summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc5296.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc5296.txt')
-rw-r--r--doc/rfc/rfc5296.txt2411
1 files changed, 2411 insertions, 0 deletions
diff --git a/doc/rfc/rfc5296.txt b/doc/rfc/rfc5296.txt
new file mode 100644
index 0000000..6f24b8f
--- /dev/null
+++ b/doc/rfc/rfc5296.txt
@@ -0,0 +1,2411 @@
+
+
+
+
+
+
+Network Working Group V. Narayanan
+Request for Comments: 5296 L. Dondeti
+Category: Standards Track Qualcomm, Inc.
+ August 2008
+
+
+ EAP Extensions for EAP Re-authentication Protocol (ERP)
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Abstract
+
+ The Extensible Authentication Protocol (EAP) is a generic framework
+ supporting multiple types of authentication methods. In systems
+ where EAP is used for authentication, it is desirable to not repeat
+ the entire EAP exchange with another authenticator. This document
+ specifies extensions to EAP and the EAP keying hierarchy to support
+ an EAP method-independent protocol for efficient re-authentication
+ between the peer and an EAP re-authentication server through any
+ authenticator. The re-authentication server may be in the home
+ network or in the local network to which the peer is connecting.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 1]
+
+RFC 5296 ERP August 2008
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 3. ERP Description . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3.1. ERP With the Home ER Server . . . . . . . . . . . . . . . 6
+ 3.2. ERP with a Local ER Server . . . . . . . . . . . . . . . . 8
+ 4. ER Key Hierarchy . . . . . . . . . . . . . . . . . . . . . . . 10
+ 4.1. rRK Derivation . . . . . . . . . . . . . . . . . . . . . . 11
+ 4.2. rRK Properties . . . . . . . . . . . . . . . . . . . . . . 12
+ 4.3. rIK Derivation . . . . . . . . . . . . . . . . . . . . . . 12
+ 4.4. rIK Properties . . . . . . . . . . . . . . . . . . . . . . 13
+ 4.5. rIK Usage . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 4.6. rMSK Derivation . . . . . . . . . . . . . . . . . . . . . 14
+ 4.7. rMSK Properties . . . . . . . . . . . . . . . . . . . . . 15
+ 5. Protocol Details . . . . . . . . . . . . . . . . . . . . . . . 15
+ 5.1. ERP Bootstrapping . . . . . . . . . . . . . . . . . . . . 15
+ 5.2. Steps in ERP . . . . . . . . . . . . . . . . . . . . . . . 18
+ 5.2.1. Multiple Simultaneous Runs of ERP . . . . . . . . . . 20
+ 5.2.2. ERP Failure Handling . . . . . . . . . . . . . . . . . 21
+ 5.3. New EAP Packets . . . . . . . . . . . . . . . . . . . . . 22
+ 5.3.1. EAP-Initiate/Re-auth-Start Packet . . . . . . . . . . 23
+ 5.3.2. EAP-Initiate/Re-auth Packet . . . . . . . . . . . . . 25
+ 5.3.3. EAP-Finish/Re-auth Packet . . . . . . . . . . . . . . 26
+ 5.3.4. TV and TLV Attributes . . . . . . . . . . . . . . . . 29
+ 5.4. Replay Protection . . . . . . . . . . . . . . . . . . . . 30
+ 5.5. Channel Binding . . . . . . . . . . . . . . . . . . . . . 30
+ 6. Lower-Layer Considerations . . . . . . . . . . . . . . . . . . 31
+ 7. Transport of ERP Messages . . . . . . . . . . . . . . . . . . 32
+ 8. Security Considerations . . . . . . . . . . . . . . . . . . . 33
+ 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37
+ 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 39
+ 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 39
+ 11.1. Normative References . . . . . . . . . . . . . . . . . . . 39
+ 11.2. Informative References . . . . . . . . . . . . . . . . . . 40
+ Appendix A. Example ERP Exchange . . . . . . . . . . . . . . . . 42
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 2]
+
+RFC 5296 ERP August 2008
+
+
+1. Introduction
+
+ The Extensible Authentication Protocol (EAP) is a an authentication
+ framework that supports multiple authentication methods. The primary
+ purpose is network access authentication, and a key-generating method
+ is used when the lower layer wants to enforce access control. The
+ EAP keying hierarchy defines two keys to be derived by all key-
+ generating EAP methods: the Master Session Key (MSK) and the Extended
+ MSK (EMSK). In the most common deployment scenario, an EAP peer and
+ an EAP server authenticate each other through a third party known as
+ the EAP authenticator. The EAP authenticator or an entity controlled
+ by the EAP authenticator enforces access control. After successful
+ authentication, the EAP server transports the MSK to the EAP
+ authenticator; the EAP authenticator and the EAP peer establish
+ transient session keys (TSKs) using the MSK as the authentication
+ key, key derivation key, or a key transport key, and use the TSK for
+ per-packet access enforcement.
+
+ When a peer moves from one authenticator to another, it is desirable
+ to avoid a full EAP authentication to support fast handovers. The
+ full EAP exchange with another run of the EAP method can take several
+ round trips and significant time to complete, causing delays in
+ handover times. Some EAP methods specify the use of state from the
+ initial authentication to optimize re-authentications by reducing the
+ computational overhead, but method-specific re-authentication takes
+ at least 2 round trips with the original EAP server in most cases
+ (e.g., [6]). It is also important to note that several methods do
+ not offer support for re-authentication.
+
+ Key sharing across authenticators is sometimes used as a practical
+ solution to lower handover times. In that case, compromise of an
+ authenticator results in compromise of keying material established
+ via other authenticators. Other solutions for fast re-authentication
+ exist in the literature [7] [8].
+
+ In conclusion, to achieve low latency handovers, there is a need for
+ a method-independent re-authentication protocol that completes in
+ less than 2 round trips, preferably with a local server. The EAP
+ re-authentication problem statement is described in detail in [9].
+
+ This document specifies EAP Re-authentication Extensions (ERXs) for
+ efficient re-authentication using EAP. The protocol that uses these
+ extensions itself is referred to as the EAP Re-authentication
+ Protocol (ERP). It supports EAP method-independent re-authentication
+ for a peer that has valid, unexpired key material from a previously
+ performed EAP authentication. The protocol and the key hierarchy
+ required for EAP re-authentication are described in this document.
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 3]
+
+RFC 5296 ERP August 2008
+
+
+ Note that to support ERP, lower-layer specifications may need to be
+ revised to allow carrying EAP messages that have a code value higher
+ than 4 and to accommodate the peer-initiated nature of ERP.
+ Specifically, the IEEE802.1x specification must be revised and RFC
+ 4306 must be updated to carry ERP messages.
+
+2. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [1].
+
+ This document uses the basic EAP terminology [2] and EMSK keying
+ hierarchy terminology [3]. In addition, this document uses the
+ following terms:
+
+ ER Peer - An EAP peer that supports the EAP Re-authentication
+ Protocol. All references to "peer" in this document imply an ER
+ peer, unless specifically noted otherwise.
+
+ ER Authenticator - An entity that supports the authenticator
+ functionality for EAP re-authentication described in this
+ document. All references to "authenticator" in this document
+ imply an ER authenticator, unless specifically noted otherwise.
+
+ ER Server - An entity that performs the server portion of ERP
+ described here. This entity may or may not be an EAP server. All
+ references to "server" in this document imply an ER server, unless
+ specifically noted otherwise. An ER server is a logical entity;
+ the home ER server is located on the same backend authentication
+ server as the EAP server in the home domain. The local ER server
+ may not necessarily be a full EAP server.
+
+ ERX - EAP re-authentication extensions.
+
+ ERP - EAP Re-authentication Protocol that uses the
+ re-authentication extensions.
+
+ rRK - re-authentication Root Key, derived from the EMSK or DSRK.
+
+ rIK - re-authentication Integrity Key, derived from the rRK.
+
+ rMSK - re-authentication MSK. This is a per-authenticator key,
+ derived from the rRK.
+
+
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 4]
+
+RFC 5296 ERP August 2008
+
+
+ keyName-NAI - ERP messages are integrity protected with the rIK or
+ the DS-rIK. The use of rIK or DS-rIK for integrity protection of
+ ERP messages is indicated by the EMSKname [3]; the protocol, which
+ is ERP; and the realm, which indicates the domain name of the ER
+ server. The EMSKname is copied into the username part of the NAI.
+
+ Domain - Refers to a "key management domain" as defined in [3].
+ For simplicity, it is referred to as "domain" in this document.
+ The terms "home domain" and "local domain" are used to
+ differentiate between the originating key management domain that
+ performs the full EAP exchange with the peer and the local domain
+ to which a peer may be attached at a given time.
+
+3. ERP Description
+
+ ERP allows a peer and server to mutually verify proof of possession
+ of keying material from an earlier EAP method run and to establish a
+ security association between the peer and the authenticator. The
+ authenticator acts as a pass-through entity for the Re-authentication
+ Protocol in a manner similar to that of an EAP authenticator
+ described in RFC 3748 [2]. ERP is a single round-trip exchange
+ between the peer and the server; it is independent of the lower layer
+ and the EAP method used during the full EAP exchange. The ER server
+ may be in the home domain or in the same (visited) domain as the peer
+ and the authenticator.
+
+ Figure 2 shows the protocol exchange. The first time the peer
+ attaches to any network, it performs a full EAP exchange (shown in
+ Figure 1) with the EAP server; as a result, an MSK is distributed to
+ the EAP authenticator. The MSK is then used by the authenticator and
+ the peer to establish TSKs as needed. At the time of the initial EAP
+ exchange, the peer and the server also derive an EMSK, which is used
+ to derive a re-authentication Root Key (rRK). More precisely, a
+ re-authentication Root Key is derived from the EMSK or from a
+ Domain-Specific Root Key (DSRK), which itself is derived from the
+ EMSK. The rRK is only available to the peer and the ER server and is
+ never handed out to any other entity. Further, a re-authentication
+ Integrity Key (rIK) is derived from the rRK; the peer and the ER
+ server use the rIK to provide proof of possession while performing an
+ ERP exchange. The rIK is also never handed out to any entity and is
+ only available to the peer and server.
+
+ When the ER server is in the home domain, the peer and the server use
+ the rIK and rRK derived from the EMSK; and when the ER server is not
+ in the home domain, they use the DS-rIK and DS-rRK corresponding to
+ the local domain. The domain of the ER server is identified by the
+ realm portion of the keyname-NAI in ERP messages.
