Re: [Dime] Review of the Diameter ERP draft
"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Sat, 10 January 2009 13:14 UTC
Return-Path: <dime-bounces@ietf.org>
X-Original-To: dime-archive@megatron.ietf.org
Delivered-To: ietfarch-dime-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8313028C19F; Sat, 10 Jan 2009 05:14:37 -0800 (PST)
X-Original-To: dime@core3.amsl.com
Delivered-To: dime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 868E128C19F for <dime@core3.amsl.com>; Sat, 10 Jan 2009 05:14:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.238
X-Spam-Level:
X-Spam-Status: No, score=-2.238 tagged_above=-999 required=5 tests=[AWL=0.361, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yUmWRQt9f3-4 for <dime@core3.amsl.com>; Sat, 10 Jan 2009 05:14:30 -0800 (PST)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by core3.amsl.com (Postfix) with SMTP id F19D328C19B for <dime@ietf.org>; Sat, 10 Jan 2009 05:14:29 -0800 (PST)
Received: (qmail invoked by alias); 10 Jan 2009 13:14:14 -0000
Received: from a91-154-105-43.elisa-laajakaista.fi (EHLO 4FIL42860) [91.154.105.43] by mail.gmx.net (mp048) with SMTP; 10 Jan 2009 14:14:14 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX19qONZ2vZVqGCIcxUljfyeK7dfLCLo5+TMVef2E1r XFnAMqvpH30w4C
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: diameter-routing@googlegroups.com, 'Tom Taylor' <tom.taylor@rogers.com>
References: <7DBAFEC6A76F3E42817DF1EBE64CB026061E2759@ftrdmel2> <5e2406980901080218w746b69a7x320f1501aeb97266@mail.gmail.com> <C41BFCED3C088E40A8510B57B165C162F6F206@FIESEXC007.nsn-intra.net> <7DBAFEC6A76F3E42817DF1EBE64CB0260622C4DE@ftrdmel2> <C41BFCED3C088E40A8510B57B165C162F6F53B@FIESEXC007.nsn-intra.net> <5e2406980901090115m2fe2c097nee9854a9ed870127@mail.gmail.com> <49677A85.2030607@rogers.com> <E4FDB762-93D2-4085-9D1B-A274964573AF@huawei.com>
Date: Sat, 10 Jan 2009 15:14:45 +0200
Message-ID: <023801c97325$68712700$0201a8c0@nsnintra.net>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AclzIZlPqmOMn8kvTfuqJp9nxAV9xAAA4HHQ
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
In-Reply-To: <E4FDB762-93D2-4085-9D1B-A274964573AF@huawei.com>
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.53
Cc: dime@ietf.org
Subject: Re: [Dime] Review of the Diameter ERP draft
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: dime-bounces@ietf.org
Errors-To: dime-bounces@ietf.org
Hi Tom, Hi Tina, I believe you are misunderstanding the Diameter ERP usage (could also be me). We are not talking about "route-pinning" AAA routing but rather whether the definition of AVPs is sufficient for the design or whether a Diameter application. Ciao Hannes >-----Original Message----- >From: diameter-routing@googlegroups.com >[mailto:diameter-routing@googlegroups.com] On Behalf Of Tina TSOU >Sent: 10 January, 2009 14:47 >To: Tom Taylor >Cc: Julien Bournelle; Tschofenig, Hannes (NSN - FI/Espoo); >dime@ietf.org; diameter-routing@googlegroups.com >Subject: Re: [Dime] Review of the Diameter ERP draft > > >Hi Tom, >Thanks for your comments. >I will update the >draft-tsou-dime-routing-problem-statement-01, adding this use >case for the 2nd problem, hopefully before the design team >meeting next Thursday. >The design team discussion could be found in >http://groups.google.com/group/diameter-routing?hl=en > > >B. R. >Tina >Messengers: > >MSN: tinatsou6@hotmail.com Yahoo: tina_tsou Skype: tinaTSOU >Jabber: tina@jabber.org Google talk: tinatsou6@gmail.com > >+86-755-28971872 (Office) +86-13922884380(Mobile) > > > > > > > >On Jan 10, 2009, at 12:25 AM, Tom Taylor wrote: > >> An use case for the second problem talked about in the >routing design >> team! >> >> Julien Bournelle wrote: >>> Hi, >>> On Fri, Jan 9, 2009 at 8:57 AM, Tschofenig, Hannes (NSN - FI/Espoo) >>> <hannes.tschofenig@nsn.com> wrote: >>>> My reading of this text is that there is a way for the >peer and the >>>> authenticator to figure out whether to use EAP or ERP. >>> I don't see how a new App Id will help peer and authenticator to >>> figure out ERP