summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc5904.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc5904.txt')
-rw-r--r--doc/rfc/rfc5904.txt843
1 files changed, 843 insertions, 0 deletions
diff --git a/doc/rfc/rfc5904.txt b/doc/rfc/rfc5904.txt
new file mode 100644
index 0000000..7a93410
--- /dev/null
+++ b/doc/rfc/rfc5904.txt
@@ -0,0 +1,843 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) G. Zorn
+Request for Comments: 5904 Network Zen
+Category: Informational June 2010
+ISSN: 2070-1721
+
+
+ RADIUS Attributes for IEEE 802.16
+ Privacy Key Management Version 1 (PKMv1) Protocol Support
+
+Abstract
+
+ This document defines a set of Remote Authentication Dial-In User
+ Service (RADIUS) Attributes that are designed to provide RADIUS
+ support for IEEE 802.16 Privacy Key Management Version 1.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Not all documents
+ approved by the IESG are a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc5904.
+
+Copyright Notice
+
+ Copyright (c) 2010 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+
+
+Zorn Informational [Page 1]
+
+RFC 5904 RADIUS Attributes for PKMv1 June 2010
+
+
+ This document may contain material from IETF Documents or IETF
+ Contributions published or made publicly available before November
+ 10, 2008. The person(s) controlling the copyright in some of this
+ material may not have granted the IETF Trust the right to allow
+ modifications of such material outside the IETF Standards Process.
+ Without obtaining an adequate license from the person(s) controlling
+ the copyright in such materials, this document may not be modified
+ outside the IETF Standards Process, and derivative works of it may
+ not be created outside the IETF Standards Process, except to format
+ it for publication as an RFC or to translate it into languages other
+ than English.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3. Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3.1. PKM-SS-Cert . . . . . . . . . . . . . . . . . . . . . . . 4
+ 3.2. PKM-CA-Cert . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3.3. PKM-Config-Settings . . . . . . . . . . . . . . . . . . . 6
+ 3.4. PKM-Cryptosuite-List . . . . . . . . . . . . . . . . . . . 8
+ 3.5. PKM-SAID . . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 3.6. PKM-SA-Descriptor . . . . . . . . . . . . . . . . . . . . 9
+ 3.7. PKM-AUTH-Key . . . . . . . . . . . . . . . . . . . . . . . 10
+ 3.7.1. AUTH-Key Protection . . . . . . . . . . . . . . . . . 12
+ 4. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 12
+ 5. Diameter Considerations . . . . . . . . . . . . . . . . . . . 13
+ 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13
+ 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
+ 8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 14
+ 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14
+ 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
+ 10.1. Normative References . . . . . . . . . . . . . . . . . . . 14
+ 10.2. Informative References . . . . . . . . . . . . . . . . . . 14
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zorn Informational [Page 2]
+
+RFC 5904 RADIUS Attributes for PKMv1 June 2010
+
+
+1. Introduction
+
+ Privacy Key Management Version 1 (PKMv1) [IEEE.802.16-2004] is a
+ public-key-based authentication and key establishment protocol
+ typically used in fixed wireless broadband network deployments. The
+ protocol utilizes X.509 v3 certificates [RFC2459], RSA encryption
+ [RFC2437], and a variety of secret key cryptographic methods to allow
+ an 802.16 Base Station (BS) to authenticate a Subscriber Station (SS)
+ and perform key establishment and maintenance between an SS and BS.
+
+ This document defines a set of RADIUS Attributes that are designed to
+ provide support for PKMv1. The target audience for this document
+ consists of those developers implementing RADIUS support for PKMv1;
+ therefore, familiarity with both RADIUS [RFC2865] and the IEEE
+ 802.16-2004 standard is assumed.
+
+ Please note that this document relies on IEEE.802.16-2004, which
+ references RFC 2437 and RFC 2459, rather than any more recent RFCs on
+ RSA and X.509 certificates (e.g., RFC 3447 and RFC 5280).
+
+2. Acronyms
+
+ CA
+ Certification Authority; a trusted party issuing and signing X.509
+ certificates.
+
+ For further information on the following terms, please see Section 7
+ of [IEEE.802.16-2004].
