One document matched: draft-ietf-dime-erp-09.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC3748 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3748.xml">
<!ENTITY RFC3588 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3588.xml">
<!ENTITY RFC4072 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4072.xml">
<!ENTITY RFC4187 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4187.xml">
<!ENTITY RFC5247 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5247.xml">
<!ENTITY RFC5295 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5295.xml">
<!ENTITY RFC5296 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5296.xml">
<!ENTITY I-D.ietf-hokey-key-mgm SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-hokey-key-mgm.xml">
<!ENTITY I-D.ietf-app-design-guide SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-dime-app-design-guide.xml">
<!ENTITY I-D.ietf-dime-local-keytran SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-dime-local-keytran.xml">
<!ENTITY I-D.ietf-dime-rfc3588bis SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-dime-rfc3588bis.xml">
<!ENTITY nbsp " ">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="yes"?>
<?rfc comments="no"?>
<?rfc inline="yes"?>
<?rfc editing="no"?>
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<?rfc rfcedstyle="yes"?>
<?rfc rfcprocack="no"?>
<?rfc tocindent="yes"?>
<rfc category="std" docName="draft-ietf-dime-erp-09.txt" ipr="trust200902">
<front>
<title abbrev="Diameter ERP Application">Diameter Support for the EAP
Re-authentication Protocol (ERP)</title>
<author fullname="Julien Bournelle" initials="J." surname="Bournelle">
<organization abbrev="Orange Labs">Orange Labs</organization>
<address>
<postal>
<street>38-40 rue du general Leclerc</street>
<city>Issy-Les-Moulineaux</city>
<code>92794</code>
<country>France</country>
</postal>
<email>julien.bournelle@orange-ftgroup.com</email>
</address>
</author>
<author fullname="Lionel Morand" initials="L." surname="Morand">
<organization abbrev="Orange Labs">Orange Labs</organization>
<address>
<postal>
<street>38-40 rue du general Leclerc</street>
<city>Issy-Les-Moulineaux</city>
<code>92794</code>
<country>France</country>
</postal>
<email>lionel.morand@orange-ftgroup.com</email>
</address>
</author>
<author fullname="Sebastien Decugis" initials="S." surname="Decugis">
<organization>INSIDE Secure</organization>
<address>
<postal>
<street>41 Parc Club du Golf</street>
<city>Aix-en-Provence</city>
<code>13856</code>
<country>France</country>
</postal>
<phone>+33 (0)4 42 39 63 00</phone>
<email>sdecugis@freediameter.net</email>
</address>
</author>
<author fullname="Qin Wu" initials="Q." surname="Wu">
<organization abbrev="Huawei">Huawei Technologies Co.,
Ltd</organization>
<address>
<postal>
<street>Site B, Floor 12F, Huihong Mansion, No.91 Baixia
Rd.</street>
<city>Nanjing</city>
<code>210001</code>
<country>China</country>
</postal>
<email>sunseawq@huawei.com</email>
</address>
</author>
<author fullname="Glen Zorn" initials="G.W." surname="Zorn">
<organization>Network Zen</organization>
<address>
<postal>
<street>227/358 Thanon Sanphawut</street>
<city>Bang Na</city>
<region>Bangkok</region>
<code>10260</code>
<country>Thailand</country>
</postal>
<email>glenzorn@gmail.com</email>
</address>
</author>
<date year="2012" />
<keyword>Internet-Draft</keyword>
<keyword>EAP</keyword>
<keyword>Diameter</keyword>
<keyword>Re-authentication</keyword>
<keyword>inter-authenticator roaming</keyword>
<abstract>
<t>The EAP Re-authentication Protocol (ERP) defines extensions to the
Extensible Authentication Protocol (EAP) to support efficient re-
authentication between the peer and an EAP Re-authentication (ER) server
through a compatible authenticator. This document specifies Diameter
support for ERP. It defines a new Diameter ERP application to transport
