From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc3748.txt | 3755 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 3755 insertions(+) create mode 100644 doc/rfc/rfc3748.txt (limited to 'doc/rfc/rfc3748.txt') diff --git a/doc/rfc/rfc3748.txt b/doc/rfc/rfc3748.txt new file mode 100644 index 0000000..75600c1 --- /dev/null +++ b/doc/rfc/rfc3748.txt @@ -0,0 +1,3755 @@ + + + + + + +Network Working Group B. Aboba +Request for Comments: 3748 Microsoft +Obsoletes: 2284 L. Blunk +Category: Standards Track Merit Network, Inc + J. Vollbrecht + Vollbrecht Consulting LLC + J. Carlson + Sun + H. Levkowetz, Ed. + ipUnplugged + June 2004 + + + Extensible Authentication Protocol (EAP) + +Status of this Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2004). + +Abstract + + This document defines the Extensible Authentication Protocol (EAP), + an authentication framework which supports multiple authentication + methods. EAP typically runs directly over data link layers such as + Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. EAP + provides its own support for duplicate elimination and + retransmission, but is reliant on lower layer ordering guarantees. + Fragmentation is not supported within EAP itself; however, individual + EAP methods may support this. + + This document obsoletes RFC 2284. A summary of the changes between + this document and RFC 2284 is available in Appendix A. + + + + + + + + + + + +Aboba, et al. Standards Track [Page 1] + +RFC 3748 EAP June 2004 + + +Table of Contents + + 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1.1. Specification of Requirements . . . . . . . . . . . . . 4 + 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . 4 + 1.3. Applicability . . . . . . . . . . . . . . . . . . . . . 6 + 2. Extensible Authentication Protocol (EAP). . . . . . . . . . . 7 + 2.1. Support for Sequences . . . . . . . . . . . . . . . . . 9 + 2.2. EAP Multiplexing Model. . . . . . . . . . . . . . . . . 10 + 2.3. Pass-Through Behavior . . . . . . . . . . . . . . . . . 12 + 2.4. Peer-to-Peer Operation. . . . . . . . . . . . . . . . . 14 + 3. Lower Layer Behavior. . . . . . . . . . . . . . . . . . . . . 15 + 3.1. Lower Layer Requirements. . . . . . . . . . . . . . . . 15 + 3.2. EAP Usage Within PPP. . . . . . . . . . . . . . . . . . 18 + 3.2.1. PPP Configuration Option Format. . . . . . . . . 18 + 3.3. EAP Usage Within IEEE 802 . . . . . . . . . . . . . . . 19 + 3.4. Lower Layer Indications . . . . . . . . . . . . . . . . 19 + 4. EAP Packet Format . . . . . . . . . . . . . . . . . . . . . . 20 + 4.1. Request and Response. . . . . . . . . . . . . . . . . . 21 + 4.2. Success and Failure . . . . . . . . . . . . . . . . . . 23 + 4.3. Retransmission Behavior . . . . . . . . . . . . . . . . 26 + 5. Initial EAP Request/Response Types. . . . . . . . . . . . . . 27 + 5.1. Identity. . . . . . . . . . . . . . . . . . . . . . . . 28 + 5.2. Notification. . . . . . . . . . . . . . . . . . . . . . 29 + 5.3. Nak . . . . . . . . . . . . . . . . . . . . . . . . . . 31 + 5.3.1. Legacy Nak . . . . . . . . . . . . . . . . . . . 31 + 5.3.2. Expanded Nak . . . . . . . . . . . . . . . . . . 32 + 5.4. MD5-Challenge . . . . . . . . . . . . . . . . . . . . . 35 + 5.5. One-Time Password (OTP) . . . . . . . . . . . . . . . . 36 + 5.6. Generic Token Card (GTC). . . . . . . . . . . . . . . . 37 + 5.7. Expanded Types. . . . . . . . . . . . . . . . . . . . . 38 + 5.8. Experimental. . . . . . . . . . . . . . . . . . . . . . 40 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 + 6.1. Packet Codes. . . . . . . . . . . . . . . . . . . . . . 41 + 6.2. Method Types. . . . . . . . . . . . . . . . . . . . . . 41 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 42 + 7.1. Threat Model. . . . . . . . . . . . . . . . . . . . . . 42 + 7.2. Security Claims . . . . . . . . . . . . . . . . . . . . 43 + 7.2.1. Security Claims Terminology for EAP Methods. . . 44 + 7.3. Identity Protection . . . . . . . . . . . . . . . . . . 46 + 7.4. Man-in-the-Middle Attacks . . . . . . . . . . . . . . . 47 + 7.5. Packet Modification Attacks . . . . . . . . . . . . . . 48 + 7.6. Dictionary Attacks. . . . . . . . . . . . . . . . . . . 49 + 7.7. Connection to an Untrusted Network. . . . . . . . . . . 49 + 7.8. Negotiation Attacks . . . . . . . . . . . . . . . . . . 50 + 7.9. Implementation Idiosyncrasies . . . . . . . . . . . . . 50 + 7.10. Key Derivation. . . . . . . . . . . . . . . . . . . . . 51 + 7.11. Weak Ciphersuites . . . . . . . . . . . . . . . . . . . 53 + + + +Aboba, et al. Standards Track [Page 2] + +RFC 3748 EAP June 2004 + + + 7.12. Link Layer. . . . . . . . . . . . . . . . . . . . . . . 53 + 7.13. Separation of Authenticator and Backend Authentication + Server. . . . . . . . . . . . . . . . . . . . . . . . . 54 + 7.14. Cleartext Passwords . . . . . . . . . . . . . . . . . . 55 + 7.15. Channel Binding . . . . . . . . . . . . . . . . . . . . 55 + 7.16. Protected Result Indications. . . . . . . . . . . . . . 56 + 8. Acknowledgements. . . . . . . . . . . . . . . . . . . . . . . 58 + 9. References. . . . . . . . . . . . . . . . . . . . . . . . . . 59 + 9.1. Normative References. . . . . . . . . . . . . . . . . . 59 + 9.2. Informative References. . . . . . . . . . . . . . . . . 60 + Appendix A. Changes from RFC 2284. . . . . . . . . . . . . . . . . 64 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 66 + Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 67 + +1. Introduction + + This document defines the Extensible Authentication Protocol (EAP), + an authentication framework which supports multiple authentication + methods. EAP typically runs directly over data link layers such as + Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. EAP + provides its own support for duplicate elimination and + retransmission, but is reliant on lower layer ordering guarantees. + Fragmentation is not supported within EAP itself; however, individual + EAP methods may support this. + + EAP may be used on dedicated links, as well as switched circuits, and + wired as well as wireless links. To date, EAP has been implemented + with hosts and routers that connect via switched circuits or dial-up + lines using PPP [RFC1661]. It has also been implemented with + switches and access points using IEEE 802 [IEEE-802]. EAP + encapsulation on IEEE 802 wired media is described in [IEEE-802.1X], + and encapsulation on IEEE wireless LANs in [IEEE-802.11i]. + + One of the advantages of the EAP architecture is its flexibility. + EAP is used to select a specific authentication mechanism, typically + after the authenticator requests more information in order to + determine the specific authentication method to be used. Rather than + requiring the authenticator to be updated to support each new + authentication method, EAP permits the use of a backend + authentication server, which may implement some or all authentication + methods, with the authenticator acting as a pass-through for some or + all methods and peers. + + Within this document, authenticator requirements apply regardless of + whether the authenticator is operating as a pass-through or not. + Where the requirement is meant to apply to either the authenticator + or backend authentication server, depending on where the EAP + authentication is terminated, the term "EAP server" will be used. + + + +Aboba, et al. Standards Track [Page 3] + +RFC 3748 EAP June 2004 + + +1.1. Specification of Requirements + + In this document, several words are used to signify the requirements + of the specification. The key words "MUST", "MUST NOT", "REQUIRED", + "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", + and "OPTIONAL" in this document are to be interpreted as described in + [RFC2119]. + +1.2. Terminology + + This document frequently uses the following terms: + + authenticator + The end of the link initiating EAP authentication. The term + authenticator is used in [IEEE-802.1X], and has the same meaning + in this document. + + peer + The end of the link that responds to the authenticator. In + [IEEE-802.1X], this end is known as the Supplicant. + + Supplicant + The end of the link that responds to the authenticator in [IEEE- + 802.1X]. In this document, this end of the link is called the + peer. + + backend authentication server + A backend authentication server is an entity that provides an + authentication service to an authenticator. When used, this + server typically executes EAP methods for the authenticator. This + terminology is also used in [IEEE-802.1X]. + + AAA + Authentication, Authorization, and Accounting. AAA protocols with + EAP support include RADIUS [RFC3579] and Diameter [DIAM-EAP]. In + this document, the terms "AAA server" and "backend authentication + server" are used interchangeably. + + Displayable Message + This is interpreted to be a human readable string of characters. + The message encoding MUST follow the UTF-8 transformation format + [RFC2279]. + + + + + + + + + +Aboba, et al. Standards Track [Page 4] + +RFC 3748 EAP June 2004 + + + EAP server + The entity that terminates the EAP authentication method with the + peer. In the case where no backend authentication server is used, + the EAP server is part of the authenticator. In the case where + the authenticator operates in pass-through mode, the EAP server is + located on the backend authentication server. + + Silently Discard + This means the implementation discards the packet without further + processing. The implementation SHOULD provide the capability of + logging the event, including the contents of the silently + discarded packet, and SHOULD record the event in a statistics + counter. + + Successful Authentication + In the context of this document, "successful authentication" is an + exchange of EAP messages, as a result of which the authenticator + decides to allow access by the peer, and the peer decides to use + this access. The authenticator's decision typically involves both + authentication and authorization aspects; the peer may + successfully authenticate to the authenticator, but access may be + denied by the authenticator due to policy reasons. + + Message Integrity Check (MIC) + A keyed hash function used for authentication and integrity + protection of data. This is usually called a Message + Authentication Code (MAC), but IEEE 802 specifications (and this + document) use the acronym MIC to avoid confusion with Medium + Access Control. + + Cryptographic Separation + Two keys (x and y) are "cryptographically separate" if an + adversary that knows all messages exchanged in the protocol cannot + compute x from y or y from x without "breaking" some cryptographic + assumption. In particular, this definition allows that the + adversary has the knowledge of all nonces sent in cleartext, as + well as all predictable counter values used in the protocol. + Breaking a cryptographic assumption would typically require + inverting a one-way function or predicting the outcome of a + cryptographic pseudo-random number generator without knowledge of + the secret state. In other words, if the keys are + cryptographically separate, there is no shortcut to compute x from + y or y from x, but the work an adversary must do to perform this + computation is equivalent to performing an exhaustive search for + the secret state value. + + + + + + +Aboba, et al. Standards Track [Page 5] + +RFC 3748 EAP June 2004 + + + Master Session Key (MSK) + Keying material that is derived between the EAP peer and server + and exported by the EAP method. The MSK is at least 64 octets in + length. In existing implementations, a AAA server acting as an + EAP server transports the MSK to the authenticator. + + Extended Master Session Key (EMSK) + Additional keying material derived between the EAP client and + server that is exported by the EAP method. The EMSK is at least + 64 octets in length. The EMSK is not shared with the + authenticator or any other third party. The EMSK is reserved for + future uses that are not defined yet. + + Result indications + A method provides result indications if after the method's last + message is sent and received: + + 1) The peer is aware of whether it has authenticated the server, + as well as whether the server has authenticated it. + + 2) The server is aware of whether it has authenticated the peer, + as well as whether the peer has authenticated it. + + In the case where successful authentication is sufficient to + authorize access, then the peer and authenticator will also know if + the other party is willing to provide or accept access. This may not + always be the case. An authenticated peer may be denied access due + to lack of authorization (e.g., session limit) or other reasons. + Since the EAP exchange is run between the peer and the server, other + nodes (such as AAA proxies) may also affect the authorization + decision. This is discussed in more detail in Section 7.16. + +1.3. Applicability + + EAP was designed for use in network access authentication, where IP + layer connectivity may not be available. Use of EAP for other + purposes, such as bulk data transport, is NOT RECOMMENDED. + + Since EAP does not require IP connectivity, it provides just enough + support for the reliable transport of authentication protocols, and + no more. + + EAP is a lock-step protocol which only supports a single packet in + flight. As a result, EAP cannot efficiently transport bulk data, + unlike transport protocols such as TCP [RFC793] or SCTP [RFC2960]. + + + + + + +Aboba, et al. Standards Track [Page 6] + +RFC 3748 EAP June 2004 + + + While EAP provides support for retransmission, it assumes ordering + guarantees provided by the lower layer, so out of order reception is + not supported. + + Since EAP does not support fragmentation and reassembly, EAP + authentication methods generating payloads larger than the minimum + EAP MTU need to provide fragmentation support. + + While authentication methods such as EAP-TLS [RFC2716] provide + support for fragmentation and reassembly, the EAP methods defined in + this document do not. As a result, if the EAP packet size exceeds + the EAP MTU of the link, these methods will encounter difficulties. + + EAP authentication is initiated by the server (authenticator), + whereas many authentication protocols are initiated by the client + (peer). As a result, it may be necessary for an authentication + algorithm to add one or two additional messages (at most one + roundtrip) in order to run over EAP. + + Where certificate-based authentication is supported, the number of + additional roundtrips may be much larger due to fragmentation of + certificate chains. In general, a fragmented EAP packet will require + as many round-trips to send as there are fragments. For example, a + certificate chain 14960 octets in size would require ten round-trips + to send with a 1496 octet EAP MTU. + + Where EAP runs over a lower layer in which significant packet loss is + experienced, or where the connection between the authenticator and + authentication server experiences significant packet loss, EAP + methods requiring many round-trips can experience difficulties. In + these situations, use of EAP methods with fewer roundtrips is + advisable. + +2. Extensible Authentication Protocol (EAP) + + The EAP authentication exchange proceeds as follows: + + [1] The authenticator sends a Request to authenticate the peer. The + Request has a Type field to indicate what is being requested. + Examples of Request Types include Identity, MD5-challenge, etc. + The MD5-challenge Type corresponds closely to the CHAP + authentication protocol [RFC1994]. Typically, the authenticator + will send an initial Identity Request; however, an initial + Identity Request is not required, and MAY be bypassed. For + example, the identity may not be required where it is determined + by the port to which the peer has connected (leased lines, + + + + + +Aboba, et al. Standards Track [Page 7] + +RFC 3748 EAP June 2004 + + + dedicated switch or dial-up ports), or where the identity is + obtained in another fashion (via calling station identity or MAC + address, in the Name field of the MD5-Challenge Response, etc.). + + [2] The peer sends a Response packet in reply to a valid Request. As + with the Request packet, the Response packet contains a Type + field, which corresponds to the Type field of the Request. + + [3] The authenticator sends an additional Request packet, and the + peer replies with a Response. The sequence of Requests and + Responses continues as long as needed. EAP is a 'lock step' + protocol, so that other than the initial Request, a new Request + cannot be sent prior to receiving a valid Response. The + authenticator is responsible for retransmitting requests as + described in Section 4.1. After a suitable number of + retransmissions, the authenticator SHOULD end the EAP + conversation. The authenticator MUST NOT send a Success or + Failure packet when retransmitting or when it fails to get a + response from the peer. + + [4] The conversation continues until the authenticator cannot + authenticate the peer (unacceptable Responses to one or more + Requests), in which case the authenticator implementation MUST + transmit