+
+ SA
+ Security Association
+
+ SAID
+ Security Association Identifier
+
+ TEK
+ Traffic Encryption Key
+
+3. Attributes
+
+ The following subsections describe the Attributes defined by this
+ document. This specification concerns the following values:
+
+ 137 PKM-SS-Cert
+
+ 138 PKM-CA-Cert
+
+ 139 PKM-Config-Settings
+
+
+
+Zorn Informational [Page 3]
+
+RFC 5904 RADIUS Attributes for PKMv1 June 2010
+
+
+ 140 PKM-Cryptosuite-List
+
+ 141 PKM-SAID
+
+ 142 PKM-SA-Descriptor
+
+ 143 PKM-Auth-Key
+
+3.1. PKM-SS-Cert
+
+ Description
+
+ The PKM-SS-Cert Attribute is variable length and MAY be
+ transmitted in the Access-Request message. The Value field is of
+ type string and contains the X.509 certificate [RFC2459] binding a
+ public key to the identifier of the Subscriber Station.
+
+ The minimum size of an SS certificate exceeds the maximum size of
+ a RADIUS attribute. Therefore, the client MUST encapsulate the
+ certificate in the Value fields of two or more instances of the
+ PKM-SS-Cert Attribute, each (except possibly the last) having a
+ length of 255 octets. These multiple PKM-SS-Cert Attributes MUST
+ appear consecutively and in order within the packet. Upon
+ receipt, the RADIUS server MUST recover the original certificate
+ by concatenating the Value fields of the received PKM-SS-Cert
+ Attributes in order.
+
+ A summary of the PKM-SS-Cert Attribute format is shown below. The
+ fields are transmitted from left to right.
+
+ 1 2
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Len | Value...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 137 for PKM-SS-Cert
+
+ Len
+
+ > 2
+
+ Value
+
+ The Value field is variable length and contains a (possibly
+ complete) portion of an X.509 certificate.
+
+
+
+Zorn Informational [Page 4]
+
+RFC 5904 RADIUS Attributes for PKMv1 June 2010
+
+
+3.2. PKM-CA-Cert
+
+ Description
+
+ The PKM-CA-Cert Attribute is variable length and MAY be
+ transmitted in the Access-Request message. The Value field is of
+ type string and contains the X.509 certificate [RFC2459] used by
+ the CA to sign the SS certificate carried in the PKM-SS-Cert
+ attribute (Section 3.1) in the same message.
+
+ The minimum size of a CA certificate exceeds the maximum size of a
+ RADIUS attribute. Therefore, the client MUST encapsulate the
+ certificate in the Value fields of two or more instances of the
+ PKM-CA-Cert Attribute, each (except possibly the last) having a
+ length of 255 octets. These multiple PKM-CA-Cert Attributes MUST
+ appear consecutively and in order within the packet. Upon
+ receipt, the RADIUS server MUST recover the original certificate
+ by concatenating the Value fields of the received PKM-CA-Cert
+ Attributes in order.
+
+ A summary of the PKM-CA-Cert Attribute format is shown below. The
+ fields are transmitted from left to right.
+
+ 1 2
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Len | Value...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 138 for PKM-CA-Cert
+
+ Len
+
+ > 2
+
+ Value
+
+ The Value field is variable length and contains a (possibly
+ complete) portion of an X.509 certificate.
+
+
+
+
+
+
+
+
+
+
+Zorn Informational [Page 5]
+
+RFC 5904 RADIUS Attributes for PKMv1 June 2010
+
+
+3.3. PKM-Config-Settings
+
+ Description
+
+ The PKM-Config-Settings Attribute is of type string [RFC2865]. It
+ is 30 octets in length and consists of seven independent fields,
+ each of which is conceptually an unsigned integer. Each of the
+ fields contains a timeout value and corresponds to a Type-Length-
+ Value (TLV) tuple encapsulated in the IEEE 802.16 "PKM
+ configuration settings" attribute; for details on the contents of
+ each field, see Section 11.9.19 of [IEEE.802.16-2004]. One
+ instance of the PKM-Config-Settings Attribute MAY be included in
+ the Access-Accept message.
+
+ A summary of the PKM-Config-Settings Attribute format is shown below.
+ The fields are transmitted from left to right.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Len | Auth Wait Timeout
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Auth Wait Timeout (cont.) | Reauth Wait Timeout
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Reauth Wait Timeout (cont.) | Auth Grace Time
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Auth Grace Time (cont.) | Op Wait Timeout
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Op Wait Timeout (cont.) | Rekey Wait Timeout
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Rekey Wait Timeout (cont.) | TEK Grace Time
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ TEK Grace Time (cont.) | Auth Rej Wait Timeout
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Auth Rej Wait Timeout (cont.) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 139 for PKM-Config-Settings
+
+ Len
+
+ 30
+
+
+
+
+
+
+
+Zorn Informational [Page 6]
+
+RFC 5904 RADIUS Attributes for PKMv1 June 2010
+
+
+ Auth Wait Timeout
+
+ The Auth Wait Timeout field is 4 octets in length and corresponds
+ to the "Authorize wait timeout" field of the 802.16 "PKM
+ configuration settings" attribute.
+
+ Reauth Wait Timeout
+
+ The Reauth Wait Timeout field is 4 octets in length and
+ corresponds to the "Reauthorize wait timeout" field of the 802.16
+ "PKM configuration settings" attribute.
+
+ Auth Grace Time
+
+ The Auth Grace Time field is 4 octets in length and corresponds to
+ the "Authorize grace time" field of the 802.16 "PKM configuration
+ settings" attribute.
+
+ Op Wait Timeout
+
+ The Op Wait Timeout field is 4 octets in length and corresponds to
+ the "Operational wait timeout" field of the 802.16 "PKM
+ configuration settings" attribute.
+
+ Rekey Wait Timeout
+
+ The Rekey Wait Timeout field is 4 octets in length and corresponds
+ to the "Rekey wait timeout" field of the 802.16 "PKM configuration
+ settings" attribute.
+
+ TEK Grace Time
+
+ The TEK Grace Time field is 4 octets in length and corresponds to
+ the "TEK grace time" field of the 802.16 "PKM configuration
+ settings" attribute.
+
+ Auth Rej Wait Timeout
+
+ The Auth Rej Wait Timeout field is 4 octets in length and
+ corresponds to the "Authorize reject wait timeout" field of the
+ 802.16 "PKM configuration settings" attribute.
+
+
+
+
+
+
+
+
+
+
+Zorn Informational [Page 7]
+
+RFC 5904 RADIUS Attributes for PKMv1 June 2010
+
+
+3.4. PKM-Cryptosuite-List
+
+ Description
+
+ The PKM-Cryptosuite-List Attribute is of type string [RFC2865] and
+ is variable length; it corresponds roughly to the "Cryptographic-
+ Suite-List" 802.16 attribute (see Section 11.19.15 of
+ [IEEE.802.16-2004]), the difference being that the RADIUS
+ Attribute contains only the list of 3-octet cryptographic suite
+ identifiers, omitting the IEEE Type and Length fields.
+
+ The PKM-Cryptosuite-List Attribute MAY be present in an Access-
+ Request message. Any message in which the PKM-Cryptosuite-List
+ Attribute is present MUST also contain an instance of the Message-
+ Authenticator Attribute [RFC3579].
+
+ Implementation Note
+
+ The PKM-Cryptosuite-List Attribute is used as a building block
+ to create the 802.16 "Security-Capabilities" attribute
+ ([IEEE.802.16-2004], Section 11.9.13); since this document only
+ pertains to PKM version 1, the "Version" sub-attribute in that
+ structure MUST be set to 0x01 when the RADIUS client constructs
+ it.
+
+ A summary of the PKM-Cryptosuite-List Attribute format is shown
+ below. The fields are transmitted from left to right.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Len | Value...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 140 for PKM-Cryptosuite-List
+
+ Len
+
+ 2 + 3n < 39, where 'n' is the number of cryptosuite identifiers in
+ the list.
+
+
+
+
+
+
+
+
+
+Zorn Informational [Page 8]
+
+RFC 5904 RADIUS Attributes for PKMv1 June 2010
+
+
+ Value
+
+ The Value field is variable length and contains a sequence of one
+ or more cryptosuite identifiers, each of which is 3 octets in
+ length and corresponds to the Value field of an IEEE 802.16
+ Cryptographic-Suite attribute.
+
+3.5. PKM-SAID
+
+ Description
+
+ The PKM-SAID Attribute is of type string [RFC2865]. It is 4
+ octets in length and contains a PKM Security Association
+ Identifier ([IEEE.802.16-2004], Section 11.9.7). It MAY be
+ included in an Access-Request message.
+
+ A summary of the PKM-SAID Attribute format is shown below. The
+ fields are transmitted from left to right.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Len | SAID |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 141 for PKM-SAID
+
+ Len
+
+ 4
+
+ SAID
+
+ The SAID field is two octets in length and corresponds to the
+ Value field of the 802.16 PKM SAID attribute
+
+3.6. PKM-SA-Descriptor
+
+ Description
+
+ The PKM-SA-Descriptor Attribute is of type string and is 8 octets
+ in length. It contains three fields, described below, which
+ together specify the characteristics of a PKM security
+ association. One or more instances of the PKM-SA-Descriptor
+ Attribute MAY occur in an Access-Accept message.
+
+
+
+
+Zorn Informational [Page 9]
+
+RFC 5904 RADIUS Attributes for PKMv1 June 2010
+
+
+ A summary of the PKM-SA-Descriptor Attribute format is shown below.
