Issue 339: Use of Session-Timeout in Pre-authentication
From: Bernard Aboba (bernard_abobahotmail.com)
Date: Thu, 23 Mar 2006 11:55:47 -0800 (PST)
Issue 339: Use of Session-Timeout in Pre-authentication
Submitter name: Bernard Aboba
Submitter email address: aboba [at] internaut.com
Date Submitted: March 23, 2006
Reference:
Document: Keying-10
Comment type: T
Priority: S
Section: 3.4
Rationale/Explanation of issue:

During the HOAKEY BOF, Avi Lior pointed out that overloading of
Session-Timeout for use in pre-authentication could cause problems.
For example, it might be desirable to be able to specify both the
pre-authentication timeout and the Session-Timeout values at the
same time.

Section 3.4 of the keying document describes use of the Session-Timeout
attribute to set the pre-authentication timeout.  Rather than
specifying this here, it would be best to leave this to a future
document.

The proposed change is as follows:

In Section 3.4, delete

"Where EAP is used for pre-authentication, the session may not start
until some future time, or may never occur.  Nevertheless, the
Session-Timeout value represents the time after which transported EAP
keying material, and all keys calculated from it, will have expired on
the authenticator.  If the session subsequently starts,
re-authentication will be initiated once the Session-Time has expired.
If the session never started, or started and ended, by default keys
transported by AAA and all keys calculated from them will be expired
by the authenticator prior to the future time indicated by
Session-Timeout."
