Internet Engineering Task Force (IETF) G. Zorn
Request for Comments: 5904 Network Zen
Category: Informational June 2010
ISSN: 2070-1721
RADIUS Attributes for IEEE 802.16
Privacy Key Management Version 1 (PKMv1) Protocol Support
Abstract
This document defines a set of Remote Authentication Dial-In User
Service (RADIUS) Attributes that are designed to provide RADIUS
support for IEEE 802.16 Privacy Key Management Version 1.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc5904.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Zorn Informational [Page 1]
^L
RFC 5904 RADIUS Attributes for PKMv1 June 2010
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents
1. Introduction
2. Acronyms
3. Attributes
   3.1. PKM-SS-Cert
   3.2. PKM-CA-Cert
   3.3. PKM-Config-Settings
   3.4. PKM-Cryptosuite-List
   3.5. PKM-SAID
   3.6. PKM-SA-Descriptor
   3.7. PKM-AUTH-Key
        3.7.1. AUTH-Key Protection
4. Table of Attributes
5. Diameter Considerations
6. Security Considerations
7. IANA Considerations
8. Contributors
9. Acknowledgements
10. References
   10.1. Normative References
   10.2. Informative References
1. Introduction
Privacy Key Management Version 1 (PKMv1) [IEEE.802.16-2004] is a
public-key-based authentication and key establishment protocol
typically used in fixed wireless broadband network deployments. The
protocol utilizes X.509 v3 certificates [RFC2459], RSA encryption
[RFC2437], and a variety of secret key cryptographic methods to allow
an 802.16 Base Station (BS) to authenticate a Subscriber Station (SS)
and perform key establishment and maintenance between an SS and BS.
This document defines a set of RADIUS Attributes that are designed to
provide support for PKMv1. The target audience for this document
consists of those developers implementing RADIUS support for PKMv1;
therefore, familiarity with both RADIUS [RFC2865] and the IEEE
802.16-2004 standard is assumed.
Please note that this document relies on IEEE.802.16-2004, which
references RFC 2437 and RFC 2459, rather than any more recent RFCs on
RSA and X.509 certificates (e.g., RFC 3447 and RFC 5280).
2. Acronyms
CA
Certification Authority; a trusted party issuing and signing X.509
certificates.
For further information on the following terms, please see Section 7
of [IEEE.802.16-2004].
SA
Security Association
SAID
Security Association Identifier
TEK
Traffic Encryption Key
3. Attributes
The following subsections describe the Attributes defined by this
document. This specification concerns the following values:
137 PKM-SS-Cert
138 PKM-CA-Cert
139 PKM-Config-Settings
140 PKM-Cryptosuite-List
141 PKM-SAID
142 PKM-SA-Descriptor
143 PKM-Auth-Key
3.1. PKM-SS-Cert
Description
The PKM-SS-Cert Attribute is variable length and MAY be
transmitted in the Access-Request message. The Value field is of
type string and contains the X.509 certificate [RFC2459] binding a
public key to the identifier of the Subscriber Station.
The minimum size of an SS certificate exceeds the maximum size of
a RADIUS attribute. Therefore, the client MUST encapsulate the
certificate in the Value fields of two or more instances of the
PKM-SS-Cert Attribute, each (except possibly the last) having a
length of 255 octets. These multiple PKM-SS-Cert Attributes MUST
appear consecutively and in order within the packet. Upon
receipt, the RADIUS server MUST recover the original certificate
by concatenating the Value fields of the received PKM-SS-Cert
Attributes in order.
A summary of the PKM-SS-Cert Attribute format is shown below. The
fields are transmitted from left to right.
                     1                   2
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |      Len      |    Value...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
137 for PKM-SS-Cert
Len
> 2
Value
The Value field is variable length and contains a (possibly
complete) portion of an X.509 certificate.
3.2. PKM-CA-Cert
Description
The PKM-CA-Cert Attribute is variable length and MAY be
transmitted in the Access-Request message. The Value field is of
type string and contains the X.509 certificate [RFC2459] used by
the CA to sign the SS certificate carried in the PKM-SS-Cert
attribute (Section 3.1) in the same message.
The minimum size of a CA certificate exceeds the maximum size of a
RADIUS attribute. Therefore, the client MUST encapsulate the
certificate in the Value fields of two or more instances of the
PKM-CA-Cert Attribute, each (except possibly the last) having a
length of 255 octets. These multiple PKM-CA-Cert Attributes MUST
appear consecutively and in order within the packet. Upon
receipt, the RADIUS server MUST recover the original certificate
by concatenating the Value fields of the received PKM-CA-Cert
Attributes in order.
A summary of the PKM-CA-Cert Attribute format is shown below. The
fields are transmitted from left to right.
                     1                   2
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |      Len      |    Value...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
138 for PKM-CA-Cert
Len
> 2
Value
The Value field is variable length and contains a (possibly
complete) portion of an X.509 certificate.
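The fragmentation rule of Sections 3.1 and 3.2 (255-octet attributes, consecutive and in order, concatenated on receipt), as an added example that is not part of this RFC. The function names, the DER-header sanity check and the 604-octet stand-in certificate are my own; the stand-in is not a real certificate.

```python
import struct
from typing import List, Optional, Tuple

PKM_SS_CERT = 137
PKM_CA_CERT = 138
MAX_ATTR_LEN = 255                  # the RADIUS Len octet counts Type + Len + Value
MAX_VALUE_LEN = MAX_ATTR_LEN - 2    # so a full fragment carries 253 certificate octets


def fragment_certificate(attr_type: int, der_cert: bytes) -> List[bytes]:
    """Client side: split a DER certificate into consecutive attributes of
    type 137 or 138, each 255 octets long except possibly the last."""
    if attr_type not in (PKM_SS_CERT, PKM_CA_CERT):
        raise ValueError("not a PKM certificate attribute type")
    if not der_cert:
        raise ValueError("empty certificate")
    attrs = []
    for off in range(0, len(der_cert), MAX_VALUE_LEN):
        chunk = der_cert[off:off + MAX_VALUE_LEN]
        attrs.append(bytes((attr_type, len(chunk) + 2)) + chunk)
    return attrs


def reassemble_certificate(attr_type: int,
                           attributes: List[Tuple[int, bytes]]) -> Optional[bytes]:
    """Server side: concatenate, in packet order, the Value fields of the run
    of attr_type attributes in `attributes` (the packet's (type, value) list).
    A run interrupted by another attribute, or a short fragment anywhere but
    at the end, is treated as malformed rather than silently joined."""
    pieces: List[bytes] = []
    run_closed = False
    for atype, value in attributes:
        if atype != attr_type:
            if pieces:
                run_closed = True
            continue
        if run_closed:
            raise ValueError("certificate fragments are not consecutive")
        if pieces and len(pieces[-1]) != MAX_VALUE_LEN:
            raise ValueError("only the last fragment may be shorter than 255 octets")
        pieces.append(value)
    return b"".join(pieces) if pieces else None


def der_length_consistent(blob: bytes) -> bool:
    """Cheap check before the X.509 parser sees the blob: the outer DER
    SEQUENCE header must account for exactly the octets received, which
    catches a lost, duplicated or truncated fragment."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                          # short-form length
        return len(blob) == 2 + first
    n = first & 0x7F                          # long form: n length octets follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return False
    return len(blob) == 2 + n + int.from_bytes(blob[2:2 + n], "big")


# Constructed stand-in for a DER certificate (not a real certificate): a
# 600-octet SEQUENCE body behind a long-form length header, 604 octets total.
SAMPLE_CERT = b"\x30\x82" + struct.pack("!H", 600) + bytes(600)

if __name__ == "__main__":
    frags = fragment_certificate(PKM_SS_CERT, SAMPLE_CERT)
    print([len(f) for f in frags])                           # [255, 255, 100]
    packet_attrs = [(1, b"ss-0042")] + [(f[0], f[2:]) for f in frags]
    cert = reassemble_certificate(PKM_SS_CERT, packet_attrs)
    print(cert == SAMPLE_CERT, der_length_consistent(cert))  # True True
```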
3.3. PKM-Config-Settings
Description
The PKM-Config-Settings Attribute is of type string [RFC2865]. It
is 30 octets in length and consists of seven independent fields,
each of which is conceptually an unsigned integer. Each of the
fields contains a timeout value and corresponds to a Type-Length-
Value (TLV) tuple encapsulated in the IEEE 802.16 "PKM
configuration settings" attribute; for details on the contents of
each field, see Section 11.9.19 of [IEEE.802.16-2004]. One
instance of the PKM-Config-Settings Attribute MAY be included in
the Access-Accept message.
A summary of the PKM-Config-Settings Attribute format is shown below.
The fields are transmitted from left to right.
                     1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |      Len      |        Auth Wait Timeout
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Auth Wait Timeout (cont.)    |       Reauth Wait Timeout
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  Reauth Wait Timeout (cont.)   |        Auth Grace Time
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    Auth Grace Time (cont.)     |        Op Wait Timeout
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    Op Wait Timeout (cont.)     |       Rekey Wait Timeout
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Rekey Wait Timeout (cont.)   |        TEK Grace Time
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     TEK Grace Time (cont.)     |     Auth Rej Wait Timeout
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Auth Rej Wait Timeout (cont.)  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
139 for PKM-Config-Settings
Len
30
Auth Wait Timeout
The Auth Wait Timeout field is 4 octets in length and corresponds
to the "Authorize wait timeout" field of the 802.16 "PKM
configuration settings" attribute.
Reauth Wait Timeout
The Reauth Wait Timeout field is 4 octets in length and
corresponds to the "Reauthorize wait timeout" field of the 802.16
"PKM configuration settings" attribute.
Auth Grace Time
The Auth Grace Time field is 4 octets in length and corresponds to
the "Authorize grace time" field of the 802.16 "PKM configuration
settings" attribute.
Op Wait Timeout
The Op Wait Timeout field is 4 octets in length and corresponds to
the "Operational wait timeout" field of the 802.16 "PKM
configuration settings" attribute.
Rekey Wait Timeout
The Rekey Wait Timeout field is 4 octets in length and corresponds
to the "Rekey wait timeout" field of the 802.16 "PKM configuration
settings" attribute.
TEK Grace Time
The TEK Grace Time field is 4 octets in length and corresponds to
the "TEK grace time" field of the 802.16 "PKM configuration
settings" attribute.
Auth Rej Wait Timeout
The Auth Rej Wait Timeout field is 4 octets in length and
corresponds to the "Authorize reject wait timeout" field of the
802.16 "PKM configuration settings" attribute.
3.4. PKM-Cryptosuite-List
Description
The PKM-Cryptosuite-List Attribute is of type string [RFC2865] and
is variable length; it corresponds roughly to the "Cryptographic-
Suite-List" 802.16 attribute (see Section 11.19.15 of
[IEEE.802.16-2004]), the difference being that the RADIUS
Attribute contains only the list of 3-octet cryptographic suite
identifiers, omitting the IEEE Type and Length fields.
The PKM-Cryptosuite-List Attribute MAY be present in an Access-
Request message. Any message in which the PKM-Cryptosuite-List
Attribute is present MUST also contain an instance of the Message-
Authenticator Attribute [RFC3579].
Implementation Note
The PKM-Cryptosuite-List Attribute is used as a building block
to create the 802.16 "Security-Capabilities" attribute
([IEEE.802.16-2004], Section 11.9.13); since this document only
pertains to PKM version 1, the "Version" sub-attribute in that
structure MUST be set to 0x01 when the RADIUS client constructs
it.
A summary of the PKM-Cryptosuite-List Attribute format is shown
below. The fields are transmitted from left to right.
                     1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |      Len      |    Value...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
140 for PKM-Cryptosuite-List
Len
2 + 3n < 39, where 'n' is the number of cryptosuite identifiers in
the list.
Value
The Value field is variable length and contains a sequence of one
or more cryptosuite identifiers, each of which is 3 octets in
length and corresponds to the Value field of an IEEE 802.16
Cryptographic-Suite attribute.
3.5. PKM-SAID
Description
The PKM-SAID Attribute is of type string [RFC2865]. It is 4
octets in length and contains a PKM Security Association
Identifier ([IEEE.802.16-2004], Section 11.9.7). It MAY be
included in an Access-Request message.
A summary of the PKM-SAID Attribute format is shown below. The
fields are transmitted from left to right.
                     1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |      Len      |             SAID              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
141 for PKM-SAID
Len
4
SAID
The SAID field is two octets in length and corresponds to the
Value field of the 802.16 PKM SAID attribute.
3.6. PKM-SA-Descriptor
Description
The PKM-SA-Descriptor Attribute is of type string and is 8 octets
in length. It contains three fields, described below, which
together specify the characteristics of a PKM security
association. One or more instances of the PKM-SA-Descriptor
Attribute MAY occur in an Access-Accept message.
A summary of the PKM-SA-Descriptor Attribute format is shown below.
The fields are transmitted from left to right.
                     1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |      Len      |             SAID              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    SA Type    |                  Cryptosuite                  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
142 for PKM-SA-Descriptor
Len
8
SAID
The SAID field is two octets in length and contains a PKM SAID
(Section 3.5).
SA Type
The SA Type field is one octet in length. The contents correspond
to those of the Value field of an IEEE 802.16 SA-Type attribute.
Cryptosuite
The Cryptosuite field is 3 octets in length. The contents
correspond to those of the Value field of an IEEE 802.16
Cryptographic-Suite attribute.
3.7. PKM-AUTH-Key
Description
The PKM-AUTH-Key Attribute is of type string, 135 octets in
length. It consists of 3 fields, described below, which together
specify the characteristics of a PKM authorization key. The PKM-
AUTH-Key Attribute MAY occur in an Access-Accept message. Any
packet that contains an instance of the PKM-AUTH-Key Attribute
MUST also contain an instance of the Message-Authenticator
Attribute [RFC3579].
A summary of the PKM-AUTH-Key Attribute format is shown below. The
fields are transmitted from left to right.
                     1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |      Len      |           Lifetime
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       Lifetime (cont.)         |   Sequence    |     Key...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
143 for PKM-AUTH-Key
Len
135
Lifetime
The Lifetime field is 4 octets in length and represents the
lifetime, in seconds, of the authorization key. For more
information, see Section 11.9.4 of [IEEE.802.16-2004].
Sequence
The Sequence field is one octet in length. The contents
correspond to those of the Value field of an IEEE 802.16 Key-
Sequence-Number attribute (see [IEEE.802.16-2004], Section
11.9.5).
Key
The Key field is 128 octets in length. The contents correspond to
those of the Value field of an IEEE 802.16 AUTH-Key attribute.
The Key field MUST be encrypted under the public key from the
Subscriber Station certificate (Section 3.1) using RSA encryption
[RFC2437]; see Section 7.5 of [IEEE.802.16-2004] for further
details.
Implementation Note
It is necessary that a plaintext copy of this field be returned
in the Access-Accept message; appropriate precautions MUST be
taken to ensure the confidentiality of the key.
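A receiver for the fixed-layout attributes of Sections 3.3 through 3.7 (types 139 to 143), as an added example that is not part of this RFC. It checks each attribute's Len against the layout the text fixes (30, 2 + 3n < 39, 4, 8 and 135 octets) before unpacking the Value, so a truncated or oversized attribute is rejected rather than misread. The function and field names and the sample timeout, SAID and cryptosuite values are my own.

```python
import struct
from typing import Any, Dict

PKM_CONFIG_SETTINGS = 139
PKM_CRYPTOSUITE_LIST = 140
PKM_SAID = 141
PKM_SA_DESCRIPTOR = 142
PKM_AUTH_KEY = 143

# The seven 4-octet timeout fields of PKM-Config-Settings, in wire order.
CONFIG_FIELDS = ("auth_wait_timeout", "reauth_wait_timeout", "auth_grace_time",
                 "op_wait_timeout", "rekey_wait_timeout", "tek_grace_time",
                 "auth_rej_wait_timeout")


class MalformedAttribute(ValueError):
    """Len does not match the fixed layout this document gives the attribute."""


def parse_pkm_attribute(attr: bytes) -> Dict[str, Any]:
    """Decode one attribute (Type, Len, Value octets) of type 139..143. Len is
    checked against the layout before the Value is unpacked, so a short or
    oversized attribute is rejected instead of being read past or padded."""
    if len(attr) < 2:
        raise MalformedAttribute("attribute shorter than Type + Len")
    atype, alen = attr[0], attr[1]
    if alen != len(attr):
        raise MalformedAttribute("Len %d but %d octets present" % (alen, len(attr)))
    value = attr[2:]

    if atype == PKM_CONFIG_SETTINGS:           # Len 30: seven big-endian uint32
        if alen != 30:
            raise MalformedAttribute("PKM-Config-Settings Len must be 30")
        return {"type": atype, **dict(zip(CONFIG_FIELDS, struct.unpack("!7I", value)))}

    if atype == PKM_CRYPTOSUITE_LIST:          # Len 2 + 3n < 39, n >= 1
        n, rem = divmod(alen - 2, 3)
        if rem or n < 1 or alen >= 39:
            raise MalformedAttribute("PKM-Cryptosuite-List Len must be 2 + 3n < 39")
        return {"type": atype, "cryptosuites": [value[i:i + 3] for i in range(0, 3 * n, 3)]}

    if atype == PKM_SAID:                      # Len 4: 2-octet SAID
        if alen != 4:
            raise MalformedAttribute("PKM-SAID Len must be 4")
        return {"type": atype, "said": struct.unpack("!H", value)[0]}

    if atype == PKM_SA_DESCRIPTOR:             # Len 8: SAID(2) SA Type(1) Cryptosuite(3)
        if alen != 8:
            raise MalformedAttribute("PKM-SA-Descriptor Len must be 8")
        said, sa_type = struct.unpack("!HB", value[:3])
        return {"type": atype, "said": said, "sa_type": sa_type, "cryptosuite": value[3:6]}

    if atype == PKM_AUTH_KEY:                  # Len 135: Lifetime(4) Sequence(1) Key(128)
        if alen != 135:
            raise MalformedAttribute("PKM-AUTH-Key Len must be 135")
        lifetime, sequence = struct.unpack("!IB", value[:5])
        # Key is the AK encrypted under the SS public key; it is passed on
        # as received, never decrypted at the RADIUS layer.
        return {"type": atype, "lifetime": lifetime, "sequence": sequence, "key": value[5:]}

    raise MalformedAttribute("type %d is not a PKM attribute" % atype)


# Constructed sample attributes; the timeout, SAID and cryptosuite values are made up.
SAMPLE_CONFIG = bytes((PKM_CONFIG_SETTINGS, 30)) + struct.pack("!7I", 10, 10, 600, 1, 10, 600, 60)
SAMPLE_SUITES = bytes((PKM_CRYPTOSUITE_LIST, 8)) + b"\x01\x01\x01\x02\x01\x01"
SAMPLE_SA = bytes((PKM_SA_DESCRIPTOR, 8)) + b"\x00\x2a\x00\x01\x01\x01"
SAMPLE_AK = bytes((PKM_AUTH_KEY, 135)) + struct.pack("!IB", 86400, 1) + bytes(128)
```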
3.7.1. AUTH-Key Protection
The PKM-AUTH-Key Attribute (Section 3.7) contains the AUTH-Key
encrypted with the SS's public key. The BS also needs the AK, so a
second copy of the AK needs to be returned in the Access-Accept
message.
It is RECOMMENDED that the AK is encapsulated in an instance of the
MS-MPPE-Send-Key Attribute [RFC2548]. However, see Section 4.3.4 of
RFC 3579 [RFC3579] for details regarding weaknesses in the encryption
scheme used.
If better means for protecting the Auth-Key are available (such as
RADIUS key attributes with better security properties, or means of
protecting the whole Access-Accept message), they SHOULD be used
instead of (or in addition to) the MS-MPPE-Send-Key Attribute.
4. Table of Attributes
The following table provides a guide to which attributes may be found
in which kinds of packets, and in what quantity.
Request Accept Reject Challenge Acct-Req  #   Attribute
  0+      0      0       0         0     137  PKM-SS-Cert [Note 1]
  0+      0      0       0         0     138  PKM-CA-Cert [Note 2]
  0      0-1     0       0         0     139  PKM-Config-Settings
 0-1      0      0       0         0     140  PKM-Cryptosuite-List
 0-1      0      0       0         0     141  PKM-SAID
  0      0+      0       0         0     142  PKM-SA-Descriptor
  0      0-1     0       0         0     143  PKM-Auth-Key
  0      0-1     0       0         0          MS-MPPE-Send-Key [Note 3]
[Note 1]
No more than one Subscriber Station Certificate may be transferred
in an Access-Request packet.
[Note 2]
No more than one CA Certificate may be transferred in an Access-
Request packet.
[Note 3]
MS-MPPE-Send-Key is one possible attribute that can be used to
convey the AK to the BS; other attributes can be used instead (see
Section 3.7.1).
The following table defines the meaning of the above table entries.
0 This attribute MUST NOT be present in packet
0+ Zero or more instances of this attribute MAY be present in packet
0-1 Zero or one instance of this attribute MAY be present in packet
1 Exactly one instance of this attribute MUST be present in packet
5. Diameter Considerations
Since the Attributes defined in this document are allocated from the
standard RADIUS type space (see Section 7), no special handling is
required by Diameter nodes.
6. Security Considerations
Section 4 of RFC 3579 [RFC3579] discusses vulnerabilities of the
RADIUS protocol.
Section 3 of the paper "Security Enhancements for Privacy and Key
Management Protocol in IEEE 802.16e-2005" [SecEn] discusses the
operation and vulnerabilities of the PKMv1 protocol.
If the Access-Request message is not subject to strong integrity
protection, an attacker may be able to modify the contents of the
PKM-Cryptosuite-List Attribute, weakening 802.16 security or
disabling data encryption altogether.
If the Access-Accept message is not subject to strong integrity
protection, an attacker may be able to modify the contents of the
PKM-Auth-Key Attribute. For example, the Key field could be replaced
with a key known to the attacker.
See Section 3.7.1 for security considerations of sending the
authorization key to the BS.
7. IANA Considerations
IANA has assigned numbers for the following Attributes:
137 PKM-SS-Cert
138 PKM-CA-Cert
139 PKM-Config-Settings
140 PKM-Cryptosuite-List
141 PKM-SAID
142 PKM-SA-Descriptor
143 PKM-Auth-Key
The Attribute numbers are to be allocated from the standard RADIUS
Attribute type space according to the "IETF Review" policy [RFC5226].
8. Contributors
Pasi Eronen provided most of the text in Section 3.7.1.
9. Acknowledgements
Thanks (in no particular order) to Bernard Aboba, Donald Eastlake,
Dan Romascanu, Avshalom Houri, Juergen Quittek, Pasi Eronen, and Alan
DeKok for their mostly useful reviews of this document.
10. References
10.1. Normative References
[IEEE.802.16-2004]
Institute of Electrical and Electronics Engineers, "IEEE
Standard for Local and metropolitan area networks, Part
16: Air Interface for Fixed Broadband Wireless Access
Systems", IEEE Standard 802.16, October 2004.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000.
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
Dial In User Service) Support For Extensible
Authentication Protocol (EAP)", RFC 3579, September 2003.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
10.2. Informative References
[RFC2437] Kaliski, B. and J. Staddon, "PKCS #1: RSA Cryptography
Specifications Version 2.0", RFC 2437, October 1998.
[RFC2459] Housley, R., Ford, W., Polk, T., and D. Solo, "Internet
X.509 Public Key Infrastructure Certificate and CRL
Profile", RFC 2459, January 1999.
[RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS Attributes",
RFC 2548, March 1999.
[SecEn] Altaf, A., Jawad, M., and A. Ahmed, "Security Enhancements
for Privacy and Key Management Protocol in IEEE 802.16e-
2005", Ninth ACIS International Conference on Software
Engineering, Artificial Intelligence, Networking, and
Parallel/Distributed Computing, 2008.
Author's Address
Glen Zorn
Network Zen
1463 East Republican Street
#358
Seattle, WA 98112
US
EMail: gwz@net-zen.net