EAP Extensions for EAP Re-authentication Protocol (ERP)
RFC 5296
Document Type RFC - Proposed Standard (August 2008; Errata)
Obsoleted by RFC 6696
Last updated 2015-10-14
Stream IETF
Formats plain text pdf html bibtex
Reviews
SECDIR Last Call Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5296 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Tim Polk
Send notices to (None)
Email authors Email WG IPR 2 References Referenced by Nits 
Network Working Group                                       V. Narayanan
Request for Comments: 5296                                    L. Dondeti
Category: Standards Track                                 Qualcomm, Inc.
                                                             August 2008

        EAP Extensions for EAP Re-authentication Protocol (ERP)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   The Extensible Authentication Protocol (EAP) is a generic framework
   supporting multiple types of authentication methods.  In systems
   where EAP is used for authentication, it is desirable to not repeat
   the entire EAP exchange with another authenticator.  This document
   specifies extensions to EAP and the EAP keying hierarchy to support
   an EAP method-independent protocol for efficient re-authentication
   between the peer and an EAP re-authentication server through any
   authenticator.  The re-authentication server may be in the home
   network or in the local network to which the peer is connecting.

Narayanan & Dondeti         Standards Track                     [Page 1]
RFC 5296                          ERP                        August 2008

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  ERP Description  . . . . . . . . . . . . . . . . . . . . . . .  5
     3.1.  ERP With the Home ER Server  . . . . . . . . . . . . . . .  6
     3.2.  ERP with a Local ER Server . . . . . . . . . . . . . . . .  8
   4.  ER Key Hierarchy . . . . . . . . . . . . . . . . . . . . . . . 10
     4.1.  rRK Derivation . . . . . . . . . . . . . . . . . . . . . . 11
     4.2.  rRK Properties . . . . . . . . . . . . . . . . . . . . . . 12
     4.3.  rIK Derivation . . . . . . . . . . . . . . . . . . . . . . 12
     4.4.  rIK Properties . . . . . . . . . . . . . . . . . . . . . . 13
     4.5.  rIK Usage  . . . . . . . . . . . . . . . . . . . . . . . . 13
     4.6.  rMSK Derivation  . . . . . . . . . . . . . . . . . . . . . 14
     4.7.  rMSK Properties  . . . . . . . . . . . . . . . . . . . . . 15
   5.  Protocol Details . . . . . . . . . . . . . . . . . . . . . . . 15
     5.1.  ERP Bootstrapping  . . . . . . . . . . . . . . . . . . . . 15
     5.2.  Steps in ERP . . . . . . . . . . . . . . . . . . . . . . . 18
       5.2.1.  Multiple Simultaneous Runs of ERP  . . . . . . . . . . 20
       5.2.2.  ERP Failure Handling . . . . . . . . . . . . . . . . . 21
     5.3.  New EAP Packets  . . . . . . . . . . . . . . . . . . . . . 22
       5.3.1.  EAP-Initiate/Re-auth-Start Packet  . . . . . . . . . . 23
       5.3.2.  EAP-Initiate/Re-auth Packet  . . . . . . . . . . . . . 25
       5.3.3.  EAP-Finish/Re-auth Packet  . . . . . . . . . . . . . . 26
       5.3.4.  TV and TLV Attributes  . . . . . . . . . . . . . . . . 29
     5.4.  Replay Protection  . . . . . . . . . . . . . . . . . . . . 30
     5.5.  Channel Binding  . . . . . . . . . . . . . . . . . . . . . 30
   6.  Lower-Layer Considerations . . . . . . . . . . . . . . . . . . 31
   7.  Transport of ERP Messages  . . . . . . . . . . . . . . . . . . 32
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 33
   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 37
   10. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 39
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 39
     11.1. Normative References . . . . . . . . . . . . . . . . . . . 39
     11.2. Informative References . . . . . . . . . . . . . . . . . . 40
   Appendix A.  Example ERP Exchange  . . . . . . . . . . . . . . . . 42

Narayanan & Dondeti         Standards Track                     [Page 2]
RFC 5296                          ERP                        August 2008

1.  Introduction

   The Extensible Authentication Protocol (EAP) is a an authentication
   framework that supports multiple authentication methods.  The primary
   purpose is network access authentication, and a key-generating method
   is used when the lower layer wants to enforce access control.  The
   EAP keying hierarchy defines two keys to be derived by all key-
   generating EAP methods: the Master Session Key (MSK) and the Extended
   MSK (EMSK).  In the most common deployment scenario, an EAP peer and
   an EAP server authenticate each other through a third party known as
   the EAP authenticator.  The EAP authenticator or an entity controlled
   by the EAP authenticator enforces access control.  After successful
   authentication, the EAP server transports the MSK to the EAP
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools