One document matched: draft-ietf-dime-local-keytran-04.xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type='text/xsl' href='http://xml.resource.org/authoring/rfc2629.xslt' ?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc3748 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3748.xml'>
<!ENTITY rfc3588 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3588.xml'>
<!ENTITY rfc4072 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4072.xml'>
<!ENTITY rfc5226 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5226.xml'>
<!ENTITY rfc2989 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2989.xml'>
<!ENTITY rfc5216 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5216.xml'>
<!ENTITY rfc5295 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5295.xml'>
<!ENTITY rfc5296 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5296.xml'>
<!ENTITY rfc5247 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5247.xml'>
<!ENTITY I-D.ietf-dime-ikev2-psk-diameter PUBLIC ""
"http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-dime-ikev2-psk-diameter.xml">
]>
<?rfc strict="yes" ?>
<?rfc toc="yes"?>
<?rfc tocdepth="4"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<rfc category="std" docName="draft-ietf-dime-local-keytran-04" ipr="trust200902">
<front>
<title abbrev="Diameter Key Transport AVPs">Diameter Attribute-Value Pairs for Cryptographic Key Transport</title>
<author fullname="Glen Zorn" initials="G." surname="Zorn" role="editor">
<organization abbrev="Network Zen">Network Zen</organization>
<address>
<postal>
<street>1463 East Republican Street</street>
<street>#358</street>
<city>Seattle</city>
<region>Washington</region>
<code>98112</code>
<country>US</country>
</postal>
<email>gwz@net-zen.net</email>
</address>
</author>
<author fullname="Qin Wu" initials="Q." surname="Wu" role="editor">
<organization abbrev="Huawei">Huawei Technologies Co., Ltd.</organization>
<address>
<postal>
<street>Site B, Floor 12F, Huihong Mansion, No.91 Baixia Rd.</street>
<city>Nanjing</city>
<region>JiangSu</region>
<code>210001</code>
<country>China</country>
</postal>
<phone>+86-25-84565892</phone>
<email>Sunseawq@huawei.com</email>
</address>
</author>
<author initials='V.' surname='Cakulev' fullname='Violeta Cakulev'>
<organization>Alcatel Lucent</organization>
<address>
<postal>
<street>600 Mountain Ave.</street>
<street>3D-517</street>
<city>Murray Hill</city>
<region>NJ</region>
<code>07974</code>
<country>US</country>
</postal>
<phone>+1 908 582 3207</phone>
<email>violeta.cakulev@alcatel-lucent.com</email>
</address>
</author>
<date year="2010"/>
<abstract>
<t>
Some Authentication, Authorization, and Accounting (AAA) applications require the transport of cryptographic keying
material; this document specifies a set of Attribute-Value Pairs
(AVPs) providing native Diameter support of cryptographic key delivery.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
<xref target="RFC4072">The Diameter EAP application</xref>
defines the EAP-Master-Session-Key and EAP-Key-Name AVPs for the purpose of transporting
cryptographic keying material derived during the execution of certain
EAP <xref target="RFC3748"/>
methods (for example, EAP-TLS <xref target="RFC5216"/>).
At most one instance of either of these AVPs is allowed in any Diameter message.
<vspace blankLines="1"/>
However, recent work (see, for example, <xref target="RFC5295"/>)
has specified methods to derive other keys from the keying material created during EAP method execution
that may require transport in addition to the MSK.
In addition, ERP <xref target="RFC5296"/>
specifies new keys that may need to be transported between Diameter nodes.
<vspace blankLines="1"/>
This note specifies a set of AVPs allowing the transport of multiple cryptographic keys in a single Diameter message.
</t>
</section>
<section title="Terminology">
<section title="Standards Language">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="RFC2119">RFC 2119</xref>.
</t>
</section>
<section title="Technical Terms and Acronyms">
<t>
<list style="hanging">
<t hangText="DER">
<vspace blankLines="0"/>
Diameter EAP request <xref target="RFC4072"/>.
</t>
<t hangText="DEA">
<vspace blankLines="0"/>
Diameter EAP Answer <xref target="RFC4072"/>.
</t>
<t hangText="DSRK">
<vspace blankLines="0"/>
Domain-Specific Root Key <xref target="RFC5295"/>.
</t>
<t hangText="DSUSRK">
<vspace blankLines="0"/>
Domain-Specific Usage-Specific Root Key.
This is a Usage-Specific Root Key derived from a DSRK <xref target="RFC5295"/>.
</t>
<t hangText="EAP">
<vspace blankLines="0"/>
Extensible Authentication Protocol <xref target="RFC3748"/>.
</t>
<t hangText="EMSK">
<vspace blankLines="0"/>
Extended Master Session Key <xref target="RFC3748"/>.
</t>
<t hangText="ERP">
<vspace blankLines="0"/>
EAP Re-authentication Protocol <xref target="RFC5296"/>.
</t>
<t hangText="MSK">
<vspace blankLines="0"/>
Master Session Key <xref target="RFC3748"/>.
</t>
<t hangText="rMSK">
<vspace blankLines="0"/>
reauthentication MSK <xref target="RFC5296"/>. This is a per-authenticator key, derived from the rRK (see below).
</t>
<t hangText="rRK">
<vspace blankLines="0"/>
reauthentication Root Key, derived from the EMSK or DSRK <xref target="RFC5296"/>.