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 5]
+
+RFC 5296 ERP August 2008
+
+
+3.1. ERP With the Home ER Server
+
+ EAP Peer EAP Authenticator EAP Server
+ ======== ================= ==========
+
+ <--- EAP-Request/ ------
+ Identity
+
+ ----- EAP Response/ --->
+ Identity ---AAA(EAP Response/Identity)-->
+
+ <--- EAP Method -------> <------ AAA(EAP Method -------->
+ exchange exchange)
+
+ <----AAA(MSK, EAP-Success)------
+
+ <---EAP-Success---------
+
+ Figure 1: EAP Authentication
+
+
+ Peer Authenticator Server
+ ==== ============= ======
+
+ [<-- EAP-Initiate/ -----
+ Re-auth-Start]
+ [<-- EAP-Request/ ------
+ Identity]
+
+
+ ---- EAP-Initiate/ ----> ----AAA(EAP-Initiate/ ---------->
+ Re-auth/ Re-auth/
+ [Bootstrap] [Bootstrap])
+
+ <--- EAP-Finish/ ------> <---AAA(rMSK,EAP-Finish/---------
+ Re-auth/ Re-auth/
+ [Bootstrap] [Bootstrap])
+
+ Note: [] brackets indicate optionality.
+
+ Figure 2: ERP Exchange
+
+ Two new EAP codes, EAP-Initiate and EAP-Finish, are specified in this
+ document for the purpose of EAP re-authentication. When the peer
+ identifies a target authenticator that supports EAP
+ re-authentication, it performs an ERP exchange, as shown in Figure 2;
+ the exchange itself may happen when the peer attaches to a new
+ authenticator supporting EAP re-authentication, or prior to
+
+
+
+Narayanan & Dondeti Standards Track [Page 6]
+
+RFC 5296 ERP August 2008
+
+
+ attachment. The peer initiates ERP by itself; it may also do so in
+ response to an EAP-Initiate/Re-auth-Start message from the new
+ authenticator. The EAP-Initiate/Re-auth-Start message allows the
+ authenticator to trigger the ERP exchange.
+
+ It is plausible that the authenticator does not know whether the peer
+ supports ERP and whether the peer has performed a full EAP
+ authentication through another authenticator. The authenticator MAY
+ initiate the ERP exchange by sending the EAP-Initiate/Re-auth-Start
+ message, and if there is no response, it will send the EAP-Request/
+ Identity message. Note that this avoids having two EAP messages in
+ flight at the same time [2]. The authenticator may send the EAP-
+ Initiate/Re-auth-Start message and wait for a short, locally
+ configured amount of time. If the peer does not already know, this
+ message indicates to the peer that the authenticator supports ERP.
+ In response to this trigger from the authenticator, the peer can
+ initiate the ERP exchange by sending an EAP-Initiate/Re-auth message.
+ If there is no response from the peer after the necessary
+ retransmissions (see Section 6), the authenticator MUST initiate EAP
+ by sending an EAP-Request message, typically the EAP-Request/Identity
+ message. Note that the authenticator may receive an EAP-Initiate/
+ Re-auth message after it has sent an EAP-Request/Identity message.
+ If the authenticator supports ERP, it MUST proceed with the ERP
+ exchange. When the EAP-Request/Identity times out, the authenticator
+ MUST NOT close the connection if an ERP exchange is in progress or
+ has already succeeded in establishing a re-authentication MSK.
+
+ If the authenticator does not support ERP, it drops EAP-Initiate/
+ Re-auth messages [2] as the EAP code of those packets is greater than
+ 4. An ERP-capable peer will exhaust the EAP-Initiate/Re-auth message
+ retransmissions and fall back to EAP authentication by responding to
+ EAP Request/Identity messages from the authenticator. If the peer
+ does not support ERP or if it does not have unexpired key material
+ from a previous EAP authentication, it drops EAP-Initiate/
+ Re-auth-Start messages. If there is no response to the EAP-Initiate/
+ Re-auth-Start message, the authenticator SHALL send an EAP Request
+ message (typically EAP Request/Identity) to start EAP authentication.
+ From this stage onwards, RFC 3748 rules apply. Note that this may
+ introduce some delay in starting EAP. In some lower layers, the
+ delay can be minimized or even avoided by the peer initiating EAP by
+ sending messages such as EAPoL-Start in the IEEE 802.1X specification
+ [10].
+
+ The peer sends an EAP-Initiate/Re-auth message that contains the
+ keyName-NAI to identify the ER server's domain and the rIK used to
+ protect the message, and a sequence number for replay protection.
+ The EAP-Initiate/Re-auth message is integrity protected with the rIK.
+ The authenticator uses the realm in the keyName-NAI [4] field to send
+
+
+
+Narayanan & Dondeti Standards Track [Page 7]
+
+RFC 5296 ERP August 2008
+
+
+ the message to the appropriate ER server. The server uses the
+ keyName to look up the rIK. The server, after verifying proof of
+ possession of the rIK, and freshness of the message, derives a
+ re-authentication MSK (rMSK) from the rRK using the sequence number
+ as an input to the key derivation. The server updates the expected
+ sequence number to the received sequence number plus one.
+
+ In response to the EAP-Initiate/Re-auth message, the server sends an
+ EAP-Finish/Re-auth message; this message is integrity protected with
+ the rIK. The server transports the rMSK along with this message to
+ the authenticator. The rMSK is transported in a manner similar to
+ that of the MSK along with the EAP-Success message in a full EAP
+ exchange. Ongoing work in [11] describes an additional key
+ distribution protocol that can be used to transport the rRK from an
+ EAP server to one of many different ER servers that share a trust
+ relationship with the EAP server.
+
+ The peer MAY request the server for the rMSK lifetime. If so, the ER
+ server sends the rMSK lifetime in the EAP-Finish/Re-auth message.
+
+ In an ERP bootstrap exchange, the peer MAY request the server for the
+ rRK lifetime. If so, the ER server sends the rRK lifetime in the
+ EAP-Finish/Re-auth message.
+
+ The peer verifies the replay protection and the integrity of the
+ message. It then uses the sequence number in the EAP-Finish/Re-auth
+ message to compute the rMSK. The lower-layer security association
+ protocol is ready to be triggered after this point.
+
+3.2. ERP with a Local ER Server
+
+ The defined ER extensions allow executing the ERP with an ER server
+ in the local domain (access network). The local ER server may be co-
+ located with a local AAA server. The peer may learn about the
+ presence of a local ER server in the network and the local domain
+ name (or ER server name) either via the lower layer or by means of
+ ERP bootstrapping. The peer uses the domain name and the EMSK to
+ compute the DSRK and from that key, the DS-rRK; the peer also uses
+ the domain name in the realm portion of the keyName-NAI for using ERP
+ in the local domain. Figure 3 shows the full EAP and subsequent
+ local ERP exchange; Figure 4 shows it with a local ER server.
+
+
+
+
+
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 8]
+
+RFC 5296 ERP August 2008
+
+
+ Peer EAP Authenticator Local ER Server Home EAP Server
+ ==== ================= =============== ===============
+
+ <-- EAP-Request/ --
+ Identity
+
+ -- EAP Response/-->
+ Identity --AAA(EAP Response/-->
+ Identity) --AAA(EAP Response/ -->
+ Identity,
+ [DSRK Request,
+ domain name])
+
+ <------------------------ EAP Method exchange------------------>
+
+ <---AAA(MSK, DSRK, ----
+ EMSKname,
+ EAP-Success)
+
+ <--- AAA(MSK, -----
+ EAP-Success)
+
+ <---EAP-Success-----
+
+ Figure 3: Local ERP Exchange, Initial EAP Exchange
+
+
+ Peer ER Authenticator Local ER Server
+ ==== ================ ===============
+
+ [<-- EAP-Initiate/ --------
+ Re-auth-Start]
+ [<-- EAP-Request/ ---------
+ Identity]
+
+ ---- EAP-Initiate/ -------> ----AAA(EAP-Initiate/ -------->
+ Re-auth Re-auth)
+
+ <--- EAP-Finish/ ---------- <---AAA(rMSK,EAP-Finish/-------
+ Re-auth Re-auth)
+
+ Figure 4: Local ERP Exchange
+
+
+
+
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 9]
+
+RFC 5296 ERP August 2008
+
+
+ As shown in Figure 4, the local ER server may be present in the path
+ of the full EAP exchange (e.g., this may be one of the AAA entities,
+ such as AAA proxies, in the path between the authenticator and the
+ home EAP server of the peer). In that case, the ER server requests
+ the DSRK by sending the domain name to the EAP server. In response,
+ the EAP server computes the DSRK by following the procedure specified
+ in [3] and sends the DSRK and the key name, EMSKname, to the ER
+ server in the claimed domain. The local domain is responsible for
+ announcing that same domain name via the lower layer to the peer.
+
+ If the peer does not know the domain name (did not receive the domain
+ name via the lower-layer announcement, due to a missed announcement
+ or lack of support for domain name announcements in a specific lower
+ layer), it SHOULD initiate ERP bootstrap exchange with the home ER
+ server to obtain the domain name. The local ER server SHALL request
+ the home AAA server for the DSRK by sending the domain name in the
+ AAA message that carries the EAP-Initiate/Re-auth bootstrap message.
+ The local ER server MUST be in the path from the peer to the home ER
+ server. If it is not, it cannot request the DSRK.
+
+ After receiving the DSRK and the EMSKname, the local ER server
+ computes the DS-rRK and the DS-rIK from the DSRK as defined in
+ Sections 4.1 and 4.3 below. After receiving the domain name, the
+ peer also derives the DSRK, the DS-rRK, and the DS-rIK. These keys
+ are referred to by a keyName-NAI formed as follows: the username part
+ of the NAI is the EMSKname, the realm portion of the NAI is the
+ domain name. Both parties also maintain a sequence number
+ (initialized to zero) corresponding to the specific keyName-NAI.
+
+ Subsequently, when the peer attaches to an authenticator within the
+ local domain, it may perform an ERP exchange with the local ER server
+ to obtain an rMSK for the new authenticator.
+
+4. ER Key Hierarchy
+
+ Each time the peer re-authenticates to the network, the peer and the
+ authenticator establish an rMSK. The rMSK serves the same purposes
+ that an MSK, which is the result of full EAP authentication, serves.
+ To prove possession of the rRK, we specify the derivation of another
+ key, the rIK. These keys are derived from the rRK. Together they
+ constitute the ER key hierarchy.
