Network Working Group                                         D. Stanley
Request for Comments: 4017                                 Agere Systems
Category: Informational                                        J. Walker
                                                       Intel Corporation
                                                                B. Aboba
                                                   Microsoft Corporation
                                                              March 2005
        
Network Working Group                                         D. Stanley
Request for Comments: 4017                                 Agere Systems
Category: Informational                                        J. Walker
                                                       Intel Corporation
                                                                B. Aboba
                                                   Microsoft Corporation
                                                              March 2005
        

Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs

无线局域网的可扩展认证协议(EAP)方法要求

Status of this Memo

本备忘录的状况

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2005).

版权所有(C)互联网协会(2005年)。

Abstract

摘要

The IEEE 802.11i MAC Security Enhancements Amendment makes use of IEEE 802.1X, which in turn relies on the Extensible Authentication Protocol (EAP). This document defines requirements for EAP methods used in IEEE 802.11 wireless LAN deployments. The material in this document has been approved by IEEE 802.11 and is being presented as an IETF RFC for informational purposes.

IEEE 802.11i MAC安全增强修正案使用了IEEE 802.1X,而IEEE 802.1X又依赖于可扩展认证协议(EAP)。本文档定义了IEEE 802.11无线LAN部署中使用的EAP方法的要求。本文件中的材料已获得IEEE 802.11的批准,现作为IETF RFC提交,以供参考。

Table of Contents

目录

   1.  Introduction .................................................  2
       1.1.  Requirements Specification .............................  2
       1.2.  Terminology ............................................  2
   2.  Method Requirements ..........................................  3
       2.1.  Credential Types .......................................  3
       2.2.  Mandatory Requirements .................................  4
       2.3.  Recommended Requirements ...............................  5
       2.4.  Optional Features ......................................  5
       2.5.  Non-compliant EAP Authentication Methods ...............  5
   3.  Security Considerations ......................................  6
   4.  References ...................................................  8
   Acknowledgments ..................................................  9
   Authors' Addresses ............................................... 10
   Full Copyright Statement ......................................... 11
        
   1.  Introduction .................................................  2
       1.1.  Requirements Specification .............................  2
       1.2.  Terminology ............................................  2
   2.  Method Requirements ..........................................  3
       2.1.  Credential Types .......................................  3
       2.2.  Mandatory Requirements .................................  4
       2.3.  Recommended Requirements ...............................  5
       2.4.  Optional Features ......................................  5
       2.5.  Non-compliant EAP Authentication Methods ...............  5
   3.  Security Considerations ......................................  6
   4.  References ...................................................  8
   Acknowledgments ..................................................  9
   Authors' Addresses ............................................... 10
   Full Copyright Statement ......................................... 11
        
1. Introduction
1. 介绍

The IEEE 802.11i MAC Security Enhancements Amendment [IEEE802.11i] makes use of IEEE 802.1X [IEEE802.1X], which in turn relies on the Extensible Authentication Protocol (EAP), defined in [RFC3748].

IEEE 802.11i MAC安全增强修正案[IEEE802.11i]使用了IEEE 802.1X[IEEE802.1X],而IEEE 802.1X[IEEE802.1X]又依赖于[RFC3748]中定义的可扩展认证协议(EAP)。

Today, deployments of IEEE 802.11 wireless LANs are based on EAP and use several EAP methods, including EAP-TLS [RFC2716], EAP-TTLS [TTLS], PEAP [PEAP], and EAP-SIM [EAPSIM]. These methods support authentication credentials that include digital certificates, user-names and passwords, secure tokens, and SIM secrets.

今天,IEEE 802.11无线局域网的部署基于EAP并使用几种EAP方法,包括EAP-TLS[RFC2716]、EAP-TTLS[TTLS]、PEAP[PEAP]和EAP-SIM[EAPSIM]。这些方法支持身份验证凭据,其中包括数字证书、用户名和密码、安全令牌和SIM机密。

This document defines requirements for EAP methods used in IEEE 802.11 wireless LAN deployments. EAP methods claiming conformance to the IEEE 802.11 EAP method requirements for wireless LANs must complete IETF last call review.

