Network Working Group G. Zorn
Internet-Draft NetCube Technologies
Intended status: Standards Track October 18, 2008
Expires: April 21, 2009
RADIUS Attributes for IEEE 802.16 Privacy Key Management Version 1
(PKMv1) Protocol Support
draft-zorn-radius-pkmv1-01.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 21, 2009.
Copyright Notice
Copyright (C) The IETF Trust (2008).
Abstract
This document defines a set of RADIUS Attributes which are designed
to provide RADIUS support for IEEE 802.16 Privacy Key Management
Version 1.
Zorn Expires April 21, 2009 [Page 1]
Internet-Draft RADIUS Attributes for PKMv1 October 2008
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Specification of Requirements . . . . . . . . . . . . . . 3
2.2. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. PKM-SS-Cert . . . . . . . . . . . . . . . . . . . . . . . 4
3.2. PKM-CA-Cert . . . . . . . . . . . . . . . . . . . . . . . 5
3.3. PKM-Config-Settings . . . . . . . . . . . . . . . . . . . 5
3.4. PKM-Cryptosuite-List . . . . . . . . . . . . . . . . . . . 7
3.5. PKM-SAID . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.6. PKM-SA-Descriptor . . . . . . . . . . . . . . . . . . . . 9
3.7. PKM-AUTH-Key . . . . . . . . . . . . . . . . . . . . . . . 10
4. Diameter Considerations . . . . . . . . . . . . . . . . . . . 11
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
5.1. Attributes . . . . . . . . . . . . . . . . . . . . . . . . 11
6. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 11
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
8.1. Normative References . . . . . . . . . . . . . . . . . . . 12
8.2. Informative References . . . . . . . . . . . . . . . . . . 12
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12
Intellectual Property and Copyright Statements . . . . . . . . . . 14
1. Introduction
Privacy Key Management Version 1 (PKMv1) [IEEE.802.16-2004] is a
public-key based authentication and key establishment protocol
typically used in fixed wireless broadband network deployments. The
protocol utilizes X.509 v3 certificates [RFC2459], RSA encryption
[PKCS.1.1998] and a variety of secret key cryptographic methods to
allow an 802.16 Base Station (BS) to authenticate a Subscriber
Station (SS) and perform key establishment and maintenance between a
SS and BS.
This document defines a set of RADIUS Attributes which are designed
to provide support for PKMv1. The target audience for this document
consists of those developers implementing RADIUS support for PKMv1;
therefore, familiarity with (or at least access to) the IEEE 802.16-
2004 standard is assumed.
Discussion of this draft may be directed to the author.
2. Terminology
2.1. Specification of Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2.2. Acronyms
SA
Security Association
SAID
Security Association Identifier
TEK
Traffic Encryption Key
For further information on these terms, please see
[IEEE.802.16-2004].
3. Attributes
The following subsections describe the Attributes defined by this
document. This specification concerns the following values:
<TBD1> PKM-SS-Cert
<TBD2> PKM-CA-Cert
<TBD3> PKM-Config-Settings
<TBD4> PKM-Cryptosuite-List
<TBD5> PKM-SAID
<TBD6> PKM-SA-Descriptor
<TBD7> PKM-AUTH-Key
3.1. PKM-SS-Cert
Description
The PKM-SS-Cert Attribute is variable length and contains the
X.509 certificate [RFC2459] identifying the Subscriber Station; it
MAY be transmitted in the Access-Request message.
A summary of the PKM-SS-Cert Attribute format is shown below. The
fields are transmitted from left to right.
                         1                   2
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |      Len      |    Value...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
<TBD1> for PKM-SS-Cert
Len
> 2
Value
The Value field is variable length and contains an X.509
certificate. Because the Len field is a single octet [RFC2865], one
attribute can carry at most 253 octets of Value; a DER-encoded
certificate is usually longer than that, and this document does not
specify how such a certificate is to be carried.
3.2. PKM-CA-Cert
Description
The PKM-CA-Cert Attribute is variable length and contains the
X.509 certificate [RFC2459] identifying the CA certificate for the
SS; it MAY be transmitted in the Access-Request message.
A summary of the PKM-CA-Cert Attribute format is shown below. The
fields are transmitted from left to right.
                         1                   2
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |      Len      |    Value...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
<TBD2> for PKM-CA-Cert
Len
> 2
Value
The Value field is variable length and contains an X.509
certificate.
3.3. PKM-Config-Settings
Description
The PKM-Config-Settings Attribute is 30 octets in length and
consists of seven independent fields, each of type integer
[RFC2865]. Each of the fields contains a timer and corresponds to
a Type-Length-Value (TLV) tuple encapsulated in the IEEE 802.16
"PKM configuration settings" attribute; for details on the
contents of each field, see [IEEE.802.16-2004]. An instance of
the PKM-Config-Settings Attribute MAY be included in the Access-
Accept message.
A summary of the PKM-Config-Settings Attribute format is shown below.
The fields are transmitted from left to right.
                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |      Len      |       Auth Wait Timeout
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         Auth Wait Timeout (cont.)      |      Reauth Wait Timeout
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Reauth Wait Timeout (cont.)     |        Auth Grace Time
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          Auth Grace Time (cont.)       |        Op Wait Timeout
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          Op Wait Timeout (cont.)       |      Rekey Wait Timeout
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         Rekey Wait Timeout (cont.)     |        TEK Grace Time
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           TEK Grace Time (cont.)       |     Auth Rej Wait Timeout
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       Auth Rej Wait Timeout (cont.)    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
<TBD3> for PKM-Config-Settings
Len
30
Auth Wait Timeout
The Auth Wait Timeout field is 4 octets in length and corresponds
to the "Authorize wait timeout" field of the 802.16 "PKM
configuration settings" attribute [IEEE.802.16-2004].
Reauth Wait Timeout
The Reauth Wait Timeout field is 4 octets in length and
corresponds to the "Reauthorize wait timeout" field of the 802.16
"PKM configuration settings" attribute [IEEE.802.16-2004].
Auth Grace Time
The Auth Grace Time field is 4 octets in length and corresponds to
the "Authorize grace time" field of the 802.16 "PKM configuration
settings" attribute [IEEE.802.16-2004].
Op Wait Timeout
The Op Wait Timeout field is 4 octets in length and corresponds to
the "Operational wait timeout" field of the 802.16 "PKM
configuration settings" attribute [IEEE.802.16-2004].
Rekey Wait Timeout
The Rekey Wait Timeout field is 4 octets in length and corresponds
to the "Rekey wait timeout" field of the 802.16 "PKM configuration
settings" attribute [IEEE.802.16-2004].
TEK Grace Time
The TEK Grace Time field is 4 octets in length and corresponds to
the "TEK grace time" field of the 802.16 "PKM configuration
settings" attribute [IEEE.802.16-2004].
Auth Rej Wait Timeout
The Auth Rej Wait Timeout field is 4 octets in length and
corresponds to the "Authorize reject wait timeout" field of the
802.16 "PKM configuration settings" attribute [IEEE.802.16-2004].
3.4. PKM-Cryptosuite-List
Description
The PKM-Cryptosuite-List Attribute is variable length and
corresponds roughly to the "Cryptographic-Suite-List" 802.16
attribute [IEEE.802.16-2004], the difference being that the RADIUS
Attribute contains only the 3 octet cryptographic suite
identifiers, omitting the IEEE Type and Length fields.
The PKM-Cryptosuite-List Attribute MAY be present in an Access-
Request message.
Implementation Note
The PKM-Cryptosuite-List Attribute is used as a building block
to create the 802.16 "Security-Capabilities" attribute; since
this document only pertains to PKM version 1, the "Version"
sub-attribute in that structure MUST be set to 0x01 when the
RADIUS client constructs it.
A summary of the PKM-Cryptosuite-List Attribute format is shown
below. The fields are transmitted from left to right.
                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |      Len      |    Value...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
<TBD4> for PKM-Cryptosuite-List
Len
>= 5
Value
The Value field is variable length and contains a sequence of one
or more cryptosuite identifiers, each of which is 3 octets in
length and corresponds to the Value field of an IEEE 802.16
Cryptographic-Suite attribute.
3.5. PKM-SAID
Description
The PKM-SAID Attribute is 4 octets in length and contains a PKM
Security Association Identifier [IEEE.802.16-2004]. It MAY be
included in an Access-Request message.
A summary of the PKM-SAID Attribute format is shown below. The
fields are transmitted from left to right.
                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |      Len      |             SAID              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
<TBD5> for PKM-SAID
Len
4
SAID
The SAID field is two octets in length and corresponds to the
Value field of the 802.16 PKM SAID attribute.
3.6. PKM-SA-Descriptor
Description
The PKM-SA-Descriptor Attribute is 8 octets in length. It
consists of 3 fields, described below, which together specify the
characteristics of a PKM security association. One or more
instances of the PKM-SA-Descriptor Attribute MAY occur in an
Access-Accept message.
A summary of the PKM-SA-Descriptor Attribute format is shown below.
The fields are transmitted from left to right.
                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |      Len      |             SAID              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    SA Type    |                  Cryptosuite                  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
<TBD6> for PKM-SA-Descriptor
Len
8
SAID
The SAID field is two octets in length and contains a PKM SAID
(see Section 3.5).
SA Type
The SA Type field is one octet in length. The contents
correspond to those of the Value field of an IEEE 802.16 SA-Type
attribute.
Cryptosuite
The Cryptosuite field is 3 octets in length. The contents
correspond to those of the Value field of an IEEE 802.16
Cryptographic-Suite attribute.
3.7. PKM-AUTH-Key
Description
The PKM-AUTH-Key Attribute is 135 octets in length. It consists
of 3 fields, described below, which together specify the
characteristics of a PKM authorization key. The PKM-AUTH-Key
Attribute MAY occur in an Access-Accept message. Any packet that
contains an instance of the PKM-AUTH-Key Attribute MUST also
contain an instance of the Message-Authenticator Attribute
[RFC3579].
A summary of the PKM-AUTH-Key Attribute format is shown below. The
fields are transmitted from left to right.
                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |      Len      |           Lifetime
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          Lifetime (cont.)          |   Sequence    |     Key...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
<TBD7> for PKM-AUTH-Key
Len
135
Lifetime
The Lifetime field is 4 octets in length and represents the
lifetime of the authorization key.
Sequence
The Sequence field is one octet in length. The contents
correspond to those of the Value field of an IEEE 802.16
Key-Sequence attribute.
Key
The Key field is 128 octets in length. The contents correspond to
those of the Value field of an IEEE 802.16 AUTH-Key attribute.
The Key field MUST be encrypted under the public key from the
Subscriber Station certificate (Section 3.1) using RSA encryption
[PKCS.1.1998]; see [IEEE.802.16-2004] for further details. The
field therefore carries the RSA ciphertext rather than the
plaintext authorization key, and since an RSA ciphertext is the
size of the modulus, the fixed 128-octet length corresponds to a
1024-bit Subscriber Station public key.
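The attribute layouts of Sections 3.1 through 3.7 as a small encoder and decoder, added here as an example; it is not code from this draft or from any 802.16 implementation. It assumes placeholder type codes 240 to 246 for <TBD1> to <TBD7>, which the draft leaves unassigned, and it assumes that a DER certificate longer than 253 octets (the most one RADIUS attribute can carry, because Len is a single octet [RFC2865]) is split across consecutive PKM-SS-Cert or PKM-CA-Cert attributes in order; the draft does not specify this. The length checks are the ones a receiver needs: each fixed-length attribute is rejected unless its Len matches the value given in its section, and a PKM-Cryptosuite-List whose Value is not a multiple of 3 octets is rejected.

```python
"""Codec for the PKM attributes of Sections 3.1-3.7 (added example, not code
from the draft).  Type codes are <TBD1>..<TBD7> in the draft, so the numbers
below are placeholders, and the certificate chunking is an assumption: the
draft does not say how a DER certificate longer than 253 octets is carried."""
import struct

# Placeholders for <TBD1>..<TBD7> (assumption).
(PKM_SS_CERT, PKM_CA_CERT, PKM_CONFIG_SETTINGS, PKM_CRYPTOSUITE_LIST,
 PKM_SAID, PKM_SA_DESCRIPTOR, PKM_AUTH_KEY) = range(240, 247)
MAX_VALUE = 253  # RFC 2865: Len is one octet and counts Type+Len, so Value <= 253
CONFIG_FIELDS = ("auth_wait_timeout", "reauth_wait_timeout", "auth_grace_time",
                 "op_wait_timeout", "rekey_wait_timeout", "tek_grace_time",
                 "auth_rej_wait_timeout")

def encode_attr(atype, value):
    """Type (1 octet) | Len (1 octet, counts Type+Len+Value) | Value."""
    if not 1 <= len(value) <= MAX_VALUE:
        raise ValueError("Value must be 1..253 octets, got %d" % len(value))
    return struct.pack("!BB", atype, 2 + len(value)) + value

def decode_attrs(data):
    """Walk an attribute list into (type, value) pairs; a Len below 2 or past
    the end of the buffer is rejected rather than silently truncated."""
    out, i = [], 0
    while i < len(data):
        alen = data[i + 1] if i + 1 < len(data) else 0
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute Len at offset %d" % i)
        out.append((data[i], data[i + 2:i + alen]))
        i += alen
    return out

def encode_cert(atype, der):
    """PKM-SS-Cert / PKM-CA-Cert: one attribute per 253-octet chunk of the DER
    blob, in order (assumption, see the module docstring)."""
    return b"".join(encode_attr(atype, der[i:i + MAX_VALUE])
                    for i in range(0, len(der), MAX_VALUE))

def decode_cert(attrs, atype):
    """Reassemble what encode_cert produced (same assumption)."""
    return b"".join(v for t, v in attrs if t == atype)

def encode_config_settings(timers):
    """Section 3.3: seven 4-octet integers, so Len is always 30."""
    return encode_attr(PKM_CONFIG_SETTINGS,
                       struct.pack("!7I", *(timers[f] for f in CONFIG_FIELDS)))

def decode_config_settings(value):
    if len(value) != 28:
        raise ValueError("PKM-Config-Settings must have Len 30")
    return dict(zip(CONFIG_FIELDS, struct.unpack("!7I", value)))

def decode_cryptosuite_list(value):
    """Section 3.4: one or more 3-octet suite identifiers, so Len >= 5."""
    if not value or len(value) % 3:
        raise ValueError("PKM-Cryptosuite-List Value must be a multiple of 3 octets")
    return [value[i:i + 3] for i in range(0, len(value), 3)]

def decode_said(value):
    """Section 3.5: a 2-octet SAID, Len == 4."""
    if len(value) != 2:
        raise ValueError("PKM-SAID must have Len 4")
    return struct.unpack("!H", value)[0]

def decode_sa_descriptor(value):
    """Section 3.6: SAID (2) | SA Type (1) | Cryptosuite (3), Len == 8."""
    if len(value) != 6:
        raise ValueError("PKM-SA-Descriptor must have Len 8")
    said, sa_type = struct.unpack("!HB", value[:3])
    return {"said": said, "sa_type": sa_type, "cryptosuite": value[3:]}

def encode_auth_key(lifetime, sequence, encrypted_ak):
    """Section 3.7: Lifetime (4) | Sequence (1) | Key (128), Len == 135.  Key is
    the RSA ciphertext of the AK under the SS public key; only its size is
    checked here, the RSA step itself is outside this codec."""
    if len(encrypted_ak) != 128:
        raise ValueError("Key field must be exactly 128 octets")
    return encode_attr(PKM_AUTH_KEY, struct.pack("!IB", lifetime, sequence) + encrypted_ak)

def decode_auth_key(value):
    if len(value) != 133:
        raise ValueError("PKM-AUTH-Key must have Len 135")
    lifetime, sequence = struct.unpack("!IB", value[:5])
    return {"lifetime": lifetime, "sequence": sequence, "key": value[5:]}

def decode_pkm_attrs(data):
    """Decode every PKM attribute in an attribute list; other types are skipped,
    malformed PKM attributes raise ValueError."""
    single = {PKM_CONFIG_SETTINGS: decode_config_settings, PKM_SAID: decode_said,
              PKM_CRYPTOSUITE_LIST: decode_cryptosuite_list, PKM_AUTH_KEY: decode_auth_key}
    attrs = decode_attrs(data)
    out = {t: single[t](v) for t, v in attrs if t in single}
    out["sa_descriptors"] = [decode_sa_descriptor(v) for t, v in attrs if t == PKM_SA_DESCRIPTOR]
    for ct in (PKM_SS_CERT, PKM_CA_CERT):
        if any(t == ct for t, _ in attrs):
            out[ct] = decode_cert(attrs, ct)
    return out
```

The Key field of PKM-AUTH-Key is handled as an opaque 128-octet string; producing it (RSA encryption of the AK under the Subscriber Station public key) is outside the codec, and a real receiver would additionally check that the Subscriber Station certificate carries a key whose ciphertext size matches.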
4. Diameter Considerations
Since the Attributes defined in this document are allocated from the
standard RADIUS type space (see Section 5), no special handling is
required by Diameter entities.
5. IANA Considerations
This section explains the criteria to be used by the IANA for
assignment of numbers within namespaces used within this document.
5.1. Attributes
Upon publication of this document as an RFC, IANA must assign numbers
to the following Attributes:
<TBD1> PKM-SS-Cert
<TBD2> PKM-CA-Cert
<TBD3> PKM-Config-Settings
<TBD4> PKM-Cryptosuite-List
<TBD5> PKM-SAID
<TBD6> PKM-SA-Descriptor
<TBD7> PKM-AUTH-Key
The Attribute numbers are to be allocated from the standard RADIUS
Attribute type space according to the "IETF Review" policy [RFC5226].
6. Security Considerations
If the Access-Accept message is not subject to strong integrity
protection, an attacker may be able to modify the contents of the
PKM-AUTH-Key Attribute. For example, the Key field could be replaced
with a key known to the attacker: the field is RSA-encrypted under
the public key from the Subscriber Station certificate (Section 3.7),
and that key is public, so encryption of the field gives no
protection against substitution. Integrity of the Access-Accept,
not confidentiality of the Attribute, is therefore what matters; the
Message-Authenticator Attribute [RFC3579] provides it, and a RADIUS
client should not use a PKM-AUTH-Key received in a packet in which
the Message-Authenticator Attribute is absent or fails verification.
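The integrity check this section relies on, as an added example that is not code from the draft: a RADIUS server builds an Access-Accept carrying PKM-AUTH-Key, adds the Message-Authenticator Attribute [RFC3579] and the Response Authenticator [RFC2865], and a RADIUS client verifies both, refusing a PKM-AUTH-Key that arrives without a valid Message-Authenticator. The shared secret and Request Authenticator used in the test are constructed values, the type code 246 stands in for the draft's <TBD7>, and the 128-octet Key is a dummy string rather than real RSA output. swap_auth_key models the attack described above, an on-path attacker overwriting the Key field without knowing the shared secret, and the client's verification fails on the result.

```python
"""Message-Authenticator protection for an Access-Accept that carries
PKM-AUTH-Key (added example, not code from the draft).  RFC 3579: the
Message-Authenticator is HMAC-MD5 keyed with the shared secret over
Code | Identifier | Length | Request Authenticator | Attributes, computed with
its own Value set to 16 zero octets.  RFC 2865: the Response Authenticator is
MD5 over the same fields followed by the secret, computed afterwards.
The type code 246 stands in for the draft's <TBD7> (assumption)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
MESSAGE_AUTHENTICATOR = 80   # RFC 3579
PKM_AUTH_KEY = 246           # placeholder for <TBD7> (assumption)

def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def find_attr(attrs, atype):
    """Offset of the first attribute of the given type, or None; raises on a bad Len."""
    i = 0
    while i < len(attrs):
        alen = attrs[i + 1] if i + 1 < len(attrs) else 0
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute Len at offset %d" % i)
        if attrs[i] == atype:
            return i
        i += alen
    return None

def build_access_accept(secret, ident, request_auth, attrs, with_ma=True):
    """Server side.  with_ma=False models a server that ignores the draft's
    requirement, leaving the packet protected by the Response Authenticator only."""
    if with_ma:
        zeroed = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
        header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(zeroed))
        mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
        attrs = attrs + attr(MESSAGE_AUTHENTICATOR, mac)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_access_accept(secret, request_auth, packet):
    """Client side: accept only if the Response Authenticator is right and, when
    PKM-AUTH-Key is present, a valid Message-Authenticator is present too."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    if not hmac.compare_digest(resp_auth, hashlib.md5(header + request_auth + attrs + secret).digest()):
        return False
    try:
        ma, ak = find_attr(attrs, MESSAGE_AUTHENTICATOR), find_attr(attrs, PKM_AUTH_KEY)
    except ValueError:
        return False
    if ma is None:
        return ak is None   # PKM-AUTH-Key without Message-Authenticator: reject
    if attrs[ma + 1] != 18:
        return False
    zeroed = attrs[:ma + 2] + bytes(16) + attrs[ma + 18:]
    expected = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(attrs[ma + 2:ma + 18], expected)

def swap_auth_key(packet, new_ciphertext):
    """What an on-path attacker would try: overwrite the 128-octet Key field of
    PKM-AUTH-Key (Lifetime and Sequence precede it) without knowing the secret."""
    attrs = packet[20:]
    off = find_attr(attrs, PKM_AUTH_KEY)
    if off is None or attrs[off + 1] != 135 or len(new_ciphertext) != 128:
        raise ValueError("no well-formed PKM-AUTH-Key to replace")
    start = 20 + off + 2 + 5
    return packet[:start] + new_ciphertext + packet[start + 128:]
```

The client checks the Response Authenticator before the Message-Authenticator, so a packet with a swapped Key field already fails the first check; the second check is what enforces the draft's rule that a PKM-AUTH-Key never arrives without a Message-Authenticator, which the with_ma=False case exercises.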
7. Contributors
Dong-ho Yu and Jay-yung Heo contributed greatly to the creation of
this document, both technically and through inspiration.
8. References
8.1. Normative References
[IEEE.802.16-2004]
IEEE, "IEEE Standard for Local and Metropolitan Area Networks -
Part 16: Air Interface for Fixed Broadband Wireless Access
Systems", IEEE Std 802.16-2004, 2004,
<http://standards.ieee.org/getieee802/download/802.16-2004.pdf>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000.
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
Dial In User Service) Support For Extensible
Authentication Protocol (EAP)", RFC 3579, September 2003.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
8.2. Informative References
[PKCS.1.1998]
Kaliski, B. and J. Staddon, "PKCS #1: RSA Cryptography
Standard, Version 2.0", RSA Laboratories, October 1998,
<ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc>.
[RFC2459] Housley, R., Ford, W., Polk, T., and D. Solo, "Internet
X.509 Public Key Infrastructure Certificate and CRL
Profile", RFC 2459, January 1999.
Author's Address
Glen Zorn
NetCube Technologies
1310 East Thomas Street
#306
Seattle, Washington 98102
USA
Phone: +1 (206) 377-9035
Email: gwz@netcube.com
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).