ERP messages between an ER authenticator and the ER server, and a set of
new AVPs that can be used to transport the cryptographic material needed
by the re-authentication server.</t>
</abstract>
</front>
<middle>
<section anchor="Introduction" title="Introduction">
<t>RFC5296 <xref target="RFC5296"></xref> defines the EAP
Re-authentication Protocol (ERP). It consists of the following
steps:<list style="hanging">
<t hangText="Bootstrapping"><vspace blankLines="1" />A root key for
re-authentication is derived from the Extended Master Session Key
(EMSK) created during EAP authentication <xref
target="RFC5295"></xref>. This root key is transported from the EAP
server to the ER server.</t>
<t hangText="Re-authentication"><vspace blankLines="1" />A
one-round-trip exchange between the peer and the ER server,
resulting in mutual authentication. To support the EAP
reauthentication functionality, ERP defines two new EAP codes -
EAP-Initiate and EAP-Finish.</t>
</list></t>
<t>This document defines how Diameter transports the ERP messages during
the re-authentication process. For this purpose, we define a new
Application Identifier for ERP, and re-use the Diameter EAP commands
(DER/DEA).</t>
<t>This document also discusses the distribution of the root key during
bootstrapping, in conjunction with either the initial EAP authentication
(implicit bootstrapping) or the first ERP exchange (explicit
bootstrapping). Security considerations for this key distribution are
detailed in RFC 5295 <xref target="RFC5295"></xref>.</t>
</section>
<section title="Terminology">
<t>This document uses terminology defined in RFC3748 <xref
target="RFC3748"></xref>, RFC5295 <xref target="RFC5295"></xref>,
RFC5296 <xref target="RFC5296"></xref>, and RFC4072 <xref
target="RFC4072"></xref>.</t>
<t>"Root key" (RK) or "bootstrapping material" refer to the rRK or rDSRK
derived from an EMSK, depending on the location of the ER server in home
or foreign domain.</t>
<t>We use the notation "ERP/DER" and "ERP/DEA" in this document to refer
to Diameter-EAP-Request and Diameter-EAP-Answer commands with the
Application Id set to <Diameter ERP Application> <xref target="DAI"/>;
the same
commands are denoted "EAP/DER" and "EAP/DEA" when the Application Id in
the message is set to <Diameter EAP Application> <xref
target="RFC4072"></xref>.</t>
<section title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119"></xref>.</t>
</section>
</section>
<section title="Assumptions">
<t>This document assumes the existence of at most one logical ER server
entity in a domain. If several physical servers are deployed for
robustness, a replication mechanism must be deployed to synchronize the
ERP states (root keys) between these servers. This replication mechanism
is out of the scope of this document. If multiple ER servers are
deployed in the domain, we assume that they can be used interchangeably.
If multiple ER servers are deployed across the domains, we assume only
one ER server that is near to the peer is getting involved in the
ERP.</t>
<t>Also this document assumes the existence of at most one EAP server
entity in the home domain.
In case of multiple physical home EAP servers
in the same domain, if the ER server wants to reach the same home EAP
server, the ER server may cache the Destination-Host AVP corresponding
to the home EAP server it requests. </t>
</section>
<section anchor="Overview" title="Protocol Overview">
<t>The following figure shows the components involved in ERP, and their
interactions.</t>
<figure title="Figure 1: Diameter ERP Overview.">
<artwork>
Diameter +--------+
+-------------+ ERP +-----------+ (*) | Home |
Peer <->|Authenticator|<=======>| ER server | <---> | EAP |
+-------------+ +-----------+ | server |
+--------+
(*) Diameter EAP application, explicit bootstrapping scenario only.