本文档定义了IEEE 802.11无线LAN部署中使用的EAP方法的要求。声称符合IEEE 802.11无线局域网EAP方法要求的EAP方法必须完成IETF上次呼叫审查。

1.1. Requirements Specification
1.1. 需求规范

In this document, several words are used to signify the requirements of the specification. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

在本文件中,使用了几个词来表示规范的要求。本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。

An EAP authentication method is not compliant with this specification if it fails to satisfy one or more of the MUST or MUST NOT requirements. An EAP authentication method that satisfies all the MUST, MUST NOT, SHOULD, and SHOULD NOT requirements is said to be "unconditionally compliant"; one that satisfies all the MUST and MUST NOT requirements but not all the SHOULD or SHOULD NOT requirements is said to be "conditionally compliant".

如果EAP身份验证方法不能满足一个或多个必须或不得要求,则该方法不符合本规范。满足所有必须、不得、应和不应要求的EAP认证方法称为“无条件兼容”;满足所有“必须”和“不得”要求,但并非所有“应该”或“不应该”要求的人被称为“有条件遵从”。

1.2. Terminology
1.2. 术语

authenticator The end of the link initiating EAP authentication. The term authenticator is used in [IEEE802.1X], and authenticator has the same meaning in this document.

authenticator发起EAP身份验证的链接的末尾。[IEEE802.1X]中使用了术语authenticator,并且authenticator在本文档中具有相同的含义。

peer The end of the link that responds to the authenticator. In [IEEE802.1X], this end is known as the supplicant.

对等响应身份验证器的链接的末端。在[IEEE802.1X]中,这一端被称为请求者。

Supplicant The end of the link that responds to the authenticator in [IEEE802.1X].

在[IEEE802.1X]中响应身份验证器的链路端。

backend authentication server A backend authentication server is an entity that provides an authentication service to an authenticator. When used, this server typically executes EAP methods for the authenticator. This terminology is also used in [IEEE802.1X].

后端身份验证服务器后端身份验证服务器是向身份验证者提供身份验证服务的实体。使用时,此服务器通常为身份验证程序执行EAP方法。[IEEE802.1X]中也使用了该术语。

EAP server The entity that terminates the EAP authentication method with the peer. In the case where no backend authentication server is used, the EAP server is part of the authenticator. In the case where the authenticator operates in pass-through mode, the EAP server is located on the backend authentication server.

EAP服务器与对等方终止EAP身份验证方法的实体。在不使用后端身份验证服务器的情况下,EAP服务器是身份验证程序的一部分。在认证器以直通模式操作的情况下,EAP服务器位于后端认证服务器上。

Master Session Key (MSK) Keying material that is derived between the EAP peer and server and exported by the EAP method. The MSK is at least 64 octets in length. In existing implementations, an AAA server acting as an EAP server transports the MSK to the authenticator.

主会话密钥(MSK)是在EAP对等方和服务器之间派生并通过EAP方法导出的密钥材料。MSK的长度至少为64个八位字节。在现有的实现中,充当EAP服务器的AAA服务器将MSK传输到验证器。

Extended Master Session Key (EMSK) Additional keying material derived between the EAP client and server that is exported by the EAP method. The EMSK is at least 64 octets in length. The EMSK is not shared with the authenticator or any other third party. The EMSK is reserved for future uses that are not yet defined.

扩展主会话密钥(EMSK):由EAP方法导出的EAP客户端和服务器之间派生的附加密钥材料。EMSK的长度至少为64个八位字节。EMSK不与认证者或任何其他第三方共享。EMSK保留用于尚未定义的未来用途。

4-Way Handshake A pairwise Authentication and Key Management Protocol (AKMP) defined in [IEEE802.11i], which confirms mutual possession of a Pairwise Master Key by two parties and distributes a Group Key.

