Issue 391: Peer-Ids
From: Bernard Aboba (bernard_aboba
Date: Sat, 3 Feb 2007 18:53:26 -0800 (PST)
Issue 391: Peer-Ids
Submitter name: Bernard Aboba
Submitter email address: aboba [at] internaut.com
Date Submitted: February 3, 2007
Reference:
Document: KEYING-17
Comment type: Editorial
Priority: S
Section: Appendix A
Rationale/Explanation of issue:
Currently Appendix A seems to imply that EAP methods defined in RFC 3748
(including EAP GTC, OTP and MD5-Challenge) do not export a Peer-Id. This
seems wrong, since these methods authenticate the peer identity. Also, this section
does not include a reference to RFC 2716bis which defines the Peer-Id and
Server-Id for EAP-TLS.
The proposed resolution is to change Appendix A to the following:
"Appendix A - Exported Parameters in Existing Methods
This Appendix specifies Session-Id, Peer-Id, Server-Id and Key-Lifetime for EAP methods that have been published prior to this specification. Future EAP method specifications MUST include a definition of the Session-Id, Peer-Id and Server-Id (could be the empty string).
EAP-Identity
The EAP-Identity method is defined in [RFC3748]. It does not derive keys, and therefore does not define the Session-Id. The Peer-Id exported by the Identity method is determined by the octets included within the EAP-Response/Identity. The Server-Id is the empty string (zero length).
EAP-Notification
The EAP-Notification method is defined in [RFC3748]. It does not derive keys and therefore does not define the Session-Id. The Peer-Id and Server-Id are the empty string (zero length).
EAP-MD5-Challenge
The EAP-MD5-Challenge method is defined in [RFC3748]. It does not derive keys and therefore does not define the Session-Id. The Server-Id is the empty string (zero length). The Peer-Id is determined by the octets included within the EAP-Response/Identity.
EAP-GTC
The EAP-GTC method is defined in [RFC3748]. It does not derive keys and therefore does not define the Session-Id. The Server-Id is the empty string (zero length). The Peer-Id is determined by the octets included within the EAP-Response/Identity.
EAP-OTP
The EAP-OTP method is defined in [RFC3748]. It does not derive keys and therefore does not define the Session-Id. The Server-Id is the empty string (zero length). The Peer-Id is determined by the octets included within the EAP-Response/Identity.
EAP-AKA
EAP-AKA is defined in [RFC4187]. The EAP-AKA Session-Id is the concatenation of the EAP Type Code (0x17) with the contents of the RAND field from the AT_RAND attribute, followed by the contents of the AUTN field in the AT_AUTN attribute.
The Peer-Id is the contents of the Identity field from the AT_IDENTITY attribute, using only the Actual Identity Length octets from the beginning, however. Note that the contents are used as they are transmitted, regardless of whether the transmitted identity was a permanent, pseudonym, or fast EAP re-authentication identity. The Server-Id is the empty string (zero length).
EAP-SIM
EAP-SIM is defined in [RFC4186]. The EAP-SIM Session-Id is the concatenation of the EAP Type Code (0x12) with the contents of the RAND field from the AT_RAND attribute, followed by the contents of the NONCE_MT field in the AT_NONCE_MT attribute.
The Peer-Id is the contents of the Identity field from the AT_IDENTITY attribute, using only the Actual Identity Length octets from the beginning, however. Note that the contents are used as they are transmitted, regardless of whether the transmitted identity was a permanent, pseudonym, or fast EAP re-authentication identity. The Server-Id is the empty string (zero length).
EAP-PSK
EAP-PSK is defined in [RFC4764]. The EAP-PSK Session-Id is the concatenation of the EAP Type Code (0x2F) with the peer (RAND_P) and server (RAND_S) nonces. The Peer-Id is the contents of the ID_P field and the Server-Id is the contents of the ID_S field.
EAP-SAKE
EAP-SAKE is defined in [RFC4763]. The EAP-SAKE Session-Id is the concatenation of the EAP Type Code (0x30) with the contents of the RAND_S field from the AT_RAND_S attribute, followed by the contents of the RAND_P field in the AT_RAND_P attribute. Note that the EAP-SAKE Session-Id is not the same as the "Session ID" parameter chosen by the Server, which is sent in the first message, and replicated in subsequent messages. The Peer-Id is contained within the value field of the AT_PEERID attribute and the Server-Id, if available, is contained in the value field of the AT_SERVERID attribute.
EAP-TLS
For EAP-TLS, the Session-Id, Peer-Id and Server-Id are defined in [RFC2716bis]."
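Worked example, added here and not part of the original message or of any EAP specification: Python that derives the Session-Id and Peer-Id values the proposed Appendix A text describes, from constructed sample attribute contents. The EAP header layout (RFC 3748) and the AT_IDENTITY attribute layout (RFC 4186/4187) are taken from those RFCs; every sample octet string, and the `build_at_identity` helper, is constructed for this example.

```python
import struct

# EAP method Type Codes quoted in the proposed Appendix A text; AT_IDENTITY attribute type from RFC 4186/4187.
EAP_TYPE_SIM, EAP_TYPE_AKA, EAP_TYPE_PSK, EAP_TYPE_SAKE, AT_IDENTITY = 0x12, 0x17, 0x2F, 0x30, 14

def session_id(type_code: int, *fields: bytes) -> bytes:
    """Session-Id = one-octet EAP Type Code || fields, in the order the method's text lists them."""
    return bytes([type_code]) + b"".join(fields)

def peer_id_from_response_identity(pkt: bytes) -> bytes:
    """Peer-Id for Identity, MD5-Challenge, GTC and OTP: the octets carried in EAP-Response/Identity.
    EAP header (RFC 3748): Code(1) | Identifier(1) | Length(2) | Type(1) | Type-Data."""
    if len(pkt) < 5:
        raise ValueError("EAP packet too short")
    code, _ident, length, etype = struct.unpack("!BBHB", pkt[:5])
    if code != 2 or etype != 1 or length != len(pkt):  # Code 2 = Response, Type 1 = Identity
        raise ValueError("not a well-formed EAP-Response/Identity")
    return pkt[5:]  # used exactly as transmitted: no decoding, trimming or realm stripping

def peer_id_from_at_identity(attr: bytes) -> bytes:
    """Peer-Id for EAP-SIM/AKA: only the first Actual Identity Length octets of AT_IDENTITY.
    Layout (RFC 4186/4187): Type(1) | Length(1, in 4-octet units) | Actual Identity Length(2) | Identity + pad."""
    if len(attr) < 4:
        raise ValueError("malformed AT_IDENTITY")
    atype, units, actual_len = struct.unpack("!BBH", attr[:4])
    if atype != AT_IDENTITY or units * 4 != len(attr) or actual_len > len(attr) - 4:
        raise ValueError("malformed AT_IDENTITY")
    # Permanent, pseudonym or fast re-authentication identity: all taken verbatim; padding dropped.
    return attr[4:4 + actual_len]

def build_at_identity(identity: bytes) -> bytes:
    """Constructed helper (not from any spec): encodes an AT_IDENTITY with padding to a 4-octet boundary."""
    body = struct.pack("!H", len(identity)) + identity + b"\x00" * ((-len(identity)) % 4)
    return struct.pack("!BB", AT_IDENTITY, (2 + len(body)) // 4) + body

# Constructed sample octets, not taken from any real exchange.
RAND, AUTN, NONCE_MT, RAND_P, RAND_S = bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48)), b"P" * 16, b"S" * 16
IDENTITY = b"0123456789@example"  # 18 octets, so AT_IDENTITY carries 2 padding octets

def exported_parameters() -> dict:
    """Derive the Appendix A parameters for the constructed samples."""
    resp_identity = struct.pack("!BBHB", 2, 7, 5 + len(IDENTITY), 1) + IDENTITY
    return {
        "aka_session_id": session_id(EAP_TYPE_AKA, RAND, AUTN),
        "sim_session_id": session_id(EAP_TYPE_SIM, RAND, NONCE_MT),
        "psk_session_id": session_id(EAP_TYPE_PSK, RAND_P, RAND_S),    # peer nonce first, as the text lists
        "sake_session_id": session_id(EAP_TYPE_SAKE, RAND_S, RAND_P),  # RAND_S first, then RAND_P
        "peer_id_identity": peer_id_from_response_identity(resp_identity),
        "peer_id_aka": peer_id_from_at_identity(build_at_identity(IDENTITY)),
    }
```

The same identity string yields the same Peer-Id whether it arrives in EAP-Response/Identity or in AT_IDENTITY, which is the point the issue makes about the RFC 3748 methods.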