</artwork>
</figure>
<t>The ER server is located either in the home domain (same as EAP
server) or in the visited domain (same as authenticator, when it differs
from the home domain). <cref>Can the ER server be located in a third
domain (ex: broker's) according to ERP mechanism?</cref></t>
<t>When the peer initiates an ERP exchange, the authenticator creates a
Diameter-EAP-Request (DER) message <xref target="RFC4072"></xref>. The
Application Id of the message is set to that of the Diameter ERP
application <xref target="DAI"/> in the message. The generation of the ERP/DER
message is detailed in <xref target="Re-authentication"></xref>.</t>
<t>If there is an ER server in the same domain as the authenticator
(i.e., the local domain), Diameter routing MUST be configured so that this ERP/DER
message reaches that server, even if the Destination-Realm is not the same as
local domain.</t>
<t>If there is no local ER server, the message is routed according to
its Destination-Realm AVP content, extracted from the realm component of
the keyName-NAI attribute. As specified in RFC5296 <xref
target="RFC5296"></xref>, this realm is the home domain of the peer in the
case of bootstrapping exchange ('B' flag is set in ERP message) or the
domain of the bootstrapped ER server otherwise <cref>This actually might
allow the ER server to be in a third party realm</cref>.</t>
<t>If no ER server is available in the home domain either, the ERP/DER
message cannot be delivered, and an error DIAMETER_UNABLE_TO_DELIVER MUST be
generated as specified in <xref target="I-D.ietf-dime-rfc3588bis"></xref> and returned to
the authenticator. The authenticator MAY cache this information (with
limited duration) to avoid further attempts to execute ERP with this realm. It
MAY also fallback to full EAP authentication to authenticate the
peer.</t>
<t>When an ER server receives the ERP/DER message, it searches its local
database for a valid, unexpired root key <cref>and authorization state ?</cref> matching
the keyName part of the User-Name AVP. If such key is found, the ER
server processes the ERP message as described in <xref
target="RFC5296"></xref> then creates the ERP/DEA answer as described in
<xref target="Re-authentication"></xref>. The rMSK is included in this
answer.</t>
<t>Finally, the authenticator extracts the rMSK from the ERP/DEA as
described in RFC5296 <xref target="RFC5296"></xref>, and forwards the
content of the EAP-Payload AVP, the EAP-Finish/Re-Auth message, to the
peer.</t>
<t>The ER server may or may not possess the root key in its local
database. If the EAP-Initiate/Re-Auth message has its 'B' flag set
(Bootstrapping exchange) and the ER server possesses the root key, the ER
server SHOULD respond directly to the peer that initiated the ERP exchange.
Otherwise, the ER server SHOULD act as a proxy and forward
the message to the home EAP server after changing its Application Id to
Diameter EAP and adding the ERP-RK-Request AVP to request the root key.
See <xref target="Bootstrapping"></xref> for more detail on this
process.</t>
</section>
<section anchor="Bootstrapping" title="Bootstrapping the ER Server">
<t>The bootstrapping process involves the home EAP server and the ER
server, but also impacts the peer and the authenticator. In ERP, the
peer must derive the same keying material as the ER server. To achieve
this, it must learn the domain name of the ER server. How this
information is acquired is outside the scope of this specification, but
the authenticator might be configured to advertize this
domain name, especially in the case of re-authentication after a
handover.</t>
<t>The bootstrapping of an ER server with a given root key happens
either during the initial EAP authentication of the peer when the EMSK
-- from which the root key is derived -- is created, during the first
re-authentication, or sometime between those events. We only consider
the first two possibilities in this specification, in the following
sub-sections.</t>
<section anchor="ImplicitBS" title="Bootstrapping During the Initial EAP authentication ">
<t>Bootstrapping the ER server during the initial EAP authentication
(also known as implicit bootstrapping) offers the advantage that the
server is immediately available for re-authentication of the peer,
thus minimizing the re-authentication delay. On the other hand, it is
possible that only a small number of peers will use re-authentication
in the visited domain. Deriving and caching key material for all the
peers (for example, for the peers that do not support ERP) is a waste
of resources and should be avoided.</t>
<t>To achieve implicit bootstrapping, the ER server acts as a Diameter
EAP Proxy , and Diameter routing MUST be configured so that Diameter
EAP application messages are routed through this proxy. The figure