+ The fields are transmitted from left to right.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Len | SAID |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | SA Type | Cryptosuite |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 142 for PKM-SA-Descriptor
+
+ Len
+
+ 8
+
+ SAID
+
+ The SAID field is two octets in length and contains a PKM SAID
+ (Section 3.5).
+
+ SA Type
+
+ The SA Type field is one octet in length. The contents correspond
+ to those of the Value field of an IEEE 802.16 SA-Type attribute.
+
+ Cryptosuite
+
+ The Cryptosuite field is 3 octets in length. The contents
+ correspond to those of the Value field of an IEEE 802.16
+ Cryptographic-Suite attribute.
+
+3.7. PKM-AUTH-Key
+
+ Description
+
+ The PKM-AUTH-Key Attribute is of type string, 135 octets in
+ length. It consists of 3 fields, described below, which together
+ specify the characteristics of a PKM authorization key. The PKM-
+ AUTH-Key Attribute MAY occur in an Access-Accept message. Any
+ packet that contains an instance of the PKM-AUTH-Key Attribute
+ MUST also contain an instance of the Message-Authenticator
+ Attribute [RFC3579].
+
+
+
+
+
+Zorn Informational [Page 10]
+
+RFC 5904 RADIUS Attributes for PKMv1 June 2010
+
+
+ A summary of the PKM-AUTH-Key Attribute format is shown below. The
+ fields are transmitted from left to right.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Len | Lifetime
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Lifetime (cont.) | Sequence | Key...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 143 for PKM-AUTH-Key
+
+ Len
+
+ 135
+
+ Lifetime
+
+ The Lifetime field is 4 octets in length and represents the
+ lifetime, in seconds, of the authorization key. For more
+ information, see Section 11.9.4 of [IEEE.802.16-2004].
+
+ Sequence
+
+ The Sequence field is one octet in length. The contents
+ correspond to those of the Value field of an IEEE 802.16 Key-
+ Sequence-Number attribute (see [IEEE.802.16-2004], Section
+ 11.9.5).
+
+ Key
+
+ The Key field is 128 octets in length. The contents correspond to
+ those of the Value field of an IEEE 802.16 AUTH-Key attribute.
+ The Key field MUST be encrypted under the public key from the
+ Subscriber Station certificate (Section 3.1) using RSA encryption
+ [RFC2437]; see Section 7.5 of [IEEE.802.16-2004] for further
+ details.
+
+ Implementation Note
+
+ It is necessary that a plaintext copy of this field be returned
+ in the Access-Accept message; appropriate precautions MUST be
+ taken to ensure the confidentiality of the key.
+
+
+
+
+
+Zorn Informational [Page 11]
+
+RFC 5904 RADIUS Attributes for PKMv1 June 2010
+
+
+3.7.1. AUTH-Key Protection
+
+ The PKM-AUTH-Key Attribute (Section 3.7) contains the AUTH-Key
+ encrypted with the SS's public key. The BS also needs the AK, so a
+ second copy of the AK needs to be returned in the Access-Accept
+ message.
+
+ It is RECOMMENDED that the AK is encapsulated in an instance of the
+ MS-MPPE-Send-Key Attribute [RFC2548]. However, see Section 4.3.4 of
+ RFC 3579 [RFC3579] for details regarding weaknesses in the encryption
+ scheme used.
+
+ If better means for protecting the Auth-Key are available (such as
+ RADIUS key attributes with better security properties, or means of
+ protecting the whole Access-Accept message), they SHOULD be used
+ instead of (or in addition to) the MS-MPPE-Send-Key Attribute.
+
+4. Table of Attributes
+
+ The following table provides a guide to which attributes may be found
+ in which kinds of packets, and in what quantity.
+
+ Request Accept Reject Challenge Acct-Req # Attribute
+ 0+ 0 0 0 0 137 PKM-SS-Cert [Note 1]
+ 0+ 0 0 0 0 138 PKM-CA-Cert [Note 2]
+ 0 0-1 0 0 0 139 PKM-Config-Settings
+ 0-1 0 0 0 0 140 PKM-Cryptosuite-List
+ 0-1 0 0 0 0 141 PKM-SAID
+ 0 0+ 0 0 0 142 PKM-SA-Descriptor
+ 0 0-1 0 0 0 143 PKM-Auth-Key
+ 0 0-1 0 0 0 MS-MPPE-Send-Key
+ [Note 3]
+
+ [Note 1]
+ No more than one Subscriber Station Certificate may be transferred
+ in an Access-Request packet.
+
+ [Note 2]
+ No more than one CA Certificate may be transferred in an Access-
+ Request packet.
