EAP Extensions for EAP Re-authentication Protocol (ERP)
RFC 5296
| Field | Value |
|---|---|
| Type | RFC - Proposed Standard (August 2008; Errata) |
| Status | Obsoleted by RFC 6696 |
| Draft | Was draft-ietf-hokey-erx (hokey WG) |
| Authors | Lakshminath Dondeti, Vidya Narayanan |
| Last updated | 2020-01-21 |
| Stream | IETF |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 5296 (Proposed Standard) |
| Consensus Boilerplate | Unknown |
| Responsible AD | Tim Polk |
| Send notices to | (None) |
Network Working Group                                       V. Narayanan
Request for Comments: 5296                                    L. Dondeti
Category: Standards Track                                 Qualcomm, Inc.
                                                             August 2008

           EAP Extensions for EAP Re-authentication Protocol (ERP)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements. Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol. Distribution of this memo is unlimited.

Abstract

   The Extensible Authentication Protocol (EAP) is a generic framework
   supporting multiple types of authentication methods. In systems where
   EAP is used for authentication, it is desirable to not repeat the
   entire EAP exchange with another authenticator. This document
   specifies extensions to EAP and the EAP keying hierarchy to support
   an EAP method-independent protocol for efficient re-authentication
   between the peer and an EAP re-authentication server through any
   authenticator. The re-authentication server may be in the home
   network or in the local network to which the peer is connecting.

Narayanan & Dondeti          Standards Track                    [Page 1]

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  ERP Description  . . . . . . . . . . . . . . . . . . . . . .   5
     3.1.  ERP With the Home ER Server  . . . . . . . . . . . . . .   6
     3.2.  ERP with a Local ER Server . . . . . . . . . . . . . . .   8
   4.  ER Key Hierarchy . . . . . . . . . . . . . . . . . . . . . .  10
     4.1.  rRK Derivation . . . . . . . . . . . . . . . . . . . . .  11
     4.2.  rRK Properties . . . . . . . . . . . . . . . . . . . . .  12
     4.3.  rIK Derivation . . . . . . . . . . . . . . . . . . . . .  12
     4.4.  rIK Properties . . . . . . . . . . . . . . . . . . . . .  13
     4.5.  rIK Usage  . . . . . . . . . . . . . . . . . . . . . . .  13
     4.6.  rMSK Derivation  . . . . . . . . . . . . . . . . . . . .  14
     4.7.  rMSK Properties  . . . . . . . . . . . . . . . . . . . .  15
   5.  Protocol Details . . . . . . . . . . . . . . . . . . . . . .  15
     5.1.  ERP Bootstrapping  . . . . . . . . . . . . . . . . . . .  15
     5.2.  Steps in ERP . . . . . . . . . . . . . . . . . . . . . .  18
       5.2.1.  Multiple Simultaneous Runs of ERP  . . . . . . . . .  20
       5.2.2.  ERP Failure Handling . . . . . . . . . . . . . . . .  21
     5.3.  New EAP Packets  . . . . . . . . . . . . . . . . . . . .  22
       5.3.1.  EAP-Initiate/Re-auth-Start Packet  . . . . . . . . .  23
       5.3.2.  EAP-Initiate/Re-auth Packet  . . . . . . . . . . . .  25
       5.3.3.  EAP-Finish/Re-auth Packet  . . . . . . . . . . . . .  26
       5.3.4.  TV and TLV Attributes  . . . . . . . . . . . . . . .  29
     5.4.  Replay Protection  . . . . . . . . . . . . . . . . . . .  30
     5.5.  Channel Binding  . . . . . . . . . . . . . . . . . . . .  30
   6.  Lower-Layer Considerations . . . . . . . . . . . . . . . . .  31
   7.  Transport of ERP Messages  . . . . . . . . . . . . . . . . .  32
   8.  Security Considerations  . . . . . . . . . . . . . . . . . .  33
   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . .  37
   10. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . .  39
   11. References . . . . . . . . . . . . . . . . . . . . . . . . .  39
     11.1. Normative References . . . . . . . . . . . . . . . . . .  39
     11.2. Informative References . . . . . . . . . . . . . . . . .  40
   Appendix A.  Example ERP Exchange  . . . . . . . . . . . . . . .  42

1.  Introduction

   The Extensible Authentication Protocol (EAP) is an authentication
   framework that supports multiple authentication methods. The primary
   purpose is network access authentication, and a key-generating method
   is used when the lower layer wants to enforce access control.

   The EAP keying hierarchy defines two keys to be derived by all key-
   generating EAP methods: the Master Session Key (MSK) and the Extended
   MSK (EMSK). In the most common deployment scenario, an EAP peer and
   an EAP server authenticate each other through a third party known as
   the EAP authenticator. The EAP authenticator or an entity controlled
   by the EAP authenticator enforces access control. After successful
   authentication, the EAP server transports the MSK to the EAP