Network Working Group J. Vollbrecht Request for Comments: 4137 Meetinghouse Data Communications Category: Informational P. Eronen Nokia N. Petroni University of Maryland Y. Ohba TARI August 2005
Network Working Group J. Vollbrecht Request for Comments: 4137 Meetinghouse Data Communications Category: Informational P. Eronen Nokia N. Petroni University of Maryland Y. Ohba TARI August 2005
State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator
可扩展身份验证协议(EAP)对等方和身份验证器的状态机
Status of This Memo
关于下段备忘
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2005).
版权所有(C)互联网协会(2005年)。
Abstract
摘要
This document describes a set of state machines for Extensible Authentication Protocol (EAP) peer, EAP stand-alone authenticator (non-pass-through), EAP backend authenticator (for use on Authentication, Authorization, and Accounting (AAA) servers), and EAP full authenticator (for both local and pass-through). This set of state machines shows how EAP can be implemented to support deployment in either a peer/authenticator or peer/authenticator/AAA Server environment. The peer and stand-alone authenticator machines are illustrative of how the EAP protocol defined in RFC 3748 may be implemented. The backend and full/pass-through authenticators illustrate how EAP/AAA protocol support defined in RFC 3579 may be implemented. Where there are differences, RFC 3748 and RFC 3579 are authoritative.
本文档描述了一组用于可扩展身份验证协议(EAP)对等方、EAP独立身份验证程序(非传递)、EAP后端身份验证程序(用于身份验证、授权和记帐(AAA)服务器)和EAP完全身份验证程序(用于本地和传递)的状态机。这组状态机显示了如何实现EAP以支持在对等/身份验证程序或对等/身份验证程序/AAA服务器环境中的部署。对等和独立验证器机器说明了如何实现RFC 3748中定义的EAP协议。后端和完全/通过认证器说明了如何实现RFC 3579中定义的EAP/AAA协议支持。如果存在差异,RFC 3748和RFC 3579具有权威性。
The state machines are based on the EAP "Switch" model. This model includes events and actions for the interaction between the EAP Switch and EAP methods. A brief description of the EAP "Switch" model is given in the Introduction section.
状态机基于EAP“开关”模型。此模型包括EAP交换机和EAP方法之间交互的事件和操作。导言部分简要介绍了EAP“交换机”模型。
The state machine and associated model are informative only. Implementations may achieve the same results using different methods.
状态机和相关模型仅供参考。实现可以使用不同的方法获得相同的结果。
Table of Contents
目录
1. Introduction: The EAP Switch Model ..............................3 2. Specification of Requirements ...................................4 3. Notational Conventions Used in State Diagrams ...................5 3.1. Notational Specifics .......................................5 3.2. State Machine Symbols ......................................7 3.3. Document Authority .........................................8 4. Peer State Machine ..............................................9 4.1. Interface between Peer State Machine and Lower Layer .......9 4.2. Interface between Peer State Machine and Methods ..........11 4.3. Peer State Machine Local Variables ........................13 4.4. Peer State Machine Procedures .............................14 4.5. Peer State Machine States .................................15 5. Stand-Alone Authenticator State Machine ........................17 5.1. Interface between Stand-Alone Authenticator State Machine and Lower Layer ...................................17 5.2. Interface between Stand-Alone Authenticator State Machine and Methods .......................................19 5.3. Stand-Alone Authenticator State Machine Local Variables ...21 5.4. EAP Stand-Alone Authenticator Procedures ..................22 5.5. EAP Stand-Alone Authenticator States ......................24 6. EAP Backend Authenticator ......................................26 6.1. Interface between Backend Authenticator State Machine and Lower Layer ...................................26 6.2. Interface between Backend Authenticator State Machine and Methods .......................................28 6.3. Backend Authenticator State Machine Local Variables .......28 6.4. EAP Backend Authenticator Procedures ......................28 6.5. EAP Backend Authenticator States ..........................29 7. EAP Full Authenticator .........................................29 7.1. Interface between Full Authenticator State Machine and Lower Layer ...........................................30 7.2. Interface between Full Authenticator State Machine and Methods ...............................................31 7.3. Full Authenticator State Machine Local Variables ..........32 7.4. EAP Full Authenticator Procedures .........................32 7.5. EAP Full Authenticator States .............................32 8. Implementation Considerations ..................................34 8.1. Robustness ................................................34 8.2. Method/Method and Method/Lower-Layer Interfaces ...........35 8.3. Peer State Machine Interoperability with Deployed Implementations ...........................................35 9. Security Considerations ........................................35 10. Acknowledgements ..............................................36 11. References ....................................................37 11.1. Normative References ....................................37 11.2. Informative References ..................................37
1. Introduction: The EAP Switch Model ..............................3 2. Specification of Requirements ...................................4 3. Notational Conventions Used in State Diagrams ...................5 3.1. Notational Specifics .......................................5 3.2. State Machine Symbols ......................................7 3.3. Document Authority .........................................8 4. Peer State Machine ..............................................9 4.1. Interface between Peer State Machine and Lower Layer .......9 4.2. Interface between Peer State Machine and Methods ..........11 4.3. Peer State Machine Local Variables ........................13 4.4. Peer State Machine Procedures .............................14 4.5. Peer State Machine States .................................15 5. Stand-Alone Authenticator State Machine ........................17 5.1. Interface between Stand-Alone Authenticator State Machine and Lower Layer ...................................17 5.2. Interface between Stand-Alone Authenticator State Machine and Methods .......................................19 5.3. Stand-Alone Authenticator State Machine Local Variables ...21 5.4. EAP Stand-Alone Authenticator Procedures ..................22 5.5. EAP Stand-Alone Authenticator States ......................24 6. EAP Backend Authenticator ......................................26 6.1. Interface between Backend Authenticator State Machine and Lower Layer ...................................26 6.2. Interface between Backend Authenticator State Machine and Methods .......................................28 6.3. Backend Authenticator State Machine Local Variables .......28 6.4. EAP Backend Authenticator Procedures ......................28 6.5. EAP Backend Authenticator States ..........................29 7. EAP Full Authenticator .........................................29 7.1. Interface between Full Authenticator State Machine and Lower Layer ...........................................30 7.2. Interface between Full Authenticator State Machine and Methods ...............................................31 7.3. Full Authenticator State Machine Local Variables ..........32 7.4. EAP Full Authenticator Procedures .........................32 7.5. EAP Full Authenticator States .............................32 8. Implementation Considerations ..................................34 8.1. Robustness ................................................34 8.2. Method/Method and Method/Lower-Layer Interfaces ...........35 8.3. Peer State Machine Interoperability with Deployed Implementations ...........................................35 9. Security Considerations ........................................35 10. Acknowledgements ..............................................36 11. References ....................................................37 11.1. Normative References ....................................37 11.2. Informative References ..................................37
Appendix. ASCII Versions of State Diagrams ........................38 A.1. EAP Peer State Machine (Figure 3) .......................38 A.2. EAP Stand-Alone Authenticator State Machine (Figure 4) ..41 A.3. EAP Backend Authenticator State Machine (Figure 5) ......44 A.4. EAP Full Authenticator State Machine (Figures 6 and 7) ..47
Appendix. ASCII Versions of State Diagrams ........................38 A.1. EAP Peer State Machine (Figure 3) .......................38 A.2. EAP Stand-Alone Authenticator State Machine (Figure 4) ..41 A.3. EAP Backend Authenticator State Machine (Figure 5) ......44 A.4. EAP Full Authenticator State Machine (Figures 6 and 7) ..47
This document offers a proposed state machine for RFCs [RFC3748] and [RFC3579]. There are state machines for the peer, the stand-alone authenticator, a backend authenticator, and a full/pass-through authenticator. Accompanying each state machine diagram is a description of the variables, the functions, and the states in the diagram. Whenever possible, the same notation has been used in each of the state machines.
本文档为RFC[RFC3748]和[RFC3579]提供了一个建议的状态机。有对等身份验证程序、独立身份验证程序、后端身份验证程序和完全/通过身份验证程序的状态机。每个状态机图都附有对图中变量、函数和状态的描述。只要可能,在每个状态机中都使用相同的符号。
An EAP authentication consists of one or more EAP methods in sequence followed by an EAP Success or EAP Failure sent from the authenticator to the peer. The EAP switches control negotiation of EAP methods and sequences of methods.
EAP身份验证由一个或多个EAP方法按顺序组成,然后从身份验证程序向对等方发送EAP成功或EAP失败。EAP交换机控制EAP方法和方法序列的协商。
Peer Peer | Authenticator Auth Method | Method \ | / \ | / Peer | Auth EAP <-----|----------> EAP Switch | Switch
Peer Peer | Authenticator Auth Method | Method \ | / \ | / Peer | Auth EAP <-----|----------> EAP Switch | Switch
Figure 1: EAP Switch Model
图1:EAP交换机模型
At both the peer and authenticator, one or more EAP methods exist. The EAP switches select which methods each is willing to use, and negotiate between themselves to pick a method or sequence of methods.
在对等方和身份验证方,都存在一个或多个EAP方法。EAP开关选择每个开关愿意使用的方法,并在它们之间协商选择一种方法或方法序列。
Note that the methods may also have state machines. The details of these are outside the scope of this paper.
请注意,这些方法也可能有状态机。这些细节超出了本文的范围。
Peer | Authenticator | Backend | / Local | | / Method | Peer | Auth | Backend EAP -|-----> EAP | --> EAP Switch | Switch | / Server | \ | / | \ pass-through | | |
Peer | Authenticator | Backend | / Local | | / Method | Peer | Auth | Backend EAP -|-----> EAP | --> EAP Switch | Switch | / Server | \ | / | \ pass-through | | |
Figure 2: EAP Pass-Through Model
图2:EAP传递模型
The Full/Pass-Through state machine allows an NAS or edge device to pass EAP Response messages to a backend server where the authentication method resides. This paper includes a state machine for the EAP authenticator that supports both local and pass-through methods as well as a state machine for the backend authenticator existing at the AAA server. A simple stand-alone authenticator is also provided to show a basic, non-pass-through authenticator's behavior.
完全/通过状态机允许NAS或边缘设备将EAP响应消息传递到身份验证方法所在的后端服务器。本文包括一个支持本地和传递方法的EAP身份验证程序的状态机,以及一个AAA服务器上存在的后端身份验证程序的状态机。还提供了一个简单的独立身份验证器,以显示基本的非传递身份验证器的行为。
This document describes a set of state machines that can manage EAP authentication from the peer to an EAP method on the authenticator or from the peer through the authenticator pass-through method to the EAP method on the backend EAP server.
本文档描述了一组状态机,这些状态机可以管理从对等方到验证器上的EAP方法的EAP身份验证,或者从对等方通过验证器传递方法到后端EAP服务器上的EAP方法的EAP身份验证。
Some environments where EAP is used, such as PPP, may support peer-to-peer operation. That is, both parties act as peers and authenticators at the same time, in two simultaneous and independent EAP conversations. In this case, the implementation at each node has to perform demultiplexing of incoming EAP packets. EAP packets with code set to Response are delivered to the authenticator state machine, and EAP packets with code set to Request, Success, or Failure are delivered to the peer state machine.
使用EAP的某些环境(如PPP)可能支持对等操作。也就是说,在两次同时且独立的EAP对话中,双方同时充当对等方和认证方。在这种情况下,每个节点上的实现必须执行传入EAP分组的解复用。代码设置为Response的EAP数据包被传递到authenticator状态机,代码设置为Request、Success或Failure的EAP数据包被传递到对等状态机。
The state diagrams presented in this document have been coordinated with the diagrams in [1X-2004]. The format of the diagrams is adapted from the format therein. The interface between the state machines defined here and the IEEE 802.1X-2004 state machines is also explained in Appendix F of [1X-2004].
本文件中给出的状态图与[1X-2004]中的状态图进行了协调。图表的格式根据其中的格式进行调整。此处定义的状态机与IEEE 802.1X-2004状态机之间的接口也在[1X-2004]的附录F中进行了说明。
In this document, several words are used to signify the requirements of the specification. These words are often capitalized. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in [RFC2119].
在本文件中,使用了几个词来表示规范的要求。这些词通常大写。关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
The following state diagrams have been completed based on the conventions specified in [1X-2004], section 8.2.1. The complete text is reproduced here:
以下状态图是根据[1X-2004]第8.2.1节规定的约定完成的。全文如下:
State diagrams are used to represent the operation of the protocol by a number of cooperating state machines, each comprising a group of connected, mutually exclusive states. Only one state of each machine can be active at any given time.
状态图用于表示多个协作状态机对协议的操作,每个状态机由一组相互连接的互斥状态组成。在任何给定时间,每台机器只能有一种状态处于活动状态。
Each state is represented in the state diagram as a rectangular box, divided into two parts by a horizontal line. The upper part contains the state identifier, written in uppercase letters. The lower part contains any procedures that are executed upon entry to the state.
每个状态在状态图中表示为一个矩形框,由一条水平线分为两部分。上半部分包含以大写字母书写的状态标识符。下半部分包含进入状态时执行的任何过程。
All permissible transitions between states are represented by arrows, the arrowhead denoting the direction of the possible transition. Labels attached to arrows denote the condition(s) that must be met in order for the transition to take place. All conditions are expressions that evaluate to TRUE or FALSE; if a condition evaluates to TRUE, then the condition is met. The label UCT denotes an unconditional transition (i.e., UCT always evaluates to TRUE). A transition that is global in nature (i.e., a transition that occurs from any of the possible states if the condition attached to the arrow is met) is denoted by an open arrow; i.e., no specific state is identified as the origin of the transition. When the condition associated with a global transition is met, it supersedes all other exit conditions including UCT. The special global condition BEGIN supersedes all other global conditions, and once asserted it remains asserted until all state blocks have executed to the point that variable assignments and other consequences of their execution remain unchanged.
状态之间所有允许的过渡都用箭头表示,箭头表示可能过渡的方向。附在箭头上的标签表示发生转换必须满足的条件。所有条件都是计算为真或假的表达式;如果条件的计算结果为TRUE,则满足该条件。标签UCT表示无条件转换(即UCT的计算结果始终为TRUE)。本质上是全局的转换(即,如果满足附在箭头上的条件,则从任何可能状态发生的转换)由开放箭头表示;i、 例如,没有特定的状态被确定为转换的起源。当满足与全局转换关联的条件时,它将取代所有其他退出条件,包括UCT。特殊全局条件BEGIN将取代所有其他全局条件,一旦断言,它将保持断言状态,直到所有状态块执行到变量赋值及其执行的其他结果保持不变为止。
On entry to a state, the procedures defined for the state (if any) are executed exactly once, in the order that they appear on the page. Each action is deemed to be atomic; i.e., execution of a procedure completes before the next sequential procedure starts to execute. No procedures execute outside a state block. The procedures in only one state block execute at a time, even if the conditions for execution of state blocks in different state machines are satisfied, and all procedures in an executing state block complete execution before the transition to and execution of any other state block occurs. That is, the execution of any state
在进入某个状态时,为该状态定义的过程(如果有)将按照它们在页面上出现的顺序执行一次。每一个动作都被认为是原子的;i、 例如,一个过程的执行在下一个顺序过程开始执行之前完成。没有过程在状态块之外执行。一次仅执行一个状态块中的过程,即使满足不同状态机中执行状态块的条件,并且执行状态块中的所有过程在转换到任何其他状态块并执行任何其他状态块之前完成执行。也就是说,任何国家的死刑
block appears to be atomic with respect to the execution of any other state block, and the transition condition to that state from the previous state is TRUE when execution commences. The order of execution of state blocks in different state machines is undefined except as constrained by their transition conditions. A variable that is set to a particular value in a state block retains this value until a subsequent state block executes a procedure that modifies the value.