support. I may miss something here. >>> My understanding is that a new Appid would however help AAA >entities >>> (authenticator, proxy, server) figure out ERP support. >>>> It, however, says very little about the further routing of AAA >>>> messages in such a way that the messages traverse nodes >>>> understanding the additionally required functionality. If I >>>> understood ERP correctly then some key caching takes place in the >>>> AAA proxies and hence one wants to make sure that the messages are >>>> actually routed via these proxies. >>> Yes, ideally, for a given peer, the same AAA proxy/local ERP server >>> should be contacted by authenticators. At this point, I >don't see how >>> to ensure this. >>> Regards, >>> Julien >>>> Ciao >>>> Hannes >>>> >>>> >>>>> -----Original Message----- >>>>> From: ext lionel.morand@orange-ftgroup.com >>>>> [mailto:lionel.morand@orange-ftgroup.com] >>>>> Sent: 08 January, 2009 22:26 >>>>> To: Tschofenig, Hannes (NSN - FI/Espoo); >>>>> julien.bournelle@gmail.com; sdecugis@hongo.wide.ad.jp; >>>>> dime@ietf.org >>>>> Subject: RE: [Dime] Review of the Diameter ERP draft >>>>> >>>>> According to the RFC 5296, it seems that it is not >required to have >>>>> a specific Appl-ID: >>>>> >>>>> "It is plausible that the authenticator does not know whether the >>>>> peer supports ERP and whether the peer has performed a full EAP >>>>> authentication through another authenticator. The authenticator >>>>> MAY initiate the ERP exchange by sending the >EAP-Initiate/Re-auth- >>>>> Start message, and if there is no response, it will send >the EAP- >>>>> Request/ Identity message. Note that this avoids having two EAP >>>>> messages in flight at the same time [2]. The authenticator may >>>>> send the EAP- Initiate/Re-auth-Start message and wait >for a short, >>>>> locally configured amount of time. If the peer does not already >>>>> know, this message indicates to the peer that the authenticator >>>>> supports ERP. >>>>> In response to this trigger from the authenticator, the >peer can >>>>> initiate the ERP exchange by sending an EAP-Initiate/Re-auth >>>>> message. >>>>> If there is no response from the peer after the necessary >>>>> retransmissions (see Section 6), the authenticator MUST initiate >>>>> EAP by sending an EAP-Request message, typically the >>>>> EAP-Request/Identity message. Note that the authenticator may >>>>> receive an EAP-Initiate/ Re-auth message after it has sent an >>>>> EAP-Request/Identity message. >>>>> If the authenticator supports ERP, it MUST proceed with the ERP >>>>> exchange. When the EAP-Request/Identity times out, the >>>>> authenticator MUST NOT close the connection if an ERP >exchange is >>>>> in progress or has already succeeded in establishing a >>>>> re-authentication MSK. >>>>> >>>>> If the authenticator does not support ERP, it drops >EAP-Initiate/ >>>>> Re-auth messages [2] as the EAP code of those packets is greater >>>>> than 4. An ERP-capable peer will exhaust the >EAP-Initiate/Re-auth >>>>> message retransmissions and fall back to EAP authentication by >>>>> responding to EAP Request/Identity messages from the >>>>> authenticator. If the peer does not support ERP or if >it does not >>>>> have unexpired key material from a previous EAP >authentication, it >>>>> drops EAP-Initiate/ Re-auth-Start messages. If there is no >>>>> response to the EAP-Initiate/ Re-auth-Start message, the >>>>> authenticator SHALL send an EAP Request message (typically EAP >>>>> Request/Identity) to start EAP authentication. >>>>> From this stage onwards, RFC 3748 rules apply. Note >that this may >>>>> introduce some delay in starting EAP. In some lower layers, the >>>>> delay can be minimized or even avoided by the peer initiating EAP >>>>> by sending messages such as EAPoL-Start in the IEEE 802.1X >>>>> specification [10]." >>>>> >>>>> Both paragraphs assume (for me) that the ERP "option" may be >>>>> supported by the peer and/or the network. If none of them >(or only >>>>> one of them) support ERP, the fallback mechanism