Subject: Re: Issue 413: Byte Ordering Issue for EAP Session-Id
From: Jari Arkko (jari.arkko
Date: Fri, 30 May 2008 11:56:38 -0700 (PDT)
Text looks OK. Please take care of this by submitting the new draft
revision, or, as I am about to approve the draft, take care of it in
AUTH48.

Jari

Bernard Aboba wrote:
> *Issue 413: Session-Id Byte Ordering*
> Submitter name: Mick Seaman
> Submitter email address: mickseaman [at] SBCGLOBAL.NET
> Date first submitted: May 21, 2008
> Reference:
> Document: KEYING-22
> Comment type: Technical
> Priority: S
> Section: 1.4, Appendix A
> Rationale/Explanation of Issue:
>
> Section 6.2.1 of IEEE 802.1X-REV D2.4 references the EAP Session-Id in
> calculation of the CKN.
> However, byte ordering of the Session-Id is undefined.
>
> The proposed resolution is as follows:
>
> In Section 1.4, change:
>
> "
> Session-Id
>
> The Session-Id uniquely identifies an EAP session between an EAP
> peer (as identified by the Peer-Id) and server (as identified by
> the Server-Id). Where non-expanded EAP Type Codes are used (EAP
> Type Code not equal to 254), the EAP Session-Id is the
> concatenation of the single octet EAP Type Code and a temporally
> unique identifier obtained from the method (known as the
> Method-Id). Where expanded EAP Type Codes are used, the EAP
> Session-Id consists of the Expanded Type Code (including the Type,
> Vendor-Id and Vendor-Type fields defined in [RFC3748] Section 5.7)
> concatenated with a temporally unique identifier obtained from the
> method (Method-Id). The Method-Id is typically constructed from
> nonces or counters used within the EAP method exchange. The
> inclusion of the Type Code or Expanded Type Code in the EAP
> Session-Id ensures that each EAP method has a distinct Session-Id
> space. Since an EAP session is not bound to a particular
> authenticator or specific ports on the peer and authenticator, the
> authenticator port or identity are not included in the Session-Id.
> "
>
> To:
>
> "
> Session-Id
>
> The Session-Id uniquely identifies an EAP session between an EAP
> peer (as identified by the Peer-Id) and server (as identified by
> the Server-Id). Where non-expanded EAP Type Codes are used (EAP
> Type Code not equal to 254), the EAP Session-Id is the
> concatenation of the single octet EAP Type Code and a temporally
> unique identifier obtained from the method (known as the
> Method-Id):
>
> Session-Id = Type-Code || Method-Id
>
> Where expanded EAP Type Codes are used, the EAP Session-Id
> consists of the Expanded Type Code (including the Type, Vendor-Id
> (in network byte order) and Vendor-Type fields (in network byte
> order) defined in [RFC3748] Section 5.7), concatenated with a
> temporally unique identifier obtained from the method (Method-Id):
>
> Session-Id = 0xFE || Vendor-Id || Vendor-Type || Method-Id
>
> The Method-Id is typically constructed from
> nonces or counters used within the EAP method exchange. The
> inclusion of the Type Code or Expanded Type Code in the EAP
> Session-Id ensures that each EAP method has a distinct Session-Id
> space. Since an EAP session is not bound to a particular
> authenticator or specific ports on the peer and authenticator, the
> authenticator port or identity are not included in the Session-Id.
> "
>
> Replace Appendix A with the following text:
> Appendix A - Exported Parameters in Existing Methods
>
> This Appendix specifies Session-Id, Peer-Id, Server-Id and
> Key-Lifetime for EAP methods that have been published prior to this
> specification. Future EAP method specifications MUST include a
> definition of the Session-Id, Peer-Id and Server-Id (could be the
> null string). In the descriptions that follow, all fields are
> assumed to be in network byte order.
>
> EAP-Identity
>
> The EAP-Identity method is defined in [RFC3748]. It does not derive
> keys, and therefore does not define the Session-Id. The Peer-Id and
> Server-Id are the null string (zero length).
>
> EAP-Notification
>
> The EAP-Notification method is defined in [RFC3748]. It does not
> derive keys and therefore does not define the Session-Id. The
> Peer-Id and Server-Id are the null string (zero length).
>
> EAP-MD5-Challenge
>
> The EAP-MD5-Challenge method is defined in [RFC3748]. It does not
> derive keys and therefore does not define the Session-Id. The
> Peer-Id and Server-Id are the null string (zero length).
>
> EAP-GTC
>
> The EAP-GTC method is defined in [RFC3748]. It does not derive keys
> and therefore does not define the Session-Id. The Peer-Id and
> Server-Id are the null string (zero length).
>
> EAP-OTP
>
> The EAP-OTP method is defined in [RFC3748]. It does not derive keys
> and therefore does not define the Session-Id. The Peer-Id and
> Server-Id are the null string (zero length).
>
> EAP-AKA
>
> EAP-AKA is defined in [RFC4187]. The EAP-AKA Session-Id is the
> concatenation of the EAP Type Code (0x17) with the contents of the
> RAND field from the AT_RAND attribute, followed by the contents of
> the AUTN field in the AT_AUTN attribute:
>
> Session-Id = 0x17 || RAND || AUTN
>
> The Peer-Id is the contents of the Identity field from the
> AT_IDENTITY attribute, using only the Actual Identity Length octets
> from the beginning, however. Note that the contents are used as they
> are transmitted, regardless of whether the transmitted identity was a
> permanent, pseudonym, or fast EAP re-authentication identity. The
> Server-Id is the null string (zero length).
>
> EAP-SIM
>
> EAP-SIM is defined in [RFC4186]. The EAP-SIM Session-Id is the
> concatenation of the EAP Type Code (0x12) with the contents of the
> RAND field from the AT_RAND attribute, followed by the contents of
> the NONCE_MT field in the AT_NONCE_MT attribute:
>
> Session-Id = 0x12 || RAND || NONCE_MT
>
> The Peer-Id is the contents of the Identity field from the
> AT_IDENTITY attribute, using only the Actual Identity Length octets
> from the beginning, however. Note that the contents are used as they
> are transmitted, regardless of whether the transmitted identity was a
> permanent, pseudonym, or fast EAP re-authentication identity. The
> Server-Id is the null string (zero length).
>
> EAP-PSK
>
> EAP-PSK is defined in [RFC4764]. The EAP-PSK Session-Id is the
> concatenation of the EAP Type Code (0x2F) with the peer (RAND_P) and
> server (RAND_S) nonces:
>
> Session-Id = 0x2F || RAND_P || RAND_S
>
> The Peer-Id is the contents of the ID_P field and the Server-Id is
> the contents of the ID_S field.
>
> EAP-SAKE
>
> EAP-SAKE is defined in [RFC4763]. The EAP-SAKE Session-Id is the
> concatenation of the EAP Type Code (0x30) with the contents of the
> RAND_S field from the AT_RAND_S attribute, followed by the contents
> of the RAND_P field in the AT_RAND_P attribute:
>
> Session-Id = 0x30 || RAND_S || RAND_P
>
> Note that the EAP-SAKE Session-Id is not the same as the "Session ID"
> parameter chosen by the Server, which is sent in the first message,
> and replicated in subsequent messages. The Peer-Id is contained
> within the value field of the AT_PEERID attribute and the Server-Id,
> if available, is contained in the value field of the AT_SERVERID
> attribute.
>
> EAP-TLS
>
> For EAP-TLS, the Peer-Id, Server-Id and Session-Id are defined in
> [RFC5216].
>
> ------------------------------------------------------------------------
>
> _________________________________________________________________
> To unsubscribe or modify your subscription options, please visit:
> http://lists.frascone.com/mailman/listinfo/eap
>
> Archives: http://lists.frascone.com/pipermail/eap
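The point of Issue 413 is that two implementations can only derive the same CKN from an EAP Session-Id if they serialize it identically, and the Expanded Type's multi-octet Vendor-Id and Vendor-Type fields are where an unspecified byte order bites. The following is an added worked example, not code from the thread, the draft or any EAP implementation: it builds the Session-Id exactly as the proposed Section 1.4 text defines it (Type-Code || Method-Id, or 0xFE || Vendor-Id || Vendor-Type || Method-Id with the vendor fields in network byte order and the 3- and 4-octet widths from RFC 3748 Section 5.7), shows the EAP-AKA instance from the proposed Appendix A, and contrasts the network-order encoding with what a host-order (little-endian) serializer would produce. The vendor numbers, Method-Id and RAND/AUTN values are constructed sample inputs, not assigned or captured values.

```python
import struct

EAP_TYPE_EXPANDED = 0xFE   # Expanded Type, RFC 3748 Section 5.7
EAP_TYPE_AKA = 0x17        # EAP-AKA, RFC 4187 (as listed in the proposed Appendix A)


def eap_session_id(type_code, method_id, vendor_id=None, vendor_type=None):
    """Session-Id per the proposed Section 1.4 text.

    Non-expanded: Session-Id = Type-Code || Method-Id
    Expanded:     Session-Id = 0xFE || Vendor-Id || Vendor-Type || Method-Id
    Vendor-Id is 3 octets and Vendor-Type 4 octets (RFC 3748 Section 5.7),
    both serialized in network byte order (big-endian).
    """
    method_id = bytes(method_id)
    if not method_id:
        raise ValueError("Method-Id must not be empty")
    if not 0 <= type_code <= 0xFF:
        raise ValueError("EAP Type Code is a single octet")
    if type_code != EAP_TYPE_EXPANDED:
        if vendor_id is not None or vendor_type is not None:
            raise ValueError("Vendor fields only apply to the Expanded Type (254)")
        return bytes([type_code]) + method_id
    if vendor_id is None or vendor_type is None:
        raise ValueError("Expanded Type requires Vendor-Id and Vendor-Type")
    if not 0 <= vendor_id < (1 << 24):
        raise ValueError("Vendor-Id is a 3-octet field")
    if not 0 <= vendor_type < (1 << 32):
        raise ValueError("Vendor-Type is a 4-octet field")
    # ">I" packs four big-endian octets; dropping the leading (always zero)
    # octet yields the 3-octet Vendor-Id in network byte order.
    vendor_id_be = struct.pack(">I", vendor_id)[1:]
    vendor_type_be = struct.pack(">I", vendor_type)
    return bytes([EAP_TYPE_EXPANDED]) + vendor_id_be + vendor_type_be + method_id


def eap_aka_session_id(rand, autn):
    """EAP-AKA instance from the proposed Appendix A: 0x17 || RAND || AUTN.
    RAND (AT_RAND) and AUTN (AT_AUTN) are 16 octets each in RFC 4187."""
    rand, autn = bytes(rand), bytes(autn)
    if len(rand) != 16 or len(autn) != 16:
        raise ValueError("RAND and AUTN are each 16 octets")
    return eap_session_id(EAP_TYPE_AKA, rand + autn)


def host_order_variant(vendor_id, vendor_type, method_id):
    """What a little-endian host produces if it packs the vendor fields in
    host order instead of network order. Illustration only: this is the
    interoperability failure the issue describes, since peer and server
    would then feed different Session-Ids into the CKN derivation."""
    vendor_id_le = struct.pack("<I", vendor_id)[:3]
    vendor_type_le = struct.pack("<I", vendor_type)
    return bytes([EAP_TYPE_EXPANDED]) + vendor_id_le + vendor_type_le + bytes(method_id)


if __name__ == "__main__":
    # Constructed sample values (not real assignments or captured nonces).
    sample_vendor_id = 0x000137
    sample_vendor_type = 0x00000001
    sample_method_id = bytes.fromhex("aabb")
    network = eap_session_id(EAP_TYPE_EXPANDED, sample_method_id,
                             vendor_id=sample_vendor_id, vendor_type=sample_vendor_type)
    host = host_order_variant(sample_vendor_id, sample_vendor_type, sample_method_id)
    print("network order :", network.hex())
    print("host order    :", host.hex())
    print("identical     :", network == host)
    print("EAP-AKA       :", eap_aka_session_id(b"\x01" * 16, b"\x02" * 16).hex())
```

Run as a script, the two expanded-type encodings differ in every vendor octet while the Type octet and Method-Id agree, which is exactly why the proposed text pins the vendor fields to network byte order; an implementation validating interoperability should compare the derived Session-Id bytes, not just the CKN it later produces.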