+
+ The rRK is derived from either the EMSK or a DSRK as specified in
+ Section 4.1. For the purpose of rRK derivation, this document
+ specifies derivation of a Usage-Specific Root Key (USRK) or a Domain-
+ Specific USRK (DSUSRK) in accordance with [3] for re-authentication.
+ The USRK designated for re-authentication is the re-authentication
+ root key (rRK). A DSUSRK designated for re-authentication is the DS-
+
+
+
+Narayanan & Dondeti Standards Track [Page 10]
+
+RFC 5296 ERP August 2008
+
+
+ rRK available to a local ER server in a particular domain. For
+ simplicity, the keys are referred to without the DS label in the rest
+ of the document. However, the scope of the various keys is limited
+ to just the respective domains they are derived for, in the case of
+ the domain specific keys. Based on the ER server with which the peer
+ performs the ERP exchange, it knows the corresponding keys that must
+ be used.
+
+ The rRK is used to derive an rIK, and rMSKs for one or more
+ authenticators. The figure below shows the key hierarchy with the
+ rRK, rIK, and rMSKs.
+
+ rRK
+ |
+ +--------+--------+
+ | | |
+ rIK rMSK1 ...rMSKn
+
+ Figure 5: Re-authentication Key Hierarchy
+
+ The derivations in this document are according to [3]. Key
+ derivations and field encodings, where unspecified, default to that
+ document.
+
+4.1. rRK Derivation
+
+ The rRK may be derived from the EMSK or DSRK. This section provides
+ the relevant key derivations for that purpose.
+
+ The rRK is derived as specified in [3].
+
+ rRK = KDF (K, S), where
+
+ K = EMSK or K = DSRK and
+
+ S = rRK Label | "\0" | length
+
+ The rRK Label is an IANA-assigned 8-bit ASCII string:
+
+ EAP Re-authentication Root Key@ietf.org
+
+ assigned from the "USRK key labels" name space in accordance with
+ [3].
+
+ The KDF and algorithm agility for the KDF are as defined in [3].
+
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 11]
+
+RFC 5296 ERP August 2008
+
+
+ An rRK derived from the DSRK is referred to as a DS-rRK in the rest
+ of the document. All the key derivation and properties specified in
+ this section remain the same.
+
+4.2. rRK Properties
+
+ The rRK has the following properties. These properties apply to the
+ rRK regardless of the parent key used to derive it.
+
+ o The length of the rRK MUST be equal to the length of the parent
+ key used to derive it.
+
+ o The rRK is to be used only as a root key for re-authentication and
+ never used to directly protect any data.
+
+ o The rRK is only used for derivation of rIK and rMSK as specified
+ in this document.
+
+ o The rRK MUST remain on the peer and the server that derived it and
+ MUST NOT be transported to any other entity.
+
+ o The lifetime of the rRK is never greater than that of its parent
+ key. The rRK is expired when the parent key expires and MUST be
+ removed from use at that time.
+
+4.3. rIK Derivation
+
+ The re-authentication Integrity Key (rIK) is used for integrity
+ protecting the ERP exchange. This serves as the proof of possession
+ of valid keying material from a previous full EAP exchange by the
+ peer to the server.
+
+ The rIK is derived as follows.
+
+ rIK = KDF (K, S), where
+
+ K = rRK and
+
+ S = rIK Label | "\0" | cryptosuite | length
+
+ The rIK Label is the 8-bit ASCII string:
+
+ Re-authentication Integrity Key@ietf.org
+
+ The length field refers to the length of the rIK in octets encoded as
+ specified in [3].
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 12]
+
+RFC 5296 ERP August 2008
+
+
+ The cryptosuite and length of the rIK are part of the input to the
+ key derivation function to ensure cryptographic separation of keys if
+ different rIKs of different lengths for use with different Message
+ Authentication Code (MAC) algorithms are derived from the same rRK.
+ The cryptosuite is encoded as an 8-bit number; see Section 5.3.2 for
+ the cryptosuite specification.
+
+ The rIK is referred to by EMSKname-NAI within the context of ERP
+ messages. The username part of EMSKname-NAI is the EMSKname; the
+ realm is the domain name of the ER server. In case of ERP with the
+ home ER server, the peer uses the realm from its original NAI; in
+ case of a local ER server, the peer uses the domain name received at
+ the lower layer or through an ERP bootstrapping exchange.
+
+ An rIK derived from a DS-rRK is referred to as a DS-rIK in the rest
+ of the document. All the key derivation and properties specified in
+ this section remain the same.
+
+4.4. rIK Properties
+
+ The rIK has the following properties.
+
+ o The length of the rIK MUST be equal to the length of the rRK.
+
+ o The rIK is only used for authentication of the ERP exchange as
+ specified in this document.
+
+ o The rIK MUST NOT be used to derive any other keys.
+
+ o The rIK must remain on the peer and the server and MUST NOT be
+ transported to any other entity.
+
+ o The rIK is cryptographically separate from any other keys derived
+ from the rRK.
+
+ o The lifetime of the rIK is never greater than that of its parent
+ key. The rIK MUST be expired when the EMSK expires and MUST be
+ removed from use at that time.
+
+4.5. rIK Usage
+
+ The rIK is the key whose possession is demonstrated by the peer and
+ the ERP server to the other party. The peer demonstrates possession
+ of the rIK by computing the integrity checksum over the EAP-Initiate/
+ Re-auth message. When the peer uses the rIK for the first time, it
+ can choose the integrity algorithm to use with the rIK. The peer and
+ the server MUST use the same integrity algorithm with a given rIK for
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 13]
+
+RFC 5296 ERP August 2008
+
+
+ all ERP messages protected with that key. The peer and the server
+ store the algorithm information after the first use, and they employ
+ the same algorithm for all subsequent uses of that rIK.
+
+ If the server's policy does not allow the use of the cryptosuite
+ selected by the peer, the server SHALL reject the EAP-Initiate/
+ Re-auth message and SHOULD send a list of acceptable cryptosuites in
+ the EAP-Finish/Re-auth message.
+
+ The rIK length may be different from the key length required by an
+ integrity algorithm. In case of hash-based MAC algorithms, the key
+ is first hashed to the required key length as specified in [5]. In
+ case of cipher-based MAC algorithms, if the required key length is
+ less than 32 octets, the rIK is hashed using HMAC-SHA256 and the
+ first k octets of the output are used, where k is the key length
+ required by the algorithm. If the required key length is more than
+ 32 octets, the first k octets of the rIK are used by the cipher-based
+ MAC algorithm.
+
+4.6. rMSK Derivation
+
+ The rMSK is derived at the peer and server and delivered to the
+ authenticator. The rMSK is derived following an EAP Re-auth Protocol
+ exchange.
+
+ The rMSK is derived as follows.
+
+ rMSK = KDF (K, S), where
+
+ K = rRK and
+
+ S = rMSK label | "\0" | SEQ | length
+
+ The rMSK label is the 8-bit ASCII string:
+
+ Re-authentication Master Session Key@ietf.org
+
+ The length field refers to the length of the rMSK in octets. The
+ length field is encoded as specified in [3].
+
+ SEQ is the sequence number sent by the peer in the EAP-Initiate/
+ Re-auth message. This field is encoded as a 16-bit number in network
+ byte order (see Section 5.3.2).
+
+ An rMSK derived from a DS-rRK is referred to as a DS-rIK in the rest
+ of the document. All the key derivation and properties specified in
+ this section remain the same.
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 14]
+
+RFC 5296 ERP August 2008
+
+
+4.7. rMSK Properties
+
+ The rMSK has the following properties:
+
+ o The length of the rMSK MUST be equal to the length of the rRK.
+
+ o The rMSK is delivered to the authenticator and is used for the
+ same purposes that an MSK is used at an authenticator.
+
+ o The rMSK is cryptographically separate from any other keys derived
+ from the rRK.
+
+ o The lifetime of the rMSK is less than or equal to that of the rRK.
+ It MUST NOT be greater than the lifetime of the rRK.
+
+ o If a new rRK is derived, subsequent rMSKs MUST be derived from the
+ new rRK. Previously delivered rMSKs MAY still be used until the
+ expiry of the lifetime.
+
+ o A given rMSK MUST NOT be shared by multiple authenticators.
+
+5. Protocol Details
+
+5.1. ERP Bootstrapping
+
+ We identify two types of bootstrapping for ERP: explicit and implicit
+ bootstrapping. In implicit bootstrapping, the local ER server SHOULD
+ include its domain name and SHOULD request the DSRK from the home AAA
+ server during the initial EAP exchange, in the AAA message
+ encapsulating the first EAP Response message sent by the peer. If
+ the EAP exchange is successful, the server sends the DSRK for the
+ local ER server (derived using the EMSK and the domain name as
+ specified in [3]), EMSKname, and DSRK lifetime along with the EAP-
+ Success message. The local ER server MUST extract the DSRK,
+ EMSKname, and DSRK lifetime (if present) before forwarding the EAP-
+ Success message to the peer, as specified in [12]. Note that the MSK
+ (also present along with the EAP Success message) is extracted by the
+ EAP authenticator as usual. The peer learns the domain name through
+ the EAP-Initiate/Re-auth-Start message or via lower-layer
+ announcements. When the domain name is available to the peer during
+ or after the full EAP authentication, it attempts to use ERP when it
+ associates with a new authenticator.
+
+ If the peer does not know the domain name (did not receive the domain
+ name via the lower-layer announcement, due to a missed announcement
+ or lack of support for domain name announcements in a specific lower
+ layer), it SHOULD initiate ERP bootstrap exchange (ERP exchange with
+ the bootstrap flag turned on) with the home ER server to obtain the
+
+
+
+Narayanan & Dondeti Standards Track [Page 15]
+
+RFC 5296 ERP August 2008
+
+
+ domain name. The local ER server behavior is the same as described
+ above. The peer MAY also initiate bootstrapping to fetch information
+ such as the rRK lifetime from the AAA server.
+
+ The following steps describe the ERP explicit bootstrapping process:
+
+ o The peer sends the EAP-Initiate/Re-auth message with the
+ bootstrapping flag turned on. The bootstrap message is always
+ sent to the home AAA server, and the keyname-NAI attribute in the
+ bootstrap message is constructed as follows: the username portion
+ of the NAI contains the EMSKname, and the realm portion contains
+ the home domain name.