is full EAP >>>>> authentication. >>>>> In that sense, knowing that the network supports ERP is not a >>>>> pre-requisite. The minimum is to support EAP and ERP is an option >>>>> available above EAP. That allows to deploy ERP above existing EAP >>>>> deployment. >>>>> >>>>> Does it make sense? >>>>> >>>>> Best Regards, >>>>> >>>>> Lionel >>>>> >>>>> >>>>>> -----Message d'origine----- >>>>>> De : Tschofenig, Hannes (NSN - FI/Espoo) >>>>>> [mailto:hannes.tschofenig@nsn.com] >>>>>> Envoyé : jeudi 8 janvier 2009 13:55 À : ext Julien Bournelle; >>>>>> MORAND Lionel RD-CORE-ISS; Sebastien Decugis; >dime@ietf.org Objet >>>>>> : RE: [Dime] Review of the Diameter ERP draft >>>>>> >>>>>> One of the things I was not quite sure with the current protocol >>>>>> design is whether a Diameter application or just a bunch of AVPs >>>>>> are required. >>>>>> Based on the discussions a few of us when some of the HOKEY >>>>> specs went >>>>>> to the IESG / IETF Last Call I got the impression that >one has to >>>>>> define a new Diameter application (which would be based on >>>>>> Diameter >>>>>> EAP) since you assume that the messages are routed via a node in >>>>>> the local network and the support for ERP has to be ensured. >>>>>> >>>>>> Ciao >>>>>> Hannes >>>>>> >>>>>>> -----Original Message----- >>>>>>> From: dime-bounces@ietf.org [mailto:dime-bounces@ietf.org] >>>>>> On Behalf Of >>>>>>> ext Julien Bournelle >>>>>>> Sent: 08 January, 2009 12:18 >>>>>>> To: lionel.morand@orange-ftgroup.com; Sebastien Decugis; >>>>>> dime@ietf.org >>>>>>> Subject: Re: [Dime] Review of the Diameter ERP draft >>>>>>> >>>>>>> Hi lionel, >>>>>>> >>>>>>> some comments inline. >>>>>>> >>>>>>> On Wed, Jan 7, 2009 at 12:03 PM, >>>>>>> <lionel.morand@orange-ftgroup.com> wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> Here is my review for the Diameter ERP draft. >>>>>>>> >>>>>>>> General comments: >>>>>>>> >>>>>>>> - About alignment with RFC 5296: >>>>>>>> the draft needs to be updated according to the publication >>>>>>> of the RFC 5296. Some proposals are provided below. >>>>>>>> - About ER server/AAA agent co-location: >>>>>>>> In my understanding, it is assumed in this document ER >>>>>>> server and AAA proxy have to be co-located to be able >to rely on >>>>>>> Diameter to transport ERP specific AVPs. This doesn't maybe >>>>> preclude >>>>>>> other architectural choices but there are outside the scope of >>>>>>> this document. It is necessary to clarify this point in this >>>>>>> document. >>>>>>>> - ERP support discovery: >>>>>>>> As the ERP specific AVPs are introduced with the M-bit >>>>>>> cleared, these AVPs are purely optional for the Diameter EAP >>>>>>> application i.e. they can be silently ignored by Diameter >>>>>> servers that >>>>>>> do not understand this new AVPs. Some text should be >provided to >>>>>>> describe how the local ER server discovers that the Home EAP >>>>>>> server doesn't support ERP and the behaviour of the local ER >>>>> server in that >>>>>>> case. >>>>>>> >>>>>>> >>>>>>> I agree with these general comments. >>>>>>> >>>>>>> >>>>>>>> Hereafter is the rest of my review with comments and proposals. >>>>>>>> >>>>>>>> Best Regards, >>>>>>>> >>>>>>>> Lionel >>>>>>>> >>>>>>>> *************************************** >>>>>>>> >>>>>>>> Abstract >>>>>>>> >>>>>>>> An EAP extension, called "EAP Re-authentication Protocol >>>>>>> (ERP)", has >>>>>>>> been specified that supports an EAP method-independent >>>>>> protocol for >>>>>>>> efficient re-authentication between the peer and the >>>>>> server through >>>>>>>> an authenticator. This document specifies Diameter >>>>>>> support for ERP. >>>>>>>> The Diameter EAP application is re-used for >>>>>> encapsulating the newly >>>>>>>> defined EAP Initiate and EAP Finish messages specified >>>>> in the ERP >>>>>>>> specification. AVPs for request and delivery of Domain >>>>>>> Specific Root >>>>>>>> Keys from the AAA/EAP server to the ER server are also >>>>> specified. >>>>>>>> Additionally, this document also specifies