an EAP Failure (Code 4). Alternatively, the + authentication conversation can continue until the authenticator + determines that successful authentication has occurred, in which + case the authenticator MUST transmit an EAP Success (Code 3). + + Advantages: + + o The EAP protocol can support multiple authentication mechanisms + without having to pre-negotiate a particular one. + + o Network Access Server (NAS) devices (e.g., a switch or access + point) do not have to understand each authentication method and + MAY act as a pass-through agent for a backend authentication + server. Support for pass-through is optional. An authenticator + MAY authenticate local peers, while at the same time acting as a + pass-through for non-local peers and authentication methods it + does not implement locally. + + o Separation of the authenticator from the backend authentication + server simplifies credentials management and policy decision + making. + + + + + + + +Aboba, et al. Standards Track [Page 8] + +RFC 3748 EAP June 2004 + + + Disadvantages: + + o For use in PPP, EAP requires the addition of a new authentication + Type to PPP LCP and thus PPP implementations will need to be + modified to use it. It also strays from the previous PPP + authentication model of negotiating a specific authentication + mechanism during LCP. Similarly, switch or access point + implementations need to support [IEEE-802.1X] in order to use EAP. + + o Where the authenticator is separate from the backend + authentication server, this complicates the security analysis and, + if needed, key distribution. + +2.1. Support for Sequences + + An EAP conversation MAY utilize a sequence of methods. A common + example of this is an Identity request followed by a single EAP + authentication method such as an MD5-Challenge. However, the peer + and authenticator MUST utilize only one authentication method (Type 4 + or greater) within an EAP conversation, after which the authenticator + MUST send a Success or Failure packet. + + Once a peer has sent a Response of the same Type as the initial + Request, an authenticator MUST NOT send a Request of a different Type + prior to completion of the final round of a given method (with the + exception of a Notification-Request) and MUST NOT send a Request for + an additional method of any Type after completion of the initial + authentication method; a peer receiving such Requests MUST treat them + as invalid, and silently discard them. As a result, Identity Requery + is not supported. + + A peer MUST NOT send a Nak (legacy or expanded) in reply to a Request + after an initial non-Nak Response has been sent. Since spoofed EAP + Request packets may be sent by an attacker, an authenticator + receiving an unexpected Nak SHOULD discard it and log the event. + + Multiple authentication methods within an EAP conversation are not + supported due to their vulnerability to man-in-the-middle attacks + (see Section 7.4) and incompatibility with existing implementations. + + Where a single EAP authentication method is utilized, but other + methods are run within it (a "tunneled" method), the prohibition + against multiple authentication methods does not apply. Such + "tunneled" methods appear as a single authentication method to EAP. + Backward compatibility can be provided, since a peer not supporting a + "tunneled" method can reply to the initial EAP-Request with a Nak + + + + + +Aboba, et al. Standards Track [Page 9] + +RFC 3748 EAP June 2004 + + + (legacy or expanded). To address security vulnerabilities, + "tunneled" methods MUST support protection against man-in-the-middle + attacks. + +2.2. EAP Multiplexing Model + + Conceptually, EAP implementations consist of the following + components: + + [a] Lower layer. The lower layer is responsible for transmitting and + receiving EAP frames between the peer and authenticator. EAP has + been run over a variety of lower layers including PPP, wired IEEE + 802 LANs [IEEE-802.1X], IEEE 802.11 wireless LANs [IEEE-802.11], + UDP (L2TP [RFC2661] and IKEv2 [IKEv2]), and TCP [PIC]. Lower + layer behavior is discussed in Section 3. + + [b] EAP layer. The EAP layer receives and transmits EAP packets via + the lower layer, implements duplicate detection and + retransmission, and delivers and receives EAP messages to and + from the EAP peer and authenticator layers. + + [c] EAP peer and authenticator layers. Based on the Code field, the + EAP layer demultiplexes incoming EAP packets to the EAP peer and + authenticator layers. Typically, an EAP implementation on a + given host will support either peer or authenticator + functionality, but it is possible for a host to act as both an + EAP peer and authenticator. In such an implementation both EAP + peer and authenticator layers will be present. + + [d] EAP method layers. EAP methods implement the authentication + algorithms and receive and transmit EAP messages via the EAP peer + and authenticator layers. Since fragmentation support is not + provided by EAP itself, this is the responsibility of EAP + methods, which are discussed in Section 5. + + The EAP multiplexing model is illustrated in Figure 1 below. Note + that there is no requirement that an implementation conform to this + model, as long as the on-the-wire behavior is consistent with it. + + + + + + + + + + + + + +Aboba, et al. Standards Track [Page 10] + +RFC 3748 EAP June 2004 + + + +-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+ + | | | | | | + | EAP method| EAP method| | EAP method| EAP method| + | Type = X | Type = Y | | Type = X | Type = Y | + | V | | | ^ | | + +-+-+-+-!-+-+-+-+-+-+-+-+ +-+-+-+-!-+-+-+-+-+-+-+-+ + | ! | | ! | + | EAP ! Peer layer | | EAP ! Auth. layer | + | ! | | ! | + +-+-+-+-!-+-+-+-+-+-+-+-+ +-+-+-+-!-+-+-+-+-+-+-+-+ + | ! | | ! | + | EAP ! layer | | EAP ! layer | + | ! | | ! | + +-+-+-+-!-+-+-+-+-+-+-+-+ +-+-+-+-!-+-+-+-+-+-+-+-+ + | ! | | ! | + | Lower ! layer | | Lower ! layer | + | ! | | ! | + +-+-+-+-!-+-+-+-+-+-+-+-+ +-+-+-+-!-+-+-+-+-+-+-+-+ + ! ! + ! Peer ! Authenticator + +------------>-------------+ + + Figure 1: EAP Multiplexing Model + + Within EAP, the Code field functions much like a protocol number in + IP. It is assumed that the EAP layer demultiplexes incoming EAP + packets according to the Code field. Received EAP packets with + Code=1 (Request), 3 (Success), and 4 (Failure) are delivered by the + EAP layer to the EAP peer layer, if implemented. EAP packets with + Code=2 (Response) are delivered to the EAP authenticator layer, if + implemented. + + Within EAP, the Type field functions much like a port number in UDP + or TCP. It is assumed that the EAP peer and authenticator layers + demultiplex incoming EAP packets according to their Type, and deliver + them only to the EAP method corresponding to that Type. An EAP + method implementation on a host may register to receive packets from + the peer or authenticator layers, or both, depending on which role(s) + it supports. + + Since EAP authentication methods may wish to access the Identity, + implementations SHOULD make the Identity Request and Response + accessible to authentication methods (Types 4 or greater), in + addition to the Identity method. The Identity Type is discussed in + Section 5.1. + + + + + + +Aboba, et al. Standards Track [Page 11] + +RFC 3748 EAP June 2004 + + + A Notification Response is only used as confirmation that the peer + received the Notification Request, not that it has processed it, or + displayed the message to the user. It cannot be assumed that the + contents of the Notification Request or Response are available to + another method. The Notification Type is discussed in Section 5.2. + + Nak (Type 3) or Expanded Nak (Type 254) are utilized for the purposes + of method negotiation. Peers respond to an initial EAP Request for + an unacceptable Type with a Nak Response (Type 3) or Expanded Nak + Response (Type 254). It cannot be assumed that the contents of the + Nak Response(s) are available to another method. The Nak Type(s) are + discussed in Section 5.3. + + EAP packets with Codes of Success or Failure do not include a Type + field, and are not delivered to an EAP method. Success and Failure + are discussed in Section 4.2. + + Given these considerations, the Success, Failure, Nak Response(s), + and Notification Request/Response messages MUST NOT be used to carry + data destined for delivery to other EAP methods. + +2.3. Pass-Through Behavior + + When operating as a "pass-through authenticator", an authenticator + performs checks on the Code, Identifier, and Length fields as + described in Section 4.1. It forwards EAP packets received from the + peer and destined to its authenticator layer to the backend + authentication server; packets received from the backend + authentication server destined to the peer are forwarded to it. + + A host receiving an EAP packet may only do one of three things with + it: act on it, drop it, or forward it. The forwarding decision is + typically based only on examination of the Code, Identifier, and + Length fields. A pass-through authenticator implementation MUST be + capable of forwarding EAP packets received from the peer with Code=2 + (Response) to the backend authentication server. It also MUST be + capable of receiving EAP packets from the backend authentication + server and forwarding EAP packets of Code=1 (Request), Code=3 + (Success), and Code=4 (Failure) to the peer. + + Unless the authenticator implements one or more authentication + methods locally which support the authenticator role, the EAP method + layer header fields (Type, Type-Data) are not examined as part of the + forwarding decision. Where the authenticator supports local + authentication methods, it MAY examine the Type field to determine + whether to act on the packet itself or forward it. Compliant pass- + through authenticator implementations MUST by default forward EAP + packets of any Type. + + + +Aboba, et al. Standards Track [Page 12] + +RFC 3748 EAP June 2004 + + + EAP packets received with Code=1 (Request), Code=3 (Success), and + Code=4 (Failure) are demultiplexed by the EAP layer and delivered to + the peer layer. Therefore, unless a host implements an EAP peer + layer, these packets will be silently discarded. Similarly, EAP + packets received with Code=2 (Response) are demultiplexed by the EAP + layer and delivered to the authenticator layer. Therefore, unless a + host implements an EAP authenticator layer, these packets will be + silently discarded. The behavior of a "pass-through peer" is + undefined within this specification, and is unsupported by AAA + protocols such as RADIUS [RFC3579] and Diameter [DIAM-EAP]. + + The forwarding model is illustrated in Figure 2. + + Peer Pass-through Authenticator Authentication + Server + + +-+-+-+-+-+-+ +-+-+-+-+-+-+ + | | | | + |EAP method | |EAP method | + | V | | ^ | + +-+-+-!-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-!-+-+-+ + | ! | |EAP | EAP | | | ! | + | ! | |Peer | Auth.| EAP Auth. | | ! | + |EAP ! peer| | | +-----------+ | |EAP !Auth.| + | ! | | | ! | ! | | ! | + +-+-+-!-+-+-+ +-+-+-+-!-+-+-+-+-+-!-+-+-+-+ +-+-+-!-+-+-+ + | ! | | ! | ! | | ! | + |EAP !layer| | EAP !layer| EAP !layer | |EAP !layer| + | ! | | ! | ! | | ! | + +-+-+-!-+-+-+ +-+-+-+-!-+-+-+-+-+-!-+-+-+-+ +-+-+-!-+-+-+ + | ! | | ! | ! | | ! | + |Lower!layer| | Lower!layer| AAA ! /IP | | AAA ! /IP | + | ! | | ! | ! | | ! | + +-+-+-!-+-+-+ +-+-+-+-!-+-+-+-+-+-!-+-+-+-+ +-+-+-!-+-+-+ + ! ! ! ! + ! ! ! ! + +-------->--------+ +--------->-------+ + + + Figure 2: Pass-through Authenticator + + For sessions in which the authenticator acts as a pass-through, it + MUST determine the outcome of the authentication solely based on the + Accept/Reject indication sent by the backend authentication server; + the outcome MUST NOT be determined by the contents of an EAP packet + sent along with the Accept/Reject indication, or the absence of such + an encapsulated EAP packet. + + + + +Aboba, et al. Standards Track [Page 13] + +RFC 3748 EAP June 2004 + + +2.4. Peer-to-Peer Operation + + Since EAP is a peer-to-peer protocol, an independent and simultaneous + authentication may take place in the reverse direction (depending on + the capabilities of the lower layer). Both ends of the link may act + as authenticators and peers at the same time. In this case, it is + necessary for both ends to implement EAP authenticator and peer + layers. In addition, the EAP method implementations on both peers + must support both authenticator and peer functionality. + + Although EAP supports peer-to-peer operation, some EAP + implementations, methods, AAA protocols, and link layers may not + support this. Some EAP methods may support asymmetric + authentication, with one type of credential being required for the + peer and another type for the authenticator. Hosts supporting peer- + to-peer operation with such a method would need to be provisioned + with both types of credentials. + + For example, EAP-TLS [RFC2716] is a client-server protocol in which + distinct certificate profiles are typically utilized for the client + and server. This implies that a host supporting peer-to-peer + authentication with EAP-TLS would need to implement both the EAP peer + and authenticator layers, support both peer and authenticator roles + in the EAP-TLS implementation, and provision certificates appropriate + for each role. + + AAA protocols such as RADIUS/EAP [RFC3579] and Diameter EAP [DIAM- + EAP] only support "pass-through authenticator" operation. As noted + in [RFC3579] Section 2.6.2, a RADIUS server responds to an Access- + Request encapsulating an EAP-Request, Success, or Failure packet with + an Access-Reject. There is therefore no support for "pass-through + peer" operation. + + Even where a method is used which supports mutual authentication and + result indications, several considerations may dictate that two EAP + authentications (one in each direction) are required. These include: + + [1] Support for bi-directional session key derivation in the lower + layer. Lower layers such as IEEE 802.11 may only support uni- + directional derivation and transport of transient session keys. + For example, the group-key handshake defined in [IEEE-802.11i] is + uni-directional, since in IEEE 802.11 infrastructure mode, only + the Access Point (AP) sends multicast/broadcast traffic. In IEEE + 802.11 ad hoc mode, where either peer may send + multicast/broadcast traffic, two uni-directional group-key + + + + + + +Aboba, et al. Standards Track [Page 14] + +RFC 3748 EAP June 2004 + + + exchanges are required. Due to limitations of the design, this + also implies the need for unicast key derivations and EAP method + exchanges to occur in each direction. + + [2] Support for tie-breaking in the lower layer. Lower layers such + as IEEE 802.11 ad hoc do not support "tie breaking" wherein two + hosts initiating authentication with each other will only go + forward with a single authentication. This implies that even if + 802.11 were to support a bi-directional group-key handshake, then + two authentications, one in each direction, might still occur. + + [3] Peer policy satisfaction. EAP methods may support result + indications, enabling the peer to indicate to the EAP server + within the method that it successfully authenticated the EAP + server, as well as for the server to indicate that it has + authenticated the peer. However, a pass-through authenticator + will not be aware that the peer has accepted the credentials + offered by the EAP server, unless this information is provided to + the authenticator via the AAA protocol. The authenticator SHOULD + interpret the receipt of a key attribute within an Accept packet + as an indication that the peer has successfully authenticated the + server. + + However, it is possible that the EAP peer's access policy was not + satisfied during the initial EAP exchange, even though mutual + authentication occurred. For example, the EAP authenticator may not + have demonstrated authorization to act in both peer and authenticator + roles. As a result, the peer may require an additional + authentication in the reverse direction, even if the peer provided an + indication that the EAP server had successfully authenticated to it. + +3. Lower Layer Behavior + +3.1. Lower Layer Requirements + + EAP makes the following assumptions about lower layers: + + [1] Unreliable transport. In EAP, the authenticator retransmits + Requests that have not yet received Responses so that EAP does + not assume that lower layers are reliable. Since EAP defines its + own retransmission behavior, it is possible (though undesirable) + for retransmission to occur both in the lower layer and the EAP + layer when EAP is run over a reliable lower layer. + + + + + + + + +Aboba, et al. Standards Track [Page 15] + +RFC 3748 EAP June 2004 + + + Note that EAP Success and Failure packets are not retransmitted. + Without a reliable lower layer, and with a non-negligible error rate, + these packets can be lost, resulting in timeouts. It is therefore + desirable for implementations to improve their resilience to loss of + EAP Success or Failure packets, as described in