+
+ o In addition, the message MUST contain a sequence number for replay
+ protection, a cryptosuite, and an integrity checksum. The
+ cryptosuite indicates the authentication algorithm. The integrity
+ checksum indicates that the message originated at the claimed
+ entity, the peer indicated by the Peer-ID, or the rIKname.
+
+ o The peer MAY additionally set the lifetime flag to request the key
+ lifetimes.
+
+ o When an ERP-capable authenticator receives the EAP-Initiate/
+ Re-auth message from a peer, it copies the contents of the
+ keyName-NAI into the User-Name attribute of RADIUS [13]. The rest
+ of the process is similar to that described in [14] and [12].
+
+ o If a local ER server is present, the local ER server MUST include
+ the DSRK request and its domain name in the AAA message
+ encapsulating the EAP-Initiate/Re-auth message sent by the peer.
+
+ o Upon receipt of an EAP-Initiate/Re-auth message, the server
+ verifies whether the message is fresh or is a replay by evaluating
+ whether the received sequence number is equal to or greater than
+ the expected sequence number for that rIK. The server then
+ verifies to ensure that the cryptosuite used by the peer is
+ acceptable. Next, it verifies the origin authentication of the
+ message by looking up the rIK. If any of the checks fail, the
+ server sends an EAP-Finish/Re-auth message with the Result flag
+ set to '1'. Please refer to Section 5.2.2 for details on failure
+ handling. This error MUST NOT have any correlation to any EAP-
+ Success message that may have been received by the EAP
+ authenticator and the peer earlier. If the EAP-Initiate/Re-auth
+ message is well-formed and valid, the server prepares the EAP-
+ Finish/Re-auth message. The bootstrap flag MUST be set to
+ indicate that this is a bootstrapping exchange. The message
+ contains the following fields:
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 16]
+
+RFC 5296 ERP August 2008
+
+
+ * A sequence number for replay protection.
+
+ * The same keyName-NAI as in the EAP-Initiate/Re-auth message.
+
+ * If the lifetime flag was set in the EAP-Initiate/Re-auth
+ message, the ER server SHOULD include the rRK lifetime and the
+ rMSK lifetime in the EAP-Finish/Re-auth message. The server
+ may have a local policy for the network to maintain and enforce
+ lifetime unilaterally. In such cases, the server need not
+ respond to the peer's request for the lifetime.
+
+ * If the bootstrap flag is set and a DSRK request is received,
+ the server MUST include the domain name to which the DSRK is
+ being sent.
+
+ * If the home ER server verifies the authorization of a local
+ domain server, it MAY include the Authorization Indication TLV
+ to indicate to the peer that the server (that received the DSRK
+ and that is advertising the domain included in the domain name
+ TLV) is authorized.
+
+ * An authentication tag MUST be included to prove that the EAP-
+ Finish/Re-auth message originates at a server that possesses
+ the rIK corresponding to the EMSKname-NAI.
+
+ o If the ERP exchange is successful, and the local ER server sent a
+ DSRK request, the home ER server MUST include the DSRK for the
+ local ER server (derived using the EMSK and the domain name as
+ specified in [3]), EMSKname, and DSRK lifetime along with the EAP-
+ Finish/Re-auth message.
+
+ o In addition, the rMSK is sent along with the EAP-Finish/Re-auth
+ message, in a AAA attribute [12].
+
+ o The local ER server MUST extract the DSRK, EMSKname, and DSRK
+ lifetime (if present), before forwarding the EAP-Finish/Re-auth
+ message to the peer, as specified in [12].
+
+ o The authenticator receives the rMSK.
+
+ o When the peer receives an EAP-Finish/Re-auth message with the
+ bootstrap flag set, if a local domain name is present, it MUST use
+ that to derive the appropriate DSRK, DS-rRK, DS-rIK, and keyName-
+ NAI, and initialize the replay counter for the DS-rIK. If not,
+ the peer SHOULD derive the domain-specific keys using the domain
+ name it learned via the lower layer or from the EAP-Initiate/
+ Re-auth-Start message. If the peer does not know the domain name,
+ it must assume that there is no local ER server available.
+
+
+
+Narayanan & Dondeti Standards Track [Page 17]
+
+RFC 5296 ERP August 2008
+
+
+ o The peer MAY also verify the Authorization Indication TLV.
+
+ o The procedures for encapsulating the ERP and obtaining relevant
+ keys using RADIUS and Diameter are specified in [12] and [15],
+ respectively.
+
+ Since the ER bootstrapping exchange is typically done immediately
+ following the full EAP exchange, it is feasible that the process is
+ completed through the same entity that served as the EAP
+ authenticator for the full EAP exchange. In this case, the lower
+ layer may already have established TSKs based on the MSK received
+ earlier. The lower layer may then choose to ignore the rMSK that was
+ received with the ER bootstrapping exchange. Alternatively, the
+ lower layer may choose to establish a new TSK using the rMSK. In
+ either case, the authenticator and the peer know which key is used
+ based on whether or not a TSK establishment exchange is initiated.
+ The bootstrapping exchange may also be carried out via a new
+ authenticator, in which case, the rMSK received SHOULD trigger a
+ lower layer TSK establishment exchange.
+
+5.2. Steps in ERP
+
+ When a peer that has an active rRK and rIK associates with a new
+ authenticator that supports ERP, it may perform an ERP exchange with
+ that authenticator. ERP is typically a peer-initiated exchange,
+ consisting of an EAP-Initiate/Re-auth and an EAP-Finish/Re-auth
+ message. The ERP exchange may be performed with a local ER server
+ (when one is present) or with the original EAP server.
+
+ It is plausible for the network to trigger the EAP re-authentication
+ process, however. An ERP-capable authenticator SHOULD send an EAP-
+ Initiate/Re-auth-Start message to indicate support for ERP. The peer
+ may or may not wait for these messages to arrive to initiate the EAP-
+ Initiate/Re-auth message.
+
+ The EAP-Initiate/Re-auth-Start message SHOULD be sent by an ERP-
+ capable authenticator. The authenticator may retransmit it a few
+ times until it receives an EAP-Initiate/Re-auth message in response
+ from the peer. The EAP-Initiate/Re-auth message from the peer may
+ have originated before the peer receives either an EAP-Request/
+ Identity or an EAP-Initiate/Re-auth-Start message from the
+ authenticator. Hence, the Identifier value in the EAP-Initiate/
+ Re-auth message is independent of the Identifier value in the EAP-
+ Initiate/Re-auth-Start or the EAP-Request/Identity messages.
+
+
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 18]
+
+RFC 5296 ERP August 2008
+
+
+ Operational Considerations at the Peer:
+
+ ERP requires that the peer maintain retransmission timers for
+ reliable transport of EAP re-authentication messages. The
+ reliability considerations of Section 4.3 of RFC 3748 apply with the
+ peer as the retransmitting entity.
+
+ The EAP Re-auth Protocol has the following steps:
+
+ The peer sends an EAP-Initiate/Re-auth message. At a minimum, the
+ message SHALL include the following fields:
+
+ a 16-bit sequence number for replay protection
+
+ keyName-NAI as a TLV attribute to identify the rIK used to
+ integrity protect the message.
+
+ cryptosuite to indicate the authentication algorithm used to
+ compute the integrity checksum.
+
+ authentication tag over the message.
+
+ When the peer is performing ERP with a local ER server, it MUST
+ use the corresponding DS-rIK it shares with the local ER server.
+ The peer SHOULD set the lifetime flag to request the key lifetimes
+ from the server. The peer can use the rRK lifetime to know when
+ to trigger an EAP method exchange and the rMSK lifetime to know
+ when to trigger another ERP exchange.
+
+ The authenticator copies the contents of the value field of the
+ keyName-NAI TLV into the User-Name RADIUS attribute in the AAA
+ message to the ER server.
+
+ The server uses the keyName-NAI to look up the rIK. It MUST first
+ verify whether the sequence number is equal to or greater than the
+ expected sequence number. If the server supports a sequence
+ number window size greater than 1, it MUST verify whether the
+ sequence number falls within the window and has not been received
+ before. The server MUST then verify to ensure that the
+ cryptosuite used by the peer is acceptable. The server then
+ proceeds to verify the integrity of the message using the rIK,
+ thereby verifying proof of possession of that key by the peer. If
+ any of these verifications fail, the server MUST send an EAP-
+ Finish/Re-auth message with the Result flag set to '1' (Failure).
+ Please refer to Section 5.2.2 for details on failure handling.
+ Otherwise, it MUST compute an rMSK from the rRK using the sequence
+ number as the additional input to the key derivation.
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 19]
+
+RFC 5296 ERP August 2008
+
+
+ In response to a well-formed EAP Re-auth/Initiate message, the
+ server MUST send an EAP-Finish/Re-auth message with the following
+ considerations:
+
+ a 16-bit sequence number for replay protection, which MUST be
+ the same as the received sequence number. The local copy of
+ the sequence number MUST be incremented by 1. If the server
+ supports multiple simultaneous ERP exchanges, it MUST instead
+ update the sequence number window.
+
+ keyName-NAI as a TLV attribute to identify the rIK used to
+ integrity protect the message.
+
+ cryptosuite to indicate the authentication algorithm used to
+ compute the integrity checksum.
+
+ authentication tag over the message.
+
+ If the lifetime flag was set in the EAP-Initiate/Re-auth
+ message, the ER server SHOULD include the rRK lifetime and the
+ rMSK lifetime.
+
+ The server transports the rMSK along with this message to the
+ authenticator. The rMSK is transported in a manner similar to the
+ MSK transport along with the EAP-Success message in a regular EAP
+ exchange.
+
+ The peer looks up the sequence number to verify whether it is
+ expecting an EAP-Finish/Re-auth message with that sequence number
+ protected by the keyName-NAI. It then verifies the integrity of
+ the message. If the verifications fail, the peer logs an error
+ and stops the process; otherwise, it proceeds to the next step.
+
+ The peer uses the sequence number to compute the rMSK.
+
+ The lower-layer security association protocol can be triggered at
+ this point.
+
+5.2.1. Multiple Simultaneous Runs of ERP
+
+ When a peer is within the range of multiple authenticators, it may
+ choose to run ERP via all of them simultaneously to the same ER
+ server. In that case, it is plausible that the ERP messages may
+ arrive out of order, resulting in the ER server rejecting legitimate
+ EAP-Initiate/Re-auth messages.
+
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 20]
+
+RFC 5296 ERP August 2008
+
+
+ To facilitate such operation, an ER server MAY allow multiple
+ simultaneous ERP exchanges by accepting all EAP-Initiate/Re-auth
+ messages with SEQ number values within a window of allowed values.