Diameter >>>>>>> processing rules >>>>>>>> relevant to ERP. >>>>>>>> >>>>>>>> [LM] some abusive verbiage in the abstract: >>>>>>>> >>>>>>>> Proposal for new abstract: >>>>>>>> >>>>>>>> "EAP Re-authentication Protocol defines extensions of EAP >>>>>>> to support >>>>>>>> efficient re-authentication between the peer and an EAP >>>>>>>> re-authentication server through any authenticator. >>>>>>> I'm wondering if we should note that the authenticator may be >>>>>>> ERP-aware. >>>>>>> I'm thinking about the case where the authenticator sends the >>>>>>> EAP-Initiate/Re-auth-Start (Figure 4 in RFC 5296) >>>>>>> >>>>>>> >>>>>>>> This document >>>>>>>> specifies Diameter support for ERP. The Diameter EAP >>>>>> application is >>>>>>>> re-used for encapsulating the newly defined EAP messages >>>>>> specified >>>>>>>> in the ERP specification. Additionally, this document >>>>>> also defines >>>>>>>> specific Diameter processing rules relevant to ERP." >>>>>>> ok >>>>>>> >>>>>>>> >>>>>>>> 1. Introduction >>>>>>>> >>>>>>>> RFC 4072 [1] specifies a Diameter application that >carries EAP >>>>>>>> packets between a Diameter client and the Diameter >>>>>>> Server/EAP server. >>>>>>>> [2] defines the EAP Re-authentication Protocol to allow >>>>>> faster re- >>>>>>>> authentication of a previously authenticated peer. >>>>>>>> >>>>>>>> [LM] s/[2] defines the EAP Re-authentication Protocol/RFC >>>>> 5296 [2] >>>>>>>> defines the EAP Re-authentication Protocol (ERP) >>>>>>>> >>>>>>>> In ERP, a peer >>>>>>>> authenticates to the network by proving possession of >>>>>> key material >>>>>>>> derived during a previous EAP exchange. >>>>>>>> >>>>>>>> [LM] s/a peer authenticate to/a peer is authenticated by >>>>>>>> >>>>>>>> For this purpose, an >>>>>>>> Extended Master Session Key (EMSK) based >re-authentication key >>>>>>>> hierarchy has been defined [5]. ERP may be executed >>>>>> between the ER >>>>>>>> peer and an ER server in the peer's home domain or the >>>>>> local domain >>>>>>>> visited by the peer. In the latter case, a Domain >>>>>> Specific Root Key >>>>>>>> (DSRK), derived from the EMSK, is provided to the local >>>>> domain ER >>>>>>>> server. >>>>>>>> >>>>>>>> [LM] s/is provided to/is provided by the Home ER server to >>>>>>>> >>>>>>>> The peer and the local server subsequently use the re- >>>>>>>> authentication key hierarchy from the DSRK to authenticate >>>>>>> and derive >>>>>>>> authenticator specific keys within that domain. >>>>>>>> >>>>>>>> [LM] this information can be found in the RFC 5296. Remove >>>>>>> the sentence above. >>>>>>> >>>>>>> It may help the reader to understand the purpose of this DRSK. >>>>>>> >>>>>>>> To accomplish the >>>>>>>> reauthentication functionality, ERP defines two new EAP >>>>>> codes - EAP >>>>>>>> Initiate and EAP Finish. >>>>>>>> >>>>>>>> [LM] s/ERP defines two new EAP codes/ERP defines two new >>>>>> EAP messages >>>>>>> I would prefer to say that ERP defines two new EAP Codes >>>>>> here. These >>>>>>> newly EAP packets are then carried in messages >(dependent of the >>>>>>> protocol used). >>>>>>> >>>>>>>> This document specifies the reuse of Diameter EAP >application >>>>>>>> to carry these new EAP messages. >>>>>>>> The DSRK can be obtained as part of the regular EAP >>>>>> exchange or as >>>>>>>> part of an ERP bootstrapping exchange. The local ER server >>>>>>>> requesting the DSRK needs to be in the path of the EAP or ERP >>>>>>>> bootstrapping exchange in order to request and obtain the >>>>>>> DSRK. This >>>>>>>> document also specifies how the DSRK is transported to >>>>>> the local ER >>>>>>>> server using Diameter. >>>>>>>> >>>>>>>> [LM] Finally, i would reorganize the last part as follow: >>>>>>>> >>>>>>>> ::::::::::: >>>>>>>> >>>>>>>> "In ERP, a peer is authenticated by the network thanks to >>>>>>> keying material >>>>>>>> obtained during a previous EAP exchange. This keying >>>>>>> material is derived >>>>>>>> from the Extended Master Session Key (EMSK) defined in the >>>>>>> RFC 5295 [5]. >>>>>>>> To accomplish