Section 4.2. + + [2] Lower layer error detection. While EAP does not assume that the + lower layer is reliable, it does rely on lower layer error + detection (e.g., CRC, Checksum, MIC, etc.). EAP methods may not + include a MIC, or if they do, it may not be computed over all the + fields in the EAP packet, such as the Code, Identifier, Length, + or Type fields. As a result, without lower layer error + detection, undetected errors could creep into the EAP layer or + EAP method layer header fields, resulting in authentication + failures. + + For example, EAP TLS [RFC2716], which computes its MIC over the + Type-Data field only, regards MIC validation failures as a fatal + error. Without lower layer error detection, this method, and + others like it, will not perform reliably. + + [3] Lower layer security. EAP does not require lower layers to + provide security services such as per-packet confidentiality, + authentication, integrity, and replay protection. However, where + these security services are available, EAP methods supporting Key + Derivation (see Section 7.2.1) can be used to provide dynamic + keying material. This makes it possible to bind the EAP + authentication to subsequent data and protect against data + modification, spoofing, or replay. See Section 7.1 for details. + + [4] Minimum MTU. EAP is capable of functioning on lower layers that + provide an EAP MTU size of 1020 octets or greater. + + EAP does not support path MTU discovery, and fragmentation and + reassembly is not supported by EAP, nor by the methods defined in + this specification: Identity (1), Notification (2), Nak Response + (3), MD5-Challenge (4), One Time Password (5), Generic Token Card + (6), and expanded Nak Response (254) Types. + + Typically, the EAP peer obtains information on the EAP MTU from + the lower layers and sets the EAP frame size to an appropriate + value. Where the authenticator operates in pass-through mode, + the authentication server does not have a direct way of + determining the EAP MTU, and therefore relies on the + authenticator to provide it with this information, such as via + the Framed-MTU attribute, as described in [RFC3579], Section 2.4. + + + + + +Aboba, et al. Standards Track [Page 16] + +RFC 3748 EAP June 2004 + + + While methods such as EAP-TLS [RFC2716] support fragmentation and + reassembly, EAP methods originally designed for use within PPP + where a 1500 octet MTU is guaranteed for control frames (see + [RFC1661], Section 6.1) may lack fragmentation and reassembly + features. + + EAP methods can assume a minimum EAP MTU of 1020 octets in the + absence of other information. EAP methods SHOULD include support + for fragmentation and reassembly if their payloads can be larger + than this minimum EAP MTU. + + EAP is a lock-step protocol, which implies a certain inefficiency + when handling fragmentation and reassembly. Therefore, if the + lower layer supports fragmentation and reassembly (such as where + EAP is transported over IP), it may be preferable for + fragmentation and reassembly to occur in the lower layer rather + than in EAP. This can be accomplished by providing an + artificially large EAP MTU to EAP, causing fragmentation and + reassembly to be handled within the lower layer. + + [5] Possible duplication. Where the lower layer is reliable, it will + provide the EAP layer with a non-duplicated stream of packets. + However, while it is desirable that lower layers provide for + non-duplication, this is not a requirement. The Identifier field + provides both the peer and authenticator with the ability to + detect duplicates. + + [6] Ordering guarantees. EAP does not require the Identifier to be + monotonically increasing, and so is reliant on lower layer + ordering guarantees for correct operation. EAP was originally + defined to run on PPP, and [RFC1661] Section 1 has an ordering + requirement: + + "The Point-to-Point Protocol is designed for simple links + which transport packets between two peers. These links + provide full-duplex simultaneous bi-directional operation, + and are assumed to deliver packets in order." + + Lower layer transports for EAP MUST preserve ordering between a + source and destination at a given priority level (the ordering + guarantee provided by [IEEE-802]). + + Reordering, if it occurs, will typically result in an EAP + authentication failure, causing EAP authentication to be re-run. + In an environment in which reordering is likely, it is therefore + expected that EAP authentication failures will be common. It is + RECOMMENDED that EAP only be run over lower layers that provide + ordering guarantees; running EAP over raw IP or UDP transport is + + + +Aboba, et al. Standards Track [Page 17] + +RFC 3748 EAP June 2004 + + + NOT RECOMMENDED. Encapsulation of EAP within RADIUS [RFC3579] + satisfies ordering requirements, since RADIUS is a "lockstep" + protocol that delivers packets in order. + +3.2. EAP Usage Within PPP + + In order to establish communications over a point-to-point link, each + end of the PPP link first sends LCP packets to configure the data + link during the Link Establishment phase. After the link has been + established, PPP provides for an optional Authentication phase before + proceeding to the Network-Layer Protocol phase. + + By default, authentication is not mandatory. If authentication of + the link is desired, an implementation MUST specify the + Authentication Protocol Configuration Option during the Link + Establishment phase. + + If the identity of the peer has been established in the + Authentication phase, the server can use that identity in the + selection of options for the following network layer negotiations. + + When implemented within PPP, EAP does not select a specific + authentication mechanism at the PPP Link Control Phase, but rather + postpones this until the Authentication Phase. This allows the + authenticator to request more information before determining the + specific authentication mechanism. This also permits the use of a + "backend" server which actually implements the various mechanisms + while the PPP authenticator merely passes through the authentication + exchange. The PPP Link Establishment and Authentication phases, and + the Authentication Protocol Configuration Option, are defined in The + Point-to-Point Protocol (PPP) [RFC1661]. + +3.2.1. PPP Configuration Option Format + + A summary of the PPP Authentication Protocol Configuration Option + format to negotiate EAP follows. The fields are transmitted from + left to right. + + Exactly one EAP packet is encapsulated in the Information field of a + PPP Data Link Layer frame where the protocol field indicates type hex + C227 (PPP EAP). + + + + + + + + + + +Aboba, et al. Standards Track [Page 18] + +RFC 3748 EAP June 2004 + + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Authentication Protocol | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 3 + + Length + + 4 + + Authentication Protocol + + C227 (Hex) for Extensible Authentication Protocol (EAP) + +3.3. EAP Usage Within IEEE 802 + + The encapsulation of EAP over IEEE 802 is defined in [IEEE-802.1X]. + The IEEE 802 encapsulation of EAP does not involve PPP, and IEEE + 802.1X does not include support for link or network layer + negotiations. As a result, within IEEE 802.1X, it is not possible to + negotiate non-EAP authentication mechanisms, such as PAP or CHAP + [RFC1994]. + +3.4. Lower Layer Indications + + The reliability and security of lower layer indications is dependent + on the lower layer. Since EAP is media independent, the presence or + absence of lower layer security is not taken into account in the + processing of EAP messages. + + To improve reliability, if a peer receives a lower layer success + indication as defined in Section 7.2, it MAY conclude that a Success + packet has been lost, and behave as if it had actually received a + Success packet. This includes choosing to ignore the Success in some + circumstances as described in Section 4.2. + + A discussion of some reliability and security issues with lower layer + indications in PPP, IEEE 802 wired networks, and IEEE 802.11 wireless + LANs can be found in the Security Considerations, Section 7.12. + + After EAP authentication is complete, the peer will typically + transmit and receive data via the authenticator. It is desirable to + provide assurance that the entities transmitting data are the same + ones that successfully completed EAP authentication. To accomplish + + + +Aboba, et al. Standards Track [Page 19] + +RFC 3748 EAP June 2004 + + + this, it is necessary for the lower layer to provide per-packet + integrity, authentication and replay protection, and to bind these + per-packet services to the keys derived during EAP authentication. + Otherwise, it is possible for subsequent data traffic to be modified, + spoofed, or replayed. + + Where keying material for the lower layer ciphersuite is itself + provided by EAP, ciphersuite negotiation and key activation are + controlled by the lower layer. In PPP, ciphersuites are negotiated + within ECP so that it is not possible to use keys derived from EAP + authentication until the completion of ECP. Therefore, an initial + EAP exchange cannot be protected by a PPP ciphersuite, although EAP + re-authentication can be protected. + + In IEEE 802 media, initial key activation also typically occurs after + completion of EAP authentication. Therefore an initial EAP exchange + typically cannot be protected by the lower layer ciphersuite, + although an EAP re-authentication or pre-authentication exchange can + be protected. + +4. EAP Packet Format + + A summary of the EAP packet format is shown below. The fields are + transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Data ... + +-+-+-+-+ + + Code + + The Code field is one octet and identifies the Type of EAP packet. + EAP Codes are assigned as follows: + + 1 Request + 2 Response + 3 Success + 4 Failure + + Since EAP only defines Codes 1-4, EAP packets with other codes + MUST be silently discarded by both authenticators and peers. + + + + + + +Aboba, et al. Standards Track [Page 20] + +RFC 3748 EAP June 2004 + + + Identifier + + The Identifier field is one octet and aids in matching Responses + with Requests. + + Length + + The Length field is two octets and indicates the length, in + octets, of the EAP packet including the Code, Identifier, Length, + and Data fields. Octets outside the range of the Length field + should be treated as Data Link Layer padding and MUST be ignored + upon reception. A message with the Length field set to a value + larger than the number of received octets MUST be silently + discarded. + + Data + + The Data field is zero or more octets. The format of the Data + field is determined by the Code field. + +4.1. Request and Response + + Description + + The Request packet (Code field set to 1) is sent by the + authenticator to the peer. Each Request has a Type field which + serves to indicate what is being requested. Additional Request + packets MUST be sent until a valid Response packet is received, an + optional retry counter expires, or a lower layer failure + indication is received. + + Retransmitted Requests MUST be sent with the same Identifier value + in order to distinguish them from new Requests. The content of + the data field is dependent on the Request Type. The peer MUST + send a Response packet in reply to a valid Request packet. + Responses MUST only be sent in reply to a valid Request and never + be retransmitted on a timer. + + If a peer receives a valid duplicate Request for which it has + already sent a Response, it MUST resend its original Response + without reprocessing the Request. Requests MUST be processed in + the order that they are received, and MUST be processed to their + completion before inspecting the next Request. + + A summary of the Request and Response packet format follows. The + fields are transmitted from left to right. + + + + + +Aboba, et al. Standards Track [Page 21] + +RFC 3748 EAP June 2004 + + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Type-Data ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Code + + 1 for Request + 2 for Response + + Identifier + + The Identifier field is one octet. The Identifier field MUST be + the same if a Request packet is retransmitted due to a timeout + while waiting for a Response. Any new (non-retransmission) + Requests MUST modify the Identifier field. + + The Identifier field of the Response MUST match that of the + currently outstanding Request. An authenticator receiving a + Response whose Identifier value does not match that of the + currently outstanding Request MUST silently discard the Response. + + In order to avoid confusion between new Requests and + retransmissions, the Identifier value chosen for each new Request + need only be different from the previous Request, but need not be + unique within the conversation. One way to achieve this is to + start the Identifier at an initial value and increment it for each + new Request. Initializing the first Identifier with a random + number rather than starting from zero is recommended, since it + makes sequence attacks somewhat more difficult. + + Since the Identifier space is unique to each session, + authenticators are not restricted to only 256 simultaneous + authentication conversations. Similarly, with re-authentication, + an EAP conversation might continue over a long period of time, and + is not limited to only 256 roundtrips. + + Implementation Note: The authenticator is responsible for + retransmitting Request messages. If the Request message is obtained + from elsewhere (such as from a backend authentication server), then + the authenticator will need to save a copy of the Request in order to + accomplish this. The peer is responsible for detecting and handling + duplicate Request messages before processing them in any way, + including passing them on to an outside party. The authenticator is + also responsible for discarding Response messages with a non-matching + + + +Aboba, et al. Standards Track [Page 22] + +RFC 3748 EAP June 2004 + + + Identifier value before acting on them in any way, including passing + them on to the backend authentication server for verification. Since + the authenticator can retransmit before receiving a Response from the + peer, the authenticator can receive multiple Responses, each with a + matching Identifier. Until a new Request is received by the + authenticator, the Identifier value is not updated, so that the + authenticator forwards Responses to the backend authentication + server, one at a time. + + Length + + The Length field is two octets and indicates the length of the EAP + packet including the Code, Identifier, Length, Type, and Type-Data + fields. Octets outside the range of the Length field should be + treated as Data Link Layer padding and MUST be ignored upon + reception. A message with the Length field set to a value larger + than the number of received octets MUST be silently discarded. + + Type + + The Type field is one octet. This field indicates the Type of + Request or Response. A single Type MUST be specified for each EAP + Request or Response. An initial specification of Types follows in + Section 5 of this document. + + The Type field of a Response MUST either match that of the + Request, or correspond to a legacy or Expanded Nak (see Section + 5.3) indicating that a Request Type is unacceptable to the peer. + A peer MUST NOT send a Nak (legacy or expanded) in response to a + Request, after an initial non-Nak Response has been sent. An EAP + server receiving a Response not meeting these requirements MUST + silently discard it. + + Type-Data + + The Type-Data field varies with the Type of Request and the + associated Response. + +4.2. Success and Failure + + The Success packet is sent by the authenticator to the peer after + completion of an EAP authentication method (Type 4 or greater) to + indicate that the peer has authenticated successfully to the + authenticator. The authenticator MUST transmit an EAP packet with + the Code field set to 3 (Success). If the authenticator cannot + authenticate the peer (unacceptable Responses to one or more + Requests), then after unsuccessful completion of the EAP method in + progress, the implementation MUST transmit an EAP packet with the + + + +Aboba, et al. Standards Track [Page 23] + +RFC 3748 EAP June 2004 + + + Code field set to 4 (Failure). An authenticator MAY wish to issue + multiple Requests before sending a Failure response in order to allow + for human typing mistakes. Success and Failure packets MUST NOT + contain additional data. + + Success and Failure packets MUST NOT be sent by an EAP authenticator + if the specification of the given method does not explicitly permit + the method to finish at that point. A peer EAP implementation + receiving a Success or Failure packet where sending one is not + explicitly permitted MUST silently discard it. By default, an EAP + peer MUST silently discard a "canned" Success packet (a Success + packet sent immediately upon connection). This ensures that a rogue + authenticator will not be able to bypass mutual