就任何其他状态块的执行而言,块似乎是原子的,当执行开始时,从上一个状态到该状态的转换条件为TRUE。不同状态机中状态块的执行顺序未定义,除非受其转换条件的约束。在状态块中设置为特定值的变量将保留该值,直到后续状态块执行修改该值的过程。
On completion of all the procedures within a state, all exit conditions for the state (including all conditions associated with global transitions) are evaluated continuously until one of the conditions is met. The label ELSE denotes a transition that occurs if none of the other conditions for transitions from the state are met (i.e., ELSE evaluates to TRUE if all other possible exit conditions from the state evaluate to FALSE). Where two or more exit conditions with the same level of precedence become TRUE simultaneously, the choice as to which exit condition causes the state transition to take place is arbitrary.
完成一个状态内的所有过程后,将连续评估该状态的所有退出条件(包括与全局转换相关的所有条件),直到满足其中一个条件为止。标签ELSE表示在不满足状态转换的其他条件时发生的转换(即,如果状态的所有其他可能退出条件都计算为FALSE,则ELSE计算为TRUE)。如果具有相同优先级的两个或多个退出条件同时变为真,则选择哪个退出条件导致状态转换发生是任意的。
Where it is necessary to split a state machine description across more than one diagram, a transition between two states that appear on different diagrams is represented by an exit arrow drawn with dashed lines, plus a reference to the diagram that contains the destination state. Similarly, dashed arrows and a dashed state box are used on the destination diagram to show the transition to the destination state. In a state machine that has been split in this way, any global transitions that can cause entry to states defined in one of the diagrams are deemed potential exit conditions for all the states of the state machine, regardless of which diagram the state boxes appear in.
如果需要在多个图表中拆分状态机描述,则出现在不同图表上的两个状态之间的转换由一个用虚线绘制的退出箭头以及对包含目标状态的图表的引用表示。类似地,在目标关系图上使用虚线箭头和虚线状态框来显示到目标状态的转换。在以这种方式拆分的状态机中,任何可能导致进入其中一个图中定义的状态的全局转换都被视为状态机所有状态的潜在退出条件,而不管状态框出现在哪个图中。
Should a conflict exist between the interpretation of a state diagram and either the corresponding global transition tables or the textual description associated with the state machine, the state diagram takes precedence. The interpretation of the special symbols and operators used in the state diagrams is as defined in Section 3.2; these symbols and operators are derived from the notation of the C++ programming language, ISO/IEC 14882. If a boolean variable is described in this clause as being set, it has or is assigned the value TRUE; if it is described as being reset or clear, it has the value FALSE.
如果状态图的解释与相应的全局转换表或与状态机关联的文本描述之间存在冲突,则状态图优先。状态图中使用的特殊符号和运算符的解释如第3.2节所述;这些符号和运算符是从C++编程语言ISO/IEC 14882的符号中导出的。如果布尔变量在本条款中被描述为已设置,则该布尔变量的值为真;如果描述为重置或清除,则其值为FALSE。
In addition to the above notation, there are a couple of clarifications specific to this document. First, all boolean variables are initialized to FALSE before the state machine execution begins. Second, the following notational shorthand is specific to this document:
除上述注释外,本文件还有一些特定的澄清。首先,在状态机开始执行之前,所有布尔变量都初始化为FALSE。其次,以下符号速记是本文件特有的:
<variable> = <expression1> | <expression2> | ...
<variable> = <expression1> | <expression2> | ...
Execution of a statement of this form will result in <variable> having a value of exactly one of the expressions. The logic for which of those expressions gets executed is outside of the state machine and could be environmental, configurable, or based on another state machine, such as that of the method.
执行此形式的语句将导致<variable>的值正好是其中一个表达式的值。执行这些表达式的逻辑在状态机之外,可以是环境的、可配置的,或者基于另一个状态机,例如方法的状态机。
( )
( )
Used to force the precedence of operators in Boolean expressions and to delimit the argument(s) of actions within state boxes.
用于强制布尔表达式中运算符的优先级,并在状态框中分隔操作的参数。
;
;
Used as a terminating delimiter for actions within state boxes. If a state box contains multiple actions, the order of execution follows the normal English language conventions for reading text.
用作状态框内操作的终止分隔符。如果状态框包含多个操作,则执行顺序遵循阅读文本的正常英语约定。
=
=
Assignment action. The value of the expression to the right of the operator is assigned to the variable to the left of the operator. If this operator is used to define multiple assignments (e.g., a = b = X), the action causes the value of the expression following the right-most assignment operator to be assigned to all the variables that appear to the left of the right-most assignment operator.
分配行动。运算符右侧表达式的值将分配给运算符左侧的变量。如果此运算符用于定义多个赋值(例如,a=b=X),则该操作会将最右侧赋值运算符后面的表达式的值赋给最右侧赋值运算符左侧的所有变量。
!
!
Logical NOT operator.
逻辑NOT运算符。
&&
&&
Logical AND operator.
逻辑与运算符。
||
||
Logical OR operator.
逻辑OR运算符。
if...then...
如果……那么。。。
Conditional action. If the Boolean expression following the "if" evaluates to TRUE, then the action following the "then" is executed.
有条件的行动。如果“If”后面的布尔表达式的计算结果为TRUE,则执行“then”后面的操作。
{ statement 1, ... statement N }
{语句1,…语句N}
Compound statement. Braces are used to group statements that are executed together as if they were a single statement.
复合语句。大括号用于将一起执行的语句分组,就像它们是单个语句一样。
!=
!=
Inequality. Evaluates to TRUE if the expression to the left of the operator is not equal in value to the expression to the right.
不平等如果运算符左侧的表达式与右侧的表达式的值不相等,则计算结果为TRUE。
==
==
Equality. Evaluates to TRUE if the expression to the left of the operator is equal in value to the expression to the right.
平等如果运算符左侧的表达式与右侧的表达式的值相等,则计算结果为TRUE。
>
>
Greater than. Evaluates to TRUE if the value of the expression to the left of the operator is greater than the value of the expression to the right.
大于。如果运算符左侧表达式的值大于右侧表达式的值,则计算结果为TRUE。
<=
<=
Less than or equal to. Evaluates to TRUE if the value of the expression to the left of the operator is either less than or equal to the value of the expression to the right.
小于或等于。如果运算符左侧表达式的值小于或等于右侧表达式的值,则计算结果为TRUE。
++
++
Increment the preceding integer operator by 1.
将前面的整数运算符递增1。
+
+
Arithmetic addition operator.
算术加法运算符。
&
&
Bitwise AND operator.
按位AND运算符。
Should a conflict exist between the interpretation of a state diagram and either the corresponding global transition tables or the textual description associated with the state machine, the state diagram takes precedence. When a discrepancy occurs between any part of this document (text or diagram) and any of the related documents ([RFC3748], [RFC3579], etc.), the latter (the other document) is considered authoritative and takes precedence.
如果状态图的解释与相应的全局转换表或与状态机关联的文本描述之间存在冲突,则状态图优先。当本文件的任何部分(文本或图表)与任何相关文件([RFC3748]、[RFC3579]等)之间出现差异时,后者(其他文件)被视为权威文件,并优先考虑。
The following is a diagram of the EAP peer state machine. Also included is an explanation of the primitives and procedures referenced in the diagram, as well as a clarification of notation.
以下是EAP对等状态机的示意图。还包括对图中引用的原语和过程的解释,以及对符号的澄清。
(see the .pdf version for missing diagram or refer to Appendix A.1 if reading the .txt version)
(缺少图表,请参见.pdf版本;如果阅读.txt版本,请参阅附录A.1)
Figure 3: EAP Peer State Machine
图3:EAP对等状态机
The lower layer presents messages to the EAP peer state machine by storing the packet in eapReqData and setting the eapReq signal to TRUE. Note that despite the name of the signal, the lower layer does not actually inspect the contents of the EAP packet (it could be a Success or Failure message instead of a Request).
下层通过将数据包存储在eapReqData中并将eapReq信号设置为TRUE,向EAP对等状态机显示消息。请注意,尽管信号的名称不同,下层实际上并不检查EAP数据包的内容(它可能是成功或失败消息,而不是请求)。
When the EAP peer state machine has finished processing the message, it sets either eapResp or eapNoResp. If it sets eapResp, the corresponding response packet is stored in eapRespData. The lower layer is responsible for actually transmitting this message. When the EAP peer state machine authentication is complete, it will set eapSuccess or eapFailure to indicate to the lower layer that the authentication has succeeded or failed.
EAP对等状态机完成消息处理后,将设置eapResp或eapNoResp。如果设置了eapResp,则相应的响应数据包存储在eapResp数据中。下层负责实际传输此消息。当EAP对等状态机身份验证完成时,它将设置EAPSucture或eapFailure,以向下层指示身份验证已成功或失败。
eapReq (boolean)
eapReq(布尔值)
Set to TRUE in lower layer, FALSE in peer state machine. Indicates that a request is available in the lower layer.
在较低层中设置为TRUE,在对等状态机中设置为FALSE。指示请求在较低层中可用。
eapReqData (EAP packet)
eapReqData(EAP数据包)
Set in lower layer when eapReq is set to TRUE. The contents of the available request.
当eapReq设置为TRUE时,在下层设置。可用请求的内容。
portEnabled (boolean)
可移植(布尔)
Indicates that the EAP peer state machine should be ready for communication. This is set to TRUE when the EAP conversation is started by the lower layer. If at any point the communication port or session is not available, portEnabled is set to FALSE, and the state machine transitions to DISABLED. To avoid unnecessary resets, the lower layer may dampen link down indications when it believes that the link is only temporarily down and that it will
指示EAP对等状态机应准备好进行通信。当较低层启动EAP对话时,此设置为TRUE。如果在任何时候通信端口或会话不可用,portEnabled设置为FALSE,状态机转换为DISABLED。为了避免不必要的重置,当下层认为链路只是暂时断开并且将断开时,它可能会抑制链路断开指示
soon be back up (see [RFC3748], Section 7.12). In this case, portEnabled may not always be equal to the "link up" flag of the lower layer.
很快就会恢复(见[RFC3748],第7.12节)。在这种情况下,Portabled可能并不总是等于较低层的“链接”标志。
idleWhile (integer)
idleWhile(整数)
Outside timer used to indicate how much time remains before the peer will time out while waiting for a valid request.
外部计时器,用于指示在等待有效请求时,在对等方超时之前还有多少时间。
eapRestart (boolean)
EAP重新启动(布尔值)
Indicates that the lower layer would like to restart authentication.
指示较低层要重新启动身份验证。
altAccept (boolean)
altAccept(布尔值)
Alternate indication of success, as described in [RFC3748].
成功的替代指示,如[RFC3748]所述。
altReject (boolean)
altReject(布尔值)
Alternate indication of failure, as described in [RFC3748].
故障的替代指示,如[RFC3748]所述。
eapResp (boolean)
eapResp(布尔值)
Set to TRUE in peer state machine, FALSE in lower layer. Indicates that a response is to be sent.
在对等状态机中设置为TRUE,在较低层中设置为FALSE。指示要发送的响应。
eapNoResp (boolean)
eapNoResp(布尔值)
Set to TRUE in peer state machine, FALSE in lower layer. Indicates that the request has been processed, but that there is no response to send.
在对等状态机中设置为TRUE,在较低层中设置为FALSE。指示已处理请求,但没有要发送的响应。
eapSuccess (boolean)
EAPSCCESS(布尔值)
Set to TRUE in peer state machine, FALSE in lower layer. Indicates that the peer has reached the SUCCESS state.
在对等状态机中设置为TRUE,在较低层中设置为FALSE。指示对等方已达到成功状态。
eapFail (boolean)
eapFail(布尔值)
Set to TRUE in peer state machine, FALSE in lower layer. Indicates that the peer has reached the FAILURE state.
在对等状态机中设置为TRUE,在较低层中设置为FALSE。指示对等方已达到故障状态。
eapRespData (EAP packet)
EAP数据(EAP数据包)
Set in peer state machine when eapResp is set to TRUE. The EAP packet that is the response to send.
当eapResp设置为TRUE时,在对等状态机中设置。作为要发送的响应的EAP数据包。
eapKeyData (EAP key)
EAP密钥数据(EAP密钥)
Set in peer state machine when keying material becomes available. Set during the METHOD state. Note that this document does not define the structure of the type "EAP key". We expect that it will be defined in [Keying].
当键控材质可用时,在对等状态机中设置。在方法状态期间设置。请注意,本文档未定义“EAP密钥”类型的结构。我们希望它将在[键控]中定义。
eapKeyAvailable (boolean)
eapKeyAvailable(布尔值)
Set to TRUE in the SUCCESS state if keying material is available. The actual key is stored in eapKeyData.
如果关键帧材质可用,则在成功状态下设置为TRUE。实际密钥存储在eapKeyData中。
ClientTimeout (integer)
ClientTimeout(整数)
Configurable amount of time to wait for a valid request before aborting, initialized by implementation-specific means (e.g., a configuration setting).
中止前等待有效请求的可配置时间量,通过特定于实现的方式(例如,配置设置)初始化。
IN: eapReqData (includes reqId)
IN:eapReqData(包括reqId)
OUT: ignore, eapRespData, allowNotifications, decision
输出:忽略、eapRespData、允许通知、决策
IN/OUT: methodState, (method-specific state)
输入/输出:methodState(特定于方法的状态)
The following describes the interaction between the state machine and EAP methods.
下面描述状态机和EAP方法之间的交互。
If methodState==INIT, the method starts by initializing its own method-specific state.
如果methodState==INIT,则该方法首先初始化自己的方法特定状态。
Next, the method must decide whether to process the packet or to discard it silently. If the packet appears to have been sent by someone other than the legitimate authenticator (for instance, if message integrity check fails) and the method is capable of treating such situations as non-fatal, the method can set ignore=TRUE. In this case, the method should not modify any other variables.
接下来,该方法必须决定是处理数据包还是以静默方式丢弃数据包。如果数据包似乎是由合法身份验证器以外的人发送的(例如,如果消息完整性检查失败),并且该方法能够将此类情况视为非致命情况,则该方法可以设置ignore=TRUE。在这种情况下,该方法不应修改任何其他变量。
If the method decides to process the packet, it behaves as follows.
如果该方法决定处理该数据包,则其行为如下。
o It updates its own method-specific state.
o 它更新自己的方法特定状态。
o If the method has derived keying material it wants to export, it stores the keying material to eapKeyData.
o 如果该方法已导出要导出的关键帧材质,则会将关键帧材质存储到eapKeyData。
o It creates a response packet (with the same identifier as the request) and stores it to eapRespData.
o 它创建一个响应包(与请求具有相同的标识符)并将其存储到eapRespData。
o It sets ignore=FALSE.
o 它设置ignore=FALSE。
Next, the method must update methodState and decision according to the following rules.
