PANA Working Group                                            Y. Ohba
Internet-Draft                                             V. Fajardo
Expires: January 9, 2005                                         TARI
                                                             R. Lopez
                                                      Univ. of Murcia
                                                        July 11, 2004

State Machines for Protocol for Carrying Authentication for Network Access (PANA)
draft-ohba-pana-statemachine-00

Status of this Memo

By submitting this Internet-Draft, I certify that any applicable patent or other IPR claims of which I am aware have been disclosed, and any of which I become aware will be disclosed, in accordance with RFC 3668.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on January 9, 2005.

Copyright Notice

Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

This document defines the conceptual state machines for the Protocol for Carrying Authentication for Network Access (PANA). The state machines consist of the PANA Client (PaC) state machine and the PANA Authentication Agent (PAA) state machine. The two state machines show how PANA can interface to EAP state machines and can be implemented with support for various features, including separate NAP and ISP authentications, ISP selection and mobility optimization. The state machines and associated model are informative only. Implementations may achieve the same results using different methods.

Table of Contents

1. Introduction
2. Interface Between PANA and EAP
3. Document Authority
4. Notations
5. Common Rules
   5.1 Common Procedures
   5.2 Common Variables
   5.3 Constants
   5.4 Common Message Initialization Rules
   5.5 Common State Transitions
6. PaC State Machine
   6.1 Interface between PaC and EAP Peer
       6.1.1 Delivering EAP Messages from PaC to EAP Peer
       6.1.2 Delivering EAP Responses from EAP Peer to PaC
       6.1.3 EAP Restart Notification from PaC to EAP Peer
       6.1.4 EAP Authentication Result Notification from EAP Peer to PaC
       6.1.5 Alternate Failure Notification from PaC to EAP Peer
       6.1.6 EAP Invalid Message Notification from EAP Peer to PaC
   6.2 Variables
   6.3 Procedures
   6.4 PaC State Transition Table
7. PAA State Machine
   7.1 Interface between PAA and EAP Authenticator
       7.1.1 EAP Restart Notification from PAA to EAP Authenticator
       7.1.2 Delivering EAP Responses from PAA to EAP Authenticator
       7.1.3 Delivering EAP Messages from EAP Authenticator to PAA
       7.1.4 EAP Authentication Result Notification from EAP Authenticator to PAA
   7.2 Variables
   7.3 Procedures
   7.4 PAA State Transition Table
8. Implementation Considerations
   8.1 Interface exposed by PANA to the Host System
   8.2 PAA Interface to EP
   8.3 Multicast Traffic
9. Security Considerations
10. Acknowledgments
11. References
   11.1 Normative References
   11.2 Informative References
Authors' Addresses
Intellectual Property and Copyright Statements

1. Introduction

This document defines the state machines for the Protocol for Carrying Authentication for Network Access (PANA) [I-D.ietf-pana-pana]. There are state machines for the PANA client (PaC) and for the PANA Authentication Agent (PAA). Each state machine is specified through a set of variables, procedures and a state transition table.

A PANA protocol execution consists of several exchanges that carry authentication information. Specifically, EAP PDUs are transported inside PANA PDUs between the PaC and the PAA; that is, PANA is a lower layer for the EAP protocol. Thus a PANA state machine bases its execution on an EAP state machine execution and vice versa. This document therefore also shows, for each of the PaC and the PAA, an interface between an EAP state machine and a PANA state machine and how this interface allows them to exchange information.
Thanks to this interface, a PANA state machine can be informed about several events generated in an EAP state machine and make its execution conditional on those events. The details of EAP state machines are out of the scope of this document. Additional information can be found in [I-D.ietf-eap-statemachine]. Nevertheless, the PANA state machines presented here have been coordinated with the state machines shown in [I-D.ietf-eap-statemachine].

This document, apart from defining the PaC and PAA state machines and their interfaces to the EAP state machines (running on top of PANA), provides some implementation considerations, taking into account that it is not a specification but an implementation guideline.

2. Interface Between PANA and EAP

PANA carries EAP messages exchanged between an EAP peer and an EAP authenticator (see Figure 1). Thus a PANA state machine must interact with an EAP state machine. Two state machines are defined in this document: the PaC state machine (see Section 6) and the PAA state machine (see Section 7). The definition of each state machine consists of a set of variables, procedures and a state transition table. A subset of these variables and procedures defines the interface between a PANA state machine and an EAP state machine, and the state transition table defines the PANA state machine behavior based on results obtained through them. On the one hand, the PaC state machine interacts with an EAP peer state machine in order to carry out the PANA protocol on the PaC side. On the other hand, the PAA state machine interacts with an EAP authenticator state machine to run the PANA protocol on the PAA side.

               Peer    |EAP         Auth
        EAP <----------|-----------> EAP
         ^             |              ^
         | EAP-Request |              | EAP-Request
         | EAP-Response|              | EAP-Response
         | EAP-Success |              | EAP-Success
         | EAP-Failure |              | EAP-Failure
         v             |PANA          v
        PaC <----------|-----------> PAA

             Figure 1: Interface between PANA and EAP

Thus two interfaces are needed between PANA state machines and EAP state machines, namely:

o Interface between the PaC state machine and the EAP peer state machine

o Interface between the PAA state machine and the EAP authenticator state machine

In general, the PaC state machine presents EAP messages (EAP-Request, EAP-Success and EAP-Failure messages) to the EAP peer state machine through the interface. The EAP peer state machine processes these messages and sends EAP messages (EAP-Response messages) through the PaC state machine, which is responsible for actually transmitting them. On the other hand, the PAA state machine presents response messages (EAP-Response messages) to the EAP authenticator state machine through the interface defined between them. The EAP authenticator processes these messages and generates EAP messages (EAP-Request, EAP-Success and EAP-Failure messages) that are passed to the PAA state machine for transmission.

For example, [I-D.ietf-eap-statemachine] specifies four interfaces to lower layers: (i) an interface between the EAP peer state machine and a lower layer, (ii) an interface between the EAP standalone authenticator state machine and a lower layer, (iii) an interface between the EAP full authenticator state machine and a lower layer and (iv) an interface between the EAP backend authenticator state machine and a lower layer. In this document, the PANA protocol is the lower layer of EAP and only the first three interfaces are of interest to PANA. The second and third interfaces are the same. In this regard, the EAP standalone authenticator or the EAP full authenticator and its state machine in [I-D.ietf-eap-statemachine] are referred to as the EAP authenticator and the EAP authenticator state machine, respectively, in this document.

If an EAP peer and an EAP authenticator follow the state machines defined in [I-D.ietf-eap-statemachine], the interfaces between PANA and EAP could be based on that document. Detailed definitions of the interfaces between PANA and EAP are given in the subsequent sections.

3. Document Authority

When a discrepancy occurs between any part of this document and any of the related documents ([I-D.ietf-pana-pana], [I-D.ietf-eap-statemachine]), the latter (the other documents) are considered authoritative and take precedence.

4. Notations

The state transition tables below mostly follow the conventions specified in [I-D.ietf-eap-statemachine]. The conventions are described in full here.

State transition tables are used to represent the operation of the protocol by a number of cooperating state machines, each comprising a group of connected, mutually exclusive states. Only one state of each machine can be active at any given time.

All permissible transitions from a given state to other states, and the associated actions performed when the transitions occur, are represented by triplets of (exit condition, exit action, exit state). All conditions are expressions that evaluate to TRUE or FALSE; if a condition evaluates to TRUE, then the condition is met.

A state "ANY" is a wildcard state that matches the current state in each state machine. The exit conditions of the wildcard state are evaluated after all exit conditions specific to the current state have been evaluated.
On exit from a state, the procedures defined for the state and the exit condition are executed exactly once, in the order that they appear on the page. (Note that the procedures defined in [I-D.ietf-eap-statemachine] are executed on entry to a state, which is one major difference from this document.) Each procedure is deemed to be atomic; i.e., execution of a procedure completes before the next sequential procedure starts to execute. No procedures execute outside of a state block.

The procedures in only one state block execute at a time, even if the conditions for execution of state blocks in different state machines are satisfied, and all procedures in an executing state block complete execution before the transition to and execution of any other state block occurs; i.e., the execution of any state block appears to be atomic with respect to the execution of any other state block, and the transition condition to that state from the previous state is TRUE when execution commences. The order of execution of state blocks in different state machines is undefined except as constrained by their transition conditions. A variable that is set to a particular value in a state block retains this value until a subsequent state block executes a procedure that modifies the value.

On completion of the transition from the previous state to the current state, all exit conditions for the current state (including exit conditions defined for the wildcard state) are evaluated continuously until one of the conditions is met.

Any event variable is set to TRUE when the corresponding event occurs and set to FALSE immediately after completion of the action associated with the current state and the event.

The interpretation of the special symbols and operators used is defined in [I-D.ietf-eap-statemachine].

5. Common Rules

The following procedures, variables, message initialization rules and state transitions are common to both the PaC and PAA state machines.

Throughout this document, the character string "PANA_MESSAGE_NAME" matches any one of the abbreviated PANA message names, i.e., "PDI", "PSR", "PSA", "PAR", "PAN", "PBR", "PBA", "PFER", "PFEA", "PTR", "PTA", "PRAR", "PRAA", "PAUR", "PAUA" and "PER".

5.1 Common Procedures

None()
   A null procedure, i.e., nothing is done.

Disconnect()
   A procedure to delete the PANA session as well as the corresponding EAP session and authorization state.

boolean Authorize()
   A procedure to create or modify authorization state. It returns TRUE if authorization is successful. Otherwise, it returns FALSE. It is assumed that the Authorize() procedure of the PaC state machine always returns TRUE.

Tx:PANA_MESSAGE_NAME()
   A procedure to send a PANA message to its peering PANA entity.

TxEAP()
   A procedure to send an EAP message to the EAP state machine it interfaces to.

RtxTimerStart()
   A procedure to start the retransmission timer, reset the RTX_COUNTER variable to zero and set an appropriate value to the RTX_MAX_NUM variable.

RtxTimerStop()
   A procedure to stop the retransmission timer.

SessionTimerStart()
   A procedure to start the PANA session timer.

Retransmit()
   A procedure to retransmit a PANA message and increment RTX_COUNTER by one (1).

EAP_Restart()
   A procedure to (re)start an EAP conversation.

void PANA_MESSAGE_NAME.insert_avp("AVP_NAME")
   A procedure to insert an AVP of the specified AVP name in the specified PANA message.

boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME")
   A procedure that checks whether an AVP of the specified AVP name exists in the specified PANA message and returns TRUE if the specified AVP is found, otherwise returns FALSE.

boolean key_available()
   A procedure to check whether the PANA session has a PANA_MAC_KEY. If the state machine already has a PANA_MAC_KEY, it returns TRUE. If the state machine does not have a PANA_MAC_KEY, it tries to retrieve an AAA-Key from the EAP entity. If an AAA-Key is retrieved, it computes a PANA_MAC_KEY from the AAA-Key and returns TRUE. Otherwise, it returns FALSE.

5.2 Common Variables

PANA_MESSAGE_NAME.S_flag
   This variable contains the S-Flag value of the specified PANA message.

PBR.RESULT_CODE
   This variable contains the Result-Code AVP value in the PANA-Bind-Request message in process.

RTX_COUNTER
   This variable contains the current number of retransmissions of the outstanding PANA message.

Rx:PANA_MESSAGE_NAME
   This event variable is set to TRUE when the specified PANA message is received from its peering PANA entity.

RTX_TIMEOUT
   This event variable is set to TRUE when the retransmission timer expires.

EAP_REAUTH
   This event variable is set to TRUE when an initiation of EAP-based re-authentication is triggered.

FAST_REAUTH
   This event variable is set to TRUE when initiation of re-authentication based on the PRAR-PRAA exchange is triggered.

SESS_TIMEOUT
   This event variable is set to TRUE when the session timer expires.

ABORT_ON_1ST_EAP_FAILURE
   This variable indicates whether the PANA session is immediately terminated when the 1st EAP authentication fails.

ANY
   This event variable is set to TRUE when any event occurs.

5.3 Constants

RTX_MAX_NUM
   Configurable maximum for how many retransmissions should be attempted before aborting.

5.4 Common Message Initialization Rules

When a message is prepared for sending, it is initialized as follows:

o For a request message, the R-flag of the header is set. Otherwise, the R-flag is not set.

o The S-flag and N-flag of the header are not set.

o AVPs that must be included in a message are inserted with appropriate values set.
5.5 Common State Transitions

The following transitions can occur in any state.

----------
State: ANY
----------

Exit Condition           Exit Action                Exit State
------------------------+--------------------------+------------
- - - - - - - - - - (Reach maximum number of retransmission)- - -
RTX_TIMEOUT &&           Retransmit();              (no change)
RTX_COUNTER<RTX_MAX_NUM

RTX_TIMEOUT &&           Disconnect();              CLOSED
RTX_COUNTER>=RTX_MAX_NUM

SESS_TIMEOUT             Disconnect();              CLOSED
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-------------
State: CLOSED
-------------

Exit Condition           Exit Action                Exit State
------------------------+--------------------------+------------
- - - - - - - -(Session termination initiated by PaC) - - - - - -
ANY                      None();                    CLOSED
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6. PaC State Machine

6.1 Interface between PaC and EAP Peer

This interface defines the interactions between a PaC and an EAP peer. The interface serves as a mechanism to deliver EAP messages for the EAP peer. It allows the EAP peer to receive EAP requests and send EAP responses via the PaC. It also provides a mechanism to notify the EAP peer of PaC events and a mechanism to receive notification of EAP peer events. The EAP message delivery mechanism as well as the event notification mechanism in this interface have a direct correlation with the PaC state transition table entries. These message delivery and event notification mechanisms occur only within the context of their associated states or exit actions.

6.1.1 Delivering EAP Messages from PaC to EAP Peer

The TxEAP() procedure in the PaC state machine serves as the mechanism to deliver EAP requests contained in PANA-Auth-Request messages to the EAP peer. This procedure is enabled only after an EAP restart event has been notified to the EAP peer.
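The evaluation model of Section 4 and the common transitions of Section 5.5 can be exercised directly. The Python below is an added example, not code from the draft or from any PANA implementation: it runs a table of (exit condition, exit action, exit state) triplets with the current state's rows tried before the ANY wildcard rows, includes the RTX_TIMEOUT and SESS_TIMEOUT rows of Section 5.5 and the PaC's Rx:PTR row of Section 6.4, and clears the event variable once the action has run. RTX_MAX_NUM=3, the Session class and the log-only Tx procedures are assumptions made for the example.

```python
"""Table-driven evaluation of PANA (exit condition, exit action, exit state)
triplets. Added example; the Tx/MAC handling is reduced to a log entry."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

RTX_MAX_NUM = 3  # assumed value for the configurable constant of Section 5.3


@dataclass
class Session:
    """The variables one PANA session carries between state blocks."""
    state: str = "OFFLINE"
    rtx_counter: int = 0            # RTX_COUNTER
    connected: bool = True          # cleared by Disconnect()
    events: Dict[str, bool] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def ev(self, name: str) -> bool:
        """Read an event variable; an event that never occurred is FALSE."""
        return self.events.get(name, False)


# Section 5.1 procedures, reduced to the bookkeeping that matters here.
def retransmit(s: Session) -> None:
    s.rtx_counter += 1
    s.log.append("Retransmit")


def disconnect(s: Session) -> None:
    s.connected = False
    s.log.append("Disconnect")


def none(s: Session) -> None:
    s.log.append("None")


def tx(msg: str) -> Callable[[Session], None]:
    """Tx:<msg>() as a procedure; a real one would build and send the PDU."""
    def send(s: Session) -> None:
        s.log.append("Tx:" + msg)
    return send


# A row is (exit condition, exit actions in order, exit state); None as the
# exit state stands for "(no change)".
Row = Tuple[Callable[[Session], bool], List[Callable[[Session], None]], Optional[str]]

TABLE: Dict[str, List[Row]] = {
    "ANY": [  # Section 5.5, evaluated after the current state's own rows
        (lambda s: s.ev("RTX_TIMEOUT") and s.rtx_counter < RTX_MAX_NUM,
         [retransmit], None),
        (lambda s: s.ev("RTX_TIMEOUT") and s.rtx_counter >= RTX_MAX_NUM,
         [disconnect], "CLOSED"),
        (lambda s: s.ev("SESS_TIMEOUT"), [disconnect], "CLOSED"),
    ],
    "CLOSED": [  # Section 5.5: any event in CLOSED does nothing
        (lambda s: True, [none], "CLOSED"),
    ],
    "OPEN": [  # Section 6.4: session termination initiated by the PAA
        (lambda s: s.ev("Rx:PTR"), [tx("PTA"), disconnect], "CLOSED"),
    ],
}


def step(s: Session, event: str) -> str:
    """Raise one event variable, evaluate the exit conditions of the current
    state (its own rows first, then the ANY rows), run the first matching
    row's procedures exactly once and in order, clear the event variable as
    Section 4 requires, and return the resulting state."""
    s.events[event] = True
    for cond, actions, nxt in TABLE.get(s.state, []) + TABLE["ANY"]:
        if cond(s):
            for action in actions:
                action(s)
            if nxt is not None:
                s.state = nxt
            break
    s.events[event] = False
    return s.state


def run(start: str, events: List[str]) -> Session:
    """Drive a fresh session that begins in state `start` through `events`."""
    s = Session(state=start)
    for e in events:
        step(s, e)
    return s
```

Four RTX_TIMEOUT events from WAIT_PAA yield three Retransmit() calls and then Disconnect() into CLOSED, while Rx:PTR in OPEN is handled by the state's own row before the wildcard rows are consulted.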
In the case where the EAP peer follows the EAP peer state machine defined in [I-D.ietf-eap-statemachine], the TxEAP() procedure sets the eapReq variable of the EAP peer state machine and puts the EAP request in the eapReqData variable of the EAP peer state machine.

6.1.2 Delivering EAP Responses from EAP Peer to PaC

An EAP response is delivered from the EAP peer to the PaC via the EAP_RESPONSE event variable. The event variable is set when the EAP peer passes the EAP response to its lower layer. In the case where the EAP peer follows the EAP peer state machine defined in [I-D.ietf-eap-statemachine], the EAP_RESPONSE event variable refers to the eapResp variable of the EAP peer state machine and the EAP response is contained in the eapRespData variable of the EAP peer state machine.

6.1.3 EAP Restart Notification from PaC to EAP Peer

The EAP peer state machine defined in [I-D.ietf-eap-statemachine] has an initialization procedure before receiving an EAP request. To initialize the EAP state machine, the PaC state machine defines an event notification mechanism to send an EAP (re)start event to the EAP peer. The event notification is done via the EAP_Restart() procedure in the initialization action of the PaC state machine.

6.1.4 EAP Authentication Result Notification from EAP Peer to PaC

In order for the EAP peer to notify the PaC of an EAP authentication result, the EAP_SUCCESS and EAP_FAILURE event variables are defined. In the case where the EAP peer follows the EAP peer state machine defined in [I-D.ietf-eap-statemachine], the EAP_SUCCESS and EAP_FAILURE event variables refer to the eapSuccess and eapFail variables of the EAP peer state machine, respectively. In this case, if the EAP_SUCCESS event variable is set to TRUE and an AAA-Key is generated by the EAP authentication method in use, the eapKeyAvailable variable is set to TRUE and the eapKeyData variable contains the AAA-Key.

Note that the EAP_SUCCESS and EAP_FAILURE event variables may be set to TRUE even before the PaC receives a PBR or a PFER from the PAA.

6.1.5 Alternate Failure Notification from PaC to EAP Peer

The alt_reject() procedure in the PaC state machine serves as the mechanism to deliver an authentication failure event to the EAP peer without an accompanying EAP message. In the case where the EAP peer follows the EAP peer state machine defined in [I-D.ietf-eap-statemachine], the alt_reject() procedure sets the altReject variable of the EAP peer state machine.

Note that the EAP peer state machine in [I-D.ietf-eap-statemachine] also defines an altAccept variable; however, it is never used in PANA, in which EAP-Success messages are reliably delivered by the PANA-Bind exchange.

6.1.6 EAP Invalid Message Notification from EAP Peer to PaC

In order for the EAP peer to notify the PaC of the receipt of an invalid EAP message, the EAP_INVALID_MSG event variable is defined. In the case where the EAP peer follows the EAP peer state machine defined in [I-D.ietf-eap-statemachine], the EAP_INVALID_MSG event variable refers to the eapNoResp variable of the EAP peer state machine.

6.2 Variables

SEPARATE
   This variable indicates whether the PaC desires NAP/ISP separate authentication.

1ST_EAP
   This variable indicates whether the 1st EAP authentication has succeeded, failed or not yet completed.

TERMINATE
   This event variable is set to TRUE when initiation of PANA session termination is triggered.

AUTH_USER
   This event variable is set to TRUE when initiation of EAP-based (re-)authentication is triggered by the application.

MOBILITY
   This variable indicates whether the mobility handling feature described in [I-D.ietf-pana-pana] is supported.

PANA_SA_RESUMED
   This variable indicates whether the PANA SA of a previous PANA session was resumed during the discovery and initial handshake.
EAP_SUCCESS This event variable is set to TRUE when the EAP peer determines that EAP conversation completes with success. EAP_FAILURE This event variable is set to TRUE when the EAP peer determines that EAP conversation completes with failure. EAP_RESPONSE This event variable is set to TRUE when the EAP peer delivers an EAP Response to the PaC. This event accompanies an EAP-Response message received from the EAP peer. EAP_INVALID_MSG This event variable is set to TRUE when the EAP peer silently discards an EAP message. This event does not accompany any EAP message. UPDATE_DEVICE_ID This event variable is set to TRUE when there is a change in the device identifier of the PaC. Ohba, et al. Expires January 9, 2005 [Page 16] Internet-Draft PANA State Machines July 2004 UPDATE_POPA This event variable is set to TRUE when there is a change in the POPA of the PaC. 6.3 Procedures boolean choose_isp() This procedure returns TRUE when the PaC chooses one ISP, otherwise returns FALSE. boolean resume_pana_sa() This procedure returns TRUE when a PANA SA for a previously established PANA Session is resumed, otherwise returns FALSE. Once a PANA SA is resumed, key_available() procedure must return TRUE. void alt_reject() This procedure informs the EAP peer of an authentication failure event without accompanying an EAP message. 6.4 PaC State Transition Table ------------------------------ State: OFFLINE (Initial State) ------------------------------ Initialization Action: SEPARATE=Set|Unset; 1ST_EAP=Unset; RtxTimerStop(); PANA_SA_RESUMED=Unset; EAP_Restart(); Exit Condition Exit Action Exist State ------------------------+--------------------------+------------ - - - - - - - - - - - - - (PSR processing) - - - - - - - - - - - Rx:PSR && RtxTimerStop(); WAIT_EAP_MSG_ PSR.exist_avp TxEAP(); IN_DISC ("EAP-Payload") SEPARATE=Unset; Rx:PSR && RtxTimerStop(); WAIT_PAA !PSR.exist_avp PSA.insert_avp ("EAP-Payload") && ("Session-Id"); Ohba, et al. 
Expires January 9, 2005 [Page 17] Internet-Draft PANA State Machines July 2004 MOBILITY==Set && PSA.insert_avp("Nonce"); resume_pana_sa() && PANA_SA_RESUMED=Set; PSR.exist_avp PSA.insert_avp("Cookie"); ("Cookie") PSA.insert_avp("MAC"); Tx:PSA(); RtxTimerStart(); SEPARATE=Unset; Rx:PSR && RtxTimerStop(); WAIT_PAA !PSR.exist_avp PSA.insert_avp ("EAP-Payload") && ("Session-Id"); MOBILITY==Set && PSA.insert_avp("Nonce"); resume_pana_sa() && PSA.insert_avp("MAC"); !PSR.exist_avp Tx:PSA(); ("Cookie") PANA_SA_RESUMED=Set; Rx:PSR && RtxTimerStop(); WAIT_PAA !PSR.exist_avp if (choose_isp()) ("EAP-Payload") && PSA.insert_avp("ISP"); (MOBILITY==Unset || PSA.S_flag=1; !resume_pana_sa()) && PSA.insert_avp("Cookie"); PSR.S_flag==1 && Tx:PSA(); SEPARATE==Set && RtxTimerStart(); PSR.exist_avp ("Cookie") Rx:PSR && RtxTimerStop(); WAIT_PAA !PSR.exist_avp if (choose_isp()) ("EAP-Payload") && PSA.insert_avp("ISP"); (MOBILITY==Unset || PSA.S_flag=1; !resume_pana_sa()) && Tx:PSA(); PSR.S_flag==1 && SEPARATE==Set && !PSR.exist_avp ("Cookie") Rx:PSR && RtxTimerStop(); WAIT_PAA !PSR.exist_avp if (choose_isp()) ("EAP-Payload") && PSA.insert_avp("ISP"); (MOBILITY==Unset || PSA.insert_avp("Cookie"); !resume_pana_sa()) && Tx:PSA(); (PSA.S_flag!=1 || RtxTimerStart(); SEPARATE==Unset) && SEPARATE=Unset; PSR.exist_avp ("Cookie") Rx:PSR && RtxTimerStop(); WAIT_PAA !PSR.exist_avp if (choose_isp()) Ohba, et al. 
Expires January 9, 2005 [Page 18] Internet-Draft PANA State Machines July 2004 ("EAP-Payload") && PSA.insert_avp("ISP"); (MOBILITY==Unset || Tx:PSA(); !resume_pana_sa()) && SEPARATE=Unset; (PSA.S_flag!=1 || SEPARATE==Unset) && !PSR.exist_avp ("Cookie") - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Authentication trigger from application) - - - AUTH_USER Tx:PDI(); OFFLINE RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------------------- State: WAIT_EAP_MSG_IN_DISC --------------------------- Exit Condition Exit Action Exist State ------------------------+--------------------------+------------ - - - - - - - - - - - (Return PSA with EAP-Payload) - - - - - - EAP_RESPONSE PSA.insert_avp WAIT_PAA ("EAP-Payload")) Tx:PSA(); EAP_INVALID_MSG None(); OFFLINE - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------- State: WAIT_PAA --------------- Exit Condition Exit Action Exist State ------------------------+--------------------------+------------ - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - - Rx:PAR RtxTimerStop(); WAIT_EAP_MSG TxEAP(); PANA_SA_RESUMED=Unset; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - - Rx:PFER && 1ST_EAP=Success; WAIT_1ST_EAP_RESULT 1ST_EAP==Unset && TxEAP(); SEPARATE==Set && PFER.RESULT_CODE== PANA_SUCCESS && PFER.S_flag==1 Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_RESULT Ohba, et al. 
Expires January 9, 2005 [Page 19] Internet-Draft PANA State Machines July 2004 1ST_EAP==Unset && TxEAP(); SEPARATE==Set && PFER.RESULT_CODE!= PANA_SUCCESS && PFER.S_flag==1 && ABORT_ON_1ST_EAP_FAILURE ==Unset && PFER.exit_avp ("EAP-Payload") Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_RESULT 1ST_EAP==Unset && alt_reject(); SEPARATE==Set && PFER.RESULT_CODE!= PANA_SUCCESS && PFER.S_flag==1 && ABORT_ON_1ST_EAP_FAILURE ==Unset && !PFER.exit_avp ("EAP-Payload") Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ 1ST_EAP==Unset && TxEAP(); RESULT_CLOSED SEPARATE==Set && PFER.RESULT_CODE!= PANA_SUCCESS && (PFER.S_flag==0 || ABORT_ON_1ST_EAP_FAILURE ==Set) && PFER.exist_avp ("EAP-Payload") Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ 1ST_EAP==Unset && alt_reject(); RESULT_CLOSED SEPARATE==Set && PFER.RESULT_CODE!= PANA_SUCCESS && (PFER.S_flag==0 || ABORT_ON_1ST_EAP_FAILURE ==Set) && !PFER.exist_avp ("EAP-Payload") Rx:PBR && TxEAP(); WAIT_EAP_RESULT 1ST_EAP==Unset && SEPARATE==Unset && PBR.RESULT_CODE== PANA_SUCCESS && Ohba, et al. 
Expires January 9, 2005 [Page 20] Internet-Draft PANA State Machines July 2004 PANA_SA_RESUMED!=Set Rx:PBR && PBA.insert_avp("Key-Id"); OPEN 1ST_EAP==Unset && PBA.insert_avp("MAC"); SEPARATE==Unset && TxPBA(); PBR.RESULT_CODE== Authorize(); PANA_SUCCESS && SessionTimerStart(); PANA_SA_RESUMED==Set && PBR.exist_avp ("Nonce") && PBR.exist_avp ("Key-Id") && PBR.exist_avp ("MAC") Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ 1ST_EAP==Unset && CLOSE SEPARATE==Unset && PBR.RESULT_CODE!= PANA_SUCCESS && PBR.exist_avp ("EAP-Payload") Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ 1ST_EAP==Unset && CLOSE SEPARATE==Unset && PBR.RESULT_CODE!= PANA_SUCCESS && !PBR.exist_avp ("EAP-Payload") - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(2nd EAP result) - - - - - - - - - Rx:PBR && TxEAP(); WAIT_EAP_RESULT 1ST_EAP==Success && PBR.RESULT_CODE== PANA_SUCCESS && PBR.exist_avp ("EAP-Payload"); Rx:PBR && alt_reject(); WAIT_EAP_RESULT 1ST_EAP==Success && PBR.RESULT_CODE== PANA_SUCCESS && !PBR.exist_avp ("EAP-Payload"); Rx:PBR && TxEAP(); WAIT_EAP_RESULT 1ST_EAP==Success && Ohba, et al. 
Expires January 9, 2005 [Page 21] Internet-Draft PANA State Machines July 2004 PBR.RESULT_CODE!= PANA_SUCCESS && PBR.exist_avp ("EAP-Payload") Rx:PBR && alt_reject(); WAIT_EAP_RESULT 1ST_EAP==Success && PBR.RESULT_CODE!= PANA_SUCCESS && !PBR.exist_avp ("EAP-Payload") Rx:PBR && TxEAP(); WAIT_EAP_RESULT 1ST_EAP==Failure && PBR.RESULT_CODE== PANA_SUCCESS Rx:PBR && TxEAP() WAIT_EAP_RESULT_ 1ST_EAP==Failure && CLOSE PBR.RESULT_CODE!= PANA_SUCCESS && PBR.exist_avp ("EAP-Payload") Rx:PBR && alt_reject() WAIT_EAP_RESULT_ 1ST_EAP==Failure && CLOSE PBR.RESULT_CODE!= PANA_SUCCESS && !PBR.exist_avp ("EAP-Payload") - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ------------------- State: WAIT_EAP_MSG ------------------- Exit Condition Exit Action Exist State ------------------------+--------------------------+------------ - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - - EAP_RESPONSE if (key_available()) WAIT_PAA PAN.insert_avp("MAC"); PAN.S_flag=PAR.S_flag; PAN.N_flag=PAR.N_flag; Tx:PAN(); EAP_INVALID_MSG || None(); WAIT_PAA EAP_SUCCESS || EAP_FAILURE Ohba, et al. 
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------------
   State: WAIT_EAP_RESULT
   ----------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - -
   EAP_SUCCESS &&           PBA.insert_avp("MAC");     OPEN
   PBR.exist_avp            PBA.insert_avp("Key-Id");
   ("Key-Id")               Tx:PBA();
                            Authorize();
                            SessionTimerStart();

   EAP_SUCCESS &&           if (key_available())       OPEN
   !PBR.exist_avp             PBA.insert_avp("MAC");
   ("Key-Id")               Tx:PBA();
                            SessionTimerStart();
                            Authorize();

   EAP_FAILURE              if (key_available())       OPEN
                              PBA.insert_avp("MAC");
                            Tx:PBA();

   EAP_INVALID_MSG          None();                    WAIT_PAA
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------------------
   State: WAIT_EAP_RESULT_CLOSE
   ----------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - -
   EAP_SUCCESS &&           PBA.insert_avp("MAC");     CLOSED
   PBR.exist_avp            PBA.insert_avp("Key-Id");
   ("Key-Id")               Tx:PBA();
                            Disconnect();

   EAP_SUCCESS &&           if (key_available())       CLOSED
   !PBR.exist_avp             PBA.insert_avp("MAC");
   ("Key-Id")               Tx:PBA();
                            Disconnect();

   EAP_FAILURE              Tx:PBA();                  CLOSED
                            Disconnect();

   EAP_INVALID_MSG          None();                    WAIT_PAA
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   --------------------------
   State: WAIT_1ST_EAP_RESULT
   --------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - -
   EAP_SUCCESS &&           PFEA.insert_avp("Key-Id"); WAIT_PAA
   PFER.exist_avp           PFEA.S_flag=1;
   ("Key-Id")               PFEA.N_flag=PFER.N_flag;
                            PFEA.insert_avp("MAC");
                            Tx:PFEA();

   (EAP_SUCCESS &&          if (key_available())       WAIT_PAA
   !PFER.exist_avp            PFEA.insert_avp("MAC");
   ("Key-Id")) ||           PFEA.S_flag=1;
   EAP_FAILURE              PFEA.N_flag=PFER.N_flag;
                            Tx:PFEA();

   EAP_INVALID_MSG          None();                    WAIT_PAA
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   --------------------------------
   State: WAIT_1ST_EAP_RESULT_CLOSE
   --------------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - -
   EAP_SUCCESS &&           PFEA.insert_avp("Key-Id"); CLOSED
   PFER.exist_avp           PFEA.S_flag=0;
   ("Key-Id")               PFEA.N_flag=0;
                            PFEA.insert_avp("MAC");
                            Tx:PFEA();
                            Disconnect();

   (EAP_SUCCESS &&          if (key_available())       CLOSED
   !PFER.exist_avp            PFEA.insert_avp("MAC");
   ("Key-Id")) ||           PFEA.S_flag=0;
   EAP_FAILURE              PFEA.N_flag=0;
                            Tx:PFEA();
                            Disconnect();

   EAP_INVALID_MSG          None();                    WAIT_PAA
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
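   The following is an added example and is not code from the draft or
   from any PANA implementation.  It turns the PaC rows above into
   running code: the Rx:PBR rows of WAIT_PAA for 1ST_EAP==Success and
   1ST_EAP==Failure (choosing between TxEAP() and alt_reject(), and
   between WAIT_EAP_RESULT and WAIT_EAP_RESULT_CLOSE), and the
   WAIT_EAP_RESULT / WAIT_EAP_RESULT_CLOSE rows that build the PBA.  The
   message and AVP layout, the Result-Code values, the MAC computation
   and the EAP peer stub are assumptions made for this example; the
   rows for 1ST_EAP==Success with PANA_SUCCESS and for 1ST_EAP==Unset
   are on an earlier page and are assumed to lead to WAIT_EAP_RESULT.

```python
"""Added example, not code from the draft or from any PANA implementation:
the PaC side of the PBR/PBA exchange, written from the Rx:PBR rows of
WAIT_PAA (1ST_EAP==Success/Failure) and from the WAIT_EAP_RESULT /
WAIT_EAP_RESULT_CLOSE tables. Message layout, Result-Code values, the MAC
computation and the EAP peer stub are assumptions of this example."""
import hashlib
import hmac

PANA_SUCCESS = 2001                  # ASSUMPTION: illustrative code values only
PANA_AUTHENTICATION_REJECTED = 4001


class Msg:
    """A PANA message: name, Result-Code and a dict of AVPs (assumed layout)."""
    def __init__(self, name, result_code=None, avps=None):
        self.name, self.result_code = name, result_code
        self.avps = dict(avps or {})

    def exist_avp(self, avp):
        return avp in self.avps

    def insert_avp(self, avp, value=b""):
        self.avps[avp] = value


class EapPeerStub:
    """Stand-in for the EAP peer; records what the PaC hands to it."""
    def __init__(self):
        self.delivered, self.alt_rejected = [], False

    def tx_eap(self, payload):            # TxEAP(): an EAP packet from the PBR
        self.delivered.append(payload)

    def alt_reject(self):                 # alt_reject(): failure with no EAP-Failure
        self.alt_rejected = True


class Pac:
    def __init__(self, first_eap, mac_key=None):
        if first_eap not in ("Success", "Failure"):
            raise ValueError("only the 1ST_EAP==Success/Failure rows are modelled")
        self.first_eap, self.mac_key = first_eap, mac_key
        self.state, self.pbr, self.peer = "WAIT_PAA", None, EapPeerStub()
        self.authorized = self.session_timer = self.disconnected = False

    def key_available(self):
        return self.mac_key is not None

    def mac(self, msg):
        """ASSUMPTION: MAC = HMAC-SHA1 over the name and every AVP except MAC."""
        data = msg.name.encode() + b"".join(
            k.encode() + v for k, v in sorted(msg.avps.items()) if k != "MAC")
        return hmac.new(self.mac_key, data, hashlib.sha1).digest()

    def rx_pbr(self, pbr):
        """WAIT_PAA, Rx:PBR: choose TxEAP()/alt_reject() and the next state."""
        if self.state != "WAIT_PAA":
            raise RuntimeError("PBR not expected in state " + self.state)
        self.pbr = pbr
        if pbr.exist_avp("EAP-Payload"):  # let the EAP peer judge the payload
            self.peer.tx_eap(pbr.avps["EAP-Payload"])
            action = "TxEAP"
        else:                             # nothing for the peer: signal out of band
            self.peer.alt_reject()
            action = "alt_reject"
        # Only a failed 1st EAP plus a non-success Result-Code leads to _CLOSE.
        # ASSUMPTION: the 1ST_EAP==Success / PANA_SUCCESS rows on the earlier
        # page also go to WAIT_EAP_RESULT.
        if self.first_eap == "Failure" and pbr.result_code != PANA_SUCCESS:
            self.state = "WAIT_EAP_RESULT_CLOSE"
        else:
            self.state = "WAIT_EAP_RESULT"
        return action, self.state

    def eap_result(self, event, new_key=None):
        """WAIT_EAP_RESULT / WAIT_EAP_RESULT_CLOSE: build the PBA and move on."""
        if self.state not in ("WAIT_EAP_RESULT", "WAIT_EAP_RESULT_CLOSE"):
            raise RuntimeError("EAP result not expected in state " + self.state)
        if event == "EAP_INVALID_MSG":   # None(); back to WAIT_PAA
            self.state = "WAIT_PAA"
            return None
        closing = self.state == "WAIT_EAP_RESULT_CLOSE"
        pba = Msg("PBA")
        if event == "EAP_SUCCESS" and self.pbr.exist_avp("Key-Id"):
            # A Key-Id in the PBR means a fresh PANA_MAC_KEY: the PBA echoes the
            # Key-Id and is always MACed, so a missing key is an error here.
            if new_key is not None:
                self.mac_key = new_key    # ASSUMPTION: derived by the caller
            if self.mac_key is None:
                raise RuntimeError("PBR carried Key-Id but no PANA_MAC_KEY exists")
            pba.insert_avp("Key-Id", self.pbr.avps["Key-Id"])
            pba.insert_avp("MAC", self.mac(pba))
        elif self.key_available() and not (closing and event == "EAP_FAILURE"):
            pba.insert_avp("MAC", self.mac(pba))
        if closing:
            self.disconnected, self.state = True, "CLOSED"
        else:
            if event == "EAP_SUCCESS":    # only EAP success authorizes and starts the timer
                self.authorized = self.session_timer = True
            self.state = "OPEN"
        return pba
```

   The point worth checking in a real PaC is the same one the tables
   make: a PBR without an EAP-Payload never reaches the EAP peer as an
   EAP packet (alt_reject() is used instead), and a PBR that announces a
   new Key-Id is answered with a MACed PBA or not at all.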
   -----------
   State: OPEN
   -----------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - (re-authentication based on PRAR-PRAA exchange initiated by PAA)
   Rx:PRAR                  if (key_available())       OPEN
                              PRAA.insert_avp("MAC");
                            Tx:PRAA();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - (re-authentication based on PRAR-PRAA exchange initiated by PaC)
   FAST_REAUTH              if (key_available())       WAIT_PRAA
                              PRAR.insert_avp("MAC");
                            Tx:PRAR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - (EAP-based re-authentication initiated by PaC)- - - -
   EAP_REAUTH               PDI.insert_avp             WAIT_PAA
                              ("Session-Id");
                            1ST_EAP=Unset;
                            PANA_SA_RESUMED=Unset;
                            Tx:PDI();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - (EAP-based re-authentication initiated by PAA) - - - -
   Rx:PAR                   SEPARATE=Set|Unset;        WAIT_EAP_MSG
                            1ST_EAP=Unset;
                            PANA_SA_RESUMED=Unset;
                            TxEAP();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - (Session termination initiated by PAA) - - - - - -
   Rx:PTR                   if (key_available())       CLOSED
                              PTA.insert_avp("MAC");
                            Tx:PTA();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - (Session termination initiated by PaC) - - - - - -
   TERMINATE                if (key_available())       SESS_TERM
                              PTR.insert_avp("MAC");
                            Tx:PTR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - - -(Address update) - - - - - - - - - - -
   UPDATE_DEVICE_ID ||      if (UPDATE_DEVICE_ID)      WAIT_PAUA
   UPDATE_POPA                PAUR.insert_avp
                                ("Device-Id");
                            if (UPDATE_POPA)
                              PAUR.insert_avp
                                ("IP-Address");
                            if (key_available())
                              PAUR.insert_avp("MAC");
                            Tx:PAUR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------
   State: WAIT_PRAA
   ----------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - (re-authentication based on PRAR-PRAA exchange initiated by PaC)
   Rx:PRAA                  RtxTimerStop();            OPEN
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------
   State: WAIT_PAUA
   ----------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (PAUA processing) - - - - - - - - - -
   Rx:PAUA                  RtxTimerStop();            OPEN
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------
   State: SESS_TERM
   ----------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - -(Session termination initiated by PaC) - - - - -
   Rx:PTA                   Disconnect();              CLOSED
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7.  PAA State Machine

7.1  Interface between PAA and EAP Authenticator

   The interface between a PAA and an EAP authenticator provides a
   mechanism to deliver EAP messages to the EAP authenticator, a
   mechanism to notify the EAP authenticator of PAA events, and a
   mechanism to receive notification of EAP authenticator events.
   These message delivery and event notification mechanisms occur only
   within the context of their associated states or exit actions.

7.1.1  EAP Restart Notification from PAA to EAP Authenticator

   An EAP authenticator state machine defined in
   [I-D.ietf-eap-statemachine] has an initialization procedure that
   runs before the first EAP request is sent.
   To initialize the EAP authenticator state machine, the PAA state
   machine defines an event notification mechanism that sends an EAP
   (re)start event to the EAP authenticator.  The notification is done
   via the EAP_Restart() procedure in the initialization action of the
   PAA state machine.

7.1.2  Delivering EAP Responses from PAA to EAP Authenticator

   The TxEAP() procedure in the PAA state machine is the mechanism for
   delivering EAP-Responses carried in PANA-Auth-Answer messages to the
   EAP authenticator.  This procedure is enabled only after an EAP
   restart event has been notified to the E EAP authenticator.  Where
   the EAP authenticator follows the EAP authenticator state machines
   defined in [I-D.ietf-eap-statemachine], TxEAP() sets the eapResp
   variable of the EAP authenticator state machine and places the EAP
   response in its eapRespData variable.

7.1.3  Delivering EAP Messages from EAP Authenticator to PAA

   An EAP request is delivered from the EAP authenticator to the PAA via
   the EAP_REQUEST event variable.  The event variable is set when the
   EAP authenticator passes the EAP request to its lower layer.  Where
   the EAP authenticator follows the EAP authenticator state machines
   defined in [I-D.ietf-eap-statemachine], the EAP_REQUEST event
   variable refers to the eapReq variable of the EAP authenticator
   state machine and the EAP request is contained in its eapReqData
   variable.

7.1.4  EAP Authentication Result Notification from EAP Authenticator to
       PAA

   In order for the EAP authenticator to notify the PAA of the EAP
   authentication result, the EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT
   event variables are defined.
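   The following is an added example, not code from the draft or from
   any PANA or EAP implementation.  It models the four interface
   mechanisms of Section 7.1 against a toy EAP authenticator that uses
   the variable names of [I-D.ietf-eap-statemachine] (eapReq,
   eapReqData, eapResp, eapRespData, eapSuccess, eapFail, eapTimeout,
   eapKeyAvailable, eapKeyData), together with the key_available() and
   new_key_available() procedures of Section 7.3.  The toy
   authenticator (Identity request, then Success), the AAA-Key value and
   the PANA_MAC_KEY derivation are assumptions of this example; the real
   derivation is specified in [I-D.ietf-pana-pana].  The example also
   shows the check the draft implies but does not spell out: TxEAP()
   refuses packets before EAP_Restart() and packets whose EAP header
   is malformed.

```python
"""Added example, not from the draft: a model of the PAA-to-EAP-authenticator
interface of Section 7.1 using the variable names of
[I-D.ietf-eap-statemachine]. The toy authenticator, the AAA-Key and the
PANA_MAC_KEY derivation are assumptions of this example."""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def build_eap(code, ident, eap_type=None, data=b""):
    """Encode an RFC 3748 EAP packet: Code, Identifier, Length, [Type, Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(data):
    """Decode an EAP packet; raise ValueError rather than trust a bad header."""
    if len(data) < 4:
        raise ValueError("shorter than the EAP header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise ValueError("unknown EAP Code")
    if length < 4 or length > len(data):
        raise ValueError("Length field inconsistent with the packet")
    body = data[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE) and not body:
        raise ValueError("Request/Response without a Type octet")
    return {"code": code, "id": ident,
            "type": body[0] if body else None, "data": body[1:]}


def is_valid_eap(data):
    try:
        parse_eap(data)
        return True
    except ValueError:
        return False


class ToyEapAuthenticator:
    """ASSUMPTION: stand-in for the EAP authenticator state machine. It sends
    Request/Identity, accepts a matching Identity Response, then exports a
    fixed AAA-Key. Only the interface variables matter here."""
    def __init__(self, aaa_key):
        self._aaa_key, self._ident = aaa_key, 0
        self.eapReq = self.eapResp = False
        self.eapReqData = self.eapRespData = None
        self.eapSuccess = self.eapFail = self.eapTimeout = False
        self.eapKeyAvailable, self.eapKeyData = False, None

    def restart(self):                       # (re)start: emit the first EAP-Request
        self.eapSuccess = self.eapFail = False
        self._ident = 1
        self.eapReqData = build_eap(EAP_REQUEST, self._ident, EAP_TYPE_IDENTITY)
        self.eapReq = True

    def step(self):                          # consume eapResp / eapRespData
        if not self.eapResp:
            return
        self.eapResp = False
        r = parse_eap(self.eapRespData)
        if r["id"] == self._ident and r["type"] == EAP_TYPE_IDENTITY:
            self.eapReqData = build_eap(EAP_SUCCESS, self._ident)
            self.eapSuccess, self.eapKeyAvailable = True, True
            self.eapKeyData = self._aaa_key
        else:
            self.eapReqData = build_eap(EAP_FAILURE, self._ident)
            self.eapFail = True


class PaaEapInterface:
    """PAA side of Section 7.1 plus key_available()/new_key_available() of 7.3."""
    def __init__(self, auth):
        self.auth, self.restarted, self.pana_mac_key = auth, False, None

    def EAP_Restart(self):                   # 7.1.1
        self.restarted = True
        self.auth.restart()

    def TxEAP(self, eap_response):           # 7.1.2: EAP-Response carried in a PAN
        # disabled until EAP_Restart(); malformed or non-Response packets are dropped
        if not self.restarted or not is_valid_eap(eap_response):
            return False
        if parse_eap(eap_response)["code"] != EAP_RESPONSE:
            return False
        self.auth.eapRespData, self.auth.eapResp = eap_response, True
        self.auth.step()
        return True

    def EAP_REQUEST(self):                   # 7.1.3: eapReq/eapReqData, goes into a PAR
        if not self.auth.eapReq:
            return None
        self.auth.eapReq = False
        return self.auth.eapReqData

    def result(self):                        # 7.1.4: which result event fired
        for flag, name in ((self.auth.eapSuccess, "EAP_SUCCESS"),
                           (self.auth.eapFail, "EAP_FAILURE"),
                           (self.auth.eapTimeout, "EAP_TIMEOUT")):
            if flag:
                return name
        return None

    def key_available(self):
        return self.pana_mac_key is not None

    def new_key_available(self, pac_nonce, paa_nonce, session_id):
        """FALSE if a PANA_MAC_KEY already exists or no AAA-Key was exported.
        ASSUMPTION: HMAC-SHA1(AAA-Key, PaC_nonce|PAA_nonce|Session-Id) stands in
        for the derivation defined in [I-D.ietf-pana-pana]."""
        if self.pana_mac_key is not None or not self.auth.eapKeyAvailable:
            return False
        self.pana_mac_key = hmac.new(self.auth.eapKeyData,
                                     pac_nonce + paa_nonce + session_id,
                                     hashlib.sha1).digest()
        return True


def run_identity_exchange():
    """One Identity round; returns (early_TxEAP_accepted, result, first, second, key)."""
    paa = PaaEapInterface(ToyEapAuthenticator(aaa_key=b"\x11" * 64))  # constructed key
    early = paa.TxEAP(build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice"))
    paa.EAP_Restart()
    ident = parse_eap(paa.EAP_REQUEST())["id"]           # Request/Identity, sent in a PAR
    paa.TxEAP(build_eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, b"alice"))  # from a PAN
    first = paa.new_key_available(b"pac-nonce", b"paa-nonce", b"sess-1")
    second = paa.new_key_available(b"pac-nonce", b"paa-nonce", b"sess-1")
    return early, paa.result(), first, second, paa.pana_mac_key
```

   new_key_available() returning FALSE on the second call is the
   behaviour the 7.3 definition requires: a Key-Id AVP is only inserted
   when a key was just derived, so the PAA must not re-derive on every
   PBR it builds.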
   Where the EAP authenticator follows the EAP authenticator state
   machines defined in [I-D.ietf-eap-statemachine], the EAP_SUCCESS,
   EAP_FAILURE and EAP_TIMEOUT event variables refer to the eapSuccess,
   eapFail and eapTimeout variables of the EAP authenticator state
   machine, respectively.  In this case, if the EAP_SUCCESS event
   variable is set to TRUE, an EAP-Success message is contained in the
   eapReqData variable of the EAP authenticator state machine; in
   addition, the eapKeyAvailable variable is set to TRUE and the
   eapKeyData variable contains an AAA-Key if one was generated as a
   result of successful authentication by the EAP method in use.
   Similarly, if the EAP_FAILURE event variable is set to TRUE, an
   EAP-Failure message is contained in the eapReqData variable of the
   EAP authenticator state machine.  The PAA uses the EAP_SUCCESS,
   EAP_FAILURE and EAP_TIMEOUT event variables as the trigger to send a
   PBR or a PFER message to the PaC.

7.2  Variables

   USE_COOKIE

      This variable indicates whether the PAA uses a Cookie.

   PIGGYBACK

      This variable indicates whether the PAA is able to piggyback an
      EAP-Request in PANA-Start-Request.

   SEPARATE

      This variable indicates whether the PAA provides NAP/ISP separate
      authentication.

   1ST_EAP

      This variable indicates whether the 1st EAP authentication has
      succeeded, has failed or has not yet completed.

   MOBILITY

      This variable indicates whether the mobility handling feature
      described in Section 4.9 of [I-D.ietf-pana-pana] is supported.

   PSA.SESSION_ID

      This variable contains the Session-Id AVP value in the
      PANA-Start-Answer message being processed.

   CARRY_LIFETIME

      This variable indicates whether a Session-Lifetime AVP is carried
      in the PANA-Bind-Request message.

   PROTECTION_CAP

      This variable indicates whether a Protection-Capability AVP is
      carried in the PANA-Bind-Request message.

   CARRY_EP_DEVICE_ID

      This variable indicates whether an EP-Device-Id AVP is carried in
      the PANA-Bind-Request message.
   CARRY_NAP_INFO

      This variable indicates whether a NAP-Information AVP is carried
      in the PANA-Start-Request message.

   CARRY_ISP_INFO

      This variable indicates whether an ISP-Information AVP is carried
      in the PANA-Start-Request message.

   NAP_AUTH

      This variable indicates whether a NAP authentication is being
      performed.

   CARRY_PPAC

      This variable indicates whether a Post-PANA-Address-Configuration
      AVP is carried in the PANA-Start-Request message.

   PAC_FOUND

      This event variable is set to TRUE when the EP reports the
      presence of a new PaC.

   FAST_REAUTH

      This event variable is set to TRUE when initiation of
      re-authentication based on a PRAR-PRAA exchange is triggered.

   TERMINATE

      This event variable is set to TRUE when initiation of PANA
      session termination is triggered.

   EAP_SUCCESS

      This event variable is set to TRUE when the EAP conversation
      completes with success.  This event accompanies an EAP-Success
      message passed from the EAP authenticator.

   EAP_FAILURE

      This event variable is set to TRUE when the EAP conversation
      completes with failure.  This event accompanies an EAP-Failure
      message passed from the EAP authenticator.

   EAP_REQUEST

      This event variable is set to TRUE when the EAP authenticator
      delivers an EAP Request to the PAA.  This event accompanies an
      EAP-Request message received from the EAP authenticator.

   EAP_TIMEOUT

      This event variable is set to TRUE when the EAP conversation
      times out without generating an EAP-Success or an EAP-Failure
      message.  This event does not accompany any EAP message.

7.3  Procedures

   boolean retrieve_pana_sa(Session-Id)

      This procedure returns TRUE when a PANA SA for the PANA session
      corresponding to the specified Session-Id has been retrieved, and
      FALSE otherwise.

   boolean new_key_available()

      A procedure to check whether the PANA session has a new
      PANA_MAC_KEY.  If the state machine already has a PANA_MAC_KEY,
      it returns FALSE.
      If the state machine does not have a PANA_MAC_KEY, it tries to
      retrieve an AAA-Key from the EAP entity.  If an AAA-Key has been
      retrieved, it computes a PANA_MAC_KEY from the AAA-Key and
      returns TRUE.  Otherwise, it returns FALSE.

7.4  PAA State Transition Table

   ------------------------------
   State: OFFLINE (Initial State)
   ------------------------------

   Initialization Action:

     USE_COOKIE=Set|Unset;
     PIGGYBACK=Set|Unset;
     SEPARATE=Set|Unset;
     if (PIGGYBACK==Set)
       SEPARATE=Unset;
     MOBILITY=Set|Unset;
     1ST_EAP=Unset;
     ABORT_ON_1ST_EAP_FAILURE=Set|Unset;
     PROTECTION_CAP=Set|Unset;
     CARRY_LIFETIME=Set|Unset;
     CARRY_EP_DEVICE_ID=Set|Unset;
     CARRY_NAP_INFO=Set|Unset;
     CARRY_ISP_INFO=Set|Unset;
     CARRY_PPAC=Set|Unset;
     NAP_AUTH=Unset;
     RTX_COUNTER=0;
     RtxTimerStop();

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (Stateful discovery)- - - - - - - - -
   (Rx:PDI ||               EAP_Restart();             WAIT_EAP_MSG_
   PAC_FOUND) &&                                       IN_DISC
   USE_COOKIE==Unset &&
   PIGGYBACK==Set

   (Rx:PDI ||               if (SEPARATE==Set)         STATEFUL_DISC
   PAC_FOUND) &&              PSR.S_flag=1;
   USE_COOKIE==Unset &&     if (CARRY_NAP_INFO==Set)
   PIGGYBACK==Unset           PSR.insert_avp
                                ("NAP-Information");
                            if (CARRY_ISP_INFO==Set)
                              PSR.insert_avp
                                ("ISP-Information");
                            if (CARRY_PPAC==Set)
                              PSR.insert_avp
                                ("Post-PANA-Address-
                                  Configuration");
                            Tx:PSR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - - (Stateless discovery) - - - - - - - - -
   (Rx:PDI ||               if (SEPARATE==Set)         OFFLINE
   PAC_FOUND) &&              PSR.S_flag=1;
   USE_COOKIE==Set          PSR.insert_avp
                              ("Cookie");
                            if (CARRY_NAP_INFO==Set)
                              PSR.insert_avp
                                ("NAP-Information");
                            if (CARRY_ISP_INFO==Set)
                              PSR.insert_avp
                                ("ISP-Information");
                            if (CARRY_PPAC==Set)
                              PSR.insert_avp
                                ("Post-PANA-Address-
                                  Configuration");
                            Tx:PSR();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - (PSA processing without mobility support) - - - - -
   Rx:PSA &&                if (SEPARATE==Set &&       WAIT_EAP_MSG
   USE_COOKIE==Set &&           PSA.S_flag==0)
   (!PSA.exist_avp            SEPARATE=Unset;
   ("Session-Id") ||        EAP_Restart();
   !PSA.exist_avp
   ("Nonce") ||
   MOBILITY==Unset ||
   (MOBILITY==Set &&
   !retrieve_pana_sa
   (PSA.SESSION_ID)))
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - (PSA processing with mobility support)- - - - - -
   Rx:PSA &&                PBR.insert_avp("Nonce");   WAIT_SUCC_PBA
   USE_COOKIE==Set &&       PBR.insert_avp("Key-Id");
   PSA.exist_avp            if (CARRY_EP_DEVICE_ID
   ("Session-Id") &&            ==Set)
   PSA.exist_avp              PBR.insert_avp
   ("Nonce") &&                 ("EP-Device-Id");
   MOBILITY==Set &&         if (PROTECTION_CAP==Set)
   retrieve_pana_sa           PBR.insert_avp
   (PSA.SESSION_ID)             ("Protection-Cap.");
                            PBR.insert_avp("MAC");
                            Tx:PBR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------------------
   State: WAIT_EAP_MSG_IN_DISC
   ---------------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - (Send PSR with EAP-Request) - - - - - - -
   EAP_REQUEST              PSR.insert_avp             STATEFUL_DISC
                              ("EAP-Payload");
                            if (CARRY_NAP_INFO==Set)
                              PSR.insert_avp
                                ("NAP-Information");
                            if (CARRY_ISP_INFO==Set)
                              PSR.insert_avp
                                ("ISP-Information");
                            if (CARRY_PPAC==Set)
                              PSR.insert_avp
                                ("Post-PANA-Address-
                                  Configuration");
                            Tx:PSR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   --------------------
   State: STATEFUL_DISC
   --------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (Stateful discovery)- - - - - - - - -
   Rx:PSA                   if (SEPARATE==Set &&       WAIT_PAN
                                PSA.S_flag==0)
                              SEPARATE=Unset;
                            if (SEPARATE==Set) {
                              PAR.S_flag=1;
                              NAP_AUTH=Set|Unset;
                              if (NAP_AUTH==Set)
                                PAR.N_flag=1;
                            }
                            Tx:PAR();

   EAP_TIMEOUT              Tx:PER();                  CLOSED
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   -------------------
   State: WAIT_EAP_MSG
   -------------------
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - -(Receiving EAP-Request)- - - - - - - - -
   EAP_REQUEST              if (key_available())       WAIT_PAN
                              PAR.insert_avp("MAC");
                            if (SEPARATE==Set) {
                              PAR.S_flag=1;
                              if (NAP_AUTH==Set)
                                PAR.N_flag=1;
                            }
                            Tx:PAR();

   EAP_TIMEOUT              Tx:PER();                  CLOSED
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - -(Receiving EAP-Success/Failure for 1st EAP)- - - - -
   EAP_FAILURE &&           1ST_EAP=Failure;           WAIT_FAIL_PBA
   1ST_EAP==Unset &&        PBR.insert_avp
   SEPARATE==Unset            ("EAP-Payload");
                            if (key_available())
                              PBR.insert_avp("MAC");
                            Tx:PBR();
                            RtxTimerStart();

   EAP_SUCCESS &&           1ST_EAP=Success;           WAIT_SUCC_PBA
   1ST_EAP==Unset &&        PBR.insert_avp
   SEPARATE==Unset &&         ("EAP-Payload");
   Authorize()              if (CARRY_EP_DEVICE_ID
                                ==Set)
                              PBR.insert_avp
                                ("EP-Device-Id");
                            if (CARRY_LIFETIME==Set)
                              PBR.insert_avp
                                ("Session-Lifetime");
                            if (PROTECTION_CAP==Set)
                              PBR.insert_avp
                                ("Protection-Cap.");
                            if (new_key_available())
                              PBR.insert_avp
                                ("Key-Id");
                            if (key_available())
                              PBR.insert_avp("MAC");
                            Tx:PBR();
                            RtxTimerStart();

   EAP_SUCCESS &&           1ST_EAP=Success;           WAIT_FAIL_PBA
   1ST_EAP==Unset &&        PBR.insert_avp
   SEPARATE==Unset &&         ("EAP-Payload");
   !Authorize()             if (new_key_available())
                              PBR.insert_avp
                                ("Key-Id");
                            if (key_available())
                              PBR.insert_avp("MAC");
                            Tx:PBR();
                            RtxTimerStart();

   EAP_FAILURE &&           1ST_EAP=Failure;           WAIT_PFEA
   1ST_EAP==Unset &&        PFER.insert_avp
   SEPARATE==Set &&           ("EAP-Payload");
   ABORT_ON_1ST_EAP_FAILURE if (key_available())
   ==Unset                    PFER.insert_avp("MAC");
                            PFER.S_flag=1;
                            if (NAP_AUTH)
                              PFER.N_flag=1;
                            Tx:PFER();
                            RtxTimerStart();

   EAP_FAILURE &&           1ST_EAP=Failure;           WAIT_FAIL_PFEA
   1ST_EAP==Unset &&        PFER.insert_avp
   SEPARATE==Set &&           ("EAP-Payload");
   ABORT_ON_1ST_EAP_FAILURE if (key_available())
   ==Set                      PFER.insert_avp("MAC");
                            PFER.S_flag=0;
                            Tx:PFER();
                            RtxTimerStart();

   EAP_SUCCESS &&           1ST_EAP=Success;           WAIT_PFEA
   1ST_EAP==Unset &&        PFER.insert_avp
   SEPARATE==Set              ("EAP-Payload");
                            if (new_key_available())
                              PFER.insert_avp
                                ("Key-Id");
                            if (key_available())
                              PFER.insert_avp("MAC");
                            PFER.S_flag=1;
                            if (NAP_AUTH)
                              PFER.N_flag=1;
                            Tx:PFER();
                            RtxTimerStart();

   EAP_TIMEOUT &&           1ST_EAP=Failure;           WAIT_FAIL_PBA
   1ST_EAP==Unset &&        if (key_available())
   SEPARATE==Unset            PBR.insert_avp("MAC");
                            Tx:PBR();
                            RtxTimerStart();
   EAP_TIMEOUT &&           1ST_EAP=Failure;           WAIT_PFEA
   1ST_EAP==Unset &&        if (key_available())
   SEPARATE==Set &&           PFER.insert_avp("MAC");
   ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1;
   ==Unset                  if (NAP_AUTH)
                              PFER.N_flag=1;
                            Tx:PFER();
                            RtxTimerStart();

   EAP_TIMEOUT &&           1ST_EAP=Failure;           WAIT_FAIL_PFEA
   1ST_EAP==Unset &&        if (key_available())
   SEPARATE==Set &&           PFER.insert_avp("MAC");
   ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset;
   ==Set                    PFER.S_flag=0;
                            Tx:PFER();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - -(Receiving EAP-Success/Failure for 2nd EAP)- - - - -
   EAP_FAILURE &&           PBR.insert_avp             WAIT_FAIL_PBA
   1ST_EAP==Failure           ("EAP-Payload");
                            if (key_available())
                              PBR.insert_avp("MAC");
                            if (SEPARATE)
                              PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_SUCCESS &&           PBR.insert_avp             WAIT_SUCC_PBA
   1ST_EAP==Success &&        ("EAP-Payload");
   Authorize()              if (CARRY_EP_DEVICE_ID
                                ==Set)
                              PBR.insert_avp
                                ("EP-Device-Id");
                            if (PROTECTION_CAP==Set)
                              PBR.insert_avp
                                ("Protection-Cap.");
                            if (new_key_available())
                              PBR.insert_avp
                                ("Key-Id");
                            if (key_available())
                              PBR.insert_avp("MAC");
                            if (SEPARATE)
                              PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_SUCCESS &&           PBR.insert_avp             WAIT_FAIL_PBA
   1ST_EAP==Success &&        ("EAP-Payload");
   !Authorize()             if (new_key_available())
                              PBR.insert_avp
                                ("Key-Id");
                            if (key_available())
                              PBR.insert_avp("MAC");
                            if (SEPARATE)
                              PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_FAILURE &&           PBR.insert_avp             WAIT_SUCC_PBA
   1ST_EAP==Success &&        ("EAP-Payload");
   Authorize()              if (key_available())
                              PBR.insert_avp("MAC");
                            if (SEPARATE)
                              PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_FAILURE &&           PBR.insert_avp             WAIT_FAIL_PBA
   1ST_EAP==Success &&        ("EAP-Payload");
   !Authorize()             if (key_available())
                              PBR.insert_avp("MAC");
                            if (SEPARATE)
                              PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_TIMEOUT &&           if (key_available())       WAIT_FAIL_PBA
   1ST_EAP==Failure           PBR.insert_avp("MAC");
                            if (SEPARATE)
                              PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();
   EAP_TIMEOUT &&           if (key_available())       WAIT_SUCC_PBA
   1ST_EAP==Success &&        PBR.insert_avp("MAC");
   Authorize()              if (SEPARATE)
                              PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();

   EAP_TIMEOUT &&           if (key_available())       WAIT_FAIL_PBA
   1ST_EAP==Success &&        PBR.insert_avp("MAC");
   !Authorize()             if (SEPARATE)
                              PBR.S_flag=1;
                            if (NAP_AUTH)
                              PBR.N_flag=1;
                            Tx:PBR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------
   State: WAIT_PFEA
   ----------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - -(PFEA Processing)- - - - - - - - - - - -
   Rx:PFEA &&               if (key_available())       WAIT_EAP_MSG
   PFEA.S_flag==1             PAR.insert_avp("MAC");
                            if (NAP_AUTH==Set) {
                              NAP_AUTH=Unset;
                              PAR.N_flag=0;
                            } else {
                              NAP_AUTH=Set;
                              PAR.N_flag=1;
                            };
                            EAP_Restart();

   Rx:PFEA &&               RtxTimerStop();            CLOSED
   PFEA.S_flag==0           Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------------
   State: WAIT_FAIL_PFEA
   ---------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - -(PFEA Processing)- - - - - - - - - -
   Rx:PFEA                  RtxTimerStop();            CLOSED
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   --------------------
   State: WAIT_SUCC_PBA
   --------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (PBA Processing)- - - - - - - - - - -
   Rx:PBA                   RtxTimerStop();            OPEN
                            SessionTimerStart();
                            Authorize();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   --------------------
   State: WAIT_FAIL_PBA
   --------------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - (PBA Processing)- - - - - - - - - -
   Rx:PBA                   RtxTimerStop();            CLOSED
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   -----------
   State: OPEN
   -----------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - (EAP-based re-authentication) - - - - - - -
   EAP_REAUTH ||            if (key_available())       WAIT_EAP_MSG
   (Rx:PDI &&                 PAR.insert_avp("MAC");
   PDI.exist_avp            EAP_Restart();
   ("Session-Id"))          1ST_EAP=Unset;
                            NAP_AUTH=Set|Unset;
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - (re-authentication based on PRAR-PRAA exchange initiated by PAA)
   FAST_REAUTH              Tx:PRAR();                 WAIT_PRAA
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - (Session termination initiated by PAA) - - - - - -
   TERMINATE                if (key_available())       SESS_TERM
                              PTR.insert_avp("MAC");
                            Tx:PTR();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - (Session termination initiated by PaC) - - - - - -
   Rx:PTR                   if (key_available())       CLOSED
                              PTA.insert_avp("MAC");
                            Tx:PTA();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - - -(Address update) - - - - - - - - - - -
   Rx:PAUR &&               Tx:PAUA();                 OPEN
   Authorize()
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------
   State: WAIT_PRAA
   ----------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (PRAA processing) - - - - - - - - - -
   Rx:PRAA                  RtxTimerStop();            OPEN
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ---------------
   State: WAIT_PAN
   ---------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - (Pass EAP Response to the EAP authenticator)- - - -
   Rx:PAN                   TxEAP();                   WAIT_EAP_MSG

   EAP_TIMEOUT              Tx:PER();                  CLOSED
                            RtxTimerStop();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   ----------------
   State: SESS_TERM
   ----------------

   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - -(PTA processing) - - - - - - - - - -
   Rx:PTA                   RtxTimerStop();            CLOSED
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

8.  Implementation Considerations

8.1  Interface exposed by PANA to the Host System

   It is recommended that the implementation provide a generic
   interface through which the host system can manage the PANA protocol
   stack.  It is conceivable that the PANA protocol stack resides as
   part of the operating system's network services.
   Such an interface will therefore inherently have a certain level of
   system dependency.  However, common procedures such as startup,
   shutdown and re-authentication signals, and provisions for
   extracting keying material, should be provided by all
   implementations.  Host operating systems may require finer control
   over when re-authentication can occur.  Access to keying material is
   especially critical when PANA is used to bootstrap external
   protocols such as IPsec; additional bootstrapping interfaces may
   need to be defined to accommodate such functionality.

8.2  PAA Interface to EP

   Since the PANA protocol stack has a peer relationship with the EP,
   and perhaps with other network services in a host system, it is
   recommended that a standardized interface be defined to accommodate
   their integration.  If the PAA and EP are not co-located, this
   interface may take the form of SNMP conversations between the PAA
   and the EP as defined in [I-D.ietf-pana-snmp].  A standard mechanism
   such as SNMP minimizes the complications associated with proprietary
   PAA-to-EP interfaces.

   If the PAA and the EP are co-located, it is recommended that a
   PAA-to-EP API be defined.  The functionality and definitions of this
   API should use Section 4.4 of [I-D.ietf-pana-requirements] and
   [I-D.ietf-pana-snmp] as a guide.  Such an API may have a certain
   level of system dependency.  However, certain programming models
   allow an API to be exposed in a relatively system-independent way,
   at the cost of performance.  Models such as COM/DCOM, CORBA, SOAP or
   RPC messaging systems may be used to decrease system dependency.
   These models may also support non-co-located invocations of the API
   and may provide some degree of inherent security.  However, such
   usage is recommended only if there is a high level of certainty that
   all entities are within the same administratively secure domain.  It
   is left to the implementation to decide which programming model the
   API will use.
   Such decisions are dictated by software engineering practices as
   well as the implementation environment and are beyond the scope of
   this document.

8.3  Multicast Traffic

   In general, binding a UDP socket to a multicast address and/or port
   is system dependent.  In most systems, a socket can be bound to the
   wildcard (any) address and a specific port.  This allows the socket
   to receive all packets destined for the local host (on all of its
   local addresses) for that port.  If the host joins a multicast
   group, this socket will also receive that multicast traffic.  In
   some systems, this also results in the socket receiving all
   multicast traffic even though the host has joined only one multicast
   group, because most physical interfaces have multicast reception
   either enabled or disabled and do not provide per-address filtering.
   Normally, it is not possible to filter out specific traffic on a
   socket from user level.  Most environments provide lower-layer
   filtering that allows a single socket to receive both unicast
   traffic and traffic for a specific multicast address, but relying on
   it may introduce portability problems.

9.  Security Considerations

   This document's intent is to describe the PANA state machines fully.
   To this end, any security concerns with this document are likely a
   reflection of security concerns with PANA itself.

10.  Acknowledgments

   This work was started from state machines originally made by Dan
   Forsberg.

11.  References

11.1  Normative References

   [I-D.ietf-pana-pana]
              Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H. and A.
              Yegin, "Protocol for Carrying Authentication for Network
              Access (PANA)", draft-ietf-pana-pana-04 (work in
              progress), May 2004.

   [I-D.ietf-eap-statemachine]
              Vollbrecht, J., Eronen, P., Petroni, N. and Y. Ohba,
              "State Machines for Extensible Authentication Protocol
              (EAP) Peer and Authenticator",
              draft-ietf-eap-statemachine-03 (work in progress), March
              2004.

11.2  Informative References

   [I-D.ietf-pana-requirements]
              Yegin, A. and Y. Ohba, "Protocol for Carrying
              Authentication for Network Access (PANA) Requirements",
              draft-ietf-pana-requirements-08 (work in progress), June
              2004.

   [I-D.ietf-pana-snmp]
              Mghazli, Y., Ohba, Y. and J. Bournelle, "SNMP usage for
              PAA-2-EP interface", draft-ietf-pana-snmp-00 (work in
              progress), April 2004.

Authors' Addresses

   Yoshihiro Ohba
   Toshiba America Research, Inc.
   1 Telcordia Drive
   Piscataway, NJ 08854
   USA

   Phone: +1 732 699 5305
   EMail: yohba@tari.toshiba.com

   Victor Fajardo
   Consultant of Toshiba America Research, Inc.
   1 Telcordia Drive
   Piscataway, NJ 08854
   USA

   Phone: +1 732 699 5368
   EMail: vfajardo@msbx.net

   Rafa Marin Lopez
   University of Murcia
   30071 Murcia
   Spain

   EMail: rafa@dif.um.es

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed
   to pertain to the implementation or use of the technology described
   in this document or the extent to which any license under such
   rights might or might not be available; nor does it represent that
   it has made any independent effort to identify any such rights.
   Information on the procedures with respect to rights in RFC
   documents can be found in BCP 78 and BCP 79.
   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on
   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.