One document matched: draft-ietf-emu-eap-tunnel-method-01.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2560 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2560.xml">
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc3748 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3748.xml">
<!ENTITY rfc3268 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3268.xml">
<!ENTITY rfc2434 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2434.xml">
<!ENTITY rfc5216 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5216.xml">
<!ENTITY rfc4282 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4282.xml">
<!ENTITY rfc4072 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4072.xml">
<!ENTITY rfc4086 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4086.xml">
<!ENTITY rfc3579 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3579.xml">
<!ENTITY rfc5422 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5422.xml">
<!ENTITY rfc4851 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4851.xml">
<!ENTITY rfc5246 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml">
<!ENTITY rfc4013 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4013.xml">
<!ENTITY draft-ietf-emu-eaptunnel-req SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-emu-eaptunnel-req-09.xml">
<!ENTITY rfc5077 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5077.xml">
<!ENTITY draft-ietf-emu-chbind SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-emu-chbind-06.xml">
<!ENTITY rfc6066 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6066.xml">
<!ENTITY rfc5746 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5746.xml">
<!ENTITY rfc5705 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5705.xml">
<!ENTITY rfc5421 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5421.xml">
<!ENTITY rfc3280 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3280.xml">
<!ENTITY rfc4630 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4630.xml">
<!ENTITY rfc3766 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3766.xml">
<!ENTITY rfc5281 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5281.xml">
<!ENTITY rfc3629 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3629.xml">
<!ENTITY rfc2315 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2315.xml">
<!ENTITY rfc2311 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2311.xml">
<!ENTITY rfc5272 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5272.xml">
<!ENTITY rfc4945 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4945.xml">
]>
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="6"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc rfcedstyle="yes"?>
<?rfc subcompact="no"?>
<rfc docName="draft-ietf-emu-eap-tunnel-method-01.txt" ipr="trust200902" category="std" >
<front>
<title abbrev="TEAP">Tunnel EAP Method (TEAP) Version 1</title>
<author fullname="Hao Zhou" initials="H" surname="Zhou">
<organization abbrev="">Cisco Systems</organization>
<address>
<postal>
<street>4125 Highlander Parkway</street>
<city>Richfield</city>
<country>US</country>
<code>44286</code>
<region>OH</region>
</postal>
<email>hzhou@cisco.com</email>
</address>
</author>
<author fullname="Nancy Cam-Winget" initials="N" surname="Cam-Winget">
<organization abbrev="">Cisco Systems</organization>
<address>
<postal>
<street>3625 Cisco Way</street>
<city>San Jose</city>
<country>US</country>
<code>95134</code>
<region>CA</region>
</postal>
<email>ncamwing@cisco.com</email>
</address>
</author>
<author fullname="Joseph Salowey" initials="J" surname="Salowey">
<organization abbrev="">Cisco Systems</organization>
<address>
<postal>
<street>2901 3rd Ave</street>
<city>Seattle</city>
<country>US</country>
<code>98121</code>
<region>WA</region>
</postal>
<email>jsalowey@cisco.com</email>
</address>
</author>
<author fullname="Stephen Hanna" initials="S" surname="Hanna">
<organization abbrev="">Juniper Networks</organization>
<address>
<postal>
<street>79 Parsons Street</street>
<city>Brighton</city>
<country>US</country>
<code>02135</code>
<region>MA</region>
</postal>
<email>shanna@juniper.net</email>
</address>
</author>
<date month="October" year="2011" />
<workgroup>EMU Working Group</workgroup>
<abstract>
<t>This document defines the Tunnel Extensible Authentication Protocol (TEAP)
protocol version 1.
TEAP is a tunnel based EAP method that enables secure communication between a
peer and a server by using the Transport Layer Security (TLS) to
establish a mutually authenticated tunnel. Within the tunnel,
Type-Length-Value (TLV) objects are used to convey authentication
related data between the EAP peer and the EAP server.</t>
</abstract>
</front>
<middle>
<section anchor="introduction" title="Introduction">
<t>An Extensible Authentication Protocol (EAP) tunnel method is an EAP method that establishes a secure tunnel and executes other EAP methods under the protection of that secure tunnel. An EAP tunnel method can be used in any lower layer protocol that supports EAP
authentication. There are several existing EAP tunnel methods that use Transport Layer Security (TLS) to establish the secure tunnel. EAP methods supporting this include Protected EAP (PEAP) <xref target="PEAP"></xref>, Tunneled Transport Layer Security EAP (TTLS) <xref target="RFC5281"></xref> and EAP Flexible Authentication via Secure Tunneling (EAP-FAST) <xref target="RFC4851"></xref>. However, they all are either vendor specific or informational and industry calls for a standard-track tunnel EAP method. <xref target="I-D.ietf-emu-eaptunnel-req"></xref> outlines the list of requirements for a standard tunnel based EAP method. </t>
<t>Since the introduction of EAP-FAST <xref target="RFC4851"></xref> a few years ago, it has been widely adopted in variety of devices and platforms due to its strong security, flexibility and ease of deployment. It has been adopted by EMU working group as the basis for the standard tunnel based EAP method. This document describes TEAP version 1, based on EAP-FAST <xref target="RFC4851"></xref> with some minor changes, to meet the requirements outlined in <xref target="I-D.ietf-emu-eaptunnel-req"></xref> for a standard tunnel based EAP method. </t>
<section title="Specification Requirements">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119"></xref> .</t>
</section>
<section anchor="goals" title="Design Goals">
<t>Network access solutions requiring user friendly and easily
deployable secure authentication mechanisms highlight the need for
strong mutual authentication protocols that enable the use of weaker
user credentials. This document defines an Extensible Authentication
Protocol (EAP) which consists of establishing a Transport Layer Security
(TLS) tunnel using TLS 1.2 <xref target="RFC5246"></xref> or
a successor version of TLS, using the latest version supported by
both parties. Once the tunnel is established, the protocol further exchanges data in the form of Type-Length-Value (TLV) objects to perform further authentication. TEAP
supports the TLS extension defined in <xref target="RFC5077"></xref> to
support fast re-establishment of the secure tunnel without having to
maintain per-session state on the server. </t>
<t>TEAP's design motivations included:</t>
<t><list style="symbols">
<t>Mutual authentication: an EAP server must be able to verify the
identity and authenticity of the peer, and the peer must be able to
verify the authenticity of the EAP server. <vspace
blankLines="1" /></t>
<t>Immunity to passive dictionary attacks: many authentication
protocols require a password to be explicitly provided (either as
cleartext or hashed) by the peer to the EAP server; at minimum, the
communication of the weak credential (e.g., password) must be immune
from eavesdropping. <vspace blankLines="1" /></t>
<t>Immunity to man-in-the-middle (MitM) attacks: in establishing a
mutually authenticated protected tunnel, the protocol must prevent
adversaries from successfully interjecting information into the
conversation between the peer and the EAP server. <vspace
blankLines="1" /></t>
<t>Flexibility to enable support for most password authentication
interfaces: as many different password interfaces (e.g., Microsoft
Challenge Handshake Authentication Protocol (MS-CHAP), Lightweight
Directory Access Protocol (LDAP), One-Time Password (OTP), etc.) exist to authenticate a peer, the protocol must
provide this support for legacy password authentication seamlessly. <vspace blankLines="1" /></t>
<t>Cryptographic algorithm agility: a cryptographic algorithm's strength is not perpetual, as weaknesses in an algorithm
are discovered or increased processing power overtakes an algorithm over time. Hence, the protocol must not be tied to any single cryptographic
algorithm. Instead, it MUST support run-time negotiation to select
among an extensible set of cryptographic algorithms and also allow users to
choose the algorithm that best meets their needs.</t>
<t>Sequence of chained EAP methods: Several circumstances are best addressed by using chained EAP
methods. For example, it may be desirable to authenticate the user
and also authenticate the device being used. The protocol must support chained EAP methods while including
protection against attacks on method chaining.</t>
</list></t>
<t>With these motivational goals defined, further secondary design
criteria are imposed:</t>
<t><list style="symbols">
<t>Flexibility to extend the communications inside the tunnel: with
the growing complexity in network infrastructures, the need to gain
authentication, authorization, and accounting is also evolving. For
instance, there may be instances in which multiple existing
authentication protocols are required to achieve mutual
authentication. Similarly, different protected conversations may be
required to achieve the proper authorization once a peer has
successfully authenticated.</t>
<t>Minimize the authentication server's per user authentication
state requirements: with large deployments, it is typical to have
servers authenticating many peers. With many different authentication servers deployed, a peer's session state may need to be replicated to allow for high availability or mobility scenarios. To facilitate scalable authentication server deployments and more efficient per user state management, it is desirable for a peer to cache its session state that has been securely encapsulated by the authentication server infrastructure.</t>
<t>Efficiency: specifically when using wireless media, peers will be
limited in computational and power resources. The protocol must
enable the network access communication to be computationally
lightweight.</t>
<t>Channel bindings: EAP channel bindings seek to authenticate previously unauthenticated
information provided by the authenticator to the EAP peer, by
allowing the peer and server to compare their perception of network
properties in a secure channel. It is used to solve
the lying NAS and the lying provider problems. The protocol should provide support for EAP channel bindings as defined in <xref target="I-D.ietf-emu-chbind"></xref>.</t>
</list></t>
</section>
<section title="Terminology">
<t>Much of the terminology in this document comes from <xref
target="RFC3748"></xref>. Additional terms are defined below:</t>
<t><list style="hanging">
<t hangText="Protected Access Credential (PAC)"><vspace
blankLines="1" />Credentials distributed to a peer for future
optimized network authentication. The PAC consists of a minimum
of two components: a shared secret and an opaque element.
The shared secret component contains
the pre-shared key between the peer and the authentication server.
The opaque part is provided to the peer and is presented to the
authentication server when the peer wishes to obtain access to
network resources. The opaque element and shared secret are used with TLS stateless session resumption defined in RFC 5077 <xref
target="RFC5077"></xref> to establish a protected TLS session. The secret key and opaque part may distributed using RFC 5077 messages or using TLVs within the TEAP tunnel. Finally, a PAC may optionally include other
information that may be useful to the peer. </t>
<t hangText="Type-Length-Value (TLV)"><vspace
blankLines="1" />The TEAP protocol utilizes objects in Type Length Value (TLV)
format. The TLV format is defined in <xref target="tlvformat"></xref>.</t>
</list></t>
</section>
</section>
<section anchor="protocoloverview" title="Protocol Overview">
<t>TEAP authentication occurs in two phases. In the first phase,
TEAP employs the TLS <xref target="RFC5246"></xref> handshake to provide an authenticated key
exchange and to establish a protected tunnel. Once the tunnel is
established, the second phase begins with the peer and server engaging in
further conversations to establish the required authentication and
authorization policies. TEAP makes use of Type-Length-Value objects (TLVs) to carry out the
inner authentication, results and other information, such as channel binding information. </t>
<t>TEAP makes use of the TLS enhancements in Ticket Extension <xref
target="RFC5077"></xref> to enable an optimized TLS tunnel session
resume while minimizing server state. The ticket is referred to as the Protected Access
Credential opaque data (or PAC-Opaque). The PAC-Opaque may be distributed through the use of the NewSessionTicket message or through a mechanism that uses TLVs within phase 2 of TEAP. The secret key used to resume the session in TEAP is referred to as the Protected Access Credential key (or PAC-Key). When the NewSessionTicket message is being used to distribute the PAC-Opaque the PAC-Key is the Master Secret for the session. If TEAP phase 2 is used to distribute the PAC-Opaque then the PAC-Key is distributed along with the PAC-Opaque. TEAP implementations MUST support the RFC 5077 mechanism for distributing a PAC-Opaque and it is RECOMMENDED that implementations
support the capability to distribute the ticket and secret key within
the TEAP tunnel.</t>
<t>The TEAP conversation is used to establish or resume an existing
session to typically establish network connectivity between a peer and
the network. Upon successful execution of TEAP, both EAP peer and EAP
server derive strong session key material that can then be communicated
to the network access server (NAS) for use in establishing a link layer
security association.</t>
<section anchor="archmodel" title="Architectural Model">
<t>The network architectural model for TEAP usage is shown
below:</t>
<figure title="TEAP Architectural Model">
<artwork><![CDATA[
+----------+ +----------+ +----------+ +----------+
| | | | | | | Inner |
| Peer |<---->| Authen- |<---->| TEAP |<---->| Method |
| | | ticator | | server | | server |
| | | | | | | |
+----------+ +----------+ +----------+ +----------+
]]></artwork>
</figure>
<t>The entities depicted above are logical entities and may or may not
correspond to separate network components. For example, the TEAP
server and inner method server might be a single entity; or the
authenticator and TEAP server might be a single entity; or the
functions of the authenticator, TEAP server, and inner method
server might be combined into a single physical device. For example,
typical IEEE 802.11 deployments place the Authenticator in an access point
(AP) while a Radius server may provide the TEAP and inner method
server components. The above diagram illustrates the division of labor
among entities in a general manner and shows how a distributed system
might be constructed; however, actual systems might be realized more
simply. The security considerations <xref target="sepp1p2"></xref>
provides an additional discussion of the implications of separating
the TEAP server from the inner method server.</t>
</section>
<section anchor="protlayermodel" title="Protocol Layering Model">
<t>TEAP packets are encapsulated within EAP; EAP in turn
requires a carrier protocol for transport. TEAP packets
encapsulate TLS, which is then used to encapsulate user authentication
information. Thus, TEAP messaging can be described using a layered
model, where each layer encapsulates the layer above it. The
following diagram clarifies the relationship between protocols:</t>
<figure title="Protocol Layering Model">
<artwork><![CDATA[
+---------------------------------------------------------------+
| Inner EAP Method | Other TLV information |
|---------------------------------------------------------------|
| TLV Encapsulation (TLVs) |
|---------------------------------------------------------------|
| TLS | Optional TLVs |
|---------------------------------------------------------------|
| TEAP |
|---------------------------------------------------------------|
| EAP |
|---------------------------------------------------------------|
| Carrier Protocol (EAP over LAN, RADIUS, Diameter, etc.) |
+---------------------------------------------------------------+
]]></artwork>
</figure>
<t>The TLV layer is a payload with Type-Length-Value (TLV) Objects
defined in <xref target="tlvformat"></xref>. The TLV objects are used
to carry arbitrary parameters between an EAP peer and an EAP server.
All conversations in the TEAP protected tunnel must be
encapsulated in a TLV layer.</t>
<t>TEAP packets may include TLVs both inside and outside the TLS tunnel.
The term "Outer TLVs" is used to refer to optional TLVs outside the
TLS tunnel, which are only allowed in the first two messages in the
TEAP protocol. That is the first EAP server to peer message and
first peer to EAP server message. If the message is fragmented, the
whole set of messages is counted as one message. The term "Inner
TLVs" is used to refer to TLVs sent within the TLS tunnel. In TEAP Phase 1, Outer TLVs are used to help establishing the TLS
tunnel, but no Inner TLVs are used. In Phase 2 of the TEAP conversation, TLS records may encapsulate zero
or more Inner TLVs, but no Outer TLVs.</t>
<t>Methods for encapsulating EAP within carrier protocols are already
defined. For example, IEEE 802.1X <xref
target="IEEE.802-1X.2004"></xref> may be used to transport EAP between
the peer and the authenticator; RADIUS <xref target="RFC3579"></xref>
or Diameter <xref target="RFC4072"></xref> may be used to transport
EAP between the authenticator and the EAP server.</t>
</section>
</section>
<section anchor="teapprotocol" title="TEAP Protocol">
<t>TEAP authentication occurs in two phases. In the first phase,
TEAP employs the TLS handshake to provide an authenticated key
exchange and to establish a protected tunnel. Once the tunnel is
established the second phase begins with the peer and server engaging in
further conversations to establish the required authentication and
authorization policies. The operation of the protocol, including Phase 1
and Phase 2, is the topic of this section. The format of TEAP
messages is given in <xref target="messageformats"></xref> and the
cryptographic calculations are given in <xref
target="crypto"></xref>.</t>
<section anchor="versionnegotiation" title="Version Negotiation">
<t>TEAP packets contain a 3-bit version field, following the
TLS Flags field, which enables TEAP implementations to be backward
compatible with previous versions of the protocol. This specification
documents the TEAP version 1 protocol; implementations of this
specification MUST use a version field set to 1.</t>
<t>Version negotiation proceeds as follows:</t>
<t><list style="hanging">
<t>In the first EAP-Request sent with EAP type=TEAP, the EAP
server must set the version field to the highest supported version
number. <vspace blankLines="1" /></t>
<t>If the EAP peer supports this version of the protocol, it MUST
respond with an EAP-Response of EAP type=TEAP, and the version
number proposed by the TEAP server. <vspace
blankLines="1" /></t>
<t>If the TEAP peer does not support this version, it responds
with an EAP-Response of EAP type=TEAP and the highest
supported version number that's less than the number proposed by the TEAP server. <vspace blankLines="1" /></t>
<t>If the TEAP server does not support the version number
proposed by the TEAP peer, it MAY terminate the conversation with EAP-Failure or negotiate for another EAP type.
