Extensible Authentication Protocol (EAP) Session-Id Derivation for EAP Subscriber Identity Module (EAP-SIM), EAP Authentication and Key Agreement (EAP-AKA), and Protected EAP (PEAP)
RFC 8940

Document Type RFC - Proposed Standard (October 2020; No errata)
Updates RFC 5247
Author Alan DeKok 
Last updated 2020-10-23
Replaces draft-dekok-emu-eap-session-id
Stream IETF
Formats plain text html xml pdf htmlized bibtex
Reviews
Stream WG state Submitted to IESG for Publication (wg milestone: Nov 2019 - WG last call on defi... )
Document shepherd Mohit Sethi
Shepherd write-up Show (last changed 2020-01-08)
IESG IESG state RFC 8940 (Proposed Standard)
Consensus Boilerplate Yes
Telechat date
Responsible AD Roman Danyliw
Send notices to Mohit Sethi <mohit.m.sethi@ericsson.com>
IANA IANA review state Version Changed - Review Needed
IANA action state No IANA Actions


Internet Engineering Task Force (IETF)                          A. DeKok
Request for Comments: 8940                                    FreeRADIUS
Updates: 5247                                               October 2020
Category: Standards Track                                               
ISSN: 2070-1721

 Extensible Authentication Protocol (EAP) Session-Id Derivation for EAP
    Subscriber Identity Module (EAP-SIM), EAP Authentication and Key
             Agreement (EAP-AKA), and Protected EAP (PEAP)

Abstract

   RFC 5247 is updated to define and clarify EAP Session-Id derivation
   for multiple Extensible Authentication Protocol (EAP) methods.  The
   derivation of Session-Id was not given for EAP Subscriber Identity
   Module (EAP-SIM) or EAP Authentication and Key Agreement (EAP-AKA)
   when using the fast reconnect exchange instead of full
   authentication.  The derivation of Session-Id for full authentication
   is clarified for both EAP-SIM and EAP-AKA.  The derivation of
   Session-Id for Protected EAP (PEAP) is also given.  The definition
   for PEAP follows the definition for other TLS-based EAP methods.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8940.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Updates to RFC 5247, Appendix A
     2.1.  EAP-AKA
     2.2.  EAP-SIM
     2.3.  Rationale for EAP-AKA and EAP-SIM Updates
   3.  Session-Id for PEAP
   4.  Security Considerations
   5.  IANA Considerations
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Acknowledgments
   Author's Address

1.  Introduction

   EAP [RFC3748] Session-Id derivation has not been defined for EAP-SIM
   and EAP-AKA when using the fast reconnect exchange instead of full
   authentication.  [RFC5247] defines the Session-Id for these EAP
   methods, but that derivation is only applicable for the full
   authentication case.  The Session-Id derivation was not defined for
   EAP-AKA', but [AKAP] now defines it, along with other updates.  As
   such, the definition for EAP-AKA' is not included here.

   Further, the derivation of Session-Id for full authentication is
   clarified, as the text in [RFC5247] is ambiguous.

   The IEEE has defined Fast Initial Link Setup (FILS) authentication
   [FILS], which needs the EAP Session-Id in order for the EAP Re-
   authentication Protocol (ERP) [RFC6696] to work.  It is therefore
   important to address the existing deficiencies in the definition of
   EAP Session-Id.

   Finally, [RFC5247] did not define Session-Id for PEAP [MS-PEAP]
   [PEAP].  We correct these deficiencies here by updating [RFC5247]
   with the Session-Id derivation during fast-reconnect exchange for
   EAP-SIM and EAP-AKA; clarifying the Session-Id derivation during full
   authentication for EAP-SIM and EAP-AKA; and defining the Session-Id
   derivation for PEAP, which is the same for both full authentication
   and fast reconnect.

2.  Updates to RFC 5247, Appendix A

   This section updates [RFC5247], Appendix A to define Session-Id for
   fast reconnect exchange for EAP-AKA and EAP-SIM.

2.1.  EAP-AKA

   For EAP-AKA, [RFC5247], Appendix A says:

   |  EAP-AKA
   |     EAP-AKA is defined in [RFC4187].  The EAP-AKA Session-Id is the
   |     concatenation of the EAP Type Code (0x17) with the contents of
   |     the RAND field from the AT_RAND attribute, followed by the
   |     contents of the AUTN field in the AT_AUTN attribute:
   |  
   |        Session-Id = 0x17 || RAND || AUTN

   It should say:

   |  EAP-AKA
   |     EAP-AKA is defined in [RFC4187].  When using full
   |     authentication, the EAP-AKA Session-Id is the concatenation of
   |     the EAP Type Code (0x17) with the contents of the RAND field
   |     from the AT_RAND attribute, followed by the contents of the
Show full document text