+
+ [Note 3]
+ MS-MPPE-Send-Key is one possible attribute that can be used to
+ convey the AK to the BS; other attributes can be used instead (see
+ Section 3.7.1).
+
+
+
+
+
+
+Zorn Informational [Page 12]
+
+RFC 5904 RADIUS Attributes for PKMv1 June 2010
+
+
+ The following table defines the meaning of the above table entries.
+
+ 0 This attribute MUST NOT be present in packet
+ 0+ Zero or more instances of this attribute MAY be present in packet
+ 0-1 Zero or one instance of this attribute MAY be present in packet
+ 1 Exactly one instance of this attribute MUST be present in packet
+
+5. Diameter Considerations
+
+ Since the Attributes defined in this document are allocated from the
+ standard RADIUS type space (see Section 7), no special handling is
+ required by Diameter nodes.
+
+6. Security Considerations
+
+ Section 4 of RFC 3579 [RFC3579] discusses vulnerabilities of the
+ RADIUS protocol.
+
+ Section 3 of the paper "Security Enhancements for Privacy and Key
+ Management Protocol in IEEE 802.16e-2005" [SecEn] discusses the
+ operation and vulnerabilities of the PKMv1 protocol.
+
+ If the Access-Request message is not subject to strong integrity
+ protection, an attacker may be able to modify the contents of the
+ PKM-Cryptosuite-List Attribute, weakening 802.16 security or
+ disabling data encryption altogether.
+
+ If the Access-Accept message is not subject to strong integrity
+ protection, an attacker may be able to modify the contents of the
+ PKM-Auth-Key Attribute. For example, the Key field could be replaced
+ with a key known to the attacker.
+
+ See Section 3.7.1 for security considerations of sending the
+ authorization key to the BS.
+
+7. IANA Considerations
+
+ IANA has assigned numbers for the following Attributes:
+
+ 137 PKM-SS-Cert
+
+ 138 PKM-CA-Cert
+
+ 139 PKM-Config-Settings
+
+ 140 PKM-Cryptosuite-List
+
+ 141 PKM-SAID
+
+
+
+Zorn Informational [Page 13]
+
+RFC 5904 RADIUS Attributes for PKMv1 June 2010
+
+
+ 142 PKM-SA-Descriptor
+
+ 143 PKM-Auth-Key
+
+ The Attribute numbers are to be allocated from the standard RADIUS
+ Attribute type space according to the "IETF Review" policy [RFC5226].
+
+8. Contributors
+
+ Pasi Eronen provided most of the text in Section 3.7.1.
+
+9. Acknowledgements
+
+ Thanks (in no particular order) to Bernard Aboba, Donald Eastlake,
+ Dan Romascanu, Avshalom Houri, Juergen Quittek, Pasi Eronen, and Alan
+ DeKok for their mostly useful reviews of this document.
+
+10. References
+
+10.1. Normative References
+
+ [IEEE.802.16-2004]
+ Institute of Electrical and Electronics Engineers, "IEEE
+ Standard for Local and metropolitan area networks, Part
+ 16: Air Interface for Fixed Broadband Wireless Access
+ Systems", IEEE Standard 802.16, October 2004.
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)",
+ RFC 2865, June 2000.
+
+ [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
+ Dial In User Service) Support For Extensible
+ Authentication Protocol (EAP)", RFC 3579, September 2003.
+
+ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 5226,
+ May 2008.
+
+10.2. Informative References
+
+ [RFC2437] Kaliski, B. and J. Staddon, "PKCS #1: RSA Cryptography
+ Specifications Version 2.0", RFC 2437, October 1998.
+
+ [RFC2459] Housley, R., Ford, W., Polk, T., and D. Solo, "Internet
+ X.509 Public Key Infrastructure Certificate and CRL
+ Profile", RFC 2459, January 1999.
+
+
+
+
+Zorn Informational [Page 14]
+
+RFC 5904 RADIUS Attributes for PKMv1 June 2010
+
+
+ [RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS Attributes",
+ RFC 2548, March 1999.
+
+ [SecEn] Altaf, A., Jawad, M., and A. Ahmed, "Security Enhancements
+ for Privacy and Key Management Protocol in IEEE 802.16e-
+ 2005", Ninth ACIS International Conference on Software
+ Engineering, Artificial Intelligence, Networking, and
+ Parallel/Distributed Computing, 2008.
+
+Author's Address
+
+ Glen Zorn
+ Network Zen
+ 1463 East Republican Street
+ #358
+ Seattle, WA 98112
+ US
+
+ EMail: gwz@net-zen.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zorn Informational [Page 15]
+