接下来,该方法必须根据以下规则更新methodState和decision。
methodState=CONT: The method always continues at this point (and the peer wants to continue it). The decision variable is always set to FAIL.
methodState=CONT:该方法始终在此点继续(对等方希望继续)。决策变量始终设置为失败。
methodState=MAY_CONT: At this point, the authenticator can decide either to continue the method or to end the conversation. The decision variable tells us what to do if the conversation ends. If the current situation does not satisfy the peer's security policy (that is, if the authenticator now decides to allow access, the peer will not use it), set decision=FAIL. Otherwise, set decision=COND_SUCC.
methodState=MAY_CONT:此时,身份验证器可以决定继续该方法或结束对话。decision变量告诉我们如果对话结束该怎么做。如果当前情况不满足对等方的安全策略(即,如果验证器现在决定允许访问,对等方将不使用它),则设置decision=FAIL。否则,设置decision=COND\u SUCC。
methodState=DONE: The method never continues at this point (or the peer sees no point in continuing it).
methodState=DONE:该方法在这一点上永远不会继续(或者对等方认为继续它没有意义)。
If either (a) the authenticator has informed us that it will not allow access, or (b) we're not willing to talk to this authenticator (e.g., our security policy is not satisfied), set decision=FAIL. (Note that this state can occur even if the method still has additional messages left, if continuing it cannot change the peer's decision to success).
如果(a)认证者通知我们它将不允许访问,或者(b)我们不愿意与该认证者交谈(例如,我们的安全策略不满足),则设置decision=FAIL。(请注意,即使该方法仍保留其他消息,也可能出现此状态,如果继续,则无法将对等方的决定更改为成功)。
If both (a) the server has informed us that it will allow access, and the next packet will be EAP Success, and (b) we're willing to use this access, set decision=UNCOND_SUCC.
如果(a)服务器通知我们它将允许访问,并且下一个数据包将是EAP Success,(b)我们愿意使用此访问,则设置decision=UNCOND_Success。
Otherwise, we do not know what the server's decision is, but are willing to use the access if the server allows. In this case, set decision=COND_SUCC.
否则,我们不知道服务器的决定是什么,但如果服务器允许,我们愿意使用访问。在这种情况下,设置decision=COND\u SUCC。
Finally, the method must set the allowNotifications variable. If the new methodState is either CONT or MAY_CONT, and if the method specification does not forbid the use of Notification messages, set allowNotifications=TRUE. Otherwise, set allowNotifications=FALSE.
最后,该方法必须设置allowNotifications变量。如果新methodState为CONT或MAY_CONT,并且如果方法规范不禁止使用通知消息,则将allowNotifications设置为TRUE。否则,将allowNotifications设置为FALSE。
selectMethod (EAP type)
selectMethod(EAP类型)
Set in GET_METHOD state. The method that the peer believes is currently "in progress"
设置为GET_方法状态。对等方认为当前正在“进行中”的方法
methodState (enumeration)
methodState(枚举)
As described above.
如上所述。
lastId (integer)
lastId(整数)
0-255 or NONE. Set in SEND_RESPONSE state. The EAP identifier value of the last request.
0-255或无。设置为发送\ U响应状态。上次请求的EAP标识符值。
lastRespData (EAP packet)
lastRespData(EAP数据包)
Set in SEND_RESPONSE state. The EAP packet last sent from the peer.
设置为发送\ U响应状态。上次从对等方发送的EAP数据包。
decision (enumeration)
决定(列举)
As described above.
如上所述。
NOTE: EAP type can be normal type (0..253,255), or an extended type consisting of type 254, Vendor-Id, and Vendor-Type.
注意:EAP类型可以是普通类型(0..253255),也可以是由类型254、供应商Id和供应商类型组成的扩展类型。
rxReq (boolean)
rxReq(布尔值)
Set in RECEIVED state. Indicates that the current received packet is an EAP request.
设置为接收状态。指示当前接收的数据包是EAP请求。
rxSuccess (boolean)
rxSuccess(布尔值)
Set in RECEIVED state. Indicates that the current received packet is an EAP Success.
设置为接收状态。指示当前接收的数据包是EAP成功。
rxFailure (boolean)
rxFailure(布尔值)
Set in RECEIVED state. Indicates that the current received packet is an EAP Failure.
设置为接收状态。指示当前接收的数据包是EAP故障。
reqId (integer)
请求ID(整数)
Set in RECEIVED state. The identifier value associated with the current EAP request.
设置为接收状态。与当前EAP请求关联的标识符值。
reqMethod (EAP type)
REQ方法(EAP类型)
Set in RECEIVED state. The method type of the current EAP request.
设置为接收状态。当前EAP请求的方法类型。
ignore (boolean)
忽略(布尔值)
Set in METHOD state. Indicates whether the method has decided to drop the current packet.
设置为方法状态。指示方法是否已决定丢弃当前数据包。
NOTE: For method procedures, the method uses its internal state in addition to the information provided by the EAP layer. The only arguments that are explicitly shown as inputs to the procedures are those provided to the method by EAP. Those inputs provided by the method's internal state remain implicit.
注:对于方法过程,方法除了使用EAP层提供的信息外,还使用其内部状态。唯一显式显示为过程输入的参数是EAP提供给方法的参数。由方法的内部状态提供的那些输入仍然是隐式的。
parseEapReq()
parseAppreq()
Determine the code, identifier value, and type of the current request. In the case of a parsing error (e.g., the length field is longer than the received packet), rxReq, rxSuccess, and rxFailure will all be set to FALSE. The values of reqId and reqMethod may be undefined as a result. Returns three booleans, one integer, and one EAP type.
确定当前请求的代码、标识符值和类型。在解析错误的情况下(例如,长度字段比接收到的数据包长),rxReq、rxSuccess和rxFailure都将设置为FALSE。因此,reqId和reqMethod的值可能未定义。返回三个布尔值、一个整数和一个EAP类型。
processNotify()
processNotify()
Process the contents of Notification Request (for instance, display it to the user or log it). The return value is undefined.
处理通知请求的内容(例如,向用户显示或记录)。返回值未定义。
buildNotify()
buildNotify()
Create the appropriate notification response. Returns an EAP packet.
创建适当的通知响应。返回EAP数据包。
processIdentity()
processIdentity()
Process the contents of Identity Request. Return value is undefined.
处理身份请求的内容。返回值未定义。
buildIdentity()
buildIdentity()
Create the appropriate identity response. Returns an EAP packet.
创建适当的标识响应。返回EAP数据包。
m.check()
m、 检查()
Method-specific procedure to test for the validity of a message. Returns a boolean.
测试消息有效性的方法特定程序。返回一个布尔值。
m.process()
m、 过程()
Method procedure to parse and process a request for that method. Returns a methodState enumeration, a decision enumeration, and a boolean.
方法过程来解析和处理该方法的请求。返回methodState枚举、决策枚举和布尔值。
m.buildResp()
m、 buildResp()
Method procedure to create a response message. Returns an EAP packet.
方法创建响应消息的过程。返回EAP数据包。
m.getKey()
m、 getKey()
Method procedure to obtain key material for use by EAP or lower layers. Returns an EAP key.
获取EAP或下层使用的关键材料的方法和程序。返回EAP密钥。
DISABLED
残废
This state is reached whenever service from the lower layer is interrupted or unavailable. Immediate transition to INITIALIZE occurs when the port becomes enabled.
只要来自下层的服务中断或不可用,就会达到该状态。当端口启用时,立即转换为初始化。
INITIALIZE
初始化
Initializes variables when the state machine is activated.
激活状态机时初始化变量。
IDLE
闲置的
The state machine spends most of its time here, waiting for something to happen.
状态机大部分时间都花在这里,等待发生什么事情。
RECEIVED
收到
This state is entered when an EAP packet is received. The packet header is parsed here.
当接收到EAP数据包时,进入该状态。包头在这里被解析。
GET_METHOD
获取方法
This state is entered when a request for a new type comes in. Either the correct method is started, or a Nak response is built.
当收到新类型的请求时,将进入此状态。要么启动正确的方法,要么生成Nak响应。
METHOD
方法
The method processing happens here. The request from the authenticator is processed, and an appropriate response packet is built.
方法处理发生在这里。处理来自认证器的请求,并构建适当的响应包。
SEND_RESPONSE
发送响应
This state signals the lower layer that a response packet is ready to be sent.
该状态向下层发出信号,表示响应数据包已准备好发送。
DISCARD
丢弃
This state signals the lower layer that the request was discarded, and no response packet will be sent at this time.
该状态向下层发出信号,表示请求已被丢弃,此时不会发送响应数据包。
IDENTITY
身份
Handles requests for Identity method and builds a response.
处理标识方法的请求并生成响应。
NOTIFICATION
通知
Handles requests for Notification method and builds a response.
处理通知方法的请求并生成响应。
RETRANSMIT
重发
Retransmits the previous response packet.
重新传输上一个响应数据包。
SUCCESS
成功
A final state indicating success.
表示成功的最后状态。
FAILURE
失败
A final state indicating failure.
表示失败的最后状态。
The following is a diagram of the stand-alone EAP authenticator state machine. This diagram should be used for those interested in a self-contained, or non-pass-through, authenticator. Included is an explanation of the primitives and procedures referenced in the diagram, as well as a clarification of notation.
以下是独立EAP验证器状态机的示意图。此图应用于那些对自包含或非传递身份验证器感兴趣的人。包括对图中引用的原语和过程的解释,以及对符号的澄清。
(see the .pdf version for missing diagram or refer to Appendix A.2 if reading the .txt version)
(缺少图表,请参见.pdf版本;如果阅读.txt版本,请参阅附录A.2)
Figure 4: EAP Stand-Alone Authenticator State Machine
图4:EAP独立身份验证程序状态机
5.1. Interface between Stand-Alone Authenticator State Machine and Lower Layer
5.1. 独立验证器状态机与底层的接口
The lower layer presents messages to the EAP authenticator state machine by storing the packet in eapRespData and setting the eapResp signal to TRUE.
下层通过将数据包存储在eapResp数据中并将eapResp信号设置为TRUE,向EAP验证器状态机呈现消息。
When the EAP authenticator state machine has finished processing the message, it sets one of the signals eapReq, eapNoReq, eapSuccess, and eapFail. If it sets eapReq, eapSuccess, or eapFail, the corresponding request (or success/failure) packet is stored in eapReqData. The lower layer is responsible for actually transmitting this message.
当EAP验证器状态机完成对消息的处理后,它将设置信号eapReq、eapNoReq、EAPSCESS和EAPFILE之一。如果设置了eapReq、EAPSCCESS或EAPFILE,则相应的请求(或成功/失败)数据包存储在eapReq数据中。下层负责实际传输此消息。
eapResp (boolean)
eapResp(布尔值)
Set to TRUE in lower layer, FALSE in authenticator state machine. Indicates that an EAP response is available for processing.
在较低层中设置为TRUE,在验证器状态机中设置为FALSE。指示EAP响应可用于处理。
eapRespData (EAP packet)
EAP数据(EAP数据包)
Set in lower layer when eapResp is set to TRUE. The EAP packet to be processed.
当eapResp设置为TRUE时,在较低层中设置。要处理的EAP数据包。
portEnabled (boolean)
可移植(布尔)
Indicates that the EAP authenticator state machine should be ready for communication. This is set to TRUE when the EAP conversation is started by the lower layer. If at any point the communication port or session is not available, portEnabled is set to FALSE, and the state machine transitions to DISABLED. To avoid unnecessary resets, the lower layer may dampen link down indications when it believes that the link is only temporarily down and that it will
指示EAP验证器状态机应准备好进行通信。当较低层启动EAP对话时,此设置为TRUE。如果在任何时候通信端口或会话不可用,portEnabled设置为FALSE,状态机转换为DISABLED。为了避免不必要的重置,当下层认为链路只是暂时断开并且将断开时,它可能会抑制链路断开指示
soon be back up (see [RFC3748], Section 7.12). In this case, portEnabled may not always be equal to the "link up" flag of the lower layer.
很快就会恢复(见[RFC3748],第7.12节)。在这种情况下,Portabled可能并不总是等于较低层的“链接”标志。
retransWhile (integer)
重传时间(整数)
Outside timer used to indicate how long the authenticator has waited for a new (valid) response.
外部计时器,用于指示验证器等待新(有效)响应的时间。
eapRestart (boolean)
EAP重新启动(布尔值)
Indicates that the lower layer would like to restart authentication.
指示较低层要重新启动身份验证。
eapSRTT (integer)
eapSRTT(整数)
Smoothed round-trip time. (See [RFC3748], Section 4.3.)
平滑的往返时间。(见[RFC3748]第4.3节。)
eapRTTVAR (integer)
eapRTTVAR(整数)
Round-trip time variation. (See [RFC3748], Section 4.3.)
往返时间变化。(见[RFC3748]第4.3节。)
eapReq (boolean)
eapReq(布尔值)
Set to TRUE in authenticator state machine, FALSE in lower layer. Indicates that a new EAP request is ready to be sent.
在验证器状态机中设置为TRUE,在较低层中设置为FALSE。指示新的EAP请求已准备好发送。
eapNoReq (boolean)
eapNoReq(布尔值)
Set to TRUE in authenticator state machine, FALSE in lower layer. Indicates the most recent response has been processed, but there is no new request to send.
在验证器状态机中设置为TRUE,在较低层中设置为FALSE。指示已处理最近的响应,但没有要发送的新请求。
eapSuccess (boolean)
EAPSCCESS(布尔值)
Set to TRUE in authenticator state machine, FALSE in lower layer. Indicates that the state machine has reached the SUCCESS state.
在验证器状态机中设置为TRUE,在较低层中设置为FALSE。指示状态机已达到成功状态。
eapFail (boolean)
eapFail(布尔值)
Set to TRUE in authenticator state machine, FALSE in lower layer. Indicates that the state machine has reached the FAILURE state.
在验证器状态机中设置为TRUE,在较低层中设置为FALSE。指示状态机已达到故障状态。
eapTimeout (boolean)
EAP超时(布尔值)
Set to TRUE in the TIMEOUT_FAILURE state if the authenticator has reached its maximum number of retransmissions without receiving a response.
如果验证器在未收到响应的情况下已达到其最大重传次数,则在超时\ U故障状态下设置为TRUE。
eapReqData (EAP packet)
eapReqData(EAP数据包)
Set in authenticator state machine when eapReq, eapSuccess, or eapFail is set to TRUE. The actual EAP request to be sent (or success/failure).
当eapReq、eapSuccess或eapFail设置为TRUE时,在验证器状态机中设置。要发送的实际EAP请求(或成功/失败)。
eapKeyData (EAP key)
EAP密钥数据(EAP密钥)
Set in authenticator state machine when keying material becomes available. Set during the METHOD state. Note that this document does not define the structure of the type "EAP key". We expect that it will be defined in [Keying].
当密钥材料可用时,在验证器状态机中设置。在方法状态期间设置。请注意,本文档未定义“EAP密钥”类型的结构。我们希望它将在[键控]中定义。
eapKeyAvailable (boolean)
eapKeyAvailable(布尔值)
Set to TRUE in the SUCCESS state if keying material is available. The actual key is stored in eapKeyData.