bellow illustrates this mechanism.</t>
<figure title="Figure 2: ERP Bootstrapping During Full EAP Authentication">
<artwork>
ER server &
Authenticator EAP Proxy Home EAP server
============= =========== ===============
------------------------->
Diameter EAP/DER
(EAP-Response)
------------------------->
Diameter EAP/DER
(EAP-Response)
(ERP-RK-Request)
<==================================================>
Multi-round Diameter EAP exchanges, unmodified
<-------------------------
Diameter EAP/DEA
(EAP-Success)
(MSK)
(Key AVP (rRK))
<-------------------------
Diameter EAP/DEA
(EAP-Success)
(MSK)
[ERP-Realm]
</artwork>
</figure>
<t>The authenticator creates the first DER of the full EAP
authentication and sends it to the ER server. The ER server proxies the
first DER of the full EAP authentication and adds the ERP-RK-Request
AVP inside, then forwards the request to the home EAP server. </t>
<t>If the home Diameter server does not support the Diameter ERP extensions,
it simply ignores the ERP-RK-Request AVP and
continues as specified in RFC 4072 <xref target="RFC4072"></xref>. If
the server supports the ERP extensions, it saves the value of the
ERP-Realm AVP found inside the ERP-RK-Request AVP, and continues with
the EAP authentication. When the authentication completes, if it is
successful and the EAP method has generated an EMSK, the server MUST
derive the rRK as specified in RFC 5296 <xref
target="RFC5296"></xref>, using the saved domain name. It then
includes the rRK inside a Key AVP (<xref target="KAVP"/>) with the Key-Type AVP
set to rRK, before sending the DEA as usual.</t>
<t>When the ER server proxies a Diameter-EAP-Answer message with a
Session-Id corresponding to a message to which it added an ERP-RK-
Request AVP, and the Result-Code is DIAMETER_SUCCESS, it MUST examine
the message and save and remove any Key AVP (<xref target="KAVP"/>) with Key-Type
AVP set to rRK. If the message does not contain such Key AVP, the ER
server may cache the information that ERP is not possible for this
session to avoid possible subsequent attempts. In any case, the
information stored in ER server concerning a session should not have a
lifetime greater than the EMSK for this session. <cref>how does the ER
server knows the EMSK lifetime, if there is no ERP-RK-Answer? What is
the lifetime of the MSK for example?</cref></t>
<t>If the ER server is successfully bootstrapped, it should also add
the ERP-Realm AVP after removing the Key AVP with Key-Type of rRK in
the EAP/DEA message. This ERP-Realm information can be used by the
authenticator to notify the peer that ER server is bootstrapped, and
for which domain. How this information can be transmitted to the peer
is outside the scope of this document. This information needs to be
sent to the peer if both implicit and explicit bootstrapping
mechanisms are possible, because the ERP message and the root key used
for protecting this message are different in bootstrapping exchanges
and non-bootstrapping exchanges. </t>
</section>
<section title="Bootstrapping During the First Re-authentication">
<t>Bootstrapping the ER server during the first re-authentication
(also known as explicit bootstrapping) is only needed when there is no
local ER server in the visited domain and there is an ER server in
the home domain. It is less resource-intensive, since the EMSK generated
during initial EAP authentication is reused to derive root keys. On
the other hand, the first re-authentication requires a
one-round-trip exchange with the home EAP server, since the EMSK is
generated during the initial EAP authentication and never leaves the home
EAP server, which is less efficient than the implicit bootstrapping
scenario. </t>
<t> The EAP-Initiate/Re-auth message is sent to the home ER server.
The home ER server receives the ERP/DER message containing the EAP-
Initiate/Re-Auth message with the 'B' flag set. It creates the new
EAP/DER message using the received DRP/DER message and performs the
following processing: <list>
<t>Set the Application Id in the header of the message to <Diameter
EAP Application> <xref target="RFC4072"/> </t>
<t>Extract the ERP-RK-Request AVP from the ERP/DER message, which contains the name of the
domain where the ER server is located and add it to the newly
created ERP/DER message.</t>
</list>Then the newly created EAP/DER is sent and routed to the home
Diameter EAP application server. </t>
<t>If the home Diameter server does not support ERP extensions, it replies
with an error since the encapsulated ERP-RK-Request AVP is not
understood. Otherwise, it processes the DSRK request as described in
<xref target="RFC5296"></xref>. In particular, it includes the Domain-
Name TLV attribute with the content from the ERP-Realm AVP. The server creates
