Re: [Dime] Review of the Diameter ERP draft
Tina TSOU <tena@huawei.com> Sat, 10 January 2009 12:47 UTC
Return-Path: <dime-bounces@ietf.org>
X-Original-To: dime-archive@megatron.ietf.org
Delivered-To: ietfarch-dime-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AEB0728C184; Sat, 10 Jan 2009 04:47:47 -0800 (PST)
X-Original-To: dime@core3.amsl.com
Delivered-To: dime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BA25128C184 for <dime@core3.amsl.com>; Sat, 10 Jan 2009 04:47:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xG9KA4ZM9LsP for <dime@core3.amsl.com>; Sat, 10 Jan 2009 04:47:44 -0800 (PST)
Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [119.145.14.66]) by core3.amsl.com (Postfix) with ESMTP id 64A3428C0D9 for <dime@ietf.org>; Sat, 10 Jan 2009 04:47:43 -0800 (PST)
Received: from huawei.com (szxga03-in [172.24.2.9]) by szxga03-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KD90099BA721H@szxga03-in.huawei.com> for dime@ietf.org; Sat, 10 Jan 2009 20:47:27 +0800 (CST)
Received: from huawei.com ([172.24.1.6]) by szxga03-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KD900BATA72C7@szxga03-in.huawei.com> for dime@ietf.org; Sat, 10 Jan 2009 20:47:26 +0800 (CST)
Received: from [192.168.1.4] (102.175.60.58.broad.sz.gd.dynamic.163data.com.cn [58.60.175.102]) by szxml02-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0KD9003N0A708Q@szxml02-in.huawei.com>; Sat, 10 Jan 2009 20:47:26 +0800 (CST)
Date: Sat, 10 Jan 2009 20:47:24 +0800
From: Tina TSOU <tena@huawei.com>
In-reply-to: <49677A85.2030607@rogers.com>
To: Tom Taylor <tom.taylor@rogers.com>
Message-id: <E4FDB762-93D2-4085-9D1B-A274964573AF@huawei.com>
MIME-version: 1.0
X-Mailer: Apple Mail (2.929.2)
References: <7DBAFEC6A76F3E42817DF1EBE64CB026061E2759@ftrdmel2> <5e2406980901080218w746b69a7x320f1501aeb97266@mail.gmail.com> <C41BFCED3C088E40A8510B57B165C162F6F206@FIESEXC007.nsn-intra.net> <7DBAFEC6A76F3E42817DF1EBE64CB0260622C4DE@ftrdmel2> <C41BFCED3C088E40A8510B57B165C162F6F53B@FIESEXC007.nsn-intra.net> <5e2406980901090115m2fe2c097nee9854a9ed870127@mail.gmail.com> <49677A85.2030607@rogers.com>
Cc: dime@ietf.org, diameter-routing@googlegroups.com
Subject: Re: [Dime] Review of the Diameter ERP draft
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"; DelSp="yes"
Sender: dime-bounces@ietf.org
Errors-To: dime-bounces@ietf.org
Hi Tom, Thanks for your comments. I will update the draft-tsou-dime-routing-problem-statement-01, adding this use case for the 2nd problem, hopefully before the design team meeting next Thursday. The design team discussion could be found in http://groups.google.com/group/diameter-routing?hl=en B. R. Tina Messengers: MSN: tinatsou6@hotmail.com Yahoo: tina_tsou Skype: tinaTSOU Jabber: tina@jabber.org Google talk: tinatsou6@gmail.com +86-755-28971872 (Office) +86-13922884380(Mobile) On Jan 10, 2009, at 12:25 AM, Tom Taylor wrote: > An use case for the second problem talked about in the routing > design team! > > Julien Bournelle wrote: >> Hi, >> On Fri, Jan 9, 2009 at 8:57 AM, Tschofenig, Hannes (NSN - FI/Espoo) >> <hannes.tschofenig@nsn.com> wrote: >>> My reading of this text is that there is a way for the peer and >>> the authenticator to figure out whether to use EAP or ERP. >> I don't see how a new App Id will help peer and authenticator to >> figure out ERP support. I may miss something here. >> My understanding is that a new Appid would however help AAA entities >> (authenticator, proxy, server) figure out ERP support. >>> It, however, says very little about the further routing of AAA >>> messages in such a way that the messages traverse nodes >>> understanding the additionally required functionality. If I >>> understood ERP correctly then some key caching takes place in the >>> AAA proxies and hence one wants to make sure that the messages are >>> actually routed via these proxies. >> Yes, ideally, for a given peer, the same AAA proxy/local ERP server >> should be contacted by authenticators. At this point, I don't see how >> to ensure this. >> Regards, >> Julien >>> Ciao >>> Hannes >>> >>> >>>> -----Original Message----- >>>> From: ext lionel.morand@orange-ftgroup.com >>>> [mailto:lionel.morand@orange-ftgroup.com] >>>> Sent: 08 January, 2009 22:26 >>>> To: Tschofenig, Hannes (NSN - FI/Espoo); >>>> julien.bournelle@gmail.com; sdecugis@hongo.wide.ad.jp; >>>> dime@ietf.org >>>> Subject: RE: [Dime] Review of the Diameter ERP draft >>>> >>>> According to the RFC 5296, it seems that it is not required to >>>> have a specific Appl-ID: >>>> >>>> "It is plausible that the authenticator does not know >>>> whether the peer >>>> supports ERP and whether the peer has performed a full EAP >>>> authentication through another authenticator. The authenticator >>>> MAY >>>> initiate the ERP exchange by sending the EAP-Initiate/Re-auth- >>>> Start >>>> message, and if there is no response, it will send the EAP- >>>> Request/ >>>> Identity message. Note that this avoids having two EAP messages >>>> in >>>> flight at the same time [2]. The authenticator may send the EAP- >>>> Initiate/Re-auth-Start message and wait for a short, locally >>>> configured amount of time. If the peer does not already know, >>>> this >>>> message indicates to the peer that the authenticator supports ERP. >>>> In response to this trigger from the authenticator, the peer can >>>> initiate the ERP exchange by sending an >>>> EAP-Initiate/Re-auth message. >>>> If there is no response from the peer after the necessary >>>> retransmissions (see Section 6), the authenticator MUST initiate >>>> EAP >>>> by sending an EAP-Request message, typically the >>>> EAP-Request/Identity >>>> message. Note that the authenticator may receive an EAP-Initiate/ >>>> Re-auth message after it has sent an EAP-Request/Identity message. >>>> If the authenticator supports ERP, it MUST proceed with the ERP >>>> exchange. When the EAP-Request/Identity times out, the >>>> authenticator >>>> MUST NOT close the connection if an ERP exchange is in progress or >>>> has already succeeded in establishing a re-authentication MSK. >>>> >>>> If the authenticator does not support ERP, it drops EAP-Initiate/ >>>> Re-auth messages [2] as the EAP code of those packets is >>>> greater than >>>> 4. An ERP-capable peer will exhaust the >>>> EAP-Initiate/Re-auth message >>>> retransmissions and fall back to EAP authentication by >>>> responding to >>>> EAP Request/Identity messages from the authenticator. If the peer >>>> does not support ERP or if it does not have unexpired key material >>>> from a previous EAP authentication, it drops EAP-Initiate/ >>>> Re-auth-Start messages. If there is no response to the >>>> EAP-Initiate/ >>>> Re-auth-Start message, the authenticator SHALL send an EAP Request >>>> message (typically EAP Request/Identity) to start EAP >>>> authentication. >>>> From this stage onwards, RFC 3748 rules apply. Note that this may >>>> introduce some delay in starting EAP. In some lower layers, the >>>> delay can be minimized or even avoided by the peer initiating >>>> EAP by >>>> sending messages such as EAPoL-Start in the IEEE 802.1X >>>> specification >>>> [10]." >>>> >>>> Both paragraphs assume (for me) that the ERP "option" may be >>>> supported by the peer and/or the network. If none of them (or >>>> only one of them) support ERP, the fallback mechanism is full >>>> EAP authentication. >>>> In that sense, knowing that the network supports ERP is not a >>>> pre-requisite. The minimum is to support EAP and ERP is an >>>> option available above EAP. That allows to deploy ERP above >>>> existing EAP deployment. >>>> >>>> Does it make