Otherwise the TEAP conversation continues.</t>
</list></t>
<t>The version negotiation procedure guarantees that the TEAP peer
and server will agree to the latest version supported by both parties.
If version negotiation fails, then use of TEAP will not be
possible, and another mutually acceptable EAP method will need to be
negotiated if authentication is to proceed.</t>
<t>The TEAP version is not protected by TLS; and hence can be
modified in transit. In order to detect a modification of the TEAP
version, the peers MUST exchange the TEAP version number received
during version negotiation using the Crypto-Binding TLV described in
<xref target="cbtlv"></xref>. The receiver of the Crypto-Binding TLV
MUST verify that the version received in the Crypto-Binding TLV
matches the version sent by the receiver in the TEAP version
negotiation.</t>
</section>
<section anchor="phase1"
title="TEAP Authentication Phase 1: Tunnel Establishment">
<t>TEAP is based on the TLS handshake <xref target="RFC5246"></xref>
to establish an authenticated and protected tunnel. The TLS version
offered by the peer and server MUST be TLS version 1.2 <xref target="RFC5246"></xref> or later. This version
of the TEAP implementation MUST support the following TLS
ciphersuites:</t>
<t><list style="hanging">
<t>TLS_RSA_WITH_AES_128_CBC_SHA <xref target="RFC3268"></xref></t>
<t>TLS_DHE_RSA_WITH_AES_128_CBC_SHA <xref
target="RFC3268"></xref></t>
</list></t>
<t>Other ciphersuites MAY be supported. It is RECOMMENDED that
anonymous ciphersuites such as TLS_DH_anon_WITH_AES_128_CBC_SHA only
be used in the case when the inner authentication method provides man-in-the-middle protection [Editor's Note: The use of Anonymous Cipher Suites is still under discussion on the list]. Care must be taken to address potential man-in-the-middle attacks
when ciphersuites that do not provide authenticated tunnel
establishment are used. During the
TEAP Phase 1 conversation the TEAP endpoints MAY negotiate TLS
compression. During TLS tunnel establishment, TLS extensions MAY be used. For instance, Certificate Status Request extension <xref
target="RFC6066"></xref> can be used to leverage a certificate-status protocol such as OCSP <xref
target="RFC2560"></xref> to check the validity of server certificates. TLS renegotiation indications defined in RFC 5746
<xref target="RFC5746"> </xref> MUST be supported.</t>
<t>The EAP server initiates the TEAP conversation with an EAP
request containing an TEAP/Start packet. This packet includes a
set Start (S) bit, the TEAP version as specified in <xref
target="versionnegotiation"></xref>, and an authority identity. The
TLS payload in the initial packet is empty. The authority identity
(Authority-ID TLV) is used to provide the peer a hint of the server's identity
that may be useful in helping the peer select the appropriate
credential to use. Assuming that the peer supports TEAP the
conversation continues with the peer sending an EAP-Response packet
with EAP type of TEAP with the Start (S) bit clear and the version
as specified in <xref target="versionnegotiation"></xref>. This
message encapsulates one or more TLS records containing the TLS
handshake messages. If the TEAP version negotiation is successful
then the TEAP conversation continues until the EAP server and EAP
peer are ready to enter Phase 2. When the full TLS handshake is
performed, then the first payload of TEAP Phase 2 MAY be sent
along with server-finished handshake message to reduce the number of
round trips.</t>
<t> TEAP
implementations MUST support client authentication during tunnel
establishment using the TLS ciphersuites specified in <xref
target="phase1"></xref>. The EAP peer does not need to authenticate as part
of the TLS exchange, but can alternatively be authenticated through
additional EAP exchanges carried out in Phase 2.</t>
<t>The TEAP tunnel protects peer identity information exchanged during phase 2 from
disclosure outside the tunnel. Implementations that wish to provide
identity privacy for the peer identity must carefully consider what
information is disclosed outside the tunnel prior to phase 2. TEAP implementations SHOULD support
the immediate renegotiation of a TLS session to initiate a new
handshake message exchange under the protection of the current
cipher suite. This allows support for protection of the peer's
identity when using TLS client authentication.
</t>
<t>The following sections describe resuming a TLS session based on
server-side or client-side state.</t>
<section anchor="sessres"
title="TLS Session Resume Using Server State">
<t>TEAP session resumption is achieved in the same manner TLS
achieves session resume. To support session resumption, the server
and peer must minimally cache the Session ID, master secret, and
ciphersuite. The peer attempts to resume a session by including a
valid Session ID from a previous handshake in its ClientHello
message. If the server finds a match for the Session ID and is
willing to establish a new connection using the specified session
state, the server will respond with the same Session ID and proceed
with the TEAP Authentication Phase 1 tunnel establishment based
on a TLS abbreviated handshake. After a successful conclusion of the
TEAP Authentication Phase 1 conversation, the conversation then
continues on to Phase 2.</t>
</section>
<section anchor="tunnelpac" title="TLS Session Resume Using a PAC">
<t>TEAP supports the resumption of sessions based on client-side
state using the TLS SessionTicket extension techniques described in <xref target="RFC5077"></xref>.
This version of TEAP supports the provisioning of a ticket called a Protected
Access Credential (PAC) through the use of the NewSessionTicket handshake described in <xref target="RFC5077"></xref>,
as well as provisioning of a PAC inside the protected tunnel.
Implementations may provide additional ways to provision the PAC,
such as manual configuration. Since the PAC mentioned here is used
for establishing the TLS Tunnel, it is more specifically referred to
as the Tunnel PAC. The Tunnel PAC is a security credential provided
by the EAP server to a peer and comprised of:</t>
<t><list style="numbers">
<t>PAC-Key: this is the key used by the peer as the TLS master secret to establish
the TEAP Phase 1 tunnel. The PAC-Key is a strong high-entropy 48-octet key and is typically the master secret from a previous TLS session. The
PAC-Key is a secret and MUST be treated accordingly. In the case that a PAC-Key is provisioned to the client through another means it must have its confidentiality and integrity protected by a mechanism, such as the TEAP phase 2 tunnel. The PAC-Key must be stored securely by the peer. <vspace blankLines="1" /></t>
<t>PAC-Opaque: this is a variable length field containing the ticket that is sent to
the EAP server during the TEAP Phase 1 tunnel establishment based on RFC 5077.
The PAC-Opaque can only be interpreted by the EAP server to
recover the required information for the server to validate the
peer's identity and authentication. The PAC-Opaque
includes the PAC-Key and other TLS session parameters. It may contain the PAC's peer identity.
The PAC-Opaque format and contents are specific to the PAC
issuing server. The PAC-Opaque may be presented in the clear, so
an attacker MUST NOT be able to gain useful information from the
PAC-Opaque itself. The server issuing the PAC-Opaque must ensure
it is protected with strong cryptographic keys and algorithms. The PAC-Opaque may be distributed using the NewSessionTicket message defined in RFC 5077 or it may be distributed through another mechanism such as the phase 2 TLVs defined in this document.
<vspace blankLines="1" /></t>
<t>PAC-Info: this is an optional variable length field used to provide, at a
minimum, the authority identity of the PAC issuer. Other useful but
not mandatory information, such as the PAC-Key lifetime, may
also be conveyed by the PAC issuing server to the peer during
PAC provisioning or refreshment. PAC-Info is not included if the NewSessionTicket message is used to provision the PAC.</t>
</list></t>
<t>The use of the PAC is based on the SessionTicket extension
defined in <xref target="RFC5077"></xref>. The EAP server initiates
the TEAP conversation as normal. Upon receiving the Authority-ID TLV from
the server, the peer checks to see if it has an existing valid
PAC-Key and PAC-Opaque for the server. If it does, then it obtains
the PAC-Opaque and puts it in the SessionTicket extension in the
ClientHello. It is RECOMMENDED in TEAP that the peer include an
empty Session ID in a ClientHello containing a PAC-Opaque. This version of TEAP
supports the NewSessionTicket Handshake message as described in <xref target="RFC5077"></xref> for distribution of a new PAC, as well as the provisioning of PAC inside the protected tunnel. If the PAC-Opaque included in the SessionTicket extension
is valid and the EAP server permits the abbreviated TLS handshake, it
will select the cipher suite from information
within the PAC-Opaque and finish with the abbreviated TLS handshake. If the
server receives a Session ID and a PAC-Opaque in the SessionTicket
extension in a ClientHello, it should place the same Session ID in
the ServerHello if it is resuming a session based on the PAC-Opaque.
The conversation then proceeds as described in <xref
target="RFC5077"></xref> until the handshake completes or a fatal
error occurs. After the abbreviated handshake completes, the peer and
the server are ready to commence Phase 2.</t>
</section>
<section title="Transition between Abbreviated and Full TLS Handshake">
<t>If session resumption based on server-side or client-side state
fails, the server can gracefully fall back to a full TLS handshake. If
the ServerHello received by the peer contains an empty Session ID or a
Session ID that is different than in the ClientHello, the server may
fall back to a full handshake. The peer can distinguish the server's
intent of negotiating full or abbreviated TLS handshake by checking
the next TLS handshake messages in the server response to the ClientHello.
If ChangeCipherSpec follows the ServerHello in response to the
ClientHello, then the server has accepted the session resumption and
intends to negotiate the abbreviated handshake. Otherwise, the server
intends to negotiate the full TLS handshake. A peer can request for a
new PAC to be provisioned after the full TLS handshake and mutual
authentication of the peer and the server. In order to facilitate the
fallback to a full handshake the peer SHOULD include cipher suites
that allow for a full handshake and possibly PAC provisioning so the
server can select one of these in case session resumption fails. An
example of the transition is shown in <xref
target="examples"></xref>.</t>
</section>
</section>
<section anchor="phase2"
title="TEAP Authentication Phase 2: Tunneled Authentication">
<t>The second portion of the TEAP Authentication occurs
immediately after successful completion of Phase 1. Phase 2 occurs
even if both peer and authenticator are authenticated in the Phase 1
TLS negotiation. Phase 2 MUST NOT occur if the Phase 1 TLS handshake
fails. Phase 2 consists of a series of requests and responses
encapsulated in TLV objects defined in <xref
target="tlvformat"></xref>. Phase 2 MUST always end with a protected
termination exchange described in <xref target="proterm"></xref>. The
TLV exchange may include the execution of zero or more EAP methods
within the protected tunnel as described in <xref
target="eapseq"></xref>. A server MAY proceed directly to the
protected termination exchange if it does not wish to request further
authentication from the peer. However, the peer and server must not
assume that either will skip inner EAP methods or other TLV exchanges.
The peer may have roamed to a network that requires conformance with
a different authentication policy or the peer may request the server
take additional action through the use of the Request-Action TLV.</t>
<section anchor="eapseq" title="EAP Sequences">
<t>EAP <xref target="RFC3748"></xref> prohibits use of multiple
authentication methods within a single EAP conversation in order to
limit vulnerabilities to man-in-the-middle attacks. TEAP
addresses man-in-the-middle attacks through support for
cryptographic protection of the inner EAP exchange and cryptographic
binding of the inner authentication method(s) to the protected
tunnel. EAP methods are executed serially in a sequence. This
version of TEAP does not support initiating multiple EAP methods
simultaneously in parallel. The methods need not be distinct. For
example, EAP-TLS could be run twice as an inner method, first using
machine credentials followed by a second instance using user
credentials.</t>
<t>EAP method messages are carried within EAP-Payload TLVs defined
in <xref target="eappayloadtlv"></xref>. If more than one method is
going to be executed in the tunnel, then upon method completion, the server MUST send an Intermediate-Result TLV indicating the
result. The peer MUST respond to the Intermediate-Result TLV
indicating its result. If the result indicates success, the
Intermediate-Result TLV MUST be accompanied by a Crypto-Binding TLV.
The Crypto-Binding TLV is further discussed in <xref
target="cbtlv"></xref> and <xref target="compmac"></xref>. The
Intermediate-Result TLVs can be included with other TLVs such as
EAP-Payload TLVs starting a new EAP conversation or with the Result
TLV used in the protected termination exchange. </t>
<t>If both peer and server indicate success, then the method is
considered complete. If either indicates failure, then the method is
considered failed. The result of failure of an EAP method does not
always imply a failure of the overall authentication. If one
authentication method fails, the server may attempt to authenticate
the peer with a different method.</t>
</section>
<section anchor="passauth" title="Optional Password Authentication">
<t>The use of EAP-FAST-GTC as defined in RFC 5421 <xref target="RFC5421"></xref> is not recommended with TEAPv1.
Implementations should instead make use of the password authentication TLVs
defined in this specification. The
authentication server initiates password authentication by sending a
Basic-Password-Auth-Req TLV defined in <xref target="passreq"></xref>.
If the peer wishes to participate in password authentication then it
responds with a Basic-Password-Auth-Resp TLV as defined in <xref target="passresp"></xref>
that contains the username and password. If it does not wish to perform password
authentication then it responds with a NAK TLV indicating the rejection of the
Basic-Password-Auth-Req TLV. Upon receiving the response the server indicates
the success or failure of the exchange using an Intermediate-Result TLV.
Multiple roundtrips of password authentication requests and responses MAY be used to
support some "housecleaning" functions such as password change, change pin, etc.
before a user is authenticated. </t>
</section>
<section anchor="proterm"
title="Protected Termination and Acknowledged Result Indication">
<t>A successful TEAP Phase 2 conversation MUST always end in a
successful Result TLV exchange. An TEAP server may initiate the
Result TLV exchange without initiating any EAP conversation in
TEAP Phase 2. After the final Result TLV exchange, the TLS tunnel
is terminated and a clear text EAP-Success or EAP-Failure is sent by
the server. The format of the Result TLV is described in <xref
target="resulttlv"></xref>.</t>
<t>A server initiates a successful protected termination exchange by
sending a Result TLV indicating success. The server may send the
Result TLV along with an Intermediate-Result TLV and a Crypto-Binding
TLV. If the peer requires nothing more from the server it will respond
with a Result TLV indicating success accompanied by an
Intermediate-Result TLV and Crypto-Binding TLV if necessary. The
server then tears down the tunnel and sends a clear text
EAP-Success.</t>
<t>If the peer receives a Result TLV indicating success from the
server, but its authentication policies are not satisfied (for example
it requires a particular authentication mechanism be run or it wants
to request a PAC), it may request further action from the server using
the Request-Action TLV. The Request-Action TLV is sent along with the
Result TLV indicating what EAP Success/Failure result the peer would
expect if the requested action is not granted. The value of the
Request-Action TLV indicates what the peer would like to do next. The
format and values for the Request-Action TLV are defined in <xref
target="ratlv"></xref>.</t>
<t>Upon receiving the Request-Action TLV the server may process the
request or ignore it, based on its policy. If the server ignores the
request, it proceeds with termination of the tunnel and send the clear
text EAP Success or Failure message based on the value of the peer's
result TLV. If the server honors and processes the request, it continues
with the requested action. The conversation completes with a Result
TLV exchange. The Result TLV may be included with the TLV that
completes the requested action.</t>
<t>Error handling for Phase 2 is discussed in <xref
target="phase2err"></xref>.</t>
</section>
</section>
<section anchor="peerid" title="Determining Peer-Id and Server-Id">
<t>The Peer-Id and Server-Id may be determined based on the types of
credentials used during either the TEAP tunnel creation or
authentication. In the case of multiple peer authentications, the Peer-ID is determined from the first peer authenticatication.</t>
<t>When X.509 certificates are used for peer authentication, the Peer-Id
is determined by the subject or subjectAltName fields in the peer
certificate. As noted in <xref target="RFC3280"></xref> (updated by <xref target="RFC4630"></xref>):</t>
<t><list hangIndent="2" style="hanging">
<t>The subject field identifies the entity associated with the public
key stored in the subject public key field. The subject name MAY
be carried in the subject field and/or the subjectAltName
extension.... If subject naming information is present only in
the subjectAltName extension (e.g., a key bound only to an email
address or URI), then the subject name MUST be an empty sequence
and the subjectAltName extension MUST be critical.</t>
<t>Where it is non-empty, the subject field MUST contain an X.500
distinguished name (DN).</t>
</list></t>
<t>If an inner EAP method is run, then the Peer-Id is obtained from the
inner method.</t>
<t>When the server uses an X.509 certificate to establish the TLS
tunnel, the Server-Id is determined in a similar fashion as stated
above for the Peer-Id; e.g., the subject or subjectAltName field in
the server certificate defines the Server-Id.</t>
</section>
<section anchor="sessionid" title="TEAP Session Identifier">
<t>The EAP session identifier is constructed using the random values
provided by the peer and server during the TLS tunnel establishment. The randoms from the outermost TLS handshake are used in the case that renegotiation is used.