如果关键帧材质可用,则在成功状态下设置为TRUE。实际密钥存储在eapKeyData中。
MaxRetrans (integer)
MaxRetrans(整数)
Configurable maximum for how many retransmissions should be attempted before aborting.
中止前应尝试的重新传输次数的可配置最大值。
5.2. Interface between Stand-Alone Authenticator State Machine and Methods
5.2. 独立身份验证程序状态机和方法之间的接口
IN: eapRespData, methodState
IN:eaprepsdata,methodState
OUT: ignore, eapReqData
输出:忽略、删除数据
IN/OUT: currentId, (method-specific state), (policy)
输入/输出:currentId,(方法特定状态),(策略)
The following describes the interaction between the state machine and EAP methods.
下面描述状态机和EAP方法之间的交互。
m.init (in: -, out: -)
m.init (in: -, out: -)
When the method is first started, it must initialize its own method-specific state, possibly using some information from Policy (e.g., identity).
当方法首次启动时,它必须初始化自己的方法特定状态,可能使用策略中的一些信息(例如,标识)。
m.buildReq (in: integer, out: EAP packet)
m、 buildReq(输入:整数,输出:EAP数据包)
Next, the method creates a new EAP Request packet, with the given identifier value, and updates its method-specific state accordingly.
接下来,该方法使用给定的标识符值创建一个新的EAP请求包,并相应地更新其特定于方法的状态。
m.getTimeout (in: -, out: integer or NONE)
m.getTimeout (in: -, out: integer or NONE)
The method can also provide a hint for retransmission timeout with m.getTimeout.
该方法还可以使用m.getTimeout提供重传超时提示。
m.check (in: EAP packet, out: boolean)
m、 签入(入:EAP数据包,出:布尔值)
When a new EAP Response is received, the method must first decide whether to process the packet or to discard it silently. If the packet looks like it was not sent by the legitimate peer (e.g., if it has an invalid Message Integrity Check (MIC), which should never occur), the method can indicate this by returning FALSE. In this case, the method should not modify its own method-specific state.
当接收到新的EAP响应时,该方法必须首先决定是处理该数据包还是以静默方式丢弃该数据包。如果数据包看起来不是由合法的对等方发送的(例如,如果它具有无效的消息完整性检查(MIC),则该方法可以通过返回FALSE来指示这一点。在这种情况下,方法不应该修改自己的方法特定状态。
m.process (in: EAP packet, out: -)
m.process (in: EAP packet, out: -)
m.isDone (in: -, out: boolean)
m.isDone (in: -, out: boolean)
m.getKey (in: -, out: EAP key or NONE)
m.getKey (in: -, out: EAP key or NONE)
Next, the method processes the EAP Response and updates its own method-specific state. Now the options are to continue the conversation (send another request) or to end this method.
接下来,该方法处理EAP响应并更新其自己的方法特定状态。现在的选项是继续对话(发送另一个请求)或结束此方法。
If the method wants to end the conversation, it
如果该方法想要结束对话,则
o Tells Policy about the outcome of the method and possibly other information.
o 告诉策略有关方法的结果以及可能的其他信息。
o If the method has derived keying material it wants to export, returns it from m.getKey().
o 如果该方法已派生要导出的关键帧材质,则从m.getKey()返回该材质。
o Indicates that the method wants to end by returning TRUE from m.isDone().
o 指示该方法希望通过从m.isDone()返回TRUE来结束。
Otherwise, the method continues by sending another request, as described earlier.
否则,该方法继续发送另一个请求,如前所述。
currentMethod (EAP type)
currentMethod(EAP类型)
EAP type, IDENTITY, or NOTIFICATION.
EAP类型、标识或通知。
currentId (integer)
当前ID(整数)
0-255 or NONE. Usually updated in PROPOSE_METHOD state. Indicates the identifier value of the currently outstanding EAP request.
0-255或无。通常在建议方法状态下更新。指示当前未完成的EAP请求的标识符值。
methodState (enumeration)
methodState(枚举)
As described above.
如上所述。
retransCount (integer)
重新计数(整数)
Reset in SEND_REQUEST state and updated in RETRANSMIT state. Current number of retransmissions.
在发送请求状态下重置,在重新传输状态下更新。当前重新传输的次数。
lastReqData (EAP packet)
lastReqData(EAP数据包)
Set in SEND_REQUEST state. EAP packet containing the last sent request.
设置为发送请求状态。包含上次发送请求的EAP数据包。
methodTimeout (integer)
methodTimeout(整数)
Method-provided hint for suitable retransmission timeout, or NONE.
方法提供了适当的重新传输超时提示,或无。
rxResp (boolean)
rxResp(布尔值)
Set in RECEIVED state. Indicates that the current received packet is an EAP response.
设置为接收状态。指示当前接收的数据包是EAP响应。
respId (integer)
respId(整数)
Set in RECEIVED state. The identifier from the current EAP response.
设置为接收状态。当前EAP响应中的标识符。
respMethod (EAP type)
respMethod(EAP类型)
Set in RECEIVED state. The method type of the current EAP response.
设置为接收状态。当前EAP响应的方法类型。
ignore (boolean)
忽略(布尔值)
Set in METHOD state. Indicates whether the method has decided to drop the current packet.
设置为方法状态。指示方法是否已决定丢弃当前数据包。
decision (enumeration)
决定(列举)
Set in SELECT_ACTION state. Temporarily stores the policy decision to succeed, fail, or continue.
设置为选择操作状态。临时存储要成功、失败或继续的策略决策。
NOTE: For method procedures, the method uses its internal state in addition to the information provided by the EAP layer. The only arguments that are explicitly shown as inputs to the procedures are those provided to the method by EAP. Those inputs provided by the method's internal state remain implicit.
注:对于方法过程,方法除了使用EAP层提供的信息外,还使用其内部状态。唯一显式显示为过程输入的参数是EAP提供给方法的参数。由方法的内部状态提供的那些输入仍然是隐式的。
calculateTimeout()
calculateTimeout()
Calculates the retransmission timeout, taking into account the retransmission count, round-trip time measurements, and method-specific timeout hint (see [RFC3748], Section 4.3). Returns an integer.
计算重传超时,考虑重传计数、往返时间测量和方法特定超时提示(参见[RFC3748],第4.3节)。返回一个整数。
parseEapResp()
parseAppResp()
Determines the code, identifier value, and type of the current response. In the case of a parsing error (e.g., the length field is longer than the received packet), rxResp will be set to FALSE. The values of respId and respMethod may be undefined as a result. Returns a boolean, an integer, and an EAP type.
确定当前响应的代码、标识符值和类型。在分析错误的情况下(例如,长度字段比接收到的数据包长),rxResp将设置为FALSE。因此,respId和respMethod的值可能未定义。返回布尔值、整数和EAP类型。
buildSuccess()
buildSuccess()
Creates an EAP Success Packet. Returns an EAP packet.
创建EAP成功数据包。返回EAP数据包。
buildFailure()
buildFailure()
Creates an EAP Failure Packet. Returns an EAP packet.
创建EAP故障数据包。返回EAP数据包。
nextId()
nextId()
Determines the next identifier value to use, based on the previous one. Returns an integer.
基于上一个标识符值确定要使用的下一个标识符值。返回一个整数。
Policy.update()
Policy.update()
Updates all variables related to internal policy state. The return value is undefined.
更新与内部策略状态相关的所有变量。返回值未定义。
Policy.getNextMethod()
Policy.getNextMethod()
Determines the method that should be used at this point in the conversation based on predefined policy. Policy.getNextMethod() MUST comply with [RFC3748] (Section 2.1), which forbids the use of sequences of authentication methods within an EAP conversation. Thus, if an authentication method has already been executed within an EAP dialog, Policy.getNextMethod() MUST NOT propose another authentication method within the same EAP dialog. Returns an EAP type.
根据预定义的策略确定此时对话中应使用的方法。Policy.getNextMethod()必须符合[RFC3748](第2.1节),该节禁止在EAP对话中使用身份验证方法序列。因此,如果已在EAP对话框中执行了身份验证方法,则Policy.getNextMethod()不得在同一EAP对话框中提出其他身份验证方法。返回EAP类型。
Policy.getDecision()
Policy.getDecision()
Determines if the policy will allow SUCCESS, FAIL, or is yet to determine (CONTINUE). Returns a decision enumeration.
确定策略是否允许成功、失败或尚未确定(继续)。返回决策枚举。
m.check()
m、 检查()
Method-specific procedure to test for the validity of a message. Returns a boolean.
测试消息有效性的方法特定程序。返回一个布尔值。
m.process()
m、 过程()
Method procedure to parse and process a response for that method. The return value is undefined.
方法过程来解析和处理该方法的响应。返回值未定义。
m.init()
m、 init()
Method procedure to initialize state just before use. The return value is undefined.
方法过程在使用前初始化状态。返回值未定义。
m.reset()
m、 重置()
Method procedure to indicate that the method is ending in the middle of or before completion. The return value is undefined.
方法过程以指示方法在完成之前或结束之前结束。返回值未定义。
m.isDone()
m、 isDone()
Method procedure to check for method completion. Returns a boolean.
检查方法完成情况的方法程序。返回一个布尔值。
m.getTimeout()
m、 getTimeout()
Method procedure to determine an appropriate timeout hint for that method. Returns an integer.
方法过程来确定该方法的适当超时提示。返回一个整数。
m.getKey()
m、 getKey()
Method procedure to obtain key material for use by EAP or lower layers. Returns an EAP key.
获取EAP或下层使用的关键材料的方法和程序。返回EAP密钥。
m.buildReq()
m、 buildReq()
Method procedure to produce the next request. Returns an EAP packet.
方法生成下一个请求的过程。返回EAP数据包。
DISABLED
残废
The authenticator is disabled until the port is enabled by the lower layer.
在较低层启用端口之前,将禁用验证器。
INITIALIZE
初始化
Initializes variables when the state machine is activated.
激活状态机时初始化变量。
IDLE
闲置的
The state machine spends most of its time here, waiting for something to happen.
状态机大部分时间都花在这里,等待发生什么事情。
RECEIVED
收到
This state is entered when an EAP packet is received. The packet header is parsed here.
当接收到EAP数据包时,进入该状态。包头在这里被解析。
INTEGRITY_CHECK
完整性检查
A method state in which the integrity of the incoming packet from the peer is verified by the method.
一种方法状态,在此状态下,通过该方法验证来自对等方的传入数据包的完整性。
METHOD_RESPONSE
方法u响应
A method state in which the incoming packet is processed.
处理传入数据包的一种方法状态。
METHOD_REQUEST
方法请求
A method state in which a new request is formulated if necessary.
一种方法状态,在这种状态下,如有必要,将制定新的请求。
PROPOSE_METHOD
提出一种新的方法
A state in which the authenticator decides which method to try next in the authentication.
身份验证程序决定在身份验证中下一步尝试哪种方法的状态。
SELECT_ACTION
选择行动
Between methods, the state machine re-evaluates whether its policy is satisfied and succeeds, fails, or remains undecided.
在方法之间,状态机重新评估其策略是否得到满足,以及是否成功、失败或尚未决定。
SEND_REQUEST
发送请求
This state signals the lower layer that a request packet is ready to be sent.
该状态向下层发出信号,表示请求数据包已准备好发送。
DISCARD
丢弃
This state signals the lower layer that the response was discarded, and no new request packet will be sent at this time.
该状态向下层发出信号,表示响应已被丢弃,此时不会发送新的请求数据包。
NAK
纳克
This state processes Nak responses from the peer.
此状态处理来自对等方的Nak响应。
RETRANSMIT
重发
Retransmits the previous request packet.
重新传输上一个请求数据包。
SUCCESS
成功
A final state indicating success.
表示成功的最后状态。
FAILURE
失败
A final state indicating failure.
表示失败的最后状态。
TIMEOUT_FAILURE
超时故障
A final state indicating failure because no response has been received. Because no response was received, no new message (including failure) should be sent to the peer. Note that this is different from the FAILURE state, in which a message indicating failure is sent to the peer.
由于未收到响应而指示失败的最终状态。由于未收到响应,因此不应向对等方发送新消息(包括失败)。注意,这与故障状态不同,在故障状态中,指示故障的消息被发送到对等方。
When operating in pass-through mode, there are conceptually two parts to the authenticator: the part that passes packets through, and the backend that actually implements the EAP method. The following diagram shows a state machine for the backend part of this model when using a AAA server. Note that this diagram is identical to Figure 4 except that no retransmit is included in the IDLE state because with RADIUS, retransmit is handled by the NAS. Also, a PICK_UP_METHOD state and variable in INITIALIZE state are added to allow the Method to "pick up" a method started in a NAS. Included is an explanation of the primitives and procedures referenced in the diagram, many of which are the same as above. Note that the "lower layer" in this case is some AAA protocol (e.g., RADIUS).
在传递模式下操作时,验证器在概念上有两个部分:传递数据包的部分和实际实现EAP方法的后端。下图显示了使用AAA服务器时此模型后端部分的状态机。请注意,此图与图4相同,只是空闲状态中不包括重传,因为对于RADIUS,重传由NAS处理。此外,还添加了PICK_-UP_方法状态和处于初始化状态的变量,以允许该方法“拾取”NAS中启动的方法。其中包括对图中引用的原语和过程的解释,其中许多与上面相同。注意,本例中的“下层”是一些AAA协议(例如RADIUS)。
(see the .pdf version for missing diagram or refer to Appendix A.3 if reading the .txt version)
(缺少图表,请参见.pdf版本;如果阅读.txt版本,请参阅附录A.3)
Figure 5: EAP Backend Authenticator State Machine
图5:EAP后端验证器状态机
6.1. Interface between Backend Authenticator State Machine and Lower Layer
6.1. 后端验证器状态机与底层的接口
The lower layer presents messages to the EAP backend authenticator state machine by storing the packet in aaaEapRespData and setting the aaaEapResp signal to TRUE.
下层通过将数据包存储在aaaEapRespData中并将aaaEapResp信号设置为TRUE,向EAP后端验证器状态机呈现消息。
When the EAP backend authenticator state machine has finished processing the message, it sets one of the signals aaaEapReq, aaaEapNoReq, aaaSuccess, and aaaFail. If it sets eapReq, eapSuccess, or eapFail, the corresponding request (or success/failure) packet is stored in aaaEapReqData. The lower layer is responsible for actually transmitting this message.
EAP后端验证器状态机完成消息处理后,将设置信号aaaEapReq、aaaEapNoReq、AAASACCESS和aaaFail之一。如果设置了eapReq、EAPSCCESS或EAPFILE,则相应的请求(或成功/失败)数据包存储在aaaEapReqData中。下层负责实际传输此消息。
aaaEapResp (boolean)
aaaEapResp(布尔值)
Set to TRUE in lower layer, FALSE in authenticator state machine. Usually indicates that an EAP response, stored in aaaEapRespData, is available for processing by the AAA server. If aaaEapRespData is set to NONE, it indicates that the AAA server should send the initial EAP request.
在较低层中设置为TRUE,在验证器状态机中设置为FALSE。通常表示存储在AAAAPRespData中的EAP响应可供AAA服务器处理。如果aaaEapRespData设置为NONE,则表示AAA服务器应发送初始EAP请求。
aaaEapRespData (EAP packet)
aaaEapRespData(EAP数据包)
Set in lower layer when eapResp is set to TRUE. The EAP packet to be processed, or NONE.