authentication by + sending a Success packet prior to conclusion of the EAP method + conversation. + + Implementation Note: Because the Success and Failure packets are not + acknowledged, they are not retransmitted by the authenticator, and + may be potentially lost. A peer MUST allow for this circumstance as + described in this note. See also Section 3.4 for guidance on the + processing of lower layer success and failure indications. + + As described in Section 2.1, only a single EAP authentication method + is allowed within an EAP conversation. EAP methods may implement + result indications. After the authenticator sends a failure result + indication to the peer, regardless of the response from the peer, it + MUST subsequently send a Failure packet. After the authenticator + sends a success result indication to the peer and receives a success + result indication from the peer, it MUST subsequently send a Success + packet. + + On the peer, once the method completes unsuccessfully (that is, + either the authenticator sends a failure result indication, or the + peer decides that it does not want to continue the conversation, + possibly after sending a failure result indication), the peer MUST + terminate the conversation and indicate failure to the lower layer. + The peer MUST silently discard Success packets and MAY silently + discard Failure packets. As a result, loss of a Failure packet need + not result in a timeout. + + On the peer, after success result indications have been exchanged by + both sides, a Failure packet MUST be silently discarded. The peer + MAY, in the event that an EAP Success is not received, conclude that + the EAP Success packet was lost and that authentication concluded + successfully. + + + + + + +Aboba, et al. Standards Track [Page 24] + +RFC 3748 EAP June 2004 + + + If the authenticator has not sent a result indication, and the peer + is willing to continue the conversation, the peer waits for a Success + or Failure packet once the method completes, and MUST NOT silently + discard either of them. In the event that neither a Success nor + Failure packet is received, the peer SHOULD terminate the + conversation to avoid lengthy timeouts in case the lost packet was an + EAP Failure. + + If the peer attempts to authenticate to the authenticator and fails + to do so, the authenticator MUST send a Failure packet and MUST NOT + grant access by sending a Success packet. However, an authenticator + MAY omit having the peer authenticate to it in situations where + limited access is offered (e.g., guest access). In this case, the + authenticator MUST send a Success packet. + + Where the peer authenticates successfully to the authenticator, but + the authenticator does not send a result indication, the + authenticator MAY deny access by sending a Failure packet where the + peer is not currently authorized for network access. + + A summary of the Success and Failure packet format is shown below. + The fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Code + + 3 for Success + 4 for Failure + + Identifier + + The Identifier field is one octet and aids in matching replies to + Responses. The Identifier field MUST match the Identifier field + of the Response packet that it is sent in response to. + + Length + + 4 + + + + + + + + +Aboba, et al. Standards Track [Page 25] + +RFC 3748 EAP June 2004 + + +4.3. Retransmission Behavior + + Because the authentication process will often involve user input, + some care must be taken when deciding upon retransmission strategies + and authentication timeouts. By default, where EAP is run over an + unreliable lower layer, the EAP retransmission timer SHOULD be + dynamically estimated. A maximum of 3-5 retransmissions is + suggested. + + When run over a reliable lower layer (e.g., EAP over ISAKMP/TCP, as + within [PIC]), the authenticator retransmission timer SHOULD be set + to an infinite value, so that retransmissions do not occur at the EAP + layer. The peer may still maintain a timeout value so as to avoid + waiting indefinitely for a Request. + + Where the authentication process requires user input, the measured + round trip times may be determined by user responsiveness rather than + network characteristics, so that dynamic RTO estimation may not be + helpful. Instead, the retransmission timer SHOULD be set so as to + provide sufficient time for the user to respond, with longer timeouts + required in certain cases, such as where Token Cards (see Section + 5.6) are involved. + + In order to provide the EAP authenticator with guidance as to the + appropriate timeout value, a hint can be communicated to the + authenticator by the backend authentication server (such as via the + RADIUS Session-Timeout attribute). + + In order to dynamically estimate the EAP retransmission timer, the + algorithms for the estimation of SRTT, RTTVAR, and RTO described in + [RFC2988] are RECOMMENDED, including use of Karn's algorithm, with + the following potential modifications: + + [a] In order to avoid synchronization behaviors that can occur with + fixed timers among distributed systems, the retransmission timer + is calculated with a jitter by using the RTO value and randomly + adding a value drawn between -RTOmin/2 and RTOmin/2. Alternative + calculations to create jitter MAY be used. These MUST be + pseudo-random. For a discussion of pseudo-random number + generation, see [RFC1750]. + + [b] When EAP is transported over a single link (as opposed to over + the Internet), smaller values of RTOinitial, RTOmin, and RTOmax + MAY be used. Recommended values are RTOinitial=1 second, + RTOmin=200ms, and RTOmax=20 seconds. + + + + + + +Aboba, et al. Standards Track [Page 26] + +RFC 3748 EAP June 2004 + + + [c] When EAP is transported over a single link (as opposed to over + the Internet), estimates MAY be done on a per-authenticator + basis, rather than a per-session basis. This enables the + retransmission estimate to make the most use of information on + link-layer behavior. + + [d] An EAP implementation MAY clear SRTT and RTTVAR after backing off + the timer multiple times, as it is likely that the current SRTT + and RTTVAR are bogus in this situation. Once SRTT and RTTVAR are + cleared, they should be initialized with the next RTT sample + taken as described in [RFC2988] equation 2.2. + +5. Initial EAP Request/Response Types + + This section defines the initial set of EAP Types used in Request/ + Response exchanges. More Types may be defined in future documents. + The Type field is one octet and identifies the structure of an EAP + Request or Response packet. The first 3 Types are considered special + case Types. + + The remaining Types define authentication exchanges. Nak (Type 3) or + Expanded Nak (Type 254) are valid only for Response packets, they + MUST NOT be sent in a Request. + + All EAP implementations MUST support Types 1-4, which are defined in + this document, and SHOULD support Type 254. Implementations MAY + support other Types defined here or in future RFCs. + + 1 Identity + 2 Notification + 3 Nak (Response only) + 4 MD5-Challenge + 5 One Time Password (OTP) + 6 Generic Token Card (GTC) + 254 Expanded Types + 255 Experimental use + + EAP methods MAY support authentication based on shared secrets. If + the shared secret is a passphrase entered by the user, + implementations MAY support entering passphrases with non-ASCII + characters. In this case, the input should be processed using an + appropriate stringprep [RFC3454] profile, and encoded in octets using + UTF-8 encoding [RFC2279]. A preliminary version of a possible + stringprep profile is described in [SASLPREP]. + + + + + + + +Aboba, et al. Standards Track [Page 27] + +RFC 3748 EAP June 2004 + + +5.1. Identity + + Description + + The Identity Type is used to query the identity of the peer. + Generally, the authenticator will issue this as the initial + Request. An optional displayable message MAY be included to + prompt the peer in the case where there is an expectation of + interaction with a user. A Response of Type 1 (Identity) SHOULD + be sent in Response to a Request with a Type of 1 (Identity). + + Some EAP implementations piggy-back various options into the + Identity Request after a NUL-character. By default, an EAP + implementation SHOULD NOT assume that an Identity Request or + Response can be larger than 1020 octets. + + It is RECOMMENDED that the Identity Response be used primarily for + routing purposes and selecting which EAP method to use. EAP + Methods SHOULD include a method-specific mechanism for obtaining + the identity, so that they do not have to rely on the Identity + Response. Identity Requests and Responses are sent in cleartext, + so an attacker may snoop on the identity, or even modify or spoof + identity exchanges. To address these threats, it is preferable + for an EAP method to include an identity exchange that supports + per-packet authentication, integrity and replay protection, and + confidentiality. The Identity Response may not be the appropriate + identity for the method; it may have been truncated or obfuscated + so as to provide privacy, or it may have been decorated for + routing purposes. Where the peer is configured to only accept + authentication methods supporting protected identity exchanges, + the peer MAY provide an abbreviated Identity Response (such as + omitting the peer-name portion of the NAI [RFC2486]). For further + discussion of identity protection, see Section 7.3. + + Implementation Note: The peer MAY obtain the Identity via user input. + It is suggested that the authenticator retry the Identity Request in + the case of an invalid Identity or authentication failure to allow + for potential typos on the part of the user. It is suggested that + the Identity Request be retried a minimum of 3 times before + terminating the authentication. The Notification Request MAY be used + to indicate an invalid authentication attempt prior to transmitting a + new Identity Request (optionally, the failure MAY be indicated within + the message of the new Identity Request itself). + + + + + + + + +Aboba, et al. Standards Track [Page 28] + +RFC 3748 EAP June 2004 + + + Type + + 1 + + Type-Data + + This field MAY contain a displayable message in the Request, + containing UTF-8 encoded ISO 10646 characters [RFC2279]. Where + the Request contains a null, only the portion of the field prior + to the null is displayed. If the Identity is unknown, the + Identity Response field should be zero bytes in length. The + Identity Response field MUST NOT be null terminated. In all + cases, the length of the Type-Data field is derived from the + Length field of the Request/Response packet. + + Security Claims (see Section 7.2): + + Auth. mechanism: None + Ciphersuite negotiation: No + Mutual authentication: No + Integrity protection: No + Replay protection: No + Confidentiality: No + Key derivation: No + Key strength: N/A + Dictionary attack prot.: N/A + Fast reconnect: No + Crypt. binding: N/A + Session independence: N/A + Fragmentation: No + Channel binding: No + +5.2. Notification + + Description + + The Notification Type is optionally used to convey a displayable + message from the authenticator to the peer. An authenticator MAY + send a Notification Request to the peer at any time when there is + no outstanding Request, prior to completion of an EAP + authentication method. The peer MUST respond to a Notification + Request with a Notification Response unless the EAP authentication + method specification prohibits the use of Notification messages. + In any case, a Nak Response MUST NOT be sent in response to a + Notification Request. Note that the default maximum length of a + Notification Request is 1020 octets. By default, this leaves at + most 1015 octets for the human readable message. + + + + +Aboba, et al. Standards Track [Page 29] + +RFC 3748 EAP June 2004 + + + An EAP method MAY indicate within its specification that + Notification messages must not be sent during that method. In + this case, the peer MUST silently discard Notification Requests + from the point where an initial Request for that Type is answered + with a Response of the same Type. + + The peer SHOULD display this message to the user or log it if it + cannot be displayed. The Notification Type is intended to provide + an acknowledged notification of some imperative nature, but it is + not an error indication, and therefore does not change the state + of the peer. Examples include a password with an expiration time + that is about to expire, an OTP sequence integer which is nearing + 0, an authentication failure warning, etc. In most circumstances, + Notification should not be required. + + Type + + 2 + + Type-Data + + The Type-Data field in the Request contains a displayable message + greater than zero octets in length, containing UTF-8 encoded ISO + 10646 characters [RFC2279]. The length of the message is + determined by the Length field of the Request packet. The message + MUST NOT be null terminated. A Response MUST be sent in reply to + the Request with a Type field of 2 (Notification). The Type-Data + field of the Response is zero octets in length. The Response + should be sent immediately (independent of how the message is + displayed or logged). + + Security Claims (see Section 7.2): + + Auth. mechanism: None + Ciphersuite negotiation: No + Mutual authentication: No + Integrity protection: No + Replay protection: No + Confidentiality: No + Key derivation: No + Key strength: N/A + Dictionary attack prot.: N/A + Fast reconnect: No + Crypt. binding: N/A + Session independence: N/A + Fragmentation: No + Channel binding: No + + + + +Aboba, et al. Standards Track [Page 30] + +RFC 3748 EAP June 2004 + + +5.3. Nak + +5.3.1. Legacy Nak + + Description + + The legacy Nak Type is valid only in Response messages. It is + sent in reply to a Request where the desired authentication Type + is unacceptable. Authentication Types are numbered 4 and above. + The Response contains one or more authentication Types desired by + the Peer. Type zero (0) is used to indicate that the sender has + no viable alternatives, and therefore the authenticator SHOULD NOT + send another Request after receiving a Nak Response containing a + zero value. + + Since the legacy Nak Type is valid only in Responses and has very + limited functionality, it MUST NOT be used as a general purpose + error indication, such as for communication of error messages, or + negotiation of parameters specific to a particular EAP method. + + Code + + 2 for Response. + + Identifier + + The Identifier field is one octet and aids in matching Responses + with Requests. The Identifier field of a legacy Nak Response MUST + match the Identifier field of the Request packet that it is sent + in response to. + + Length + + >=6 + + Type + + 3 + + Type-Data + + Where a peer receives a Request for an unacceptable authentication + Type (4-253,255), or a peer lacking support for Expanded Types + receives a Request for Type 254, a Nak Response (Type 3) MUST be + sent. The Type-Data field of the Nak Response (Type 3) MUST + contain one or more octets indicating the desired authentication + Type(s), one octet per Type, or the value zero (0) to indicate no + proposed alternative. A peer supporting Expanded Types that + + + +Aboba, et al. Standards Track [Page 31] + +RFC 3748 EAP June 2004 + + + receives a Request for an unacceptable authentication Type (4-253, + 255) MAY include the value 254 in the Nak Response (Type 3) to + indicate the desire for an Expanded authentication Type. If the + authenticator can accommodate this preference, it will respond + with an Expanded Type Request (Type 254). + + Security Claims (see Section 7.2): + + Auth. mechanism: None + Ciphersuite negotiation: No + Mutual authentication: No + Integrity protection: No + Replay protection: No + Confidentiality: No + Key derivation: No + Key strength: N/A + Dictionary attack prot.: N/A + Fast reconnect: No + Crypt. binding: N/A + Session independence: N/A + Fragmentation: No + Channel binding: No + + +5.3.2. Expanded Nak + + Description + + The Expanded Nak Type is valid only in Response messages. It MUST + be sent only in reply to a Request of Type 254 (Expanded Type) + where the authentication Type is unacceptable. The Expanded Nak + Type uses the Expanded Type format itself, and the Response + contains one or more authentication Types desired by the peer, all + in Expanded Type format. Type zero (0) is used to indicate that + the sender has no viable alternatives. The general format of the + Expanded Type is described in Section 5.7. + + Since the Expanded Nak Type is valid only in Responses and has + very limited functionality, it MUST NOT be used as a general + purpose error indication, such as for communication of error + messages, or negotiation of parameters specific to a particular + EAP method. + + Code + + 2 for Response. + + + + + +Aboba, et al. Standards Track [Page 32] + +RFC 3748 EAP June 2004 + + + Identifier + + The Identifier field is one octet and aids in matching Responses + with Requests. The Identifier field of an Expanded Nak Response + MUST match the Identifier field