the EAP reauthentication functionality, ERP >>>>>>> defines two new >>>>>>>> EAP messages - EAP Initiate and EAP Finish. This document >>>>>>> specifies the >>>>>>>> reuse of Diameter EAP Application to carry these new EAP >>>>>> messages. >>>>>>>> ERP is executed between the peer and a server located >>>>>>> either in the peer's >>>>>>>> home domain or in the local domain visited by the peer. In >>>>>>> the latter case, >>>>>>>> a Domain Specific Root Key (DSRK) is derived from the >>>>>>> EMSK, as defined in >>>>>>>> the RFC 5295 [5], and is provided by the Home EAP server >>>>>>> to the local domain >>>>>>>> server. For that purpose, this document specifies the >>>>>>> transport of the DSRK >>>>>>>> using the Diameter EAP Application." >>>>>>> First paragraph is the old and second the new ? >>>>>>> >>>>>>>> :::::::::::::: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> 2. Terminology >>>>>>>> >>>>>>>> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", >>>>>> "SHALL NOT", >>>>>>>> "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and >>>>>>> "OPTIONAL" in this >>>>>>>> document are to be interpreted as described in RFC 2119 [3]. >>>>>>>> >>>>>>>> This document uses terminology defined in [6], [5], >>>>> [2], and [1]. >>>>>>>> >>>>>>>> 3. Assumptions >>>>>>>> >>>>>>>> This document defines additional optional AVPs for >>>>> usage with the >>>>>>>> Diameter EAP application. Routing of these messages is >>>>> therefore >>>>>>>> provided via the Diameter Application Identifier >(among other >>>>>>>> elements), as specified by the Diameter Base protocol [4]. >>>>>>>> >>>>>>>> [LM] To avoid any ambiguity I would say: >>>>>>>> >>>>>>>> "This document defines only additional optional AVPs for >>>>>> usage with >>>>>>>> the Diameter EAP application. This document does not defined >>>>>>>> a new Diameter application and a new Application ID is >>>>>>> therefore not >>>>>>>> required, as described in the Diameter Base protocol [4]." >>>>>>> ok >>>>>>> >>>>>>>> Based on >>>>>>>> the deployment of ERP, a local Diameter server (the >same entity >>>>>>>> serves as a Diameter proxy during the full EAP >>>>>> authentication) may >>>>>>>> play the role of the ER server for future >>>>>>> re-authentication attempts. >>>>>>>> As such, the local Diameter server requesting the DSRK >>>>>>> needs to be in >>>>>>>> the path of the current EAP exchange between the peer >>>>> and the EAP >>>>>>>> server and also along in the future. The Diameter client is >>>>>>>> furthermore assumed to be able to route the re-authentication >>>>>>>> messages to the ER server. >>>>>>>> >>>>>>>> [LM] I think that the assumption all along this document is >>>>>>> that the local ER server and the AAA agent are co-located, >>>>>> to be able >>>>>>> to rely on DEA for the transport of DSRK. In that case, I >>>>> would say >>>>>>> something like: >>>>>>>> "In this document, when EAP re-authentication is performed >>>>>>> in the domain >>>>>>>> visited by the peer, it is assumed that the local ER >>>>>>> server is co-located >>>>>>>> with a Diameter agent in the visited domain present in >>>>>>> the path of the full >>>>>>>> EAP exchange." >>>>>>> ok >>>>>>> >>>>>>>> >>>>>>>> 4. Diameter Support for ERP >>>>>>>> >>>>>>>> 4.1. Protocol Overview >>>>>>>> >>>>>>>> Diameter may be used to transport ERP messages between the NAS >>>>>>>> (authenticator) and an authentication server (ER server). >>>>>>>> >>>>>>>> [LM] s/may/is (the use of Diameter is a pre-requisite in >>>>>> this draft) >>>>>>>> In ERP, the peer sends an EAP Initiate Reauth message >to the ER >>>>>>>> server via the authenticator. >>>>>>>> >>>>>>>> [LM] s/"EAP Initiate Reauth message"/"EAP-Initiate/Re-auth >>>>>> message" >>>>>>>> (same all along the document) >>>>>>>> >>>>>>>> Alternatively, the NAS may send an EAP Initiate Reauth-Start >>>>>>>> message to the peer to trigger >>>>> the start of >>>>>>>> ERP; the peer then responds with an EAP Initiate Reauth >>>>>> message to >>>>>>>> the NAS. >>>>>>>> >>>>>>>> [LM] s/"EAP Initiate