当eapResp设置为TRUE时,在较低层中设置。要处理的EAP数据包,或无。
backendEnabled (boolean)
可反转(布尔型)
Indicates that there is a valid link to use for the communication. If at any point the port is not available, backendEnabled is set to FALSE, and the state machine transitions to DISABLED.
指示存在用于通信的有效链接。如果在任何时候端口不可用,backendEnabled设置为FALSE,状态机转换为DISABLED。
aaaEapReq (boolean)
aaaEapReq(布尔值)
Set to TRUE in authenticator state machine, FALSE in lower layer. Indicates that a new EAP request is ready to be sent.
在验证器状态机中设置为TRUE,在较低层中设置为FALSE。指示新的EAP请求已准备好发送。
aaaEapNoReq (boolean)
aaaEapNoReq(布尔值)
Set to TRUE in authenticator state machine, FALSE in lower layer. Indicates that the most recent response has been processed, but there is no new request to send.
在验证器状态机中设置为TRUE,在较低层中设置为FALSE。指示已处理最近的响应,但没有要发送的新请求。
aaaSuccess (boolean)
aaASAccess(布尔值)
Set to TRUE in authenticator state machine, FALSE in lower layer. Indicates that the state machine has reached the SUCCESS state.
在验证器状态机中设置为TRUE,在较低层中设置为FALSE。指示状态机已达到成功状态。
aaaFail (boolean)
aaaFail(布尔值)
Set to TRUE in authenticator state machine, FALSE in lower layer. Indicates that the state machine has reached the FAILURE state.
在验证器状态机中设置为TRUE,在较低层中设置为FALSE。指示状态机已达到故障状态。
aaaEapReqData (EAP packet)
aaaEapReqData(EAP数据包)
Set in authenticator state machine when aaaEapReq, aaaSuccess, or aaaFail is set to TRUE. The actual EAP request to be sent (or success/failure).
当AAAPREQ、AAASACCESS或aaaFail设置为TRUE时,在验证器状态机中设置。要发送的实际EAP请求(或成功/失败)。
aaaEapKeyData (EAP key)
aaaEapKeyData(EAP密钥)
Set in authenticator state machine when keying material becomes available. Set during the METHOD_RESPONSE state. Note that this document does not define the structure of the type "EAP key". We expect that it will be defined in [Keying].
当密钥材料可用时,在验证器状态机中设置。在方法\u响应状态期间设置。请注意,本文档未定义“EAP密钥”类型的结构。我们希望它将在[键控]中定义。
aaaEapKeyAvailable (boolean)
aaaEapKeyAvailable(布尔值)
Set to TRUE in the SUCCESS state if keying material is available. The actual key is stored in aaaEapKeyData.
如果关键帧材质可用,则在成功状态下设置为TRUE。实际密钥存储在AAAPKEYDATA中。
aaaMethodTimeout (integer)
aaaMethodTimeout(整数)
Method-provided hint for suitable retransmission timeout, or NONE. (Note that this hint is for the EAP retransmissions done by the pass-through authenticator, not for retransmissions of AAA packets.)
方法提供了适当的重新传输超时提示,或无。(请注意,此提示适用于直通身份验证程序执行的EAP重传,而不是AAA数据包的重传。)
6.2. Interface between Backend Authenticator State Machine and Methods
6.2. 后端验证器状态机和方法之间的接口
The backend method interface is almost the same as in stand-alone authenticator described in Section 5.2. The only difference is that some methods on the backend may support "picking up" a conversation started by the pass-through. That is, the EAP Request packet was sent by the pass-through, but the backend must process the corresponding EAP Response. Usually only the Identity method supports this, but others are possible.
后端方法接口与第5.2节中描述的独立身份验证程序中的接口几乎相同。唯一的区别是,后端的一些方法可能支持“拾取”由pass-through启动的对话。也就是说,EAP请求数据包是通过直通发送的,但是后端必须处理相应的EAP响应。通常只有Identity方法支持这一点,但其他方法也可以。
When "picking up" a conversation, m.initPickUp() is called instead of m.init(). Next, m.process() must examine eapRespData and update its own method-specific state to match what it would have been if it had actually sent the corresponding request. (Obviously, this only works for methods that can determine what the initial request contained; Identity and EAP-TLS are good examples.)
“拾取”对话时,将调用m.initpick()而不是m.init()。接下来,m.process()必须检查eapRespData并更新其自己的特定于方法的状态,以匹配实际发送相应请求时的状态。(显然,这只适用于可以确定初始请求包含的内容的方法;Identity和EAP-TLS就是很好的例子。)
After this, the processing continues as described in Section 5.2.
在此之后,按照第5.2节所述继续处理。
For definitions of the variables used in the Backend Authenticator, see Section 5.3.
有关后端验证器中使用的变量的定义,请参见第5.3节。
Most of the procedures of the backend authenticator have already been defined in Section 5.4. This section contains definitions for those not existent in the stand-alone version, as well as those that are defined differently.
后端验证器的大多数过程已在第5.4节中定义。本节包含独立版本中不存在的定义,以及定义不同的定义。
NOTE: For method procedures, the method uses its internal state in addition to the information provided by the EAP layer. The only arguments that are explicitly shown as inputs to the procedures are those provided to the method by EAP. Those inputs provided by the method's internal state remain implicit.
注:对于方法过程,方法除了使用EAP层提供的信息外,还使用其内部状态。唯一显式显示为过程输入的参数是EAP提供给方法的参数。由方法的内部状态提供的那些输入仍然是隐式的。
Policy.doPickUp()
Policy.doPickUp()
Notifies the policy that an already-chosen method is being picked up and will be completed. Returns a boolean.
通知策略已选择的方法正在被提取并将完成。返回一个布尔值。
m.initPickUp()
m、 initpick()
Method procedure to initialize state when continuing from an already-started method. The return value is undefined.
从已启动的方法继续时初始化状态的方法过程。返回值未定义。
Most of the states of the backend authenticator have already been defined in Section 5.5. This section contains definitions for those not existent in the stand-alone version, as well as those that are defined differently.
后端验证器的大多数状态已在第5.5节中定义。本节包含独立版本中不存在的定义,以及定义不同的定义。
PICK_UP_METHOD
拾音法
Sets an initial state for a method that is being continued and that was started elsewhere.
为正在继续且在其他地方启动的方法设置初始状态。
The following two diagrams show the state machine for a complete authenticator. The first diagram is identical to the stand-alone state machine, shown in Figure 4, with the exception that the SELECT_ACTION state has an added transition to PASSTHROUGH. The second diagram also keeps most of the logic, except the four method states, and it shows how the state machine works once it goes to pass-through mode.
以下两个图显示了完整身份验证器的状态机。第一个图与图4所示的独立状态机相同,只是SELECT_操作状态增加了到PASSTHROUGH的转换。第二个图还保留了除四个方法状态之外的大部分逻辑,它显示了状态机进入直通模式后的工作方式。
The first diagram is largely a reproduction of that found above, with the added hooks for a transition to PASSTHROUGH mode.
第一个图主要是上面发现的图的复制,添加了用于转换到直通模式的挂钩。
(see the .pdf version for missing diagram or refer to Appendix A.4 if reading the .txt version)
(缺少图表,请参见.pdf版本;如果阅读.txt版本,请参阅附录A.4)
Figure 6: EAP Full Authenticator State Machine (Part 1)
图6:EAP完全认证器状态机(第1部分)
The second diagram describes the functionality necessary for an authenticator operating in pass-through mode. This section of the diagram is the counterpart of the backend diagram above.
第二个图描述了在直通模式下操作的验证器所需的功能。图的这一部分与上面的后端图相对应。
(see the .pdf version for missing diagram or refer to Appendix A.4 if reading the .txt version)
(缺少图表,请参见.pdf版本;如果阅读.txt版本,请参阅附录A.4)
Figure 7: EAP Full Authenticator State Machine (Part 2)
图7:EAP完全认证器状态机(第2部分)
7.1. Interface between Full Authenticator State Machine and Lower Layers
7.1. 完整身份验证程序状态机和较低层之间的接口
The full authenticator is unique in that it interfaces to multiple lower layers in order to support pass-through mode. The interface to the primary EAP transport layer is the same as described in Section 5. The following describes the interface to the second lower layer, which represents an interface to AAA. Note that there is not necessarily a direct interaction between the EAP layer and the AAA layer, as in the case of [1X-2004].
完整身份验证器的独特之处在于它与多个较低层接口,以支持直通模式。主EAP传输层的接口与第5节所述相同。下面描述了到第二个较低层的接口,它表示到AAA的接口。注意,EAP层和AAA层之间不一定存在直接交互,如[1X-2004]的情况。
aaaEapReq (boolean)
aaaEapReq(布尔值)
Set to TRUE in lower layer, FALSE in authenticator state machine. Indicates that a new EAP request is available from the AAA server.
在较低层中设置为TRUE,在验证器状态机中设置为FALSE。指示新的EAP请求可从AAA服务器获得。
aaaEapNoReq (boolean)
aaaEapNoReq(布尔值)
Set to TRUE in lower layer, FALSE in authenticator state machine. Indicates that the most recent response has been processed, but that there is no new request to send.
在较低层中设置为TRUE,在验证器状态机中设置为FALSE。指示已处理最近的响应,但没有要发送的新请求。
aaaSuccess (boolean)
aaASAccess(布尔值)
Set to TRUE in lower layer. Indicates that the AAA backend authenticator has reached the SUCCESS state.
在较低层中设置为TRUE。指示AAA后端身份验证程序已达到成功状态。
aaaFail (boolean)
aaaFail(布尔值)
Set to TRUE in lower layer. Indicates that the AAA backend authenticator has reached the FAILURE state.
在较低层中设置为TRUE。指示AAA后端身份验证程序已达到失败状态。
aaaEapReqData (EAP packet)
aaaEapReqData(EAP数据包)
Set in the lower layer when aaaEapReq, aaaSuccess, or aaaFail is set to TRUE. The actual EAP request to be sent (or success/ failure).
当aaaaapreq、aaasaccess或aaaFail设置为TRUE时,在较低层中设置。要发送的实际EAP请求(或成功/失败)。
aaaEapKeyData (EAP key)
aaaEapKeyData(EAP密钥)
Set in lower layer when keying material becomes available from the AAA server. Note that this document does not define the structure of the type "EAP key". We expect that it will be defined in [Keying].
当AAA服务器上的键控材料可用时,在较低层设置。请注意,本文档未定义“EAP密钥”类型的结构。我们希望它将在[键控]中定义。
aaaEapKeyAvailable (boolean)
aaaEapKeyAvailable(布尔值)
Set to TRUE in the lower layer if keying material is available. The actual key is stored in aaaEapKeyData.
如果关键帧材质可用,则在较低层中设置为TRUE。实际密钥存储在AAAPKEYDATA中。
aaaMethodTimeout (integer)
aaaMethodTimeout(整数)
Method-provided hint for suitable retransmission timeout, or NONE. (Note that this hint is for the EAP retransmissions done by the pass-through authenticator, not for retransmissions of AAA packets.)
方法提供了适当的重新传输超时提示,或无。(请注意,此提示适用于直通身份验证程序执行的EAP重传,而不是AAA数据包的重传。)
aaaEapResp (boolean)
aaaEapResp(布尔值)
Set to TRUE in authenticator state machine, FALSE in the lower layer. Indicates that an EAP response is available for processing by the AAA server.
在验证器状态机中设置为TRUE,在较低层中设置为FALSE。指示AAA服务器可处理EAP响应。
aaaEapRespData (EAP packet)
aaaEapRespData(EAP数据包)
Set in authenticator state machine when eapResp is set to TRUE. The EAP packet to be processed.
当eapResp设置为TRUE时,在验证器状态机中设置。要处理的EAP数据包。
aaaIdentity (EAP packet)
A辅助实体(EAP数据包)
Set in authenticator state machine when an IDENTITY response is received. Makes that identity available to AAA lower layer.
当收到身份响应时,在身份验证器状态机中设置。使该标识可用于AAA较低层。
aaaTimeout (boolean)
aaaTimeout(布尔值)
Set in AAA_IDLE if, after a configurable amount of time, there is no response from the AAA layer. The AAA layer in the NAS is itself alive and OK, but for some reason it has not received a valid Access-Accept/Reject indication from the backend.
如果在一段可配置的时间后,AAA层没有响应,则在AAA_IDLE中设置。NAS中的AAA层本身处于活动状态且正常,但由于某些原因,它尚未从后端接收到有效的访问接受/拒绝指示。
Same as Section 5.
与第5节相同。
Same as stand-alone authenticator (Section 5.2).
与独立验证器相同(第5.2节)。
Many of the variables of the full authenticator have already been defined in Section 5. This section contains definitions for those not existent in the stand-alone version, as well as those that are defined differently.
完整验证器的许多变量已在第5节中定义。本节包含独立版本中不存在的定义,以及定义不同的定义。
decision (enumeration)
决定(列举)
Set in SELECT_ACTION state. Temporarily stores the policy decision to succeed, fail, continue with a local method, or continue in pass-through mode.
设置为选择操作状态。临时存储策略决策,以便成功、失败、使用本地方法继续或以传递模式继续。
All the procedures defined in Section 5 exist in the full version. In addition, the following procedures are defined.
第5节中定义的所有程序均为完整版本。此外,还定义了以下程序。
getId()
getId()
Determines the identifier value chosen by the AAA server for the current EAP request. The return value is an integer.
确定AAA服务器为当前EAP请求选择的标识符值。返回值是一个整数。
All the states defined in Section 5 exist in the full version. In addition, the following states are defined.
第5节中定义的所有状态都存在于完整版本中。此外,还定义了以下状态。
INITIALIZE_PASSTHROUGH
初始化\u传递
Initializes variables when the pass-through portion of the state machine is activated.
在激活状态机的传递部分时初始化变量。
IDLE2
IDLE2
The state machine waits for a response from the primary lower layer, which transports EAP traffic from the peer.
状态机等待来自主要较低层的响应,该层传输来自对等方的EAP流量。
IDLE
闲置的
The state machine spends most of its time here, waiting for something to happen.
状态机大部分时间都花在这里,等待发生什么事情。
RECEIVED2
收到2
This state is entered when an EAP packet is received and the authenticator is in PASSTHROUGH mode. The packet header is parsed here.
当接收到EAP数据包且认证器处于直通模式时,将进入此状态。包头在这里被解析。
AAA_REQUEST
AAA_请求
The incoming EAP packet is parsed for sending to the AAA server.
将解析传入的EAP数据包以发送到AAA服务器。
AAA_IDLE
空转
Idle state that tells the AAA layer that it has a response and then waits for a new request, a no-request signal, or success/failure.
空闲状态,告知AAA层有响应,然后等待新请求、无请求信号或成功/失败。
AAA_RESPONSE
AAA_回应
State in which the request from the AAA interface is processed into an EAP request.
将来自AAA接口的请求处理为EAP请求的状态。
SEND_REQUEST2
发送请求2
This state signals the lower layer that a request packet is ready to be sent.
该状态向下层发出信号,表示请求数据包已准备好发送。
DISCARD2
丢弃2
This state signals the lower layer that the response was discarded, and that no new request packet will be sent at this time.