of the Request packet that it is + sent in response to. + + Length + + >=20 + + Type + + 254 + + Vendor-Id + + 0 (IETF) + + Vendor-Type + + 3 (Nak) + + Vendor-Data + + The Expanded Nak Type is only sent when the Request contains an + Expanded Type (254) as defined in Section 5.7. The Vendor-Data + field of the Nak Response MUST contain one or more authentication + Types (4 or greater), all in expanded format, 8 octets per Type, + or the value zero (0), also in Expanded Type format, to indicate + no proposed alternative. The desired authentication Types may + include a mixture of Vendor-Specific and IETF Types. For example, + an Expanded Nak Response indicating a preference for OTP (Type 5), + and an MIT (Vendor-Id=20) Expanded Type of 6 would appear as + follows: + + + + + + + + + + + + + + + + +Aboba, et al. Standards Track [Page 33] + +RFC 3748 EAP June 2004 + + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 2 | Identifier | Length=28 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type=254 | 0 (IETF) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 3 (Nak) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type=254 | 0 (IETF) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 5 (OTP) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type=254 | 20 (MIT) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 6 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + An Expanded Nak Response indicating a no desired alternative would + appear as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 2 | Identifier | Length=20 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type=254 | 0 (IETF) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 3 (Nak) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type=254 | 0 (IETF) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 0 (No alternative) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Security Claims (see Section 7.2): + + Auth. mechanism: None + Ciphersuite negotiation: No + Mutual authentication: No + Integrity protection: No + Replay protection: No + Confidentiality: No + Key derivation: No + Key strength: N/A + Dictionary attack prot.: N/A + Fast reconnect: No + Crypt. binding: N/A + + + +Aboba, et al. Standards Track [Page 34] + +RFC 3748 EAP June 2004 + + + Session independence: N/A + Fragmentation: No + Channel binding: No + + +5.4. MD5-Challenge + + Description + + The MD5-Challenge Type is analogous to the PPP CHAP protocol + [RFC1994] (with MD5 as the specified algorithm). The Request + contains a "challenge" message to the peer. A Response MUST be + sent in reply to the Request. The Response MAY be either of Type + 4 (MD5-Challenge), Nak (Type 3), or Expanded Nak (Type 254). The + Nak reply indicates the peer's desired authentication Type(s). + EAP peer and EAP server implementations MUST support the MD5- + Challenge mechanism. An authenticator that supports only pass- + through MUST allow communication with a backend authentication + server that is capable of supporting MD5-Challenge, although the + EAP authenticator implementation need not support MD5-Challenge + itself. However, if the EAP authenticator can be configured to + authenticate peers locally (e.g., not operate in pass-through), + then the requirement for support of the MD5-Challenge mechanism + applies. + + Note that the use of the Identifier field in the MD5-Challenge + Type is different from that described in [RFC1994]. EAP allows + for retransmission of MD5-Challenge Request packets, while + [RFC1994] states that both the Identifier and Challenge fields + MUST change each time a Challenge (the CHAP equivalent of the + MD5-Challenge Request packet) is sent. + + Note: [RFC1994] treats the shared secret as an octet string, and + does not specify how it is entered into the system (or if it is + handled by the user at all). EAP MD5-Challenge implementations + MAY support entering passphrases with non-ASCII characters. See + Section 5 for instructions how the input should be processed and + encoded into octets. + + Type + + 4 + + Type-Data + + The contents of the Type-Data field is summarized below. For + reference on the use of these fields, see the PPP Challenge + Handshake Authentication Protocol [RFC1994]. + + + +Aboba, et al. Standards Track [Page 35] + +RFC 3748 EAP June 2004 + + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Value-Size | Value ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Name ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Security Claims (see Section 7.2): + + Auth. mechanism: Password or pre-shared key. + Ciphersuite negotiation: No + Mutual authentication: No + Integrity protection: No + Replay protection: No + Confidentiality: No + Key derivation: No + Key strength: N/A + Dictionary attack prot.: No + Fast reconnect: No + Crypt. binding: N/A + Session independence: N/A + Fragmentation: No + Channel binding: No + +5.5. One-Time Password (OTP) + + Description + + The One-Time Password system is defined in "A One-Time Password + System" [RFC2289] and "OTP Extended Responses" [RFC2243]. The + Request contains an OTP challenge in the format described in + [RFC2289]. A Response MUST be sent in reply to the Request. The + Response MUST be of Type 5 (OTP), Nak (Type 3), or Expanded Nak + (Type 254). The Nak Response indicates the peer's desired + authentication Type(s). The EAP OTP method is intended for use + with the One-Time Password system only, and MUST NOT be used to + provide support for cleartext passwords. + + Type + + 5 + + + + + + + + + +Aboba, et al. Standards Track [Page 36] + +RFC 3748 EAP June 2004 + + + Type-Data + + The Type-Data field contains the OTP "challenge" as a displayable + message in the Request. In the Response, this field is used for + the 6 words from the OTP dictionary [RFC2289]. The messages MUST + NOT be null terminated. The length of the field is derived from + the Length field of the Request/Reply packet. + + Note: [RFC2289] does not specify how the secret pass-phrase is + entered by the user, or how the pass-phrase is converted into + octets. EAP OTP implementations MAY support entering passphrases + with non-ASCII characters. See Section 5 for instructions on how + the input should be processed and encoded into octets. + + Security Claims (see Section 7.2): + + Auth. mechanism: One-Time Password + Ciphersuite negotiation: No + Mutual authentication: No + Integrity protection: No + Replay protection: Yes + Confidentiality: No + Key derivation: No + Key strength: N/A + Dictionary attack prot.: No + Fast reconnect: No + Crypt. binding: N/A + Session independence: N/A + Fragmentation: No + Channel binding: No + + +5.6. Generic Token Card (GTC) + + Description + + The Generic Token Card Type is defined for use with various Token + Card implementations which require user input. The Request + contains a displayable message and the Response contains the Token + Card information necessary for authentication. Typically, this + would be information read by a user from the Token card device and + entered as ASCII text. A Response MUST be sent in reply to the + Request. The Response MUST be of Type 6 (GTC), Nak (Type 3), or + Expanded Nak (Type 254). The Nak Response indicates the peer's + desired authentication Type(s). The EAP GTC method is intended + for use with the Token Cards supporting challenge/response + + + + + +Aboba, et al. Standards Track [Page 37] + +RFC 3748 EAP June 2004 + + + authentication and MUST NOT be used to provide support for + cleartext passwords in the absence of a protected tunnel with + server authentication. + + Type + + 6 + + Type-Data + + The Type-Data field in the Request contains a displayable message + greater than zero octets in length. The length of the message is + determined by the Length field of the Request packet. The message + MUST NOT be null terminated. A Response MUST be sent in reply to + the Request with a Type field of 6 (Generic Token Card). The + Response contains data from the Token Card required for + authentication. The length of the data is determined by the + Length field of the Response packet. + + EAP GTC implementations MAY support entering a response with non- + ASCII characters. See Section 5 for instructions how the input + should be processed and encoded into octets. + + Security Claims (see Section 7.2): + + Auth. mechanism: Hardware token. + Ciphersuite negotiation: No + Mutual authentication: No + Integrity protection: No + Replay protection: No + Confidentiality: No + Key derivation: No + Key strength: N/A + Dictionary attack prot.: No + Fast reconnect: No + Crypt. binding: N/A + Session independence: N/A + Fragmentation: No + Channel binding: No + + +5.7. Expanded Types + + Description + + Since many of the existing uses of EAP are vendor-specific, the + Expanded method Type is available to allow vendors to support + their own Expanded Types not suitable for general usage. + + + +Aboba, et al. Standards Track [Page 38] + +RFC 3748 EAP June 2004 + + + The Expanded Type is also used to expand the global Method Type + space beyond the original 255 values. A Vendor-Id of 0 maps the + original 255 possible Types onto a space of 2^32-1 possible Types. + (Type 0 is only used in a Nak Response to indicate no acceptable + alternative). + + An implementation that supports the Expanded attribute MUST treat + EAP Types that are less than 256 equivalently, whether they appear + as a single octet or as the 32-bit Vendor-Type within an Expanded + Type where Vendor-Id is 0. Peers not equipped to interpret the + Expanded Type MUST send a Nak as described in Section 5.3.1, and + negotiate a more suitable authentication method. + + A summary of the Expanded Type format is shown below. The fields + are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Vendor-Id | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Vendor-Type | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Vendor data... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 254 for Expanded Type + + Vendor-Id + + The Vendor-Id is 3 octets and represents the SMI Network + Management Private Enterprise Code of the Vendor in network byte + order, as allocated by IANA. A Vendor-Id of zero is reserved for + use by the IETF in providing an expanded global EAP Type space. + + Vendor-Type + + The Vendor-Type field is four octets and represents the vendor- + specific method Type. + + If the Vendor-Id is zero, the Vendor-Type field is an extension + and superset of the existing namespace for EAP Types. The first + 256 Types are reserved for compatibility with single-octet EAP + Types that have already been assigned or may be assigned in the + future. Thus, EAP Types from 0 through 255 are semantically + identical, whether they appear as single octet EAP Types or as + + + +Aboba, et al. Standards Track [Page 39] + +RFC 3748 EAP June 2004 + + + Vendor-Types when Vendor-Id is zero. There is one exception to + this rule: Expanded Nak and Legacy Nak packets share the same + Type, but must be treated differently because they have a + different format. + + Vendor-Data + + The Vendor-Data field is defined by the vendor. Where a Vendor-Id + of zero is present, the Vendor-Data field will be used for + transporting the contents of EAP methods of Types defined by the + IETF. + +5.8. Experimental + + Description + + The Experimental Type has no fixed format or content. It is + intended for use when experimenting with new EAP Types. This Type + is intended for experimental and testing purposes. No guarantee + is made for interoperability between peers using this Type, as + outlined in [RFC3692]. + + Type + + 255 + + Type-Data + + Undefined + +6. IANA Considerations + + This section provides guidance to the Internet Assigned Numbers + Authority (IANA) regarding registration of values related to the EAP + protocol, in accordance with BCP 26, [RFC2434]. + + There are two name spaces in EAP that require registration: Packet + Codes and method Types. + + EAP is not intended as a general-purpose protocol, and allocations + SHOULD NOT be made for purposes unrelated to authentication. + + The following terms are used here with the meanings defined in BCP + 26: "name space", "assigned value", "registration". + + The following policies are used here with the meanings defined in BCP + 26: "Private Use", "First Come First Served", "Expert Review", + "Specification Required", "IETF Consensus", "Standards Action". + + + +Aboba, et al. Standards Track [Page 40] + +RFC 3748 EAP June 2004 + + + For registration requests where a Designated Expert should be + consulted, the responsible IESG area director should appoint the + Designated Expert. The intention is that any allocation will be + accompanied by a published RFC. But in order to allow for the + allocation of values prior to the RFC being approved for publication, + the Designated Expert can approve allocations once it seems clear + that an RFC will be published. The Designated expert will post a + request to the EAP WG mailing list (or a successor designated by the + Area Director) for comment and review, including an Internet-Draft. + Before a period of 30 days has passed, the Designated Expert will + either approve or deny the registration request and publish a notice + of the decision to the EAP WG mailing list or its successor, as well + as informing IANA. A denial notice must be justified by an + explanation, and in the cases where it is possible, concrete + suggestions on how the request can be modified so as to become + acceptable should be provided. + +6.1. Packet Codes + + Packet Codes have a range from 1 to 255, of which 1-4 have been + allocated. Because a new Packet Code has considerable impact on + interoperability, a new Packet Code requires Standards Action, and + should be allocated starting at 5. + +6.2. Method Types + + The original EAP method Type space has a range from 1 to 255, and is + the scarcest resource in EAP, and thus must be allocated with care. + Method Types 1-45 have been allocated, with 20 available for re-use. + Method Types 20 and 46-191 may be allocated on the advice of a + Designated Expert, with Specification Required. + + Allocation of blocks of method Types (more than one for a given + purpose) should require IETF Consensus. EAP Type Values 192-253 are + reserved and allocation requires Standards Action. + + Method Type 254 is allocated for the Expanded Type. Where the + Vendor-Id field is non-zero, the Expanded Type is used for functions + specific only to one vendor's implementation of EAP, where no + interoperability is deemed useful. When used with a Vendor-Id of + zero, method Type 254 can also be used to provide for an expanded + IETF method Type space. Method Type values 256-4294967295 may be + allocated after Type values 1-191 have been allocated, on the advice + of a Designated Expert, with Specification Required. + + Method Type 255 is allocated for Experimental use, such as testing of + new EAP methods before a permanent Type is allocated. + + + + +Aboba, et al. Standards Track [Page 41] + +RFC 3748 EAP June 2004 + + +7. Security Considerations + + This section defines a generic threat model as well as the EAP method + security claims mitigating those threats. + + It is expected that the generic threat model and corresponding + security claims will used to define EAP method requirements for use + in specific environments. An example of such a requirements analysis + is provided in [IEEE-802.11i-req]. A security claims section is + required in EAP method specifications, so that EAP methods can be + evaluated against the requirements. + +7.1. Threat Model + + EAP was developed for use with PPP [RFC1661] and was later adapted + for use in wired IEEE 802 networks [IEEE-802] in [IEEE-802.1X]. + Subsequently, EAP has been proposed for use on wireless LAN networks + and over the Internet. In all these situations, it is possible for + an attacker to gain access to links over which EAP packets are + transmitted. For example, attacks on telephone infrastructure are + documented in [DECEPTION]. + + An attacker with access to the link may carry out a number of + attacks, including: + + [1] An attacker may try to discover user identities by snooping + authentication traffic. + + [2] An attacker may try to modify or spoof EAP packets. + + [3] An attacker may launch denial of service attacks by spoofing + lower layer indications or Success/Failure packets, by replaying + EAP packets, or by generating packets with overlapping + Identifiers. + + [4] An attacker may attempt to recover the pass-phrase by mounting + an offline dictionary attack. + + [5] An attacker may attempt to convince the peer to connect to an + untrusted network by mounting a man-in-the-middle attack. + + [6] An attacker may attempt to disrupt the EAP negotiation in order + cause a weak authentication method to be selected. + + [7] An attacker may attempt to recover keys by taking advantage of + weak key derivation techniques used within EAP methods. + + + + + +Aboba, et al. Standards Track [Page 42] + +RFC 3748 EAP June 2004 + + + [8] An attacker may attempt to take advantage of weak ciphersuites + subsequently used after the EAP conversation