+ Recall that the SEQ number allows replay protection. Replay window
+ maintenance mechanisms are a local matter.
+
+5.2.2. ERP Failure Handling
+
+ If the processing of the EAP-Initiate/Re-auth message results in a
+ failure, the ER server MUST send an EAP-Finish Re-auth message with
+ the Result flag set to '1'. If the server has a valid rIK for the
+ peer, it MUST integrity protect the EAP-Finish/Re-auth failure
+ message. If the failure is due to an unacceptable cryptosuite, the
+ server SHOULD send a list of acceptable cryptosuites (in a TLV of
+ Type 5) along with the EAP-Finish/Re-auth message. In this case, the
+ server MUST indicate the cryptosuite used to protect the EAP-Finish/
+ Re-auth message in the cryptosuite. The rIK used with the EAP-
+ Finish/Re-auth message in this case MUST be computed as specified in
+ Section 4.3 using the new cryptosuite. If the server does not have a
+ valid rIK for the peer, the EAP-Finish/Re-auth message indicating a
+ failure will be unauthenticated; the server MAY include a list of
+ acceptable cryptosuites in the message.
+
+ The peer, upon receiving an EAP-Finish/Re-auth message with the
+ Result flag set to '1', MUST verify the sequence number and the
+ Authentication Tag to determine the validity of the message. If the
+ peer supports the cryptosuite, it MUST verify the integrity of the
+ received EAP-Finish/Re-auth message. If the EAP-Finish message
+ contains a TLV of Type 5, the peer SHOULD retry the ERP exchange with
+ a cryptosuite picked from the list included by the server. The peer
+ MUST use the appropriate rIK for the subsequent ERP exchange, by
+ computing it with the corresponding cryptosuite, as specified in
+ Section 4.3. If the PRF in the chosen cryptosuite is different from
+ the PRF originally used by the peer, it MUST derive a new DSRK (if
+ required), rRK, and rIK before proceeding with the subsequent ERP
+ exchange.
+
+ If the peer cannot verify the integrity of the received message, it
+ MAY choose to retry the ERP exchange with one of the cryptosuites in
+ the TLV of Type 5, after a failure has been clearly determined
+ following the procedure in the next paragraph.
+
+ If the replay or integrity checks fail, the failure message may have
+ been sent by an attacker. It may also imply that the server and peer
+ do not support the same cryptosuites; however, the peer cannot
+ determine if that is the case. Hence, the peer SHOULD continue the
+ ERP exchange per the retransmission timers before declaring a
+ failure.
+
+
+
+Narayanan & Dondeti Standards Track [Page 21]
+
+RFC 5296 ERP August 2008
+
+
+ When the peer runs explicit bootstrapping (ERP with the bootstrapping
+ flag on), there may not be a local ER server available to send a DSRK
+ Request and the domain name. In that case, the server cannot send
+ the DSRK and MUST NOT include the domain name TLV. When the peer
+ receives a response in the bootstrapping exchange without a domain
+ name TLV, it assumes that there is no local ER server. The home ER
+ server sends an rMSK to the ER authenticator, however, and the peer
+ SHALL run the TSK establishment protocol as usual.
+
+5.3. New EAP Packets
+
+ Two new EAP Codes are defined for the purpose of ERP: EAP-Initiate
+ and EAP-Finish. The packet format for these messages follows the EAP
+ packet format defined in RFC 3748 [2].
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Code | Identifier | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Type-Data ...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+
+ Figure 6: EAP Packet
+
+ Code
+
+ 5 Initiate
+
+ 6 Finish
+
+ Two new code values are defined for the purpose of ERP.
+
+ Identifier
+
+ The Identifier field is one octet. The Identifier field MUST
+ be the same if an EAP-Initiate packet is retransmitted due to a
+ timeout while waiting for a Finish message. Any new
+ (non-retransmission) Initiate message MUST use a new Identifier
+ field.
+
+ The Identifier field of the Finish message MUST match that of
+ the currently outstanding Initiate message. A peer or
+ authenticator receiving a Finish message whose Identifier value
+ does not match that of the currently outstanding Initiate
+ message MUST silently discard the packet.
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 22]
+
+RFC 5296 ERP August 2008
+
+
+ In order to avoid confusion between new EAP-Initiate messages
+ and retransmissions, the peer must choose an Identifier value
+ that is different from the previous EAP-Initiate message,
+ especially if that exchange has not finished. It is
+ RECOMMENDED that the authenticator clear EAP Re-auth state
+ after 300 seconds.
+
+ Type
+
+ This field indicates that this is an ERP exchange. Two type
+ values are defined in this document for this purpose --
+ Re-auth-Start (assigned Type 1) and Re-auth (assigned Type 2).
+
+ Type-Data
+
+ The Type-Data field varies with the Type of re-authentication
+ packet.
+
+5.3.1. EAP-Initiate/Re-auth-Start Packet
+
+ The EAP-Initiate/Re-auth-Start packet contains the parameters shown
+ in Figure 7.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Code | Identifier | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Reserved | 1 or more TVs or TLVs ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 7: EAP-Initiate/Re-auth-Start Packet
+
+ Type = 1.
+
+ Reserved, MUST be zero. Set to zero on transmission and ignored
+ on reception.
+
+ One or more TVs or TLVs are used to convey information to the
+ peer; for instance, the authenticator may send the domain name to
+ the peer.
+
+ TVs or TLVs: In the TV payloads, there is a 1-octet type payload
+ and a value with type-specific length. In the TLV payloads, there
+ is a 1-octet type payload and a 1-octet length payload. The
+ length field indicates the length of the value expressed in number
+ of octets.
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 23]
+
+RFC 5296 ERP August 2008
+
+
+ Domain-Name: This is a TLV payload. The Type is 4. The domain
+ name is to be used as the realm in an NAI [4]. The Domain-Name
+ attribute SHOULD be present in an EAP-Initiate/Re-auth-Start
+ message.
+
+ In addition, channel binding information MAY be included; see
+ Section 5.5 for discussion. See Figure 11 for parameter
+ specification.
+
+5.3.1.1. Authenticator Operation
+
+ The authenticator MAY send the EAP-Initiate/Re-auth-Start message to
+ indicate support for ERP to the peer and to initiate ERP if the peer
+ has already performed full EAP authentication and has unexpired key
+ material. The authenticator SHOULD include the domain name TLV to
+ allow the peer to learn it without lower-layer support or the ERP
+ bootstrapping exchange.
+
+ The authenticator MAY include channel binding information so that the
+ peer can send the information to the server in the EAP-Initiate/
+ Re-auth message so that the server can verify whether the
+ authenticator is claiming the same identity to both parties.
+
+ The authenticator MAY re-transmit the EAP-Initiate/Re-auth-Start
+ message a few times for reliable transport.
+
+5.3.1.2. Peer Operation
+
+ The peer SHOULD send the EAP-Initiate/Re-auth message in response to
+ the EAP-Initiate/Re-auth-Start message from the authenticator. If
+ the peer does not recognize the Initiate code value, it silently
+ discards the message. If the peer has already sent the EAP-Initiate/
+ Re-auth message to begin the ERP exchange, it silently discards the
+ message.
+
+ If the EAP-Initiate/Re-auth-Start message contains the domain name,
+ and if the peer does not already have the domain information, the
+ peer SHOULD use the domain name to compute the DSRK and use the
+ corresponding DS-rIK to send an EAP-Initiate/Re-auth message to start
+ an ERP exchange with the local ER server. If the peer has already
+ initiated an ERP exchange with the home ER server, it MAY choose to
+ not start an ERP exchange with the local ER server.
+
+
+
+
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 24]
+
+RFC 5296 ERP August 2008
+
+
+5.3.2. EAP-Initiate/Re-auth Packet
+
+ The EAP-Initiate/Re-auth packet contains the parameters shown in
+ Figure 8.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Code | Identifier | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type |R|B|L| Reserved| SEQ |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 1 or more TVs or TLVs ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | cryptosuite | Authentication Tag ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 8: EAP-Initiate/Re-auth Packet
+
+ Type = 2.
+
+ Flags
+
+ 'R' - The R flag is set to 0 and ignored upon reception.
+
+ 'B' - The B flag is used as the bootstrapping flag. If the
+ flag is turned on, the message is a bootstrap message.
+
+ 'L' - The L flag is used to request the key lifetimes from the
+ server.
+
+ The rest of the 5 bits are set to 0 and ignored on reception.
+
+ SEQ: A 16-bit sequence number is used for replay protection. The
+ SEQ number field is initialized to 0 every time a new rRK is
+ derived.
+
+ TVs or TLVs: In the TV payloads, there is a 1-octet type payload
+ and a value with type-specific length. In the TLV payloads, there
+ is a 1-octet type payload and a 1-octet length payload. The
+ length field indicates the length of the value expressed in number
+ of octets.
+
+ keyName-NAI: This is carried in a TLV payload. The Type is 1.
+ The NAI is variable in length, not exceeding 253 octets. The
+ EMSKname is in the username part of the NAI and is encoded in
+ hexadecimal values. The EMSKname is 64 bits in length and so
+ the username portion takes up 128 octets. If the rIK is
+
+
+
+Narayanan & Dondeti Standards Track [Page 25]
+
+RFC 5296 ERP August 2008
+
+
+ derived from the EMSK, the realm part of the NAI is the home
+ domain name, and if the rIK is derived from a DSRK, the realm
+ part of the NAI is the domain name used in the derivation of
+ the DSRK. The NAI syntax follows [4]. Exactly one keyName-NAI
+ attribute SHALL be present in an EAP-Initiate/Re-auth packet.
+
+ In addition, channel binding information MAY be included; see
+ Section 5.5 for discussion. See Figure 11 for parameter
+ specification.
+
+ Cryptosuite: This field indicates the integrity algorithm used for
+ ERP. Key lengths and output lengths are either indicated or are
+ obvious from the cryptosuite name. We specify some cryptosuites
+ below:
+
+ * 0 RESERVED
+
+ * 1 HMAC-SHA256-64
+
+ * 2 HMAC-SHA256-128
+
+ * 3 HMAC-SHA256-256
+
+ HMAC-SHA256-128 is mandatory to implement and should be enabled in
+ the default configuration.
+
+ Authentication Tag: This field contains the integrity checksum
+ over the ERP packet, excluding the authentication tag field
+ itself. The length of the field is indicated by the Cryptosuite.