The Session-Id is defined as follows:</t>
<t><list hangIndent="2" style="hanging">
<t>Session-Id = teap_type || client_random || server_random</t>
<t>type_type = EAP method type assigned to TEAP</t>
<t>client_random = 32 octet nonce generated by the peer for the initial TLS handshake</t>
<t>server_random = 32 octet nonce generated by the server for the initial TLS handshake</t>
</list></t>
</section>
<section anchor="error" title="Error Handling">
<t>TEAP uses the following error handling rules summarized
below:</t>
<t><list style="numbers">
<t>Errors in the TLS layer are communicated via TLS alert messages in
all phases of TEAP.</t>
<t>The Intermediate-Result TLVs carry success or failure
indications of the individual EAP methods in TEAP Phase 2.
Errors within the EAP conversation in Phase 2 are expected to be
handled by individual EAP methods.</t>
<t>Violations of the TLV rules are handled using Result TLVs
together with Error TLVs.</t>
<t>Tunnel compromised errors (errors caused by Crypto-Binding
failed or missing) are handled using Result TLVs and Error
TLVs.</t>
</list></t>
<section anchor="tlserr" title="TLS Layer Errors">
<t>If the TEAP server detects an error at any point in the TLS
Handshake or the TLS layer, the server SHOULD send an TEAP
request encapsulating a TLS record containing the appropriate TLS
alert message rather than immediately terminating the conversation
so as to allow the peer to inform the user of the cause of the
failure and possibly allow for a restart of the conversation. The
peer MUST send an TEAP response to an alert message. The
EAP-Response packet sent by the peer may encapsulate a TLS
ClientHello handshake message, in which case the TEAP server MAY
allow the TEAP conversation to be restarted, or it MAY contain
an TEAP response with a zero-length message, in which case the
server MUST terminate the conversation with an EAP-Failure packet.
It is up to the TEAP server whether to allow restarts, and if
so, how many times the conversation can be restarted. An TEAP
server implementing restart capability SHOULD impose a limit on the
number of restarts, so as to protect against denial-of-service
attacks.</t>
<t>If the TEAP peer detects an error at any point in the TLS
layer, the TEAP peer should send an TEAP response
encapsulating a TLS record containing the appropriate TLS alert
message. The server may restart the conversation by sending an
TEAP request packet encapsulating the TLS HelloRequest handshake
message. The peer may allow the TEAP conversation to be
restarted or it may terminate the conversation by sending an
TEAP response with an zero-length message.</t>
</section>
<section anchor="phase2err" title="Phase 2 Errors">
<t>Any time the peer or the server finds a fatal error outside of
the TLS layer during Phase 2 TLV processing, it MUST send a Result
TLV of failure and an Error TLV with the appropriate error code. For
errors involving the processing of the sequence of exchanges, such as a
violation of TLV rules (e.g., multiple EAP-Payload TLVs), the error
code is Unexpected_TLVs_Exchanged. For errors involving a tunnel
compromise, the error-code is Tunnel_Compromise_Error. Upon sending a
Result TLV with a fatal Error TLV the sender terminates the TLS
tunnel. Note that a server will still wait for a message from the
peer after it sends a failure, however the server does not need to
process the contents of the response message.</t>
<t>If a server receives a Result TLV of failure with a fatal Error
TLV, it SHOULD send a clear text EAP-Failure. If a peer receives a
Result TLV of failure, it MUST respond with a Result TLV indicating
failure. If the server has sent a Result TLV of failure, it ignores
the peer response, and it SHOULD send a clear text EAP-Failure.</t>
</section>
</section>
<section anchor="frag" title="Fragmentation">
<t>A single TLS record may be up to 16384 octets in length, but a TLS
message may span multiple TLS records, and a TLS certificate message
may in principle be as long as 16 MB. This is larger than the maximum
size for a message on most media types, therefore it is desirable to
support fragmentation. Note that in order to protect against
reassembly lockup and denial-of-service attacks, it may be desirable
for an implementation to set a maximum size for one such group of TLS
messages. Since a typical certificate chain is rarely longer than a
few thousand octets, and no other field is likely to be anywhere near
as long, a reasonable choice of maximum acceptable message length
might be 64 KB. This is still a fairly large message packet size so an
TEAP implementation MUST provide its own support for fragmentation
and reassembly.</t>
<t>Since EAP is a lock-step protocol, fragmentation support can be
added in a simple manner. In EAP, fragments that are lost or damaged
in transit will be retransmitted, and since sequencing information is
provided by the Identifier field in EAP, there is no need for a
fragment offset field.</t>
<t>TEAP fragmentation support is provided through the addition of flag
bits within the EAP-Response and EAP-Request packets, as well as a TLS
Message Length field of four octets. Flags include the Length included
(L), More fragments (M), and TEAP Start (S) bits. The L flag is
set to indicate the presence of the four-octet TLS Message Length
field, and MUST be set for the first fragment of a fragmented TLS
message or set of messages. The M flag is set on all but the last
fragment. The S flag is set only within the TEAP start message
sent from the EAP server to the peer. The TLS Message Length field is
four octets, and provides the total length of the TLS message or set
of messages that is being fragmented; this simplifies buffer
allocation.</t>
<t>When an TEAP peer receives an EAP-Request packet with the M bit
set, it MUST respond with an EAP-Response with EAP-Type of TEAP
and no data. This serves as a fragment ACK. The EAP server must wait
until it receives the EAP-Response before sending another fragment. In
order to prevent errors in processing of fragments, the EAP server
MUST increment the Identifier field for each fragment contained within
an EAP-Request, and the peer must include this Identifier value in the
fragment ACK contained within the EAP-Response. Retransmitted
fragments will contain the same Identifier value.</t>
<t>Similarly, when the TEAP server receives an EAP-Response with
the M bit set, it must respond with an EAP-Request with EAP-Type of
TEAP and no data. This serves as a fragment ACK. The EAP peer MUST
wait until it receives the EAP-Request before sending another
fragment. In order to prevent errors in the processing of fragments,
the EAP server MUST increment the Identifier value for each fragment
ACK contained within an EAP-Request, and the peer MUST include this
Identifier value in the subsequent fragment contained within an
EAP-Response.</t>
</section>
<section anchor="pacprovision" title="PAC Provisioning Within Tunnel">
<t>To request provisioning of a PAC, a peer sends a PAC TLV as defined in <xref target="pactlv"></xref> containing a
PAC Attribute as defined in <xref target="pacat"></xref> of PAC Type set to the appropriate value. The request
MAY be issued after the peer has determined that it has successfully
authenticated the EAP server and validated the Crypto-Binding TLV as defined in <xref target="cbtlv"></xref> to
ensure that the TLS tunnel's integrity is intact. The peer MUST send separate
PAC TLVs for each type of PAC it wants to be provisioned. Multiple PAC
TLVs can be sent in the same packet or different packets. The EAP
server will send the PACs after its internal policy has been
satisfied, or it MAY ignore the request or request additional
authentications if its policy dictates. If a peer receives a PAC
with an unknown type, it MUST ignore it.</t>
<t>A PAC-TLV containing PAC-Acknowledge attribute MUST be sent by the
peer to acknowledge the receipt of the Tunnel PAC. A PAC-TLV conatining PAC-Acknowledge
attribute MUST NOT be used by the peer to acknowledge the receipt of other
types of PACs.</t>
</section>
</section>
<section anchor="messageformats" title="Message Formats">
<t>The following sections describe the message formats used in TEAP.
The fields are transmitted from left to right in network byte order.</t>
<section title="TEAP Message Format">
<t>A summary of the TEAP Request/Response packet format is shown
below.</t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Flags | Ver | Message Length :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: Message Length | TLS Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Outer TLVs...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ]]></artwork>
</figure>
<t><list hangIndent="1" style="hanging">
<t><list hangIndent="3" style="hanging">
<t hangText="Code"><vspace blankLines="1" />The code field is
one octet in length defined as follows:<vspace
blankLines="1" /><list hangIndent="0">
<t hangText="1">Request</t>
<t hangText="2">Response<vspace blankLines="1" /></t>
</list></t>
<t hangText="Identifier"><vspace blankLines="1" /> The
Identifier field is one octet and aids in matching responses
with requests. The Identifier field MUST be changed on each
Request packet. The Identifier field in the Response packet
MUST match the Identifier field from the corresponding
request.<vspace blankLines="1" /></t>
<t hangText="Length"><vspace blankLines="1" />The Length field
is two octets and indicates the length of the EAP packet
including the Code, Identifier, Length, Type, Flags, Ver,
Message Length, TLS Data, and Outer TLVs fields. Octets outside the range of
the Length field should be treated as Data Link Layer padding
and should be ignored on reception. <vspace
blankLines="1" /></t>
<t hangText="Type"><vspace blankLines="1" />TBD for TEAP
<vspace blankLines="1" /></t>
<t hangText="Flags"><figure>
<artwork><![CDATA[
0 1 2 3 4
+-+-+-+-+-+
|L M S R R|
+-+-+-+-+-+
]]></artwork>
</figure> <list hangIndent="0">
<t hangText="L">Length included; set to indicate the presence of the four octet Message
Length field</t>
<t hangText="M">More fragments; set on all but the last fragment</t>
<t hangText="S">TEAP start; set in an TEAP Start message</t>
<t hangText="R">Reserved (must be zero)</t>
</list> <vspace blankLines="1" /></t>
<t hangText="Ver"><vspace blankLines="1" /> This field
contains the version of the protocol. This document describes
version 1 (001 in binary) of TEAP. <vspace
blankLines="1" /></t>
<t hangText="Message Length"><vspace blankLines="1" /> The
Message Length field is four octets, and is present only if
the L bit is set. This field provides the total length of the
message that may be fragmented over the data fields of
multiple packets. <vspace blankLines="1" /></t>
<t hangText="TLS Data"><vspace blankLines="1" /> When the Data field is
present, it consists of an encapsulated TLS packet in TLS
record format. A TEAP packet with Flags and Version
fields, but with zero length TLS data field, is used to indicate
TEAP acknowledgement for either a fragmented message, a
TLS Alert message or a TLS Finished message.</t>
<t hangText="Outer TLVs"><vspace blankLines="1" /> The Outer-TLVs consist of the optional data used to help
establishing the TLS tunnel in TLV format. They are only allowed in the first two messages in the TEAP protocol. That is the first EAP server to peer message and
first peer to EAP server message. The start of the Outer-TLV can be derived from the EAP Length field and Message Length field.</t>
</list></t>
</list></t>
</section>
<section anchor="tlvformat" title="TEAP TLV Format and Support">
<t>The TLVs defined here are standard Type-Length-Value (TLV) objects.
The TLV objects could be used to carry arbitrary parameters between
EAP peer and EAP server within the protected TLS tunnel.</t>
<t>The EAP peer may not necessarily implement all the TLVs supported
by the EAP server. To allow for interoperability, TLVs are designed to
allow an EAP server to discover if a TLV is supported by the EAP peer,
using the NAK TLV. The mandatory bit in a TLV indicates whether
support of the TLV is required. If the peer or server does not support
a TLV marked mandatory, then it MUST send a NAK TLV in the response,
and all the other TLVs in the message MUST be ignored. If an EAP peer
or server finds an unsupported TLV that is marked as optional, it can
ignore the unsupported TLV. It MUST NOT send an NAK TLV for a TLV that
is not marked mandatory. If all TLVs in a message are marked optional and none are understood by the peer, then an EMPTY TEAP Phase 2 message must still be sent to the other side in order to continue the conversation. </t>
<t>Note that a peer or server may support a TLV with the mandatory bit
set, but may not understand the contents. The appropriate response to
a supported TLV with content that is not understood is defined by the
individual TLV specification.</t>
<t>EAP implementations compliant with this specification MUST support
TLV exchanges, as well as the processing of mandatory/optional settings on
the TLV. Implementations conforming to this specification MUST support
the following TLVs:<vspace blankLines="1" /><list hangIndent="3"
style="hanging">
<t hangText="">Result TLV</t>
<t hangText="">NAK TLV</t>
<t hangText="">Error TLV</t>
<t hangText="">EAP-Payload TLV</t>
<t hangText="">Intermediate-Result TLV</t>
<t hangText="">Crypto-Binding TLV</t>
<t hangText="">Authority-ID TLV</t>
<t hangText="">Request-Action TLV</t>
</list></t>
<section anchor="basicformat" title="General TLV Format">
<t>TLVs are defined as described below. The fields are transmitted
from left to right.</t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure>
<t><list hangIndent="0" style="hanging">
<t><list hangIndent="3" style="hanging">
<t hangText="M"><vspace blankLines="1" /><list>
<t hangText="0">Optional TLV</t>
<t hangText="1">Mandatory TLV<vspace
blankLines="1" /></t>
</list></t>
<t hangText="R"><vspace blankLines="1" />Reserved, set to
zero (0)<vspace blankLines="1" /></t>
<t hangText="TLV Type"><vspace blankLines="1" />A 14-bit
field, denoting the TLV type. Allocated Types include:
<vspace blankLines="1" /><list>
<t hangText="0">Unassigned</t>
<t hangText="1">Authority-ID TLV (<xref target="aidtlv"></xref>)</t>
<t hangText="2">Identity-Type TLV (<xref target="identitytype"></xref>)</t>
<t hangText="3">Result TLV (<xref target="resulttlv"></xref>)</t>
<t hangText="4">NAK TLV (<xref target="naktlv"></xref>)</t>
<t hangText="5">Error TLV (<xref target="errtlv"></xref>)</t>
<t hangText="6">Channel-Binding TLV (<xref target="channelbinding"></xref>)</t>
<t hangText="7">Vendor-Specific TLV (<xref target="vendortlv"></xref>)</t>
<t hangText="8">Unassigned</t>
<t hangText="9">EAP-Payload TLV (<xref target="eappayloadtlv"></xref>)</t>
<t hangText="10">Intermediate-Result TLV (<xref target="intrestlv"></xref>)</t>
<t hangText="11">PAC TLV (<xref target="pactlv"></xref>)</t>
<t hangText="12">Crypto-Binding TLV (<xref target="cbtlv"></xref>)</t>
<t hangText="13">Basic-Password-Auth-Req TLV (<xref target="passreq"></xref>)</t>
<t hangText="14">Basic-Password-Auth-Resp TLV (<xref target="passresp"></xref>)</t>
<t hangText="15">PKCS#10 TLV (<xref target="pkcs10tlv" />)</t>
<t hangText="16">Unassigned</t>
<t hangText="17">Unassigned</t>
<t hangText="18">Server-Trusted-Root TLV (<xref target="trustroottlv"></xref>)</t>
<t hangText="19">Request-Action TLV (<xref target="ratlv"></xref>)</t>
<t hangText="20">PKCS#7 TLV (<xref target="pkcstlv"></xref>)</t>
</list><vspace blankLines="1" /></t>
<t hangText="Length"><vspace blankLines="1" />The length of
the Value field in octets.<vspace blankLines="1" /></t>
<t hangText="Value"><vspace blankLines="1" /> The value of
the TLV.</t>
</list></t>
</list></t>
</section>
<section anchor="resulttlv" title="Result TLV">
<t>The Result TLV provides support for acknowledged success and
failure messages for protected termination within TEAP. If the
Status field does not contain one of the known values, then the peer
or EAP server MUST treat this as a fatal error of
Unexpected_TLVs_Exchanged. The behavior of the Result TLV is further
discussed in <xref target="proterm"></xref> and <xref
target="phase2err"></xref>. A Result TLV indicating failure MUST
NOT be accompanied by the following TLVs: NAK, EAP-Payload TLV, or
Crypto-Binding TLV. The Result TLV is defined as follows:</t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Status |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure>
<t><list hangIndent="0" style="hanging">
<t><list hangIndent="3" style="hanging">
<t hangText="M"><vspace blankLines="1" />Mandatory, set to
one (1)<vspace blankLines="1" /></t>
<t hangText="R"><vspace blankLines="1" />Reserved, set to
zero (0)<vspace blankLines="1" /></t>
<t hangText="TLV Type"><vspace blankLines="1" />3 for Result
TLV<vspace blankLines="1" /></t>
<t hangText="Length"><vspace blankLines="1" />2<vspace
blankLines="1" /></t>
<t hangText="Status"><vspace blankLines="1" />The Status
field is two octets. Values include: <vspace
blankLines="1" /><list style="hanging">
<t hangText="1">Success</t>
<t hangText="2">Failure<vspace blankLines="1" /></t>
</list></t>
</list></t>
</list></t>
</section>
<section anchor="naktlv" title="NAK TLV">
<t>The NAK TLV allows a peer to detect TLVs that are not supported
by the other peer. An TEAP packet can contain 0 or more NAK
TLVs. A NAK TLV should not be accompanied by other TLVs. A NAK TLV
MUST NOT be sent in response to a message containing a Result TLV,
instead a Result TLV of failure should be sent indicating failure
and an Error TLV of Unexpected_TLVs_Exchanged. The NAK TLV is
defined as follows:</t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor-Id |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NAK-Type | TLVs...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure>
<t><list hangIndent="0" style="hanging">
<t><list hangIndent="3" style="hanging">
<t hangText="M"><vspace blankLines="1" />Mandatory, set to
one (1)<vspace blankLines="1" /></t>
<t hangText="R"><vspace blankLines="1" /><vspace
blankLines="1" />Reserved, set to zero (0)<vspace
blankLines="1" /></t>
<t hangText="TLV Type"><vspace blankLines="1" />4 for NAK
TLV<vspace blankLines="1" /></t>
<t hangText="Length"><vspace blankLines="1" />>=6<vspace
blankLines="1" /></t>
<t hangText="Vendor-Id"><vspace blankLines="1" />The
Vendor-Id field is four octets, and contains the Vendor-Id
of the TLV that was not supported. The high-order octet is 0
and the low-order three octets are the Structure of Management Information (SMI) Network Management
Private Enterprise Code of the Vendor in network byte order.