4路握手[IEEE802.11i]中定义的成对认证和密钥管理协议(AKMP),用于确认双方相互拥有成对主密钥,并分发组密钥。

2. Method Requirements
2. 方法要求
2.1. Credential Types
2.1. 凭证类型

The IEEE 802.11i MAC Security Enhancements Amendment requires that EAP authentication methods be available. Wireless LAN deployments are expected to use different credential types, including digital certificates, user-names and passwords, existing secure tokens, and mobile network credentials (GSM and UMTS secrets). Other credential types that may be used include public/private key (without necessarily requiring certificates) and asymmetric credential support (such as password on one side, public/private key on the other).

IEEE 802.11i MAC安全增强修正案要求EAP认证方法可用。无线LAN部署预计将使用不同的凭据类型,包括数字证书、用户名和密码、现有安全令牌和移动网络凭据(GSM和UMTS机密)。可使用的其他凭证类型包括公钥/私钥(不一定需要证书)和非对称凭证支持(例如一侧的密码,另一侧的公钥/私钥)。

2.2. Mandatory Requirements
2.2. 强制性要求

EAP authentication methods suitable for use in wireless LAN authentication MUST satisfy the following criteria:

适用于无线LAN认证的EAP认证方法必须满足以下标准:

[1] Generation of symmetric keying material. This corresponds to the "Key derivation" security claim defined in [RFC3748], Section 7.2.1.

[1] 对称键控材质的生成。这与[RFC3748]第7.2.1节中定义的“密钥派生”安全声明相对应。

[2] Key strength. An EAP method suitable for use with IEEE 802.11 MUST be capable of generating keying material with 128-bits of effective key strength, as defined in [RFC3748], Section 7.2.1. As noted in [RFC3748], Section 7.10, an EAP method supporting key derivation MUST export a Master Session Key (MSK) of at least 64 octets, and an Extended Master Session Key (EMSK) of at least 64 octets.

[2] 关键力量。适用于IEEE 802.11的EAP方法必须能够生成具有128位有效密钥强度的密钥材料,如[RFC3748]第7.2.1节所定义。如[RFC3748]第7.10节所述,支持密钥派生的EAP方法必须导出至少64个八位字节的主会话密钥(MSK)和至少64个八位字节的扩展主会话密钥(EMSK)。

[3] Mutual authentication support. This corresponds to the "Mutual authentication" security claim defined in [RFC3748], Section 7.2.1.

[3] 相互认证支持。这与[RFC3748]第7.2.1节中定义的“相互认证”安全声明相对应。

[4] Shared state equivalence. The shared EAP method state of the EAP peer and server must be equivalent when the EAP method is successfully completed on both sides. This includes the internal state of the authentication protocol but not the state external to the EAP method, such as the negotiation occurring prior to initiation of the EAP method. The exact state attributes that are shared may vary from method to method, but typically include the method version number, the credentials presented and accepted by both parties, the cryptographic keys shared, and the EAP method specific attributes negotiated, such as ciphersuites and limitations of usage on all protocol state. Both parties must be able to distinguish this instance of the protocol from all other instances of the protocol, and they must share the same view regarding which state attributes are public and which are private to the two parties alone. The server must obtain the authenticated peer name, and the peer must obtain the authenticated server name (if the authenticated server name is available).

[4] 共享状态等价。当EAP方法在双方成功完成时,EAP对等方和服务器的共享EAP方法状态必须相等。这包括认证协议的内部状态,但不包括EAP方法外部的状态,例如在EAP方法启动之前发生的协商。共享的确切状态属性可能因方法而异,但通常包括方法版本号、双方提供和接受的凭据、共享的加密密钥以及协商的EAP方法特定属性,例如密码套件和所有协议状态的使用限制。双方必须能够将本协议实例与本协议的所有其他实例区分开来,并且对于哪些状态属性是公共的,哪些是双方单独的私有属性,双方必须有相同的看法。服务器必须获得经过身份验证的对等方名称,对等方必须获得经过身份验证的服务器名称(如果经过身份验证的服务器名称可用)。

[5] Resistance to dictionary attacks. This corresponds to the "Dictionary attack resistance" security claim defined in [RFC3748], Section 7.2.1.