the EAP/DEA reply message <xref target="RFC4072"></xref> including an
instance of the Key AVP (<xref target="KAVP"/>) with Key-Type AVP set to rRK
and an instance of the Domain-Name TLV attribute with the
content from the ERP-Realm AVP. </t>
<t>The ER server receives this EAP/DEA and proxies it as follows, in
addition to standard proxy operations: <list>
<t>Set the Application Id back to Diameter ERP Application Id
(<xref target="DAI"/>
<cref>TBD IANA</cref>)</t>
<t>Extract and cache the content of the Key AVP with Key-Type set
to rRK, as described in the implicit scenario
(<xref target="ImplicitBS"/>).<cref>And authorization
AVPs ?</cref></t>
</list> The ERP/DEA message is then forwarded to the authenticator,
that can use the rMSK as described in RFC 5296 <xref
target="RFC5296"></xref>.</t>
<t>The figure below captures this proxy behavior:</t>
<figure title="Figure 3: ERP Explicit Bootstrapping Message Flow">
<artwork>
Authenticator ER server Home Diameter server
============= ========= ====================
----------------------->
Diameter ERP/DER
(EAP-Initiate)
------------------------>
Diameter EAP/DER
(EAP-Response)
(ERP-RK-Request)
<------------------------
Diameter EAP/DEA
(EAP-Success)
(Key AVP (rRK))
(Key AVP (rMSK))
<----------------------
Diameter ERP/DEA
(EAP-Finish)
(Key AVP (rMSK))
</artwork>
</figure>
</section>
</section>
<?rfc needLines="30" ?>
<section anchor="Re-authentication" title="Re-Authentication">
<t>This section describes in detail a re-authentication exchange with an
ER server that was previously bootstrapped. The following figure
summarizes the re-authentication exchange.</t>
<figure title="Figure 4: Diameter ERP Re-authentication Exchange">
<artwork>
ER server
Peer Authenticator (bootstrapped)
==== ============= ======================
[ <------------------------ ]
[optional EAP-Initiate/Re-auth-start,]
[ possibly with ERP domain name ]
----------------------->
EAP-Initiate/Re-auth
===============================>
Diameter ERP, cmd code DER
User-Name: Keyname-NAI
EAP-Payload: EAP-Initiate/Re-auth
<===============================
Diameter ERP, cmd code DEA
EAP-Payload: EAP-Finish/Re-auth
Key AVP: rMSK
<----------------------
EAP-Finish/Re-auth
</artwork>
</figure>
<t>The peer sends an EAP-Initiate/Re-auth message to the ER server via
the authenticator. Alternatively, the authenticator may send an EAP-
Initiate/Re-auth-Start message to the peer to trigger the mechanism. In
this case, the peer responds with an EAP-Initiate/Re-auth message.</t>
<t>If the authenticator does not support ERP (pure Diameter EAP <xref
target="RFC4072"></xref> support), it discards the EAP packets with an
unknown ERP-specific code (EAP-Initiate). The peer should fallback to
full EAP authentication in this case.</t>
<t>When the authenticator receives an EAP-Initiate/Re-auth message from
the peer, the message is processed as described in <xref target="RFC5296"></xref> with
regard to the EAP state machine. It creates a Diameter ERP/DER message
following the general process of <xref target="RFC4072"> Diameter
EAP</xref>, with the following differences:<list>
<t>The Application Id in the header is set to <Diameter ERP> (code TBD
<cref>TBD IANA</cref>).</t>
<t>The value in Auth-Application-Id AVP is also set to <Diameter ERP>.</t>
<t>The keyName-NAI attribute from the ERP message is used to create the
content of the User-Name and Destination-Realm AVPs.
<cref>FFS: What about Session-ID AVP -- in case of re-auth at the
same place, and in case of handover?</cref></t>
<t>The Auth-Request-Type AVP content is set to the appropriate
value.</t>
<t>The EAP-Payload AVP contains the EAP-Initiate/Re-Auth meassge.</t>
</list>Then this ERP/DER message is sent as described in <xref
target="Overview"></xref>.</t>
<t>The ER server receives and processes this request as described in
<xref target="Overview"></xref>. It then creates an ERP/DEA message
following the general process described in RFC4072 <xref
target="RFC4072"></xref>, with the following differences:<list>
<t>The Application Id in the header is set to <Diameter ERP> (code
TBD).</t>
<t>The value of the Auth-Application-Id AVP is also set to <Diameter
ERP>.</t>
<t>The EAP-Payload AVP contains the EAP-Finish/Re-auth message.</t>
<t>If authentication is successful, an instance of the Key AVP
containing the Re-authentication Master Session Key (rMSK) derived
by ERP is included.</t>
</list></t>
<t>When the authenticator receives this ERP/DEA answer, it processes it
as described in Diameter EAP <xref target="RFC4072"></xref> and RFC5296
<xref target="RFC5296"></xref>: the content of the EAP-Payload AVP
is forwarded to the peer, and the contents of the Keying-Material AVP
<xref target="I-D.ietf-dime-local-keytran"></xref> is used as a shared
secret for a secure association protocol specific to the lower-layer in use.</t>
</section>
<section anchor="ApplicationId" title="Application Id">
<t>We define a new Diameter application in this document, Diameter ERP
Application, with an Application Id value of TBD. Diameter nodes
conforming to this specification in the role of ER server MUST advertise
support by including an Auth-Application-Id AVP with a value of Diameter
ERP in the Capabilities-Exchange-Request and
Capabilities-Exchange-Answer commands <xref
target="I-D.ietf-dime-rfc3588bis"></xref>.</t>
<t>The primary use of the Diameter ERP Application Id is to ensure
proper routing of the messages, and that the nodes that advertise the
support for this application do understand the new AVPs defined in <xref
target="AVPs"></xref>, although these AVP have the 'M' flag
cleared.</t>
</section>
<section anchor="AVPs" title="AVPs">
<t>The following sub-sections discuss the AVPs used by the Diameter ERP
application.</t>
<section title="ERP-RK-Request AVP">
<t>The ERP-RK-Request AVP (AVP Code TBD) is of type grouped AVP. This
AVP is used by the ER server to indicate its willingness to act as ER
server for a particular session.</t>
<t>This AVP has the M and V bits cleared.</t>
<figure title="Figure 5: ERP-RK-Request ABNF">
<artwork>
ERP-RK-Request ::= < AVP Header: TBD >
{ ERP-Realm }
* [ AVP ]
</artwork>
</figure>
</section>
<section title="ERP-Realm AVP">
<t>The ERP-Realm AVP (AVP Code TBD) is of type DiameterIdentity. It
contains the name of the realm in which the ER server is located.</t>
<t>This AVP has the M and V bits cleared.</t>
</section>
<section anchor="KAVP" title="Key AVP">
<t>The Key AVP <xref target="I-D.ietf-dime-local-keytran"></xref> is
of type "Grouped" and is used to carry the rRK or rMSK and associated
attributes. The usage of the Key AVP and its constituent AVPs in this
application is specified in the following sub-sections.</t>
<section title="Key-Type AVP">
<t>The value of the Key-Type AVP MUST be set to 2 for rRK or 3 for
rMSK.</t>
</section>
<section title="Keying-Material AVP">
<t>The Keying-Material AVP contains the rRK sent by the home EAP server
to the ER server, in answer to a request containing an
ERP-RK-Request AVP, or the rMSK sent by the ER server to the authenticator.
How this material is derived and used is specified in RFC 5296 <xref
target="RFC5296"></xref>.</t>
</section>
<section title="Key-Name AVP">
<t>This AVP contains the EMSKname which identifies the keying
material. The derivation of this name is specified in RGC 5296 <xref
target="RFC5296"></xref>.</t>
</section>
<section title="Key-Lifetime AVP">
<t>The Key-Lifetime AVP contains the lifetime of the keying material
in seconds. It MUST NOT be greater than the remaining lifetime of
the EMSK from which the material was derived.</t>
</section>
</section>
</section>
<section title="Contributors">
<t>Hannes Tschofenig wrote the initial draft of this document.</t>
<t>Lakshminath Dondeti contributed to the early versions of the document.</t>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>Hannes Tschofenig provided useful reviews.</t>
<t>Vidya Narayanan reviewed a rough draft version of the document and
found some errors.</t>
<t>Many thanks to these people!</t>
</section>
<section title="IANA Considerations">
<t>This document requires IANA registration of the following new
elements in the <eref
target="http://www.iana.org/assignments/aaa-parameters/">Authentication,
Authorization, and Accounting (AAA) Parameters</eref> registries.</t>
<section anchor="DAI" title="Diameter Application Identifier">
<t>This specification requires IANA to allocate a new value "Diameter
ERP" in the "Application IDs" registry using the policy specified in
Section 11.3 of RFC 3588 <xref target="RFC3588"></xref>.</t>
</section>
<section title="New AVPs">
<t>This specification requires IANA to allocate new values from the
"AVP Codes" registry according to the policy specified in Section 11.1
of Fajardo, et al. <xref target="I-D.ietf-dime-rfc3588bis"></xref> for the following AVPs:
<list>
<t>ERP-RK-Request</t>
<t>ERP-Realm</t>
</list>These AVPs are defined in <xref target="AVPs"></xref>.</t>
</section>
</section>
<section anchor="Security" title="Security Considerations">
<t>The security considerations from the following documents apply here:
<list style="symbols">
<t>Fajardo, et al. <xref target="I-D.ietf-dime-rfc3588bis"></xref></t>
<t>RFC 4072 <xref target="RFC4072"></xref></t>
<t>RFC 5296 <xref target="RFC5296"></xref></t>
<t>Zorn, Wu and Cakulev <xref target="I-D.ietf-dime-local-keytran"></xref></t>
</list></t>
</section>
</middle>
<back>
<references title="Normative References">
&I-D.ietf-dime-local-keytran;
&I-D.ietf-dime-rfc3588bis;
&RFC3588;
&RFC2119;
&RFC4072;
&RFC5295;
&RFC5296;
&RFC3748;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 20:04:53 |