The Vendor-Id field MUST be zero for TLVs that are not
Vendor-Specific TLVs. <vspace blankLines="1" /></t>
<t hangText="NAK-Type"><vspace blankLines="1" />The NAK-Type
field is two octets. The field contains the Type of the TLV
that was not supported. A TLV of this Type MUST have been
included in the previous packet.<vspace
blankLines="1" /></t>
<t hangText="TLVs"><vspace blankLines="1" /> This field
contains a list of zero or more TLVs, each of which MUST NOT have the
mandatory bit set. These optional TLVs are for future
extensibility to communicate why the offending TLV was
determined to be unsupported.<vspace blankLines="1" /></t>
</list></t>
</list></t>
</section>
<section anchor="errtlv" title="Error TLV">
<t>The Error TLV allows an EAP peer or server to indicate errors to
the other party. An TEAP packet can contain 0 or more Error
TLVs. The Error-Code field describes the type of error. Error Codes
1-999 represent successful outcomes (informative messages),
1000-1999 represent warnings, and codes 2000-2999 represent fatal
errors. A fatal Error TLV MUST be accompanied by a Result TLV
indicating failure and the conversation must be terminated as
described in <xref target="phase2err"></xref>. The Error TLV is
defined as follows:</t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Error-Code |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure>
<t><list hangIndent="0" style="hanging">
<t><list hangIndent="3" style="hanging">
<t hangText="M"><vspace blankLines="1" />Mandatory, set to
one (1)<vspace blankLines="1" /></t>
<t hangText="R"><vspace blankLines="1" />Reserved, set to
zero (0)<vspace blankLines="1" /></t>
<t hangText="TLV Type"><vspace blankLines="1" />5 for Error
TLV <vspace blankLines="1" /></t>
<t hangText="Length"><vspace blankLines="1" />4 <vspace
blankLines="1" /></t>
<t hangText="Error-Code"><vspace blankLines="1" /> The
Error-Code field is four octets. Currently defined values
for Error-Code include:<vspace blankLines="1" /> <list
style="hanging">
<t>2001 Tunnel_Compromise_Error</t>
<t>2002 Unexpected_TLVs_Exchanged</t>
</list></t>
</list></t>
</list></t>
</section>
<section anchor="vendortlv" title="Vendor-Specific TLV">
<t>The Vendor-Specific TLV is available to allow vendors to support
their own extended attributes not suitable for general usage. A
Vendor-Specific TLV attribute can contain one or more TLVs, referred
to as Vendor TLVs. The TLV-type of a Vendor-TLV is defined by the
vendor. All the Vendor TLVs inside a single Vendor-Specific TLV
belong to the same vendor. There can be multiple Vendor-Specific TLVs
from different vendors in the same message.</t>
<t>Vendor TLVs may be optional or mandatory. Vendor TLVs sent with
Result TLVs MUST be marked as optional.</t>
<t>The Vendor-Specific TLV is defined as follows:</t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor-Id |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor TLVs....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork>
</figure>
<t><list hangIndent="0" style="hanging">
<t><list hangIndent="3" style="hanging">
<t hangText="M"><vspace blankLines="1" />0 or 1<vspace
blankLines="1" /></t>
<t hangText="R"><vspace blankLines="1" />Reserved, set to
zero (0)<vspace blankLines="1" /></t>
<t hangText="TLV Type"><vspace blankLines="1" />7 for Vendor
Specific TLV<vspace blankLines="1" /></t>
<t hangText="Length"><vspace blankLines="1" />4 + cumulative length of all included Vendor TLVs<vspace
blankLines="1" /></t>
<t hangText="Vendor-Id"><vspace blankLines="1" />The
Vendor-Id field is four octets, and contains the Vendor-Id
of the TLV. The high-order octet is 0 and the low-order 3
octets are the SMI Network Management Private Enterprise
Code of the Vendor in network byte order. <vspace
blankLines="1" /></t>
<t hangText="Vendor TLVs"><vspace blankLines="1" />This
field is of indefinite length. It contains vendor-specific
TLVs, in a format defined by the vendor.</t>
</list></t>
</list></t>
</section>
<section anchor="eappayloadtlv" title="EAP-Payload TLV">
<t>To allow piggybacking an EAP request or response with other TLVs,
the EAP-Payload TLV is defined, which includes an encapsulated EAP
packet and a list of optional TLVs. The optional TLVs are provided
for future extensibility to provide hints about the current EAP
authentication. Only one EAP-Payload TLV is allowed in a message.
The EAP-Payload TLV is defined as follows:</t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP packet...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLVs...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork>
</figure>
<t><list hangIndent="0" style="hanging">
<t><list hangIndent="3" style="hanging">
<t hangText="M"><vspace blankLines="1" />Mandatory, set to
(1)<vspace blankLines="1" /></t>
<t hangText="R"><vspace blankLines="1" />Reserved, set to
zero (0)<vspace blankLines="1" /></t>
<t hangText="TLV Type"><vspace blankLines="1" />9 for
EAP-Payload TLV<vspace blankLines="1" /></t>
<t hangText="Length"><vspace blankLines="1" />length of embedded EAP packet + cumulative length of additional TLVs<vspace
blankLines="1" /></t>
<t hangText="EAP packet"><vspace blankLines="1" /> This
field contains a complete EAP packet, including the EAP
header (Code, Identifier, Length, Type) fields. The length
of this field is determined by the Length field of the
encapsulated EAP packet.<vspace blankLines="1" /></t>
<t hangText=" TLVs"><vspace blankLines="1" /> This
(optional) field contains a list of TLVs associated with the
EAP packet field. The TLVs MUST NOT have the mandatory bit
set. The total length of this field is equal to the Length
field of the EAP-Payload TLV, minus the Length field in the
EAP header of the EAP packet field.</t>
</list></t>
</list></t>
</section>
<section anchor="intrestlv" title="Intermediate-Result TLV">
<t>The Intermediate-Result TLV provides support for acknowledged
intermediate Success and Failure messages between multiple inner EAP
methods within EAP. An Intermediate-Result TLV indicating success
MUST be accompanied by a Crypto-Binding TLV. The optional TLVs
associated with this TLV are provided for future extensibility to
provide hints about the current result. The Intermediate-Result TLV
is defined as follows:</t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Status | TLVs...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork>
</figure>
<t><list hangIndent="0" style="hanging">
<t><list hangIndent="3" style="hanging">
<t hangText="M"><vspace blankLines="1" />Mandatory, set to
(1)<vspace blankLines="1" /></t>
<t hangText="R"><vspace blankLines="1" />Reserved, set to
zero (0)<vspace blankLines="1" /></t>
<t hangText="TLV Type"><vspace blankLines="1" />10 for
Intermediate-Result TLV<vspace blankLines="1" /></t>
<t hangText="Length"><vspace blankLines="1" />2 + cumulative length of the embedded associated TLVs<vspace
blankLines="1" /></t>
<t hangText="Status"><vspace blankLines="1" />The Status
field is two octets. Values include: <vspace
blankLines="1" /> <list style="hanging">
<t hangText="1">Success</t>
<t hangText="2">Failure<vspace blankLines="1" /></t>
</list></t>
<t hangText="TLVs"><vspace blankLines="1" />This
field is of indeterminate length, and contains zero or more of the TLVs
associated with the Intermediate Result TLV. The TLVs in
this field MUST NOT have the mandatory bit set.</t>
</list></t>
</list></t>
</section>
<section title="PAC TLV Format" anchor="pactlv">
<t>The PAC TLV provides support for provisioning the Protected Access Credential (PAC)
defined within <xref target="RFC4851"></xref>. The PAC TLV carries the PAC and related information within PAC attribute fields. Additionally, the PAC TLV MAY be used by the peer to
request provisioning of a PAC of the type specified in the PAC Type PAC attribute. The PAC TLV MUST only be used in a protected tunnel providing encryption and integrity protection. A general PAC TLV
format is defined as follows: </t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PAC Attributes...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ]]></artwork>
</figure>
<t><list hangIndent="5">
<t><list style="hanging" hangIndent="5">
<t hangText="M">
<vspace blankLines="1"></vspace>0 - Non-mandatory TLV
<vspace></vspace>1 - Mandatory TLV</t>
<t hangText="R">
<vspace blankLines="1"></vspace>Reserved, set to zero (0)</t>
<t hangText="TLV Type"><vspace blankLines="1"></vspace>11 - PAC TLV</t>
<t hangText="Length"><vspace blankLines="1"></vspace>Two octets containing the length of the PAC attributes field in octets.</t>
<t hangText="PAC Attributes"><vspace blankLines="1"></vspace>A list of PAC attributes in the TLV format.</t>
</list></t>
</list></t>
<t></t>
<section title="Formats for PAC Attributes" anchor="pacat">
<t> Each PAC attribute in a PAC TLV is formatted as a TLV defined as follows: </t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ]]></artwork>
</figure>
<t hangText="Type">
<vspace blankLines="1"></vspace>The Type field is two octets, denoting the attribute type.
Allocated Types include:</t>
<t><figure>
<artwork>
1 - PAC-Key
2 - PAC-Opaque
3 - PAC-Lifetime
4 - A-ID
5 - I-ID
6 - Reserved
7 - A-ID-Info
8 - PAC-Acknowledgement
9 - PAC-Info
10 - PAC-Type
</artwork></figure>
</t>
<t hangText="Length"><vspace blankLines="1"></vspace>Two octets containing the length of the Value field in octets. </t>
<t hangText="Value"><vspace blankLines="1"></vspace>The value of the PAC attribute.</t>
</section>
<section title="PAC-Key">
<t>The PAC-Key is a secret key distributed in a PAC attribute of type
PAC-Key. The PAC-Key attribute is included within the PAC TLV whenever
the server wishes to issue or renew a PAC that is bound to a key such
as a Tunnel PAC. The key is a randomly generated octet string, which is 48
octets in length.
The generator of this key is the issuer of the credential, which is identified by the Authority Identifier (A-ID). </t>
<figure>
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Key ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ </artwork>
</figure>
<t><list>
<t><list style="hanging">
<t hangText="Type"><vspace blankLines="1"></vspace>1 - PAC-Key</t>
<t hangText="Length"><vspace blankLines="1"></vspace>2-octet length indicating the length of the key</t>
<t hangText="Key"><vspace blankLines="1"></vspace>The value of the PAC-Key.</t>
</list>
</t>
</list></t>
</section>
<section title="PAC-Opaque">
<t>The PAC-Opaque attribute is included within the PAC TLV whenever the server wishes to issue or renew a PAC.
</t>
<t> The PAC-Opaque is opaque to the peer and thus the peer MUST NOT
attempt to interpret it. A peer that has been issued a PAC-Opaque by
a server stores that data and presents it back to the server according to its PAC Type. The Tunnel PAC is used in the ClientHello SessionTicket extension field defined in <xref target="RFC5077"></xref>. If a
peer has opaque data issued to it by multiple servers, then it
stores the data issued by each server separately according to the A-ID.
This requirement allows the peer to maintain and use each opaque
datum as an independent PAC pairing, with a PAC-Key mapping to a PAC-Opaque identified by the A-ID. As there is a one-to-one
correspondence between the PAC-Key and PAC-Opaque, the peer
determines the PAC-Key and corresponding PAC-Opaque based on the A-ID
provided in the TEAP/Start message and the A-ID provided in the
PAC-Info when it was provisioned with a PAC-Opaque. </t>
<t>The PAC-Opaque attribute format is summarized as follows:</t>
<figure>
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ </artwork>
</figure>
<t><list>
<t><list style="hanging">
<t hangText="Type"><vspace blankLines="1"></vspace>2 - PAC-Opaque </t>
<t hangText="Length"><vspace blankLines="1"></vspace>The Length filed is two octets, which contains the length of
the Value field in octets.</t>
<t hangText="Value"><vspace blankLines="1"></vspace>The Value field contains the actual data for the PAC-Opaque. It is specific to the server implementation.</t>
</list></t>
</list></t>
</section>
<section title="PAC-Info">
<t> The PAC-Info is comprised of a set of PAC attributes as defined in
<xref target="pacat"></xref>. The PAC-Info attribute MUST contain the
A-ID, A-ID-Info, and PAC-Type attributes. Other attributes MAY be included
in the PAC-Info to provide more information to the peer. The
PAC-Info attribute MUST NOT contain the PAC-Key, PAC-Acknowledgement,
PAC-Info, or PAC-Opaque attributes. The PAC-Info attribute is
included within the PAC TLV whenever the server
wishes to issue or renew a PAC.</t>
<figure>
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ </artwork>
</figure>
<t><list>
<t><list style="hanging">
<t hangText="Type"><vspace blankLines="1" />9 - PAC-Info</t>
<t hangText="Length"><vspace blankLines="1" />2-octet Length field containing the length of
the attributes field in octets. </t>
<t hangText="Attributes"><vspace blankLines="1" />The attributes field contains a list of PAC attributes.
Each mandatory and optional field type is defined as follows:
<list style="hanging">
<t hangText="3 - PAC-LIFETIME"><vspace blankLines="1" />
This is a 4-octet quantity representing the expiration time
of the credential expressed as the number of seconds, excluding leap seconds, after midnight UTC, January 1, 1970. This attribute MAY be
provided to the peer as part of the PAC-Info.
</t>
<t hangText="4 - A-ID"><vspace blankLines="1" />The A-ID is the identity of the authority that
issued the PAC. The A-ID is intended to be unique across
all issuing servers to avoid namespace collisions. The A-ID is
used by the peer to determine which PAC to employ. The A-ID is treated as an opaque octet string. This attribute MUST be included in the PAC-Info attribute. The A-ID MUST match the Authority-ID the server used to establish the tunnel. One method for generating the A-ID is to use a high-quality random number generator to generate a random number. An alternate method would be to take the hash of the public key or public key certificate belonging a server represented by the A-ID. </t>
<t hangText="5 - I-ID"><vspace blankLines="1" />Initiator identifier (I-ID) is the peer identity associated
with the credential. This identity is derived from the inner EAP exchange or from the client-side authentication during tunnel establishment if inner EAP method authentication is not used. The server employs the I-ID in the TEAP phase 2 conversation to validate that the same peer
identity used to execute TEAP phase 1 is also used in at minimum one inner EAP method in TEAP phase 2. If the server is enforcing the I-ID
validation on the inner EAP method, then the I-ID MUST be included in
the PAC-Info, to enable the peer to also enforce a unique PAC
for each unique user. If the I-ID is missing from the PAC-Info,
it is assumed that the Tunnel PAC can be used for multiple
users and the peer will not enforce the unique-Tunnel-PAC-per-user policy.</t>
<t hangText="7 - A-ID-Info"><vspace blankLines="1" />Authority Identifier Information is intended
to provide a user-friendly name for the A-ID. It may contain
the enterprise name and server name in a human-readable
format. This TLV serves as an aid to the peer to better
inform the end-user about the A-ID. The name is encoded in UTF-8 <xref target="RFC3629"></xref> format. This attribute MUST be included in the PAC-Info.
