Internet Engineering Task Force (IETF)                           Y. Ohba
Request for Comments: 5836                                       Toshiba
Category: Informational                                       Q. Wu, Ed.
ISSN: 2070-1721                                                   Huawei
                                                            G. Zorn, Ed.
                                                             Network Zen
                                                              April 2010
Extensible Authentication Protocol (EAP) Early Authentication Problem Statement
Abstract
Extensible Authentication Protocol (EAP) early authentication may be defined as the use of EAP by a mobile device to establish authenticated keying material on a target attachment point prior to its arrival. This document discusses the EAP early authentication problem in detail.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5836.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
Table of Contents
1. Introduction
2. Terminology
3. Problem Statement
   3.1. Handover Preparation
   3.2. Handover Execution
        3.2.1. Examples
   3.3. Solution Space
        3.3.1. Context Transfer
        3.3.2. Early Authentication
4. System Overview
5. Topological Classification of Handover Scenarios
6. Models of Early Authentication
   6.1. EAP Pre-Authentication Usage Models
        6.1.1. The Direct Pre-Authentication Model
        6.1.2. The Indirect Pre-Authentication Usage Model
   6.2. The Authenticated Anticipatory Keying Usage Model
7. Architectural Considerations
   7.1. Authenticator Discovery
   7.2. Context Binding
8. AAA Issues
9. Security Considerations
10. Acknowledgments
11. Contributors
12. References
   12.1. Normative References
   12.2. Informative References
1. Introduction

When a mobile device, during an active communication session, moves from one access network to another and changes its attachment point, the session may be subjected to disruption of service due to the delay associated with the handover operation. The performance requirements of a real-time application will vary based on the type of application and its characteristics such as delay and packet-loss tolerance. For Voice over IP applications, ITU-T G.114 [ITU] recommends a steady-state end-to-end delay of 150 ms as the upper limit and rates 400 ms as generally unacceptable delay. Similarly, a streaming application has tolerable packet-error rates ranging from 0.1 to 0.00001 with a transfer delay of less than 300 ms. Any help that an optimized handoff mechanism can provide toward meeting these objectives is useful. The ultimate objective is to achieve seamless handover with low latency, even when handover is between different link technologies or between different Authentication, Authorization, and Accounting (AAA) realms.
As a mobile device goes through a handover process, it is subjected to delay because of the rebinding of its association at or across several layers of the protocol stack and because of the additional round trips needed for a new EAP exchange. Delays incurred within each protocol layer affect the ongoing multimedia application and data traffic within the client [WCM].
The handover process often requires authentication and authorization for acquisition or modification of resources assigned to the mobile device. In most cases, these authentications and authorizations require interaction with a central authority in a realm. In some cases, the central authority may be distant from the mobile device. The delay introduced due to such an authentication and authorization procedure adds to the handover latency and consequently affects ongoing application sessions [MQ7]. The discussion in this document is focused on mitigating delay due to EAP authentication.
2. Terminology

AAA
   Authentication, Authorization, and Accounting (see below). RADIUS [RFC2865] and Diameter [RFC3588] are examples of AAA protocols defined in the IETF.

AAA realm
   The set of access networks within the scope of a specific AAA server. Thus, if a mobile device moves from one attachment point to another within the same AAA realm, it continues to be served by the same AAA server.

Accounting
   The act of collecting information on resource usage for the purpose of trend analysis, auditing, billing, or cost allocation [RFC2989].

Attachment Point
   A device, such as a wireless access point, that serves as a gateway between access clients and a network. In the context of this document, an attachment point must also support EAP authenticator functionality and may act as a AAA client.

Authentication
   The act of verifying a claimed identity, in the form of a preexisting label from a mutually known name space, as the originator of a message (message authentication) or as the end-point of a channel (entity authentication) [RFC2989].

Authenticator
   The end of the link initiating EAP authentication [RFC3748].

Authorization
   The act of determining if a particular right, such as access to some resource, can be granted to the presenter of a particular credential [RFC2989].

Candidate Access Network
   An access network that can potentially become the target access network for a mobile device. Multiple access networks may be candidates simultaneously.

Candidate Attachment Point (CAP)
   An attachment point that can potentially become the target attachment point for a mobile device. Multiple attachment points may be candidates simultaneously.

Candidate Authenticator (CA)
   The EAP authenticator on the CAP.

EAP Server
   The entity that terminates the EAP authentication method with the peer [RFC3748]. EAP servers are often, but not necessarily, co-located with AAA servers, using a AAA protocol to communicate with remote pass-through authenticators.

Inter-AAA-realm Handover (Inter-realm Handover)
   A handover across multiple AAA realms.

Inter-Technology Handover
   A handover across different link-layer technologies.

Intra-AAA-realm Handover (Intra-realm Handover)
   A handover within the same AAA realm. Intra-AAA-realm handover includes a handover across different authenticators within the same AAA realm.

Intra-Technology Handover
   A handover within the same link-layer technology.

Master Session Key (MSK)
   Keying material that is derived between the EAP peer and server and exported by the EAP method [RFC3748].

Peer
   The entity that responds to the authenticator and requires authentication [RFC3748].

Serving Access Network
   An access network that is currently serving the mobile device.

Serving Attachment Point (SAP)
   An attachment point that is currently serving the mobile device.

Target Access Network
   An access network that has been selected to be the new serving access network for a mobile device.

Target Attachment Point (TAP)
   An attachment point that has been selected to be the new SAP for a mobile device.
3. Problem Statement

The basic mechanism of handover is a two-step procedure involving

   o handover preparation and

   o handover execution
3.1. Handover Preparation

Handover preparation includes the discovery of candidate attachment points and selection of an appropriate target attachment point from the candidate set. Handover preparation is outside the scope of this document.
3.2. Handover Execution

Handover execution consists of setting up Layer 2 (L2) and Layer 3 (L3) connectivity with the TAP. Currently, handover execution includes network access authentication and authorization performed directly with the target network; this may include full EAP authentication in the absence of any particular optimization for handover key management. Following a successful EAP authentication, a secure association procedure is typically performed between the mobile device and the TAP to derive a new set of link-layer encryption keys from EAP keying material such as the MSK. The handover latency introduced by full EAP authentication has proven to be higher than that which is acceptable for real-time application scenarios [MQ7]; hence, reduction in handover latency due to EAP is a necessary objective for such scenarios.
3.2.1. Examples

In IEEE 802.11 Wireless Local Area Networks (WLANs) [IEEE.802-11.2007] network access authentication and authorization involves performing a new IEEE 802.1X [IEEE.802-1X.2004] message exchange with the authenticator in the TAP to execute an EAP exchange with the authentication server [WPA]. There has been some optimization work undertaken by the IEEE, but these efforts have been scoped to IEEE link-layer technologies; for example, the work done in the IEEE 802.11f [IEEE.802-11F.2003] and 802.11r [IEEE.802-11R.2008] Task Groups applies only to intra-technology handovers.

The Third Generation Partnership Project (3GPP) Technical Specification 33.402 [TS33.402] defines the authentication and key management procedures performed during interworking between non-3GPP access networks and the Evolved Packet System (EPS). Network access authentication and authorization happens after the L2 connection is established between the mobile device and a non-3GPP target access network, and involves an EAP exchange between the mobile device and the 3GPP AAA server via the non-3GPP target access network. These procedures are not really independent of link technology, since they assume either that the authenticator lies in the EPS network or that separate authentications are performed in the access network and then in the EPS network.
3.3. Solution Space

As the examples in the preceding sections illustrate, a solution is needed to enable EAP early authentication for inter-AAA-realm handovers and inter-technology handovers. A search for solutions at the IP level may offer the necessary technology independence.

Optimized solutions for secure inter-authenticator handovers can be seen either as security context transfer (e.g., using the EAP Extensions for EAP Re-authentication Protocol (ERP)) [RFC5296], or as EAP early authentication.
3.3.1. Context Transfer

Security context transfer involves transfer of reusable key context to the TAP and can take two forms: horizontal and vertical.

Horizontal security context transfer (e.g., from SAP to TAP) is not recommended because of the possibility that the compromise of one attachment point might lead to the compromise of another (the so-called domino effect, [RFC4962]). Vertical context transfer is similar to the initial establishment of keying material on an attachment point in that the keys are sent from a trusted server to the TAP as a direct result of a successful authentication. ERP specifies vertical context transfer using existing EAP keying material obtained from the home AAA server during the initial authentication. A cryptographically independent re-authentication key is derived and transmitted to the TAP as a result of successful ERP authentication. This reduces handover delay for intra-realm handovers by eliminating the need to run full EAP authentication with the home EAP server.

However, in the case of inter-realm handover, either ERP is not applicable or an additional optimization mechanism is needed to establish a key on the TAP.
3.3.2. Early Authentication

In EAP early authentication, AAA-based authentication and authorization for a CAP is performed while ongoing data communication is in progress via the serving access network, the goal being to complete AAA signaling for EAP before the mobile device moves. The applicability of EAP early authentication is limited to the scenarios where candidate authenticators can be discovered and an accurate prediction of movement can be easily made. In addition, the effectiveness of EAP early authentication may be less significant for particular inter-technology-handover scenarios where simultaneous use of multiple technologies is not a major concern.

There are also several AAA issues related to EAP early authentication, discussed in Section 8.
4. System Overview

Figure 1 shows the functional elements that are related to EAP early authentication. These functional elements include a mobile device, a SAP, a CAP, and one or more AAA and EAP servers; for the sake of convenience, the AAA and EAP servers are represented as being co-located. When the SAP and CAP belong to different AAA realms, the CAP may require a different set of user credentials than those used by the peer when authenticating to the SAP. Alternatively, the CAP and the SAP may rely on the same AAA server, located in the home realm of the mobile device (MD).

      +------+      +-------+      +---------+    +---------+
      |  MD  |------|  SAP  |------|         |    |         |
      +------+      +-------+      |   IP    |    | EAP/AAA |
         .                         |         |----|         |
         . Move                    | Network |    | Server  |
         v          +-------+      |         |    |         |
                    |  CAP  |------|         |    |         |
                    +-------+      +---------+    +---------+

Figure 1: EAP Early Authentication Functional Elements
A mobile device is attached to the serving access network. Before the MD performs handover from the serving access network to a candidate access network, it performs EAP early authentication with a candidate authenticator via the serving access network. The peer may perform EAP early authentication with one or more candidate authenticators. It is assumed that each attachment point has an IP address. It is assumed that there is at least one CAP in each candidate access network. The serving and candidate access networks may use different link-layer technologies.
Each authenticator is either a standalone authenticator or a pass-through authenticator [RFC3748]. When an authenticator acts as a standalone authenticator, it also has the functionality of an EAP server. When an authenticator acts as a pass-through authenticator, it communicates with the EAP server, typically using a AAA transport protocol such as RADIUS [RFC2865] or Diameter [RFC3588].
If the CAP uses an MSK [RFC5247] for generating lower-layer ciphering keys, EAP early authentication is used to proactively generate an MSK for the CAP.
5. Topological Classification of Handover Scenarios

The complexity of the authentication and authorization part of handover depends on whether it involves a change in EAP server. Consider first the case where the authenticators operate in pass-through mode, so that the EAP server is co-located with a AAA server. Then, there is a strict hierarchy of complexity, as follows:
1. inter-attachment-point handover with common AAA server: the CAP and SAP are different entities, but the AAA server is the same. There are two sub-cases here:
(a) the AAA server is common because both attachment points lie within the same network, or
(b) the AAA server is common because AAA entities in the serving and candidate networks proxy to a AAA server in the home realm.
2. inter-AAA-realm handover: the CAP and SAP are different entities, and the respective AAA servers also differ. As a result, authentication in the candidate network requires a second set of user credentials.
A third case is where one or both authenticators are co-located with an EAP server. This has some of the characteristics of an inter-AAA-realm handover, but offers less flexibility for resolution of the early authentication problem.
Orthogonally to this classification, one can distinguish intra-technology handover from inter-technology handover based on the link technologies involved. In the inter-technology case, it is highly probable that the authenticators will differ. The most likely cases are 1(b) or 2 in the above list.
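As an added illustration (not code from RFC 5836), the following Python encodes the Section 5 hierarchy together with the Section 3.3 choice between ERP-based vertical context transfer and EAP early authentication; the attachment-point fields, sample networks and realm names are assumptions made for the example.

```python
"""Handover-scenario classifier following RFC 5836, Sections 3.3 and 5.

Added example, not code from RFC 5836. Field names, sample networks and
realm names are assumptions made for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttachmentPoint:
    """An attachment point and the EAP authenticator it hosts (assumed model)."""
    name: str
    link_tech: str            # link-layer technology, e.g. "802.11" or "3GPP"
    network: str              # access network the attachment point belongs to
    aaa_realm: str            # realm of the AAA/EAP server that authenticates the peer
    standalone: bool = False  # True: authenticator is co-located with an EAP server


@dataclass(frozen=True)
class HandoverClass:
    case: str                 # "1a", "1b", "2" or "3" (Section 5)
    inter_technology: bool    # SAP and CAP use different link technologies
    erp_applicable: bool      # ERP vertical context transfer avoids full EAP
    early_auth_needed: bool   # EAP early authentication is the remaining option
    second_credentials: bool  # authentication at the CAP needs a second credential set


def classify_handover(sap: AttachmentPoint, cap: AttachmentPoint) -> HandoverClass:
    """Map a (SAP, CAP) pair onto the Section 5 hierarchy and the Section 3.3 options."""
    if sap.name == cap.name:
        raise ValueError("the CAP and SAP are assumed to be different entities")
    inter_tech = sap.link_tech != cap.link_tech
    same_realm = sap.aaa_realm == cap.aaa_realm
    if sap.standalone or cap.standalone:
        # Third case: an authenticator terminates EAP itself, so no shared
        # pass-through server can deliver a re-authentication key to the CAP;
        # early authentication remains, but with less flexibility.
        return HandoverClass("3", inter_tech, False, True, not same_realm)
    if same_realm:
        # Case 1: common AAA server, either within one network (1a) or because
        # both networks proxy to the home realm (1b). ERP derives a
        # re-authentication key from existing EAP keying material (3.3.1).
        case = "1a" if sap.network == cap.network else "1b"
        return HandoverClass(case, inter_tech, True, False, False)
    # Case 2: different AAA servers. ERP is not applicable (or needs extra
    # machinery), so EAP early authentication against the CAP's realm is the
    # option this document studies (3.3.2); a second credential set is needed.
    return HandoverClass("2", inter_tech, False, True, True)


def recommended_mechanisms(hc: HandoverClass) -> list[str]:
    """Spell out the Section 3.3 options that apply to a classified handover."""
    options = []
    if hc.erp_applicable:
        options.append("vertical context transfer via ERP (re-auth key from home server)")
    if hc.early_auth_needed:
        options.append("EAP early authentication with the candidate authenticator")
    # Horizontal transfer (SAP -> CAP) is never offered: one compromised
    # attachment point could expose another (domino effect, RFC 4962).
    return options


if __name__ == "__main__":
    # Constructed sample attachment points for the demonstration.
    sap = AttachmentPoint("ap-1", "802.11", "campus-wlan", "home.example")
    for cap in (
        AttachmentPoint("ap-2", "802.11", "campus-wlan", "home.example"),
        AttachmentPoint("enb-1", "3GPP", "operator-lte", "home.example"),
        AttachmentPoint("ap-9", "802.11", "visited-wlan", "visited.example"),
        AttachmentPoint("ap-3", "802.11", "campus-wlan", "home.example", True),
    ):
        hc = classify_handover(sap, cap)
        print(f"{sap.name} -> {cap.name}: case {hc.case}, "
              f"inter-technology={hc.inter_technology}; {recommended_mechanisms(hc)}")
```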
6. Models of Early Authentication

As noted in Section 3, there are cases where early authentication is applicable while ERP does not work. This section concentrates on providing some models around which we can build our analysis of the EAP early authentication problem. Different usage models can be defined depending on whether
o the SAP is not involved in early authentication (direct pre-authentication usage model),
o the SAP interacts only with the CAP (indirect pre-authentication usage model), or
o the SAP interacts with the AAA server (the authenticated anticipatory keying usage model).
It is assumed that the CAP and SAP are different entities. It is further assumed in describing these models that there is no direct L2 connectivity between the peer and the candidate attachment point.
6.1. EAP Pre-Authentication Usage Models

In the EAP pre-authentication model, the SAP does not interact with the AAA server directly. Depending on how the SAP is involved in the pre-authentication signaling, the EAP pre-authentication usage model can be further categorized into the following two sub-models, direct and indirect.