EAP State Machines (draft-vollbrecht-eap-state-04.txt,ps) - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
EAP State Machines (draft-vollbrecht-eap-state-04.txt,ps)
  • John Vollbrecht, Pasi Eronen, Nick Petroni,
    Yoshihiro Ohba

2
Introduction
  • State machines for
      • EAP peer
      • EAP authenticator
      • Including special cases for passthrough and
        backend authenticator
  • Goals
      • Make understanding 2284bis easier
      • Work together with 802.1X state machines

3
Status
  • A lot of progress since 01 (IETF 56)
  • Version 03 incorporated as informative Annex in
    IEEE P802.1aa draft 6.1
  • Pre-alpha implementation by Yoshihiro Ohba for
    Open Diameter project

4
EAP peer

5
Peer changes
  • Main changes since 01 (IETF 56)
      • Data flows shown in the diagram (main source of
        size increase)
      • Silently discard packets that should not occur
        (main source of complexity)
      • Clarified interfaces to 802.1X

6
Peer lower layer interface
  • Lower layer → EAP
      • portEnabled, eapRestart
      • eapReq, eapReqData
      • altAccept / altReject
      • idleWhile (timer)
  • EAP → lower layer
      • eapResp, eapRespData
      • eapNoResp
      • eapSuccess, eapKeyAvailable, eapKeyData
      • eapFail

7
Peer method interface
  • EAP → Method
      • eapReqData
  • Method → EAP
      • intCheck (boolean)
      • methodState ∈ {CONT, MAY_CONT, DONE}
      • decision ∈ {FAIL, COND_SUCC, UNCOND_SUCC}
      • allowNotifications (boolean)
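
To make the two interfaces concrete, here is an added Python sketch of a peer that consumes the slide-6 lower-layer signals and drives a method through the slide-7 variables. It is not code from the draft or from the Open Diameter implementation. The method modelled is EAP-MD5-Challenge (type 4), the packet layout follows RFC 3748, and the variable names follow the slides. It applies the slide-5 rule of silently discarding packets that should not occur (a Response, or a Success/Failure whose identifier does not match the last answered request) and answers a duplicate request by retransmitting the previous response. The acceptance rules (Success honoured only when decision is not FAIL and the identifier matches, Failure honoured only once the method has left CONT) are a simplified reading of the draft, not text from it; Nak and the idleWhile timer are left out; identity, password and challenge bytes are constructed.

```python
import hashlib
import struct

# EAP codes and the types used here (RFC 3748)
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NOTIFICATION, MD5_CHALLENGE = 1, 2, 4

def parse(pkt):
    """Return (code, identifier, type, type_data), or None if the header is inconsistent."""
    if len(pkt) < 4 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    code, ident = pkt[0], pkt[1]
    if code in (SUCCESS, FAILURE):
        return code, ident, None, b""
    return (code, ident, pkt[4], pkt[5:]) if len(pkt) >= 5 else None   # Type byte required

def build(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

class Md5ChallengeMethod:
    """EAP-MD5-Challenge (type 4) seen through the slide-7 method interface."""
    def __init__(self, password):
        self.password = password
        self.methodState = "CONT"          # CONT | MAY_CONT | DONE
        self.decision = "FAIL"             # FAIL | COND_SUCC | UNCOND_SUCC
        self.allowNotifications = True
        self.keyData = None                # MD5-Challenge exports no keying material
    def check(self, data):                 # intCheck: is the request well formed?
        return len(data) >= 1 and len(data) >= 1 + data[0]
    def process(self, ident, data):
        challenge = data[1:1 + data[0]]
        digest = hashlib.md5(bytes([ident]) + self.password + challenge).digest()
        self.methodState = "DONE"
        self.decision = "COND_SUCC"        # peer cannot verify the server: needs an EAP Success
        return bytes([len(digest)]) + digest + b"peer"   # Value-Size, Value, Name

class EapPeer:
    """Peer state machine driven by the slide-6 lower-layer signals (simplified, assumption)."""
    def __init__(self, identity, method):
        self.identity, self.method, self.portEnabled = identity, method, True
        self.restart()
    def restart(self):                     # eapRestart from the lower layer
        self.lastId, self.lastRespData = None, None
        self.eapKeyAvailable, self.eapKeyData = False, None
        self._clear()
    def _clear(self):                      # exactly one outcome flag is set per event
        self.eapResp = self.eapNoResp = self.eapSuccess = self.eapFail = False
        self.eapRespData = None
    def _discard(self):                    # "silently discard packets that should not occur"
        self.eapNoResp = True
    def _respond(self, ident, eap_type, data):
        self.lastId = ident
        self.lastRespData = build(RESPONSE, ident, eap_type, data)
        self.eapResp, self.eapRespData = True, self.lastRespData
    def receive(self, pkt):                # eapReq with eapReqData = pkt
        self._clear()
        parsed = parse(pkt) if self.portEnabled else None
        if parsed is None:
            return self._discard()
        code, ident, eap_type, data = parsed
        m = self.method
        if code == REQUEST:
            if ident == self.lastId:       # duplicate request: retransmit the last response
                self.eapResp, self.eapRespData = True, self.lastRespData
            elif eap_type == IDENTITY:
                self._respond(ident, IDENTITY, self.identity)
            elif eap_type == NOTIFICATION and m.allowNotifications:
                self._respond(ident, NOTIFICATION, b"")
            elif eap_type == MD5_CHALLENGE and m.methodState != "DONE" and m.check(data):
                self._respond(ident, MD5_CHALLENGE, m.process(ident, data))
            else:
                self._discard()
        elif code == SUCCESS and ident == self.lastId and m.decision != "FAIL":
            self.eapSuccess = True
            self.eapKeyAvailable, self.eapKeyData = m.keyData is not None, m.keyData
        elif code == FAILURE and ident == self.lastId and m.methodState != "CONT":
            self.eapFail = True
        else:
            self._discard()                # out-of-order Success/Failure, or a Response

def run_exchange(password=b"secret", challenge=b"\x11\x22\x33\x44"):
    """Constructed offline exchange: Identity, MD5-Challenge, a duplicate request, Success."""
    peer = EapPeer(b"alice", Md5ChallengeMethod(password))
    out = {}
    peer.receive(build(REQUEST, 1, IDENTITY))
    out["identity"] = peer.eapRespData
    md5_req = build(REQUEST, 2, MD5_CHALLENGE, bytes([len(challenge)]) + challenge + b"srv")
    peer.receive(md5_req)
    out["md5"] = peer.eapRespData
    peer.receive(md5_req)                  # authenticator retransmitted: same id, same answer
    out["retransmit"] = peer.eapResp and peer.eapRespData == out["md5"]
    peer.receive(build(SUCCESS, 2))
    out["success"] = peer.eapSuccess
    return out
```

The point of routing every event through `_clear()` is that the lower layer (802.1X in the slides) always sees exactly one of eapResp, eapNoResp, eapSuccess or eapFail asserted per delivered packet, which is what lets the two state machines be composed without ambiguity.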

8
EAP authenticator

9
Authenticator changes
  • Main changes since 01 (IETF 56)
      • Data flows shown in the diagram
      • Support switching to passthrough mode
      • Support for backend authenticator
      • Clarified interfaces to 802.1X

10
Authenticator lower layer interface
  • Similar to peer, except
      • Lower layer → EAP
          • eapSRTT, eapRTTVAR
      • EAP → Lower layer
          • eapTimeout (802.1aa needs to distinguish failure
            caused by timeout from failure caused by something
            else)
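
The eapSRTT/eapRTTVAR inputs and the eapTimeout output belong to the retransmission part of the authenticator. The following added Python example (mine, not the draft's) shows that slice: the lower layer's RTT estimate feeds the retransmission timeout, every expiry sends the same request again with a doubled timeout, and exhausting the retry budget reports eapTimeout, whereas a method-level rejection reports eapFail, which is the distinction 802.1aa asks for. The RFC 2988-style smoothing, the 3 s initial timeout, the clamps and the retry budget are assumptions the slide does not specify; the timestamps are constructed.

```python
from typing import Optional

MAX_RETRANS = 5                                   # assumption: a small retry budget
INITIAL_RTO, MIN_RTO, MAX_RTO = 3.0, 1.0, 60.0    # assumptions, in seconds

class RttEstimator:
    """eapSRTT / eapRTTVAR as the lower layer would report them (RFC 2988-style smoothing)."""
    def __init__(self):
        self.srtt: Optional[float] = None
        self.rttvar = 0.0
    def sample(self, rtt):
        if self.srtt is None:                     # first measurement seeds both estimators
            self.srtt, self.rttvar = rtt, rtt / 2
        else:
            self.rttvar = 0.75 * self.rttvar + 0.25 * abs(self.srtt - rtt)
            self.srtt = 0.875 * self.srtt + 0.125 * rtt

def calculate_timeout(retrans_count, srtt, rttvar, method_timeout=None):
    """Next retransWhile: SRTT + 4*RTTVAR, doubled per retry, clamped; a method may override it."""
    if method_timeout is not None:
        return method_timeout
    rto = INITIAL_RTO if srtt is None else srtt + 4 * rttvar
    return min(max(rto, MIN_RTO) * 2 ** retrans_count, MAX_RTO)

class AuthenticatorRetransmit:
    """The retransmission slice of the authenticator machine for one outstanding request."""
    def __init__(self, rtt, max_retrans=MAX_RETRANS):
        self.rtt, self.max_retrans = rtt, max_retrans
        self.current_req, self.sent_at, self.retrans_count = None, None, 0
        self.retrans_while = 0.0
        self.eapReq = self.eapTimeout = self.eapFail = False   # outputs toward the lower layer
    def send(self, req, now):
        self.current_req, self.sent_at, self.retrans_count = req, now, 0
        self.eapReq, self.eapTimeout, self.eapFail = True, False, False
        self.retrans_while = calculate_timeout(0, self.rtt.srtt, self.rtt.rttvar)
    def on_response(self, now):
        if self.retrans_count == 0:               # Karn: never sample RTT across a retransmission
            self.rtt.sample(now - self.sent_at)
        self.current_req, self.eapReq = None, False
        return "RESPONSE"
    def on_retrans_while_expired(self, now):
        if self.retrans_count >= self.max_retrans:
            # TIMEOUT_FAILURE: eapTimeout, not eapFail, so 802.1aa can tell the two apart
            self.current_req, self.eapReq, self.eapTimeout = None, False, True
            return "TIMEOUT_FAILURE"
        self.retrans_count += 1
        self.sent_at = now
        self.retrans_while = calculate_timeout(self.retrans_count, self.rtt.srtt, self.rtt.rttvar)
        self.eapReq = True                        # the same eapReqData goes out again
        return "RETRANSMIT"
    def on_method_failure(self):
        """The method rejected the peer: this is eapFail, not a timeout."""
        self.current_req, self.eapReq, self.eapFail = None, False, True
        return "FAILURE"

def demo():
    """Constructed timeline: one answered request seeds the RTT, the next is never answered."""
    rtt = RttEstimator()
    auth = AuthenticatorRetransmit(rtt, max_retrans=2)
    auth.send(b"request-1", now=0.0)
    auth.on_response(now=0.5)                     # SRTT 0.5 s, RTTVAR 0.25 s
    auth.send(b"request-2", now=1.0)
    waits, outcomes, now = [auth.retrans_while], [], 1.0
    while True:
        now += auth.retrans_while
        outcomes.append(auth.on_retrans_while_expired(now))
        if outcomes[-1] != "RETRANSMIT":
            break
        waits.append(auth.retrans_while)
    return {"waits": waits, "outcomes": outcomes,
            "eapTimeout": auth.eapTimeout, "eapFail": auth.eapFail}
```

In the demo the first wait is 0.5 + 4 × 0.25 = 1.5 s, then 3 s and 6 s, after which the third expiry ends in TIMEOUT_FAILURE with eapTimeout set and eapFail clear.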

11
Authenticator method interface
  • Much more complex than peer!
  • Reasons
      • Authenticator can propose multiple methods
      • Notifications

12
Passthrough
  • The passthrough virtual method converts EAP
    method signals to AAA protocol and back
  • Supports an authenticator that can authenticate
    some users locally

13
Backend
  • Differences in backend
      • Retransmissions done by passthrough
      • The conversation can start with an EAP Response
        packet (from the backend's point of view)
      • The backend adapter converts AAA protocol to
        EAP lower layer signals and back

14
Passthrough backend
[Diagram: passthrough and backend. Components: EAP method,
Method interface, Authenticator, Lower layer interface,
Lower layer, Backend adapter, Passthrough method,
AAA interface, AAA protocol]

15
Open issues
  • Degree of formalism
      • We have this notation "x = FOO | BAR", meaning
        that x is set either to FOO or BAR, the choice
        being determined by logic explained elsewhere.
      • On authenticator, many issues are hidden in
        Policy.update(..), Policy.isSatisfied(..) and
        Policy.getNextMethod() calls.
      • Maybe separate next method selection from other
        Policy stuff?

16
Open issues
  • Alignment with 2284bis
      • Lower layer indications
      • There will probably remain some cases where e.g.
        2284bis says SHOULD but the state machine does
        not support the other alternative

17
Next steps
  • Wait for 2284bis to be finished, and sync the
    state machine
  • Create text-only version of state machines for
    RFC publication
  • Try to clarify authenticator diagram
      • But still keep it on one page
  • Future uses of EAP and tunnels?