[5] 抵抗字典攻击。这与[RFC3748]第7.2.1节中定义的“字典攻击抵抗”安全声明相对应。

[6] Protection against man-in-the-middle attacks. This corresponds to the "Cryptographic binding", "Integrity protection", "Replay protection", and "Session independence" security claims defined in [RFC3748], Section 7.2.1.

[6] 防止中间人攻击。这与[RFC3748]第7.2.1节中定义的“加密绑定”、“完整性保护”、“重播保护”和“会话独立性”安全声明相对应。

[7] Protected ciphersuite negotiation. If the method negotiates the ciphersuite used to protect the EAP conversation, then it MUST support the "Protected ciphersuite negotiation" security claim defined in [RFC3748], Section 7.2.1.

[7] 受保护的密码套件协商。如果该方法协商用于保护EAP对话的密码套件,则它必须支持[RFC3748]第7.2.1节中定义的“受保护密码套件协商”安全声明。

2.3. Recommended Requirements
2.3. 建议要求

EAP authentication methods used for wireless LAN authentication SHOULD support the following features:

用于无线LAN身份验证的EAP身份验证方法应支持以下功能:

[8] Fragmentation. This implies support for the "Fragmentation" claim defined in [RFC3748], Section 7.2.1. [RFC3748], Section 3.1 states: "EAP methods can assume a minimum EAP MTU of 1020 octets, in the absence of other information. EAP methods SHOULD include support for fragmentation and reassembly if their payloads can be larger than this minimum EAP MTU."

[8] 碎片化。这意味着支持[RFC3748]第7.2.1节中定义的“碎片”索赔。[RFC3748]第3.1节规定:“在没有其他信息的情况下,EAP方法可以假定最小EAP MTU为1020个八位字节。如果有效载荷可以大于此最小EAP MTU,则EAP方法应包括对碎片和重组的支持。”

[9] End-user identity hiding. This corresponds to the "Confidentiality" security claim defined in [RFC3748], Section 7.2.1.

[9] 最终用户身份隐藏。这与[RFC3748]第7.2.1节中定义的“保密性”安全声明相对应。

2.4. Optional Features
2.4. 可选功能

EAP authentication methods used for wireless LAN authentication MAY support the following features:

用于无线LAN身份验证的EAP身份验证方法可能支持以下功能:

[10] Channel binding. This corresponds to the "Channel binding" security claim defined in [RFC3748], Section 7.2.1.

[10] 通道绑定。这与[RFC3748]第7.2.1节中定义的“通道绑定”安全声明相对应。

[11] Fast reconnect. This corresponds to the "Fast reconnect" security claim defined in [RFC3748], Section 7.2.1.

[11] 快速重新连接。这与[RFC3748]第7.2.1节中定义的“快速重新连接”安全声明相对应。

2.5. Non-compliant EAP Authentication Methods
2.5. 不兼容的EAP身份验证方法

EAP-MD5-Challenge (the current mandatory-to-implement EAP authentication method), is defined in [RFC3748], Section 5.4. As defined in [RFC3748], EAP-MD5-Challenge, One-Time Password (Section 5.5), and Generic Token Card (Section 5.6) are non-compliant with the requirements specified in this document. As noted in [RFC3748], these methods do not support any of the mandatory requirements defined in Section 2.2, including key derivation and mutual authentication. In addition, these methods do not support any of the recommended features defined in Section 2.3 or any of the optional features defined in Section 2.4.

