Network Working Group                                    V. Fajardo, Ed.
Request for Comments: 5609                        Telcordia Technologies
Category: Informational                                          Y. Ohba
                                                                 Toshiba
                                                          R. Marin-Lopez
                                                         Univ. of Murcia
                                                             August 2009
        

State Machines for the Protocol for Carrying Authentication for Network Access (PANA)

Abstract

This document defines the conceptual state machines for the Protocol for Carrying Authentication for Network Access (PANA). The state machines consist of the PANA Client (PaC) state machine and the PANA Authentication Agent (PAA) state machine. The two state machines show how PANA can interface with the Extensible Authentication Protocol (EAP) state machines. The state machines and associated models are informative only. Implementations may achieve the same results using different methods.

Status of This Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Table of Contents

   1. Introduction
   2. Terminology
   3. Interface between PANA and EAP
   4. Document Authority
   5. Notations
   6. Common Rules
      6.1. Common Procedures
      6.2. Common Variables
      6.3. Configurable Values
      6.4. Common Message Initialization Rules
      6.5. Common Retransmission Rules
      6.6. Common State Transitions
   7. PaC State Machine
      7.1. Interface between PaC and EAP Peer
           7.1.1. Delivering EAP Messages from PaC to EAP Peer
           7.1.2. Delivering EAP Messages from EAP Peer to PaC
           7.1.3. EAP Restart Notification from PaC to EAP Peer
           7.1.4. EAP Authentication Result Notification from EAP Peer to PaC
           7.1.5. Alternate Failure Notification from PaC to EAP Peer
      7.2. Configurable Values
      7.3. Variables
      7.4. Procedures
      7.5. PaC State Transition Table
   8. PAA State Machine
      8.1. Interface between PAA and EAP Authenticator
           8.1.1. EAP Restart Notification from PAA to EAP Authenticator
           8.1.2. Delivering EAP Responses from PAA to EAP Authenticator
           8.1.3. Delivering EAP Messages from EAP Authenticator to PAA
           8.1.4. EAP Authentication Result Notification from EAP Authenticator to PAA
      8.2. Variables
      8.3. Procedures
      8.4. PAA State Transition Table
   9. Implementation Considerations
      9.1. PAA and PaC Interface to Service Management Entity
   10. Security Considerations
   11. Acknowledgments
   12. References
      12.1. Normative References
      12.2. Informative References
        
1. Introduction

This document defines the state machines for the Protocol for Carrying Authentication for Network Access (PANA) [RFC5191]. There are state machines for the PANA Client (PaC) and for the PANA Authentication Agent (PAA). Each state machine is specified through a set of variables, procedures, and a state transition table. The state machines and associated models described in this document are informative only. Implementations may achieve similar results using different models and/or methods.

A PANA protocol execution consists of several exchanges that carry authentication information. Specifically, EAP PDUs are transported inside PANA PDUs between the PaC and the PAA; that is, PANA is a lower layer for EAP. A PANA state machine therefore bases its execution on the execution of an EAP state machine, and vice versa. This document accordingly also shows, for each of the PaC and the PAA, an interface between an EAP state machine and a PANA state machine, and how that interface lets the two exchange information. Through this interface a PANA state machine can be informed of events generated in an EAP state machine and make its execution conditional on those events.

The details of EAP state machines are out of the scope of this document. Additional information can be found in [RFC4137]. Nevertheless, PANA state machines presented here have been coordinated with state machines shown by [RFC4137].

This document, apart from defining PaC and PAA state machines and their interfaces to EAP state machines (running on top of PANA), provides some implementation considerations, taking into account that it is not a specification but an implementation guideline.

2. Terminology

This document reuses the terminology used in [RFC5191].

3. Interface between PANA and EAP

PANA carries EAP messages exchanged between an EAP peer and an EAP authenticator (see Figure 1). Thus, a PANA state machine interacts with an EAP state machine.

Two state machines are defined in this document: the PaC state machine (see Section 7) and the PAA state machine (see Section 8). The definition of each state machine consists of a set of variables, procedures, and a state transition table. A subset of these variables and procedures defines the interface between a PANA state machine and an EAP state machine, and the state transition table defines the PANA state machine behavior based on results obtained through them.

On the one hand, the PaC state machine interacts with an EAP peer state machine in order to carry out the PANA protocol on the PaC side. On the other hand, the PAA state machine interacts with an EAP authenticator state machine to run the PANA protocol on the PAA side.

                     Peer             |EAP            Auth
                     EAP    <---------|------------>  EAP
                    ^ |               |              ^ |
                    | |               | EAP-Message  | |  EAP-Message
        EAP-Message | |EAP-Message    |              | |
                    | v               |PANA          | v
                     PaC    <---------|------------>  PAA
        

Figure 1: Interface between PANA and EAP

Thus, two interfaces are needed between PANA state machines and EAP state machines, namely:

o Interface between the PaC state machine and the EAP peer state machine

o Interface between the PAA state machine and the EAP authenticator state machine

In general, the PaC and PAA state machines present EAP messages to the EAP peer and authenticator state machines through the interface, respectively. The EAP peer and authenticator state machines process these messages and send EAP messages through the PaC and PAA state machines that are responsible for actually transmitting this message, respectively.

For example, [RFC4137] specifies four interfaces to lower layers: (i) an interface between the EAP peer state machine and a lower layer, (ii) an interface between the EAP standalone authenticator state machine and a lower layer, (iii) an interface between the EAP full authenticator state machine and a lower layer, and (iv) an interface between the EAP backend authenticator state machine and a lower layer. In this document, the PANA protocol is the lower layer of EAP and only the first three interfaces are of interest to PANA. The second and third interfaces are the same. In this regard, the EAP standalone authenticator or the EAP full authenticator and its state machine in [RFC4137] are referred to as the EAP authenticator and the EAP authenticator state machine, respectively, in this document. If an EAP peer and an EAP authenticator follow the state machines defined in [RFC4137], the interfaces between PANA and EAP can be based on that document. Detailed definitions of the interfaces between PANA and EAP are given in the subsequent sections.

4. Document Authority

This document is intended to comply with the technical contents of any of the related documents ([RFC5191] and [RFC4137]). When there is a discrepancy, the related documents are considered authoritative and they take precedence over this document.

5. Notations

The state transition tables that follow are written mostly according to the conventions specified in [RFC4137]. Those conventions are restated below.

State transition tables are used to represent the operation of the protocol by a number of cooperating state machines each comprising a group of connected, mutually exclusive states. Only one state of each machine can be active at any given time.

All permissible transitions from a given state to other states and associated actions performed when the transitions occur are represented by using triplets of (exit condition, exit action, exit state). All conditions are expressions that evaluate to TRUE or FALSE; if a condition evaluates to TRUE, then the condition is met. A state "ANY" is a wildcard state that matches any state in each state machine except those explicitly enumerated as exception states. The exit conditions of a wildcard state are evaluated after all other exit conditions specific to the current state are met.

On exit from a state, the exit actions defined for the state and the exit condition are executed exactly once, in the order that they appear. (Note that the procedures defined in [RFC4137] are executed on entry to a state, which is one major difference from this document.) Each exit action is deemed to be atomic; i.e., execution of an exit action completes before the next sequential exit action starts to execute. No exit action executes outside of a state block. The exit actions in only one state block execute at a time even if the conditions for execution of state blocks in different state machines are satisfied. All exit actions in an executing state block complete execution before the transition to and execution of any other state blocks. The execution of any state block appears to be atomic with respect to the execution of any other state block, and the transition condition to that state from the previous state is TRUE when execution commences. The order of execution of state blocks in different state machines is undefined except as constrained by their transition conditions. A variable that is set to a particular value in a state block retains this value until a subsequent state block executes an exit action that modifies the value.

On completion of the transition from the previous state to the current state, all exit conditions occurring during the current state (including exit conditions defined for the wildcard state) are evaluated until an exit condition for that state is met.

Any event variable is set to TRUE when the corresponding event occurs and set to FALSE immediately after completion of the action associated with the current state and the event.

The interpretation of the special symbols and operators used is defined in [RFC4137].

6. Common Rules

The following procedures, variables, message initialization rules, and state transitions are common to both the PaC and PAA state machines.

Throughout this document, the character string "PANA_MESSAGE_NAME" matches any one of the abbreviated PANA message names, i.e., "PCI", "PAR", "PAN", "PTR", "PTA", "PNR", "PNA".

6.1. Common Procedures

void None()

A null procedure, i.e., nothing is done.

void Disconnect()

A procedure to delete the PANA session as well as the corresponding EAP session and authorization state.

boolean Authorize()

A procedure to create or modify authorization state. It returns TRUE if authorization is successful; otherwise, it returns FALSE. It is assumed that the Authorize() procedure of the PaC state machine always returns TRUE. In the case that a non-key-generating EAP method is used but a PANA SA is required after successful authentication (generate_pana_sa() returns TRUE), the Authorize() procedure must return FALSE, since no PANA_AUTH_KEY can be derived for the SA.

void Tx:PANA_MESSAGE_NAME[flag](AVPs)

A procedure to send a PANA message to its peering PANA entity. The "flag" argument contains one or more flags (e.g., Tx:PAR[C]) to be set on the message, excluding the 'R' (Request) flag, which is set by the initialization rules of Section 6.4. The "AVPs" argument contains a list of names of optional AVPs to be inserted in the message, excluding the AUTH AVP, which is inserted by the procedure itself whenever a key is available.

This procedure includes the following action before actual transmission:

             if (flag==S)
               PANA_MESSAGE_NAME.S_flag=Set;
             if (flag==C)
               PANA_MESSAGE_NAME.C_flag=Set;
             if (flag==A)
               PANA_MESSAGE_NAME.A_flag=Set;
             if (flag==P)
               PANA_MESSAGE_NAME.P_flag=Set;
             PANA_MESSAGE_NAME.insert_avp(AVPs);
             if (key_available())
               PANA_MESSAGE_NAME.insert_avp("AUTH");
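The Tx procedure above, together with key_available() and the initialization rules of Section 6.4, worked through on the wire as an added example in Python. This is not code from RFC 5609 or from any PANA implementation. It assumes the RFC 5191 message layout: a 16-octet header (Reserved, Message Length, Flags, Message Type, Session Identifier, Sequence Number) with flag bits R=0x8000, S=0x4000, C=0x2000, A=0x1000, P=0x0800; message types PANA-Auth=2, PANA-Termination=3, PANA-Notification=4; AVPs laid out as Code, Flags, Length, Reserved, Value padded to 4 octets, with AVP codes AUTH=1, EAP-Payload=2, Nonce=5, Result-Code=7. HMAC-SHA-256 stands in for the negotiated PRF and Integrity-Algorithm, and the PANA_AUTH_KEY derivation is a placeholder for the prf+ construction of RFC 5191. The R flag is applied by the request/answer rule, the "flag" argument may carry several flags at once, and the AUTH AVP is appended only when key_available() returns TRUE, which is the point of the pseudocode.

```python
# Added example: Tx:PANA_MESSAGE_NAME[flag](AVPs) and key_available() on the wire.
# Wire layout, flag bits, type and AVP codes are assumed from RFC 5191; HMAC-SHA-256
# is a placeholder for the negotiated algorithms.  Not RFC 5609 code.
from __future__ import annotations

import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

FLAG_BITS = {"R": 0x8000, "S": 0x4000, "C": 0x2000, "A": 0x1000, "P": 0x0800}
MSG_TYPE = {"PAR": 2, "PAN": 2, "PTR": 3, "PTA": 3, "PNR": 4, "PNA": 4}
REQUESTS = {"PAR", "PTR", "PNR"}          # Section 6.4: R-flag set for requests only
AVP_CODE = {"AUTH": 1, "EAP-Payload": 2, "Nonce": 5, "Result-Code": 7}
AUTH_LEN = 32                              # HMAC-SHA-256 output, 4-octet aligned


def encode_avp(name: str, value: bytes) -> bytes:
    """AVP: Code, Flags, Length (of Value only), Reserved, Value padded to 4 octets."""
    hdr = struct.pack("!HHHH", AVP_CODE[name], 0, len(value), 0)
    return hdr + value + b"\x00" * ((-len(value)) % 4)


def parse_header(msg: bytes) -> Dict[str, int]:
    _res, length, flags, mtype, sid, seq = struct.unpack_from("!HHHHII", msg, 0)
    return {"length": length, "flags": flags, "type": mtype, "session_id": sid, "seq": seq}


def parse_avps(msg: bytes) -> List[Tuple[int, bytes, int]]:
    """Return (code, value, offset of value) for every AVP after the 16-octet header."""
    out, off = [], 16
    while off < len(msg):
        code, _flags, length, _res = struct.unpack_from("!HHHH", msg, off)
        val_off = off + 8
        out.append((code, msg[val_off:val_off + length], val_off))
        off = val_off + length + ((-length) % 4)
    return out


class PanaSession:
    def __init__(self, session_id: int, msk: Optional[bytes] = None):
        self.session_id = session_id
        self.seq = 0
        self.msk = msk                              # handed over by the EAP entity
        self.pana_auth_key: Optional[bytes] = None  # PANA_AUTH_KEY once derived

    def key_available(self) -> bool:
        """Section 6.1: TRUE if a PANA_AUTH_KEY exists or can be derived from an MSK."""
        if self.pana_auth_key is not None:
            return True
        if self.msk is None:
            return False
        # placeholder for PANA_AUTH_KEY = prf+(MSK, "IETF PANA" | ...) of RFC 5191
        self.pana_auth_key = hmac.new(self.msk, b"IETF PANA", hashlib.sha256).digest()
        return True

    def tx(self, name: str, flags: str = "", avps: Optional[Dict[str, bytes]] = None) -> bytes:
        """Tx:NAME[flags](AVPs): R per Section 6.4, the given flags, the listed AVPs,
        and an AUTH AVP only when key_available() returns TRUE."""
        if "R" in flags:
            raise ValueError("R is set by the initialization rule, not passed as a flag")
        bits = FLAG_BITS["R"] if name in REQUESTS else 0
        for f in flags:                      # "one or more flags", e.g. "CP"
            bits |= FLAG_BITS[f]
        body = b"".join(encode_avp(n, v) for n, v in (avps or {}).items())
        protected = self.key_available()
        if protected:
            body += encode_avp("AUTH", b"\x00" * AUTH_LEN)   # zeroed, MAC filled below
        self.seq += 1
        hdr = struct.pack("!HHHHII", 0, 16 + len(body), bits, MSG_TYPE[name],
                          self.session_id, self.seq)
        msg = hdr + body
        if protected:
            mac = hmac.new(self.pana_auth_key, msg, hashlib.sha256).digest()
            msg = msg[:-AUTH_LEN] + mac      # AUTH is the last AVP and needs no padding
        return msg


def verify_auth(key: bytes, msg: bytes) -> bool:
    """Receiver: recompute the MAC with the AUTH value zeroed; no AUTH AVP means unprotected."""
    for code, value, off in parse_avps(msg):
        if code == AVP_CODE["AUTH"]:
            zeroed = msg[:off] + b"\x00" * len(value) + msg[off + len(value):]
            expected = hmac.new(key, zeroed, hashlib.sha256).digest()
            return hmac.compare_digest(expected, value)
    return False


def demo() -> Dict[str, bool]:
    msk = bytes(range(64))                      # constructed sample MSK, not a real key
    before = PanaSession(0x1234)                # authentication phase: no key yet
    pan = before.tx("PAN", "S", {"Nonce": b"\x11" * 16})
    after = PanaSession(0x1234, msk)            # after EAP success: MSK delivered
    pnr = after.tx("PNR", "P")
    key = after.pana_auth_key
    forged = bytearray(pnr)
    forged[4] ^= FLAG_BITS["C"] >> 8            # in-flight change of a header flag
    return {
        "pan_has_auth": any(c == AVP_CODE["AUTH"] for c, _, _ in parse_avps(pan)),
        "pnr_has_auth": any(c == AVP_CODE["AUTH"] for c, _, _ in parse_avps(pnr)),
        "pnr_verifies": verify_auth(key, pnr),
        "forged_verifies": verify_auth(key, bytes(forged)),
        "pan_verifies": verify_auth(key, pan),
    }
```

demo() builds a PAN[S] before any MSK exists (no AUTH AVP is inserted) and a PNR[P] after EAP success (AUTH present), then shows that a receiver holding the key rejects both a copy whose flags were altered in transit and a message that carries no AUTH AVP at all. The last check matters: once a PANA SA exists, a receiver that still accepts messages without an AUTH AVP lets an attacker replace protected messages with unprotected ones.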
        

void TxEAP()

A procedure to send an EAP message to the EAP state machine to which it interfaces.

void RtxTimerStart()

A procedure to start the retransmission timer, reset RTX_COUNTER variable to zero, and set an appropriate value to RTX_MAX_NUM variable. Note that RTX_MAX_NUM is assumed to be set to the same default value for all messages. However, implementations may also reset RTX_MAX_NUM in this procedure and its value may vary depending on the message that was sent.

void RtxTimerStop()

A procedure to stop the retransmission timer.

void SessionTimerReStart(TIMEOUT)

A procedure to (re)start the PANA session timer. TIMEOUT specifies the expiration time associated with the session timer. Expiration of TIMEOUT will trigger a SESS_TIMEOUT event.

void SessionTimerStop()

A procedure to stop the current PANA session timer.

void Retransmit()

A procedure to retransmit a PANA message and increment RTX_COUNTER by one(1).

void EAP_Restart()

A procedure to (re)start an EAP conversation resulting in the re-initialization of an existing EAP session.

void PANA_MESSAGE_NAME.insert_avp("AVP_NAME1", "AVP_NAME2",...)

A procedure to insert AVPs for each specified AVP name in the list of AVP names in the PANA message. When an AVP name ends with "*", zero, one, or more AVPs are inserted; otherwise, one AVP is inserted.

boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME")

A procedure that checks whether an AVP of the specified AVP name exists in the specified PANA message and returns TRUE if the specified AVP is found, otherwise returns FALSE.

boolean generate_pana_sa()

A procedure to check whether the EAP method being used generates keys and that a PANA SA will be established on successful authentication. For the PaC, the procedure is also used to check and match the PRF and Integrity algorithm AVPs advertised by the PAA in PAR[S] message. For the PAA, it is used to indicate whether a PRF and Integrity algorithm AVPs will be sent in the PAR[S]. This procedure will return TRUE if a PANA SA will be generated. Otherwise, it returns FALSE.

boolean key_available()

A procedure to check whether the PANA session has a PANA_AUTH_KEY. If the state machine already has a PANA_AUTH_KEY, it returns TRUE. If the state machine does not have a PANA_AUTH_KEY, it tries to retrieve a Master Session Key (MSK) from the EAP entity. If an MSK is retrieved, it computes a PANA_AUTH_KEY from the MSK and returns TRUE. Otherwise, it returns FALSE.

6.2. Common Variables

PAR.RESULT_CODE

This variable contains the Result-Code AVP value in the PANA-Auth-Request message in process. When this variable carries PANA_SUCCESS, it is assumed that the PAR message always contains an EAP-Payload AVP that carries an EAP-Success message.

NONCE_SENT

This variable is set to TRUE to indicate that a Nonce-AVP has already been sent. Otherwise, it is set to FALSE.

RTX_COUNTER

This variable contains the current number of retransmissions of the outstanding PANA message.

Rx:PANA_MESSAGE_NAME[flag]

This event variable is set to TRUE when the specified PANA message is received from its peering PANA entity. The "flag" contains a flag (e.g., Rx:PAR[C]), except for 'R' (Request) flag.

RTX_TIMEOUT

This event variable is set to TRUE when the retransmission timer is expired.

REAUTH

This event variable is set to TRUE when an initiation of re-authentication phase is triggered. This event variable can only be set while in the OPEN state.

TERMINATE

This event variable is set to TRUE when initiation of PANA session termination is triggered. This event variable can only be set while in the OPEN state.

PANA_PING

This event variable is set to TRUE when initiation of liveness test based on PANA-Notification exchange is triggered. This event variable can only be set while in the OPEN state.

SESS_TIMEOUT

This event variable is set to TRUE when the session timer has expired.

LIFETIME_SESS_TIMEOUT

Configurable value used by the PaC and PAA to close or disconnect an established session in the access phase. This variable indicates the expiration of the session and is set to the value of Session-Lifetime AVP if present in the last PANA-Auth-Request message in the case of the PaC. Otherwise, it is assumed that the value is infinite and therefore has no expiration. Expiration of LIFETIME_SESS_TIMEOUT will cause the event variable SESS_TIMEOUT to be set.

ANY

This event variable is set to TRUE when any event occurs.

6.3. Configurable Values

RTX_MAX_NUM

Configurable maximum for how many retransmissions should be attempted before aborting.

6.4. Common Message Initialization Rules

When a message is prepared for sending, it is initialized as follows:

o For a request message, R-flag of the header is set. Otherwise, R-flag is not set.

o Other message header flags are not set. They are set explicitly by specific state machine actions.

o AVPs that are mandatory to be included in a message are inserted with appropriate values set.

6.5. Common Retransmission Rules

The state machines defined in this document assume that the PaC and the PAA cache the last transmitted answer message. This scheme is described in Section 5.2 of [RFC5191]. When the PaC or PAA receives a retransmitted or duplicate request, it would be able to resend the corresponding answer without any aid from the EAP layer. However, to simplify the state machine description, this caching scheme is omitted in the state machines below. In the case that there is not a corresponding answer to a retransmitted request, the request will be handled by the corresponding state machine.

6.6. Common State Transitions

The following transitions can occur at any state with exemptions explicitly noted.

   ----------
   State: ANY
   ----------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (Re-transmissions)- - - - - - - - - -
   RTX_TIMEOUT &&           Retransmit();              (no change)
   RTX_COUNTER<
   RTX_MAX_NUM
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - (Reach maximum number of transmissions)- - - - - -
   (RTX_TIMEOUT &&          Disconnect();              CLOSED
    RTX_COUNTER>=
    RTX_MAX_NUM) ||
   SESS_TIMEOUT
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   -------------------------
   State: ANY except INITIAL
   -------------------------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - (liveness test initiated by peer)- - - - - -
   Rx:PNR[P]                Tx:PNA[P]();               (no change)
        
   -------------------------------
   State: ANY except WAIT_PNA_PING
   -------------------------------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - (liveness test response) - - - - - - - -
   Rx:PNA[P]                None();                    (no change)
        

The following transitions can occur on any exit condition within the specified state.

   -------------
   State: CLOSED
   -------------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - -(Catch all event on closed state) - - - - - - - -
   ANY                      None();                    CLOSED
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
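
The common transitions above, as an added example that is not part of RFC 5609: a small Python model in which the retransmission rule, the session timeout, the peer-initiated liveness test and the CLOSED catch-all are checked before any state-specific entry is consulted. RTX_MAX_NUM is given an assumed value, Retransmit() is assumed to increment RTX_COUNTER (the retransmission entry needs that for the counter to ever reach RTX_MAX_NUM), and the event and action names are the table's own.

```python
"""Common ("State: ANY") transitions shared by the PANA state machines,
as an event-driven model.  Added example, not code from RFC 5609.
RTX_MAX_NUM is an assumed value; Retransmit() is assumed to bump
RTX_COUNTER, which the retransmission entry relies on."""

RTX_MAX_NUM = 3     # assumed; the RFC leaves it configurable


class CommonTransitions:
    """Common rules, to be consulted before the per-state table."""

    def __init__(self, state="INITIAL", pending=None):
        self.state = state
        self.rtx_counter = 0            # RTX_COUNTER
        self.pending = pending          # last request sent, for Retransmit()
        self.actions = []               # exit actions taken, for inspection

    # Exit actions named in the tables.
    def retransmit(self):
        self.rtx_counter += 1
        self.actions.append(("Retransmit", self.pending, self.rtx_counter))

    def disconnect(self):
        self.actions.append(("Disconnect",))
        self.pending = None

    def tx(self, msg):
        self.actions.append(("Tx", msg))

    def handle(self, event):
        """Apply a common transition if one matches.  Returns True when
        the event was consumed, False when the per-state table must run."""
        if self.state == "CLOSED":
            return True                 # catch-all: None(), stay CLOSED

        if event == "RTX_TIMEOUT":
            if self.rtx_counter < RTX_MAX_NUM:
                self.retransmit()       # (no change)
            else:                       # maximum number of transmissions
                self.disconnect()
                self.state = "CLOSED"
            return True

        if event == "SESS_TIMEOUT":
            self.disconnect()
            self.state = "CLOSED"
            return True

        if event == "Rx:PNR[P]" and self.state != "INITIAL":
            self.tx("PNA[P]")           # answer the peer's liveness test
            return True

        if event == "Rx:PNA[P]" and self.state != "WAIT_PNA_PING":
            return True                 # unsolicited ping answer: None()

        return False                    # state-specific entries apply
```

handle() returns False when no common transition applies, so a caller runs it first and only then consults the per-state table; that ordering is what keeps a PNR[P] received in INITIAL, or a PNA[P] received in WAIT_PNA_PING, routed to the state-specific entry instead of the common one.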
        
7. PaC State Machine

7.1. Interface between PaC and EAP Peer

This interface defines the interactions between a PaC and an EAP peer. It serves as the mechanism for delivering EAP messages to the EAP peer: the EAP peer receives EAP requests and sends EAP responses via the PaC. It also provides a mechanism for notifying the EAP peer of PaC events and for receiving notification of EAP peer events. The EAP message delivery mechanism and the event notification mechanism in this interface correspond directly to entries in the PaC state transition table; message delivery and event notification occur only within the context of their associated states or exit actions.

7.1.1. Delivering EAP Messages from PaC to EAP Peer

The TxEAP() procedure in the PaC state machine delivers the EAP message contained in a PANA-Auth-Request (PAR) to the EAP peer. This procedure is enabled only after the EAP peer has been notified of an EAP restart event and before any event that terminates the EAP peer session. In the case where the EAP peer follows the EAP peer state machine defined in [RFC4137], TxEAP() sets the eapReq variable of the EAP peer state machine and places the EAP request in its eapReqData variable.

7.1.2. Delivering EAP Messages from EAP Peer to PaC

An EAP message is delivered from the EAP peer to the PaC via the EAP_RESPONSE event variable, which is set when the EAP peer passes the EAP message to its lower layer. In the case where the EAP peer follows the EAP peer state machine defined in [RFC4137], the EAP_RESPONSE event variable corresponds to the eapResp variable of that state machine, and the EAP message is contained in its eapRespData variable.

7.1.3. EAP Restart Notification from PaC to EAP Peer

The EAP peer state machine defined in [RFC4137] has an initialization procedure that must run before it receives an EAP message. To initialize the EAP peer state machine, the PaC state machine defines an event notification mechanism that sends an EAP (re)start event to the EAP peer. The notification is done via the EAP_Restart() procedure; in the PaC state transition table it is invoked from the INITIAL state when the first PANA-Auth-Request (a PAR with the 'S' flag set) is received from the PAA.

7.1.4. EAP Authentication Result Notification from EAP Peer to PaC

In order for the EAP peer to notify the PaC of an EAP authentication result, the EAP_SUCCESS and EAP_FAILURE event variables are defined. In the case where the EAP peer follows the EAP peer state machine defined in [RFC4137], EAP_SUCCESS and EAP_FAILURE correspond to the eapSuccess and eapFail variables of that state machine, respectively. In this case, if EAP_SUCCESS is set to TRUE and the EAP method in use generated an MSK, the eapKeyAvailable variable is set to TRUE and the eapKeyData variable contains the MSK. Note that EAP_SUCCESS and EAP_FAILURE may be set to TRUE before the PaC receives a PAR with the 'Complete' flag set from the PAA; the PaC state machine therefore acts on them only in the WAIT_EAP_RESULT and WAIT_EAP_RESULT_CLOSE states, which are entered on receipt of that PAR.

7.1.5. Alternate Failure Notification from PaC to EAP Peer

The alt_reject() procedure in the PaC state machine delivers an authentication failure event to the EAP peer without an accompanying EAP message. In the case where the EAP peer follows the EAP peer state machine defined in [RFC4137], alt_reject() sets the altReject variable of that state machine. Note that the EAP peer state machine in [RFC4137] also defines an altAccept variable; it is never used in PANA, where EAP-Success messages are reliably delivered by the last PANA-Auth exchange.

7.2. Configurable Values

FAILED_SESS_TIMEOUT

This is a configurable value that allows the PaC to determine whether a PaC authentication and authorization phase has stalled without an explicit EAP success or failure notification.

7.3. Variables

AUTH_USER

This event variable is set to TRUE when initiation of EAP-based (re-)authentication is triggered by the application.

EAP_SUCCESS

This event variable is set to TRUE when the EAP peer determines that an EAP conversation completes with success.

EAP_FAILURE

This event variable is set to TRUE when the EAP peer determines that an EAP conversation completes with failure.

EAP_RESPONSE

This event variable is set to TRUE when the EAP peer delivers an EAP message to the PaC. This event accompanies an EAP message received from the EAP peer.

EAP_RESP_TIMEOUT

This event variable is set to TRUE when the PaC that has passed an EAP message to the EAP layer does not receive a subsequent EAP message from the EAP layer in a given period. This provides a time limit for certain EAP methods where user interaction may be required.

EAP_DISCARD

This event variable is set to TRUE when the EAP peer indicates that it has silently discarded the last received EAP-Request. This event does not accompany any EAP message. In the case where the EAP peer follows the EAP peer state machine defined in [RFC4137], this event variable corresponds to eapNoResp. Note that this specification does not support silently discarding EAP messages: as the WAIT_EAP_MSG entries of the PaC state transition table show, EAP_DISCARD tears the session down (Disconnect() and a transition to CLOSED). This may have an impact on denial-of-service resistance, since a message that the EAP peer would otherwise have ignored instead terminates the session.

7.4. Procedures

boolean eap_piggyback()

This procedure returns TRUE when the next EAP response is to be carried in the pending PAN message (an optimization that saves one PAR/PAN exchange), and FALSE when the PaC answers the PAR immediately and sends the EAP response later in a PAR of its own.

void alt_reject()

This procedure informs the EAP peer of an authentication failure event without an accompanying EAP message.

void EAP_RespTimerStart()

This procedure starts the timer that bounds how long the PaC waits for an EAP-Response from the EAP peer; its expiry sets the EAP_RESP_TIMEOUT event variable.

void EAP_RespTimerStop()

This procedure stops the timer started by EAP_RespTimerStart().

7.5. PaC State Transition Table
   ------------------------------
   State: INITIAL (Initial State)
   ------------------------------
        

Initialization Action:

     NONCE_SENT=Unset;
     RTX_COUNTER=0;
     RtxTimerStop();
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+-----------
   - - - - - - - - - - (PaC-initiated Handshake) - - - - - - - - -
   AUTH_USER                Tx:PCI[]();                INITIAL
                            RtxTimerStart();
                            SessionTimerReStart
                              (FAILED_SESS_TIMEOUT);
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   - - - - - - -(PAA-initiated Handshake, not optimized) - - - - -
   Rx:PAR[S] &&             EAP_Restart();             WAIT_PAA
   !PAR.exist_avp           SessionTimerReStart
   ("EAP-Payload")              (FAILED_SESS_TIMEOUT);
                            if (generate_pana_sa())
                                Tx:PAN[S]("PRF-Algorithm",
                                   "Integrity-Algorithm");
                            else
                                Tx:PAN[S]();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   - - - - - - - -(PAA-initiated Handshake, optimized) - - - - - -
   Rx:PAR[S] &&             EAP_Restart();             INITIAL
   PAR.exist_avp            TxEAP();
   ("EAP-Payload") &&       SessionTimerReStart
   eap_piggyback()            (FAILED_SESS_TIMEOUT);
        
   Rx:PAR[S] &&             EAP_Restart();             WAIT_EAP_MSG
   PAR.exist_avp            TxEAP();
   ("EAP-Payload") &&       SessionTimerReStart
   !eap_piggyback()           (FAILED_SESS_TIMEOUT);
                            if (generate_pana_sa())
                                Tx:PAN[S]("PRF-Algorithm",
                                  "Integrity-Algorithm");
                            else
                                Tx:PAN[S]();
        
   EAP_RESPONSE             if (generate_pana_sa())    WAIT_PAA
                                Tx:PAN[S]("EAP-Payload",
                                  "PRF-Algorithm",
                                  "Integrity-Algorithm");
                            else
                                Tx:PAN[S]("EAP-Payload");
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   ---------------
   State: WAIT_PAA
   ---------------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - -
   Rx:PAR[] &&              RtxTimerStop();            WAIT_EAP_MSG
   !eap_piggyback()         TxEAP();
                            EAP_RespTimerStart();
                            if (NONCE_SENT==Unset) {
                              NONCE_SENT=Set;
                              Tx:PAN[]("Nonce");
                            }
                            else
                              Tx:PAN[]();
        
   Rx:PAR[] &&              RtxTimerStop();            WAIT_EAP_MSG
   eap_piggyback()          TxEAP();
                            EAP_RespTimerStart();
        
   Rx:PAN[]                 RtxTimerStop();            WAIT_PAA
        
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   - - - - - - - - - - - - - - -(PANA result) - - - - - - - - - -
   Rx:PAR[C] &&             TxEAP();                   WAIT_EAP_RESULT
   PAR.RESULT_CODE==
     PANA_SUCCESS
        
   Rx:PAR[C] &&             if (PAR.exist_avp          WAIT_EAP_RESULT_
   PAR.RESULT_CODE!=          ("EAP-Payload"))         CLOSE
     PANA_SUCCESS             TxEAP();
                            else
                               alt_reject();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   -------------------
   State: WAIT_EAP_MSG
   -------------------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - (Return PAN/PAR from EAP) - - - - - - - - -
   EAP_RESPONSE &&          EAP_RespTimerStop();       WAIT_PAA
   eap_piggyback()          if (NONCE_SENT==Unset) {
                              Tx:PAN[]("EAP-Payload",
                                       "Nonce");
                              NONCE_SENT=Set;
                            }
                            else
                              Tx:PAN[]("EAP-Payload");
        
   EAP_RESPONSE &&          EAP_RespTimerStop();       WAIT_PAA
   !eap_piggyback()         Tx:PAR[]("EAP-Payload");
                            RtxTimerStart();
        
   EAP_RESP_TIMEOUT &&      Tx:PAN[]();                WAIT_PAA
   eap_piggyback()
        
   EAP_DISCARD &&           Tx:PAN[]();                CLOSED
   eap_piggyback()          SessionTimerStop();
                            Disconnect();
        
   EAP_FAILURE ||           SessionTimerStop();        CLOSED
   (EAP_DISCARD &&          Disconnect();
   !eap_piggyback())
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   ----------------------
   State: WAIT_EAP_RESULT
   ----------------------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - -
   EAP_SUCCESS             if (PAR.exist_avp           OPEN
                              ("Key-Id"))
                             Tx:PAN[C]("Key-Id");
                           else
                             Tx:PAN[C]();
                           Authorize();
                           SessionTimerReStart
                             (LIFETIME_SESS_TIMEOUT);
        
   EAP_FAILURE             Tx:PAN[C]();                CLOSED
                           SessionTimerStop();
                           Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   ----------------------------
   State: WAIT_EAP_RESULT_CLOSE
   ----------------------------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - -
   EAP_SUCCESS ||          if (EAP_SUCCESS &&         CLOSED
   EAP_FAILURE               PAR.exist_avp("Key-Id"))
                             Tx:PAN[C]("Key-Id");
                           else
                             Tx:PAN[C]();
                           SessionTimerStop();
                           Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   -----------
   State: OPEN
   -----------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - (liveness test initiated by PaC)- - - - - -
   PANA_PING                Tx:PNR[P]();               WAIT_PNA_PING
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - (re-authentication initiated by PaC)- - - - - -
   REAUTH                   NONCE_SENT=Unset;          WAIT_PNA_REAUTH
                            Tx:PNR[A]();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   - - - - - - - - - (re-authentication initiated by PAA)- - - - - -
   Rx:PAR[]                 EAP_RespTimerStart();      WAIT_EAP_MSG
                            TxEAP();
                            if (!eap_piggyback())
                              Tx:PAN[]("Nonce");
                            else
                              NONCE_SENT=Unset;
                            SessionTimerReStart
                              (FAILED_SESS_TIMEOUT);
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - -(Session termination initiated by PAA) - - - - - -
   Rx:PTR[]                 Tx:PTA[]();                CLOSED
                            SessionTimerStop();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - -(Session termination initiated by PaC) - - - - - -
   TERMINATE                Tx:PTR[]();                SESS_TERM
                            RtxTimerStart();
                            SessionTimerStop();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   ----------------------
   State: WAIT_PNA_REAUTH
   ----------------------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - -(re-authentication initiated by PaC) - - - - -
   Rx:PNA[A]                RtxTimerStop();            WAIT_PAA
                            SessionTimerReStart
                              (FAILED_SESS_TIMEOUT);
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - -(Session termination initiated by PAA) - - - - - -
   Rx:PTR[]                 RtxTimerStop();            CLOSED
                            Tx:PTA[]();
                            SessionTimerStop();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   --------------------
   State: WAIT_PNA_PING
   --------------------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - -(liveness test initiated by PaC) - - - - - - -
   Rx:PNA[P]                RtxTimerStop();            OPEN
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   - - - - - - - - - (re-authentication initiated by PAA)- - - - -
   Rx:PAR[]                 RtxTimerStop();            WAIT_EAP_MSG
                            EAP_RespTimerStart();
                            TxEAP();
                            if (!eap_piggyback())
                              Tx:PAN[]("Nonce");
                            else
                              NONCE_SENT=Unset;
                            SessionTimerReStart
                              (FAILED_SESS_TIMEOUT);
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - -(Session termination initiated by PAA) - - - - - -
   Rx:PTR[]                 RtxTimerStop();            CLOSED
                            Tx:PTA[]();
                            SessionTimerStop();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   ----------------
   State: SESS_TERM
   ----------------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - -(Session termination initiated by PaC) - - - - -
   Rx:PTA[]                 Disconnect();              CLOSED
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
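
The authentication-phase part of the table above, driven end to end, as an added example that is not code from RFC 5609: a Python model of the PaC covering INITIAL, WAIT_PAA, WAIT_EAP_MSG, WAIT_EAP_RESULT, WAIT_EAP_RESULT_CLOSE and OPEN for the non-optimized case (eap_piggyback() FALSE). Messages are reduced to type, flags and AVP names; the Msg class, the value 0 for PANA_SUCCESS, and the recording stubs that stand in for the transport, the timers and the EAP peer are all assumptions of the example. The liveness, re-authentication and termination entries are not modeled. What the run makes visible: the Nonce AVP goes out in the first PAN only, and Authorize() runs only when the PAA's PAR[C] reported PANA_SUCCESS and the local EAP peer independently reported EAP_SUCCESS; a PAR[C] with any other Result-Code lands in WAIT_EAP_RESULT_CLOSE, from which either EAP result leads to CLOSED.

```python
"""Reduced PaC state machine (RFC 5609, section 7.5) for the
authentication phase, with eap_piggyback() taken as FALSE.  Added
example, not code from the RFC: transport, timers and the EAP peer are
recording stubs and PANA_SUCCESS = 0 is an assumption."""

PANA_SUCCESS = 0                # Result-Code value assumed for success


class Msg:
    """A PANA message as the tables see it: type, flags, AVP names."""
    def __init__(self, mtype, flags="", avps=(), result=PANA_SUCCESS):
        self.type, self.flags = mtype, set(flags)
        self.avps, self.result = set(avps), result

    def exist_avp(self, name):              # PAR.exist_avp() in the tables
        return name in self.avps


class PaC:
    def __init__(self, generate_pana_sa=True):
        self.sa = generate_pana_sa
        self.state, self.nonce_sent = "INITIAL", False   # NONCE_SENT=Unset
        self.last_par = None                # PAR[C] whose Key-Id is echoed
        self.sent, self.eap_in, self.log = [], [], []   # Tx, TxEAP, others

    def tx(self, mtype, flags="", avps=()):
        self.sent.append(Msg(mtype, flags, avps))

    def sa_avps(self):
        return ("PRF-Algorithm", "Integrity-Algorithm") if self.sa else ()

    def rx(self, m):
        """A PANA message arrives from the PAA."""
        s = self.state
        if s == "INITIAL" and m.type == "PAR" and "S" in m.flags:
            self.log += ["EAP_Restart", "SessionTimerReStart(FAILED_SESS_TIMEOUT)"]
            if m.exist_avp("EAP-Payload"):           # PAA-initiated, EAP inside
                self.eap_in.append(m)                # TxEAP()
                self.state = "WAIT_EAP_MSG"
            else:                                    # not optimized
                self.state = "WAIT_PAA"
            self.tx("PAN", "S", self.sa_avps())
        elif s == "WAIT_PAA" and m.type == "PAR" and "C" in m.flags:
            self.last_par = m                        # PANA result
            if m.result == PANA_SUCCESS:
                self.eap_in.append(m)
                self.state = "WAIT_EAP_RESULT"
            else:
                if m.exist_avp("EAP-Payload"):
                    self.eap_in.append(m)
                else:
                    self.log.append("alt_reject")    # failure, no EAP message
                self.state = "WAIT_EAP_RESULT_CLOSE"
        elif s == "WAIT_PAA" and m.type == "PAR":    # PAR-PAN exchange
            self.eap_in.append(m)
            self.log.append("EAP_RespTimerStart")
            self.tx("PAN", "", () if self.nonce_sent else ("Nonce",))
            self.nonce_sent = True                   # NONCE_SENT=Set
            self.state = "WAIT_EAP_MSG"
        else:
            raise ValueError("no transition for %s in %s" % (m.type, s))

    def eap_event(self, ev):
        """EAP_RESPONSE, EAP_SUCCESS or EAP_FAILURE was set by the EAP peer."""
        s = self.state
        if s == "WAIT_EAP_MSG" and ev == "EAP_RESPONSE":
            self.log.append("EAP_RespTimerStop")
            self.tx("PAR", "", ("EAP-Payload",))     # !eap_piggyback()
            self.log.append("RtxTimerStart")
            self.state = "WAIT_PAA"
        elif s == "WAIT_EAP_RESULT" and ev == "EAP_SUCCESS":
            # Authorize only when the PAA's PAR[C] carried PANA_SUCCESS and
            # the local EAP peer independently reports success.
            keyid = ("Key-Id",) if self.last_par.exist_avp("Key-Id") else ()
            self.tx("PAN", "C", keyid)
            self.log += ["Authorize", "SessionTimerReStart(LIFETIME_SESS_TIMEOUT)"]
            self.state = "OPEN"
        elif (s in ("WAIT_EAP_RESULT", "WAIT_EAP_RESULT_CLOSE")
              and ev in ("EAP_SUCCESS", "EAP_FAILURE")):
            # Either side reported failure: answer the PAR[C] and close.
            # Key-Id is echoed only when the EAP peer itself succeeded.
            ok = ev == "EAP_SUCCESS" and self.last_par.exist_avp("Key-Id")
            self.tx("PAN", "C", ("Key-Id",) if ok else ())
            self.log += ["SessionTimerStop", "Disconnect"]
            self.state = "CLOSED"
        else:
            raise ValueError("no transition for %s in %s" % (ev, s))
```

A message or event with no matching entry raises rather than being ignored, so a caller sees at once when the peer deviates from the table. The EAP peer here is only a stub that trusts whoever calls eap_event(); in a real PaC the EAP_SUCCESS verdict comes from the EAP peer state machine, which is what stops a PAA from authorizing a PaC by asserting PANA_SUCCESS without a completed EAP conversation.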
        
8. PAA State Machine

8.1. Interface between PAA and EAP Authenticator

The interface between a PAA and an EAP authenticator provides a mechanism to deliver EAP messages for the EAP authenticator as well as a mechanism to notify the EAP authenticator of PAA events and to receive notification of EAP authenticator events. These message delivery and event notification mechanisms occur only within context of their associated states or exit actions.

8.1.1. EAP Restart Notification from PAA to EAP Authenticator

An EAP authenticator state machine defined in [RFC4137] has an initialization procedure before sending the first EAP request. To initialize the EAP state machine, the PAA state machine defines an event notification mechanism to send an EAP (re)start event to the EAP authenticator. The event notification is done via EAP_Restart() procedure in the initialization action of the PAA state machine.

8.1.2. Delivering EAP Responses from PAA to EAP Authenticator

TxEAP() procedure in the PAA state machine serves as the mechanism to deliver EAP-Responses contained in PANA-Auth-Answer messages to the EAP authenticator. This procedure is enabled only after an EAP restart event is notified to the EAP authenticator and before any event resulting in a termination of the EAP authenticator session. In the case where the EAP authenticator follows the EAP authenticator state machines defined in [RFC4137], TxEAP() procedure sets eapResp variable of the EAP authenticator state machine and puts the EAP response in eapRespData variable of the EAP authenticator state machine.

8.1.3. Delivering EAP Messages from EAP Authenticator to PAA

An EAP request is delivered from the EAP authenticator to the PAA via EAP_REQUEST event variable. The event variable is set when the EAP authenticator passes the EAP request to its lower layer. In the case where the EAP authenticator follows the EAP authenticator state machines defined in [RFC4137], EAP_REQUEST event variable refers to eapReq variable of the EAP authenticator state machine and the EAP request is contained in eapReqData variable of the EAP authenticator state machine.

8.1.4. EAP Authentication Result Notification from EAP Authenticator to PAA

In order for the EAP authenticator to notify the PAA of the EAP authentication result, EAP_SUCCESS, EAP_FAILURE, and EAP_TIMEOUT event variables are defined. In the case where the EAP authenticator follows the EAP authenticator state machines defined in [RFC4137], EAP_SUCCESS, EAP_FAILURE, and EAP_TIMEOUT event variables refer to eapSuccess, eapFail, and eapTimeout variables of the EAP authenticator state machine, respectively. In this case, if EAP_SUCCESS event variable is set to TRUE, an EAP-Success message is contained in eapReqData variable of the EAP authenticator state machine, and additionally, eapKeyAvailable variable is set to TRUE and eapKeyData variable contains an MSK if the MSK is generated as a result of successful authentication by the EAP authentication method in use. Similarly, if EAP_FAILURE event variable is set to TRUE, an EAP-Failure message is contained in eapReqData variable of the EAP authenticator state machine. The PAA uses EAP_SUCCESS and EAP_FAILURE event variables as a trigger to send a PAR message to the PaC.

8.2. Variables

OPTIMIZED_INIT

This variable is set to TRUE when the PAA is able to piggyback an EAP-Request in the initial PANA-Auth-Request. Otherwise, it is set to FALSE.

PAC_FOUND

This variable is set to TRUE as a result of a PAA-initiated handshake.

REAUTH_TIMEOUT

This event variable is set to TRUE to indicate that the PAA initiates a re-authentication with the PaC. The re-authentication timeout should be set to a value less than the session timeout carried in the Session-Lifetime AVP if present.

EAP_SUCCESS

This event variable is set to TRUE when an EAP conversation completes with success. This event accompanies an EAP-Success message passed from the EAP authenticator.

EAP_FAILURE

This event variable is set to TRUE when an EAP conversation completes with failure. This event accompanies an EAP-Failure message passed from the EAP authenticator.

EAP_REQUEST

This event variable is set to TRUE when the EAP authenticator delivers an EAP Request to the PAA. This event accompanies an EAP-Request message received from the EAP authenticator.

EAP_TIMEOUT

This event variable is set to TRUE when an EAP conversation times out without generating an EAP-Success or an EAP-Failure message. This event does not accompany any EAP message.

EAP_DISCARD

This event variable is set to TRUE when the EAP authenticator indicates that it has silently discarded the last received EAP-Response message. This event does not accompany any EAP message. In the case where the EAP authenticator follows the EAP authenticator state machines defined in [RFC4137], this event variable refers to eapNoReq.

8.3. Procedures

boolean new_key_available()

This is a procedure to check whether the PANA session has a new PANA_AUTH_KEY. If the state machine already has a PANA_AUTH_KEY, it returns FALSE. If the state machine does not have a PANA_AUTH_KEY, it tries to retrieve an MSK from the EAP entity. If an MSK has been retrieved, it computes a PANA_AUTH_KEY from the MSK and returns TRUE. Otherwise, it returns FALSE.
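
The PAA-side glue that Sections 8.1 through 8.3 describe, as an added Python example (not code from RFC 5609 or from any PANA implementation): the RFC 4137 authenticator variables are modelled as plain attributes, EAP_Restart(), TxEAP(), the event-variable mapping and new_key_available() are implemented over them, and the PANA_AUTH_KEY computation is a labelled placeholder, since the real derivation is defined in RFC 5191, not on this page.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class EapAuthenticatorVars:
    """RFC 4137 authenticator state-machine variables that the PAA reads or writes."""
    eapResp: bool = False               # written by the PAA (TxEAP) with eapRespData
    eapRespData: Optional[bytes] = None
    eapReq: bool = False                # written by the authenticator with eapReqData
    eapReqData: Optional[bytes] = None  # EAP-Request, EAP-Success or EAP-Failure
    eapNoReq: bool = False              # last EAP-Response was silently discarded
    eapSuccess: bool = False
    eapFail: bool = False
    eapTimeout: bool = False
    eapKeyAvailable: bool = False
    eapKeyData: Optional[bytes] = None  # the MSK, when the method exports one


class PaaEapInterface:
    """PAA-side procedures and event variables of Sections 8.1 to 8.3."""

    # RFC 4137 variable -> PAA event variable (Sections 8.1.3, 8.1.4, 8.2)
    EVENT_MAP = {"eapReq": "EAP_REQUEST", "eapSuccess": "EAP_SUCCESS",
                 "eapFail": "EAP_FAILURE", "eapTimeout": "EAP_TIMEOUT",
                 "eapNoReq": "EAP_DISCARD"}

    def __init__(self, eap: EapAuthenticatorVars):
        self.eap = eap
        self.PANA_AUTH_KEY = None
        # TxEAP() is enabled only after EAP_Restart() and before an event that
        # ends the EAP authenticator session (Section 8.1.2)
        self.eap_enabled = False

    def EAP_Restart(self):
        """Section 8.1.1: (re)start notification; starts a fresh EAP conversation."""
        self.eap = EapAuthenticatorVars()   # constructed: freshly initialised variables
        self.PANA_AUTH_KEY = None
        self.eap_enabled = True

    def TxEAP(self, eap_response: bytes):
        """Section 8.1.2: deliver the EAP-Response carried in a PANA-Auth-Answer."""
        if not self.eap_enabled:
            raise RuntimeError("TxEAP() called outside an EAP authenticator session")
        self.eap.eapResp, self.eap.eapRespData = True, eap_response

    def poll_events(self):
        """Return the set of PAA event variable names that are currently TRUE."""
        events = {pana for rfc4137, pana in self.EVENT_MAP.items()
                  if getattr(self.eap, rfc4137)}
        if events & {"EAP_SUCCESS", "EAP_FAILURE", "EAP_TIMEOUT"}:
            self.eap_enabled = False        # the EAP authenticator session is over
        return events

    def eap_payload(self):
        """The EAP-Request, EAP-Success or EAP-Failure to carry in the next PAR."""
        e = self.eap
        return e.eapReqData if (e.eapReq or e.eapSuccess or e.eapFail) else None

    def new_key_available(self) -> bool:
        """Section 8.3: TRUE exactly once, when a retrieved MSK yields a new key."""
        if self.PANA_AUTH_KEY is not None:
            return False
        if not (self.eap.eapKeyAvailable and self.eap.eapKeyData):
            return False
        # Placeholder: RFC 5191 defines the real PANA_AUTH_KEY derivation; an
        # HMAC keyed with the MSK over a fixed label stands in for it here.
        self.PANA_AUTH_KEY = hmac.new(self.eap.eapKeyData,
                                      b"PANA_AUTH_KEY placeholder", hashlib.sha256).digest()
        return True
```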

8.4. PAA State Transition Table
   ------------------------------
   State: INITIAL (Initial State)
   ------------------------------
        

Initialization Action:

     OPTIMIZED_INIT=Set|Unset;
     NONCE_SENT=Unset;
     RTX_COUNTER=0;
     RtxTimerStop();
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
    - - - - - - - - (PCI and PAA initiated PANA) - - - - - - - - -
   (Rx:PCI[] ||             if (OPTIMIZED_INIT ==      INITIAL
    PAC_FOUND)                  Set) {
                              EAP_Restart();
                              SessionTimerReStart
                               (FAILED_SESS_TIMEOUT);
                            }
                            else {
                              if (generate_pana_sa())
                                   Tx:PAR[S]("PRF-Algorithm",
                                      "Integrity-Algorithm");
                              else
                                   Tx:PAR[S]();
                            }

   EAP_REQUEST              if (generate_pana_sa())    INITIAL
                                Tx:PAR[S]("EAP-Payload",
                                   "PRF-Algorithm",
                                   "Integrity-Algorithm");
                            else
                                Tx:PAR[S]("EAP-Payload");
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   - - - - - - - - - - - - - - (PAN Handling)  - - - - - - - - - -
   Rx:PAN[S] &&             if (PAN.exist_avp          WAIT_EAP_MSG
   ((OPTIMIZED_INIT ==         ("EAP-Payload"))
     Unset) ||                TxEAP();
   PAN.exist_avp            else {
     ("EAP-Payload"))         EAP_Restart();
                              SessionTimerReStart
                               (FAILED_SESS_TIMEOUT);
                            }
        
   Rx:PAN[S] &&             None();                    WAIT_PAN_OR_PAR
   (OPTIMIZED_INIT ==
     Set) &&
   ! PAN.exist_avp
    ("EAP-Payload")
        
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   -------------------
   State: WAIT_EAP_MSG
   -------------------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - -(Receiving EAP-Request)- - - - - - - - -
   EAP_REQUEST              if (NONCE_SENT==Unset) {   WAIT_PAN_OR_PAR
                              Tx:PAR[]("Nonce",
                                       "EAP-Payload");
                              NONCE_SENT=Set;
                            }
                            else
                              Tx:PAR[]("EAP-Payload");
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - -(Receiving EAP-Success/Failure) - - - - -
   EAP_FAILURE              PAR.RESULT_CODE =          WAIT_FAIL_PAN
                              PANA_AUTHENTICATION_
                                  REJECTED;
                            Tx:PAR[C]("EAP-Payload");
                            RtxTimerStart();
                            SessionTimerStop();
        
   EAP_SUCCESS &&           PAR.RESULT_CODE =          WAIT_SUCC_PAN
   Authorize()                PANA_SUCCESS;
                            if (new_key_available())
                              Tx:PAR[C]("EAP-Payload",
                                   "Key-Id");
                            else
                              Tx:PAR[C]("EAP-Payload");
                            RtxTimerStart();
        
   EAP_SUCCESS &&           PAR.RESULT_CODE =          WAIT_FAIL_PAN
   !Authorize()               PANA_AUTHORIZATION_
                                REJECTED;
                            if (new_key_available())
                              Tx:PAR[C]("EAP-Payload",
                                   "Key-Id");
                            else
                              Tx:PAR[C]("EAP-Payload");
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    - - - - - (Receiving EAP-Timeout or invalid message) - - - - -
   EAP_TIMEOUT ||           SessionTimerStop();        CLOSED
   EAP_DISCARD              Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   --------------------
   State: WAIT_SUCC_PAN
   --------------------
        
   Event/Condition          Action                     Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (PAN Processing)- - - - - - - - - - -
   Rx:PAN[C]                RtxTimerStop();            OPEN
                            SessionTimerReStart
                              (LIFETIME_SESS_TIMEOUT);
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   --------------------
   State: WAIT_FAIL_PAN
   --------------------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - - (PAN Processing)- - - - - - - - - -
        
   Rx:PAN[C]                RtxTimerStop();            CLOSED
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   -----------
   State: OPEN
   -----------
        
   Event/Condition          Action                     Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - (re-authentication initiated by PaC) - - - - - -
   Rx:PNR[A]                NONCE_SENT=Unset;          WAIT_EAP_MSG
                            EAP_Restart();
                            Tx:PNA[A]();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - (re-authentication initiated by PAA)- - - - - -
   REAUTH ||                NONCE_SENT=Unset;          WAIT_EAP_MSG
   REAUTH_TIMEOUT           EAP_Restart();
        
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - (liveness test based on PNR-PNA exchange initiated by PAA)-
   PANA_PING                Tx:PNR[P]();               WAIT_PNA_PING
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - (Session termination initiated from PAA)- - - -
   TERMINATE                Tx:PTR[]();                SESS_TERM
                            SessionTimerStop();
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - (Session termination initiated from PaC)- - - -
   Rx:PTR[]                 Tx:PTA[]();                CLOSED
                            SessionTimerStop();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   --------------------
   State: WAIT_PNA_PING
   --------------------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - -(PNA processing) - - - - - - - - - -
   Rx:PNA[P]                RtxTimerStop();            OPEN
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - (re-authentication initiated by PaC) - - - - - -
   Rx:PNR[A]                RtxTimerStop();            WAIT_EAP_MSG
                             NONCE_SENT=Unset;
                            EAP_Restart();
                            Tx:PNA[A]();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - (Session termination initiated from PaC)- - - -
   Rx:PTR[]                 RtxTimerStop();            CLOSED
                            Tx:PTA[]();
                            SessionTimerStop();
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   ----------------------
   State: WAIT_PAN_OR_PAR
   ----------------------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - (PAR Processing)- - - - - - - - - - -
   Rx:PAR[]                 TxEAP();                   WAIT_EAP_MSG
                            RtxTimerStop();
                            Tx:PAN[]();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - (Pass EAP Response to the EAP authenticator)- - - -
   Rx:PAN[] &&              TxEAP();                   WAIT_EAP_MSG
   PAN.exist_avp            RtxTimerStop();
   ("EAP-Payload")
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - (PAN without an EAP response) - - - - - - -
   Rx:PAN[] &&              RtxTimerStop();            WAIT_PAN_OR_PAR
   !PAN.exist_avp
   ("EAP-Payload")
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - -(EAP retransmission) - - - - - - - - - -
   EAP_REQUEST              RtxTimerStop();            WAIT_PAN_OR_PAR
                            Tx:PAR[]("EAP-Payload");
                            RtxTimerStart();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - (EAP authentication timeout or failure)- - - - -
   EAP_FAILURE ||           RtxTimerStop();            CLOSED
   EAP_TIMEOUT ||           SessionTimerStop();
   EAP_DISCARD              Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        
   ----------------
   State: SESS_TERM
   ----------------
        
   Exit Condition           Exit Action                Exit State
   ------------------------+--------------------------+------------
   - - - - - - - - - - - - - -(PTA processing) - - - - - - - - - -
   Rx:PTA[]                 RtxTimerStop();            CLOSED
                            Disconnect();
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
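
The whole PAA transition table above as executable Python, an added example that is not code from RFC 5609: the Tx, timer, EAP-interface and Disconnect actions are recording stubs, and generate_pana_sa(), Authorize() and new_key_available() are injected predicates with constructed defaults. What happens on an event that matches no row is this example's choice (the state is left unchanged); the table itself does not say.

```python
class PaaStateMachine:
    def __init__(self, optimized_init=False, generate_pana_sa=lambda: True,
                 authorize=lambda: True, new_key_available=lambda: False):
        # Constructed predicates standing in for procedures the table calls
        self.generate_pana_sa, self.Authorize = generate_pana_sa, authorize
        self.new_key_available = new_key_available
        self.log = []           # exit actions, in the order the table lists them
        self.PAR_RESULT_CODE = None
        # Initialization Action of the INITIAL state
        self.state, self.OPTIMIZED_INIT = "INITIAL", optimized_init
        self.NONCE_SENT, self.RTX_COUNTER = False, 0
        self.RtxTimerStop()
    # Action stubs named as in the table; they only record what was done.
    def _do(self, name, *args):
        self.log.append("%s(%s)" % (name, ",".join(args)))
    def Tx(self, msg, flags="", *avps): self._do("Tx:%s[%s]" % (msg, flags), *avps)
    def RtxTimerStart(self): self._do("RtxTimerStart")
    def RtxTimerStop(self): self._do("RtxTimerStop")
    def SessionTimerReStart(self, t): self._do("SessionTimerReStart", t)
    def SessionTimerStop(self): self._do("SessionTimerStop")
    def EAP_Restart(self): self._do("EAP_Restart")
    def TxEAP(self): self._do("TxEAP")
    def Disconnect(self): self._do("Disconnect")

    def handle(self, event, flags="", avps=()):
        """Apply one table row. event: condition name ('Rx:PCI', 'PAC_FOUND', 'EAP_REQUEST',
        'REAUTH', ...); flags: PANA message flag 'S'/'C'/'A'/'P' or ''; avps: AVP names in a
        received message. Returns the exit state; an unmatched event leaves it unchanged."""
        s, eap = self.state, "EAP-Payload" in avps
        rx = lambda m, f="": event == "Rx:" + m and flags == f
        if s == "INITIAL":
            if rx("PCI") or event == "PAC_FOUND":
                if self.OPTIMIZED_INIT:
                    self.EAP_Restart(); self.SessionTimerReStart("FAILED_SESS_TIMEOUT")
                elif self.generate_pana_sa():
                    self.Tx("PAR", "S", "PRF-Algorithm", "Integrity-Algorithm")
                else:
                    self.Tx("PAR", "S")
            elif event == "EAP_REQUEST":
                sa = ("PRF-Algorithm", "Integrity-Algorithm") if self.generate_pana_sa() else ()
                self.Tx("PAR", "S", "EAP-Payload", *sa); self.RtxTimerStart()
            elif rx("PAN", "S") and (not self.OPTIMIZED_INIT or eap):
                if eap: self.TxEAP()
                else: self.EAP_Restart(); self.SessionTimerReStart("FAILED_SESS_TIMEOUT")
                s = "WAIT_EAP_MSG"
            elif rx("PAN", "S"):        # OPTIMIZED_INIT set and no EAP-Payload: None()
                s = "WAIT_PAN_OR_PAR"
        elif s == "WAIT_EAP_MSG":
            if event == "EAP_REQUEST":
                self.Tx("PAR", "", *(("EAP-Payload",) if self.NONCE_SENT else ("Nonce", "EAP-Payload")))
                self.NONCE_SENT = True; self.RtxTimerStart(); s = "WAIT_PAN_OR_PAR"
            elif event == "EAP_FAILURE":
                self.PAR_RESULT_CODE = "PANA_AUTHENTICATION_REJECTED"
                self.Tx("PAR", "C", "EAP-Payload"); self.RtxTimerStart()
                self.SessionTimerStop(); s = "WAIT_FAIL_PAN"
            elif event == "EAP_SUCCESS":    # the Authorize() and !Authorize() rows
                ok = self.Authorize()
                self.PAR_RESULT_CODE = "PANA_SUCCESS" if ok else "PANA_AUTHORIZATION_REJECTED"
                self.Tx("PAR", "C", "EAP-Payload", *(("Key-Id",) if self.new_key_available() else ()))
                self.RtxTimerStart(); s = "WAIT_SUCC_PAN" if ok else "WAIT_FAIL_PAN"
            elif event in ("EAP_TIMEOUT", "EAP_DISCARD"):
                self.SessionTimerStop(); self.Disconnect(); s = "CLOSED"
        elif s == "WAIT_SUCC_PAN" and rx("PAN", "C"):
            self.RtxTimerStop(); self.SessionTimerReStart("LIFETIME_SESS_TIMEOUT"); s = "OPEN"
        elif s == "WAIT_FAIL_PAN" and rx("PAN", "C"):
            self.RtxTimerStop(); self.Disconnect(); s = "CLOSED"
        elif s == "OPEN":
            if rx("PNR", "A"):
                self.NONCE_SENT = False; self.EAP_Restart(); self.Tx("PNA", "A"); s = "WAIT_EAP_MSG"
            elif event in ("REAUTH", "REAUTH_TIMEOUT"):
                self.NONCE_SENT = False; self.EAP_Restart(); s = "WAIT_EAP_MSG"
            elif event == "PANA_PING":
                self.Tx("PNR", "P"); self.RtxTimerStart(); s = "WAIT_PNA_PING"
            elif event == "TERMINATE":
                self.Tx("PTR"); self.SessionTimerStop(); self.RtxTimerStart(); s = "SESS_TERM"
            elif rx("PTR"):
                self.Tx("PTA"); self.SessionTimerStop(); self.Disconnect(); s = "CLOSED"
        elif s == "WAIT_PNA_PING":
            if rx("PNA", "P"):
                self.RtxTimerStop(); s = "OPEN"
            elif rx("PNR", "A"):
                self.RtxTimerStop(); self.NONCE_SENT = False; self.EAP_Restart()
                self.Tx("PNA", "A"); s = "WAIT_EAP_MSG"
            elif rx("PTR"):
                self.RtxTimerStop(); self.Tx("PTA"); self.SessionTimerStop()
                self.Disconnect(); s = "CLOSED"
        elif s == "WAIT_PAN_OR_PAR":
            if rx("PAR"):
                self.TxEAP(); self.RtxTimerStop(); self.Tx("PAN"); s = "WAIT_EAP_MSG"
            elif rx("PAN"):             # with EAP-Payload -> WAIT_EAP_MSG, without: stay
                if eap: self.TxEAP(); s = "WAIT_EAP_MSG"
                self.RtxTimerStop()
            elif event == "EAP_REQUEST":
                self.RtxTimerStop(); self.Tx("PAR", "", "EAP-Payload"); self.RtxTimerStart()
            elif event in ("EAP_FAILURE", "EAP_TIMEOUT", "EAP_DISCARD"):
                self.RtxTimerStop(); self.SessionTimerStop(); self.Disconnect(); s = "CLOSED"
        elif s == "SESS_TERM" and rx("PTA"):
            self.RtxTimerStop(); self.Disconnect(); s = "CLOSED"
        self.state = s
        return s
```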
        
9. Implementation Considerations

9.1. PAA and PaC Interface to Service Management Entity

In general, it is assumed that each device or network equipment has a PANA protocol stack available for use by other modules within the device or network equipment. One such module is the Service Management Entity (SME). The SME is a generic term for modules that manage different services (including network protocols) that are installed on a device or equipment. To integrate the PANA protocol with the SME, it is recommended that a generic interface (i.e., the SME-PANA interface) between the SME and the PANA protocol stack be provided by the implementation. This interface should include common procedures such as startup, shutdown, and re-authenticate signals. It should also provide for extracting keying material. For the PAA, the SME-PANA interface should also provide a method for communicating filtering parameters to the Enforcement Point(s) when cryptographic filtering is used. The filtering parameters include keying material used for bootstrapping secured transport such as IPsec. When a PAA device interacts with the backend authentication server using a AAA protocol, its SME may also provide an interface to the AAA protocol to obtain authorization parameters such as the authorization lifetime and additional filtering parameters.

10. Security Considerations

This document's intent is to describe the PANA state machines fully. To this end, any security concerns with this document are likely a reflection of security concerns with PANA itself.

11. Acknowledgments

This work was started from state machines originally made by Dan Forsberg.

12. References

12.1. Normative References

[RFC5191] Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., and A. Yegin, "Protocol for Carrying Authentication for Network Access (PANA)", RFC 5191, May 2008.

12.2. Informative References

[RFC4137] Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, "State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator", RFC 4137, August 2005.

Authors' Addresses

Victor Fajardo (editor) Telcordia Technologies 1 Telcordia Drive Piscataway, NJ 08854 USA

   Phone: +1 732 699 5368
   EMail: vfajardo@research.telcordia.com

Yoshihiro Ohba Toshiba Corporate Research and Development Center 1 Komukai-Toshiba-cho, Saiwai-ku Kawasaki, Kanagawa 212-8582 Japan

   Phone: +81 44 549 2230
   EMail: yoshihiro.ohba@toshiba.co.jp

Rafa Marin-Lopez University of Murcia Campus de Espinardo S/N, Facultad de Informatica Murcia 30100 Spain

   Phone: +34 868 888 501
   EMail: rafa@um.es