</t>
<t hangText="USRK">
<vspace blankLines="0"/>
Usage-Specific Root Key <xref target="RFC5295"/>
</t>
</list>
</t>
</section>
</section>
<section title="Attribute-Value Pair Definitions">
<t>
This section defines new AVPs for the transport of cryptographic keys
in the Diameter EAP application [RFC4072], as well as other Diameter applications.
</t>
<section anchor="K" title="Key AVP">
<t>
The Key AVP (AVP Code <AC1>) is of type Grouped <xref target="RFC3588"/>.
It contains the type and keying material and, optionally, an indication of the usable lifetime of
the key, the name of the key and a Security Parameter Index (SPI) with which the key is
associated.
</t>
<figure>
<artwork><![CDATA[
Key ::= < AVP Header: AC1 >
< Key-Type >
{ Keying-Material }
[ Key-Lifetime ]
[ Key-Name ]
[ Key-SPI ]
* [ AVP ]
]]></artwork>
</figure>
<section anchor="K-T" title="Key-Type AVP">
<t>
The Key-Type AVP (AVP Code <AC2>) is of type Enumerated and
signifies the type of the key being sent.
The following
values are defined in this document:
<list style="hanging">
<t hangText="MSK (0)">
<vspace blankLines="0"/>
The EAP Master Session Key <xref target="RFC3748"/>
</t>
<t hangText="DSRK (1)">
<vspace blankLines="0"/>
A Domain-Specific Root Key <xref target="RFC5295"/>.
</t>
<t hangText="rRK (2)">
<vspace blankLines="0"/>
A reauthentication Root Key <xref target="RFC5296"/>.
</t>
<t hangText="rMSK (3)">
<vspace blankLines="0"/>
A reauthentication Master Session Key <xref target="RFC5296"/>.
</t>
<t hangText="IKEv2-PSK (4)">
A pre-shared key for use in IKE-V2 key exchange
<xref target="I-D.ietf-dime-ikev2-psk-diameter"/>.
</t>
</list>
If additional values are needed, they are to be assigned by IANA
according to the policy stated in <xref target="AV"/>
</t>
</section>
<section anchor="K-N" title="Key-Name AVP">
<t>
The Key-Name AVP is of type OctetString.
It contains an opaque key identifier.
Exactly how this name is generated and used depends on the key type and
usage in question, and is beyond the scope of this document (see <xref target="RFC5247"/>
and <xref target="RFC5295"/>
for discussions of key name generation in the context of EAP).
</t>
</section>
<section anchor="K-M" title="Keying-Material AVP">
<t>
The Keying-Material AVP (AVP Code <AC3>) is of type OctetString.
The exact usage of this keying material depends upon several factors,
including the link layer in use and the type of the key; it is beyond
the scope of this document.
</t>
</section>
<section anchor="K-L" title="Key-Lifetime AVP">
<t>
The Key-Lifetime AVP (AVP Code <AC4>) is of type Integer64 <xref target="RFC3588"/>
and represents the period of time (in seconds) for which the contents of the
Keying-Material AVP <xref target="K-M"/>
is valid.
<list style="hanging">
<t hangText="NOTE:">
<vspace blankLines="0"/>
Applications using this value SHOULD consider the beginning of
the lifetime to be the point in time when the message containing the keying material is
received.
</t>
</list>
</t>
</section>
<section title="Key-SPI" anchor="K-S">
<t>
The Key-SPI AVP (AVP Code <AC5>) is of type Unsigned32 and contains a SPI
value that can be used with other parameters for identifying
associated keying material.
</t>
</section>
</section>
</section>
<section title="Security Considerations">
<t>
The security considerations applicable to the Diameter Base Protocol <xref target="RFC3588"/>
are also applicable to this document, as are those in Section 8.4 of RFC 4072 <xref target="RFC4072"/>.
</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>
Upon publication of this memo as an RFC, IANA is requested to assign
values as described in the following sections.
</t>
<section anchor="AC" title="AVP Codes">
<t>
Codes must be assigned for the following AVPs using the policy specified in RFC 3588,
Section 11.1.1:
<list style="symbols">
<t>
Key (<AC1>, <xref target="K"/>)
</t>
<t>
Key-Type (<AC2>, <xref target="K-T"/>)
</t>
<t>
Keying-Material (<AC3>, <xref target="K-M"/>)
</t>
<t>
Key-Lifetime (<AC4>, <xref target="K-L"/>)
</t>
<t>
Key-SPI (<AC5>, <xref target="K-S"/>)
</t>
</list>
</t>
</section>
<section anchor="AV" title="AVP Values">
<t>
IANA is requested to create a new registry for values assigned to the Key-Type AVP and
populated with the values defined in this document (<xref target="K-T"/>).
New values may be assigned for the Key-Type AVP
using the "Expert Review" policy <xref target="RFC5226"/>;
once values have been assigned, they MUST NOT be deleted, replaced, modified or deprecated.
</t>
</section>
</section>
<section title="Acknowledgements">
<t>
Thanks to Semyon Mizikovsky, Hannes Tschofenig, Joe Salowey, Tom Taylor,
Frank Xia and Sebastien Decugis for useful comments.
</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc3748;
&rfc3588;
&rfc4072;
&rfc5226;
</references>
<references title="Informative References">
&rfc5216;
&rfc5295;
&rfc5296;
&rfc5247;
&I-D.ietf-dime-ikev2-psk-diameter;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 07:45:52 |