[RFC3748]第5.4节定义了EAP-MD5-Challenge(当前强制实施EAP认证方法)。如[RFC3748]中所定义,EAP-MD5-Challenge、一次性密码(第5.5节)和通用令牌卡(第5.6节)不符合本文件规定的要求。如[RFC3748]所述,这些方法不支持第2.2节中定义的任何强制性要求,包括密钥推导和相互认证。此外,这些方法不支持第2.3节中定义的任何推荐功能或第2.4节中定义的任何可选功能。

3. Security Considerations
3. 安全考虑

Within [IEEE802.11i], EAP is used for both authentication and key exchange between the EAP peer and server. Given that wireless local area networks provide ready access to an attacker within range, EAP usage within [IEEE802.11i] is subject to the threats outlined in [RFC3748], Section 7.1. Security considerations relating to EAP are discussed in [RFC3748], Sections 7; where an authentication server is utilized, the security considerations described in [RFC3579], Section 4, will apply.

在[IEEE802.11i]中,EAP用于EAP对等方和服务器之间的身份验证和密钥交换。鉴于无线局域网可随时访问范围内的攻击者,因此[IEEE802.11i]中的EAP使用受到[RFC3748]第7.1节中概述的威胁。[RFC3748]第7节讨论了与EAP相关的安全注意事项;在使用认证服务器的情况下,[RFC3579]第4节中描述的安全注意事项将适用。

The system security properties required to address the threats described in [RFC3748], Section 7.1, are noted in [Housley56]. In the material below, the requirements articulated in [Housley56] are listed, along with the corresponding recommendations.

解决[RFC3748]第7.1节中所述威胁所需的系统安全属性见[Housley 56]。在以下材料中,列出了[Housley 56]中阐述的要求以及相应的建议。

Algorithm independence Requirement: "Wherever cryptographic algorithms are chosen, the algorithms must be negotiable, in order to provide resilience against compromise of a particular cryptographic algorithm."

算法独立性要求:“无论选择哪种加密算法,算法都必须是可协商的,以提供针对特定加密算法妥协的弹性。”

This issue is addressed by mandatory requirement [7] in Section 2.2. Algorithm independence is one of the EAP invariants described in [KEYFRAME].

第2.2节中的强制性要求[7]解决了该问题。算法独立性是[KEYFRAME]中描述的EAP不变量之一。

Strong, fresh session keys Requirement: "Session keys must be demonstrated to be strong and fresh in all circumstances, while at the same time retaining algorithm independence."

强、新会话密钥要求:“会话密钥必须在所有情况下都是强、新的,同时保持算法独立性。”

Key strength is addressed by mandatory requirement [2] in Section 2.2. Recommendations for ensuring the Freshness of keys derived by EAP methods are discussed in [RFC3748], Section 7.10.

第2.2节中的强制性要求[2]阐述了关键强度。[RFC3748]第7.10节讨论了确保EAP方法产生的密钥新鲜度的建议。

Replay protection Requirement: "All protocol exchanges must be replay protected."

重播保护要求:“必须对所有协议交换进行重播保护。”

This is addressed by mandatory requirement [6] in Section 2.2.

第2.2节中的强制性要求[6]解决了这一问题。

Authentication Requirements: "All parties need to be authenticated. The confidentiality of the authenticator must be maintained. No plaintext passwords are allowed."

身份验证要求:“所有各方都需要进行身份验证。必须维护身份验证人的机密性。不允许使用明文密码。”

Mutual authentication is required as part of mandatory requirement [3] in Section 2.2. Identity protection is a recommended capability, described in requirement [9] in Section 2.3. EAP does not support plaintext passwords, as noted in [RFC3748], Section 7.14.

相互认证是第2.2节强制性要求[3]的一部分。身份保护是一种推荐能力,如第2.3节要求[9]所述。EAP不支持明文密码,如[RFC3748]第7.14节所述。

Authorization Requirement: "EAP peer and authenticator authorization must be performed."

授权要求:“必须执行EAP对等方和身份验证方授权。”

Authorization issues are discussed in [RFC3748], Sections 1.2 and 7.16. Authentication, Authorization, and Accounting (AAA) protocols such as RADIUS [RFC2865][RFC3579] may be used to enable authorization of EAP peers by a central authority. AAA authorization issues are discussed in [RFC3579], Sections 2.6.3 and 4.3.7.