+
+5.3.3. EAP-Finish/Re-auth Packet
+
+ The EAP-Finish/Re-auth packet contains the parameters shown in
+ Figure 9.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Code | Identifier | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type |R|B|L| Reserved | SEQ ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 1 or more TVs or TLVs ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | cryptosuite | Authentication Tag ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 9: EAP-Finish/Re-auth Packet
+
+
+
+Narayanan & Dondeti Standards Track [Page 26]
+
+RFC 5296 ERP August 2008
+
+
+ Type = 2.
+
+ Flags
+
+ 'R' - The R flag is used as the Result flag. When set to 0, it
+ indicates success, and when set to '1', it indicates a failure.
+
+ 'B' - The B flag is used as the bootstrapping flag. If the
+ flag is turned on, the message is a bootstrap message.
+
+ 'L' - The L flag is used to indicate the presence of the rRK
+ lifetime TLV.
+
+ The rest of the 5 bits are set to 0 and ignored on reception.
+
+ SEQ: A 16-bit sequence number is used for replay protection. The
+ SEQ number field is initialized to 0 every time a new rRK is
+ derived.
+
+ TVs or TLVs: In the TV payloads, there is a 1-octet type payload
+ and a value with type-specific length. In the TLV payloads, there
+ is a 1-octet type payload and a 1-octet length payload. The
+ length field indicates the length of the value expressed in number
+ of octets.
+
+ keyName-NAI: This is carried in a TLV payload. The Type is 1.
+ The NAI is variable in length, not exceeding 253 octets.
+ EMSKname is in the username part of the NAI and is encoded in
+ hexadecimal values. The EMSKname is 64 bits in length and so
+ the username portion takes up 16 octets. If the rIK is derived
+ from the EMSK, the realm part of the NAI is the home domain
+ name, and if the rIK is derived from a DSRK, the realm part of
+ the NAI is the domain name used in the derivation of the DSRK.
+ The NAI syntax follows [4]. Exactly one instance of the
+ keyName-NAI attribute SHALL be present in an EAP-Finish/Re-auth
+ message.
+
+ rRK Lifetime: This is a TV payload. The Type is 2. The value
+ field is a 32-bit field and contains the lifetime of the rRK in
+ seconds. If the 'L' flag is set, the rRK Lifetime attribute
+ SHOULD be present.
+
+ rMSK Lifetime: This is a TV payload. The Type is 3. The value
+ field is a 32-bit field and contains the lifetime of the rMSK
+ in seconds. If the 'L' flag is set, the rMSK Lifetime
+ attribute SHOULD be present.
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 27]
+
+RFC 5296 ERP August 2008
+
+
+ Domain-Name: This is a TLV payload. The Type is 4. The domain
+ name is to be used as the realm in an NAI [4]. Domain-Name
+ attribute MUST be present in an EAP-Finish/Re-auth message if
+ the bootstrapping flag is set and if the local ER server sent a
+ DSRK request.
+
+ List of cryptosuites: This is a TLV payload. The Type is 5.
+ The value field contains a list of cryptosuites, each of size 1
+ octet. The cryptosuite values are as specified in Figure 8.
+ The server SHOULD include this attribute if the cryptosuite
+ used in the EAP-Initiate/Re-auth message was not acceptable and
+ the message is being rejected. The server MAY include this
+ attribute in other cases. The server MAY use this attribute to
+ signal to the peer about its cryptographic algorithm
+ capabilities.
+
+ Authorization Indication: This is a TLV payload. The Type is
+ 6. This attribute MAY be included in the EAP-Finish/Re-auth
+ message when a DSRK is delivered to a local ER server and if
+ the home ER server can verify the authorization of the local ER
+ server to advertise the domain name included in the domain TLV
+ in the same message. The value field in the TLV contains an
+ authentication tag computed over the entire packet, starting
+ from the first bit of the code field to the last bit of the
+ cryptosuite field, with the value field of the Authorization
+ Indication TLV filled with all 0s for the computation. The key
+ used for the computation MUST be derived from the EMSK with key
+ label "DSRK Delivery Authorized Key@ietf.org" and optional data
+ containing an ASCII string representing the key management
+ domain that the DSRK is being derived for.
+
+ In addition, channel binding information MAY be included: see
+ Section 5.5 for discussion. See Figure 11 for parameter
+ specification. The server sends this information so that the
+ peer can verify the information seen at the lower layer, if
+ channel binding is to be supported.
+
+ Cryptosuite: This field indicates the integrity algorithm and the
+ PRF used for ERP. Key lengths and output lengths are either
+ indicated or are obvious from the cryptosuite name.
+
+ Authentication Tag: This field contains the integrity checksum
+ over the ERP packet, excluding the authentication tag field
+ itself. The length of the field is indicated by the Cryptosuite.
+
+
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 28]
+
+RFC 5296 ERP August 2008
+
+
+5.3.4. TV and TLV Attributes
+
+ The TV attributes that may be present in the EAP-Initiate or EAP-
+ Finish messages are of the following format:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Value ...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 10: TV Attribute Format
+
+ The TLV attributes that may be present in the EAP-Initiate or EAP-
+ Finish messages are of the following format:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Value ...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 11: TLV Attribute Format
+
+ The following Types are defined in this document:
+
+ '1' - keyName-NAI: This is a TLV payload.
+
+ '2' - rRK Lifetime: This is a TV payload.
+
+ '3' - rMSK Lifetime: This is a TV payload.
+
+ '4' - domain name: This is a TLV payload.
+
+ '5' - cryptosuite list: This is a TLV payload.
+
+ '6' - Authorization Indication: This is a TLV payload.
+
+ The TLV type range of 128-191 is reserved to carry channel binding
+ information in the EAP-Initiate and Finish/Re-auth messages.
+ Below are the current assignments (all of them are TLVs):
+
+ '128' - Called-Station-Id [13]
+
+ '129' - Calling-Station-Id [13]
+
+ '130' - NAS-Identifier [13]
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 29]
+
+RFC 5296 ERP August 2008
+
+
+ '131' - NAS-IP-Address [13]
+
+ '132' - NAS-IPv6-Address [16]
+
+ The length field indicates the length of the value part of the
+ attribute in octets.
+
+5.4. Replay Protection
+
+ For replay protection, ERP uses sequence numbers. The sequence
+ number is maintained per rIK and is initialized to zero in both
+ directions. In the first EAP-Initiate/Re-auth message, the peer uses
+ the sequence number zero or higher. Note that the when the sequence
+ number rotates, the rIK MUST be changed by running EAP
+ authentication. The server expects a sequence number of zero or
+ higher. When the server receives an EAP-Initiate/Re-auth message, it
+ uses the same sequence number in the EAP-Finish/Re-auth message. The
+ server then sets the expected sequence number to the received
+ sequence number plus 1. The server accepts sequence numbers greater
+ than or equal to the expected sequence number.
+
+ If the peer sends an EAP-Initiate/Re-auth message, but does not
+ receive a response, it retransmits the request (with no changes to
+ the message itself) a pre-configured number of times before giving
+ up. However, it is plausible that the server itself may have
+ responded to the message and it was lost in transit. Thus, the peer
+ MUST increment the sequence number and use the new sequence number to
+ send subsequent EAP re-authentication messages. The peer SHOULD
+ increment the sequence number by 1; however, it may choose to
+ increment by a larger number. When the sequence number rotates, the
+ peer MUST run full EAP authentication.
+
+5.5. Channel Binding
+
+ ERP provides a protected facility to carry channel binding (CB)
+ information, according to the guidelines in Section 7.15 of [2]. The
+ TLV type range of 128-191 is reserved to carry CB information in the
+ EAP-Initiate/Re-auth and EAP-Finish/Re-auth messages. Called-
+ Station-Id, Calling-Station-Id, NAS-Identifier, NAS-IP-Address, and
+ NAS-IPv6-Address are some examples of channel binding information
+ listed in RFC 3748, and they are assigned values 128-132. Additional
+ values are IANA managed based on IETF Consensus [17].
+
+ The authenticator MAY provide CB information to the peer via the EAP-
+ Initiate/Re-auth-Start message. The peer sends the information to
+ the server in the EAP-Initiate/Re-auth message; the server verifies
+ whether the authenticator identity available via AAA attributes is
+ the same as the identity provided to the peer.
+
+
+
+Narayanan & Dondeti Standards Track [Page 30]
+
+RFC 5296 ERP August 2008
+
+
+ If the peer does not include the CB information in the EAP-Initiate/
+ Re-auth message, and if the local ER server's policy requires channel
+ binding support, it SHALL send the CB attributes for the peer's
+ verification. The peer attempts to verify the CB information if the
+ authenticator has sent the CB parameters, and it proceeds with the
+ lower-layer security association establishment if the attributes
+ match. Otherwise, the peer SHALL NOT proceed with the lower-layer
+ security association establishment.
+
+6. Lower-Layer Considerations
+
+ The authenticator is responsible for retransmission of EAP-Initiate/
+ Re-auth-Start messages. The authenticator MAY retransmit the message
+ a few times or until it receives an EAP-Initiate/Re-auth message from
+ the peer. The authenticator may not know whether the peer supports
+ ERP; in those cases, the peer may be silently dropping the EAP-
+ Initiate/Re-auth-Start packets. Thus, retransmission of these
+ packets should be kept to a minimum. The exact number is up to each
+ lower layer.
+
+ The Identifier value in the EAP-Initiate/Re-auth packet is
+ independent of the Identifier value in the EAP-Initiate/Re-auth-Start
+ packet.
+
+ The peer is responsible for retransmission of EAP-Initiate/Re-auth
+ messages.
+
+ Retransmitted packets MUST be sent with the same Identifier value in
+ order to distinguish them from new packets. By default, where the
+ EAP-Initiate message is sent over an unreliable lower layer, the
+ retransmission timer SHOULD be dynamically estimated. A maximum of
+ 3-5 retransmissions is suggested (this is based on the recommendation
+ of [2]). Where the EAP-Initiate message is sent over a reliable
+ lower layer, the retransmission timer SHOULD be set to an infinite
+ value, so that retransmissions do not occur at the EAP layer. Please
+ refer to RFC 3748 [2] for additional guidance on setting timers.
+
+ The Identifier value in the EAP-Finish/Re-auth packet is the same as
+ the Identifier value in the EAP-Initiate/Re-auth packet.