Reauth-Start >>>>>>> message"/"EAP-Initiate/Re-auth-Start >>>>>>>> message" (same all along the document) >>>>>>>> >>>>>>>> The general guidelines for encapsulating EAP messages >>>>> in Diameter >>>>>>>> from RFC 4072 [1] apply to the new EAP messages defined >>>>>> for ERP as >>>>>>>> well. The EAP Initiate Reauth message is encapsulated >>>>> in an EAP- >>>>>>>> Payload AVP of a Diameter EAP-Request message by the NAS >>>>>>> and sent to >>>>>>>> the Diameter server. The NAS MUST copy the contents of >>>>> the value >>>>>>>> field of the 'rIKName as NAI' TLV or the peer-id TLV (when >>>>>>> the former >>>>>>>> is not present) of the EAP Initiate Reauth message into >>>>>> a User-Name >>>>>>>> AVP of the Diameter EAP-Request. >>>>>>>> >>>>>>>> [LM] I think that we are talking about the 'keyName-NAI' TLV >>>>>>> and not anymore the 'rIKName as NAI' TLV. >>>>>>> >>>>>>> Considering section 5.3.2 of RFC 5296. I agree. >>>>>>> >>>>>>>> Moreover, in which case the peer-id TLV would not be >>>>>> present for ERP? >>>>>>> Privacy ? >>>>>>> >>>>>>>> The ER server processes the EAP Initiate Reauth message in >>>>>>> accordance >>>>>>>> with [2], and if that is successful, it responds with an >>>>>> EAP Finish >>>>>>>> Reauth message indicating a success ('R' flag set to >0). The >>>>>>>> Diameter server MUST encapsulate the EAP Finish Reauth >>>>>> message with >>>>>>>> the R flag set to zero in an EAP-Payload AVP attribute of >>>>>>> a Diameter >>>>>>>> EAP-Answer message. An EAP-Master-Session-Key AVP >>>>>> included in the >>>>>>>> Diameter EAP-Answer contains the Re-authentication Master >>>>>>> Session Key >>>>>>>> (rMSK). The Diameter Result Code, if any, SHOULD be a >>>>>>> success Result >>>>>>>> Code. >>>>>>>> >>>>>>>> If the processing of the EAP Initiate Reauth message >>>>>> resulted in a >>>>>>>> failure, the Diameter server MUST encapsulate an EAP >>>>>> Finish Reauth >>>>>>>> message indicating failure ('R' flag set to 1) in an >>>>>>> EAP-Payload AVP >>>>>>>> of a Diameter EAP-Answer message. The Diameter Result >>>>>>> Code, if any, >>>>>>>> SHOULD be a failure Result Code. Whether an EAP >Finish Reauth >>>>>>>> message is sent at all is specified in [2]. >>>>>>>> >>>>>>>> [LM] the use of the 'R' flag is not relevant for Diameter EAP. >>>>>>>> [LM] according to the RFC, the EAP-Finish/Re-auth is sent >>>>>>> back in any case, success or failure. >>>>>>>> [LM] according to the above comments, I would rephrase the >>>>>>> text as follow: >>>>>>>> >>>>>>>> "The ER server processes the EAP Initiate Reauth message >>>>>>> in accordance >>>>>>>> with [2] and responds with an EAP-Finish/Re-auth message. >>>>>>> The Diameter >>>>>>>> server MUST encapsulate the EAP-Finish/Re-auth message within >>>>>>>> an EAP-Payload AVP of a Diameter EAP-Answer message. >>>>>>>> In an EAP re-authentication successful case, an >>>>>>> EAP-Master-Session-Key >>>>>>>> AVP is included in the Diameter EAP-Answer message that >>>>>>> contains the >>>>>>>> Re-authentication Master Session Key (rMSK). The Diameter >>>>>>> Result-Code >>>>>>>> SHOULD be a success Result-Code. >>>>>>>> In an EAP re-authentication failure case, the Diameter >>>>>>> Result-Code of >>>>>>>> the a Diameter EAP-Answer message SHOULD be a failure >>>>>>> Result-Code and >>>>>>>> no EAP-Master-Session-Key AVP is present." >>>>>>>> >>>>>>>> [LM] By the way, I don't understand the "SHOULD" for the >>>>>>> result-code. Any reason not to use "MUST" here? >>>>>>> >>>>>>> I think a MUST would be better. Different views ? >>>>>>> >>>>>>>> [LM] a figure could be added for illustration here. >>>>>>>> >>>>>>>> 4.2. DSRK Request and Delivery >>>>>>>> >>>>>>>> A local ER server, collocated with a Diameter proxy in >>>>> the peer's >>>>>>>> visited domain, >>>>>>>> >>>>>>>> [LM] s/in the peer's visited domain/in the domain visited >>>>>> by the peer >>>>>>>> may request a DSRK from the EAP server, either in the > initial >>>>>>>> EAP exchange (implicit bootstrapping) or in an ERP >>>>>>>> bootstrapping exchange (explicit