sense? >>>> >>>> Best Regards, >>>> >>>> Lionel >>>> >>>> >>>>> -----Message d'origine----- >>>>> De : Tschofenig, Hannes (NSN - FI/Espoo) >>>>> [mailto:hannes.tschofenig@nsn.com] >>>>> Envoyé : jeudi 8 janvier 2009 13:55 >>>>> À : ext Julien Bournelle; MORAND Lionel RD-CORE-ISS; Sebastien >>>>> Decugis; dime@ietf.org Objet : RE: [Dime] Review of the Diameter >>>>> ERP >>>>> draft >>>>> >>>>> One of the things I was not quite sure with the current protocol >>>>> design is whether a Diameter application or just a bunch of AVPs >>>>> are >>>>> required. >>>>> Based on the discussions a few of us when some of the HOKEY >>>> specs went >>>>> to the IESG / IETF Last Call I got the impression that one has to >>>>> define a new Diameter application (which would be based on >>>>> Diameter >>>>> EAP) since you assume that the messages are routed via a node in >>>>> the >>>>> local network and the support for ERP has to be ensured. >>>>> >>>>> Ciao >>>>> Hannes >>>>> >>>>>> -----Original Message----- >>>>>> From: dime-bounces@ietf.org [mailto:dime-bounces@ietf.org] >>>>> On Behalf Of >>>>>> ext Julien Bournelle >>>>>> Sent: 08 January, 2009 12:18 >>>>>> To: lionel.morand@orange-ftgroup.com; Sebastien Decugis; >>>>> dime@ietf.org >>>>>> Subject: Re: [Dime] Review of the Diameter ERP draft >>>>>> >>>>>> Hi lionel, >>>>>> >>>>>> some comments inline. >>>>>> >>>>>> On Wed, Jan 7, 2009 at 12:03 PM, >>>>>> <lionel.morand@orange-ftgroup.com> wrote: >>>>>>> Hi, >>>>>>> >>>>>>> Here is my review for the Diameter ERP draft. >>>>>>> >>>>>>> General comments: >>>>>>> >>>>>>> - About alignment with RFC 5296: >>>>>>> the draft needs to be updated according to the publication >>>>>> of the RFC 5296. Some proposals are provided below. >>>>>>> - About ER server/AAA agent co-location: >>>>>>> In my understanding, it is assumed in this document ER >>>>>> server and AAA proxy have to be co-located to be able to rely on >>>>>> Diameter to transport ERP specific AVPs. This doesn't maybe >>>> preclude >>>>>> other architectural choices but there are outside the scope of >>>>>> this >>>>>> document. It is necessary to clarify this point in this document. >>>>>>> - ERP support discovery: >>>>>>> As the ERP specific AVPs are introduced with the M-bit >>>>>> cleared, these AVPs are purely optional for the Diameter EAP >>>>>> application i.e. they can be silently ignored by Diameter >>>>> servers that >>>>>> do not understand this new AVPs. Some text should be provided to >>>>>> describe how the local ER server discovers that the Home EAP >>>>>> server >>>>>> doesn't support ERP and the behaviour of the local ER >>>> server in that >>>>>> case. >>>>>> >>>>>> >>>>>> I agree with these general comments. >>>>>> >>>>>> >>>>>>> Hereafter is the rest of my review with comments and proposals. >>>>>>> >>>>>>> Best Regards, >>>>>>> >>>>>>> Lionel >>>>>>> >>>>>>> *************************************** >>>>>>> >>>>>>> Abstract >>>>>>> >>>>>>> An EAP extension, called "EAP Re-authentication Protocol >>>>>> (ERP)", has >>>>>>> been specified that supports an EAP method-independent >>>>> protocol for >>>>>>> efficient re-authentication between the peer and the >>>>> server through >>>>>>> an authenticator. This document specifies Diameter >>>>>> support for ERP. >>>>>>> The Diameter EAP application is re-used for >>>>> encapsulating the newly >>>>>>> defined EAP Initiate and EAP Finish messages specified >>>> in the ERP >>>>>>> specification. AVPs for request and delivery of Domain >>>>>> Specific Root >>>>>>> Keys from the AAA/EAP server to the ER server are also >>>> specified. >>>>>>> Additionally, this document also specifies Diameter >>>>>> processing rules >>>>>>> relevant to ERP. >>>>>>> >>>>>>> [LM] some abusive verbiage in the abstract: >>>>>>> >>>>>>> Proposal for new abstract: >>>>>>> >>>>>>> "EAP Re-authentication Protocol defines extensions of EAP >>>>>> to support >>>>>>> efficient re-authentication between the peer and an EAP >>>>>>> re-authentication server through any authenticator. >>>>>> I'm wondering if we should note that the authenticator may be >>>>>> ERP-aware. >>>>>> I'm thinking about the case where the authenticator sends the >>>>>> EAP-Initiate/Re-auth-Start (Figure 4 in RFC 5296) >>>>>> >>>>>> >>>>>>> This document >>>>>>> specifies Diameter support for ERP. The Diameter EAP >>>>> application is >>>>>>> re-used for encapsulating the newly defined EAP messages >>>>> specified >>>>>>> in the ERP specification. Additionally, this document >>>>> also defines >>>>>>> specific Diameter processing rules relevant to ERP." >>>>>> ok >>>>>> >>>>>>> >>>>>>> 1. Introduction >>>>>>> >>>>>>> RFC 4072 [1] specifies a Diameter application that carries EAP >>>>>>> packets between a Diameter client and the Diameter >>>>>> Server/EAP server. >>>>>>> [2] defines the EAP Re-authentication Protocol to allow >>>>> faster re- >>>>>>> authentication of a previously authenticated peer. >>>>>>> >>>>>>> [LM] s/[2] defines the EAP Re-authentication Protocol/RFC >>>> 5296 [2] >>>>>>> defines the EAP Re-authentication Protocol (ERP) >>>>>>> >>>>>>> In ERP, a peer >>>>>>> authenticates to the network by proving possession of >>>>> key material >>>>>>> derived during a previous EAP exchange. >>>>>>> >>>>>>> [LM] s/a peer authenticate to/a peer is authenticated by >>>>>>> >>>>>>> For this purpose, an >>>>>>> Extended Master Session Key (EMSK) based re-authentication key >>>>>>> hierarchy has been defined [5]. ERP may be executed >>>>> between the ER >>>>>>> peer and an ER server in the peer's home domain or the >>>>> local domain >>>>>>> visited by the peer. In the latter case, a Domain >>>>> Specific Root Key >>>>>>> (DSRK), derived from the EMSK, is provided to the local >>>> domain ER >>>>>>> server. >>>>>>> >>>>>>> [LM] s/is provided to/is provided by the Home ER server to >>>>>>> >>>>>>> The peer and the local server subsequently use the re- >>>>>>> authentication key hierarchy from the DSRK to authenticate >>>>>> and derive >>>>>>> authenticator specific keys within that domain. >>>>>>> >>>>>>> [LM] this information can be found in the RFC 5296. Remove >>>>>> the sentence above. >>>>>> >>>>>> It may help the reader to understand the purpose of this DRSK. >>>>>> >>>>>>> To accomplish the >>>>>>> reauthentication functionality, ERP defines two new EAP >>>>> codes - EAP >>>>>>> Initiate and EAP Finish. >>>>>>> >>>>>>> [LM] s/ERP defines two new EAP codes/ERP defines two new >>>>> EAP messages >>>>>> I would prefer to say that ERP defines two new EAP Codes >>>>> here. These >>>>>> newly EAP packets are then carried in messages (dependent of the >>>>>> protocol used). >>>>>> >>>>>>> This document specifies the reuse of >>>>>>> Diameter EAP application to carry these new EAP messages. >>>>>>> The DSRK can be obtained as part of the regular EAP >>>>> exchange or as >>>>>>> part of an ERP bootstrapping exchange. The local ER server >>>>>>> requesting the DSRK needs to be in the path of the EAP or ERP >>>>>>> bootstrapping exchange in order to request and obtain the >>>>>> DSRK. This >>>>>>> document also specifies how the DSRK is transported to >>>>> the local ER >>>>>>> server using Diameter. >>>>>>> >>>>>>> [LM] Finally, i would reorganize the last part as follow: >>>>>>> >>>>>>> ::::::::::: >>>>>>> >>>>>>> "In ERP, a peer is authenticated by the network thanks to >>>>>> keying material >>>>>>> obtained during a previous EAP exchange. This keying >>>>>> material is derived >>>>>>> from the Extended Master Session Key (EMSK) defined in the >>>>>> RFC 5295 [5]. >>>>>>> To accomplish the EAP reauthentication functionality, ERP >>>>>> defines two new >>>>>>> EAP messages - EAP Initiate and EAP Finish. This document >>>>>> specifies the >>>>>>> reuse of Diameter EAP Application to carry these new EAP >>>>> messages. >>>>>>> ERP is executed between the peer and a server located >>>>>> either in the peer's >>>>>>> home domain or in the local domain visited by the peer. In >>>>>> the latter case, >>>>>>> a Domain Specific Root Key (DSRK) is derived from the >>>>>> EMSK, as defined in >>>>>>> the RFC 5295 [5], and is provided by the Home EAP server >>>>>> to the local domain >>>>>>> server. For that purpose, this document specifies the >>>>>> transport of the DSRK >>>>>>> using the Diameter EAP Application." >>>>>> First paragraph is the old and second the new ? >>>>>> >>>>>>> :::::::::::::: >>>>>>> >>>>>>> >>>>>>> >>>>>>> 2. Terminology >>>>>>> >>>>>>> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", >>>>> "SHALL NOT", >>>>>>> "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and >>>>>> "OPTIONAL" in this >>>>>>> document are to be interpreted as described in RFC 2119 [3]. >>>>>>> >>>>>>> This document uses terminology defined in [6], [5], >>>> [2], and [1]. >>>>>>> >>>>>>> 3. Assumptions >>>>>>> >>>>>>> This document defines additional optional AVPs for >>>> usage with the >>>>>>> Diameter EAP application. Routing of these messages is >>>> therefore >>>>>>> provided via the Diameter Application Identifier (among other >>>>>>> elements), as specified by the Diameter Base protocol [4]. >>>>>>> >>>>>>> [LM] To avoid any ambiguity I would say: >>>>>>> >>>>>>> "This document defines only additional optional AVPs for >>>>> usage with >>>>>>> the Diameter EAP application. This document does not defined >>>>>>> a new Diameter application and a new Application ID is >>>>>> therefore not >>>>>>> required, as described in the Diameter Base protocol [4]." >>>>>> ok >>>>>> >>>>>>> Based on >>>>>>> the deployment of ERP, a local Diameter server (the same entity >>>>>>> serves as a Diameter proxy during the full EAP >>>>> authentication) may >>>>>>> play the role of the ER server for future >>>>>> re-authentication attempts. >>>>>>> As such, the local Diameter server requesting the DSRK >>>>>> needs to be in >>>>>>> the path of the current EAP exchange between the peer >>>> and the EAP >>>>>>> server and also along in the future. The Diameter client is >>>>>>> furthermore assumed to be able to route the re-authentication >>>>>>> messages to the ER server. >>>>>>> >>>>>>> [LM] I think that the assumption all along this document is >>>>>> that the local ER server and the AAA agent are co-located, >>>>> to be able >>>>>> to rely on DEA for the transport of DSRK. In that case, I >>>> would say >>>>>> something like: >>>>>>> "In this document, when EAP re-authentication is performed >>>>>> in the domain >>>>>>> visited by the peer, it is assumed that the local ER >>>>>> server is co-located >>>>>>> with a Diameter agent in the visited domain present in >>>>>> the path of the full >>>>>>> EAP exchange." >>>>>> ok >>>>>> >>>>>>> >>>>>>> 4. Diameter Support for ERP >>>>>>> >>>>>>> 4.1. Protocol Overview >>>>>>> >>>>>>> Diameter may be used to transport ERP messages between the NAS >>>>>>> (authenticator) and an authentication server (ER server). >>>>>>> >>>>>>> [LM] s/may/is (the use of Diameter is a pre-requisite in >>>>> this draft) >>>>>>> In ERP, the peer sends an EAP Initiate Reauth message to the ER >>>>>>> server via the authenticator. >>>>>>> >>>>>>> [LM] s/"EAP Initiate Reauth message"/"EAP-Initiate/Re-auth >>>>> message" >>>>>>> (same all along the document) >>>>>>> >>>>>>> Alternatively, the NAS may send an EAP >>>>>>> Initiate Reauth-Start message to the peer to trigger >>>> the start of >>>>>>> ERP; the peer then responds with an EAP Initiate Reauth >>>>> message