</t>
<t hangText="10 - PAC-type"><vspace blankLines="1" />The PAC-Type is intended to provide the type of
PAC. This attribute SHOULD be included in the PAC-Info. If the PAC-Type is not present, then it
defaults to a Tunnel PAC (Type 1). </t>
</list>
</t>
</list></t>
</list></t>
</section>
<section title="PAC-Acknowledgement TLV">
<t>The PAC-Acknowledgement is used to acknowledge the receipt of the
Tunnel PAC by the peer. The peer includes the PAC-Acknowledgement TLV in a PAC-TLV sent to the server to indicate the result of the processing and storing of a newly provisioned
Tunnel PAC. This TLV is only used when Tunnel PAC is provisioned.</t>
<figure>
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Result |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ </artwork>
</figure>
<t><list>
<t><list style="hanging">
<t hangText="Type"><vspace blankLines="1" />8 - PAC-Acknowledgement</t>
<t hangText="Length"><vspace blankLines="1" />The length of this field is two octets containing a value of 2.</t>
<t hangText="Result"><vspace blankLines="1" />The resulting
value MUST be one of the following: </t>
<t><figure><artwork>
1 - Success
2 - Failure
</artwork></figure>
</t>
</list></t>
</list></t>
</section>
<section title="PAC-Type TLV">
<t>The PAC-Type TLV is a TLV intended to specify the PAC type. It is included in a PAC-TLV sent by the peer to request PAC provisioning from the server. Its
format is described below: </t>
<figure>
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PAC Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ </artwork>
</figure>
<t><list>
<t><list style="hanging">
<t hangText="Type"><vspace blankLines="1"></vspace>10 - PAC-Type </t>
<t hangText="Length"><vspace blankLines="1"></vspace>2-octet Length field with a value of 2</t>
<t hangText="PAC Type"><vspace blankLines="1"></vspace>This
2-octet field defines the type of PAC being requested or
provisioned. The following values are defined:</t>
<t>
<figure>
<artwork>
1 - Tunnel PAC
</artwork>
</figure>
</t>
</list></t>
</list></t>
</section>
</section>
<section anchor="cbtlv" title="Crypto-Binding TLV">
<t>The Crypto-Binding TLV is used to prove that both the peer and
server participated in the tunnel establishment and sequence of
authentications. It also provides verification of the TEAP
version negotiated before TLS tunnel establishment, see <xref
target="versionnegotiation"></xref>.</t>
<t>The Crypto-Binding TLV MUST be included with the Intermediate-Result
TLV to perform Cryptographic Binding after each successful EAP
method in a sequence of EAP methods. The Crypto-Binding TLV can be
issued at other times as well. </t>
<t>The Crypto-Binding TLV is valid only if the following checks
pass:</t>
<t><list style="symbols">
<t>The Crypto-Binding TLV version is supported</t>
<t>The MAC verifies correctly</t>
<t>The received version in the Crypto-Binding TLV matches the
version sent by the receiver during the EAP version
negotiation</t>
<t>The subtype is set to the correct value</t>
</list></t>
<t>If any of the above checks fails, then the TLV is invalid. An
invalid Crypto-Binding TLV is a fatal error and is handled as
described in <xref target="phase2err"> </xref></t>
<t>The Crypto-Binding TLV is defined as follows:</t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved | Version | Received Ver.| Sub-Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Nonce ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Compound MAC ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure>
<t><list hangIndent="0" style="hanging">
<t><list hangIndent="3" style="hanging">
<t hangText="M"><vspace blankLines="1" />Mandatory, set to
(1)<vspace blankLines="1" /></t>
<t hangText="R"><vspace blankLines="1" />Reserved, set to
zero (0)<vspace blankLines="1" /></t>
<t hangText="TLV Type"><vspace blankLines="1" />12 for
Crypto-Binding TLV<vspace blankLines="1" /></t>
<t hangText="Length"><vspace blankLines="1" />56<vspace
blankLines="1" /></t>
<t hangText="Reserved"><vspace blankLines="1" />Reserved,
set to zero (0)<vspace blankLines="1" /></t>
<t hangText="Version"><vspace blankLines="1" />The Version
field is a single octet, which is set to the version of
Crypto-Binding TLV the EAP method is using. For an
implementation compliant with this version of TEAP, the
version number MUST be set to 1.<vspace blankLines="1" /></t>
<t hangText="Received Version"><vspace blankLines="1" />The
Received Version field is a single octet and MUST be set to
the EAP version number received during version negotiation.
Note that this field only provides protection against
downgrade attacks, where a version of EAP requiring support
for this TLV is required on both sides.<vspace
blankLines="1" /></t>
<t hangText="Sub-Type"><vspace blankLines="1" />The Sub-Type
field is one octet. Defined values include <vspace
blankLines="1" /><list style="hanging">
<t hangText="0">Binding Request</t>
<t hangText="1">Binding Response<vspace
blankLines="1" /></t>
</list></t>
<t hangText="Nonce"><vspace blankLines="1" /> The Nonce
field is 32 octets. It contains a 256-bit nonce that is
temporally unique, used for compound MAC key derivation at
each end. The nonce in a request MUST have its least
significant bit set to 0 and the nonce in a response MUST
have the same value as the request nonce except the least
significant bit MUST be set to 1. <vspace
blankLines="1" /></t>
<t hangText="Compound MAC"><vspace blankLines="1" /> The
Compound MAC field is 20 octets. This can be the Server MAC
(B1_MAC) or the Client MAC (B2_MAC). The computation of the
MAC is described in <xref target="compmac"></xref>.</t>
</list></t>
</list></t>
</section>
<section anchor="aidtlv" title="Authority-ID TLV">
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ID...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure>
<t><list hangIndent="0" style="hanging">
<t><list hangIndent="3" style="hanging">
<t hangText="M"><vspace blankLines="1" />Mandatory, set to (0)<vspace blankLines="1" /></t>
<t hangText="R"><vspace blankLines="1" />Reserved, set to
zero (0)<vspace blankLines="1" /></t> <t hangText="Type"><vspace blankLines="1" /> The Type field
is two octets. It is set to 16 for Authority ID<vspace
blankLines="1" /></t>
<t hangText="Length"><vspace blankLines="1" />The Length
filed is two octets, which contains the length of the ID
field in octets.<vspace blankLines="1" /></t>
<t hangText="ID"><vspace blankLines="1" />Hint of the
identity of the server, to help the peer to match the credetials avaiable for the server. It should be unique across the
deployment.</t>
</list></t>
</list></t>
</section>
<section anchor="ratlv" title="Request-Action TLV">
<t>The Request-Action TLV MAY be sent by the peer along with a
Result TLV in response to a server's successful Result TLV. It
allows the peer to request the EAP server to negotiate additional
EAP methods or process TLVs specified in the response packet. The
server MAY ignore this TLV.</t>
<t>The Request-Action TLV is defined as follows:</t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Action |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork>
</figure>
<t><list hangIndent="0" style="hanging">
<t><list hangIndent="1" style="hanging">
<t hangText="M"><vspace blankLines="1" />Mandatory set to
one (1)<vspace blankLines="1" /></t>
<t hangText="R"><vspace blankLines="1" />Reserved, set to
zero (0)<vspace blankLines="1" /></t>
<t hangText="TLV Type"><vspace blankLines="1" />19 for
Request-Action TLV<vspace blankLines="1" /></t>
<t hangText="Length"><vspace blankLines="1" />2<vspace
blankLines="1" /></t>
<t hangText="Action"><vspace blankLines="1" /> The Action
field is two octets. Values include: <vspace
blankLines="1" /><list style="hanging">
<t hangText="1">Process-TLV</t>
<t hangText="2">Negotiate-EAP<vspace
blankLines="1" /></t>
</list></t>
</list></t>
</list></t>
</section>
<section anchor="trustroottlv" title="Trusted-Server-Root TLV">
<t>Trusted-Server-Root TLV facilitates the request and delivery of a trusted server root certificate. The Trusted-Server-Root TLV can be exchanged in regular TEAP authentication mode or provisioning mode. The Trusted-Server-Root TLV is always marked as optional, and cannot be responded to with a Negative Acknowledgement (NAK) TLV. The Trusted-Server-Root TLV MUST only be sent as an inner TLV (inside
the protection of the tunnel).</t>
<t>After the peer has determined that it has successfully authenticated
the EAP server and validated the Crypto-Binding TLV, it MAY send one or more Trusted-Server-Root TLVs
(marked as optional) to request the trusted server root certificates from the EAP server. The EAP server MAY send one or more root certificates with a Public Key Cryptographic System #7 (PKCS#7) TLV inside Server-Trusted-Root TLV. The EAP server MAY also choose not to honor the request. </t>
<t>The Trusted-Server-Root TLV allows the peer to send a request to the
EAP server for a list of trusted roots. The server may respond with one or more root certificates in PKCS#7 <xref target="RFC2315"></xref> format.</t>
<t>If the EAP server sets the credential format to PKCS#7-Server-
Certificate-Root, then the Trusted-Server-Root TLV should contain the
root of the certificate chain of the certificate issued to the EAP
server packaged in a PKCS#7 TLV. If the Server certificate is a self-signed certificate, then the root is the self-signed
certificate. </t>
<t>If the Trusted-Server-Root TLV credential format contains a value unknown to the peer, then the EAP peer should ignore the TLV. </t>
<t>The Trusted-Server-Root TLV is defined as follows: </t>
<figure>
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Credential-Format | Cred TLVs...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-</artwork>
</figure>
<t><list hangIndent="5">
<t><list style="hanging" hangIndent="5">
<t hangText="M">
<vspace blankLines="1"></vspace>0 - Non-mandatory TLV</t>
<t hangText="R">
<vspace blankLines="1"></vspace>Reserved, set to zero (0)</t>
<t hangText="TLV Type"><vspace blankLines="1"></vspace>18 - Trusted-Server-Root TLV [RFC4851]</t>
<t hangText="Length"><vspace blankLines="1"></vspace>>=2 octets</t>
<t hangText="Credential-Format"><vspace blankLines="1"></vspace>The Credential-Format field is two octets. Values include: <list style="hanging">
<t>1 - PKCS#7-Server-Certificate-Root</t>
</list></t>
<t hangText="Cred TLVs"><vspace blankLines="1" />This field is of indefinite length. It contains TLVs
associated with the credential format. The peer may leave this field empty when using this TLV to request server trust roots. </t>
</list></t>
</list></t>
</section>
<section anchor="pkcstlv" title="PKCS#7 TLV">
<t>The PKCS#7 TLV is sent by the EAP server to the peer inside the
Server-Trusted-Root TLV. It contains PKCS#7-wrapped <xref target="RFC2315"></xref>
X.509 certificates. The format consists of a certificate or certificate chain in a Certificates-Only PKCS#7 SignedData message as defined in <xref target="RFC2311"></xref>.</t>
<t>The PKCS#7 TLV is always marked as optional, which cannot be
responded to with a NAK TLV. TEAP server implementations that
claim to support the dynamic provisioning defined in this document SHOULD support this TLV. TEAP peer implementations MAY support this TLV. </t>
<t>If the PKCS#7 TLV contains a certificate or certificate chain that is
not acceptable to the peer, then the peer MUST ignore the TLV. </t>
<t>The PKCS#7 TLV is defined as follows: </t>
<figure>
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PKCS #7 Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- </artwork>
</figure>
<t>
<list>
<t><list style="hanging">
<t hangText="M"><vspace blankLines="1" />0 - Optional TLV</t>
<t hangText="R"><vspace blankLines="1" />Reserved, set to zero (0)</t>
<t hangText="TLV Type"><vspace blankLines="1" />20 - PKCS#7 TLV [RFC4851]</t>
<t hangText="Length"><vspace blankLines="1" />The length of the PKCS #7 Data field. </t>
<t hangText="PKCS #7 Data"><vspace blankLines="1" /> This field contains the X.509 certificate or
certificate chain in a Certificates-Only PKCS#7 SignedData message.</t>
</list></t>
</list></t>
</section>
<section anchor="pkcs10tlv" title="PKCS#10 TLV">
<t>The PKCS#10 TLV is used by the peer to initiate
the "simple PKI" Request/Response from <xref target="RFC5272"></xref>. The format of
the request is as specified in Section 6.4 of <xref target="RFC4945"></xref>.</t>
<t>The PKCS#10 TLV is always marked as optional, which cannot be
responded to with a NAK TLV. </t>
<t>The PKCS#10 TLV is defined as follows: </t>
<figure>
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PKCS #10 Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- </artwork>
</figure>
<t>
<list>
<t><list style="hanging">
<t hangText="M"><vspace blankLines="1" />0 - Optional TLV</t>
<t hangText="R"><vspace blankLines="1" />Reserved, set to zero (0)</t>
<t hangText="TLV Type"><vspace blankLines="1" />[tbd]</t>
<t hangText="Length"><vspace blankLines="1" />The length of the PKCS #7 Data field. </t>
<t hangText="PKCS #10 Data"><vspace blankLines="1" /> This field contains the PKCS#10 certificate request.</t>
</list></t>
</list></t>
</section>
<section anchor="channelbinding" title="Channel-Binding TLV">
<t>The Channel-Binding TLV allows an EAP-peer to send channel binding data to the EAP-server as described in <xref target="I-D.ietf-emu-chbind"></xref>.
TEAPv1 implementations MAY support this TLV, which cannot be responded
to with a NAK TLV.
If the Channel-Binding data field does not contain one of the known values
or if the EAP server does not support this TLV, then the server MUST ignore the value. The Channel-Binding TLV is defined as follows:
</t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork>
</figure>
<t><list hangIndent="0" style="hanging">
<t><list hangIndent="1" style="hanging">
<t hangText="M"><vspace blankLines="1" />0 (Optional)<vspace blankLines="1" /></t>
<t hangText="R"><vspace blankLines="1" />Reserved, set to
zero (0)<vspace blankLines="1" /></t>
<t hangText="TLV Type"><vspace blankLines="1" />6 for
Channel-Binding TLV<vspace blankLines="1" /></t>
<t hangText="Length"><vspace blankLines="1" />variable<vspace
blankLines="1" /></t>
<t hangText="Data"><vspace blankLines="1" /> The data
field contains channel binding data defined in <xref target="I-D.ietf-emu-chbind"></xref>. <vspace
blankLines="1" /></t>
</list></t>
</list></t>
</section>
<section anchor="identitytype" title="Identity-Type TLV">
<t>The Identity-Type TLV allows an EAP server to send a hint to help the EAP peer select the right type of identity; for example; user or
machine. TEAPv1 implementations MUST support this TLV. If the Identity-Type field does not contain one of the known values
or if the EAP peer does not have an identity corresponding to the identity-type, then the peer SHOULD respond with a NAK TLV. The Identity-Type TLV is defined as follows:
</t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identity-Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork>
</figure>
<t><list hangIndent="0" style="hanging">
<t><list hangIndent="1" style="hanging">
<t hangText="M"><vspace blankLines="1" />0 (Optional)<vspace blankLines="1" /></t>
<t hangText="R"><vspace blankLines="1" />Reserved, set to
zero (0)<vspace blankLines="1" /></t>
<t hangText="TLV Type"><vspace blankLines="1" />17 for
Identity-Type TLV<vspace blankLines="1" /></t>
<t hangText="Length"><vspace blankLines="1" />2<vspace
blankLines="1" /></t>
<t hangText="Identity-Type"><vspace blankLines="1" /> The Identity-Type
field is two octets. Values include: <vspace
blankLines="1" /><list style="hanging">
<t hangText="1">User</t>
<t hangText="2">Machine<vspace
blankLines="1" /></t>
</list></t>
</list></t>
</list></t>
</section>
<section anchor="passreq" title="Basic-Password-Auth-Req TLV">
<t>The Basic-Password-Auth-Req TLV is used by the authentication server to request a username and password from the peer. It contains an optional user prompt message for the request. The peer is expected to obtain the username and password and send them in a Basic-Password-Auth-Resp TLV. </t>
<t>The Basic-Password-Auth-Req TLV is defined as follows:</t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Prompt ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure>
<t><list hangIndent="0" style="hanging">
<t><list hangIndent="1" style="hanging">
<t hangText="M"><vspace blankLines="1" />0 (Optional)<vspace blankLines="1" /></t>
<t hangText="R"><vspace blankLines="1" />Reserved, set to
zero (0)<vspace blankLines="1" /></t>
<t hangText="TLV Type"><vspace blankLines="1" />13 for
Basic-Password-Auth-Req TLV<vspace blankLines="1" /></t>
<t hangText="Length"><vspace blankLines="1" />variable<vspace
blankLines="1" /></t>
<t hangText="Prompt"><vspace blankLines="1" />optional user prompt message in UTF-8 format<vspace
blankLines="1" /></t>
</list></t>
</list></t>
</section>
<section anchor="passresp" title="Basic-Password-Auth-Resp TLV">
<t>The Basic-Password-Auth-Resp TLV is used by the peer to respond to a Basic-Password-Auth-Req TLV with a username and password. The TLV contains a username and password. The username and password are in UTF-8 format and prepared as defined in <xref target="RFC4013">SASLprep</xref>.