bootstrapping). It >>>>> does this by >>>>>>>> including the EAP-DSRK-Request AVP in the Diameter >EAP-Response >>>>>>>> message. The EAP-DSRK-Request AVP contains the domain >or server >>>>>>>> identity required to derive the DSRK. >>>>>>>> >>>>>>>> [LM] the EAP-DSRK-Request AVP is included in the Diameter >>>>>>> EAP-Request >>>>>>>> (and not in the response) >>>>>>> yes. >>>>>>> >>>>>>>> An EAP server MAY send the DSRK when it receives a >>>>> valid Diameter >>>>>>>> EAP-Request message containing an EAP-DSRK-Request AVP. >>>>>>> An ER server >>>>>>>> MUST send the DSRK (or send a failure result) when it >receives >>>>>>>> a valid Diameter EAP-Request message containing an >>>>>>> EAP-DSRK-Request AVP >>>>>>>> along with a valid EAP Initiate Re-auth packet with the >>>>>>> bootstrapping >>>>>>>> flag turned on. If an EAP-DSRK-Request AVP is included in >>>>>>> any other >>>>>>>> Diameter EAP-Request message, the Diameter server MUST >>>>>> reply with a >>>>>>>> failure result. An EAP-DSRK AVP MUST be used to send a >>>>>>> DSRK; an EAP- >>>>>>>> DSRK-Name AVP MUST be used to send the DSRK's keyname; >>>>>> and an EAP- >>>>>>>> DSRK-Lifetime AVP MUST be used to send the DSRK's lifetime. >>>>>>>> >>>>>>>> [LM] I don't understand the intention of the above text. >>>>>>> Could it be enough to say: >>>>>>>> In successful case, the DSRK is carried by the EAP-DSRK >>>>>> AVP in the >>>>>>>> Diameter EAP response message. Along with the >EAP-DSRK AVP, an >>>>>>>> EAP-DSRK-Name AVP MUST be used to send the DSRK's >keyname and an >>>>>>>> EAP-DSRK-Lifetime AVP MUST be used to send the DSRK's lifetime. >>>>>>> Agree. >>>>>>> >>>>>>>> [LM] a figure could be added for illustration here. >>>>>>>> >>>>>>>> 5. Command Codes >>>>>>>> >>>>>>>> [LM] this section is not required as there is nothing >>>>>>> specific for ERP. We should skip it. >>>>>>>> [SKIP] >>>>>>>> >>>>>>>> >>>>>>>> 6. Attribute Value Pair Definitions >>>>>>>> >>>>>>>> 6.1. EAP-DSRK-Request AVP >>>>>>>> >>>>>>>> The EAP-DSRK AVP (AVP Code TBD) is of type DiameterIdentity. >>>>>>>> >>>>>>>> [LM] s/EAP-DSRK AVP/EAP-DSRK-Request AVP >>>>>>>> >>>>>>>> This >>>>>>>> AVP fulfills two purposes: First, it indicates that a ER >>>>>> server is >>>>>>>> located in the local domain that is willing to play the >>>>>>> role of an ER >>>>>>>> server for a particular session. Second, it conveys >>>>>>>> information about the domain and ER server identity to the >>>>>> Diameter/EAP server. >>>>>>>> [LM] the use of this AVP is explained above. There is no >>>>>>> need to explain again. >>>>>>> >>>>>>> As we are in the AVP Definitions, I think it is better to >>>>> keep some >>>>>>> text explaining it. No ? >>>>>>> >>>>>>>> Moreover, if a DiameterIdentity is used, it is to indicate a >>>>>>> server and not a domain. Right? >>>>>>> >>>>>>> In my understanding the local ER server only sends the Domain >>>>>>> Name which will then be used to compute keys. Maybe the type >>>>>>> DiameterIdentity is not appropriated and we should use >UTF8String >>>>>>> instead. What do you think ? >>>>>>> >>>>>>> >>>>>>>> 6.2. EAP-DSRK AVP >>>>>>>> >>>>>>>> The EAP-DSRK AVP (AVP Code TBD) is of type OctetString. >>>>>> The Domain >>>>>>>> Specific Root Key (DSRK) is carried in this payload. >>>>>>>> >>>>>>>> 6.3. EAP-DSRK-Name AVP >>>>>>>> >>>>>>>> The EAP-DSRK-Name AVP (AVP Code TBD) is of type >>>>>> OctetString. This >>>>>>>> AVP contains the name of the DSRK key that is later used >>>>>> during the >>>>>>>> re-authentication exchange to select the correct DSRK. >>>>>>>> >>>>>>>> [LM] skip the part starting by "that is..." >>>>>>> ok >>>>>>> >>>>>>>> 6.4. EAP-DSRK-Lifetime AVP >>>>>>>> >>>>>>>> The EAP-DSRK-Lifetime AVP (AVP Code TBD) is of type >>>>>> Unsigned64 and >>>>>>>> contains the DSRK lifetime in seconds. >>>>>>>> >>>>>>>> >>>>>>>> 7. AVP Occurrence Table >>>>>>>> >>>>>>>> The following table lists the AVPs that may optionally be >>>>>>> present in >>>>>>>> the DER and DEA commands [1]. >>>>>>>> >>>>>>>> >>>>>>>> +---------------+ >>>>>>>> | Command-Code | >>>>>>>> +-+-----+-----+-+ >>>>>>>> Attribute Name | DER | DEA | >>>>>>>> -------------------------------|-----+-----+ >>>>>>>> EAP-DSRK-Request | 0-1 | 0 | >>>>>>>> EAP-DSRK | 0 | 0-1 | >>>>>>>> EAP-DSRK-Name | 0 | 0-1 | >>>>>>>> EAP-DSRK-Lifetime | 0 | 0-1 | >>>>>>>> +-----+-----+ >>>>>>>> >>>>>>>> Figure 4: DER and DEA Commands AVP Table >>>>>>>> >>>>>>>> When the EAP-DSRK AVP is present in the DEA then the >>>>>> EAP-DSRK-Name >>>>>>>> and the EAP-DSRK-Lifetime MUST also be present. >>>>>>>> >>>>>>>> >>>>>>>> 8. AVP Flag Rules >>>>>>>> >>>>>>>> The following table describes the Diameter AVPs, >their AVP Code >>>>>>>> values, types, possible flag values, and whether the >AVP MAY be >>>>>>>> encrypted. The Diameter base [4] specifies the AVP Flag >>>>>> rules for >>>>>>>> AVPs in Section 4.5. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> +---------------------+ >>>>>>>> | AVP Flag >>>>>>>> Rules | >>>>>>>> >>>>>>> +----+-----+----+-----+----+ >>>>>>>> AVP Section | | >>>>>>> |SHLD|MUST | | >>>>>>>> Attribute Name Code Defined Data Type |MUST| MAY |NOT >>>>>>> |NOT |Encr| >>>>>>> ------------------------------------------+----+-----+----+-- >>>>>> ---+----+ >>>>>>>> EAP-DSRK-Request TBD 4.7.1 DiamIdent | | P | | >>>>>>> V,M | Y | >>>>>>>> EAP-DSRK TBD 4.7.2 OctetString| | P | | >>>>>>> V,M | Y | >>>>>>>> EAP-DSRK-Name TBD 4.7.3 OctetString| | P | | >>>>>>> V,M | Y | >>>>>>>> EAP-DSRK-Lifetime TBD 4.7.4 Unsigned64 | | P | | >>>>>>> V,M | Y | >>>>>>>> >>>>>>> ------------------------------------------+----+-----+----+-- >>>>>> ---+----+ >>>>>>>> Due to space constraints, the short form DiamIdent is used to >>>>>>>> represent DiameterIdentity. >>>>>>>> >>>>>>>> Figure 5: AVP Flag Rules Table >>>>>>>> >>>>>>>> [LM] this table is ok according to the current RFC 3588. I >>>>>>> don't know how to deal with it regarding the RFC3588bis... >>>>>>> >>>>>>> >>>>>>> That's indeed a good question :). >>>>>>> >>>>>>> And that's all for my comments of your comments. >>>>>>> >>>>>>> Regards, >>>>>>> >>>>>>> --Julien-- >>>>>>> _______________________________________________ >>>>>>> DiME mailing list >>>>>>> DiME@ietf.org >>>>>>> https://www.ietf.org/mailman/listinfo/dime >>>>>>> >>> _______________________________________________ >>> DiME mailing list >>> DiME@ietf.org >>> https://www.ietf.org/mailman/listinfo/dime > > >--~--~---------~--~----~------------~-------~--~----~ >You received this message because you are subscribed to the >Google Groups "diameter-routing" group. >To post to this group, send email to >diameter-routing@googlegroups.com To unsubscribe from this >group, send email to diameter-routing+unsubscribe@googlegroups.com >For more options, visit this group at >http://groups.google.com/group/diameter-routing?hl=en >-~----------~----~----~----~------~----~------~--~--- > _______________________________________________ DiME mailing list DiME@ietf.org https://www.ietf.org/mailman/listinfo/dime
- [Dime] Review of the Diameter ERP draft lionel.morand
- Re: [Dime] Review of the Diameter ERP draft Julien Bournelle
- Re: [Dime] Review of the Diameter ERP draft Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Dime] Review of the Diameter ERP draft lionel.morand
- Re: [Dime] Review of the Diameter ERP draft Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Dime] Review of the Diameter ERP draft lionel.morand
- Re: [Dime] Review of the Diameter ERP draft Julien Bournelle
- Re: [Dime] Review of the Diameter ERP draft Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [Dime] Review of the Diameter ERP draft Tom Taylor
- Re: [Dime] Review of the Diameter ERP draft Tina TSOU
- Re: [Dime] Review of the Diameter ERP draft Hannes Tschofenig
- Re: [Dime] Review of the Diameter ERP draft Tina TSOU
- Re: [Dime] Review of the Diameter ERP draft Tom Taylor
- Re: [Dime] Review of the Diameter ERP draft Tina TSOU
- Re: [Dime] Review of the Diameter ERP draft Glen Zorn
- Re: [Dime] Review of the Diameter ERP draft Tschofenig, Hannes (NSN - FI/Espoo)