to >>>>>>> the NAS. >>>>>>> >>>>>>> [LM] s/"EAP Initiate Reauth-Start >>>>>> message"/"EAP-Initiate/Re-auth-Start >>>>>>> message" (same all along the document) >>>>>>> >>>>>>> The general guidelines for encapsulating EAP messages >>>> in Diameter >>>>>>> from RFC 4072 [1] apply to the new EAP messages defined >>>>> for ERP as >>>>>>> well. The EAP Initiate Reauth message is encapsulated >>>> in an EAP- >>>>>>> Payload AVP of a Diameter EAP-Request message by the NAS >>>>>> and sent to >>>>>>> the Diameter server. The NAS MUST copy the contents of >>>> the value >>>>>>> field of the 'rIKName as NAI' TLV or the peer-id TLV (when >>>>>> the former >>>>>>> is not present) of the EAP Initiate Reauth message into >>>>> a User-Name >>>>>>> AVP of the Diameter EAP-Request. >>>>>>> >>>>>>> [LM] I think that we are talking about the 'keyName-NAI' TLV >>>>>> and not anymore the 'rIKName as NAI' TLV. >>>>>> >>>>>> Considering section 5.3.2 of RFC 5296. I agree. >>>>>> >>>>>>> Moreover, in which case the peer-id TLV would not be >>>>> present for ERP? >>>>>> Privacy ? >>>>>> >>>>>>> The ER server processes the EAP Initiate Reauth message in >>>>>> accordance >>>>>>> with [2], and if that is successful, it responds with an >>>>> EAP Finish >>>>>>> Reauth message indicating a success ('R' flag set to 0). The >>>>>>> Diameter server MUST encapsulate the EAP Finish Reauth >>>>> message with >>>>>>> the R flag set to zero in an EAP-Payload AVP attribute of >>>>>> a Diameter >>>>>>> EAP-Answer message. An EAP-Master-Session-Key AVP >>>>> included in the >>>>>>> Diameter EAP-Answer contains the Re-authentication Master >>>>>> Session Key >>>>>>> (rMSK). The Diameter Result Code, if any, SHOULD be a >>>>>> success Result >>>>>>> Code. >>>>>>> >>>>>>> If the processing of the EAP Initiate Reauth message >>>>> resulted in a >>>>>>> failure, the Diameter server MUST encapsulate an EAP >>>>> Finish Reauth >>>>>>> message indicating failure ('R' flag set to 1) in an >>>>>> EAP-Payload AVP >>>>>>> of a Diameter EAP-Answer message. The Diameter Result >>>>>> Code, if any, >>>>>>> SHOULD be a failure Result Code. Whether an EAP Finish Reauth >>>>>>> message is sent at all is specified in [2]. >>>>>>> >>>>>>> [LM] the use of the 'R' flag is not relevant for Diameter EAP. >>>>>>> [LM] according to the RFC, the EAP-Finish/Re-auth is sent >>>>>> back in any case, success or failure. >>>>>>> [LM] according to the above comments, I would rephrase the >>>>>> text as follow: >>>>>>> >>>>>>> "The ER server processes the EAP Initiate Reauth message >>>>>> in accordance >>>>>>> with [2] and responds with an EAP-Finish/Re-auth message. >>>>>> The Diameter >>>>>>> server MUST encapsulate the EAP-Finish/Re-auth message within >>>>>>> an >>>>>>> EAP-Payload AVP of a Diameter EAP-Answer message. >>>>>>> In an EAP re-authentication successful case, an >>>>>> EAP-Master-Session-Key >>>>>>> AVP is included in the Diameter EAP-Answer message that >>>>>> contains the >>>>>>> Re-authentication Master Session Key (rMSK). The Diameter >>>>>> Result-Code >>>>>>> SHOULD be a success Result-Code. >>>>>>> In an EAP re-authentication failure case, the Diameter >>>>>> Result-Code of >>>>>>> the a Diameter EAP-Answer message SHOULD be a failure >>>>>> Result-Code and >>>>>>> no EAP-Master-Session-Key AVP is present." >>>>>>> >>>>>>> [LM] By the way, I don't understand the "SHOULD" for the >>>>>> result-code. Any reason not to use "MUST" here? >>>>>> >>>>>> I think a MUST would be better. Different views ? >>>>>> >>>>>>> [LM] a figure could be added for illustration here. >>>>>>> >>>>>>> 4.2. DSRK Request and Delivery >>>>>>> >>>>>>> A local ER server, collocated with a Diameter proxy in >>>> the peer's >>>>>>> visited domain, >>>>>>> >>>>>>> [LM] s/in the peer's visited domain/in the domain