</t>
<t>The Basic-Password-Auth-Resp TLV is defined as follows:</t>
<figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Userlen | Username
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... Username ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Passlen | Password
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... Password ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure>
<t><list hangIndent="0" style="hanging">
<t><list hangIndent="1" style="hanging">
<t hangText="M"><vspace blankLines="1" />0 (Optional)<vspace blankLines="1" /></t>
<t hangText="R"><vspace blankLines="1" />Reserved, set to
zero (0)<vspace blankLines="1" /></t>
<t hangText="TLV Type"><vspace blankLines="1" />14 for
Basic-Password-Auth-Resp TLV<vspace blankLines="1" /></t>
<t hangText="Length"><vspace blankLines="1" />variable
<vspace blankLines="1" /></t>
<t hangText="Userlen"><vspace blankLines="1" />Length of Username field in octets<vspace blankLines="1" /></t>
<t hangText="Username"><vspace blankLines="1" />Username in UTF-8 format<vspace blankLines="1" /></t>
<t hangText="Passlen"><vspace blankLines="1" />Length of Password field in octets<vspace blankLines="1" /></t>
<t hangText="Password"><vspace blankLines="1" />Password in UTF-8 format<vspace blankLines="1" /></t>
</list></t>
</list></t>
</section>
</section>
<section anchor="tlvtable" title="Table of TLVs">
<t>The following table provides a guide to which TLVs may be found in
which kinds of messages, and in what quantity. The messages are as
follows: Request is an TEAP Request, Response is an TEAP
Response, Success is a message containing a successful Result TLV, and
Failure is a message containing a failed Result TLV.</t>
<figure>
<artwork><![CDATA[
Request Response Success Failure TLVs
0-1 0-1 0-1 0-1 Intermediate-Result
0-1 0-1 0 0 EAP-Payload
0-1 0-1 1 1 Result
0-1 0-1 0-1 0-1 Crypto-Binding
0+ 0+ 0+ 0+ Error
0+ 0+ 0 0 NAK
0+ 0+ 0+ 0+ Vendor-Specific [NOTE1]
0-1 0-1 0 0 Authority-ID
0 0-1 0-1 0-1 Request-Action
0 0-1 0 0 Channel-Binding
0-1 0-1 0 0 Identity-Type
0-1 0 0 0 Basic-Password-Auth-Req
0 0-1 0 0 Basic-Password-Auth-Resp
]]></artwork>
</figure>
<t>[NOTE1] Vendor TLVs (included in Vendor-Specific TLVs) sent with a
Result TLV MUST be marked as optional.</t>
<t>The following table defines the meaning of the table entries in the
sections below:</t>
<t>0 This TLV MUST NOT be present in the message.</t>
<t>0+ Zero or more instances of this TLV MAY be present in the
message.</t>
<t>0-1 Zero or one instance of this TLV MAY be present in the
message.</t>
<t>1 Exactly one instance of this TLV MUST be present in the
message.</t>
</section>
</section>
<section anchor="crypto" title="Cryptographic Calculations">
<section anchor="phase1key"
title="TEAP Authentication Phase 1: Key Derivations">
<t>With TEAPv1, the TLS master secret is generated as specified in TLS.
If a PAC is used then the master secret is obtained as described in RFC 5077 <xref target="RFC5077" />. </t>
<t>TEAPv1 makes use of the TLS Keying Material Exporters defined
in RFC 5705 <xref target="RFC5705" /> to derive the session_key_seed.
The Label used in the derivation is "EXPORTER-TEAP-SKS". The length
of the session key seed material is 40 octets.
No context data is used in the export process.</t>
<t>The session_key_seed is used by the TEAP Authentication Phase 2
conversation to both cryptographically bind the inner method(s) to the
tunnel as well as generate the resulting TEAP session keys. The
other quantities are used as they are defined in <xref
target="RFC5246"></xref>.</t>
</section>
<section anchor="phase2key"
title="Intermediate Compound Key Derivations">
<t>The session_key_seed derived as part of TEAP Phase 2 is used in
TEAP Phase 2 to generate an Intermediate Compound Key (IMCK) used
to verify the integrity of the TLS tunnel after each successful inner
authentication and in the generation of Master Session Key (MSK) and
Extended Master Session Key (EMSK) defined in <xref
target="RFC3748"></xref>. Note that the IMCK must be recalculated
after each successful inner EAP method.</t>
<t><figure>
<preamble>The first step in these calculations is the generation
of the base compound key, IMCK[n] from the session_key_seed and
any session keys derived from the successful execution of n inner
EAP methods. The inner EAP method(s) may provide Master Session
Keys, MSK1..MSKn, corresponding to inner methods 1 through n. The
MSK is truncated at 32 octets if it is longer than 32 octets or
padded to a length of 32 octets with zeros if it is less than 32
octets. If the ith inner method does not generate an MSK, then
MSKi is set to zero (e.g., MSKi = 32 octets of 0x00s). If an inner
method fails, then it is not included in this calculation. The
derivations of S-IMCK is as follows:</preamble>
<artwork><![CDATA[
S-IMCK[0] = session_key_seed
For j = 1 to n-1 do
IMCK[j] = TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys",
MSK[j], 60)
S-IMCK[j] = first 40 octets of IMCK[j]
CMK[j] = last 20 octets of IMCK[j]
]]></artwork>
<postamble>where TLS-PRF is the PRF negotiated as part of TLS handshake <xref
target="RFC5246"></xref>.</postamble>
</figure></t>
<t></t>
</section>
<section anchor="compmac" title="Computing the Compound MAC">
<t>For authentication methods that generate keying material, further
protection against man-in-the-middle attacks is provided through
cryptographically binding keying material established by both TEAP
Phase 1 and TEAP Phase 2 conversations. After each successful
inner EAP authentication, EAP MSKs are cryptographically combined with
key material from TEAP Phase 1 to generate a compound session key,
CMK. The CMK is used to calculate the Compound MAC as part of the
Crypto-Binding TLV described in <xref target="cbtlv"></xref>, which
helps provide assurance that the same entities are involved in all
communications in TEAP. During the calculation of the Compound-MAC
the MAC field is filled with zeros.</t>
<t><figure>
<preamble>The Compound MAC computation is as follows:</preamble>
<artwork><![CDATA[
CMK = CMK[j]
Compound-MAC = HMAC-HASH( CMK, BUFFER )
]]></artwork>
<postamble>where j is the number of the last successfully executed
inner EAP method, HASH is the default hash function or the alternative hash function negotiated in TLS 1.2 <xref target="RFC5246"></xref>,
and BUFFER is created after concatenating these fields in the following order:</postamble>
</figure></t>
<t><list style="hanging">
<t hangText="1">The entire Crypto-Binding TLV attribute with the MAC field
zeroed out. </t>
<t hangText="2">The EAP Type sent by the other party in the first TEAP message. </t>
<t hangText="3">All the Outer-TLVs from the first TEAP message sent by EAP
server to peer. If a single TEAP message is fragmented into
multiple TEAP packets; then the Outer-TLVs in all the
fragments of that message MUST be included. </t>
<t hangText="4">All the Outer-TLVs from the first TEAP message sent by the
peer to the EAP server. If a single TEAP message is
fragmented into multiple TEAP packets, then the Outer-TLVs in
all the fragments of that message MUST be included. </t>
</list></t>
</section>
<section anchor="sesskey" title="EAP Master Session Key Generation">
<t></t>
<t><figure>
<preamble>TEAP Authentication assures the master session key
(MSK) and Extended Master Session Key (EMSK) output from the EAP
method are the result of all authentication conversations by
generating an Intermediate Compound Key (IMCK). The IMCK
is mutually derived by the peer and the server as described in
<xref target="phase2key"></xref> by combining the MSKs from inner
EAP methods with key material from TEAP Phase 1. The resulting
MSK and EMSK are generated as part of the IMCKn key hierarchy as
follows:</preamble>
<artwork><![CDATA[
MSK = TLS-PRF(S-IMCK[j], "Session Key Generating Function", 64)
EMSK = TLS-PRF(S-IMCK[j],
"Extended Session Key Generating Function", 64)
]]></artwork>
<postamble>where j is the number of the last successfully executed
inner EAP method.</postamble>
</figure></t>
<t>The EMSK is typically only known to the TEAP peer and server
and is not provided to a third party. The derivation of additional
keys and transportation of these keys to a third party is outside the
scope of this document.</t>
<t>If no EAP methods have been negotiated inside the tunnel or no EAP
methods have been successfully completed inside the tunnel, the MSK
and EMSK will be generated directly from the session_key_seed meaning
S-IMCK = session_key_seed.</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This section provides guidance to the Internet Assigned Numbers
Authority (IANA) regarding registration of values related to the
TEAP protocol, in accordance with BCP 26, <xref
target="RFC2434"></xref>.</t>
<t>The EAP Method Type number for TEAP needs to be assigned.</t>
<t>The document defines a registry for TEAP TLV types, which may be
assigned by Specification Required as defined in <xref
target="RFC2434"></xref>. <xref target="tlvformat"></xref> defines the
TLV types that initially populate the registry. A summary of the
TEAP TLV types is given below:</t>
<t><vspace blankLines="1" /><list style="hanging">
<t><list style="hanging">
<t hangText="0">Unassigned</t>
<t hangText="1">Authority-ID TLV</t>
<t hangText="2">Identity-Type TLV</t>
<t hangText="3">Result TLV</t>
<t hangText="4">NAK TLV</t>
<t hangText="5">Error TLV</t>
<t hangText="6">Channel-Binding TLV </t>
<t hangText="7">Vendor-Specific TLV</t>
<t hangText="8">Unassigned</t>
<t hangText="9">EAP-Payload TLV</t>
<t hangText="10">Intermediate-Result TLV</t>
<t hangText="11">PAC TLV </t>
<t hangText="12">Crypto-Binding TLV</t>
<t hangText="13">Basic-Password-Auth-Req TLV</t>
<t hangText="14">Basic-Password-Auth-Resp TLV </t>
<t hangText="15">PKCS#10 TLV</t>
<t hangText="16">Unassigned</t>
<t hangText="17">Unassigned</t>
<t hangText="18">Trusted-Server-Root TLV </t>
<t hangText="19">Request-Action TLV</t>
<t hangText="20">PKCS#7 TLV </t>
</list></t>
</list></t>
<t>The Error-TLV defined in <xref target="errtlv"></xref>
requires an error-code. TEAP Error-TLV error-codes are assigned
based on Specification Required as defined in <xref
target="RFC2434"></xref>. The initial list of error codes is as
follows:</t>
<t><list style="hanging">
<t>2001 Tunnel_Compromise_Error</t>
<t>2002 Unexpected_TLVs_Exchanged</t>
</list></t>
<t>The Request-Action TLV defined in section <xref
target="ratlv"></xref> contains an action code which is assigned on a
Specification Required basis as defined in <xref
target="RFC2434"></xref>. The initial actions defined are:</t>
<t></t>
<t></t>
<t><list style="hanging">
<t><list style="hanging">
<t hangText="1">Process-TLV</t>
<t hangText="2">Negotiate-EAP<vspace blankLines="1" /></t>
</list></t>
</list></t>
<t>The various values under Vendor-Specific TLV are assigned by Private
Use and do not need to be assigned by IANA.</t>
</section>
<section anchor="securityconsiderations" title="Security Considerations">
<t>TEAP is designed with a focus on wireless media, where the medium
itself is inherent to eavesdropping. Whereas in wired media, an attacker
would have to gain physical access to the wired medium; wireless media
enables anyone to capture information as it is transmitted over the air,
enabling passive attacks. Thus, physical security can not be assumed and
security vulnerabilities are far greater. The threat model used for the
security evaluation of TEAP is defined in the EAP <xref
target="RFC3748"></xref>.</t>
<section anchor="mutauth"
title="Mutual Authentication and Integrity Protection ">
<t>TEAP as a whole, provides message and integrity protection by
establishing a secure tunnel for protecting the authentication
method(s). The confidentiality and integrity protection is
defined by TLS and provides the same security strengths afforded by
TLS employing a strong entropy shared master secret. The integrity of
the key generating authentication methods executed within the TEAP
tunnel is verified through the calculation of the Crypto-Binding TLV.
This ensures that the tunnel endpoints are the same as the inner
method endpoints.</t>
<t>The Result TLV is protected and conveys the true Success or Failure
of TEAP, and should be used as the indicator of its success or
failure respectively. However, as EAP must terminate with a clear text
EAP Success or Failure, a peer will also receive a clear text EAP
Success or Failure. The received clear text EAP Success or Failure
must match that received in the Result TLV; the peer SHOULD silently
discard those clear text EAP success or failure messages that do not
coincide with the status sent in the protected Result TLV.</t>
</section>
<section anchor="nego" title="Method Negotiation">
<t>As is true for any negotiated EAP protocol, NAK packets used to
suggest an alternate authentication method are sent unprotected and as
such, are subject to spoofing. During unprotected EAP method
negotiation, NAK packets may be interjected as active attacks to
negotiate down to a weaker form of authentication, such as EAP-MD5
(which only provides one-way authentication and does not derive a
key). Both the peer and server should have a method selection policy
that prevents them from negotiating down to weaker methods. Inner
method negotiation resists attacks because it is protected by the
mutually authenticated TLS tunnel established. Selection of TEAP
as an authentication method does not limit the potential inner
authentication methods, so TEAP should be selected when
available.</t>
<t>An attacker cannot readily determine the inner EAP method used,
except perhaps by traffic analysis. It is also important that peer
implementations limit the use of credentials with an unauthenticated
or unauthorized server.</t>
</section>
<section anchor="sepp1p2"
title="Separation of Phase 1 and Phase 2 Servers">
<t>Separation of the TEAP Phase 1 from the Phase 2 conversation is
not recommended. Allowing the Phase 1 conversation to be terminated at
a different server than the Phase 2 conversation can introduce
vulnerabilities if there is not a proper trust relationship and
protection for the protocol between the two servers. Some
vulnerabilities include:</t>
<t><list style="symbols">
<t>Loss of identity protection</t>
<t>Offline dictionary attacks</t>
<t>Lack of policy enforcement</t>
</list></t>
<t>There may be cases where a trust relationship exists between the
Phase 1 and Phase 2 servers, such as on a campus or between two
offices within the same company, where there is no danger in revealing
the inner identity and credentials of the peer to entities between the
two servers. In these cases, using a proxy solution without end-to-end
protection of TEAP MAY be used. The TEAP encrypting/decrypting
gateway SHOULD, at a minimum, provide support for IPsec or similar
protection in order to provide confidentiality for the portion of the
conversation between the gateway and the EAP server.</t>
</section>
<section title="Mitigation of Known Vulnerabilities and Protocol Deficiencies">
<t>TEAP addresses the known deficiencies and weaknesses in the EAP
method. By employing a shared secret between the peer and server to
establish a secured tunnel, TEAP enables:</t>
<t><list style="symbols">
<t>Per packet confidentiality and integrity protection</t>
<t>User identity protection</t>
<t>Better support for notification messages</t>
<t>Protected EAP inner method negotiation</t>
<t>Sequencing of EAP methods</t>
<t>Strong mutually derived master session keys</t>
<t>Acknowledged success/failure indication</t>
<t>Faster re-authentications through session resumption</t>
<t>Mitigation of dictionary attacks</t>
<t>Mitigation of man-in-the-middle attacks</t>
<t>Mitigation of some denial-of-service attacks</t>
</list></t>
<t>It should be noted that TEAP, as in many other authentication
protocols, a denial-of-service attack can be mounted by adversaries
sending erroneous traffic to disrupt the protocol. This is a problem
in many authentication or key agreement protocols and is therefore noted for
TEAP as well.</t>
<t>TEAP was designed with a focus on protected authentication
methods that typically rely on weak credentials, such as password-based secrets. To that extent, the TEAP Authentication mitigates
several vulnerabilities, such as dictionary attacks, by protecting the
weak credential-based authentication method. The protection is based
on strong cryptographic algorithms in TLS to provide message
confidentiality and integrity. The keys derived for the
protection relies on strong random challenges provided by both peer
and server as well as an established key with strong entropy.