is complete. + + [9] An attacker may attempt to perform downgrading attacks on lower + layer ciphersuite negotiation in order to ensure that a weaker + ciphersuite is used subsequently to EAP authentication. + + [10] An attacker acting as an authenticator may provide incorrect + information to the EAP peer and/or server via out-of-band + mechanisms (such as via a AAA or lower layer protocol). This + includes impersonating another authenticator, or providing + inconsistent information to the peer and EAP server. + + Depending on the lower layer, these attacks may be carried out + without requiring physical proximity. Where EAP is used over + wireless networks, EAP packets may be forwarded by authenticators + (e.g., pre-authentication) so that the attacker need not be within + the coverage area of an authenticator in order to carry out an attack + on it or its peers. Where EAP is used over the Internet, attacks may + be carried out at an even greater distance. + +7.2. Security Claims + + In order to clearly articulate the security provided by an EAP + method, EAP method specifications MUST include a Security Claims + section, including the following declarations: + + [a] Mechanism. This is a statement of the authentication technology: + certificates, pre-shared keys, passwords, token cards, etc. + + [b] Security claims. This is a statement of the claimed security + properties of the method, using terms defined in Section 7.2.1: + mutual authentication, integrity protection, replay protection, + confidentiality, key derivation, dictionary attack resistance, + fast reconnect, cryptographic binding. The Security Claims + section of an EAP method specification SHOULD provide + justification for the claims that are made. This can be + accomplished by including a proof in an Appendix, or including a + reference to a proof. + + [c] Key strength. If the method derives keys, then the effective key + strength MUST be estimated. This estimate is meant for potential + users of the method to determine if the keys produced are strong + enough for the intended application. + + + + + + + +Aboba, et al. Standards Track [Page 43] + +RFC 3748 EAP June 2004 + + + The effective key strength SHOULD be stated as a number of bits, + defined as follows: If the effective key strength is N bits, the + best currently known methods to recover the key (with non- + negligible probability) require, on average, an effort comparable + to 2^(N-1) operations of a typical block cipher. The statement + SHOULD be accompanied by a short rationale, explaining how this + number was derived. This explanation SHOULD include the + parameters required to achieve the stated key strength based on + current knowledge of the algorithms. + + (Note: Although it is difficult to define what "comparable + effort" and "typical block cipher" exactly mean, reasonable + approximations are sufficient here. Refer to e.g. [SILVERMAN] + for more discussion.) + + The key strength depends on the methods used to derive the keys. + For instance, if keys are derived from a shared secret (such as a + password or a long-term secret), and possibly some public + information such as nonces, the effective key strength is limited + by the strength of the long-term secret (assuming that the + derivation procedure is computationally simple). To take another + example, when using public key algorithms, the strength of the + symmetric key depends on the strength of the public keys used. + + [d] Description of key hierarchy. EAP methods deriving keys MUST + either provide a reference to a key hierarchy specification, or + describe how Master Session Keys (MSKs) and Extended Master + Session Keys (EMSKs) are to be derived. + + [e] Indication of vulnerabilities. In addition to the security + claims that are made, the specification MUST indicate which of + the security claims detailed in Section 7.2.1 are NOT being made. + +7.2.1. Security Claims Terminology for EAP Methods + + These terms are used to describe the security properties of EAP + methods: + + Protected ciphersuite negotiation + This refers to the ability of an EAP method to negotiate the + ciphersuite used to protect the EAP conversation, as well as to + integrity protect the negotiation. It does not refer to the + ability to negotiate the ciphersuite used to protect data. + + + + + + + + +Aboba, et al. Standards Track [Page 44] + +RFC 3748 EAP June 2004 + + + Mutual authentication + This refers to an EAP method in which, within an interlocked + exchange, the authenticator authenticates the peer and the peer + authenticates the authenticator. Two independent one-way methods, + running in opposite directions do not provide mutual + authentication as defined here. + + Integrity protection + This refers to providing data origin authentication and protection + against unauthorized modification of information for EAP packets + (including EAP Requests and Responses). When making this claim, a + method specification MUST describe the EAP packets and fields + within the EAP packet that are protected. + + Replay protection + This refers to protection against replay of an EAP method or its + messages, including success and failure result indications. + + Confidentiality + This refers to encryption of EAP messages, including EAP Requests + and Responses, and success and failure result indications. A + method making this claim MUST support identity protection (see + Section 7.3). + + Key derivation + This refers to the ability of the EAP method to derive exportable + keying material, such as the Master Session Key (MSK), and + Extended Master Session Key (EMSK). The MSK is used only for + further key derivation, not directly for protection of the EAP + conversation or subsequent data. Use of the EMSK is reserved. + + Key strength + If the effective key strength is N bits, the best currently known + methods to recover the key (with non-negligible probability) + require, on average, an effort comparable to 2^(N-1) operations of + a typical block cipher. + + Dictionary attack resistance + Where password authentication is used, passwords are commonly + selected from a small set (as compared to a set of N-bit keys), + which raises a concern about dictionary attacks. A method may be + said to provide protection against dictionary attacks if, when it + uses a password as a secret, the method does not allow an offline + attack that has a work factor based on the number of passwords in + an attacker's dictionary. + + + + + + +Aboba, et al. Standards Track [Page 45] + +RFC 3748 EAP June 2004 + + + Fast reconnect + The ability, in the case where a security association has been + previously established, to create a new or refreshed security + association more efficiently or in a smaller number of round- + trips. + + Cryptographic binding + The demonstration of the EAP peer to the EAP server that a single + entity has acted as the EAP peer for all methods executed within a + tunnel method. Binding MAY also imply that the EAP server + demonstrates to the peer that a single entity has acted as the EAP + server for all methods executed within a tunnel method. If + executed correctly, binding serves to mitigate man-in-the-middle + vulnerabilities. + + Session independence + The demonstration that passive attacks (such as capture of the EAP + conversation) or active attacks (including compromise of the MSK + or EMSK) does not enable compromise of subsequent or prior MSKs or + EMSKs. + + Fragmentation + This refers to whether an EAP method supports fragmentation and + reassembly. As noted in Section 3.1, EAP methods should support + fragmentation and reassembly if EAP packets can exceed the minimum + MTU of 1020 octets. + + Channel binding + The communication within an EAP method of integrity-protected + channel properties such as endpoint identifiers which can be + compared to values communicated via out of band mechanisms (such + as via a AAA or lower layer protocol). + + Note: This list of security claims is not exhaustive. Additional + properties, such as additional denial-of-service protection, may be + relevant as well. + +7.3. Identity Protection + + An Identity exchange is optional within the EAP conversation. + Therefore, it is possible to omit the Identity exchange entirely, or + to use a method-specific identity exchange once a protected channel + has been established. + + However, where roaming is supported as described in [RFC2607], it may + be necessary to locate the appropriate backend authentication server + before the authentication conversation can proceed. The realm + portion of the Network Access Identifier (NAI) [RFC2486] is typically + + + +Aboba, et al. Standards Track [Page 46] + +RFC 3748 EAP June 2004 + + + included within the EAP-Response/Identity in order to enable the + authentication exchange to be routed to the appropriate backend + authentication server. Therefore, while the peer-name portion of the + NAI may be omitted in the EAP-Response/Identity where proxies or + relays are present, the realm portion may be required. + + It is possible for the identity in the identity response to be + different from the identity authenticated by the EAP method. This + may be intentional in the case of identity privacy. An EAP method + SHOULD use the authenticated identity when making access control + decisions. + +7.4. Man-in-the-Middle Attacks + + Where EAP is tunneled within another protocol that omits peer + authentication, there exists a potential vulnerability to a man-in- + the-middle attack. For details, see [BINDING] and [MITM]. + + As noted in Section 2.1, EAP does not permit untunneled sequences of + authentication methods. Were a sequence of EAP authentication + methods to be permitted, the peer might not have proof that a single + entity has acted as the authenticator for all EAP methods within the + sequence. For example, an authenticator might terminate one EAP + method, then forward the next method in the sequence to another party + without the peer's knowledge or consent. Similarly, the + authenticator might not have proof that a single entity has acted as + the peer for all EAP methods within the sequence. + + Tunneling EAP within another protocol enables an attack by a rogue + EAP authenticator tunneling EAP to a legitimate server. Where the + tunneling protocol is used for key establishment but does not require + peer authentication, an attacker convincing a legitimate peer to + connect to it will be able to tunnel EAP packets to a legitimate + server, successfully authenticating and obtaining the key. This + allows the attacker to successfully establish itself as a man-in- + the-middle, gaining access to the network, as well as the ability to + decrypt data traffic between the legitimate peer and server. + + This attack may be mitigated by the following measures: + + [a] Requiring mutual authentication within EAP tunneling mechanisms. + + [b] Requiring cryptographic binding between the EAP tunneling + protocol and the tunneled EAP methods. Where cryptographic + binding is supported, a mechanism is also needed to protect + against downgrade attacks that would bypass it. For further + details on cryptographic binding, see [BINDING]. + + + + +Aboba, et al. Standards Track [Page 47] + +RFC 3748 EAP June 2004 + + + [c] Limiting the EAP methods authorized for use without protection, + based on peer and authenticator policy. + + [d] Avoiding the use of tunnels when a single, strong method is + available. + +7.5. Packet Modification Attacks + + While EAP methods may support per-packet data origin authentication, + integrity, and replay protection, support is not provided within the + EAP layer. + + Since the Identifier is only a single octet, it is easy to guess, + allowing an attacker to successfully inject or replay EAP packets. + An attacker may also modify EAP headers (Code, Identifier, Length, + Type) within EAP packets where the header is unprotected. This could + cause packets to be inappropriately discarded or misinterpreted. + + To protect EAP packets against modification, spoofing, or replay, + methods supporting protected ciphersuite negotiation, mutual + authentication, and key derivation, as well as integrity and replay + protection, are recommended. See Section 7.2.1 for definitions of + these security claims. + + Method-specific MICs may be used to provide protection. If a per- + packet MIC is employed within an EAP method, then peers, + authentication servers, and authenticators not operating in pass- + through mode MUST validate the MIC. MIC validation failures SHOULD + be logged. Whether a MIC validation failure is considered a fatal + error or not is determined by the EAP method specification. + + It is RECOMMENDED that methods providing integrity protection of EAP + packets include coverage of all the EAP header fields, including the + Code, Identifier, Length, Type, and Type-Data fields. + + Since EAP messages of Types Identity, Notification, and Nak do not + include their own MIC, it may be desirable for the EAP method MIC to + cover information contained within these messages, as well as the + header of each EAP message. + + To provide protection, EAP also may be encapsulated within a + protected channel created by protocols such as ISAKMP [RFC2408], as + is done in [IKEv2] or within TLS [RFC2246]. However, as noted in + Section 7.4, EAP tunneling may result in a man-in-the-middle + vulnerability. + + + + + + +Aboba, et al. Standards Track [Page 48] + +RFC 3748 EAP June 2004 + + + Existing EAP methods define message integrity checks (MICs) that + cover more than one EAP packet. For example, EAP-TLS [RFC2716] + defines a MIC over a TLS record that could be split into multiple + fragments; within the FINISHED message, the MIC is computed over + previous messages. Where the MIC covers more than one EAP packet, a + MIC validation failure is typically considered a fatal error. + + Within EAP-TLS [RFC2716], a MIC validation failure is treated as a + fatal error, since that is what is specified in TLS [RFC2246]. + However, it is also possible to develop EAP methods that support + per-packet MICs, and respond to verification failures by silently + discarding the offending packet. + + In this document, descriptions of EAP message handling assume that + per-packet MIC validation, where it occurs, is effectively performed + as though it occurs before sending any responses or changing the + state of the host which received the packet. + +7.6. Dictionary Attacks + + Password authentication algorithms such as EAP-MD5, MS-CHAPv1 + [RFC2433], and Kerberos V [RFC1510] are known to be vulnerable to + dictionary attacks. MS-CHAPv1 vulnerabilities are documented in + [PPTPv1]; MS-CHAPv2 vulnerabilities are documented in [PPTPv2]; + Kerberos vulnerabilities are described in [KRBATTACK], [KRBLIM], and + [KERB4WEAK]. + + In order to protect against dictionary attacks, authentication + methods resistant to dictionary attacks (as defined in Section 7.2.1) + are recommended. + + If an authentication algorithm is used that is known to be vulnerable + to dictionary attacks, then the conversation may be tunneled within a + protected channel in order to provide additional protection. + However, as noted in Section 7.4, EAP tunneling may result in a man- + in-the-middle vulnerability, and therefore dictionary attack + resistant methods are preferred. + +7.7. Connection to an Untrusted Network + + With EAP methods supporting one-way authentication, such as EAP-MD5, + the peer does not authenticate the authenticator, making the peer + vulnerable to attack by a rogue authenticator. Methods supporting + mutual authentication (as defined in Section 7.2.1) address this + vulnerability. + + In EAP there is no requirement that authentication be full duplex or + that the same protocol be used in both directions. It is perfectly + + + +Aboba, et al. Standards Track [Page 49] + +RFC 3748 EAP June 2004 + + + acceptable for different protocols to be used in each direction. + This will, of course, depend on the specific protocols negotiated. + However, in general, completing a single unitary mutual + authentication is preferable to two one-way authentications, one in + each direction. This is because separate authentications that are + not bound cryptographically so as to demonstrate they are part of the + same session are subject to man-in-the-middle attacks, as discussed + in Section 7.4. + +7.8. Negotiation Attacks + + In a negotiation attack, the attacker attempts to convince the peer + and authenticator to negotiate a less secure EAP method. EAP does + not provide protection for Nak Response packets, although it is + possible for a method to include coverage of Nak Responses within a + method-specific MIC. + + Within or associated with each authenticator, it is not anticipated + that a particular named peer will support a choice of methods. This + would make the peer vulnerable to attacks that negotiate the least + secure method from among a set. Instead, for each named peer, there + SHOULD be an indication of exactly one method used to authenticate + that peer name. If a peer needs to make use of different + authentication methods