[RFC3748]第1.2和7.16节讨论了授权问题。诸如RADIUS[RFC2865][RFC3579]之类的认证、授权和记帐(AAA)协议可用于使中央机构能够对EAP对等点进行授权。[RFC3579]第2.6.3节和第4.3.7节讨论了AAA授权问题。

Session keys Requirement: "Confidentiality of session keys must be maintained."

会话密钥要求:“必须保持会话密钥的机密性。”

Issues relating to Key Derivation are described in [RFC3748], Section 7.10, as well as in [KEYFRAME].

[RFC3748]第7.10节以及[KEYFRAME]中描述了与密钥派生相关的问题。

Ciphersuite negotiation Requirement: "The selection of the "best" ciphersuite must be securely confirmed."

密码套件协商要求:“必须安全地确认“最佳”密码套件的选择。”

This is addressed in mandatory requirement [7] in Section 2.2.

第2.2节中的强制性要求[7]对此进行了说明。

Unique naming Requirement: "Session keys must be uniquely named."

唯一命名要求:“会话密钥必须唯一命名。”

Key naming issues are addressed in [KEYFRAME].

关键命名问题在[KEYFRAME]中解决。

Domino effect Requirement: "Compromise of a single authenticator cannot compromise any other part of the system, including session keys and long-term secrets."

Domino效应要求:“单个验证器的泄露不能泄露系统的任何其他部分,包括会话密钥和长期机密。”

This issue is addressed by mandatory requirement [6] in Section 2.2.

第2.2节中的强制性要求[6]解决了该问题。

Key binding Requirement: "The key must be bound to the appropriate context."

密钥绑定要求:“密钥必须绑定到适当的上下文。”

This issue is addressed in optional requirement [10] in Section 2.4. Channel binding is also discussed in Section 7.15 of [RFC3748] and Section 4.3.7 of [RFC3579].

该问题在第2.4节的可选要求[10]中进行了说明。[RFC3748]第7.15节和[RFC3579]第4.3.7节也讨论了通道绑定。

4. References
4. 工具书类
4.1. Normative References
4.1. 规范性引用文件

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

[RFC2865]Rigney,C.,Willens,S.,Rubens,A.,和W.Simpson,“远程认证拨入用户服务(RADIUS)”,RFC 28652000年6月。

[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)", RFC 3579, September 2003.

[RFC3579]Aboba,B.和P.Calhoun,“RADIUS(远程认证拨入用户服务)对可扩展认证协议(EAP)的支持”,RFC 3579,2003年9月。

[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004.

[RFC3748]Aboba,B.,Blunk,L.,Vollbrecht,J.,Carlson,J.,和H.Levkowetz,“可扩展身份验证协议(EAP)”,RFC 3748,2004年6月。

[802.11] Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific Requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE Std. 802.11- 2003, 2003.

[802.11]信息技术.系统间电信和信息交换.局域网和城域网.特殊要求.第11部分:无线局域网介质访问控制(MAC)和物理层(PHY)规范,IEEE标准802.11-2003,2003。

[IEEE802.1X] IEEE Standards for Local and Metropolitan Area Networks: Port based Network Access Control, IEEE Std 802.1X-2004, December 2004.

[IEEE802.1X]IEEE局域网和城域网标准:基于端口的网络访问控制,IEEE标准802.1X-2004,2004年12月。

[IEEE802.11i] Institute of Electrical and Electronics Engineers, "Supplement to Standard for Telecommunications and Information Exchange Between Systems - LAN/MAN Specific Requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications: Specification for Enhanced Security", IEEE 802.11i, July 2004.

[IEEE802.11i]电气和电子工程师协会,“系统间电信和信息交换标准的补充-局域网/城域网特定要求-第11部分:无线局域网介质访问控制(MAC)和物理层(PHY)规范:增强安全性规范”,IEEE 802.11i,2004年7月。

4.2. Informative References
4.2. 资料性引用

[Housley56] Housley, R., "Key Management in AAA", Presentation to the AAA WG at IETF 56, http://www.ietf.org/proceedings/03mar/slides/aaa-5/index.html, March 2003.