Implementations should follow the recommendation in <xref
target="RFC4086"></xref> when generating random numbers.</t>
<section title="User Identity Protection and Verification">
<t>The initial identity request response exchange is sent in
cleartext outside the protection of TEAP. Typically the Network Access Identifier (NAI)
<xref target="RFC4282"> </xref> in the identity response is useful
only for the realm information that is used to route the
authentication requests to the right EAP server. This means that the
identity response may contain an anonymous identity and just contain
realm information. In other cases, the identity exchange may be
eliminated altogether if there are other means for establishing the
destination realm of the request. In no case should an intermediary
place any trust in the identity information in the identity response
since it is unauthenticated and may not have any relevance to the
authenticated identity. TEAP implementations should not attempt
to compare any identity disclosed in the initial cleartext EAP
Identity response packet with those Identities authenticated in
Phase 2.</t>
<t>Identity request-response exchanges sent after the TEAP
tunnel is established are protected from modification and
eavesdropping by attackers.</t>
<t>Note that since TLS client certificates are sent in the clear, if
identity protection is required, then it is possible for the TLS
authentication to be re-negotiated after the first server
authentication. To accomplish this, the server will typically not
request a certificate in the server_hello, then after the
server_finished message is sent, and before TEAP Phase 2, the
server MAY send a TLS hello_request. This allows the client to
perform client authentication by sending a client_hello if it wants
to, or send a no_renegotiation alert to the server indicating that
it wants to continue with TEAP Phase 2 instead. Assuming that
the client permits renegotiation by sending a client_hello, then the
server will respond with server_hello, a certificate and
certificate_request messages. The client replies with certificate,
client_key_exchange and certificate_verify messages. Since this
re-negotiation occurs within the encrypted TLS channel, it does not
reveal client certificate details. It is possible to perform
certificate authentication using an EAP method (for example:
EAP-TLS) within the TLS session in TEAP Phase 2 instead of using
TLS handshake renegotiation.</t>
</section>
<section title="Dictionary Attack Resistance">
<t>TEAP was designed with a focus on protected authentication
methods that typically rely on weak credentials, such as password-based secrets. TEAP mitigates dictionary attacks by allowing the
establishment of a mutually authenticated encrypted TLS tunnel
providing confidentiality and integrity to protect the weak
credential based authentication method.</t>
</section>
<section title="Protection against Man-in-the-Middle Attacks">
<t>Allowing methods to be executed both with and without the
protection of a secure tunnel opens up a possibility of a
man-in-the-middle attack. To avoid man-in-the-middle attacks it is
recommended to always deploy authentication methods with protection
of TEAP. TEAP provides protection from man-in-the-middle
attacks even if a deployment chooses to execute inner EAP methods
both with and without TEAP protection, TEAP prevents this
attack in two ways:</t>
<t><list style="numbers">
<t>By using the PAC-Key to mutually authenticate the peer and
server during TEAP Authentication Phase 1 establishment of a
secure tunnel.</t>
<t>By using the keys generated by the inner authentication
method (if the inner methods are key generating) in the
crypto-binding exchange and in the generation of the key
material exported by the EAP method described in <xref
target="crypto"></xref>.</t>
</list></t>
</section>
<section title="PAC Binding to User Identity">
<t>A PAC may be bound to a user identity. A compliant implementation
of TEAP MUST validate that an identity obtained in the
PAC-Opaque field matches at minimum one of the identities provided
in the TEAP Phase 2 authentication method. This validation
provides another binding to ensure that the intended peer (based on
identity) has successfully completed the TEAP Phase 1 and proved
identity in the Phase 2 conversations.</t>
</section>
</section>
<section title="Protecting against Forged Clear Text EAP Packets">
<t>EAP Success and EAP Failure packets are, in general, sent in clear
text and may be forged by an attacker without detection. Forged EAP
Failure packets can be used to attempt to convince an EAP peer to
disconnect. Forged EAP Success packets may be used to attempt to
convince a peer that authentication has succeeded, even though the
authenticator has not authenticated itself to the peer.</t>
<t>By providing message confidentiality and integrity, TEAP
provides protection against these attacks. Once the peer and AS
initiate the TEAP Authentication Phase 2, compliant TEAP
implementations must silently discard all clear text EAP messages,
unless both the TEAP peer and server have indicated success or
failure using a protected mechanism. Protected mechanisms include TLS
alert mechanism and the protected termination mechanism described in
<xref target="proterm"></xref>.</t>
<t>The success/failure decisions within the TEAP tunnel indicate
the final decision of the TEAP authentication conversation. After
a success/failure result has been indicated by a protected mechanism,
the TEAP peer can process unprotected EAP Success and EAP Failure
messages; however the peer MUST ignore any unprotected EAP success or
failure messages where the result does not match the result of the
protected mechanism.</t>
<t>To abide by <xref target="RFC3748"></xref>, the server must send a
clear text EAP Success or EAP Failure packet to terminate the EAP
conversation. However, since EAP Success and EAP Failure packets are
not retransmitted, the final packet may be lost. While an TEAP
protected EAP Success or EAP Failure packet should not be a final
packet in an TEAP conversation, it may occur based on the
conditions stated above, so an EAP peer should not rely upon the
unprotected EAP success and failure messages.</t>
</section>
<section title="Server Certificate Validation">
<t>As part of the TLS negotiation, the server presents a certificate
to the peer. The peer MUST verify the validity of the EAP server
certificate, and SHOULD also examine the EAP server name presented in
the certificate, in order to determine whether the EAP server can be
trusted. Please note that in the case where the EAP authentication is
remoted, the EAP server will not reside on the same machine as the
authenticator, and therefore the name in the EAP server's certificate
cannot be expected to match that of the intended destination. In this
case, a more appropriate test might be whether the EAP server's
certificate is signed by a CA controlling the intended domain and
whether the authenticator can be authorized by a server in that
domain.</t>
</section>
<section title="Tunnel PAC Considerations">
<t>Since the Tunnel PAC is stored by the peer, special care should be
given to the overall security of the peer. The Tunnel PAC must be
securely stored by the peer to prevent theft or forgery of any of the
Tunnel PAC components.
In particular, the peer must securely store the PAC-Key and protect
it from disclosure or modification. Disclosure of the PAC-Key
enables an attacker to establish the TEAP tunnel; however,
disclosure of the PAC-Key does not reveal the peer or server identity
or compromise any other peer's PAC credentials. Modification of the
PAC-Key or PAC-Opaque components of the Tunnel PAC may also lead to
denial of service as the tunnel establishment will fail.
The PAC-Opaque component is the effective TLS ticket extension used
to establish the tunnel using the techniques of <xref target="RFC5077"></xref>. Thus, the
security considerations defined by <xref target="RFC5077"></xref> also apply to the PAC-
Opaque.
The PAC-Info may contain information about the Tunnel PAC such as the
identity of the PAC issuer and the Tunnel PAC lifetime for use in the
management of the Tunnel PAC. The PAC-Info should be securely stored
by the peer to protect it from disclosure and modification.</t>
</section>
<section title="Security Claims">
<t>This section provides the needed security claim requirement for EAP
[RFC3748].</t>
<t><list hangIndent="25" style="hanging">
<t hangText="Auth. mechanism:">Certificate based, shared secret
based and various tunneled authentication mechanisms.</t>
<t hangText="Ciphersuite negotiation:">Yes</t>
<t hangText="Mutual authentication:">Yes</t>
<t hangText="Integrity protection:">Yes, Any method executed
within the TEAP tunnel is integrity protected. The cleartext
EAP headers outside the tunnel are not integrity protected.</t>
<t hangText="Replay protection:">Yes</t>
<t hangText="Confidentiality:">Yes</t>
<t hangText="Key derivation:">Yes</t>
<t hangText="Key strength:">See Note 1 below.</t>
<t hangText="Dictionary attack prot.:">Yes</t>
<t hangText="Fast reconnect:">Yes</t>
<t hangText="Cryptographic binding:">Yes</t>
<t hangText="Session independence:">Yes</t>
<t hangText="Fragmentation:">Yes</t>
<t hangText="Key Hierarchy:">Yes</t>
<t hangText="Channel binding:">Yes</t>
</list></t>
<t>Notes</t>
<t><list style="numbers">
<t>BCP 86 <xref target="RFC3766"></xref> offers advice on appropriate key sizes. The
National Institute for Standards and Technology (NIST) also
offers advice on appropriate key sizes in <xref target="NIST-SP-800-57"></xref>.
<xref target="RFC3766"></xref> Section 5 advises use of the following required RSA or
DH module and DSA subgroup size in bits, for a given level of
attack resistance in bits. Based on the table below, a 2048-bit
RSA key is required to provide 128-bit equivalent key strength:</t>
</list></t>
<figure>
<artwork><![CDATA[
Attack Resistance RSA or DH Modulus DSA subgroup
(bits) size (bits) size (bits)
----------------- ----------------- ------------
70 947 129
80 1228 148
90 1553 167
100 1926 186
150 4575 284
200 8719 383
250 14596 482
]]></artwork>
</figure>
</section>
</section>
<section title="Acknowledgements">
<t>The TEAP v1 design and protocol specification is based on the ideas
and hard efforts of Pad Jakkahalli, Mark Krischer, Doug Smith, and Glen
Zorn of Cisco Systems, Inc.</t>
<t>The TLV processing was inspired from work on the Protected Extensible
Authentication Protocol version 2 (PEAPv2) with Ashwin
Palekar, Dan Smith and Simon Josefsson. Helpful review comments were
provided by Russ Housley, Jari Arkko, Ilan Frenkel and Jeremy
Steiglitz.</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc3748;
&rfc3268;
&rfc2434;
&rfc5422;
&rfc4851;
&rfc5246;
&rfc5077;
&rfc4013;
&rfc5705;
&rfc5746;
&draft-ietf-emu-chbind;
</references>
<references title="Informative References">
&rfc2311;
&rfc2315;
&rfc2560;
&rfc5216;
&rfc4282;
&rfc4072;
&rfc4086;
&rfc3579;
&rfc3766;
&rfc6066;
&draft-ietf-emu-eaptunnel-req;
&rfc5421;
&rfc3280;
&rfc3629;
&rfc4630;
&rfc5281;
&rfc5272;
&rfc4945;
<reference anchor="IEEE.802-1X.2004">
<front>
<title>Local and Metropolitan Area Networks: Port-Based Network
Access Control</title>
<author>
<organization></organization>
</author>
<date month="December" year="2004" />
</front>
<seriesInfo name="IEEE" value="Standard 802.1X" />
</reference>
<reference anchor="PEAP">
<front>
<title>"[MS-PEAP]: Protected Extensible Authentication Protocol (PEAP) Specification"</title>
<author>
<organization>Microsoft Corporation</organization>
</author>
<date month="August" year="2009" />
</front>
</reference>
<reference anchor="NIST-SP-800-57">
<front>
<title>"Recommendation for Key Management"</title>
<author>
<organization>National Institute of Standards and Technology</organization>
</author>
<date month="May" year="2006" />
</front>
<seriesInfo name="NIST" value="Special Publication 800-57" />
</reference>
</references>
<section anchor="evaluation" title="Evaluation Against Tunnel Based EAP Method Requirements">
<t>This section evaluates all tunnel based EAP method requirements described in <xref target="I-D.ietf-emu-eaptunnel-req"></xref> against TEAP version 1.</t>
<section title="Requirement 4.1.1 RFC Compliance">
<t>TEAP v1 meets this requirement by being compliant to RFC 3748, RFC 4017, RFC 5247, and RFC 4962. It is also compliant with the "cryptographic algorithm agility" requirement by leveraging TLS 1.2 for all cryptographic algorithm negotiation.</t>
</section>
<section title="Requirement 4.2.1 TLS Requirements">
<t> Requirement 4.2.1 states:</t>
<t>The tunnel based method MUST support TLS version 1.2 [RFC5246] and may support earlier versions greater than SSL 2.0 to enable the possibility of backwards compatibility.</t>
<t>TEAP v1 meets this requirement by mandating TLS version 1.2 support as defined in <xref target="phase1"></xref>.</t>
</section>
<section title="Requirement 4.2.1.1.1 Cipher Suite Negotiation">
<t> Requirement 4.2.1.1.1 states:</t>
<t>Hence, the tunnel method MUST provide integrity protected cipher suite negotiation with secure integrity algorithms and integrity keys.</t>
<t>TEAP v1 meets this requirement by using TLS to provide protected cipher suite negotiation.</t>
</section>
<section title="Requirement 4.2.1.1.2 Tunnel Data Protection Algorithms">
<t> Requirement 4.2.1.1.2 states:</t>
<t>The tunnel method MUST provide at least one mandatory to implement cipher suite that provides the equivalent security of 128-bit AES for encryption and message authentication.</t>
<t>TEAP v1 meets this requirement by mandating TLS_RSA_WITH_AES_128_CBC_SHA as a mandatory to implement cipher suite as defined in <xref target="phase1"></xref>.</t>
</section>
<section title="Requirement 4.2.1.1.3 Tunnel Authentication and Key Establishment">
<t>TEAP v1 meets this requirement by mandating TLS_RSA_WITH_AES_128_CBC_SHA as a mandatory to implement cipher suite which provides certificate-based authentication of the server and is approved by NIST. The mandatory to implement cipher suites only include cipher suites that use strong cryptographic algorithms. They do not include cipher suites providing mutually anonymous authentication or static Diffie-Hellman cipher suites as defined in <xref target="phase1"></xref>.</t>
</section>
<section title="Requirement 4.2.1.2 Tunnel Replay Protection">
<t>TEAP v1 meets this requirement by using TLS to provide sufficient replay protection.</t>
</section>
<section title="Requirement 4.2.1.3 TLS Extensions">
<t>TEAP v1 meets this requirement by allowing TLS extensions, such as TLS Certificate Status Request extension <xref target="RFC6066"></xref> and SessionTicket extension <xref target="RFC5077"></xref> to be used during TLS tunnel establishment.</t>
</section>
<section title="Requirement 4.2.1.4 Peer Identity Privacy">
<t>TEAP v1 meets this requirement by establishment of the TLS tunnel and protection of inner method specific identities. In addition, the peer certificate can be sent confidentially (i.e. encrypted).</t>
</section>
<section title="Requirement 4.2.1.5 Session Resumption">
<t>TEAP v1 meets this requirement by mandating support of TLS session resumption as defined in <xref target="sessres"></xref> and TLS Session Resume Using a PAC as defined in <xref target="tunnelpac"></xref> .</t>
</section>
<section title="Requirement 4.2.2 Fragmentation">
<t>TEAP v1 meets this requirement by leveraging fragmentation support provided by TLS as defined in <xref target="frag"></xref>.</t>
</section>
<section title="Requirement 4.2.3 Protection of Data External to Tunnel">
<t>TEAP v1 meets this requirement by including TEAP version number received in the computation of crypto-binding TLV as defined in <xref target="cbtlv"></xref>.</t>
</section>
<section title="Requirement 4.3.1 Extensible Attribute Types">
<t>TEAP v1 meets this requirement by using an extensible TLV data layer inside the tunnel as defined in <xref target="tlvformat"></xref>.</t>
</section>
<section title="Requirement 4.3.2 Request/Challenge Response Operation">
<t>TEAP v1 meets this requirement by allowing multiple TLVs to be sent in a single EAP request or response packet, while maintaining the half-duplex operation typical of EAP.</t>
</section>
<section title="Requirement 4.3.3 Indicating Criticality of Attributes">
<t>TEAP v1 meets this requirement by having a mandatory bit in TLV to indicate whether it is mandatory to support or not as defined in <xref target="tlvformat"></xref>.</t>
</section>
<section title="Requirement 4.3.4 Vendor Specific Support">
<t>TEAP v1 meets this requirement by having a Vendor-Specific TLV to allow vendors to define their own attributes as defined in <xref target="vendortlv"></xref>.</t>
</section>
<section title="Requirement 4.3.5 Result Indication">
<t>TEAP v1 meets this requirement by having a Result TLV to exchange the final result of the EAP authentication so both the peer and server have a synchronized state as defined in <xref target="resulttlv"></xref>.</t>
</section>
<section title="Requirement 4.3.6 Internationalization of Display Strings">
<t>TEAP v1 meets this requirement by supporting UTF-8 format in Basic-Password-Auth-Req TLV as defined in <xref target="passreq"></xref> and Basic-Password-Auth-Resp TLV as defined in <xref target="passresp"></xref>.</t>
</section>
<section title="Requirement 4.4 EAP Channel Binding Requirements">
<t>TEAP v1 meets this requirement by having a Channel-Binding TLV to exchange the EAP channel binding data as defined in <xref target="channelbinding"></xref>.</t>
</section>
<section title="Requirement 4.5.1.1 Confidentiality and Integrity">
<t>TEAP v1 meets this requirement by running the password authentication inside a protected TLS tunnel.</t>
</section>
<section title="Requirement 4.5.1.2 Authentication of Server">
<t>TEAP v1 meets this requirement by mandating authentication of the server before establishment of the protected TLS and then running inner password authentication as defined in <xref target="phase1"></xref>.</t>
</section>
<section title="Requirement 4.5.1.3 Server Certificate Revocation Checking">
<t>TEAP v1 meets this requirement by supporting TLS Certificate Status Request extension <xref target="RFC6066"></xref> during tunnel establishment.</t>
</section>
<section title="Requirement 4.5.2 Internationalization">
<t>TEAP v1 meets this requirement by supporting UTF-8 format in Basic-Password-Auth-Req TLV as defined in <xref target="passreq"></xref> and Basic-Password-Auth-Resp TLV as defined in <xref target="passresp"></xref>.</t>
</section>
<section title="Requirement 4.5.3 Meta-data">
<t>TEAP v1 meets this requirement by supporting Identity-Type TLV as defined in <xref target="identitytype"></xref> to indicate whether the authentication is for a user or a machine.</t>
</section>
<section title="Requirement 4.5.4 Password Change">
<t>TEAP v1 meets this requirement by supporting multiple Basic-Password-Auth-Req TLV and Basic-Password-Auth-Resp TLV exchanges within a single EAP authentication, which allows "housekeeping"" functions such as password change.</t>
</section>
<section title="Requirement 4.6.1 Method Negotiation">
<t>TEAP v1 meets this requirement by supporting inner EAP method negotiation within the protected TLS tunnel.</t>
</section>
<section title="Requirement 4.6.2 Chained Methods">
<t>TEAP v1 meets this requirement by supporting inner EAP method chaining within protected TLS tunnel as defined in <xref target="eapseq"></xref>.</t>
</section>
<section title="Requirement 4.6.3 Cryptographic Binding with the TLS Tunnel">
<t>TEAP v1 meets this requirement by supporting cryptographic binding of the inner EAP method keys with the keys derived from the TLS tunnel as defined in <xref target="cbtlv"></xref>.</t>
</section>
<section title="Requirement 4.6.4 Peer Initiated">
<t>TEAP v1 meets this requirement by supporting Request-Action TLV as defined in <xref target="ratlv"></xref> to allow peer to initiate another inner EAP method.</t>
</section>
<section title="Requirement 4.6.5 Method Meta-data">
<t>TEAP v1 meets this requirement by supporting Identity-Type TLV as defined in <xref target="identitytype"></xref> to indicate whether the authentication is for a user or a machine.</t>
</section>
</section>
<section anchor="changes" title="Major Differences from EAP-FAST">
<t>This document is a new standard tunnel EAP method based on revision of the EAP-FAST version 1 <xref target="RFC4851"></xref> which
contains improved flexibility, particularly for negotiation of
cryptographic algorithms. The major changes are:</t>
<t><list style="numbers">
<t hangText="Version Number">The EAP method name have been changed from EAP-FAST to TEAP, hence it would require a new EAP method type to be assigned.</t>
<t hangText="TLS Version Number">This version of TEAP MUST support TLS 1.2 <xref target="RFC5246"></xref>.</t>
<t hangText="PRF and Hash Function">The key derivation now makes use of TLS keying material exporters <xref target="RFC5705"></xref> and the PRF and hash function negotiated in TLS. This is to simplify implementation and better support cryptographic algorithm agility.</t>
<t hangText="TLS Session Resume Using a PAC">TEAP is in full conformance with TLS Ticket extension <xref target="RFC5077"></xref> as described in <xref target="tunnelpac"></xref>.</t>
<t hangText="Outer TLVs">Support of passing optional outer TLVs in the first two message exchanges, in addtion to the Authority-ID TLV data in EAP-FAST.</t>
<t hangText="Basic Password Authentication">Basic password authentication on the TLV level has been added in addition to the existing inner EAP method.</t>
<t hangText="Addtional TLV Types">Additional TLV types have been defined to support EAP channel binding and meta-data. They are Identity Type TLV and Channel-Binding TLVs, defined in <xref target="tlvformat"></xref>.</t>
</list></t>
</section>
<section anchor="examples" title="Examples">
<section title="Successful Authentication">
<t>The following exchanges show a successful TEAP authentication
with optional PAC refreshment, the conversation will appear as
follows:</t>
<figure>
<artwork><![CDATA[
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello with
PAC-Opaque in SessionTicket extension)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
(TLS change_cipher_spec,
TLS finished)
EAP-Response/
EAP-Type=TEAP, V=1 ->
(TLS change_cipher_spec,
TLS finished)
TLS channel established
(messages sent within the TLS channel)
<- EAP Payload TLV, EAP-Request,
EAP-GTC, Challenge
EAP Payload TLV, EAP-Response,
EAP-GTC, Response with both
user name and password) ->
optional additional exchanges (new pin mode,
password change etc.) ...