该状态向下层发出信号,表示响应已被丢弃,此时不会发送新的请求数据包。
RETRANSMIT2
重发2
Retransmits the previous request packet.
重新传输上一个请求数据包。
SUCCESS2
成功2
A final state indicating success.
表示成功的最后状态。
FAILURE2
失败2
A final state indicating failure.
表示失败的最后状态。
TIMEOUT_FAILURE2
超时\u故障2
A final state indicating failure because no response has been received. Because no response was received, no new message (including failure) should be sent to the peer. Note that this is different from the FAILURE2 state, in which a message indicating failure is sent to the peer.
由于未收到响应而指示失败的最终状态。由于未收到响应,因此不应向对等方发送新消息(包括失败)。请注意,这与FAILURE2状态不同,在FAILURE2状态中,向对等方发送指示故障的消息。
In order to deal with erroneous cases that are not directly related to the protocol behavior, implementations may need additional considerations to provide robustness against errors.
为了处理与协议行为不直接相关的错误情况,实现可能需要额外考虑以提供对错误的鲁棒性。
For example, an implementation of a state machine may spend a significant amount of time in a particular state performing the procedure defined for the state without returning a response. If such an implementation is made on a multithreading system, the procedure may be performed in a separate thread so that the implementation can perform appropriate action without blocking on the state for a long time (or forever if the procedure never completes due to, e.g., a non-responding user or a bug in an application callback function).
例如,状态机的实现可能在特定状态下花费大量时间执行为该状态定义的过程,而不返回响应。如果这种实现是在多线程系统上进行的,则该过程可以在单独的线程中执行,以便该实现可以执行适当的操作,而不会长时间阻塞该状态(或者如果该过程由于(例如)无响应用户或应用程序回调函数中的错误而永远无法完成)。
The following states are identified as the possible places of blocking:
以下状态被确定为可能的阻塞位置:
o IDENTITY state in the peer state machine. It may take some time to process Identity request when a user input is needed for obtaining an identity from the user. The user may never input an identity. An implementation may define an additional state transition from IDENTITY state to FAILURE state so that authentication can fail if no identity is obtained from the user before ClientTimeout timer expires.
o 对等状态机中的标识状态。当需要用户输入以从用户获取身份时,处理身份请求可能需要一些时间。用户可能永远不会输入标识。实现可以定义从标识状态到故障状态的附加状态转换,以便如果在ClientTimeout计时器过期之前没有从用户获得标识,则身份验证可能会失败。
o METHOD state in the peer state machine and in METHOD_RESPONSE state in the authenticator state machines. It may take some time to perform method-specific procedures in these states. An implementation may define an additional state transition from METHOD state and METHOD_RESPONSE state to FAILURE or TIMEOUT_FAILURE state so that authentication can fail if no method processing result is obtained from the method before methodTimeout timer expires.
o 对等状态机中的方法状态和验证器状态机中的方法响应状态。在这些状态下执行特定于方法的程序可能需要一些时间。实现可以定义从方法状态和方法响应状态到失败或超时失败状态的附加状态转换,以便如果在方法超时计时器过期之前没有从方法获得方法处理结果,则身份验证可能失败。
Implementations may define additional interfaces to pass method-specific information between methods and lower layers. These interfaces are beyond the scope of this document.
实现可以定义额外的接口,以便在方法和较低层之间传递特定于方法的信息。这些接口超出了本文档的范围。
Number of deployed EAP authenticator implementations, mainly in RADIUS authentication servers, have been observed to increment the Identifier field incorrectly when generating EAP Success and EAP Failure packets which is against the MUST requirement in RFC 3748 section 4.2. The peer state machine is based on RFC 3748, and as such it will discard such EAP Success and EAP Failure packets.
已观察到,在生成EAP成功和EAP失败数据包时,部署的EAP验证器实现的数量(主要在RADIUS认证服务器中)错误地增加了标识符字段,这违反了RFC 3748第4.2节中的必需要求。对等状态机基于RFC 3748,因此它将丢弃此类EAP成功和EAP失败数据包。
As a workaround for the potential interoperability issue with existing implementations, conditions for peer state machine transitions from RECEIVED state to SUCCESS and FAILURE states MAY be changed from "(reqId == lastId)" to "((reqId == lastId) || (reqId == (lastId + 1) & 255))". However, because this behavior does not conform to RFC 3748, such a workaround is not recommended, and if included, it should be implemented as an optional workaround that can be disabled.
作为现有实现潜在互操作性问题的解决办法,对等状态机从接收状态转换为成功和失败状态的条件可能会从“(reqId==lastId)”更改为“((reqId==lastId)|(reqId==(lastId+1)和255”)”。但是,由于此行为不符合RFC 3748,因此不建议使用此解决方案,如果包含此解决方案,则应将其实现为可禁用的可选解决方案。
This document's intent is to describe the EAP state machine fully. To this end, any security concerns with this document are likely a reflection of security concerns with EAP itself.
本文档旨在全面描述EAP状态机。为此,本文件中的任何安全问题都可能反映了EAP本身的安全问题。
An accurate state machine can help reduce implementation errors. Although [RFC3748] remains the normative protocol description, this state machine should help in this regard.
准确的状态机有助于减少实现错误。尽管[RFC3748]仍然是规范性协议描述,但此状态机在这方面应该有所帮助。
As noted in [RFC3748], some security concerns arise because of the following EAP packets:
如[RFC3748]所述,由于以下EAP数据包,出现了一些安全问题:
1. EAP-Request/Response Identity 2. EAP-Response/NAK 3. EAP-Success/Failure
1. EAP请求/响应标识2。EAP响应/NAK 3。EAP成功/失败
Because these packets are not cryptographically protected by themselves, an attacker can modify or insert them without immediate detection by the peer or authenticator.
由于这些数据包本身不受加密保护,攻击者可以修改或插入它们,而无需对等方或身份验证方立即检测。
Following Figure 3 specification, an attacker may cause denial of service by:
根据图3规范,攻击者可能通过以下方式导致拒绝服务:
o Sending an EAP-Failure to the peer before the peer has started an EAP authentication method. As long as the peer has not modified the methodState variable (initialized to NONE), the peer MUST accept an EAP-Failure.
o 在对等方启动EAP身份验证方法之前向该对等方发送EAP故障。只要对等方没有修改methodState变量(初始化为NONE),对等方就必须接受EAP失败。
o Forcing the peer to engage in endless EAP-Request/Response Identity exchanges before it has started an EAP authentication method. As long as the peer has not modified the selectedMethod variable (initialized to NONE), the peer MUST accept an EAP-Request/Identity and respond to it with an EAP-Response/Identity.
o 强制对等方在启动EAP身份验证方法之前进行无休止的EAP请求/响应身份交换。只要对等方未修改selectedMethod变量(初始化为NONE),对等方必须接受EAP请求/标识,并使用EAP响应/标识对其进行响应。
Following Figure 4 specification, an attacker may cause denial of service by:
根据图4规范,攻击者可能通过以下方式导致拒绝服务:
o Sending a NAK to the authenticator after the authenticator first proposes an EAP authentication method to the peer. When the methodState variable has the value PROPOSED, the authenticator is obliged to process a NAK that is received in response to its first packet of an EAP authentication method.
o 在认证者首先向对等方提出EAP认证方法之后,向认证者发送NAK。当methodState变量具有建议的值时,认证器必须处理响应其EAP认证方法的第一个分组而接收的NAK。
There MAY be some cases when it is desired to prevent such attacks. This can be done by modifying initial values of some variables of the EAP state machines. However, such modifications are NOT RECOMMENDED.
在某些情况下,可能需要防止此类攻击。这可以通过修改EAP状态机的一些变量的初始值来实现。但是,不建议进行此类修改。
There is a trade-off between mitigating these denial-of-service attacks and being able to deal with EAP peers and authenticators in general. For instance, if a NAK is ignored when it is sent to the authenticator after it has just proposed an EAP authentication method to the peer, then a legitimate peer that is not able or willing to process the proposed EAP authentication method would fail without an opportunity to negotiate another EAP method.
在减轻这些拒绝服务攻击和能够处理EAP对等点和身份验证程序之间存在着一种权衡。例如,如果在NAK刚刚向对等方提出EAP认证方法之后将其发送给认证方时忽略了NAK,则不能或不愿意处理所提出的EAP认证方法的合法对等方将失败,而没有机会协商另一EAP方法。
The work in this document was done as part of the EAP Design Team. It was done primarily by Nick Petroni, John Vollbrecht, Pasi Eronen, and Yoshihiro Ohba. Nick started this work with Bryan Payne and Chuk Seng at the University of Maryland. John Vollbrecht of Meetinghouse Data Communications started independently with help from Dave Spence at Interlink Networks. John and Nick collaborated to create a common document, and then were joined by Pasi Eronen of Nokia, who has made major contributions in creating coherent state machines, and by Yoshihiro Ohba of Toshiba, who insisted on including pass-through documentation and provided significant support for understanding implementation issues.
本文件中的工作是作为EAP设计团队的一部分完成的。这项工作主要由尼克·彼得罗尼、约翰·沃尔布雷希特、帕西·埃隆和大叶吉弘完成。Nick在马里兰大学与Bryan Payne和Chuk Seng开始了这项工作。Meetinghouse Data Communications的John Vollbrecht在Interlink Networks的Dave Spence的帮助下独立起步。John和Nick合作创建了一个通用文档,诺基亚的Pasi Eronen和东芝的Yoshihiro Ohba也加入了进来,后者在创建相干状态机方面做出了重大贡献,并坚持包含传递文档,为理解实现问题提供了重要支持。
In addition, significant response and conversation has come from the design team, especially Jari Arkko of Ericsson and Bernard Aboba of Microsoft, as well as the rest of the team. It has also been reviewed by IEEE 802.1, and has had input from Jim Burns of Meetinghouse and Paul Congdon of Hewlett Packard.
此外,设计团队,特别是爱立信的贾里·阿尔科(Jari Arkko)和微软的伯纳德·阿博巴(Bernard Aboba)以及团队的其他成员也做出了重要的回应和对话。它还经过了IEEE 802.1的审查,并得到了Meetinghouse的Jim Burns和Hewlett-Packard的Paul Congdon的意见。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)", RFC 3579, September 2003.
[RFC3579]Aboba,B.和P.Calhoun,“RADIUS(远程认证拨入用户服务)对可扩展认证协议(EAP)的支持”,RFC 3579,2003年9月。
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, Ed., "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004.
[RFC3748]Aboba,B.,Blunk,L.,Vollbrecht,J.,Carlson,J.,和H.Levkowetz,Ed.,“可扩展认证协议(EAP)”,RFC 3748,2004年6月。
[Keying] Aboba, B., Simon, D., Arkko, J., Eronen, P., Levkowetz, H., "Extensible Authentication Protocol (EAP) Key Management Framework", Work in Progress, July 2005.
[Keying]Aboba,B.,Simon,D.,Arkko,J.,Eronen,P.,Levkowetz,H.,“可扩展认证协议(EAP)密钥管理框架”,正在进行的工作,2005年7月。
[1X-2004] Institute of Electrical and Electronics Engineers, "Standard for Local and Metropolitan Area Networks: Port-Based Network Access Control", IEEE 802.1X-2004, December 2004.
[1X-2004]电气和电子工程师协会,“局域网和城域网标准:基于端口的网络访问控制”,IEEE 802.1X-2004,2004年12月。
This appendix contains the state diagrams in ASCII format. Please use the PDF version whenever possible; it is much easier to understand.
本附录包含ASCII格式的状态图。请尽可能使用PDF版本;这更容易理解。
The notation is as follows: state name and pseudocode executed when entering it are shown on the left; outgoing transitions with their conditions are shown on the right.