visited >>>>> by the peer >>>>>>> may request a DSRK from the EAP server, either in the >>>>>>> initial EAP exchange (implicit bootstrapping) or in an ERP >>>>>>> bootstrapping exchange (explicit bootstrapping). It >>>> does this by >>>>>>> including the EAP-DSRK-Request AVP in the Diameter EAP-Response >>>>>>> message. The EAP-DSRK-Request AVP contains the domain or >>>>>>> server >>>>>>> identity required to derive the DSRK. >>>>>>> >>>>>>> [LM] the EAP-DSRK-Request AVP is included in the Diameter >>>>>> EAP-Request >>>>>>> (and not in the response) >>>>>> yes. >>>>>> >>>>>>> An EAP server MAY send the DSRK when it receives a >>>> valid Diameter >>>>>>> EAP-Request message containing an EAP-DSRK-Request AVP. >>>>>> An ER server >>>>>>> MUST send the DSRK (or send a failure result) when it >>>>>>> receives a >>>>>>> valid Diameter EAP-Request message containing an >>>>>> EAP-DSRK-Request AVP >>>>>>> along with a valid EAP Initiate Re-auth packet with the >>>>>> bootstrapping >>>>>>> flag turned on. If an EAP-DSRK-Request AVP is included in >>>>>> any other >>>>>>> Diameter EAP-Request message, the Diameter server MUST >>>>> reply with a >>>>>>> failure result. An EAP-DSRK AVP MUST be used to send a >>>>>> DSRK; an EAP- >>>>>>> DSRK-Name AVP MUST be used to send the DSRK's keyname; >>>>> and an EAP- >>>>>>> DSRK-Lifetime AVP MUST be used to send the DSRK's lifetime. >>>>>>> >>>>>>> [LM] I don't understand the intention of the above text. >>>>>> Could it be enough to say: >>>>>>> In successful case, the DSRK is carried by the EAP-DSRK >>>>> AVP in the >>>>>>> Diameter EAP response message. Along with the EAP-DSRK AVP, an >>>>>>> EAP-DSRK-Name AVP MUST be used to send the DSRK's keyname and >>>>>>> an >>>>>>> EAP-DSRK-Lifetime AVP MUST be used to send the DSRK's lifetime. >>>>>> Agree. >>>>>> >>>>>>> [LM] a figure could be added for illustration here. >>>>>>> >>>>>>> 5. Command Codes >>>>>>> >>>>>>> [LM] this section is not required as there is nothing >>>>>> specific for ERP. We should skip it. >>>>>>> [SKIP] >>>>>>> >>>>>>> >>>>>>> 6. Attribute Value Pair Definitions >>>>>>> >>>>>>> 6.1. EAP-DSRK-Request AVP >>>>>>> >>>>>>> The EAP-DSRK AVP (AVP Code TBD) is of type DiameterIdentity. >>>>>>> >>>>>>> [LM] s/EAP-DSRK AVP/EAP-DSRK-Request AVP >>>>>>> >>>>>>> This >>>>>>> AVP fulfills two purposes: First, it indicates that a ER >>>>> server is >>>>>>> located in the local domain that is willing to play the >>>>>> role of an ER >>>>>>> server for a particular session. Second, it conveys >>>>>>> information >>>>>>> about the domain and ER server identity to the >>>>> Diameter/EAP server. >>>>>>> [LM] the use of this AVP is explained above. There is no >>>>>> need to explain again. >>>>>> >>>>>> As we are in the AVP Definitions, I think it is better to >>>> keep some >>>>>> text explaining it. No ? >>>>>> >>>>>>> Moreover, if a DiameterIdentity is used, it is to indicate a >>>>>> server and not a domain. Right? >>>>>> >>>>>> In my understanding the local ER server only sends the Domain >>>>>> Name >>>>>> which will then be used to compute keys. Maybe the type >>>>>> DiameterIdentity is not appropriated and we should use UTF8String >>>>>> instead. What do you think ? >>>>>> >>>>>> >>>>>>> 6.2. EAP-DSRK AVP >>>>>>> >>>>>>> The EAP-DSRK AVP (AVP Code TBD) is of type OctetString. >>>>> The Domain >>>>>>> Specific Root Key (DSRK) is carried in this payload. >>>>>>> >>>>>>> 6.3. EAP-DSRK-Name AVP >>>>>>> >>>>>>> The EAP-DSRK-Name AVP (AVP Code TBD) is of type >>>>> OctetString. This >>>>>>> AVP contains the name of the DSRK key that is later used >>>>> during the >>>>>>> re-authentication exchange to select the correct DSRK. >>>>>>> >>>>>>> [LM] skip the part starting by "that is..." >>>>>> ok >>>>>> >>>>>>> 6.4. EAP-DSRK-Lifetime AVP >>>>>>> >>>>>>> The