+
+ If an authenticator receives a valid duplicate EAP-Initiate/Re-auth
+ message for which it has already sent an EAP-Finish/Re-auth message,
+ it MUST resend the EAP-Finish/Re-auth message without reprocessing
+ the EAP-Initiate/Re-auth message. To facilitate this, the
+ authenticator SHALL store a copy of the EAP-Finish/Re-auth message
+ for a finite amount of time. The actual value of time is a local
+ matter; this specification recommends a value of 100 milliseconds.
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 31]
+
+RFC 5296 ERP August 2008
+
+
+ The lower layer may provide facilities for exchanging information
+ between the peer and the authenticator about support for ERP, for the
+ authenticator to send the domain name information and channel binding
+ information to the peer
+
+ Note that to support ERP, lower-layer specifications may need to be
+ revised. Specifically, the IEEE802.1x specification must be revised
+ to allow carrying EAP messages of the new codes defined in this
+ document in order to support ERP. Similarly, RFC 4306 must be
+ updated to include EAP code values higher than 4 in order to use ERP
+ with Internet Key Exchange Protocol version 2 (IKEv2). IKEv2 may
+ also be updated to support peer-initiated ERP for optimized
+ operation. Other lower layers may need similar revisions.
+
+ Our analysis indicates that some EAP implementations are not RFC 3748
+ compliant in that instead of silently dropping EAP packets with code
+ values higher than 4, they may consider it an error. To accommodate
+ such non-compliant EAP implementations, additional guidance has been
+ provided below. Furthermore, it may not be easy to upgrade all the
+ peers in some cases. In such cases, authenticators may be configured
+ to not send EAP-Initiate/Re-auth-Start; peers may learn whether an
+ authenticator supports ERP via configuration, from advertisements at
+ the lower layer.
+
+ In order to accommodate implementations that are not compliant to RFC
+ 3748, such lower layers SHOULD ensure that both parties support ERP;
+ this is trivial for an instance when using a lower layer that is
+ known to always support ERP. For lower layers where ERP support is
+ not guaranteed, ERP support may be indicated through signaling (e.g.,
+ piggy-backed on a beacon) or through negotiation. Alternatively,
+ clients may recognize environments where ERP is available based on
+ pre-configuration. Other similar mechanisms may also be used. When
+ ERP support cannot be verified, lower layers may mandate falling back
+ to full EAP authentication to accommodate EAP implementations that
+ are not compliant to RFC 3748.
+
+7. Transport of ERP Messages
+
+ AAA Transport of ERP messages is specified in [11] and [12].
+
+
+
+
+
+
+
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 32]
+
+RFC 5296 ERP August 2008
+
+
+8. Security Considerations
+
+ This section provides an analysis of the protocol in accordance with
+ the AAA key management requirements specified in [18].
+
+ Cryptographic algorithm independence
+
+ The EAP Re-auth Protocol satisfies this requirement. The
+ algorithm chosen by the peer for the MAC generation is
+ indicated in the EAP-Initiate/Re-auth message. If the chosen
+ algorithm is unacceptable, the EAP server returns an EAP-
+ Finish/Re-auth message with Failure indication. Algorithm
+ agility for the KDF is specified in [3]. Only when the
+ algorithms used are acceptable, the server proceeds with
+ derivation of keys and verification of the proof of possession
+ of relevant keying material by the peer. A full-blown
+ negotiation of algorithms cannot be provided in a single round
+ trip protocol. Hence, while the protocol provides algorithm
+ agility, it does not provide true negotiation.
+
+ Strong, fresh session keys
+
+ ERP results in the derivation of strong, fresh keys that are
+ unique for the given session. An rMSK is always derived
+ on-demand when the peer requires a key with a new
+ authenticator. The derivation ensures that the compromise of
+ one rMSK does not result in the compromise of a different rMSK
+ at any time.
+
+ Limit key scope
+
+ The scope of all the keys derived by ERP is well defined. The
+ rRK and rIK are never shared with any entity and always remain
+ on the peer and the server. The rMSK is provided only to the
+ authenticator through which the peer performs the ERP exchange.
+ No other authenticator is authorized to use that rMSK.
+
+ Replay detection mechanism
+
+ For replay protection of ERP messages, a sequence number
+ associated with the rIK is used. The sequence number is
+ maintained by the peer and the server, and initialized to zero
+ when the rIK is generated. The peer increments the sequence
+ number by one after it sends an ERP message. The server sets
+ the expected sequence number to the received sequence number
+ plus one after verifying the validity of the received message
+ and responds to the message.
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 33]
+
+RFC 5296 ERP August 2008
+
+
+ Authenticate all parties
+
+ The EAP Re-auth Protocol provides mutual authentication of the
+ peer and the server. Both parties need to possess the keying
+ material that resulted from a previous EAP exchange in order to
+ successfully derive the required keys. Also, both the EAP
+ re-authentication Response and the EAP re-authentication
+ Information messages are integrity protected so that the peer
+ and the server can verify each other. When the ERP exchange is
+ executed with a local ER server, the peer and the local server
+ mutually authenticate each other via that exchange in the same
+ manner. The peer and the authenticator authenticate each other
+ in the secure association protocol executed by the lower layer,
+ just as in the case of a regular EAP exchange.
+
+ Peer and authenticator authorization
+
+ The peer and authenticator demonstrate possession of the same
+ key material without disclosing it, as part of the lower-layer
+ secure association protocol. Channel binding with ERP may be
+ used to verify consistency of the identities exchanged, when
+ the identities used in the lower layer differ from that
+ exchanged within the AAA protocol.
+
+ Keying material confidentiality
+
+ The peer and the server derive the keys independently using
+ parameters known to each entity. The AAA server sends the DSRK
+ of a domain to the corresponding local ER server via the AAA
+ protocol. Likewise, the ER server sends the rMSK to the
+ authenticator via the AAA protocol.
+
+ Note that compromise of the DSRK results in compromise of all
+ keys derived from it. Moreover, there is no forward secrecy
+ within ERP. Thus, compromise of an DSRK retroactively
+ compromises all ERP keys.
+
+ It is RECOMMENDED that the AAA protocol be protected using
+ IPsec or TLS so that the keys are protected in transit. Note,
+ however, that keys may be exposed to AAA proxies along the way
+ and compromise of any of those proxies may result in compromise
+ of keys being transported through them.
+
+ The home ER server MUST NOT hand out a given DSRK to a local
+ domain server more than once, unless it can verify that the
+ entity receiving the DSRK after the first time is the same as
+ that received the DSRK originally. If the home ER server
+ verifies authorization of a local domain server, it MAY hand
+
+
+
+Narayanan & Dondeti Standards Track [Page 34]
+
+RFC 5296 ERP August 2008
+
+
+ out the DSRK to that domain more than once. In this case, the
+ home ER server includes the Authorization Indication TLV to
+ assure the peer that DSRK delivery is secure.
+
+ Confirm cryptosuite selection
+
+ Crypto algorithms for integrity and key derivation in the
+ context of ERP MAY be the same as that used by the EAP method.
+ In that case, the EAP method is responsible for confirming the
+ cryptosuite selection. Furthermore, the cryptosuite is
+ included in the ERP exchange by the peer and confirmed by the
+ server. The protocol allows the server to reject the
+ cryptosuite selected by the peer and provide alternatives.
+ When a suitable rIK is not available for the peer, the
+ alternatives may be sent in an unprotected fashion. The peer
+ is allowed to retry the exchange using one of the allowed
+ cryptosuites. However, in this case, any en route
+ modifications to the list sent by the server will go
+ undetected. If the server does have an rIK available for the
+ peer, the list will be provided in a protected manner and this
+ issue does not apply.
+
+ Uniquely named keys
+
+ All keys produced within the ERP context can be referred to
+ uniquely as specified in this document. Also, the key names do
+ not reveal any part of the keying material.
+
+ Prevent the domino effect
+
+ The compromise of one peer does not result in the compromise of
+ keying material held by any other peer in the system. Also,
+ the rMSK is meant for a single authenticator and is not shared
+ with any other authenticator. Hence, the compromise of one
+ authenticator does not lead to the compromise of sessions or
+ keys held by any other authenticator in the system. Hence, the
+ EAP Re-auth Protocol allows prevention of the domino effect by
+ appropriately defining key scope.
+
+ However, if keys are transported using hop-by-hop protection,
+ compromise of a proxy may result in compromise of key material,
+ i.e., the DSRK being sent to a local ER server.
+
+
+
+
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 35]
+
+RFC 5296 ERP August 2008
+
+
+ Bind key to its context
+
+ All the keys derived for ERP are bound to the appropriate
+ context using appropriate key labels. Lifetime of a child key
+ is less than or equal to that of its parent key as specified in
+ RFC 4962 [18]. The key usage, lifetime and the parties that
+ have access to the keys are specified.
+
+ Confidentiality of identity
+
+ Deployments where privacy is a concern may find the use of
+ rIKname-NAI to route ERP messages serves their privacy
+ requirements. Note that it is plausible to associate multiple
+ runs of ERP messages since the rIKname is not changed as part
+ of the ERP protocol. There was no consensus for that
+ requirement at the time of development of this specification.
+ If the rIKname is not used and the Peer-ID is used instead, the
+ ERP exchange will reveal the Peer-ID over the wire.
+
+ Authorization restriction
+
+ All the keys derived are limited in lifetime by that of the
+ parent key or by server policy. Any domain-specific keys are
+ further restricted for use only in the domain for which the
+ keys are derived. All the keys specified in this document are
+ meant for use in ERP only. Any other restrictions of session
+ keys may be imposed by the specific lower layer and are out of
+ scope for this specification.
+
+ A denial-of-service (DoS) attack on the peer may be possible when
+ using the EAP Initiate/Re-auth message. An attacker may send a bogus
+ EAP-Initiate/Re-auth message, which may be carried by the
+ authenticator in a RADIUS-Access-Request to the server; in response,
+ the server may send an EAP-Finish/Re-auth with Failure indication in
+ a RADIUS Access-Reject message. Note that such attacks may be
+ plausible with the EAPoL-Start capability of IEEE 802.11 and other
+ similar facilities in other link layers and where the peer can
+ initiate EAP authentication. An attacker may use such messages to
+ start an EAP method run, which fails and may result in the server
+ sending a RADIUS Access-Reject message, thus resulting in the link-
+ layer connections being terminated.
