Internet Engineering Task Force (IETF)                           Y. Ohba
Request for Comments: 5836                                       Toshiba
Category: Informational                                       Q. Wu, Ed.
ISSN: 2070-1721                                                   Huawei
                                                            G. Zorn, Ed.
                                                             Network Zen
                                                              April 2010
        

Extensible Authentication Protocol (EAP) Early Authentication Problem Statement

Abstract

Extensible Authentication Protocol (EAP) early authentication may be defined as the use of EAP by a mobile device to establish authenticated keying material on a target attachment point prior to its arrival. This document discusses the EAP early authentication problem in detail.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5836.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.

Table of Contents

   1. Introduction ....................................................3
   2. Terminology .....................................................4
   3. Problem Statement ...............................................6
      3.1. Handover Preparation .......................................6
      3.2. Handover Execution .........................................6
           3.2.1. Examples ............................................7
      3.3. Solution Space .............................................7
           3.3.1. Context Transfer ....................................7
           3.3.2. Early Authentication ................................8
   4. System Overview .................................................8
   5. Topological Classification of Handover Scenarios ................9
   6. Models of Early Authentication .................................10
      6.1. EAP Pre-Authentication Usage Models .......................10
           6.1.1. The Direct Pre-Authentication Model ................11
           6.1.2. The Indirect Pre-Authentication Usage Model ........11
      6.2. The Authenticated Anticipatory Keying Usage Model .........13
   7. Architectural Considerations ...................................13
      7.1. Authenticator Discovery ...................................13
      7.2. Context Binding ...........................................14
   8. AAA Issues .....................................................14
   9. Security Considerations ........................................16
   10. Acknowledgments ...............................................17
   11. Contributors ..................................................17
   12. References ....................................................17
      12.1. Normative References .....................................17
      12.2. Informative References ...................................18
        
1. Introduction

When a mobile device, during an active communication session, moves from one access network to another and changes its attachment point, the session may be subjected to disruption of service due to the delay associated with the handover operation. The performance requirements of a real-time application will vary based on the type of application and its characteristics such as delay and packet-loss tolerance. For Voice over IP applications, ITU-T G.114 [ITU] recommends a steady-state end-to-end delay of 150 ms as the upper limit and rates 400 ms as generally unacceptable delay. Similarly, a streaming application has tolerable packet-error rates ranging from 0.1 to 0.00001 with a transfer delay of less than 300 ms. Any help that an optimized handoff mechanism can provide toward meeting these objectives is useful. The ultimate objective is to achieve seamless handover with low latency, even when handover is between different link technologies or between different Authentication, Authorization, and Accounting (AAA) realms.

As a mobile device goes through a handover process, it is subjected to delay because of the rebinding of its association at or across several layers of the protocol stack and because of the additional round trips needed for a new EAP exchange. Delays incurred within each protocol layer affect the ongoing multimedia application and data traffic within the client [WCM].

The handover process often requires authentication and authorization for acquisition or modification of resources assigned to the mobile device. In most cases, these authentications and authorizations require interaction with a central authority in a realm. In some cases, the central authority may be distant from the mobile device. The delay introduced due to such an authentication and authorization procedure adds to the handover latency and consequently affects ongoing application sessions [MQ7]. The discussion in this document is focused on mitigating delay due to EAP authentication.

2. Terminology

AAA
   Authentication, Authorization, and Accounting (see below). RADIUS [RFC2865] and Diameter [RFC3588] are examples of AAA protocols defined in the IETF.

AAA realm
   The set of access networks within the scope of a specific AAA server. Thus, if a mobile device moves from one attachment point to another within the same AAA realm, it continues to be served by the same AAA server.

Accounting
   The act of collecting information on resource usage for the purpose of trend analysis, auditing, billing, or cost allocation [RFC2989].

Attachment Point
   A device, such as a wireless access point, that serves as a gateway between access clients and a network. In the context of this document, an attachment point must also support EAP authenticator functionality and may act as a AAA client.

Authentication
   The act of verifying a claimed identity, in the form of a preexisting label from a mutually known name space, as the originator of a message (message authentication) or as the end-point of a channel (entity authentication) [RFC2989].

Authenticator
   The end of the link initiating EAP authentication [RFC3748].

Authorization
   The act of determining if a particular right, such as access to some resource, can be granted to the presenter of a particular credential [RFC2989].

Candidate Access Network
   An access network that can potentially become the target access network for a mobile device. Multiple access networks may be candidates simultaneously.

Candidate Attachment Point (CAP)
   An attachment point that can potentially become the target attachment point for a mobile device. Multiple attachment points may be candidates simultaneously.

Candidate Authenticator (CA)
   The EAP authenticator on the CAP.

EAP Server
   The entity that terminates the EAP authentication method with the peer [RFC3748]. EAP servers are often, but not necessarily, co-located with AAA servers, using a AAA protocol to communicate with remote pass-through authenticators.

Inter-AAA-realm Handover (Inter-realm Handover)
   A handover across multiple AAA realms.

Inter-Technology Handover
   A handover across different link-layer technologies.

Intra-AAA-realm Handover (Intra-realm Handover)
   A handover within the same AAA realm. Intra-AAA-realm handover includes a handover across different authenticators within the same AAA realm.

Intra-Technology Handover
   A handover within the same link-layer technology.

Master Session Key (MSK)
   Keying material that is derived between the EAP peer and server and exported by the EAP method [RFC3748].

Peer
   The entity that responds to the authenticator and requires authentication [RFC3748].

Serving Access Network
   An access network that is currently serving the mobile device.

Serving Attachment Point (SAP)
   An attachment point that is currently serving the mobile device.

Target Access Network
   An access network that has been selected to be the new serving access network for a mobile device.

Target Attachment Point (TAP)
   An attachment point that has been selected to be the new SAP for a mobile device.

3. Problem Statement

The basic mechanism of handover is a two-step procedure involving

o handover preparation and

o handover execution

3.1. Handover Preparation

Handover preparation includes the discovery of candidate attachment points and selection of an appropriate target attachment point from the candidate set. Handover preparation is outside the scope of this document.

3.2. Handover Execution

Handover execution consists of setting up Layer 2 (L2) and Layer 3 (L3) connectivity with the TAP. Currently, handover execution includes network access authentication and authorization performed directly with the target network; this may include full EAP authentication in the absence of any particular optimization for handover key management. Following a successful EAP authentication, a secure association procedure is typically performed between the mobile device and the TAP to derive a new set of link-layer encryption keys from EAP keying material such as the MSK. The handover latency introduced by full EAP authentication has proven to be higher than that which is acceptable for real-time application scenarios [MQ7]; hence, reduction in handover latency due to EAP is a necessary objective for such scenarios.

3.2.1. Examples
3.2.1.1. IEEE 802.11

In IEEE 802.11 Wireless Local Area Networks (WLANs) [IEEE.802-11.2007] network access authentication and authorization involves performing a new IEEE 802.1X [IEEE.802-1X.2004] message exchange with the authenticator in the TAP to execute an EAP exchange with the authentication server [WPA]. There has been some optimization work undertaken by the IEEE, but these efforts have been scoped to IEEE link-layer technologies; for example, the work done in the IEEE 802.11f [IEEE.802-11F.2003] and 802.11r [IEEE.802-11R.2008] Task Groups applies only to intra-technology handovers.

3.2.1.2. 3GPP TS33.402

The Third Generation Partnership Project (3GPP) Technical Specification 33.402 [TS33.402] defines the authentication and key management procedures performed during interworking between non-3GPP access networks and the Evolved Packet System (EPS). Network access authentication and authorization happens after the L2 connection is established between the mobile device and a non-3GPP target access network, and involves an EAP exchange between the mobile device and the 3GPP AAA server via the non-3GPP target access network. These procedures are not really independent of link technology, since they assume either that the authenticator lies in the EPS network or that separate authentications are performed in the access network and then in the EPS network.

3.3. Solution Space

As the examples in the preceding sections illustrate, a solution is needed to enable EAP early authentication for inter-AAA-realm handovers and inter-technology handovers. A search for solutions at the IP level may offer the necessary technology independence.

Optimized solutions for secure inter-authenticator handovers can be seen either as security context transfer (e.g., using the EAP Extensions for EAP Re-authentication Protocol (ERP)) [RFC5296], or as EAP early authentication.

3.3.1. Context Transfer

Security context transfer involves transfer of reusable key context to the TAP and can take two forms: horizontal and vertical.

Horizontal security context transfer (e.g., from SAP to TAP) is not recommended because of the possibility that the compromise of one attachment point might lead to the compromise of another (the so-called domino effect, [RFC4962]). Vertical context transfer is similar to the initial establishment of keying material on an attachment point in that the keys are sent from a trusted server to the TAP as a direct result of a successful authentication. ERP specifies vertical context transfer using existing EAP keying material obtained from the home AAA server during the initial authentication. A cryptographically independent re-authentication key is derived and transmitted to the TAP as a result of successful ERP authentication. This reduces handover delay for intra-realm handovers by eliminating the need to run full EAP authentication with the home EAP server.

However, in the case of inter-realm handover, either ERP is not applicable or an additional optimization mechanism is needed to establish a key on the TAP.

3.3.2. Early Authentication

In EAP early authentication, AAA-based authentication and authorization for a CAP is performed while ongoing data communication is in progress via the serving access network, the goal being to complete AAA signaling for EAP before the mobile device moves. The applicability of EAP early authentication is limited to the scenarios where candidate authenticators can be discovered and an accurate prediction of movement can be easily made. In addition, the effectiveness of EAP early authentication may be less significant for particular inter-technology-handover scenarios where simultaneous use of multiple technologies is not a major concern.

There are also several AAA issues related to EAP early authentication, discussed in Section 8.

4. System Overview

Figure 1 shows the functional elements that are related to EAP early authentication. These functional elements include a mobile device, a SAP, a CAP, and one or more AAA and EAP servers; for the sake of convenience, the AAA and EAP servers are represented as being co-located. When the SAP and CAP belong to different AAA realms, the CAP may require a different set of user credentials than those used by the peer when authenticating to the SAP. Alternatively, the CAP and the SAP may rely on the same AAA server, located in the home realm of the mobile device (MD).

         +------+      +-------+      +---------+      +---------+
         |  MD  |------|  SAP  |------|         |      |         |
         +------+      +-------+      |   IP    |      | EAP/AAA
            .                         |         |------|         |
            . Move                    | Network |      | Server  |
            v          +-------+      |         |      |         |
                       |  CAP  |------|         |      |         |
                       +-------+      +---------+      +---------+
        

Figure 1: EAP Early Authentication Functional Elements

A mobile device is attached to the serving access network. Before the MD performs handover from the serving access network to a candidate access network, it performs EAP early authentication with a candidate authenticator via the serving access network. The peer may perform EAP early authentication with one or more candidate authenticators. It is assumed that each attachment point has an IP address. It is assumed that there is at least one CAP in each candidate access network. The serving and candidate access networks may use different link-layer technologies.

Each authenticator is either a standalone authenticator or a pass-through authenticator [RFC3748]. When an authenticator acts as a standalone authenticator, it also has the functionality of an EAP server. When an authenticator acts as a pass-through authenticator, it communicates with the EAP server, typically using a AAA transport protocol such as RADIUS [RFC2865] or Diameter [RFC3588].

If the CAP uses an MSK [RFC5247] for generating lower-layer ciphering keys, EAP early authentication is used to proactively generate an MSK for the CAP.

5. Topological Classification of Handover Scenarios

The complexity of the authentication and authorization part of handover depends on whether it involves a change in EAP server. Consider first the case where the authenticators operate in pass-through mode, so that the EAP server is co-located with a AAA server. Then, there is a strict hierarchy of complexity, as follows:

1. inter-attachment-point handover with common AAA server: the CAP and SAP are different entities, but the AAA server is the same. There are two sub-cases here:

(a) the AAA server is common because both attachment points lie within the same network, or

(b) the AAA server is common because AAA entities in the serving and candidate networks proxy to a AAA server in the home realm.

2. inter-AAA-realm handover: the CAP and SAP are different entities, and the respective AAA servers also differ. As a result, authentication in the candidate network requires a second set of user credentials.

A third case is where one or both authenticators are co-located with an EAP server. This has some of the characteristics of an inter-AAA-realm handover, but offers less flexibility for resolution of the early authentication problem.

Orthogonally to this classification, one can distinguish intra-technology handover from inter-technology handover according to the link technologies involved. In the inter-technology case, it is highly probable that the authenticators will differ. The most likely cases are 1(b) or 2 in the above list.

6. Models of Early Authentication

As noted in Section 3, there are cases where early authentication is applicable while ERP does not work. This section concentrates on providing some models around which we can build our analysis of the EAP early authentication problem. Different usage models can be defined depending on whether

o the SAP is not involved in early authentication (direct pre-authentication usage model),

o the SAP interacts only with the CAP (indirect pre-authentication usage model), or

o the SAP interacts with the AAA server (the authenticated anticipatory keying usage model).

It is assumed that the CAP and SAP are different entities. It is further assumed in describing these models that there is no direct L2 connectivity between the peer and the candidate attachment point.

6.1. EAP Pre-Authentication Usage Models

In the EAP pre-authentication model, the SAP does not interact with the AAA server directly. Depending on how the SAP is involved in the pre-authentication signaling, the EAP pre-authentication usage model can be further categorized into the following two sub-models, direct and indirect.

6.1.1. The Direct Pre-Authentication Model

In this model, the SAP is not involved in the EAP exchange and only forwards the EAP pre-authentication traffic as it would any other data traffic. The direct pre-authentication model is based on the assumption that the MD can discover candidate authenticators and establish direct IP communication with them. It is applicable to any of the cases described in Section 5.

           Mobile          Candidate Attachment          AAA Server
           Device              Point(CAP)
       +-----------+    +-------------------------+    +------------+
       |           |    |        Candidate        |    |            |
       |   Peer    |    |      Authenticator      |    | EAP Server |
       |           |    |                         |    |            |
       +-----------+    +-------------------------+    +------------+
       | MD-CAP    |<-->| MD-CAP    | | CAP-AAA   |<-->| CAP-AAA    |
       | Signaling |    | Signaling | | Signaling |    | Signaling  |
       +-----------+    +-----------+ +-----------+    +------------+
        

Figure 2: Direct Pre-Authentication Usage Model

The direct pre-authentication signaling for the usage model is shown in Figure 3.

    Mobile             Serving             Candidate            AAA/EAP
    Device         Attachment Point      Authenticator          Server
                        (SAP)
      |                   |                    |                   |
      |                   |                    |                   |
      |     EAP over MD-CAP Signaling (L3)     |    EAP over AAA   |
      |<------------------+------------------->|<----------------->|
      |                   |                    |                   |
      |                   |                    |                   |
        

Figure 3: Direct Pre-Authentication Signaling for the Usage Model

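The signaling of Figures 2 and 3 can be exercised end to end in a small simulation. The following Python program is an added example, not code from RFC 5836 or from any EAP implementation; it assumes a stand-in EAP method (a single HMAC challenge/response over a constructed long-term secret), an HMAC-SHA256 KDF, and a secure association that derives the link key from the MSK and two nonces. It models the four elements of the direct model: the peer, the SAP (which merely forwards IP and therefore does not appear in the EAP exchange), the candidate authenticator in pass-through mode, and the AAA/EAP server. It counts AAA exchanges on the handover critical path, which is the latency the early authentication is meant to remove.

```python
"""Added example (not from RFC 5836): a toy model of the direct
pre-authentication usage model in Section 6.1.1.  The EAP method, the KDF
and the secure-association step are stand-ins assumed for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def kdf(key: bytes, label: str, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a label and the concatenated inputs (assumed KDF)."""
    return hmac.new(key, label.encode() + b"|" + b"|".join(parts), hashlib.sha256).digest()


@dataclass
class EapServer:
    """AAA/EAP server: holds peer credentials and exports an MSK on success."""
    credentials: dict            # peer identity -> long-term secret (constructed)
    aaa_round_trips: int = 0     # AAA exchanges seen, for latency accounting

    def authenticate(self, identity: str, challenge: bytes, response: bytes):
        self.aaa_round_trips += 1
        secret = self.credentials.get(identity)
        if secret is None or not hmac.compare_digest(response, kdf(secret, "eap-resp", challenge)):
            return None
        return kdf(secret, "msk", challenge)   # MSK exported to the authenticator


@dataclass
class Authenticator:
    """Attachment point acting as a pass-through authenticator (SAP, CAP or TAP)."""
    ap_id: str
    server: EapServer
    msk_cache: dict = field(default_factory=dict)   # peer identity -> MSK

    def run_eap(self, identity: str, respond) -> bool:
        """One EAP exchange; `respond` maps the challenge to the peer's
        response.  The MSK is kept for this peer when the server accepts."""
        challenge = secrets.token_bytes(16)
        msk = self.server.authenticate(identity, challenge, respond(challenge))
        if msk is None:
            return False
        self.msk_cache[identity] = msk
        return True

    def secure_association(self, identity: str, anonce: bytes, snonce: bytes):
        """Link-layer key from the held MSK; None if no MSK exists for the peer."""
        msk = self.msk_cache.get(identity)
        return None if msk is None else kdf(msk, "link-key", anonce, snonce)


@dataclass
class MobileDevice:
    identity: str
    secret: bytes
    msks: dict = field(default_factory=dict)   # ap_id -> MSK established with that AP

    def run_eap(self, ap: Authenticator) -> bool:
        """EAP peer side.  Identical whether the frames cross the link to the
        SAP or travel over L3 to a CAP: the SAP only forwards IP packets."""
        def respond(challenge: bytes) -> bytes:
            self.msks[ap.ap_id] = kdf(self.secret, "msk", challenge)
            return kdf(self.secret, "eap-resp", challenge)
        ok = ap.run_eap(self.identity, respond)
        if not ok:
            self.msks.pop(ap.ap_id, None)
        return ok


def early_authenticate(md: MobileDevice, cap: Authenticator) -> bool:
    """Direct pre-authentication, run while data still flows via the SAP."""
    return md.run_eap(cap)


def handover(md: MobileDevice, tap: Authenticator) -> dict:
    """Handover execution with the TAP: secure association from the MSK.
    Reports whether both ends agree on the link key and how many AAA round
    trips landed on the handover critical path."""
    before = tap.server.aaa_round_trips
    if tap.ap_id not in md.msks:
        # No early authentication: full EAP runs now and adds AAA latency.
        if not md.run_eap(tap):
            return {"keys_match": False, "aaa_round_trips": tap.server.aaa_round_trips - before}
    anonce, snonce = secrets.token_bytes(16), secrets.token_bytes(16)
    ap_key = tap.secure_association(md.identity, anonce, snonce)
    md_key = kdf(md.msks[tap.ap_id], "link-key", anonce, snonce)
    return {"keys_match": ap_key is not None and hmac.compare_digest(ap_key, md_key),
            "aaa_round_trips": tap.server.aaa_round_trips - before}


if __name__ == "__main__":
    server = EapServer({"peer@example": b"constructed-secret"})   # constructed credential
    sap, cap = Authenticator("SAP", server), Authenticator("CAP", server)
    md = MobileDevice("peer@example", b"constructed-secret")
    md.run_eap(sap)                       # initial attachment to the SAP
    early_authenticate(md, cap)           # EAP with the CAP over L3, via the SAP
    print("with early auth:", handover(md, cap))
    print("without early auth:", handover(md, Authenticator("OTHER", server)))
```

With early authentication the handover spends no AAA round trips, because the MSK for the CAP is already held by both the peer and the candidate authenticator; a handover to an attachment point that was not pre-authenticated pays for the full EAP exchange on the critical path.
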
6.1.2. The Indirect Pre-Authentication Usage Model

The indirect pre-authentication usage model is illustrated in Figure 4.

    Mobile Device      Serving              Candidate          AAA
        (MD)       Attachment Point     Attachment Point      Server
                        (SAP)                 (CAP)
    +----------+                         +----------------+   +--------+
    |          |                         |                |   |        |
    | EAP Peer |                         |    Candidate   |   | EAP    |
    |          |                         |  Authenticator |   | Server |
    |          |                         |                |   |        |
    +----------+   +---------+-------+   +-------+--------+   +--------+
    |  MD-SAP  |<->| MD-SAP  |SAP-CAP|<->|SAP-CAP|CAP-AAA |<->|CAP-AAA |
    +----------+   +---------+-------+   +-------+--------+   +--------+
    {-----------------------------Signaling----------------------------}

Figure 4: Indirect Pre-Authentication Usage Model


In the indirect pre-authentication model, it is assumed that a trust relationship exists between the serving network (or serving AAA realm) and the candidate network (or candidate AAA realm). The SAP is involved in EAP pre-authentication signaling. This pre-authentication model is needed if the peer cannot discover the candidate authenticator's identity or if direct IP communication between the MD and the CAP is not possible due to security or network topology issues.

The role of the SAP in this pre-authentication model is to forward EAP pre-authentication signaling between the mobile device and CAP; the role of the CAP is to forward EAP pre-authentication signaling between the peer (via the SAP) and EAP server and receive the transported keying material.


The pre-authentication signaling for this model is shown in Figure 5.


    Mobile             Serving              Candidate            AAA/EAP
    Device         Attachment Point     Attachment Point         Server
                        (SAP)                (CAP)
      |                   |                    |                   |
      |     EAP over      |       EAP over     |   EAP over AAA    |
      | MD-SAP Signaling  |  SAP-CAP Signaling |                   |
      |    (L2 or L3)     |        (L3)        |                   |
      |<----------------->|<------------------>|<----------------->|
      |                   |                    |                   |
      |                   |                    |                   |

Figure 5: Indirect Pre-Authentication Signaling for the Usage Model


In this model, the pre-authentication signaling path between a peer and a candidate authenticator consists of two segments: peer-to-SAP signaling (over L2 or L3) and SAP-to-CAP signaling over L3.


6.2. The Authenticated Anticipatory Keying Usage Model

In this model, it is assumed that there is no trust relationship between the SAP and the CAP, and the SAP is required to interact with the AAA server directly. The authenticated anticipatory keying usage model is illustrated in Figure 6.


     Mobile            Serving               AAA Server      Candidate
     Device        Attachment Point                          Attachment
                        (SAP)                                Point (CAP)
   +---------+   +------------------+   +-----------------+  +--------+
   |         |   |                  |   |                 |  |        |
   |  Peer   |   |   Authenticator  |   |   EAP Server    |  |  AAA   |
   |         |   |                  |   |                 |  | Client |
   +---------+   +------------------+   +-----------------+  +--------+
   |  MD-SA  |<->|  MD-SAP |SAP-AAA |<->|SAP-AAA |CAP-AAA |<>|CAP-AAA |
   +---------+   +------------------+   +--------+--------+  +--------+
   {------------------------------Signaling---------------------------}

Figure 6: Authenticated Anticipatory Keying Usage Model


The SAP is involved in EAP authenticated anticipatory keying signaling.


The role of the serving attachment point in this usage model is to communicate with the peer on one side and exchange authenticated anticipatory keying signaling with the EAP server on the other side. The role of the candidate authenticator is to receive the transported keying materials from the EAP server and to act as the serving attachment point after handover occurs. The MD-SAP signaling is performed over L2 or L3; the SAP-AAA and AAA-CAP segments operate over L3.


7. Architectural Considerations

There are two architectural issues relating to early authentication: authenticator discovery and context binding.


7.1. Authenticator Discovery

In general, early authentication requires the identity of a candidate attachment point to be discovered by a peer, by a serving attachment point, or by some other entity prior to handover. An attachment point discovery protocol is typically defined as a separate protocol from an early authentication protocol. For example, the IEEE 802.21 Information Service (IS) [IEEE.802-21] provides a link-layer-independent mechanism for obtaining neighboring network information by defining a set of Information Elements (IEs), where one of the IEs is defined to contain an IP address of an attachment point. IEEE 802.21 IS queries for such an IE may be used as a method for authenticator discovery.


If IEEE 802.21 IS or a similar mechanism is used, authenticator discovery requires a database of information regarding the target network; the provisioning of a server with such a database is another issue.


7.2. Context Binding

When a candidate authenticator uses different EAP transport protocols for normal authentication and early authentication, a mechanism is needed to bind link-layer-independent context carried over early authentication signaling to the link-layer-specific context of the link to be established between the peer and the candidate authenticator. The link-layer-independent context includes the identities of the peer and authenticator as well as the MSK. The link-layer-specific context includes link-layer addresses of the peer and the candidate authenticator. Such context binding can happen before or after the peer changes its point of attachment.


There are at least two possible approaches to address the context binding issue. The first approach is based on communicating the link-layer context as opaque data via early authentication signaling. The second approach is based on running EAP over the link layer of the candidate authenticator after the peer arrives at the authenticator, using short-term credentials generated via early authentication. In this case, the short-term credentials are shared between the peer and the candidate authenticator. In both approaches, context binding needs to be securely made between the peer and the candidate authenticator. Also, the peer is not fully authorized by the candidate authenticator until the peer completes the link-layer-specific secure association procedure with the authenticator using link-layer signaling.


8. AAA Issues

Most of the AAA documents today do not distinguish between a normal authentication and an early authentication, and this creates a set of open issues:


Early authentication authorization
   Users may not be allowed to have more than one logon session at a time. This means that while such users actively engage in a session (as a result of a previously valid authentication), they will not be able to perform early authentication. The AAA server currently has no way of distinguishing between a normal authentication request and an early authentication request.

Early authentication lifetime
   Currently, AAA protocols define attributes carrying lifetime information for a normal authentication session. Even when a user profile and the AAA server support early authentication, the lifetime for an early authentication session is typically valid only for a short amount of time because the peer has not completed its authentication at the target link layer. It is currently not possible for a AAA server to indicate to the AAA client or a peer the lifetime of the early authenticated session unless AAA protocols are extended to carry early authentication session lifetime information. In other words, it is not clear to the peer or the authenticator when the early authentication session will expire.

Early authentication retries
   It is typically expected that, shortly following the early authentication process, the peer moves to the new point of attachment and converts the early authentication state to a normal authentication state (the procedure for which is not the topic of this particular subsection). However, if the peer has not yet moved to the new location and realizes that the early authentication session is expiring, it may perform another early authentication. Some limiting mechanism is needed to avoid an unlimited number of early authentication attempts.

Completion of network attachment
   Once the peer has successfully attached to the new point of attachment, it needs to convert its authentication state from early authenticated to fully attached and authorized. If the AAA server needs to differentiate between early authentication and normal authentication, there may need to be a mechanism within the AAA protocol to provide this indication to the AAA server. This may be important from a billing perspective if the billing policy does not charge for an early authenticated peer until the peer is fully attached to the target authenticator.

Session resumption
   In the case where the peer cycles between a network N1 with which it has fully authenticated and another network N2 and then back to N1, it should be possible to simply convert the fully authenticated state on N1 to an early authenticated state. The problems around handling session lifetime and keying material caching need to be dealt with.

Multiple candidate attachment points
   There may be situations where the peer needs to choose from a number of CAPs. In such cases, it is desirable for the peer to perform early authentication with multiple candidate authenticators. This amplifies the difficulties noted under the point "Early authentication authorization".

Inter-AAA-realm handover support
   There may be situations where the peer moves out of the home AAA realm or across different visited AAA realms. In such cases, the early authentication should be performed through the visited AAA realm with the AAA server in the home AAA realm. It also requires AAA in the visited realm to acquire the identity information of the home AAA realms for routing the EAP early authentication traffic. Knowledge of realm identities is required by both the peer and AAA to generate the early authentication key for mutual authentication between the peer and the visited AAA server.

Inter-technology support
   Current specifications on early authentication mostly deal with homogeneous 802.11 networks. AAA attributes such as Calling-Station-ID [RADEXT-WLAN] may need to be expanded to cover other access technologies. Furthermore, inter-technology handovers may require a change of the peer identifier as part of the handover. Investigation on the best type of identifiers for peers that support multiple access technologies is required.
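The open issues above become concrete if one models what a AAA server would have to track once its protocol could carry an early-authentication indication. The following Python model is an added example, not part of RFC 5836 or of any AAA implementation; the lifetimes, the retry cap and the candidate cap are constructed policy values, and the single-logon rule, bounded retries, completion of attachment and session resumption (N1 -> N2 -> N1) each map to one item of the list.

```python
"""AAA-side bookkeeping for early authentication, modelling the open issues
listed in Section 8. Added example, not part of RFC 5836 or of any AAA
implementation; lifetimes, retry cap and candidate cap are constructed."""
from dataclasses import dataclass

EARLY_LIFETIME = 30     # seconds: early sessions are short-lived (constructed)
NORMAL_LIFETIME = 3600  # seconds: lifetime once fully attached (constructed)
MAX_EARLY_RETRIES = 3   # bound on repeated early authentication at one CAP (constructed)
MAX_CANDIDATES = 2      # bound on concurrent candidate authenticators (constructed)


@dataclass
class Session:
    user: str
    authenticator: str
    state: str          # "early" (keys delivered, peer not yet attached) or "normal"
    expires_at: float
    retries: int = 0


class EarlyAuthTracker:
    def __init__(self):
        self.sessions = {}  # (user, authenticator) -> Session

    def _live(self, user, now):
        return [s for (u, _), s in self.sessions.items()
                if u == user and s.expires_at > now]

    def authenticate(self, user, authenticator, now, early=False):
        """Handle one access request. `early` is the indication Section 8 notes
        AAA protocols lack today; a request without it is treated as normal."""
        live = self._live(user, now)
        normal = [s for s in live if s.state == "normal"]
        if not early:
            # single-logon policy: a second normal session elsewhere is refused
            if normal and all(s.authenticator != authenticator for s in normal):
                return "reject: user already has an active session"
            self.sessions[(user, authenticator)] = Session(
                user, authenticator, "normal", now + NORMAL_LIFETIME)
            return "accept: normal"
        existing = self.sessions.get((user, authenticator))
        if existing is not None and existing.expires_at > now:
            if existing.state == "normal":
                return "noop: already attached here"
            # early session about to expire: allow a bounded number of renewals
            if existing.retries >= MAX_EARLY_RETRIES:
                return "reject: early authentication retry limit reached"
            existing.retries += 1
            existing.expires_at = now + EARLY_LIFETIME
            return f"accept: early (retry {existing.retries})"
        # early authentication toward a new candidate, bounded in number
        if sum(1 for s in live if s.state == "early") >= MAX_CANDIDATES:
            return "reject: too many candidate authenticators"
        self.sessions[(user, authenticator)] = Session(
            user, authenticator, "early", now + EARLY_LIFETIME)
        return "accept: early"

    def complete_attachment(self, user, authenticator, now):
        """Peer has attached at the candidate: promote early -> normal and demote
        the old serving session to early so a return (N1 -> N2 -> N1) can resume."""
        s = self.sessions.get((user, authenticator))
        if s is None or s.expires_at <= now:
            return "reject: no valid early authentication"
        if s.state == "normal":
            return "noop: already attached here"
        s.state, s.expires_at, s.retries = "normal", now + NORMAL_LIFETIME, 0
        for (u, a), other in self.sessions.items():
            if u == user and a != authenticator and other.state == "normal":
                other.state, other.expires_at = "early", now + EARLY_LIFETIME
        return "accept: attached"

    def state_of(self, user, authenticator, now):
        s = self.sessions.get((user, authenticator))
        return "none" if s is None or s.expires_at <= now else s.state
```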

9. Security Considerations

This section specifically covers threats introduced to the EAP model by early authentication. Security issues on general EAP and handover are described in other documents such as [RFC3748], [RFC4962], [RFC5169], and [RFC5247].


Since early authentication, as described in this document, needs to work across multiple attachment points, any solution needs to consider the following security threats.


First, a resource consumption denial-of-service attack is possible, where an attacker that is not on the same IP link as the legitimate peer or the candidate authenticator may send unprotected early authentication messages to the legitimate peer or the candidate authenticator. As a result, the latter may spend computational and bandwidth resources on processing early authentication messages sent by the attacker. This attack is possible in both the direct and indirect pre-authentication scenarios. To mitigate this attack, the candidate network or authenticator may apply non-cryptographic packet filtering so that only early authentication messages received from a specific set of serving networks or authenticators are processed. In addition, a simple solution for the peer side would be to let the peer always initiate EAP early authentication and not allow EAP early authentication initiation from an authenticator.
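As an added illustration (not from RFC 5836), the following Python sketch models the two mitigations just described on the defender side: non-cryptographic source filtering at the candidate authenticator, and a peer that only processes early authentication it initiated itself. The allowlisted prefixes (RFC 5737/3849 documentation ranges) and the per-source budget are constructed values.

```python
"""Two mitigations from Section 9 modelled on the defender side. Added example,
not from RFC 5836; the allowlisted prefixes and per-source budget are constructed."""
import ipaddress
from collections import defaultdict


class CandidateAuthenticatorFilter:
    """Non-cryptographic filtering at the candidate network: process early
    authentication messages only when they arrive from an allowlisted serving
    network, and bound how many one source may submit per accounting window.
    Nothing here is authenticated, so this limits resource consumption rather
    than preventing a sender with a spoofed source from reaching the EAP server."""

    def __init__(self, serving_networks, per_source_limit):
        self.allowed = [ipaddress.ip_network(n) for n in serving_networks]
        self.limit = per_source_limit
        self.seen = defaultdict(int)  # source address -> messages this window

    def admit(self, src):
        """Return (accepted, reason) for one early authentication message."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False, "drop: malformed source address"
        if not any(addr in net for net in self.allowed):
            return False, "drop: source not in a trusted serving network"
        self.seen[src] += 1
        if self.seen[src] > self.limit:
            return False, "drop: per-source budget exhausted"
        return True, "process: hand to EAP server"

    def new_window(self):
        """Reset the per-source counters at the start of a new window."""
        self.seen.clear()


class PeerEarlyAuthPolicy:
    """Peer side: early authentication is always peer-initiated, so any
    authenticator-originated trigger is ignored and EAP messages are only
    handled for candidates the peer itself contacted."""

    def __init__(self):
        self.pending = set()  # candidate authenticators the peer has started with

    def initiate(self, candidate):
        self.pending.add(candidate)
        return f"start: EAP early authentication with {candidate}"

    def on_message(self, sender, msg_type):
        if msg_type == "trigger":
            return "ignore: authenticator-initiated early authentication"
        if sender not in self.pending:
            return "ignore: no early authentication in progress with sender"
        return "process: EAP message in peer-initiated exchange"

    def finish(self, candidate):
        """Exchange with this candidate is over; stop accepting its messages."""
        self.pending.discard(candidate)
```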

Second, consideration for the channel binding problem described in [RFC5247] is needed, as lack of channel binding may enable an authenticator to impersonate another authenticator or communicate incorrect information via out-of-band mechanisms (such as via a AAA or lower-layer protocol) [RFC3748]. It should be noted that such an impersonation attack is easier to launch against early authentication than against normal authentication because an attacker does not need to be physically on the same link as the legitimate peer to send an early authentication trigger to the peer.

10. Acknowledgments

The editors would like to thank Preetida Vinayakray, Shubhranshu Singh, Ajay Rajkumar, Rafa Marin Lopez, Jong-Hyouk Lee, Maryna Komarova, Katrin Hoeper, Subir Das, Charles Clancy, Jari Arkko, and Bernard Aboba for their valuable input.


11. Contributors

The following people all contributed to this document: Alper E. Yegin, Tom Taylor, Srinivas Sreemanthula, Madjid Nakhjiri, Mahalingam Mani, and Ashutosh Dutta.


12. References
12.1. Normative References

[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004.


[RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, Authorization, and Accounting (AAA) Key Management", BCP 132, RFC 4962, July 2007.


[RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible Authentication Protocol (EAP) Key Management Framework", RFC 5247, August 2008.


12.2. Informative References

[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.


[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, "Diameter Base Protocol", RFC 3588, September 2003.


[RFC5169] Clancy, T., Nakhjiri, M., Narayanan, V., and L. Dondeti, "Handover Key Management and Re-Authentication Problem Statement", RFC 5169, March 2008.

[RFC5296] Narayanan, V. and L. Dondeti, "EAP Extensions for EAP Re-authentication Protocol (ERP)", RFC 5296, August 2008.


[RADEXT-WLAN] Aboba, B., Malinen, J., Congdon, P., and J. Salowey, "RADIUS Attributes for IEEE 802 Networks", Work in Progress, February 2010.


[RFC2989] Aboba, B., Calhoun, P., Glass, S., Hiller, T., McCann, P., Shiino, H., Zorn, G., Dommety, G., Perkins, C., Patil, B., Mitton, D., Manning, S., Beadles, M., Walsh, P., Chen, X., Sivalingham, S., Hameed, A., Munson, M., Jacobs, S., Lim, B., Hirschman, B., Hsu, R., Xu, Y., Campell, E., Baba, S., and E. Jaques, "Criteria for Evaluating AAA Protocols for Network Access", RFC 2989, November 2000.

[IEEE.802-1X.2004] Institute of Electrical and Electronics Engineers, "Port-Based Network Access Control", IEEE Standard 802.1X, 2004.


[IEEE.802-21] Institute of Electrical and Electronics Engineers, "Standard for Local and Metropolitan Area Networks: Media Independent Handover Services", IEEE Standard 802.21, 2008.


[IEEE.802-11.2007] Institute of Electrical and Electronics Engineers, "Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications", IEEE Standard 802.11, 2007.


[IEEE.802-11R.2008] Institute of Electrical and Electronics Engineers, "Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications - Amendment 2: Fast BSS Transition", IEEE Standard 802.11R, 2008.


[IEEE.802-11F.2003] Institute of Electrical and Electronics Engineers, "IEEE Trial-Use Recommended Practice for Multi-Vendor Access Point Interoperability via an Inter-Access Point Protocol Across Distribution Systems Supporting IEEE 802.11 Operation", IEEE Recommendation 802.11F, 2003.


[TS33.402] 3GPP, "System Architecture Evolution (SAE): Security aspects of non-3GPP accesses (Release 8)", 3GPP TS33.402 V8.3.1, 2009.


[ITU] ITU-T, "General Characteristics of International Telephone Connections and International Telephone Circuits: One-Way Transmission Time", ITU-T Recommendation G.114, 1998.


[WPA] The Wi-Fi Alliance, "WPA (Wi-Fi Protected Access)", Wi-Fi WPA v3.1, 2004.


[MQ7] Lopez, R., Dutta, A., Ohba, Y., Schulzrinne, H., and A. Skarmeta, "Network-layer Assisted Mechanism to Optimize Authentication Delay During Handoff in 802.11 Networks", The 4th Annual International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services (MOBIQUITOUS 2007), 2007.


[WCM] Dutta, A., Famorali, D., Das, S., Ohba, Y., and R. Lopez, "Media-independent pre-authentication supporting secure interdomain handover optimization", IEEE Wireless Communications Volume 15, Issue 2, April 2008.


Authors' Addresses


Yoshihiro Ohba Toshiba Corporate Research and Development Center 1 Komukai-Toshiba-cho Saiwai-ku, Kawasaki, Kanagawa, 212-8582 Japan


   Phone: +81 44 549 2230
   EMail: yoshihiro.ohba@toshiba.co.jp

Qin Wu (editor) Huawei Technologies Co., Ltd Huawei Nanjing R&D Center, Floor 1F, Software Avenue, No.101., Yuhua District Nanjing, JiangSu 210012 China


   Phone: +86 25 56622908
   EMail: sunseawq@huawei.com

Glen Zorn (editor) Network Zen 1463 East Republican Street Seattle, Washington 98112 USA


   EMail: gwz@net-zen.net