EAP-DSRK-Lifetime AVP (AVP Code TBD) is of type >>>>> Unsigned64 and >>>>>>> contains the DSRK lifetime in seconds. >>>>>>> >>>>>>> >>>>>>> 7. AVP Occurrence Table >>>>>>> >>>>>>> The following table lists the AVPs that may optionally be >>>>>> present in >>>>>>> the DER and DEA commands [1]. >>>>>>> >>>>>>> >>>>>>> +---------------+ >>>>>>> | Command-Code | >>>>>>> +-+-----+-----+-+ >>>>>>> Attribute Name | DER | DEA | >>>>>>> -------------------------------|-----+-----+ >>>>>>> EAP-DSRK-Request | 0-1 | 0 | >>>>>>> EAP-DSRK | 0 | 0-1 | >>>>>>> EAP-DSRK-Name | 0 | 0-1 | >>>>>>> EAP-DSRK-Lifetime | 0 | 0-1 | >>>>>>> +-----+-----+ >>>>>>> >>>>>>> Figure 4: DER and DEA Commands AVP Table >>>>>>> >>>>>>> When the EAP-DSRK AVP is present in the DEA then the >>>>> EAP-DSRK-Name >>>>>>> and the EAP-DSRK-Lifetime MUST also be present. >>>>>>> >>>>>>> >>>>>>> 8. AVP Flag Rules >>>>>>> >>>>>>> The following table describes the Diameter AVPs, their AVP Code >>>>>>> values, types, possible flag values, and whether the AVP MAY be >>>>>>> encrypted. The Diameter base [4] specifies the AVP Flag >>>>> rules for >>>>>>> AVPs in Section 4.5. >>>>>>> >>>>>>> >>>>>>> >>>>>>> +---------------------+ >>>>>>> | AVP Flag >>>>>>> Rules | >>>>>>> >>>>>> +----+-----+----+-----+----+ >>>>>>> AVP Section | | >>>>>> |SHLD|MUST | | >>>>>>> Attribute Name Code Defined Data Type |MUST| MAY |NOT >>>>>> |NOT |Encr| >>>>>> ------------------------------------------+----+-----+----+-- >>>>> ---+----+ >>>>>>> EAP-DSRK-Request TBD 4.7.1 DiamIdent | | P | | >>>>>> V,M | Y | >>>>>>> EAP-DSRK TBD 4.7.2 OctetString| | P | | >>>>>> V,M | Y | >>>>>>> EAP-DSRK-Name TBD 4.7.3 OctetString| | P | | >>>>>> V,M | Y | >>>>>>> EAP-DSRK-Lifetime TBD 4.7.4 Unsigned64 | | P | | >>>>>> V,M | Y | >>>>>>> >>>>>> ------------------------------------------+----+-----+----+-- >>>>> ---+----+ >>>>>>> Due to space constraints, the short form DiamIdent is used to >>>>>>> represent DiameterIdentity. >>>>>>> >>>>>>> Figure 5: AVP Flag Rules Table >>>>>>> >>>>>>> [LM] this table is ok according to the current RFC 3588. I >>>>>> don't know how to deal with it regarding the RFC3588bis... >>>>>> >>>>>> >>>>>> That's indeed a good question :). >>>>>> >>>>>> And that's all for my comments of your comments. >>>>>> >>>>>> Regards, >>>>>> >>>>>> --Julien-- >>>>>> _______________________________________________ >>>>>> DiME mailing list >>>>>> DiME@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/dime >>>>>> >> _______________________________________________ >> DiME mailing list >> DiME@ietf.org >> https://www.ietf.org/mailman/listinfo/dime _______________________________________________ DiME mailing list DiME@ietf.org https://www.ietf.org/mailman/listinfo/dime
- [Dime] Review of the Diameter ERP draft lionel.morand
- Re: [Dime] Review of the Diameter ERP draft Julien Bournelle
- Re: [Dime] Review of the Diameter ERP draft Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Dime] Review of the Diameter ERP draft lionel.morand
- Re: [Dime] Review of the Diameter ERP draft Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Dime] Review of the Diameter ERP draft lionel.morand
- Re: [Dime] Review of the Diameter ERP draft Julien Bournelle
- Re: [Dime] Review of the Diameter ERP draft Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Dime] Review of the Diameter ERP draft Tom Taylor
- Re: [Dime] Review of the Diameter ERP draft Tina TSOU
- Re: [Dime] Review of the Diameter ERP draft Hannes Tschofenig
- Re: [Dime] Review of the Diameter ERP draft Tina TSOU
- Re: [Dime] Review of the Diameter ERP draft Tom Taylor
- Re: [Dime] Review of the Diameter ERP draft Tina TSOU
- Re: [Dime] Review of the Diameter ERP draft Glen Zorn
- Re: [Dime] Review of the Diameter ERP draft Tschofenig, Hannes (NSN - FI/Espoo)