Thread: Issue 391: Peer-Ids

Issue 391: Peer-Ids
United States, 2007-02-03 20:53:18
Submitter name: Bernard Aboba
Submitter email address: aboba@internaut.com
Date Submitted: February 3, 2007
Reference:
Document: KEYING-17
Comment type: Editorial
Priority: S
Section: Appendix A
Rationale/Explanation of issue:

Currently Appendix A seems to imply that EAP methods defined in RFC 3748
(including EAP GTC, OTP and MD5-Challenge) do not export a Peer-Id. This
seems wrong, since these methods authenticate the peer identity. Also,
this section does not include a reference to RFC 2716bis which defines
the Peer-Id and Server-Id for EAP-TLS.

The proposed resolution is to change Appendix A to the following:

"Appendix A - Exported Parameters in Existing Methods

This Appendix specifies Session-Id, Peer-Id, Server-Id and Key-Lifetime
for EAP methods that have been published prior to this specification.
Future EAP method specifications MUST include a definition of the
Session-Id, Peer-Id and Server-Id (could be the empty string).

EAP-Identity

The EAP-Identity method is defined in [RFC3748]. It does not derive
keys, and therefore does not define the Session-Id. The Peer-Id exported
by the Identity method is determined by the octets included within the
EAP-Response/Identity. The Server-Id is the empty string (zero length).

EAP-Notification

The EAP-Notification method is defined in [RFC3748]. It does not derive
keys and therefore does not define the Session-Id. The Peer-Id and
Server-Id are the empty string (zero length).

EAP-MD5-Challenge

The EAP-MD5-Challenge method is defined in [RFC3748]. It does not derive
keys and therefore does not define the Session-Id. The Server-Id is the
empty string (zero length). The Peer-Id is determined by the octets
included within the EAP-Response/Identity.

EAP-GTC

The EAP-GTC method is defined in [RFC3748]. It does not derive keys and
therefore does not define the Session-Id. The Server-Id is the empty
string (zero length). The Peer-Id is determined by the octets included
within the EAP-Response/Identity.

EAP-OTP

The EAP-OTP method is defined in [RFC3748]. It does not derive keys and
therefore does not define the Session-Id. The Server-Id is the empty
string (zero length). The Peer-Id is determined by the octets included
within the EAP-Response/Identity.

EAP-AKA

EAP-AKA is defined in [RFC4187]. The EAP-AKA Session-Id is the
concatenation of the EAP Type Code (0x17) with the contents of the RAND
field from the AT_RAND attribute, followed by the contents of the AUTN
field in the AT_AUTN attribute.

The Peer-Id is the contents of the Identity field from the AT_IDENTITY
attribute, using only the Actual Identity Length octets from the
beginning, however. Note that the contents are used as they are
transmitted, regardless of whether the transmitted identity was a
permanent, pseudonym, or fast EAP re-authentication identity. The
Server-Id is the empty string (zero length).

EAP-SIM

EAP-SIM is defined in [RFC4186]. The EAP-SIM Session-Id is the
concatenation of the EAP Type Code (0x12) with the contents of the RAND
field from the AT_RAND attribute, followed by the contents of the
NONCE_MT field in the AT_NONCE_MT attribute.

The Peer-Id is the contents of the Identity field from the AT_IDENTITY
attribute, using only the Actual Identity Length octets from the
beginning, however. Note that the contents are used as they are
transmitted, regardless of whether the transmitted identity was a
permanent, pseudonym, or fast EAP re-authentication identity. The
Server-Id is the empty string (zero length).

EAP-PSK

EAP-PSK is defined in [RFC4764]. The EAP-PSK Session-Id is the
concatenation of the EAP Type Code (0x2F) with the peer (RAND_P) and
server (RAND_S) nonces. The Peer-Id is the contents of the ID_P field
and the Server-Id is the contents of the ID_S field.

EAP-SAKE

EAP-SAKE is defined in [RFC4763]. The EAP-SAKE Session-Id is the
concatenation of the EAP Type Code (0x30) with the contents of the
RAND_S field from the AT_RAND_S attribute, followed by the contents of
the RAND_P field in the AT_RAND_P attribute. Note that the EAP-SAKE
Session-Id is not the same as the "Session ID" parameter chosen by the
Server, which is sent in the first message, and replicated in subsequent
messages. The Peer-Id is contained within the value field of the
AT_PEERID attribute and the Server-Id, if available, is contained in the
value field of the AT_SERVERID attribute.

EAP-TLS

For EAP-TLS, the Session-Id, Peer-Id and Server-Id are defined in
[RFC2716bis]."


_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/eap

Archives: http://lists.frascone.com/pipermail/eap
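The Session-Id and Peer-Id constructions proposed above for EAP-AKA and EAP-SIM, worked through in code. This is an added example and is not part of the original post or of the KEYING draft. It assumes the attribute layouts of RFC 4186 and RFC 4187 (AT_RAND, AT_AUTN and AT_NONCE_MT each carry two reserved octets before their value; AT_IDENTITY carries a two-octet Actual Identity Length followed by the identity, zero-padded to a four-octet boundary), and the RAND, AUTN, NONCE_MT and identity values, like the packets themselves, are constructed for illustration. It goes slightly beyond the text by assembling the EAP-SIM Session-Id from attributes that arrive in two different packets.

```python
import struct

# EAP method type codes used as the Session-Id prefix (RFC 3748 / IANA)
EAP_TYPE_SIM = 0x12
EAP_TYPE_AKA = 0x17

# Attribute types shared by EAP-SIM (RFC 4186) and EAP-AKA (RFC 4187)
AT_RAND, AT_AUTN, AT_NONCE_MT, AT_IDENTITY = 1, 2, 7, 14

# EAP codes and the subtypes used by the constructed packets below
EAP_REQUEST, EAP_RESPONSE = 1, 2
AKA_CHALLENGE, AKA_IDENTITY = 1, 5
SIM_START, SIM_CHALLENGE = 10, 11


def encode_attr(atype, payload):
    """Type (1), Length (1, in 4-octet units), payload, zero padding to a 4-octet boundary."""
    pad = (-(2 + len(payload))) % 4
    return bytes([atype, (2 + len(payload) + pad) // 4]) + payload + b"\x00" * pad


def encode_packet(code, ident, eap_type, subtype, attrs):
    """EAP header (Code, Identifier, Length), Type, Subtype, 2 reserved octets, attributes."""
    return struct.pack("!BBHBBH", code, ident, 8 + len(attrs), eap_type, subtype, 0) + attrs


def parse_attrs(body):
    """Walk the attribute TLVs. Each value is kept exactly as transmitted: without
    Type/Length, but with its reserved or Actual-Length prefix and any padding."""
    attrs, off = {}, 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, total = body[off], body[off + 1] * 4
        if total < 4 or off + total > len(body):
            raise ValueError("bad attribute length")
        attrs[atype] = body[off + 2:off + total]
        off += total
    return attrs


def parse_packet(pkt):
    """Return (EAP Type, Subtype, attributes) after checking the EAP Length field."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 8:
        raise ValueError("bad EAP length")
    return pkt[4], pkt[5], parse_attrs(pkt[8:])


def session_id(eap_type, attrs):
    """Session-Id as proposed in Appendix A: Type Code || RAND || AUTN for EAP-AKA,
    Type Code || RANDs || NONCE_MT for EAP-SIM. Reserved octets are skipped."""
    if eap_type == EAP_TYPE_AKA:
        rand, autn = attrs[AT_RAND][2:], attrs[AT_AUTN][2:]
        if len(rand) != 16 or len(autn) != 16:
            raise ValueError("AT_RAND and AT_AUTN must each carry 16 octets")
        return bytes([EAP_TYPE_AKA]) + rand + autn
    if eap_type == EAP_TYPE_SIM:
        rands, nonce_mt = attrs[AT_RAND][2:], attrs[AT_NONCE_MT][2:]
        if not rands or len(rands) % 16 or len(nonce_mt) != 16:
            raise ValueError("AT_RAND must carry n*16 octets, AT_NONCE_MT 16 octets")
        return bytes([EAP_TYPE_SIM]) + rands + nonce_mt
    raise ValueError("no Session-Id defined for EAP type 0x%02x" % eap_type)


def peer_id(attrs):
    """Peer-Id: the first Actual Identity Length octets of AT_IDENTITY. Padding is
    dropped; the identity is returned as transmitted (permanent, pseudonym or fast
    re-authentication alike), as the proposed text requires."""
    value = attrs[AT_IDENTITY]
    (actual_len,) = struct.unpack("!H", value[:2])
    if actual_len > len(value) - 2:
        raise ValueError("Actual Identity Length exceeds the attribute")
    return value[2:2 + actual_len]


# Constructed sample values; not taken from any real session.
RAND = bytes(range(16))
AUTN = bytes(range(16, 32))
NONCE_MT = bytes(range(0xA0, 0xB0))
IDENT = b"0234150123456789@wlan.example.org"  # 33 octets, so AT_IDENTITY gets 3 padding octets


def aka_example():
    """(Session-Id, Peer-Id, raw AT_IDENTITY value) for a constructed EAP-AKA exchange."""
    ident_resp = encode_packet(EAP_RESPONSE, 1, EAP_TYPE_AKA, AKA_IDENTITY,
                               encode_attr(AT_IDENTITY, struct.pack("!H", len(IDENT)) + IDENT))
    challenge = encode_packet(EAP_REQUEST, 2, EAP_TYPE_AKA, AKA_CHALLENGE,
                              encode_attr(AT_RAND, b"\x00\x00" + RAND)
                              + encode_attr(AT_AUTN, b"\x00\x00" + AUTN))
    _, _, from_peer = parse_packet(ident_resp)
    eap_type, _, from_server = parse_packet(challenge)
    return session_id(eap_type, from_server), peer_id(from_peer), from_peer[AT_IDENTITY]


def sim_example():
    """Session-Id for a constructed EAP-SIM exchange: NONCE_MT comes from the peer's
    SIM/Start response, the two RANDs from the server's SIM/Challenge request."""
    start_resp = encode_packet(EAP_RESPONSE, 1, EAP_TYPE_SIM, SIM_START,
                               encode_attr(AT_NONCE_MT, b"\x00\x00" + NONCE_MT))
    challenge = encode_packet(EAP_REQUEST, 2, EAP_TYPE_SIM, SIM_CHALLENGE,
                              encode_attr(AT_RAND, b"\x00\x00" + RAND + RAND[::-1]))
    _, _, from_peer = parse_packet(start_resp)
    eap_type, _, from_server = parse_packet(challenge)
    return session_id(eap_type, {**from_peer, **from_server})


if __name__ == "__main__":
    sid, pid, raw = aka_example()
    print("EAP-AKA Session-Id (%d octets): %s" % (len(sid), sid.hex()))
    print("EAP-AKA Peer-Id: %s (raw AT_IDENTITY value: %d octets)" % (pid.decode(), len(raw)))
    print("EAP-SIM Session-Id (%d octets): %s" % (len(sim_example()), sim_example().hex()))
```

The point the proposed text makes about "Actual Identity Length octets from the beginning" is visible in `aka_example()`: the raw AT_IDENTITY value is 38 octets (length prefix plus padding) while the exported Peer-Id is the 33-octet identity, and the same parser serves both methods because they share the attribute format.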

Re: Issue 391: Peer-Ids
United States, 2007-02-06 12:07:27
While the methods defined in RFC 3748 do authenticate the peer identity,
that identity is not necessarily the EAP-Response/Identity.

For example, a user might enclose a decorated NAI within the
EAP-Response/Identity: example.com!user@example2.com.

AAA proxies will strip the 'decoration' from the User-Name attribute, so
that by the time the Request arrives at the AAA server, it will contain
user@example.com.

The identity in the User-Name attribute should be utilized by EAP
methods that do not create their own user-specific identities, *not*
the EAP-Response/Identity, which RFC 3748 states is only to be used for
routing.

Therefore the text should not suggest that the EAP-Response/Identity be
exported as the Peer-Id by any method, even the Identity method.

Revised versions of Appendix A and Section 1.4 relating to Peer-Id and
Server-Id are enclosed below:

Section 1.4:

   Peer-Id

      As described in [RFC3748] Section 7.3, the identity provided in
      the EAP-Response/Identity may be different from the peer identity
      authenticated by the EAP method.  For example, the identity
      provided in the EAP-Response/Identity may be a privacy identifier
      as described in "The Network Access Identifier" [RFC4282] Section
      2.3, or may be decorated as described in [RFC4282] Section 2.7.
      Where the EAP method authenticates the peer identity, that
      identity is exported by the method as the Peer-Id.  A suitable EAP
      peer name may not always be available.  Where an EAP method does
      not define a method-specific peer identity, the Peer-Id is the
      null string.

   Server-Id

      Where the EAP method authenticates the server identity, that
      identity is exported by the method as the Server-Id.  A suitable
      EAP server name may not always be available.  Where an EAP method
      does not define a method-specific server identity, the Server-Id
      is the null string.

Appendix A:

Appendix A - Exported Parameters in Existing Methods

   This Appendix specifies Session-Id, Peer-Id, Server-Id and
   Key-Lifetime for EAP methods that have been published prior to this
   specification.  Future EAP method specifications MUST include a
   definition of the Session-Id, Peer-Id and Server-Id (could be the
   empty string).

EAP-Identity

   The EAP-Identity method is defined in [RFC3748].  It does not derive
   keys, and therefore does not define the Session-Id.  The Peer-Id and
   Server-Id are the empty string (zero length).

EAP-Notification

   The EAP-Notification method is defined in [RFC3748].  It does not
   derive keys and therefore does not define the Session-Id.  The
   Peer-Id and Server-Id are the empty string (zero length).

EAP-MD5-Challenge

   The EAP-MD5-Challenge method is defined in [RFC3748].  It does not
   derive keys and therefore does not define the Session-Id.  The
   Peer-Id and Server-Id are the empty string (zero length).

EAP-GTC

   The EAP-GTC method is defined in [RFC3748].  It does not derive keys
   and therefore does not define the Session-Id.  The Peer-Id and
   Server-Id are the empty string (zero length).

EAP-OTP

   The EAP-OTP method is defined in [RFC3748].  It does not derive keys
   and therefore does not define the Session-Id.  The Peer-Id and
   Server-Id are the empty string (zero length).

EAP-AKA

   EAP-AKA is defined in [RFC4187].  The EAP-AKA Session-Id is the
   concatenation of the EAP Type Code (0x17) with the contents of the
   RAND field from the AT_RAND attribute, followed by the contents of
   the AUTN field in the AT_AUTN attribute.

   The Peer-Id is the contents of the Identity field from the
   AT_IDENTITY attribute, using only the Actual Identity Length octets
   from the beginning, however.  Note that the contents are used as they
   are transmitted, regardless of whether the transmitted identity was a
   permanent, pseudonym, or fast EAP re-authentication identity.  The
   Server-Id is the empty string (zero length).

EAP-SIM

   EAP-SIM is defined in [RFC4186].  The EAP-SIM Session-Id is the
   concatenation of the EAP Type Code (0x12) with the contents of the
   RAND field from the AT_RAND attribute, followed by the contents of
   the NONCE_MT field in the AT_NONCE_MT attribute.

   The Peer-Id is the contents of the Identity field from the
   AT_IDENTITY attribute, using only the Actual Identity Length octets
   from the beginning, however.  Note that the contents are used as they
   are transmitted, regardless of whether the transmitted identity was a
   permanent, pseudonym, or fast EAP re-authentication identity.  The
   Server-Id is the empty string (zero length).

EAP-PSK

   EAP-PSK is defined in [RFC4764].  The EAP-PSK Session-Id is the
   concatenation of the EAP Type Code (0x2F) with the peer (RAND_P) and
   server (RAND_S) nonces.  The Peer-Id is the contents of the ID_P
   field and the Server-Id is the contents of the ID_S field.

EAP-SAKE

   EAP-SAKE is defined in [RFC4763].  The EAP-SAKE Session-Id is the
   concatenation of the EAP Type Code (0x30) with the contents of the
   RAND_S field from the AT_RAND_S attribute, followed by the contents
   of the RAND_P field in the AT_RAND_P attribute.  Note that the
   EAP-SAKE Session-Id is not the same as the "Session ID" parameter
   chosen by the Server, which is sent in the first message, and
   replicated in subsequent messages.  The Peer-Id is contained within
   the value field of the AT_PEERID attribute and the Server-Id, if
   available, is contained in the value field of the AT_SERVERID
   attribute.

EAP-TLS

   For EAP-TLS, the Peer-Id, Server-Id and Session-Id are defined in
   [I-D.simon-emu-rfc2716bis].


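The decorated-NAI case used in the reply above, worked through in code: the peer sends example.com!user@example2.com in the EAP-Response/Identity, and the User-Name that reaches the home AAA server is user@example.com. This is an added example, not part of the post or of the draft. The per-hop rewrite it performs is the example's own reading of RFC 4282 section 2.7 (the leftmost "realm!" of the username is removed and becomes the realm the proxy forwards to); the handling of nested decoration and the realm names are assumptions made here, not something the reply states.

```python
def split_nai(nai):
    """Split an NAI at its last '@' into (username, realm); realm is None if absent."""
    if "@" not in nai:
        return nai, None
    username, realm = nai.rsplit("@", 1)
    return username, realm


def proxy_hop(nai):
    """Rewrite the User-Name the way a AAA proxy for the current realm is assumed to
    (RFC 4282 section 2.7): the leftmost 'realm!' of the username is removed and
    becomes the new realm. An undecorated NAI comes back unchanged, meaning the
    home realm has been reached."""
    username, realm = split_nai(nai)
    if realm is None or "!" not in username:
        return nai
    next_realm, rest = username.split("!", 1)
    if not next_realm or not rest:
        raise ValueError("malformed decorated NAI: %r" % nai)
    return "%s@%s" % (rest, next_realm)


def user_name_trace(identity):
    """Values the User-Name attribute takes, starting with what the peer put in the
    EAP-Response/Identity and ending with what the home AAA server sees."""
    hops = [identity]
    while True:
        nxt = proxy_hop(hops[-1])
        if nxt == hops[-1]:
            return hops
        hops.append(nxt)


def identity_mismatch(identity):
    """True when the EAP-Response/Identity differs from the User-Name at the home
    server, i.e. when exporting the EAP-Response/Identity as the Peer-Id would
    name something other than the identity the server actually authenticated."""
    return user_name_trace(identity)[-1] != identity


if __name__ == "__main__":
    # Constructed inputs: the reply's example, a nested decoration, and a plain NAI.
    for nai in ("example.com!user@example2.com",
                "realm1.example!realm2.example!user@realm3.example",
                "user@example.com"):
        print(" -> ".join(user_name_trace(nai)), "| mismatch:", identity_mismatch(nai))
```

`user_name_trace` makes the reply's argument concrete: for the decorated identity the first and last entries differ, so an EAP method that exported the EAP-Response/Identity as its Peer-Id would be naming a routing string rather than the user the server authenticated.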