Issue 413: Session-Id Byte Ordering
Submitter name: Mick Seaman
Submitter email address: mickseaman [at] SBCGLOBAL.NET
Date first submitted: May 21, 2008
Reference:
Document: KEYING-22 Comment type: Technical
Priority: S
Section: 1.4, Appendix A
Rationale/Explanation of Issue:
Section 6.2.1 of IEEE 802.1X-REV D2.4 references the EAP Session-Id in the calculation of the CKN. However, the byte ordering of the Session-Id is undefined, so two conforming implementations could serialize the same Session-Id differently.
The proposed resolution is as follows:
In Section 1.4, change:
"Session-Id
The Session-Id uniquely identifies an EAP session between an EAP peer (as identified by the Peer-Id) and server (as identified by the Server-Id). Where non-expanded EAP Type Codes are used (EAP Type Code not equal to 254), the EAP Session-Id is the concatenation of the single octet EAP Type Code and a temporally unique identifier obtained from the method (known as the Method-Id). Where expanded EAP Type Codes are used, the EAP Session-Id consists of the Expanded Type Code (including the Type, Vendor-Id and Vendor-Type fields defined in [RFC3748] Section 5.7) concatenated with a temporally unique identifier obtained from the method (Method-Id). The Method-Id is typically constructed from nonces or counters used within the EAP method exchange. The inclusion of the Type Code or Expanded Type Code in the EAP Session-Id ensures that each EAP method has a distinct Session-Id space. Since an EAP session is not bound to a particular authenticator or specific ports on the peer and authenticator, the authenticator port or identity are not included in the Session-Id."
To:
"Session-Id
The Session-Id uniquely identifies an EAP session between an EAP peer (as identified by the Peer-Id) and server (as identified by the Server-Id). Where non-expanded EAP Type Codes are used (EAP Type Code not equal to 254), the EAP Session-Id is the concatenation of the single octet EAP Type Code and a temporally unique identifier obtained from the method (known as the Method-Id):
Session-Id = Type-Code || Method-Id
Where expanded EAP Type Codes are used, the EAP Session-Id consists of the Expanded Type Code (including the Type, Vendor-Id (in network byte order) and Vendor-Type fields (in network byte order) defined in [RFC3748] Section 5.7), concatenated with a temporally unique identifier obtained from the method (Method-Id):
Session-Id = 0xFE || Vendor-Id || Vendor-Type || Method-Id
The Method-Id is typically constructed from nonces or counters used within the EAP method exchange. The inclusion of the Type Code or Expanded Type Code in the EAP Session-Id ensures that each EAP method has a distinct Session-Id space. Since an EAP session is not bound to a particular authenticator or specific ports on the peer and authenticator, the authenticator port or identity are not included in the Session-Id."
Replace Appendix A with the following text:
Appendix A - Exported Parameters in Existing Methods
This Appendix specifies Session-Id, Peer-Id, Server-Id and Key-Lifetime for EAP methods that have been published prior to this specification. Future EAP method specifications MUST include a definition of the Session-Id, Peer-Id and Server-Id (could be the null string). In the descriptions that follow, all fields are assumed to be in network byte order.
EAP-Identity
The EAP-Identity method is defined in [RFC3748]. It does not derive keys, and therefore does not define the Session-Id. The Peer-Id and Server-Id are the null string (zero length).
EAP-Notification
The EAP-Notification method is defined in [RFC3748]. It does not derive keys and therefore does not define the Session-Id. The Peer-Id and Server-Id are the null string (zero length).
EAP-MD5-Challenge
The EAP-MD5-Challenge method is defined in [RFC3748]. It does not derive keys and therefore does not define the Session-Id. The Peer-Id and Server-Id are the null string (zero length).
EAP-GTC
The EAP-GTC method is defined in [RFC3748]. It does not derive keys and therefore does not define the Session-Id. The Peer-Id and Server-Id are the null string (zero length).
EAP-OTP
The EAP-OTP method is defined in [RFC3748]. It does not derive keys and therefore does not define the Session-Id. The Peer-Id and Server-Id are the null string (zero length).
EAP-AKA
EAP-AKA is defined in [RFC4187]. The EAP-AKA Session-Id is the concatenation of the EAP Type Code (0x17) with the contents of the RAND field from the AT_RAND attribute, followed by the contents of the AUTN field in the AT_AUTN attribute:
Session-Id = 0x17 || RAND || AUTN
The Peer-Id is the contents of the Identity field from the AT_IDENTITY attribute, using only the first Actual Identity Length octets of that field. Note that the contents are used as they are transmitted, regardless of whether the transmitted identity was a permanent, pseudonym, or fast EAP re-authentication identity. The Server-Id is the null string (zero length).
EAP-SIM
EAP-SIM is defined in [RFC4186]. The EAP-SIM Session-Id is the concatenation of the EAP Type Code (0x12) with the contents of the RAND field from the AT_RAND attribute, followed by the contents of the NONCE_MT field in the AT_NONCE_MT attribute:
Session-Id = 0x12 || RAND || NONCE_MT
The Peer-Id is the contents of the Identity field from the AT_IDENTITY attribute, using only the first Actual Identity Length octets of that field. Note that the contents are used as they are transmitted, regardless of whether the transmitted identity was a permanent, pseudonym, or fast EAP re-authentication identity. The Server-Id is the null string (zero length).
EAP-PSK
EAP-PSK is defined in [RFC4764]. The EAP-PSK Session-Id is the concatenation of the EAP Type Code (0x2F) with the peer (RAND_P) and server (RAND_S) nonces:
Session-Id = 0x2F || RAND_P || RAND_S
The Peer-Id is the contents of the ID_P field and the Server-Id is the contents of the ID_S field.
EAP-SAKE
EAP-SAKE is defined in [RFC4763]. The EAP-SAKE Session-Id is the concatenation of the EAP Type Code (0x30) with the contents of the RAND_S field from the AT_RAND_S attribute, followed by the contents of the RAND_P field in the AT_RAND_P attribute:
Session-Id = 0x30 || RAND_S || RAND_P
Note that the EAP-SAKE Session-Id is not the same as the "Session ID" parameter chosen by the Server, which is sent in the first message, and replicated in subsequent messages. The Peer-Id is contained within the value field of the AT_PEERID attribute and the Server-Id, if available, is contained in the value field of the AT_SERVERID attribute.
EAP-TLS
For EAP-TLS, the Peer-Id, Server-Id and Session-Id are defined in [RFC5216].
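As an added illustration (not part of this issue text or of any IETF document), the following Python builds the Session-Id according to the two construction rules proposed above for Section 1.4 and to the per-method definitions in Appendix A. It makes the byte-ordering point concrete: the Vendor-Id and Vendor-Type of an Expanded Type Code are emitted in network byte order whatever the host's endianness, and each method wrapper pins the field order the Appendix prescribes (note that EAP-PSK and EAP-SAKE order their two nonces differently). The 3-octet Vendor-Id and 4-octet Vendor-Type widths follow [RFC3748] Section 5.7; the nonce values, the vendor numbers and the helper names are constructed for the example.

```python
import struct
from typing import Optional

EXPANDED_TYPE = 0xFE  # EAP Type 254, "Expanded Types" ([RFC3748] Section 5.7)


def session_id(type_code: int, method_id: bytes,
               vendor_id: Optional[int] = None,
               vendor_type: Optional[int] = None) -> bytes:
    """Build the EAP Session-Id as proposed for Section 1.4.

    Non-expanded Type Code:  Session-Id = Type-Code || Method-Id
    Expanded Type Code:      Session-Id = 0xFE || Vendor-Id || Vendor-Type || Method-Id

    Vendor-Id (3 octets) and Vendor-Type (4 octets) are serialized in
    network byte order, so the result is identical on any host.
    """
    if not 0 <= type_code <= 0xFF:
        raise ValueError("EAP Type Code is a single octet")
    if not method_id:
        raise ValueError("Method-Id must be non-empty (the method derived keys)")

    if type_code == EXPANDED_TYPE:
        if vendor_id is None or vendor_type is None:
            raise ValueError("Expanded Type Code requires Vendor-Id and Vendor-Type")
        if not 0 <= vendor_id < (1 << 24):
            raise ValueError("Vendor-Id is 3 octets")
        if not 0 <= vendor_type < (1 << 32):
            raise ValueError("Vendor-Type is 4 octets")
        # struct has no 3-octet format: pack big-endian as 4 octets and drop
        # the leading zero octet. "!" forces network byte order.
        vendor_id_be = struct.pack("!I", vendor_id)[1:]
        vendor_type_be = struct.pack("!I", vendor_type)
        header = bytes([EXPANDED_TYPE]) + vendor_id_be + vendor_type_be
    else:
        if vendor_id is not None or vendor_type is not None:
            raise ValueError("Vendor fields only apply to Expanded Type Codes")
        header = bytes([type_code])
    return header + method_id


# Per-method definitions from Appendix A. Each wrapper fixes the field order
# so callers cannot accidentally swap nonces.

def eap_aka_session_id(rand: bytes, autn: bytes) -> bytes:
    """EAP-AKA ([RFC4187]): Session-Id = 0x17 || RAND || AUTN."""
    return session_id(0x17, rand + autn)


def eap_sim_session_id(rand: bytes, nonce_mt: bytes) -> bytes:
    """EAP-SIM ([RFC4186]): Session-Id = 0x12 || RAND || NONCE_MT."""
    return session_id(0x12, rand + nonce_mt)


def eap_psk_session_id(rand_p: bytes, rand_s: bytes) -> bytes:
    """EAP-PSK ([RFC4764]): Session-Id = 0x2F || RAND_P || RAND_S (peer first)."""
    return session_id(0x2F, rand_p + rand_s)


def eap_sake_session_id(rand_s: bytes, rand_p: bytes) -> bytes:
    """EAP-SAKE ([RFC4763]): Session-Id = 0x30 || RAND_S || RAND_P (server first)."""
    return session_id(0x30, rand_s + rand_p)


if __name__ == "__main__":
    # Constructed sample values, not captured from any real exchange.
    rand_p = bytes([0xA0 + i for i in range(16)])
    rand_s = bytes([0xB0 + i for i in range(16)])
    print("EAP-PSK  :", eap_psk_session_id(rand_p, rand_s).hex())
    print("EAP-SAKE :", eap_sake_session_id(rand_s, rand_p).hex())
    # Constructed vendor numbers; Vendor-Id 0x00137F is a placeholder, not an assignment.
    print("Expanded :", session_id(EXPANDED_TYPE, b"\x01\x02",
                                   vendor_id=0x00137F, vendor_type=0x2A).hex())
```

Because the CKN referenced in Section 6.2.1 of IEEE 802.1X-REV is computed from these octets, any disagreement about their order between peer and server produces different CKNs for the same session; fixing the order in the specification, as the proposed text does, is what lets the two sides arrive at the same value.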