<- Intermediate-Result TLV (Success)
Crypto-Binding TLV (Request)
Intermediate-Result TLV (Success)
Crypto-Binding TLV(Response) ->
<- Result TLV (Success)
(Optional PAC TLV)
Result TLV (Success)
(PAC TLV Acknowledgment) ->
TLS channel torn down
(messages sent in clear text)
<- EAP-Success
]]></artwork>
</figure>
</section>
<section title="Failed Authentication">
<t>The following exchanges show a failed TEAP authentication due
to wrong user credentials, the conversation will appear as
follows:</t>
<figure>
<artwork><![CDATA[
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello with
PAC-Opaque in SessionTicket extension)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
(TLS change_cipher_spec,
TLS finished)
EAP-Response/
EAP-Type=TEAP, V=1 ->
(TLS change_cipher_spec,
TLS finished)
TLS channel established
(messages sent within the TLS channel)
<- EAP Payload TLV, EAP-Request,
EAP-GTC, Challenge
EAP Payload TLV, EAP-Response,
EAP-GTC, Response with both
user name and password) ->
<- EAP Payload TLV, EAP-Request,
EAP-GTC, error message
EAP Payload TLV, EAP-Response,
EAP-GTC, empty data packet to
acknowledge unrecoverable error) ->
<- Result TLV (Failure)
Result TLV (Failure) ->
TLS channel torn down
(messages sent in clear text)
<- EAP-Failure ]]></artwork>
</figure>
</section>
<section anchor="fullcertex"
title="Full TLS Handshake using Certificate-based Cipher Suite">
<t>In the case where an abbreviated TLS handshake is tried and failed
and falls back to certificate based full TLS handshake occurs within
TEAP Phase 1, the conversation will appear as follows:</t>
<figure>
<artwork><![CDATA[
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/Identity
EAP-Response/
Identity (MyID1) ->
// Identity sent in the clear. May be a hint to help route
the authentication request to EAP server, instead of the
full user identity.
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello
[PAC-Opaque extension])->
// Peer sends PAC-Opaque of Tunnel PAC along with a list of
ciphersuites supported. If the server rejects the PAC-
Opaque, if falls through to the full TLS handshake
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=TEAP, V=1
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
EAP-Payload-TLV[EAP-Request/
Identity])
// TLS channel established
(messages sent within the TLS channel)
// First EAP Payload TLV is piggybacked to the TLS Finished as
Application Data and protected by the TLS tunnel
EAP-Payload-TLV
[EAP-Response/Identity (MyID2)]->
// identity protected by TLS.
<- EAP-Payload-TLV
[EAP-Request/EAP-Type=X]
EAP-Payload-TLV
[EAP-Response/EAP-Type=X] ->
// Method X exchanges followed by Protected Termination
<- Crypto-Binding TLV (Version=1,
TEAP Version=1, Nonce,
CompoundMAC),
Result TLV (Success)
Crypto-Binding TLV (Version=1,
TEAP Version=1, Nonce,
CompoundMAC),
Result-TLV (Success) ->
// TLS channel torn down
(messages sent in clear text)
<- EAP-Success]]></artwork>
</figure>
</section>
<section title="Client authentication during Phase 1 with identity privacy">
<t>In the case where a certificate based TLS handshake occurs within
TEAP Phase 1, and client certificate authentication and identity
privacy is desired, the conversation will appear as follows:</t>
<figure>
<artwork><![CDATA[
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/Identity
EAP-Response/
Identity (MyID1) ->
// Identity sent in the clear. May be a hint to help route
the authentication request to EAP server, instead of the
full user identity.
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_key_exchange,
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,TLS Hello-Request)
// TLS channel established
(messages sent within the TLS channel)
// TLS Hello-Request is piggybacked to the TLS Finished as
Handshake Data and protected by the TLS tunnel
TLS client_hello ->
<- TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done
[TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished ->
<- TLS change_cipher_spec,
TLS finished,
Result TLV (Success)
Result-TLV (Success)) ->
//TLS channel torn down
(messages sent in clear text)
<- EAP-Success
]]></artwork>
</figure>
</section>
<section title="Fragmentation and Reassembly">
<t>In the case where TEAP fragmentation is required, the
conversation will appear as follows:</t>
<figure>
<artwork><![CDATA[
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
(Fragment 1: L, M bits set)
EAP-Response/
EAP-Type=TEAP, V=1 ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(Fragment 2: M bit set)
EAP-Response/
EAP-Type=TEAP, V=1 ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(Fragment 3)
EAP-Response/
EAP-Type=TEAP, V=1
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished)
(Fragment 1: L, M bits set)->
<- EAP-Request/
EAP-Type=TEAP, V=1
EAP-Response/
EAP-Type=TEAP, V=1
(Fragment 2)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
[EAP-Payload-TLV[
EAP-Request/Identity]])
// TLS channel established
(messages sent within the TLS channel)
// First EAP Payload TLV is piggybacked to the TLS Finished as
Application Data and protected by the TLS tunnel
EAP-Payload-TLV
[EAP-Response/Identity (MyID2)]->
// identity protected by TLS.
<- EAP-Payload-TLV
[EAP-Request/EAP-Type=X]
EAP-Payload-TLV
[EAP-Response/EAP-Type=X] ->
// Method X exchanges followed by Protected Termination
<- Crypto-Binding TLV (Version=1,
TEAP Version=1, Nonce,
CompoundMAC),
Result TLV (Success)
Crypto-Binding TLV (Version=1,
TEAP Version=1, Nonce,
CompoundMAC),
Result-TLV (Success) ->
// TLS channel torn down
(messages sent in clear text)
<- EAP-Success
]]></artwork>
</figure>
</section>
<section title="Sequence of EAP Methods">
<t>When TEAP is negotiated, with a sequence of EAP method X
followed by method Y, the conversation will occur as follows:</t>
<figure>
<artwork><![CDATA[
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=TEAP, V=1
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
EAP-Payload-TLV[
EAP-Request/Identity])
// TLS channel established
(messages sent within the TLS channel)
// First EAP Payload TLV is piggybacked to the TLS Finished as
Application Data and protected by the TLS tunnel
EAP-Payload-TLV
[EAP-Response/Identity] ->
<- EAP-Payload-TLV
[EAP-Request/EAP-Type=X]
EAP-Payload-TLV
[EAP-Response/EAP-Type=X] ->
// Optional additional X Method exchanges...
<- EAP-Payload-TLV
[EAP-Request/EAP-Type=X]
EAP-Payload-TLV
[EAP-Response/EAP-Type=X]->
<- Intermediate Result TLV (Success),
Crypto-Binding TLV (Version=1
TEAP Version=1, Nonce,
CompoundMAC),
EAP Payload TLV [EAP-Type=Y],
// Next EAP conversation started after successful completion
of previous method X. The Intermediate-Result and Crypto-
Binding TLVs are sent in next packet to minimize round-
trips. In this example, identity request is not sent
before negotiating EAP-Type=Y.
// Compound MAC calculated using Keys generated from
EAP methods X and the TLS tunnel.
Intermediate Result TLV (Success),
Crypto-Binding TLV (Version=1,
TEAP Version=1, Nonce,
CompoundMAC),
EAP-Payload-TLV [EAP-Type=Y] ->
// Optional additional Y Method exchanges...
<- EAP Payload TLV [
EAP-Type=Y]
EAP Payload TLV
[EAP-Type=Y] ->
<- Intermediate-Result-TLV (Success),
Crypto-Binding TLV (Version=1
TEAP Version=1, Nonce,
CompoundMAC),
Result TLV (Success)
Intermediate-Result-TLV (Success),
Crypto-Binding TLV (Version=1,
TEAP Version=1, Nonce,
CompoundMAC),
Result-TLV (Success) ->
// Compound MAC calculated using Keys generated from EAP
methods X and Y and the TLS tunnel. Compound Keys
generated using Keys generated from EAP methods X and Y;
and the TLS tunnel.
// TLS channel torn down (messages sent in clear text)
<- EAP-Success
]]></artwork>
</figure>
</section>
<section title="Failed Crypto-binding">
<t>The following exchanges show a failed crypto-binding validation.
The conversation will appear as follows:</t>
<figure>
<artwork><![CDATA[
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello without
PAC-Opaque extension)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS Server Key Exchange
TLS Server Hello Done)
EAP-Response/
EAP-Type=TEAP, V=1 ->
(TLS Client Key Exchange
TLS change_cipher_spec,
TLS finished)
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec
TLS finished)
EAP-Payload-TLV[
EAP-Request/Identity])
// TLS channel established
(messages sent within the TLS channel)
// First EAP Payload TLV is piggybacked to the TLS Finished as
Application Data and protected by the TLS tunnel
EAP-Payload TLV/
EAP Identity Response ->
<- EAP Payload TLV, EAP-Request,
(EAP-MSCHAPV2, Challenge)
EAP Payload TLV, EAP-Response,
(EAP-MSCHAPV2, Response) ->
<- EAP Payload TLV, EAP-Request,
(EAP-MSCHAPV2, Success Request)
EAP Payload TLV, EAP-Response,
(EAP-MSCHAPV2, Success Response) ->
<- Crypto-Binding TLV (Version=1,
TEAP Version=1, Nonce,
CompoundMAC),
Result TLV (Success)
Result TLV (Failure)
Error TLV with
(Error Code = 2001) ->
// TLS channel torn down
(messages sent in clear text)
<- EAP-Failure
]]></artwork>
</figure>
</section>
<section title="Sequence of EAP Method with Vendor-Specific TLV Exchange">
<t>When TEAP is negotiated, with a sequence of EAP method
followed by Vendor-Specific TLV exchange, the conversation will occur
as follows:</t>
<figure>
<artwork><![CDATA[
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=TEAP, V=1
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
EAP-Payload-TLV[
EAP-Request/Identity])
// TLS channel established
(messages sent within the TLS channel)
// First EAP Payload TLV is piggybacked to the TLS Finished as
Application Data and protected by the TLS tunnel
EAP-Payload-TLV
[EAP-Response/Identity] ->
<- EAP-Payload-TLV
[EAP-Request/EAP-Type=X]
EAP-Payload-TLV
[EAP-Response/EAP-Type=X] ->
<- EAP-Payload-TLV
[EAP-Request/EAP-Type=X]
EAP-Payload-TLV
[EAP-Response/EAP-Type=X]->
<- Intermediate Result TLV (Success),
Crypto-Binding TLV (Version=1
TEAP Version=1, Nonce,
CompoundMAC),
Vendor-Specific TLV,
// Vendor Specific TLV exchange started after successful
completion of previous method X. The Intermediate-Result
and Crypto-Binding TLVs are sent with Vendor Specific TLV
in next packet to minimize round-trips.
// Compound MAC calculated using Keys generated from
EAP methods X and the TLS tunnel.
Intermediate Result TLV (Success),
Crypto-Binding TLV (Version=1,
TEAP Version=1, Nonce,
CompoundMAC),
Vendor-Specific TLV ->
// Optional additional Vendor-Specific TLV exchanges...
<- Vendor-Specific TLV
Vendor Specific TLV ->
<- Result TLV (Success)
Result-TLV (Success) ->
// TLS channel torn down (messages sent in clear text)
<- EAP-Success]]></artwork>
</figure>
</section>
</section>
<section anchor="revchanges" title="Major Differences from previous revisions">
<section anchor="rev01" title="Changes from -00">
<t><list style="numbers">
<t>Changed protocol name to TEAP: Tunnel EAP Method</t>
<t>Changed version of protocol to version 1</t>
<t>Revised introduction</t>
<t>Moved differences section to appendix</t>
<t>Revised design goals section</t>
<t>Revised PAC definition</t>
<t>Revised protocol description to be in line with RFC 5077 PAC distribution</t>
<t>Revised EAP Sequences Section</t>
<t>Added section on PAC provisioning within tunnel</t>
<t>Added outer TLVs to the message format</t>
<t>Renumbered TLVs</t>
<t>Included PAC TLVs</t>
<t>Added Authority ID TLV</t>
<t>Added PKCS#7 and server trust root TLV definitions</t>
<t>Added PKCS#10 TLV</t>
<t>Added EAP-Type and outer TLVs to crypto binding compound MAC</t>
</list></t>
</section>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 18:34:54 |