[Housley 56]Housley,R.,“AAA中的密钥管理”,在IETF 56上向AAA工作组的介绍,http://www.ietf.org/proceedings/03mar/slides/aaa-5/index.html,2003年3月。

[RFC2716] Aboba, B. and D. Simon, "PPP EAP TLS Authentication Protocol", RFC 2716, October 1999.

[RFC2716]Aboba,B.和D.Simon,“PPP EAP TLS认证协议”,RFC 2716,1999年10月。

[PEAP] Palekar, A., et al., "Protected EAP Protocol (PEAP)", Work in Progress, July 2004.

[PEAP]Palekar,A.,等人,“受保护的EAP协议(PEAP)”,正在进行的工作,2004年7月。

[TTLS] Funk, P. and S. Blake-Wilson, "EAP Tunneled TLS Authentication Protocol (EAP-TTLS)", Work in Progress, August 2004.

[TTLS]Funk,P.和S.Blake Wilson,“EAP隧道TLS认证协议(EAP-TTLS)”,正在进行的工作,2004年8月。

[EAPSIM] Haverinen, H. and J. Salowey, "EAP SIM Authentication", Work in Progress, April 2004.

[EAPSIM]Haverinen,H.和J.Salowey,“EAP SIM认证”,正在进行的工作,2004年4月。

[KEYFRAME] Aboba, B., et al., "EAP Key Management Framework", Work in Progress, July 2004.

[KEYFRAME]Aboba,B.等人,“EAP密钥管理框架”,正在进行的工作,2004年7月。

Acknowledgements

致谢

The authors would like to acknowledge contributions to this document from members of the IEEE 802.11i Task Group, including Russ Housley of Vigil Security, David Nelson of Enterasys Networks and Clint Chaplin of Symbol Technologies, as well as members of the EAP WG including Joe Salowey of Cisco Systems, Pasi Eronen of Nokia, Jari Arkko of Ericsson, and Florent Bersani of France Telecom.

作者要感谢IEEE 802.11i任务组成员对本文件的贡献,包括Vigil Security的Russ Housley、Enterasys Networks的David Nelson和Symbol Technologies的Clint Chaplin,以及EAP工作组成员,包括Cisco Systems的Joe Salowey、诺基亚的Pasi Eronen、,爱立信的贾里·阿尔科和法国电信的弗洛伦特·贝尔萨尼。

Authors' Addresses

作者地址

Dorothy Stanley Agere Systems 2000 North Naperville Rd. Naperville, IL 60566

Dorothy Stanley Agere Systems 2000伊利诺伊州纳珀维尔北路纳珀维尔,邮编60566

   Phone: +1 630 979 1572
   EMail: dstanley@agere.com
        
   Phone: +1 630 979 1572
   EMail: dstanley@agere.com
        

Jesse R. Walker Intel Corporation 2111 N.E. 25th Avenue Hillsboro, OR 97214

Jesse R.Walker英特尔公司2111 N.E.希尔斯伯勒第25大道,邮编:97214

   EMail: jesse.walker@intel.com
        
   EMail: jesse.walker@intel.com
        

Bernard Aboba Microsoft Corporation One Microsoft Way Redmond, WA 98052

伯纳德·阿博巴(Bernard Aboba)微软公司华盛顿州雷德蒙微软大道一号,邮编:98052

   Phone: +1 425 818 4011
   Fax:   +1 425 936 7329
   EMail: bernarda@microsoft.com
        
   Phone: +1 425 818 4011
   Fax:   +1 425 936 7329
   EMail: bernarda@microsoft.com
        

Full Copyright Statement

完整版权声明

Copyright (C) The Internet Society (2005).

版权所有(C)互联网协会(2005年)。

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Intellectual Property

知识产权

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。