表示法如下:左侧显示输入时执行的状态名和伪代码;右侧显示了带条件的传出转换。
--------------------------------------------------------------------- (global transitions) | !portEnabled | DISABLED |------------------------+-------------- | eapRestart && | INITIALIZE | portEnabled | -----------------------------+------------------------+-------------- DISABLED | portEnabled | INITIALIZE -----------------------------+------------------------+-------------- INITIALIZE | | | | selectedMethod = NONE | | methodState = NONE | | allowNotifications = TRUE | | decision = FAIL | UCT | IDLE idleWhile = ClientTimeout | | lastId = NONE | | eapSuccess = FALSE | | eapFail = FALSE | | eapKeyData = NONE | | eapKeyAvailable = FALSE | | eapRestart = FALSE | | -----------------------------+------------------------+-------------- IDLE | eapReq | RECEIVED |------------------------+-------------- | (altAccept && | | decision != FAIL) || | | (idleWhile == 0 && | SUCCESS | decision == | | UNCOND_SUCC) | |------------------------+--------------
--------------------------------------------------------------------- (global transitions) | !portEnabled | DISABLED |------------------------+-------------- | eapRestart && | INITIALIZE | portEnabled | -----------------------------+------------------------+-------------- DISABLED | portEnabled | INITIALIZE -----------------------------+------------------------+-------------- INITIALIZE | | | | selectedMethod = NONE | | methodState = NONE | | allowNotifications = TRUE | | decision = FAIL | UCT | IDLE idleWhile = ClientTimeout | | lastId = NONE | | eapSuccess = FALSE | | eapFail = FALSE | | eapKeyData = NONE | | eapKeyAvailable = FALSE | | eapRestart = FALSE | | -----------------------------+------------------------+-------------- IDLE | eapReq | RECEIVED |------------------------+-------------- | (altAccept && | | decision != FAIL) || | | (idleWhile == 0 && | SUCCESS | decision == | | UNCOND_SUCC) | |------------------------+--------------
|------------------------+-------------- | altReject || | | (idleWhile == 0 && | | decision != | | UNCOND_SUCC) || | FAILURE | (altAccept && | | methodState != CONT && | | decision == FAIL) | -----------------------------+------------------------+-------------- RECEIVED | rxReq && | METHOD | (reqId != lastId) && | (rxReq,rxSuccess,rxFailure, | (reqMethod == | reqId,reqMethod) = | selectedMethod) && | parseEapReq(eapReqData) | (methodState != DONE) | |------------------------+-------------- | rxReq && | | (reqId != lastId) && | | (selectedMethod == | | NONE) && | GET_METHOD | (reqMethod != | | IDENTITY) && | | (reqMethod != | | NOTIFICATION) | |------------------------+-------------- | rxReq && | | (reqId != lastId) && | | (selectedMethod == | IDENTITY | NONE) && | | (reqMethod == | | IDENTITY) | |------------------------+-------------- | rxReq && | | (reqId != lastId) && | | (reqMethod == | NOTIFICATION | NOTIFICATION) && | | allowNotifications | |------------------------+-------------- | rxReq && | RETRANSMIT | (reqId == lastId) | |------------------------+-------------- | rxSuccess && | | (reqId == lastId) && | SUCCESS | (decision != FAIL) | |------------------------+--------------
|------------------------+-------------- | altReject || | | (idleWhile == 0 && | | decision != | | UNCOND_SUCC) || | FAILURE | (altAccept && | | methodState != CONT && | | decision == FAIL) | -----------------------------+------------------------+-------------- RECEIVED | rxReq && | METHOD | (reqId != lastId) && | (rxReq,rxSuccess,rxFailure, | (reqMethod == | reqId,reqMethod) = | selectedMethod) && | parseEapReq(eapReqData) | (methodState != DONE) | |------------------------+-------------- | rxReq && | | (reqId != lastId) && | | (selectedMethod == | | NONE) && | GET_METHOD | (reqMethod != | | IDENTITY) && | | (reqMethod != | | NOTIFICATION) | |------------------------+-------------- | rxReq && | | (reqId != lastId) && | | (selectedMethod == | IDENTITY | NONE) && | | (reqMethod == | | IDENTITY) | |------------------------+-------------- | rxReq && | | (reqId != lastId) && | | (reqMethod == | NOTIFICATION | NOTIFICATION) && | | allowNotifications | |------------------------+-------------- | rxReq && | RETRANSMIT | (reqId == lastId) | |------------------------+-------------- | rxSuccess && | | (reqId == lastId) && | SUCCESS | (decision != FAIL) | |------------------------+--------------
|------------------------+-------------- | (methodState!=CONT) && | | ((rxFailure && | | decision != | | UNCOND_SUCC) || | FAILURE | (rxSuccess && | | decision == FAIL)) && | | (reqId == lastId) | |------------------------+-------------- | else | DISCARD -----------------------------+------------------------+-------------- METHOD | | | | ignore = m.check(eapReqData) | ignore | DISCARD if (!ignore) { | | (methodState, decision, | | allowNotifications) = |------------------------+-------------- m.process(eapReqData) | | /* methodState is CONT, | | MAY_CONT, or DONE */ | (methodState==DONE) && | FAILURE /* decision is FAIL, | (decision == FAIL) | COND_SUCC, or | | UNCOND_SUCC */ | | eapRespData = |------------------------+-------------- m.buildResp(reqId) | | if (m.isKeyAvailable()) | else | SEND_RESPONSE eapKeyData = m.getKey() | | } | | -----------------------------+------------------------+-------------- GET_METHOD | | | selectedMethod == | if (allowMethod(reqMethod)) {| reqMethod | METHOD selectedMethod = reqMethod | | methodState = INIT | | } else { |------------------------+-------------- eapRespData = | | buildNak(reqId) | else | SEND_RESPONSE } | | -----------------------------+------------------------+-------------- IDENTITY | | | | processIdentity(eapReqData) | UCT | SEND_RESPONSE eapRespData = | | buildIdentity(reqId) | | -----------------------------+------------------------+--------------
|------------------------+-------------- | (methodState!=CONT) && | | ((rxFailure && | | decision != | | UNCOND_SUCC) || | FAILURE | (rxSuccess && | | decision == FAIL)) && | | (reqId == lastId) | |------------------------+-------------- | else | DISCARD -----------------------------+------------------------+-------------- METHOD | | | | ignore = m.check(eapReqData) | ignore | DISCARD if (!ignore) { | | (methodState, decision, | | allowNotifications) = |------------------------+-------------- m.process(eapReqData) | | /* methodState is CONT, | | MAY_CONT, or DONE */ | (methodState==DONE) && | FAILURE /* decision is FAIL, | (decision == FAIL) | COND_SUCC, or | | UNCOND_SUCC */ | | eapRespData = |------------------------+-------------- m.buildResp(reqId) | | if (m.isKeyAvailable()) | else | SEND_RESPONSE eapKeyData = m.getKey() | | } | | -----------------------------+------------------------+-------------- GET_METHOD | | | selectedMethod == | if (allowMethod(reqMethod)) {| reqMethod | METHOD selectedMethod = reqMethod | | methodState = INIT | | } else { |------------------------+-------------- eapRespData = | | buildNak(reqId) | else | SEND_RESPONSE } | | -----------------------------+------------------------+-------------- IDENTITY | | | | processIdentity(eapReqData) | UCT | SEND_RESPONSE eapRespData = | | buildIdentity(reqId) | | -----------------------------+------------------------+--------------
-----------------------------+------------------------+-------------- NOTIFICATION | | | | processNotify(eapReqData) | UCT | SEND_RESPONSE eapRespData = | | buildNotify(reqId) | | -----------------------------+------------------------+-------------- RETRANSMIT | | | UCT | SEND_RESPONSE eapRespData = lastRespData | | -----------------------------+------------------------+-------------- DISCARD | | | UCT | IDLE eapReq = FALSE | | eapNoResp = TRUE | | -----------------------------+------------------------+-------------- SEND_RESPONSE | | | | lastId = reqId | | lastRespData = eapRespData | UCT | IDLE eapReq = FALSE | | eapResp = TRUE | | idleWhile = ClientTimeout | | -----------------------------+------------------------+-------------- SUCCESS | | | | if (eapKeyData != NONE) | | eapKeyAvailable = TRUE | | eapSuccess = TRUE | | -----------------------------+------------------------+-------------- FAILURE | | | | eapFail = TRUE | | --------------------------------------------------------------------- Figure 8
-----------------------------+------------------------+-------------- NOTIFICATION | | | | processNotify(eapReqData) | UCT | SEND_RESPONSE eapRespData = | | buildNotify(reqId) | | -----------------------------+------------------------+-------------- RETRANSMIT | | | UCT | SEND_RESPONSE eapRespData = lastRespData | | -----------------------------+------------------------+-------------- DISCARD | | | UCT | IDLE eapReq = FALSE | | eapNoResp = TRUE | | -----------------------------+------------------------+-------------- SEND_RESPONSE | | | | lastId = reqId | | lastRespData = eapRespData | UCT | IDLE eapReq = FALSE | | eapResp = TRUE | | idleWhile = ClientTimeout | | -----------------------------+------------------------+-------------- SUCCESS | | | | if (eapKeyData != NONE) | | eapKeyAvailable = TRUE | | eapSuccess = TRUE | | -----------------------------+------------------------+-------------- FAILURE | | | | eapFail = TRUE | | --------------------------------------------------------------------- Figure 8
--------------------------------------------------------------------- (global transitions) | !portEnabled | DISABLED |---------------------+---------------- | eapRestart && | INITIALIZE | portEnabled | ------------------------------+---------------------+---------------- DISABLED | portEnabled | INITIALIZE ------------------------------+---------------------+----------------
--------------------------------------------------------------------- (global transitions) | !portEnabled | DISABLED |---------------------+---------------- | eapRestart && | INITIALIZE | portEnabled | ------------------------------+---------------------+---------------- DISABLED | portEnabled | INITIALIZE ------------------------------+---------------------+----------------
------------------------------+---------------------+---------------- INITIALIZE | | | | currentId = NONE | | eapSuccess = FALSE | | eapFail = FALSE | UCT | SELECT_ACTION eapTimeout = FALSE | | eapKeyData = NONE | | eapKeyAvailable = FALSE | | eapRestart = FALSE | | ------------------------------+---------------------+---------------- IDLE | | | retransWhile == 0 | RETRANSMIT retransWhile = | | calculateTimeout( |---------------------+---------------- retransCount, eapSRTT, | eapResp | RECEIVED eapRTTVAR, methodTimeout) | | ------------------------------+---------------------+---------------- RETRANSMIT | | | retransCount > | TIMEOUT_FAILURE retransCount++ | MaxRetrans | if (retransCount<=MaxRetrans){| | eapReqData = lastReqData |---------------------+---------------- eapReq = TRUE | else | IDLE } | | ------------------------------+---------------------+---------------- RECEIVED | rxResp && | | (respId == | (rxResp,respId,respMethod)= | currentId) && | parseEapResp(eapRespData) | (respMethod == NAK | | || | NAK | respMethod == | | EXPANDED_NAK) && | | (methodState == | | PROPOSED) | |---------------------+---------------- | rxResp && | | (respId == | | currentId) && | INTEGRITY_CHECK | (respMethod == | | currentMethod) | |---------------------+---------------- | else | DISCARD ------------------------------+---------------------+----------------
------------------------------+---------------------+---------------- INITIALIZE | | | | currentId = NONE | | eapSuccess = FALSE | | eapFail = FALSE | UCT | SELECT_ACTION eapTimeout = FALSE | | eapKeyData = NONE | | eapKeyAvailable = FALSE | | eapRestart = FALSE | | ------------------------------+---------------------+---------------- IDLE | | | retransWhile == 0 | RETRANSMIT retransWhile = | | calculateTimeout( |---------------------+---------------- retransCount, eapSRTT, | eapResp | RECEIVED eapRTTVAR, methodTimeout) | | ------------------------------+---------------------+---------------- RETRANSMIT | | | retransCount > | TIMEOUT_FAILURE retransCount++ | MaxRetrans | if (retransCount<=MaxRetrans){| | eapReqData = lastReqData |---------------------+---------------- eapReq = TRUE | else | IDLE } | | ------------------------------+---------------------+---------------- RECEIVED | rxResp && | | (respId == | (rxResp,respId,respMethod)= | currentId) && | parseEapResp(eapRespData) | (respMethod == NAK | | || | NAK | respMethod == | | EXPANDED_NAK) && | | (methodState == | | PROPOSED) | |---------------------+---------------- | rxResp && | | (respId == | | currentId) && | INTEGRITY_CHECK | (respMethod == | | currentMethod) | |---------------------+---------------- | else | DISCARD ------------------------------+---------------------+----------------
------------------------------+---------------------+---------------- NAK | | | UCT | SELECT_ACTION m.reset() | | Policy.update(<...>) | | ------------------------------+---------------------+---------------- SELECT_ACTION | decision == FAILURE | FAILURE | | decision = |---------------------+---------------- Policy.getDecision() | decision == SUCCESS | SUCCESS /* SUCCESS, FAILURE, or |---------------------+---------------- CONTINUE */ | else | PROPOSE_METHOD ------------------------------+---------------------+---------------- INTEGRITY_CHECK | ignore | DISCARD |---------------------+---------------- ignore = m.check(eapRespData) | !ignore | METHOD_RESPONSE ------------------------------+---------------------+---------------- METHOD_RESPONSE | | | methodState == END | SELECT_ACTION m.process(eapRespData) | | if (m.isDone()) { | | Policy.update(<...>) |---------------------+---------------- eapKeyData = m.getKey() | | methodState = END | else | METHOD_REQUEST } else | | methodState = CONTINUE | | ------------------------------+---------------------+---------------- PROPOSE_METHOD | | | | currentMethod = | | Policy.getNextMethod() | | m.init() | UCT | METHOD_REQUEST if (currentMethod==IDENTITY ||| | currentMethod==NOTIFICATION)| | methodState = CONTINUE | | else | | methodState = PROPOSED | | ------------------------------+---------------------+---------------- METHOD_REQUEST | | | | currentId = nextId(currentId) | UCT | SEND_REQUEST eapReqData = | | m.buildReq(currentId) | | methodTimeout = m.getTimeout()| | ------------------------------+---------------------+----------------
------------------------------+---------------------+---------------- NAK | | | UCT | SELECT_ACTION m.reset() | | Policy.update(<...>) | | ------------------------------+---------------------+---------------- SELECT_ACTION | decision == FAILURE | FAILURE | | decision = |---------------------+---------------- Policy.getDecision() | decision == SUCCESS | SUCCESS /* SUCCESS, FAILURE, or |---------------------+---------------- CONTINUE */ | else | PROPOSE_METHOD ------------------------------+---------------------+---------------- INTEGRITY_CHECK | ignore | DISCARD |---------------------+---------------- ignore = m.check(eapRespData) | !ignore | METHOD_RESPONSE ------------------------------+---------------------+---------------- METHOD_RESPONSE | | | methodState == END | SELECT_ACTION m.process(eapRespData) | | if (m.isDone()) { | | Policy.update(<...>) |---------------------+---------------- eapKeyData = m.getKey() | | methodState = END | else | METHOD_REQUEST } else | | methodState = CONTINUE | | ------------------------------+---------------------+---------------- PROPOSE_METHOD | | | | currentMethod = | | Policy.getNextMethod() | | m.init() | UCT | METHOD_REQUEST if (currentMethod==IDENTITY ||| | currentMethod==NOTIFICATION)| | methodState = CONTINUE | | else | | methodState = PROPOSED | | ------------------------------+---------------------+---------------- METHOD_REQUEST | | | | currentId = nextId(currentId) | UCT | SEND_REQUEST eapReqData = | | m.buildReq(currentId) | | methodTimeout = m.getTimeout()| | ------------------------------+---------------------+----------------
------------------------------+---------------------+---------------- DISCARD | | | UCT | IDLE eapResp = FALSE | | eapNoReq = TRUE | | ------------------------------+---------------------+---------------- SEND_REQUEST | | | | retransCount = 0 | UCT | IDLE lastReqData = eapReqData | | eapResp = FALSE | | eapReq = TRUE | | ------------------------------+---------------------+---------------- TIMEOUT_FAILURE | | | | eapTimeout = TRUE | | ------------------------------+---------------------+---------------- FAILURE | | | | eapReqData = | | buildFailure(currentId) | | eapFail = TRUE | | ------------------------------+---------------------+---------------- SUCCESS | | | | eapReqData = | | buildSuccess(currentId) | | if (eapKeyData != NONE) | | eapKeyAvailable = TRUE | | eapSuccess = TRUE | | --------------------------------------------------------------------- Figure 9
