EAP-GEE diagrams (rough cut)

EAP-GEE
Lakshminath Dondeti
[email protected]
Vidya Narayanan
[email protected]
EAP WG meeting, IETF-65, Dallas, Mar 2006
Requirements
• Access and service authentication may both use EAP via the same authenticator
• Need to differentiate EAP-based access and service authentication
  – L2 and L3 service providers may be different (e.g., MVNOs)
  – Allow parallel execution of the two EAP exchanges
  – No current means to distinguish the two EAP exchanges between a peer and authenticator without additional signaling
• An MSP may want to require Mobile IP-based service authentication instead of EAP-based service authentication
Network Model with Separate ANP and SNP
[Figure: network model showing the MN, the Authenticator, the access network provider (ANP) with its AAA-ANP server, and the service network provider (SNP) with its AAA-SNP server]
Proposing Generic EAP Encapsulation
• The GEE protocol runs between the peer and the authenticator
• We introduce a GEE layer between the EAP layer and the EAP lower layer
• The GEE header (16 bits) indicates to the peer and the authenticator
  – whether the authentication is for access (L2) or service (L3)
  – whether the service is Mobile IP or not
GEE header format
[Figure: packet layout]
  EAP lower-layer hdr | GEE hdr | EAP Packet
  GEE hdr: Version (8 bits) | A | M | Reserved (6 bits)
We introduce a 16-bit GEE header between the EAP header and the lower-layer header. It contains
• An 8-bit Version field; Version = 0 for this version
• A 1-bit A flag:
  – If A == 1, the EAP exchange is for access authentication
  – If A == 0, the EAP exchange is for service authentication
• A 1-bit M flag:
  – Valid only on an EAP Failure packet
  – Ignored when A == 1
  – If A == 0, M == 1 indicates the peer MUST use MIP for service authentication
• A 6-bit Reserved field (unused, MBZ)
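As an added worked example (not from the slides or the I-D), a Python encoder and decoder for the 16-bit GEE header above. It assumes the bit order as drawn (Version, then A, M, Reserved, most significant bit first) and uses the EAP Failure Code value 4 from RFC 3748 to apply the M-flag rule; treating non-zero Reserved bits as malformed is this example's choice, since the slides only say MBZ.

```python
"""Encode/decode the 16-bit GEE header: Version (8) | A (1) | M (1) | Reserved (6)."""
import struct
from dataclasses import dataclass

GEE_VERSION = 0          # Version = 0 for this version of GEE
EAP_CODE_FAILURE = 4     # EAP Failure code (RFC 3748); first octet of an EAP packet


@dataclass(frozen=True)
class GeeHeader:
    version: int
    access: bool         # A flag: True -> access (L2) authentication
    mip_required: bool   # M flag: only meaningful on EAP Failure when A == 0


def encode_gee_header(access: bool, mip_required: bool = False) -> bytes:
    """Build the two-octet GEE header; Reserved bits are MBZ so always sent as zero."""
    flags = (int(access) << 7) | (int(mip_required) << 6)   # assumed bit positions
    return struct.pack("!BB", GEE_VERSION, flags)


def decode_gee_header(data: bytes) -> GeeHeader:
    """Parse the GEE header, rejecting unknown versions and non-zero Reserved bits."""
    if len(data) < 2:
        raise ValueError("GEE header needs 2 octets")
    version, flags = struct.unpack("!BB", data[:2])
    if version != GEE_VERSION:
        raise ValueError(f"unsupported GEE version {version}")
    if flags & 0x3F:     # Reserved (6 bits) must be zero (assumption: treat as malformed)
        raise ValueError("reserved bits must be zero")
    return GeeHeader(version, bool(flags & 0x80), bool(flags & 0x40))


def classify(gee: bytes, eap_packet: bytes) -> str:
    """Apply the slide's A/M rules to a GEE header and the EAP packet it encapsulates."""
    hdr = decode_gee_header(gee)
    if hdr.access:
        return "access"                      # M is ignored when A == 1
    if eap_packet[0] == EAP_CODE_FAILURE and hdr.mip_required:
        return "service-failure-use-mip"     # peer MUST use MIP for service auth
    return "service"                         # M only counts on an EAP Failure
```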
GEE multiplexing model
[Figure: protocol stacks at the EAP Peer and the EAP Authenticator. Each side stacks, top to bottom: Method1, Method2; Peer Layer (peer side) or Authenticator Layer (authenticator side); EAP Layer; GEE Layer; Lower Layer]
GEE pass-through multiplexing model
[Figure: three stacks. EAP Peer: Method1, Method2; Peer Layer; EAP Layer; GEE Layer; Lower Layer. Authenticator: EAP Layer; GEE Layer; Lower Layer towards the peer and AAA/IP towards the server. Authentication Server: Method1, Method2; Authenticator Layer; EAP Layer; AAA/IP]
Next steps
• This work is NOT within the EAP WG scope
• Plan is to seek input from the EAP WG
• Submit as an individual I-D to the IESG for review