIdent is used to >>>>>>>>> represent DiameterIdentity. >>>>>>>>> >>>>>>>>> Figure 5: AVP Flag Rules Table >>>>>>>>> >>>>>>>>> [LM] this table is ok according to the current RFC 3588. I >>>>>>>> don't know how to deal with it regarding the RFC3588bis... >>>>>>>> >>>>>>>> >>>>>>>> That's indeed a good question :). >>>>>>>> >>>>>>>> And that's all for my comments of your comments. >>>>>>>> >>>>>>>> Regards, >>>>>>>> >>>>>>>> --Julien-- >>>>>>>> _______________________________________________ >>>>>>>> DiME mailing list >>>>>>>> DiME@ietf.org >>>>>>>> https://www.ietf.org/mailman/listinfo/dime >>>>>>>> >>>> _______________________________________________ >>>> DiME mailing list >>>> DiME@ietf.org >>>> https://www.ietf.org/mailman/listinfo/dime >> >> >> --~--~---------~--~----~------------~-------~--~----~ >> You received this message because you are subscribed to the >> Google Groups "diameter-routing" group. >> To post to this group, send email to >> diameter-routing@googlegroups.com To unsubscribe from this >> group, send email to diameter-routing+unsubscribe@googlegroups.com >> For more options, visit this group at >> http://groups.google.com/group/diameter-routing?hl=en >> -~----------~----~----~----~------~----~------~--~--- >> > > _______________________________________________ > DiME mailing list > DiME@ietf.org > https://www.ietf.org/mailman/listinfo/dime _______________________________________________ DiME mailing list DiME@ietf.org https://www.ietf.org/mailman/listinfo/dime
- [Dime] Review of the Diameter ERP draft lionel.morand
- Re: [Dime] Review of the Diameter ERP draft Julien Bournelle
- Re: [Dime] Review of the Diameter ERP draft Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Dime] Review of the Diameter ERP draft lionel.morand
- Re: [Dime] Review of the Diameter ERP draft Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Dime] Review of the Diameter ERP draft lionel.morand
- Re: [Dime] Review of the Diameter ERP draft Julien Bournelle
- Re: [Dime] Review of the Diameter ERP draft Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Dime] Review of the Diameter ERP draft Tom Taylor
- Re: [Dime] Review of the Diameter ERP draft Tina TSOU
- Re: [Dime] Review of the Diameter ERP draft Hannes Tschofenig
- Re: [Dime] Review of the Diameter ERP draft Tina TSOU
- Re: [Dime] Review of the Diameter ERP draft Tom Taylor
- Re: [Dime] Review of the Diameter ERP draft Tina TSOU
- Re: [Dime] Review of the Diameter ERP draft Glen Zorn
- Re: [Dime] Review of the Diameter ERP draft Tschofenig, Hannes (NSN - FI/Espoo)