------------------------------+---------------------+---------------- DISCARD | | | UCT | IDLE eapResp = FALSE | | eapNoReq = TRUE | | ------------------------------+---------------------+---------------- SEND_REQUEST | | | | retransCount = 0 | UCT | IDLE lastReqData = eapReqData | | eapResp = FALSE | | eapReq = TRUE | | ------------------------------+---------------------+---------------- TIMEOUT_FAILURE | | | | eapTimeout = TRUE | | ------------------------------+---------------------+---------------- FAILURE | | | | eapReqData = | | buildFailure(currentId) | | eapFail = TRUE | | ------------------------------+---------------------+---------------- SUCCESS | | | | eapReqData = | | buildSuccess(currentId) | | if (eapKeyData != NONE) | | eapKeyAvailable = TRUE | | eapSuccess = TRUE | | --------------------------------------------------------------------- Figure 9
--------------------------------------------------------------------- (global transitions) | !backendEnabled | DISABLED ------------------------------+---------------------+---------------- DISABLED | backendEnabled && | INITIALIZE | aaaEapResp | ------------------------------+---------------------+----------------
--------------------------------------------------------------------- (global transitions) | !backendEnabled | DISABLED ------------------------------+---------------------+---------------- DISABLED | backendEnabled && | INITIALIZE | aaaEapResp | ------------------------------+---------------------+----------------
------------------------------+---------------------+---------------- INITIALIZE | !rxResp | SELECT_ACTION |---------------------+---------------- currentMethod = NONE | rxResp && | (rxResp,respId,respMethod)= | (respMethod == NAK | parseEapResp(aaaEapRespData)| || | NAK if (rxResp) | respMethod == | currentId = respId | EXPANDED_NAK) | else |---------------------+---------------- currentId = NONE | else | PICK_UP_METHOD ------------------------------+---------------------+---------------- PICK_UP_METHOD | | | currentMethod == | SELECT_ACTION if (Policy.doPickUp( | NONE | respMethod)) { | | currentMethod = respMethod |---------------------+---------------- m.initPickUp() | else | METHOD_RESPONSE } | | ------------------------------+---------------------+---------------- IDLE | aaaEapResp | RECEIVED ------------------------------+---------------------+---------------- RECEIVED | rxResp && | | (respId == | (rxResp,respId,respMethod)= | currentId) && | parseEapResp(aaaEapRespData)| (respMethod == NAK | | || | NAK | respMethod == | | EXPANDED_NAK) && | | (methodState == | | PROPOSED) | |---------------------+---------------- | rxResp && | | (respId == | | currentId) && | INTEGRITY_CHECK | (respMethod == | | currentMethod) | |---------------------+---------------- | else | DISCARD ------------------------------+---------------------+---------------- NAK | | | UCT | SELECT_ACTION m.reset() | | Policy.update(<...>) | | ------------------------------+---------------------+----------------
------------------------------+---------------------+---------------- INITIALIZE | !rxResp | SELECT_ACTION |---------------------+---------------- currentMethod = NONE | rxResp && | (rxResp,respId,respMethod)= | (respMethod == NAK | parseEapResp(aaaEapRespData)| || | NAK if (rxResp) | respMethod == | currentId = respId | EXPANDED_NAK) | else |---------------------+---------------- currentId = NONE | else | PICK_UP_METHOD ------------------------------+---------------------+---------------- PICK_UP_METHOD | | | currentMethod == | SELECT_ACTION if (Policy.doPickUp( | NONE | respMethod)) { | | currentMethod = respMethod |---------------------+---------------- m.initPickUp() | else | METHOD_RESPONSE } | | ------------------------------+---------------------+---------------- IDLE | aaaEapResp | RECEIVED ------------------------------+---------------------+---------------- RECEIVED | rxResp && | | (respId == | (rxResp,respId,respMethod)= | currentId) && | parseEapResp(aaaEapRespData)| (respMethod == NAK | | || | NAK | respMethod == | | EXPANDED_NAK) && | | (methodState == | | PROPOSED) | |---------------------+---------------- | rxResp && | | (respId == | | currentId) && | INTEGRITY_CHECK | (respMethod == | | currentMethod) | |---------------------+---------------- | else | DISCARD ------------------------------+---------------------+---------------- NAK | | | UCT | SELECT_ACTION m.reset() | | Policy.update(<...>) | | ------------------------------+---------------------+----------------
------------------------------+---------------------+---------------- SELECT_ACTION | decision == FAILURE | FAILURE | | decision = |---------------------+---------------- Policy.getDecision() | decision == SUCCESS | SUCCESS /* SUCCESS, FAILURE, or |---------------------+---------------- CONTINUE */ | else | PROPOSE_METHOD ------------------------------+---------------------+---------------- INTEGRITY_CHECK | ignore | DISCARD | | ignore = |---------------------+---------------- m.check(aaaEapRespData) | !ignore | METHOD_RESPONSE ------------------------------+---------------------+---------------- METHOD_RESPONSE | | | methodState == END | SELECT_ACTION m.process(aaaEapRespData) | | if (m.isDone()) { | | Policy.update(<...>) |---------------------+---------------- aaaEapKeyData = m.getKey() | | methodState = END | else | METHOD_REQUEST } else | | methodState = CONTINUE | | ------------------------------+---------------------+---------------- PROPOSE_METHOD | | | | currentMethod = | | Policy.getNextMethod() | | m.init() | UCT | METHOD_REQUEST if (currentMethod==IDENTITY ||| | currentMethod==NOTIFICATION)| | methodState = CONTINUE | | else | | methodState = PROPOSED | | ------------------------------+---------------------+---------------- METHOD_REQUEST | | | | currentId = nextId(currentId) | | aaaEapReqData = | UCT | SEND_REQUEST m.buildReq(currentId) | | aaaMethodTimeout = | | m.getTimeout() | | ------------------------------+---------------------+---------------- DISCARD | | | UCT | IDLE aaaEapResp = FALSE | | aaaEapNoReq = TRUE | | ------------------------------+---------------------+----------------
------------------------------+---------------------+---------------- SELECT_ACTION | decision == FAILURE | FAILURE | | decision = |---------------------+---------------- Policy.getDecision() | decision == SUCCESS | SUCCESS /* SUCCESS, FAILURE, or |---------------------+---------------- CONTINUE */ | else | PROPOSE_METHOD ------------------------------+---------------------+---------------- INTEGRITY_CHECK | ignore | DISCARD | | ignore = |---------------------+---------------- m.check(aaaEapRespData) | !ignore | METHOD_RESPONSE ------------------------------+---------------------+---------------- METHOD_RESPONSE | | | methodState == END | SELECT_ACTION m.process(aaaEapRespData) | | if (m.isDone()) { | | Policy.update(<...>) |---------------------+---------------- aaaEapKeyData = m.getKey() | | methodState = END | else | METHOD_REQUEST } else | | methodState = CONTINUE | | ------------------------------+---------------------+---------------- PROPOSE_METHOD | | | | currentMethod = | | Policy.getNextMethod() | | m.init() | UCT | METHOD_REQUEST if (currentMethod==IDENTITY ||| | currentMethod==NOTIFICATION)| | methodState = CONTINUE | | else | | methodState = PROPOSED | | ------------------------------+---------------------+---------------- METHOD_REQUEST | | | | currentId = nextId(currentId) | | aaaEapReqData = | UCT | SEND_REQUEST m.buildReq(currentId) | | aaaMethodTimeout = | | m.getTimeout() | | ------------------------------+---------------------+---------------- DISCARD | | | UCT | IDLE aaaEapResp = FALSE | | aaaEapNoReq = TRUE | | ------------------------------+---------------------+----------------
------------------------------+---------------------+---------------- SEND_REQUEST | | | UCT | IDLE aaaEapResp = FALSE | | aaaEapReq = TRUE | | ------------------------------+---------------------+---------------- FAILURE | | | | aaaEapReqData = | | buildFailure(currentId) | | aaaEapFail = TRUE | | ------------------------------+---------------------+---------------- SUCCESS | | | | aaaEapReqData = | | buildSuccess(currentId) | | if (aaaEapKeyData != NONE) | | aaaEapKeyAvailable = TRUE | | aaaEapSuccess = TRUE | | --------------------------------------------------------------------- Figure 10
------------------------------+---------------------+---------------- SEND_REQUEST | | | UCT | IDLE aaaEapResp = FALSE | | aaaEapReq = TRUE | | ------------------------------+---------------------+---------------- FAILURE | | | | aaaEapReqData = | | buildFailure(currentId) | | aaaEapFail = TRUE | | ------------------------------+---------------------+---------------- SUCCESS | | | | aaaEapReqData = | | buildSuccess(currentId) | | if (aaaEapKeyData != NONE) | | aaaEapKeyAvailable = TRUE | | aaaEapSuccess = TRUE | | --------------------------------------------------------------------- Figure 10
This state machine contains all the states from EAP stand-alone authenticator state machine, except that SELECT_ACTION state is replaced with the following:
此状态机包含EAP独立身份验证程序状态机中的所有状态,但SELECT_操作状态替换为以下状态除外:
--------------------------------------------------------------------- SELECT_ACTION | decision == FAILURE | FAILURE | | decision = |---------------------+---------------- Policy.getDecision() | decision == SUCCESS | SUCCESS /* SUCCESS, FAILURE, CONTINUE,|---------------------+---------------- or PASSTHROUGH */ | decision == | INITIALIZE_ | PASSTHROUGH | PASSTHROUGH |---------------------+---------------- | else | PROPOSE_METHOD --------------------------------------------------------------------- Figure 11
--------------------------------------------------------------------- SELECT_ACTION | decision == FAILURE | FAILURE | | decision = |---------------------+---------------- Policy.getDecision() | decision == SUCCESS | SUCCESS /* SUCCESS, FAILURE, CONTINUE,|---------------------+---------------- or PASSTHROUGH */ | decision == | INITIALIZE_ | PASSTHROUGH | PASSTHROUGH |---------------------+---------------- | else | PROPOSE_METHOD --------------------------------------------------------------------- Figure 11
And the following new states are added:
并添加了以下新状态:
--------------------------------------------------------------------- INITIALIZE_PASSTHROUGH | currentId != NONE | AAA_REQUEST |---------------------+---------------- aaaEapRespData = NONE | currentId == NONE | AAA_IDLE ------------------------------+---------------------+----------------
--------------------------------------------------------------------- INITIALIZE_PASSTHROUGH | currentId != NONE | AAA_REQUEST |---------------------+---------------- aaaEapRespData = NONE | currentId == NONE | AAA_IDLE ------------------------------+---------------------+----------------
------------------------------+---------------------+---------------- IDLE2 | | | retransWhile == 0 | RETRANSMIT2 retransWhile = | | calculateTimeout( |---------------------+---------------- retransCount, eapSRTT, | eapResp | RECEIVED2 eapRTTVAR, methodTimeout) | | ------------------------------+---------------------+---------------- RETRANSMIT2 | | | retransCount > | TIMEOUT_ retransCount++ | MaxRetrans | FAILURE2 if (retransCount<=MaxRetrans){| | eapReqData = lastReqData |---------------------+---------------- eapReq = TRUE | else | IDLE2 } | | ------------------------------+---------------------+---------------- RECEIVED2 | rxResp && | | (respId == | AAA_REQUEST (rxResp,respId,respMethod)= | currentId) | parseEapResp(eapRespData) |---------------------+---------------- | else | DISCARD2 ------------------------------+---------------------+---------------- AAA_REQUEST | | | | if (respMethod == IDENTITY) { | UCT | AAA_IDLE aaaIdentity = eapRespData | | aaaEapRespData = eapRespData | | ------------------------------+---------------------+---------------- AAA_IDLE | aaaEapNoReq | DISCARD2 |---------------------+---------------- aaaFail = FALSE | aaaEapReq | AAA_RESPONSE aaaSuccess = FALSE |---------------------+---------------- aaaEapReq = FALSE | aaaTimeout | TIMEOUT_ aaaEapNoReq = FALSE | | FAILURE2 aaaEapResp = TRUE |---------------------+---------------- | aaaFail | FAILURE2 |---------------------+---------------- | aaaSuccess | SUCCESS2 ------------------------------+---------------------+---------------- AAA_RESPONSE | | | | eapReqData = aaaEapReqData | UCT | SEND_REQUEST2 currentId = getId(eapReqData) | | methodTimeout = | | aaaMethodTimeout | | ------------------------------+---------------------+----------------
------------------------------+---------------------+---------------- IDLE2 | | | retransWhile == 0 | RETRANSMIT2 retransWhile = | | calculateTimeout( |---------------------+---------------- retransCount, eapSRTT, | eapResp | RECEIVED2 eapRTTVAR, methodTimeout) | | ------------------------------+---------------------+---------------- RETRANSMIT2 | | | retransCount > | TIMEOUT_ retransCount++ | MaxRetrans | FAILURE2 if (retransCount<=MaxRetrans){| | eapReqData = lastReqData |---------------------+---------------- eapReq = TRUE | else | IDLE2 } | | ------------------------------+---------------------+---------------- RECEIVED2 | rxResp && | | (respId == | AAA_REQUEST (rxResp,respId,respMethod)= | currentId) | parseEapResp(eapRespData) |---------------------+---------------- | else | DISCARD2 ------------------------------+---------------------+---------------- AAA_REQUEST | | | | if (respMethod == IDENTITY) { | UCT | AAA_IDLE aaaIdentity = eapRespData | | aaaEapRespData = eapRespData | | ------------------------------+---------------------+---------------- AAA_IDLE | aaaEapNoReq | DISCARD2 |---------------------+---------------- aaaFail = FALSE | aaaEapReq | AAA_RESPONSE aaaSuccess = FALSE |---------------------+---------------- aaaEapReq = FALSE | aaaTimeout | TIMEOUT_ aaaEapNoReq = FALSE | | FAILURE2 aaaEapResp = TRUE |---------------------+---------------- | aaaFail | FAILURE2 |---------------------+---------------- | aaaSuccess | SUCCESS2 ------------------------------+---------------------+---------------- AAA_RESPONSE | | | | eapReqData = aaaEapReqData | UCT | SEND_REQUEST2 currentId = getId(eapReqData) | | methodTimeout = | | aaaMethodTimeout | | ------------------------------+---------------------+----------------
------------------------------+---------------------+---------------- DISCARD2 | | | UCT | IDLE2 eapResp = FALSE | | eapNoReq = TRUE | | ------------------------------+---------------------+---------------- SEND_REQUEST2 | | | | retransCount = 0 | UCT | IDLE2 lastReqData = eapReqData | | eapResp = FALSE | | eapReq = TRUE | | ------------------------------+---------------------+---------------- TIMEOUT_FAILURE2 | | | | eapTimeout = TRUE | | ------------------------------+---------------------+---------------- FAILURE2 | | | | eapReqData = aaaEapReqData | | eapFail = TRUE | | ------------------------------+---------------------+---------------- SUCCESS2 | | | | eapReqData = aaaEapReqData | | eapKeyData = aaaEapKeyData | | eapKeyAvailable = | | aaaEapKeyAvailable | | eapSuccess = TRUE | | --------------------------------------------------------------------- Figure 12
------------------------------+---------------------+---------------- DISCARD2 | | | UCT | IDLE2 eapResp = FALSE | | eapNoReq = TRUE | | ------------------------------+---------------------+---------------- SEND_REQUEST2 | | | | retransCount = 0 | UCT | IDLE2 lastReqData = eapReqData | | eapResp = FALSE | | eapReq = TRUE | | ------------------------------+---------------------+---------------- TIMEOUT_FAILURE2 | | | | eapTimeout = TRUE | | ------------------------------+---------------------+---------------- FAILURE2 | | | | eapReqData = aaaEapReqData | | eapFail = TRUE | | ------------------------------+---------------------+---------------- SUCCESS2 | | | | eapReqData = aaaEapReqData | | eapKeyData = aaaEapKeyData | | eapKeyAvailable = | | aaaEapKeyAvailable | | eapSuccess = TRUE | | --------------------------------------------------------------------- Figure 12
Authors' Addresses
作者地址
John Vollbrecht Meetinghouse Data Communications 9682 Alice Hill Drive Dexter, MI 48130 USA
John Vollbrecht Meetinghouse数据通信9682美国密苏里州德克斯特市爱丽丝山大道48130号
EMail: jrv@mtghouse.com
EMail: jrv@mtghouse.com
Pasi Eronen Nokia Research Center P.O. Box 407 FIN-00045 Nokia Group, Finland
芬兰诺基亚集团Pasi Eronen诺基亚研究中心邮政信箱407 FIN-00045
EMail: pasi.eronen@nokia.com
EMail: pasi.eronen@nokia.com
Nick L. Petroni, Jr. University of Maryland, College Park A.V. Williams Building College Park, MD 20742 USA
小Nick L. Petroni,马里兰大学,学院公园诉威廉姆斯建筑学院公园,MD 20742美国
EMail: npetroni@cs.umd.edu
EMail: npetroni@cs.umd.edu
Yoshihiro Ohba Toshiba America Research, Inc. 1 Telcordia Drive Piscataway, NJ 08854 USA
美国新泽西州皮斯卡塔韦Telcordia Drive 1号东芝美国研究有限公司,邮编:08854
EMail: yohba@tari.toshiba.com
EMail: yohba@tari.toshiba.com
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2005).
版权所有(C)互联网协会(2005年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。