+
+ To prevent such DoS attacks, an ERP failure should not result in
+ deletion of any authorization state established by a full EAP
+ exchange. Alternatively, the lower layers and AAA protocols may
+ define mechanisms to allow two link-layer security associations (SAs)
+ derived from different EAP keying materials for the same peer to
+ exist so that smooth migration from the current link layer SA to the
+
+
+
+Narayanan & Dondeti Standards Track [Page 36]
+
+RFC 5296 ERP August 2008
+
+
+ new one is possible during rekey. These mechanisms prevent the link
+ layer connections from being terminated when a re-authentication
+ procedure fails due to the bogus EAP-Initiate/Re-auth message.
+
+ When a DSRK is sent from a home ER server to a local domain server or
+ when a rMSK is sent from an ER server to an authenticator, in the
+ absence of end-to-end security between the entity that is sending the
+ key and the entity receiving the key, it is plausible for other
+ entities to get access to keys being sent to an ER server in another
+ domain. This mode of key transport is similar to that of MSK
+ transport in the context of EAP authentication. We further observe
+ that ERP is for access authentication and does not support end-to-end
+ data security. In typical implementations, the traffic is in the
+ clear beyond the access control enforcement point (the authenticator
+ or an entity delegated by the authenticator for access control
+ enforcement). The model works as long as entities in the middle of
+ the network do not use keys intended for other parties to steal
+ service from an access network. If that is not achievable, key
+ delivery must be protected in an end-to-end manner.
+
+9. IANA Considerations
+
+ This document specifies IANA registration of two new 'Packet Codes'
+ from the EAP registry:
+
+ o 5 (Initiate)
+
+ o 6 (Finish)
+
+ These values are in accordance with [2].
+
+ This document also specifies creation of a new table, Message Types,
+ in the EAP registry with the following assigned numbers:
+
+ o 0 Reserved
+
+ o 1 (Re-auth-Start, applies to Initiate Code only)
+
+ o 2 (Re-auth, applies to Initiate and Finish Codes)
+
+ o 3-191 IANA managed and assigned based on IETF Consensus [17]
+
+ o 192-255 Private use
+
+ Next, we specify creation of a new table, EAP Initiate and Finish
+ Attributes, associated with EAP Initiate and Finish messages in the
+ EAP registry with the following assigned numbers.
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 37]
+
+RFC 5296 ERP August 2008
+
+
+ o 0: Reserved
+
+ o keyName-NAI: This is a TLV payload. The Type is 1.
+
+ o rRK Lifetime: This is a TV payload. The Type is 2.
+
+ o rMSK Lifetime: This is a TV payload. The Type is 3.
+
+ o Domain name: This is a TLV payload. The Type is 4.
+
+ o Cryptosuite list: This is a TLV payload. The Type is 5.
+
+ o Authorization Indication: This is a TLV payload. The Type is 6.
+
+ o 7-127: Used to carry other non-channel-binding-related attributes.
+ IANA managed and assigned based on IETF Consensus [17].
+
+ o The TLV type range of 128-191 is reserved to carry CB information
+ in the EAP-Initiate/Re-auth and EAP-Finish/Re-auth messages.
+ Below are the current assignments (all of them are TLVs):
+
+ * Called-Station-Id: 128
+
+ * Calling-Station-Id: 129
+
+ * NAS-Identifier: 130
+
+ * NAS-IP-Address: 131
+
+ * NAS-IPv6-Address: 132
+
+ 133-191: Used to carry other channel-binding-related attributes.
+ IANA managed and assigned based on IETF Consensus [17].
+
+ o 192-255: Reserved for Private use.
+
+ We specify creation of another registry, 'Re-authentication
+ Cryptosuites', with the following assigned numbers:
+
+ o 0: Reserved
+
+ o 1: HMAC-SHA256-64
+
+ o 2: HMAC-SHA256-128
+
+ o 3: HMAC-SHA256-256
+
+ o 4-191: IANA managed and assigned based on IETF consensus [17]
+
+
+
+Narayanan & Dondeti Standards Track [Page 38]
+
+RFC 5296 ERP August 2008
+
+
+ o 192-255: Reserved for Private use.
+
+ Further, this document registers a Re-auth usage label from the "USRK
+ Key Labels" name space with a value
+
+ EAP Re-authentication Root Key@ietf.org
+
+ and DSRK-authorized delivery key from the "USRK Key Labels" name
+ space
+
+ DSRK Delivery Authorized Key@ietf.org
+
+ in accordance with [3].
+
+10. Acknowledgments
+
+ In writing this document, we benefited from discussing the problem
+ space and the protocol itself with a number of folks including
+ Bernard Aboba, Jari Arkko, Sam Hartman, Russ Housley, Joe Salowey,
+ Jesse Walker, Charles Clancy, Michaela Vanderveen, Kedar Gaonkar,
+ Parag Agashe, Dinesh Dharmaraju, Pasi Eronen, Dan Harkins, Yoshi
+ Ohba, Glen Zorn, Alan DeKok, Katrin Hoeper, and other participants of
+ the HOKEY working group. The credit for the idea to use EAP-
+ Initiate/Re-auth-Start goes to Charles Clancy, and the multiple link-
+ layer SAs idea to mitigate the DoS attack goes to Yoshi Ohba. Katrin
+ Hoeper suggested the use of the windowing technique to handle
+ multiple simultaneous ER exchanges. Many thanks to Pasi Eronen for
+ the suggestion to use hexadecimal encoding for rIKname when sent as
+ part of keyName-NAI field. Thanks to Bernard Aboba for suggestions
+ in clarifying the EAP lock-step operation, and Joe Salowey and Glen
+ Zorn for help in specifying AAA transport of ERP messages. Thanks to
+ Sam Hartman for the DSRK Authorization Indication mechanism.
+
+11. References
+
+11.1. Normative References
+
+ [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [2] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
+ Levkowetz, "Extensible Authentication Protocol (EAP)",
+ RFC 3748, June 2004.
+
+ [3] Salowey, J., Dondeti, L., Narayanan, V., and M. Nakhjiri,
+ "Specification for the Derivation of Root Keys from an Extended
+ Master Session Key (EMSK)", RFC 5295, August 2008.
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 39]
+
+RFC 5296 ERP August 2008
+
+
+ [4] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The Network
+ Access Identifier", RFC 4282, December 2005.
+
+ [5] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
+ for Message Authentication", RFC 2104, February 1997.
+
+11.2. Informative References
+
+ [6] Arkko, J. and H. Haverinen, "Extensible Authentication Protocol
+ Method for 3rd Generation Authentication and Key Agreement
+ (EAP-AKA)", RFC 4187, January 2006.
+
+ [7] Lopez, R., Skarmeta, A., Bournelle, J., Laurent-Maknavicus, M.,
+ and J. Combes, "Improved EAP keying framework for a secure
+ mobility access service", IWCMC '06, Proceedings of the 2006
+ International Conference on Wireless Communications and Mobile
+ Computing, New York, NY, USA, 2006.
+
+ [8] Arbaugh, W. and B. Aboba, "Handoff Extension to RADIUS", Work
+ in Progress, October 2003.
+
+ [9] Clancy, T., Nakhjiri, M., Narayanan, V., and L. Dondeti,
+ "Handover Key Management and Re-Authentication Problem
+ Statement", RFC 5169, March 2008.
+
+ [10] Institute of Electrical and Electronics Engineers, "IEEE
+ Standards for Local and Metropolitan Area Networks: Port based
+ Network Access Control, IEEE Std 802.1X-2004", December 2004.
+
+ [11] Nakhjiri, M. and Y. Ohba, "Derivation, delivery and management
+ of EAP based keys for handover and re-authentication", Work
+ in Progress, February 2008.
+
+ [12] Gaonkar, K., Dondeti, L., Narayanan, V., and G. Zorn, "RADIUS
+ Support for EAP Re-authentication Protocol", Work in Progress,
+ February 2008.
+
+ [13] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote
+ Authentication Dial In User Service (RADIUS)", RFC 2865,
+ June 2000.
+
+ [14] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial
+ In User Service) Support For Extensible Authentication Protocol
+ (EAP)", RFC 3579, September 2003.
+
+ [15] Dondeti, L. and H. Tschofenig, "Diameter Support for EAP Re-
+ authentication Protocol", Work in Progress, November 2007.
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 40]
+
+RFC 5296 ERP August 2008
+
+
+ [16] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6",
+ RFC 3162, August 2001.
+
+ [17] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
+ Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.
+
+ [18] Housley, R. and B. Aboba, "Guidance for Authentication,
+ Authorization, and Accounting (AAA) Key Management", BCP 132,
+ RFC 4962, July 2007.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 41]
+
+RFC 5296 ERP August 2008
+
+
+Appendix A. Example ERP Exchange
+
+ 0. Authenticator --> Peer: [EAP-Initiate/Re-auth-Start]
+
+ 1. Peer --> Authenticator: EAP Initiate/Re-auth(SEQ, keyName-NAI,
+ cryptosuite,Auth-tag*)
+
+ 1a. Authenticator --> Re-auth-Server: AAA-Request{Authenticator-Id,
+ EAP Initiate/Re-auth(SEQ,keyName-NAI,
+ cryptosuite,Auth-tag*)
+
+ 2. ER-Server --> Authenticator: AAA-Response{rMSK,
+ EAP-Finish/Re-auth(SEQ,keyName-NAI,
+ cryptosuite,[CB-Info],Auth-tag*)
+
+ 2b. Authenticator --> Peer: EAP-Finish/Re-auth(SEQ,keyName-NAI,
+ cryptosuite,[CB-Info],Auth-tag*)
+
+ * Auth-tag computation is over the entire EAP Initiate/Finish
+ message; the code values for Initiate and Finish are different and
+ thus reflection attacks are mitigated.
+
+Authors' Addresses
+
+ Vidya Narayanan
+ Qualcomm, Inc.
+ 5775 Morehouse Dr.
+ San Diego, CA 92121
+ USA
+
+ Phone: +1 858-845-2483
+ EMail: vidyan@qualcomm.com
+
+
+ Lakshminath Dondeti
+ Qualcomm, Inc.
+ 5775 Morehouse Dr.
+ San Diego, CA 92121
+ USA
+
+ Phone: +1 858-845-1267
+ EMail: ldondeti@qualcomm.com
+
+
+
+
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 42]
+
+RFC 5296 ERP August 2008
+
+
+Full Copyright Statement
+
+ Copyright (C) The IETF Trust (2008).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+
+
+
+
+
+
+
+
+
+
+Narayanan & Dondeti Standards Track [Page 43]
+