Diameter Support for the EAP Re-authentication Protocol (ERP)
RFC 6942

Type: RFC - Proposed Standard (May 2013); was draft-ietf-dime-erp (dime WG)
Authors: Julien Bournelle, Lionel Morand, Sebastien Decugis, Qin Wu, Glen Zorn
Last updated: 2015-10-14
RFC stream: Internet Engineering Task Force (IETF)
Responsible AD: Benoît Claise
Bournelle, et al.            Standards Track                   [Page 12]

RFC 6942                Diameter ERP Application                May 2013


   The primary use of the Diameter ERP Application Id is to ensure proper
   routing of the messages, and that the nodes that advertise support for
   this application do understand the new AVPs defined in Section 8,
   although these AVPs have the 'M' flag cleared.

8.  AVPs

   The following subsections discuss the AVPs used by the Diameter ERP
   application.

8.1.  ERP-RK-Request AVP

   The ERP-RK-Request AVP (AVP Code 618) is of type Grouped AVP.  This
   AVP is used by the ER server to indicate its willingness to act as the
   ER server for a particular session.  This AVP has the 'M' and 'V' bits
   cleared.

      ERP-RK-Request ::= < AVP Header: 618 >
                         { ERP-Realm }
                       * [ AVP ]

                     Figure 5: ERP-RK-Request ABNF

8.2.  ERP-Realm AVP

   The ERP-Realm AVP (AVP Code 619) is of type DiameterIdentity.  It
   contains the name of the realm in which the ER server is located.
   This AVP has the 'M' and 'V' bits cleared.

8.3.  Key AVP

   The Key AVP [RFC6734] is of type Grouped and is used to carry the rRK
   or rMSK and associated attributes.  The usage of the Key AVP and its
   constituent AVPs in this application is specified in the following
   subsections.

8.3.1.  Key-Type AVP

   The value of the Key-Type AVP MUST be set to 1 for rRK or 2 for rMSK.

8.3.2.  Keying-Material AVP

   The Keying-Material AVP contains the rRK sent by the home EAP server
   to the ER server, in answer to a request containing an ERP-RK-Request
   AVP, or the rMSK sent by the ER server to the authenticator.  How this
   material is derived and used is specified in RFC 6696.

8.3.3.  Key-Name AVP

   This AVP contains the EMSKname that identifies the keying material.
   The derivation of this name is specified in RFC 6696.

8.3.4.  Key-Lifetime AVP

   The Key-Lifetime AVP contains the lifetime of the keying material in
   seconds.
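   The following Python is an added example written for this page; it is
   not code from RFC 6942, from RFC 6734, or from any Diameter
   implementation.  It encodes and decodes the Section 8 AVPs in the
   RFC 6733 AVP wire format (4-byte code, 1-byte flags, 3-byte length,
   data padded to a 4-byte boundary), builds an ERP-RK-Request carrying
   an ERP-Realm with the 'M' and 'V' bits cleared, and builds a Key AVP
   for an rRK or rMSK that rejects a Key-Type other than 1 or 2 and a
   Key-Lifetime longer than the remaining EMSK lifetime.  AVP codes 618
   and 619 are from this page; the codes used for Key (581), Key-Type
   (582), Keying-Material (583), Key-Lifetime (584) and Key-Name (586)
   are taken from RFC 6734 and, like the cleared flag bits on those
   AVPs, are an assumption here.  The realm "erp.example.net", the key
   bytes and the EMSKname in the usage are constructed sample values.

```python
"""Added example, not code from RFC 6942 or any implementation it cites.
Builds and parses the Section 8 AVPs in the RFC 6733 wire format.  Codes
618/619 are from this page; the Key-family codes come from RFC 6734 and,
like the cleared flag bits on those AVPs, are an assumption here."""
import struct
from typing import Iterator, Optional, Tuple

AVP_FLAG_V = 0x80  # Vendor-Specific: a 4-byte Vendor-ID follows the length
AVP_FLAG_M = 0x40  # Mandatory: receiver must understand the AVP or reject
ERP_RK_REQUEST, ERP_REALM = 618, 619            # RFC 6942, Sections 8.1, 8.2
KEY, KEY_TYPE, KEYING_MATERIAL = 581, 582, 583  # assumed from RFC 6734
KEY_LIFETIME, KEY_NAME = 584, 586               # assumed from RFC 6734
KEY_TYPE_RRK, KEY_TYPE_RMSK = 1, 2              # Section 8.3.1


def encode_avp(code: int, data: bytes, flags: int = 0,
               vendor_id: Optional[int] = None) -> bytes:
    """code(4) flags(1) length(3) [Vendor-ID(4)] data, zero-padded to a
    4-byte boundary; length covers header and data but not the padding."""
    vendor = b"" if vendor_id is None else struct.pack("!I", vendor_id)
    if vendor:
        flags |= AVP_FLAG_V
    length = 8 + len(vendor) + len(data)
    if length >= 1 << 24:
        raise ValueError("AVP too long for the 3-byte length field")
    return (struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
            + vendor + data + b"\x00" * ((-len(data)) % 4))


def decode_avps(buf: bytes) -> Iterator[Tuple[int, int, Optional[int], bytes]]:
    """Yield (code, flags, vendor_id, data) for each AVP in buf."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code = struct.unpack_from("!I", buf, off)[0]
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & AVP_FLAG_V else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length")
        vendor_id = struct.unpack_from("!I", buf, off + 8)[0] if hdr == 12 else None
        yield code, flags, vendor_id, buf[off + hdr:off + length]
        off += length + (-length) % 4  # step over padding to the next AVP


def build_erp_rk_request(realm: str) -> bytes:
    """ERP-RK-Request ::= < AVP Header: 618 > { ERP-Realm } * [ AVP ];
    both AVPs are sent with the 'M' and 'V' bits cleared."""
    erp_realm = encode_avp(ERP_REALM, realm.encode("ascii"))  # DiameterIdentity
    return encode_avp(ERP_RK_REQUEST, erp_realm)


def parse_erp_rk_request(buf: bytes) -> str:
    """Return the realm from one ERP-RK-Request AVP, checking the flag
    rule and that exactly one ERP-Realm is present."""
    avps = list(decode_avps(buf))
    if len(avps) != 1 or avps[0][0] != ERP_RK_REQUEST:
        raise ValueError("expected a single ERP-RK-Request AVP")
    if avps[0][1] & (AVP_FLAG_M | AVP_FLAG_V):
        raise ValueError("ERP-RK-Request must have the M and V bits cleared")
    realms = [d for c, _, _, d in decode_avps(avps[0][3]) if c == ERP_REALM]
    if len(realms) != 1:
        raise ValueError("ERP-RK-Request must carry exactly one ERP-Realm")
    return realms[0].decode("ascii")


def build_key_avp(key_type: int, keying_material: bytes, key_name: bytes,
                  key_lifetime: int, emsk_remaining_lifetime: int) -> bytes:
    """Key AVP carrying an rRK or rMSK; enforces the Section 8.3 rules:
    Key-Type is 1 or 2 and Key-Lifetime (seconds) is within the
    remaining lifetime of the EMSK it was derived from."""
    if key_type not in (KEY_TYPE_RRK, KEY_TYPE_RMSK):
        raise ValueError("Key-Type MUST be 1 (rRK) or 2 (rMSK) in Diameter ERP")
    if not 0 <= key_lifetime <= 0xFFFFFFFF:
        raise ValueError("Key-Lifetime is an Unsigned32 number of seconds")
    if key_lifetime > emsk_remaining_lifetime:
        raise ValueError("Key-Lifetime MUST NOT exceed the remaining EMSK lifetime")
    members = (encode_avp(KEY_TYPE, struct.pack("!I", key_type))           # Enumerated
               + encode_avp(KEYING_MATERIAL, keying_material)               # OctetString
               + encode_avp(KEY_LIFETIME, struct.pack("!I", key_lifetime))  # Unsigned32
               + encode_avp(KEY_NAME, key_name))                            # EMSKname
    return encode_avp(KEY, members)


def parse_key_avp(buf: bytes) -> dict:
    """Decode one Key AVP keyed by AVP code; unknown members (* [ AVP ])
    are ignored, a missing Key-Type or Keying-Material is an error."""
    avps = list(decode_avps(buf))
    if len(avps) != 1 or avps[0][0] != KEY:
        raise ValueError("expected a single Key AVP")
    out = {}
    for code, _, _, data in decode_avps(avps[0][3]):
        if code in (KEY_TYPE, KEY_LIFETIME):
            out[code] = struct.unpack("!I", data)[0]
        elif code in (KEYING_MATERIAL, KEY_NAME):
            out[code] = data
    if KEY_TYPE not in out or KEYING_MATERIAL not in out:
        raise ValueError("Key AVP is missing Key-Type or Keying-Material")
    return out
```

   Usage: build_erp_rk_request("erp.example.net") yields a 32-byte
   grouped AVP (an 8-byte header around a 24-byte ERP-Realm, whose
   15-byte realm is padded with one zero byte), and build_key_avp(
   KEY_TYPE_RRK, rrk_bytes, emsk_name, 3600, 7200) yields a Key AVP that
   parse_key_avp() turns back into its members.  The padding and the
   3-byte length are the two places hand-written Diameter codecs most
   often go wrong, so the parser recomputes both rather than trusting
   the sender's alignment.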
   The Key-Lifetime value MUST NOT be greater than the remaining lifetime
   of the EMSK from which the material was derived.

9.  Result-Code AVP Values

   This section defines new Result-Code [RFC6733] values that MUST be
   supported by all Diameter implementations that conform to this
   specification.

9.1.  Permanent Failures

   Errors that fall within the Permanent Failures category are used to
   inform the peer that the request failed and SHOULD NOT be attempted
   again.

   DIAMETER_ERROR_EAP_CODE_UNKNOWN (5048)

      This error code is used by the Diameter server to inform the peer
      that the received EAP-Payload AVP contains an EAP packet with an
      unknown EAP code.

10.  IANA Considerations

   IANA has registered the following new elements in the Authentication,
   Authorization, and Accounting (AAA) Parameters registries [AAAPARAMS].

10.1.  Diameter Application Identifier

   IANA has allocated a new value "Diameter ERP" (code: 13) in the
   "Application IDs" registry from the "Standards Action" range of
   numbers using the "Specification Required" policy [RFC5226]; see
   Section 11.3 of RFC 3588 [RFC3588] for further details.

10.2.  New AVPs

   IANA has allocated new values from the "AVP Codes" registry according
   to the policy specified in Section 11.1 of Fajardo, et al. [RFC6733]
   for the following AVPs:

      ERP-RK-Request (code: 618)
      ERP-Realm (code: 619)

   These AVPs are defined in Section 8.

10.3.  New Permanent Failures Result-Code AVP Values

   IANA has allocated a new value from the "Result-Code AVP Values (code
   268) - Permanent Failure" registry according to the policy specified
   in Section 11.3.2 of Fajardo, et al. [RFC6733] for the following
   Result-Code:

      DIAMETER_ERROR_EAP_CODE_UNKNOWN (code: 5048)

   This Result-Code value is defined in Section 9.

11.  Security Considerations

   The security considerations from the following documents apply here:

   o  Eronen, et al. [RFC4072]

   o  Salowey, et al. [RFC5295]

   o  Cao, et al. [RFC6696]

   o  Fajardo, et al. [RFC6733]

   o  Zorn, et al. [RFC6734]

   Because this application involves the transmission of sensitive data,
   including cryptographic keys, it MUST be protected using Transport
   Layer Security (TLS) [RFC5246], Datagram Transport Layer Security
   (DTLS) [RFC6347], or IP Encapsulating Security Payload (ESP)
   [RFC4303].  If TLS or DTLS is used, the bulk encryption algorithm
   negotiated MUST be non-null.  If ESP is used, the encryption
   algorithm MUST be non-null.  A null cipher would provide integrity
   only and leave the rRK and rMSK carried in the Key AVP readable on
   the wire.

12.  Contributors

   Hannes Tschofenig wrote the initial draft of this document.
   Lakshminath Dondeti contributed to the early drafts of the document.

13.  Acknowledgements

   Hannes Tschofenig, Zhen Cao, Benoit Claise, Elwyn Davies, Menachem
   Dodge, Vincent Roca, Stephen Farrell, Sean Turner, Pete Resnick, Russ
   Housley, Martin Stiemerling, and Jouni Korhonen provided useful
   reviews.  Vidya Narayanan reviewed a rough draft version of the
   document and found some errors.  Many thanks to these people!

14.  References

14.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3748]  Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
              Levkowetz, "Extensible Authentication Protocol (EAP)",
              RFC 3748, June 2004.

   [RFC4072]  Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
              Authentication Protocol (EAP) Application", RFC 4072,
              August 2005.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC5295]  Salowey, J., Dondeti, L., Narayanan, V., and M. Nakhjiri,
              "Specification for the Derivation of Root Keys from an
              Extended Master Session Key (EMSK)", RFC 5295, August 2008.

   [RFC6696]  Cao, Z., He, B., Shi, Y., Wu, Q., and G. Zorn, "EAP
              Extensions for the EAP Re-authentication Protocol (ERP)",
              RFC 6696, July 2012.

   [RFC6733]  Fajardo, V., Arkko, J., Loughney, J., and G. Zorn,
              "Diameter Base Protocol", RFC 6733, October 2012.

   [RFC6734]  Zorn, G., Wu, Q., and V. Cakulev, "Diameter Attribute-
              Value Pairs for Cryptographic Key Transport", RFC 6734,
              October 2012.

14.2.  Informative References

   [AAAPARAMS]
              Internet Assigned Numbers Authority, "Authentication,
              Authorization, and Accounting (AAA) Parameters",
              <http://www.iana.org/assignments/aaa-parameters/>.

   [RFC3588]  Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
              Arkko, "Diameter Base Protocol", RFC 3588, September 2003.

   [RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)",
              RFC 4303, December 2005.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

Authors' Addresses

   Julien Bournelle
   Orange Labs
   38-40 rue du general Leclerc
   Issy-Les-Moulineaux  92794
   France

   EMail: julien.bournelle@orange.com


   Lionel Morand
   Orange Labs
   38-40 rue du general Leclerc
   Issy-Les-Moulineaux  92794
   France

   EMail: lionel.morand@orange.com


   Sebastien Decugis
   INSIDE Secure
   41 Parc Club du Golf
   Aix-en-Provence  13856
   France

   Phone: +33 (0)4 42 39 63 00
   EMail: sdecugis@freediameter.net


   Qin Wu
   Huawei Technologies Co., Ltd.
   101 Software Avenue, Yuhua District
   Nanjing, JiangSu  210012
   China

   EMail: sunseawq@huawei.com


   Glen Zorn
   Network Zen
   227/358 Thanon Sanphawut
   Bang Na, Bangkok  10260
   Thailand

   EMail: glenzorn@gmail.com