under different circumstances, then distinct + identities SHOULD be employed, each of which identifies exactly one + authentication method. + +7.9. Implementation Idiosyncrasies + + The interaction of EAP with lower layers such as PPP and IEEE 802 are + highly implementation dependent. + + For example, upon failure of authentication, some PPP implementations + do not terminate the link, instead limiting traffic in Network-Layer + Protocols to a filtered subset, which in turn allows the peer the + opportunity to update secrets or send mail to the network + administrator indicating a problem. Similarly, while an + authentication failure will result in denied access to the controlled + port in [IEEE-802.1X], limited traffic may be permitted on the + uncontrolled port. + + In EAP there is no provision for retries of failed authentication. + However, in PPP the LCP state machine can renegotiate the + authentication protocol at any time, thus allowing a new attempt. + Similarly, in IEEE 802.1X the Supplicant or Authenticator can re- + authenticate at any time. It is recommended that any counters used + for authentication failure not be reset until after successful + authentication, or subsequent termination of the failed link. + + + +Aboba, et al. Standards Track [Page 50] + +RFC 3748 EAP June 2004 + + +7.10. Key Derivation + + It is possible for the peer and EAP server to mutually authenticate + and derive keys. In order to provide keying material for use in a + subsequently negotiated ciphersuite, an EAP method supporting key + derivation MUST export a Master Session Key (MSK) of at least 64 + octets, and an Extended Master Session Key (EMSK) of at least 64 + octets. EAP Methods deriving keys MUST provide for mutual + authentication between the EAP peer and the EAP Server. + + The MSK and EMSK MUST NOT be used directly to protect data; however, + they are of sufficient size to enable derivation of a AAA-Key + subsequently used to derive Transient Session Keys (TSKs) for use + with the selected ciphersuite. Each ciphersuite is responsible for + specifying how to derive the TSKs from the AAA-Key. + + The AAA-Key is derived from the keying material exported by the EAP + method (MSK and EMSK). This derivation occurs on the AAA server. In + many existing protocols that use EAP, the AAA-Key and MSK are + equivalent, but more complicated mechanisms are possible (see + [KEYFRAME] for details). + + EAP methods SHOULD ensure the freshness of the MSK and EMSK, even in + cases where one party may not have a high quality random number + generator. A RECOMMENDED method is for each party to provide a nonce + of at least 128 bits, used in the derivation of the MSK and EMSK. + + EAP methods export the MSK and EMSK, but not Transient Session Keys + so as to allow EAP methods to be ciphersuite and media independent. + Keying material exported by EAP methods MUST be independent of the + ciphersuite negotiated to protect data. + + Depending on the lower layer, EAP methods may run before or after + ciphersuite negotiation, so that the selected ciphersuite may not be + known to the EAP method. By providing keying material usable with + any ciphersuite, EAP methods can used with a wide range of + ciphersuites and media. + + In order to preserve algorithm independence, EAP methods deriving + keys SHOULD support (and document) the protected negotiation of the + ciphersuite used to protect the EAP conversation between the peer and + server. This is distinct from the ciphersuite negotiated between the + peer and authenticator, used to protect data. + + The strength of Transient Session Keys (TSKs) used to protect data is + ultimately dependent on the strength of keys generated by the EAP + method. If an EAP method cannot produce keying material of + sufficient strength, then the TSKs may be subject to a brute force + + + +Aboba, et al. Standards Track [Page 51] + +RFC 3748 EAP June 2004 + + + attack. In order to enable deployments requiring strong keys, EAP + methods supporting key derivation SHOULD be capable of generating an + MSK and EMSK, each with an effective key strength of at least 128 + bits. + + Methods supporting key derivation MUST demonstrate cryptographic + separation between the MSK and EMSK branches of the EAP key + hierarchy. Without violating a fundamental cryptographic assumption + (such as the non-invertibility of a one-way function), an attacker + recovering the MSK or EMSK MUST NOT be able to recover the other + quantity with a level of effort less than brute force. + + Non-overlapping substrings of the MSK MUST be cryptographically + separate from each other, as defined in Section 7.2.1. That is, + knowledge of one substring MUST NOT help in recovering some other + substring without breaking some hard cryptographic assumption. This + is required because some existing ciphersuites form TSKs by simply + splitting the AAA-Key to pieces of appropriate length. Likewise, + non-overlapping substrings of the EMSK MUST be cryptographically + separate from each other, and from substrings of the MSK. + + The EMSK is reserved for future use and MUST remain on the EAP peer + and EAP server where it is derived; it MUST NOT be transported to, or + shared with, additional parties, or used to derive any other keys. + (This restriction will be relaxed in a future document that specifies + how the EMSK can be used.) + + Since EAP does not provide for explicit key lifetime negotiation, EAP + peers, authenticators, and authentication servers MUST be prepared + for situations in which one of the parties discards the key state, + which remains valid on another party. + + This specification does not provide detailed guidance on how EAP + methods derive the MSK and EMSK, how the AAA-Key is derived from the + MSK and/or EMSK, or how the TSKs are derived from the AAA-Key. + + The development and validation of key derivation algorithms is + difficult, and as a result, EAP methods SHOULD re-use well + established and analyzed mechanisms for key derivation (such as those + specified in IKE [RFC2409] or TLS [RFC2246]), rather than inventing + new ones. EAP methods SHOULD also utilize well established and + analyzed mechanisms for MSK and EMSK derivation. Further details on + EAP Key Derivation are provided within [KEYFRAME]. + + + + + + + + +Aboba, et al. Standards Track [Page 52] + +RFC 3748 EAP June 2004 + + +7.11. Weak Ciphersuites + + If after the initial EAP authentication, data packets are sent + without per-packet authentication, integrity, and replay protection, + an attacker with access to the media can inject packets, "flip bits" + within existing packets, replay packets, or even hijack the session + completely. Without per-packet confidentiality, it is possible to + snoop data packets. + + To protect against data modification, spoofing, or snooping, it is + recommended that EAP methods supporting mutual authentication and key + derivation (as defined by Section 7.2.1) be used, along with lower + layers providing per-packet confidentiality, authentication, + integrity, and replay protection. + + Additionally, if the lower layer performs ciphersuite negotiation, it + should be understood that EAP does not provide by itself integrity + protection of that negotiation. Therefore, in order to avoid + downgrading attacks which would lead to weaker ciphersuites being + used, clients implementing lower layer ciphersuite negotiation SHOULD + protect against negotiation downgrading. + + This can be done by enabling users to configure which ciphersuites + are acceptable as a matter of security policy, or the ciphersuite + negotiation MAY be authenticated using keying material derived from + the EAP authentication and a MIC algorithm agreed upon in advance by + lower-layer peers. + +7.12. Link Layer + + There are reliability and security issues with link layer indications + in PPP, IEEE 802 LANs, and IEEE 802.11 wireless LANs: + + [a] PPP. In PPP, link layer indications such as LCP-Terminate (a + link failure indication) and NCP (a link success indication) are + not authenticated or integrity protected. They can therefore be + spoofed by an attacker with access to the link. + + [b] IEEE 802. IEEE 802.1X EAPOL-Start and EAPOL-Logoff frames are + not authenticated or integrity protected. They can therefore be + spoofed by an attacker with access to the link. + + [c] IEEE 802.11. In IEEE 802.11, link layer indications include + Disassociate and Deauthenticate frames (link failure + indications), and the first message of the 4-way handshake (link + success indication). These messages are not authenticated or + integrity protected, and although they are not forwardable, they + are spoofable by an attacker within range. + + + +Aboba, et al. Standards Track [Page 53] + +RFC 3748 EAP June 2004 + + + In IEEE 802.11, IEEE 802.1X data frames may be sent as Class 3 + unicast data frames, and are therefore forwardable. This implies + that while EAPOL-Start and EAPOL-Logoff messages may be authenticated + and integrity protected, they can be spoofed by an authenticated + attacker far from the target when "pre-authentication" is enabled. + + In IEEE 802.11, a "link down" indication is an unreliable indication + of link failure, since wireless signal strength can come and go and + may be influenced by radio frequency interference generated by an + attacker. To avoid unnecessary resets, it is advisable to damp these + indications, rather than passing them directly to the EAP. Since EAP + supports retransmission, it is robust against transient connectivity + losses. + +7.13. Separation of Authenticator and Backend Authentication Server + + It is possible for the EAP peer and EAP server to mutually + authenticate and derive a AAA-Key for a ciphersuite used to protect + subsequent data traffic. This does not present an issue on the peer, + since the peer and EAP client reside on the same machine; all that is + required is for the client to derive the AAA-Key from the MSK and + EMSK exported by the EAP method, and to subsequently pass a Transient + Session Key (TSK) to the ciphersuite module. + + However, in the case where the authenticator and authentication + server reside on different machines, there are several implications + for security. + + [a] Authentication will occur between the peer and the authentication + server, not between the peer and the authenticator. This means + that it is not possible for the peer to validate the identity of + the authenticator that it is speaking to, using EAP alone. + + [b] As discussed in [RFC3579], the authenticator is dependent on the + AAA protocol in order to know the outcome of an authentication + conversation, and does not look at the encapsulated EAP packet + (if one is present) to determine the outcome. In practice, this + implies that the AAA protocol spoken between the authenticator + and authentication server MUST support per-packet authentication, + integrity, and replay protection. + + [c] After completion of the EAP conversation, where lower layer + security services such as per-packet confidentiality, + authentication, integrity, and replay protection will be enabled, + a secure association protocol SHOULD be run between the peer and + authenticator in order to provide mutual authentication between + + + + + +Aboba, et al. Standards Track [Page 54] + +RFC 3748 EAP June 2004 + + + the peer and authenticator, guarantee liveness of transient + session keys, provide protected ciphersuite and capabilities + negotiation for subsequent data, and synchronize key usage. + + [d] A AAA-Key derived from the MSK and/or EMSK negotiated between the + peer and authentication server MAY be transmitted to the + authenticator. Therefore, a mechanism needs to be provided to + transmit the AAA-Key from the authentication server to the + authenticator that needs it. The specification of the AAA-key + derivation, transport, and wrapping mechanisms is outside the + scope of this document. Further details on AAA-Key Derivation + are provided within [KEYFRAME]. + +7.14. Cleartext Passwords + + This specification does not define a mechanism for cleartext password + authentication. The omission is intentional. Use of cleartext + passwords would allow the password to be captured by an attacker with + access to a link over which EAP packets are transmitted. + + Since protocols encapsulating EAP, such as RADIUS [RFC3579], may not + provide confidentiality, EAP packets may be subsequently encapsulated + for transport over the Internet where they may be captured by an + attacker. + + As a result, cleartext passwords cannot be securely used within EAP, + except where encapsulated within a protected tunnel with server + authentication. Some of the same risks apply to EAP methods without + dictionary attack resistance, as defined in Section 7.2.1. For + details, see Section 7.6. + +7.15. Channel Binding + + It is possible for a compromised or poorly implemented EAP + authenticator to communicate incorrect information to the EAP peer + and/or server. This may enable an authenticator to impersonate + another authenticator or communicate incorrect information via out- + of-band mechanisms (such as via a AAA or lower layer protocol). + + Where EAP is used in pass-through mode, the EAP peer typically does + not verify the identity of the pass-through authenticator, it only + verifies that the pass-through authenticator is trusted by the EAP + server. This creates a potential security vulnerability. + + Section 4.3.7 of [RFC3579] describes how an EAP pass-through + authenticator acting as a AAA client can be detected if it attempts + to impersonate another authenticator (such by sending incorrect NAS- + Identifier [RFC2865], NAS-IP-Address [RFC2865] or NAS-IPv6-Address + + + +Aboba, et al. Standards Track [Page 55] + +RFC 3748 EAP June 2004 + + + [RFC3162] attributes via the AAA protocol). However, it is possible + for a pass-through authenticator acting as a AAA client to provide + correct information to the AAA server while communicating misleading + information to the EAP peer via a lower layer protocol. + + For example, it is possible for a compromised authenticator to + utilize another authenticator's Called-Station-Id or NAS-Identifier + in communicating with the EAP peer via a lower layer protocol, or for + a pass-through authenticator acting as a AAA client to provide an + incorrect peer Calling-Station-Id [RFC2865][RFC3580] to the AAA + server via the AAA protocol. + + In order to address this vulnerability, EAP methods may support a + protected exchange of channel properties such as endpoint + identifiers, including (but not limited to): Called-Station-Id + [RFC2865][RFC3580], Calling-Station-Id [RFC2865][RFC3580], NAS- + Identifier [RFC2865], NAS-IP-Address [RFC2865], and NAS-IPv6-Address + [RFC3162]. + + Using such a protected exchange, it is possible to match the channel + properties provided by the authenticator via out-of-band mechanisms + against those exchanged within the EAP method. Where discrepancies + are found, these SHOULD be logged; additional actions MAY also be + taken, such as denying access. + +7.16. Protected Result Indications + + Within EAP, Success and Failure packets are neither acknowledged nor + integrity protected. Result indications improve resilience to loss + of Success and Failure packets when EAP is run over lower layers + which do not support retransmission or synchronization of the + authentication state. In media such as IEEE 802.11, which provides + for retransmission, as well as synchronization of authentication + state via the 4-way handshake defined in [IEEE-802.11i], additional + resilience is typically of marginal benefit. + + Depending on the method and circumstances, result indications can be + spoofable by an attacker. A method is said to provide protected + result indications if it supports result indications, as well as the + "integrity protection" and "replay protection" claims. A method + supporting protected result indications MUST indicate which result + indications are protected, and which are not. + + Protected result indications are not required to protect against + rogue authenticators. Within a mutually authenticating method, + requiring that the server authenticate to the peer before the peer + will accept a Success packet prevents an attacker from acting as a + rogue authenticator. + + + +Aboba, et al. Standards Track [Page 56] + +RFC 3748 EAP June 2004 + + + However, it is possible for an attacker to forge a Success packet + after the server has authenticated to the peer, but before the peer + has authenticated to the server. If the peer were to accept the + forged Success packet and attempt to access the network when it had + not yet successfully authenticated to the server, a denial of service + attack could be mounted against the peer. After such an attack, if + the lower layer supports failure indications, the authenticator can + synchronize state with the peer by providing a lower layer failure + indication. See Section 7.12 for details. + + If a server were to authenticate the peer and send a Success packet + prior to determining whether the peer has authenticated the + authenticator, an idle timeout can occur if the authenticator is not + authenticated by the peer. Where supported by the lower layer, an + authenticator sensing the absence of the peer can free resources. + + In a method supporting result indications, a peer that has + authenticated the server does not consider the authentication + successful until it receives an indication that the server + successfully authenticated it. Similarly, a server that has + successfully authenticated the peer does not consider the + authentication successful until it receives an indication that the + peer has authenticated the server. + + In order to avoid synchronization problems, prior to sending a + success result indication, it is desirable for the sender to verify + that sufficient authorization exists for granting access, though, as + discussed below, this is not always possible. + + While result indications may enable synchronization of the + authentication result between the peer and server, this does not + guarantee that the peer and authenticator will be synchronized in + terms of their authorization or that timeouts will not occur. For + example, the EAP server may not be aware of an authorization decision + made by a AAA proxy; the AAA server may check authorization only + after authentication has completed successfully, to discover that + authorization cannot be granted, or the AAA server may grant access + but the authenticator may be unable to provide it due to a temporary + lack of resources. In these situations, synchronization may only be + achieved via lower layer result indications. + + Success indications may be explicit or implicit. For example, where + a method supports error messages, an implicit success indication may + be defined as the reception of a specific message without a preceding + error message. Failures are typically indicated explicitly. As + described in Section 4.2, a peer silently discards a Failure packet + received at a point where the method does not explicitly permit this + + + + +Aboba, et al. Standards Track [Page 57] + +RFC 3748 EAP June 2004 + + + to be sent. For example, a method providing its own error messages + might require the peer to receive an error message prior to accepting + a Failure packet. + + Per-packet authentication, integrity, and replay protection of result + indications protects against spoofing. Since protected result + indications require use of a key for per-packet authentication and + integrity protection, methods supporting protected result indications + MUST also support the "key derivation", "mutual authentication", + "integrity protection", and "replay protection" claims. + + Protected result indications address some denial-of-service + vulnerabilities due to spoofing of Success and Failure packets, + though not all. EAP methods can typically provide protected result + indications only in some circumstances. For example, errors can + occur prior to key derivation, and so it may not be possible to + protect all failure indications. It is also possible that result + indications may not be supported in both directions or that + synchronization may not be achieved in all modes of operation. + + For example, within EAP-TLS [RFC2716], in the client authentication + handshake, the server authenticates the peer, but does not receive a + protected indication of whether the peer has authenticated it. In + contrast, the peer authenticates the server and is aware of whether + the server has authenticated it. In the session resumption + handshake, the peer authenticates the server, but does not receive a + protected indication of whether the server has authenticated it. In + this mode, the server authenticates the peer and is aware of whether + the peer has authenticated it. + +8. Acknowledgements + + This protocol derives much of its inspiration from Dave Carrel's AHA + document, as well as the PPP CHAP protocol [RFC1994]. Valuable + feedback was provided by Yoshihiro Ohba of Toshiba America Research, + Jari Arkko of Ericsson, Sachin Seth of Microsoft, Glen Zorn of Cisco + Systems, Jesse Walker of Intel, Bill Arbaugh, Nick Petroni and Bryan + Payne of the University of Maryland, Steve Bellovin of AT&T Research, + Paul Funk of Funk Software, Pasi Eronen of Nokia, Joseph Salowey of + Cisco, Paul Congdon of HP, and members of the EAP working group. + + The use of Security Claims sections for EAP methods, as required by + Section 7.2 and specified for each EAP method described in this + document, was inspired by Glen Zorn through [EAP-EVAL]. + + + + + + + +Aboba, et al. Standards Track [Page 58] + +RFC 3748 EAP June 2004 + + +9. References + +9.1. Normative References + + [RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", + STD 51, RFC 1661, July 1994. + + [RFC1994] Simpson, W., "PPP Challenge Handshake + Authentication Protocol (CHAP)", RFC 1994, August + 1996. + + [RFC2119] Bradner, S., "Key words for use in RFCs to + Indicate Requirement Levels", BCP 14, RFC 2119, + March 1997. + + [RFC2243] Metz, C., "OTP Extended Responses", RFC 2243, + November 1997. + + [RFC2279] Yergeau, F., "UTF-8, a transformation format of + ISO 10646", RFC 2279, January 1998. + + [RFC2289] Haller, N., Metz, C., Nesser, P. and M. Straw, "A + One-Time Password System", RFC 2289, February + 1998. + + [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for + Writing an IANA Considerations Section in RFCs", + BCP 26, RFC 2434, October 1998. + + [RFC2988] Paxson, V. and M. Allman, "Computing TCP's + Retransmission Timer", RFC 2988, November 2000. + + [IEEE-802] Institute of Electrical and Electronics Engineers, + "Local and Metropolitan Area Networks: Overview + and Architecture", IEEE Standard 802, 1990. + + [IEEE-802.1X] Institute of Electrical and Electronics Engineers, + "Local and Metropolitan Area Networks: Port-Based + Network Access Control", IEEE Standard 802.1X, + September 2001. + + + + + + + + + + + +Aboba, et al. Standards Track [Page 59] + +RFC 3748 EAP June 2004 + + +9.2. Informative References + + [RFC793] Postel, J., "Transmission Control Protocol", STD + 7, RFC 793, September 1981. + + [RFC1510] Kohl, J. and B. Neuman, "The Kerberos Network + Authentication Service (V5)", RFC 1510, September + 1993. + + [RFC1750] Eastlake, D., Crocker, S. and J. Schiller, + "Randomness Recommendations for Security", RFC + 1750, December 1994. + + [RFC2246] Dierks, T., Allen, C., Treese, W., Karlton, P., + Freier, A. and P. Kocher, "The TLS Protocol + Version 1.0", RFC 2246, January 1999. + + [RFC2284] Blunk, L. and J. Vollbrecht, "PPP Extensible + Authentication Protocol (EAP)", RFC 2284, March + 1998. + + [RFC2486] Aboba, B. and M. Beadles, "The Network Access + Identifier", RFC 2486, January 1999. + + [RFC2408] Maughan, D., Schneider, M. and M. Schertler, + "Internet Security Association and Key Management + Protocol (ISAKMP)", RFC 2408, November 1998. + + [RFC2409] Harkins, D. and D. Carrel, "The Internet Key + Exchange (IKE)", RFC 2409, November 1998. + + [RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP + Extensions", RFC 2433, October 1998. + + [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and + Policy Implementation in Roaming", RFC 2607, June + 1999. + + [RFC2661] Townsley, W., Valencia, A., Rubens, A., Pall, G., + Zorn, G. and B. Palter, "Layer Two Tunneling + Protocol "L2TP"", RFC 2661, August 1999. + + [RFC2716] Aboba, B. and D. Simon, "PPP EAP TLS + Authentication Protocol", RFC 2716, October 1999. + + [RFC2865] Rigney, C., Willens, S., Rubens, A. and W. + Simpson, "Remote Authentication Dial In User + Service (RADIUS)", RFC 2865, June 2000. + + + +Aboba, et al. Standards Track [Page 60] + +RFC 3748 EAP June 2004 + + + [RFC2960] Stewart, R., Xie, Q., Morneault, K., Sharp, C., + Schwarzbauer, H., Taylor, T., Rytina, I., Kalla, + M., Zhang, L. and V. Paxson, "Stream Control + Transmission Protocol", RFC 2960, October 2000. + + [RFC3162] Aboba, B., Zorn, G. and D. Mitton, "RADIUS and + IPv6", RFC 3162, August 2001. + + [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of + Internationalized Strings ("stringprep")", RFC + 3454, December 2002. + + [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote + Authentication Dial In User Service) Support For + Extensible Authentication Protocol (EAP)", RFC + 3579, September 2003. + + [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G. and J. + Roese, "IEEE 802.1X Remote Authentication Dial In + User Service (RADIUS) Usage Guidelines", RFC 3580, + September 2003. + + [RFC3692] Narten, T., "Assigning Experimental and Testing + Numbers Considered Useful", BCP 82, RFC 3692, + January 2004. + + [DECEPTION] Slatalla, M. and J. Quittner, "Masters of + Deception", Harper-Collins, New York, 1995. + + [KRBATTACK] Wu, T., "A Real-World Analysis of Kerberos + Password Security", Proceedings of the 1999 ISOC + Network and Distributed System Security Symposium, + http://www.isoc.org/isoc/conferences/ndss/99/ + proceedings/papers/wu.pdf. + + [KRBLIM] Bellovin, S. and M. Merrit, "Limitations of the + Kerberos authentication system", Proceedings of + the 1991 Winter USENIX Conference, pp. 253-267, + 1991. + + [KERB4WEAK] Dole, B., Lodin, S. and E. Spafford, "Misplaced + trust: Kerberos 4 session keys", Proceedings of + the Internet Society Network and Distributed + System Security Symposium, pp. 60-70, March 1997. + + + + + + + +Aboba, et al. Standards Track [Page 61] + +RFC 3748 EAP June 2004 + + + [PIC] Aboba, B., Krawczyk, H. and Y. Sheffer, "PIC, A + Pre-IKE Credential Provisioning Protocol", Work in + Progress, October 2002. + + [IKEv2] Kaufman, C., "Internet Key Exchange (IKEv2) + Protocol", Work in Progress, January 2004. + + [PPTPv1] Schneier, B. and Mudge, "Cryptanalysis of + Microsoft's Point-to- Point Tunneling Protocol", + Proceedings of the 5th ACM Conference on + Communications and Computer Security, ACM Press, + November 1998. + + [IEEE-802.11] Institute of Electrical and Electronics Engineers, + "Wireless LAN Medium Access Control (MAC) and + Physical Layer (PHY) Specifications", IEEE + Standard 802.11, 1999. + + [SILVERMAN] Silverman, Robert D., "A Cost-Based Security + Analysis of Symmetric and Asymmetric Key Lengths", + RSA Laboratories Bulletin 13, April 2000 (Revised + November 2001), + http://www.rsasecurity.com/rsalabs/bulletins/ + bulletin13.html. + + [KEYFRAME] Aboba, B., "EAP Key Management Framework", Work in + Progress, October 2003. + + [SASLPREP] Zeilenga, K., "SASLprep: Stringprep profile for + user names and passwords", Work in Progress, March + 2004. + + [IEEE-802.11i] Institute of Electrical and Electronics Engineers, + "Unapproved Draft Supplement to Standard for + Telecommunications and Information Exchange + Between Systems - LAN/MAN Specific Requirements - + Part 11: Wireless LAN Medium Access Control (MAC) + and Physical Layer (PHY) Specifications: + Specification for Enhanced Security", IEEE Draft + 802.11i (work in progress), 2003. + + [DIAM-EAP] Eronen, P., Hiller, T. and G. Zorn, "Diameter + Extensible Authentication Protocol (EAP) + Application", Work in Progress, February 2004. + + [EAP-EVAL] Zorn, G., "Specifying Security Claims for EAP + Authentication Types", Work in Progress, October + 2002. + + + +Aboba, et al. Standards Track [Page 62] + +RFC 3748 EAP June 2004 + + + [BINDING] Puthenkulam, J., "The Compound Authentication + Binding Problem", Work in Progress, October 2003. + + [MITM] Asokan, N., Niemi, V. and K. Nyberg, "Man-in-the- + Middle in Tunneled Authentication Protocols", IACR + ePrint Archive Report 2002/163, October 2002, + . + + [IEEE-802.11i-req] Stanley, D., "EAP Method Requirements for Wireless + LANs", Work in Progress, February 2004. + + [PPTPv2] Schneier, B. and Mudge, "Cryptanalysis of + Microsoft's PPTP Authentication Extensions (MS- + CHAPv2)", CQRE 99, Springer-Verlag, 1999, pp. + 192-203. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Aboba, et al. Standards Track [Page 63] + +RFC 3748 EAP June 2004 + + +Appendix A. Changes from RFC 2284 + + This section lists the major changes between [RFC2284] and this + document. Minor changes, including style, grammar, spelling, and + editorial changes are not mentioned here. + + o The Terminology section (Section 1.2) has been expanded, defining + more concepts and giving more exact definitions. + + o The concepts of Mutual Authentication, Key Derivation, and Result + Indications are introduced and discussed throughout the document + where appropriate. + + o In Section 2, it is explicitly specified that more than one + exchange of Request and Response packets may occur as part of the + EAP authentication exchange. How this may be used and how it may + not be used is specified in detail in Section 2.1. + + o Also in Section 2, some requirements have been made explicit for + the authenticator when acting in pass-through mode. + + o An EAP multiplexing model (Section 2.2) has been added to + illustrate a typical implementation of EAP. There is no + requirement that an implementation conform to this model, as long + as the on-the-wire behavior is consistent with it. + + o As EAP is now in use with a variety of lower layers, not just PPP + for which it was first designed, Section 3 on lower layer behavior + has been added. + + o In the description of the EAP Request and Response interaction + (Section 4.1), both the behavior on receiving duplicate requests, + and when packets should be silently discarded has been more + exactly specified. The implementation notes in this section have + been substantially expanded. + + o In Section 4.2, it has been clarified that Success and Failure + packets must not contain additional data, and the implementation + note has been expanded. A subsection giving requirements on + processing of success and failure packets has been added. + + o Section 5 on EAP Request/Response Types lists two new Type values: + the Expanded Type (Section 5.7), which is used to expand the Type + value number space, and the Experimental Type. In the Expanded + Type number space, the new Expanded Nak (Section 5.3.2) Type has + been added. Clarifications have been made in the description of + most of the existing Types. Security claims summaries have been + added for authentication methods. + + + +Aboba, et al. Standards Track [Page 64] + +RFC 3748 EAP June 2004 + + + o In Sections 5, 5.1, and 5.2, a requirement has been added such + that fields with displayable messages should contain UTF-8 encoded + ISO 10646 characters. + + o It is now required in Section 5.1 that if the Type-Data field of + an Identity Request contains a NUL-character, only the part before + the null is displayed. RFC 2284 prohibits the null termination of + the Type-Data field of Identity messages. This rule has been + relaxed for Identity Request messages and the Identity Request + Type-Data field may now be null terminated. + + o In Section 5.5, support for OTP Extended Responses [RFC2243] has + been added to EAP OTP. + + o An IANA Considerations section (Section 6) has been added, giving + registration policies for the numbering spaces defined for EAP. + + o The Security Considerations (Section 7) have been greatly + expanded, giving a much more comprehensive coverage of possible + threats and other security considerations. + + o In Section 7.5, text has been added on method-specific behavior, + providing guidance on how EAP method-specific integrity checks + should be processed. Where possible, it is desirable for a + method-specific MIC to be computed over the entire EAP packet, + including the EAP layer header (Code, Identifier, Length) and EAP + method layer header (Type, Type-Data). + + o In Section 7.14 the security risks involved in use of cleartext + passwords with EAP are described. + + o In Section 7.15 text has been added relating to detection of rogue + NAS behavior. + + + + + + + + + + + + + + + + + + +Aboba, et al. Standards Track [Page 65] + +RFC 3748 EAP June 2004 + + +Authors' Addresses + + Bernard Aboba + Microsoft Corporation + One Microsoft Way + Redmond, WA 98052 + USA + + Phone: +1 425 706 6605 + Fax: +1 425 936 6605 + EMail: bernarda@microsoft.com + + Larry J. Blunk + Merit Network, Inc + 4251 Plymouth Rd., Suite 2000 + Ann Arbor, MI 48105-2785 + USA + + Phone: +1 734-647-9563 + Fax: +1 734-647-3185 + EMail: ljb@merit.edu + + John R. Vollbrecht + Vollbrecht Consulting LLC + 9682 Alice Hill Drive + Dexter, MI 48130 + USA + + EMail: jrv@umich.edu + + James Carlson + Sun Microsystems, Inc + 1 Network Drive + Burlington, MA 01803-2757 + USA + + Phone: +1 781 442 2084 + Fax: +1 781 442 1677 + EMail: james.d.carlson@sun.com + + Henrik Levkowetz + ipUnplugged AB + Arenavagen 33 + Stockholm S-121 28 + SWEDEN + + Phone: +46 708 32 16 08 + EMail: henrik@levkowetz.com + + + +Aboba, et al. Standards Track [Page 66] + +RFC 3748 EAP June 2004 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2004). This document is subject + to the rights, licenses and restrictions contained in BCP 78, and + except as set forth therein, the authors retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at ietf- + ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + +Aboba, et al. Standards Track [Page 67] + -- cgit v1.2.3