RFC Errata
RFC 5247, "Extensible Authentication Protocol (EAP) Key Management Framework", August 2008
Note: This RFC has been updated by RFC 8940
Source of RFC: eap (int)
Errata ID: 1711
Status: Held for Document Update
Type: Editorial
Publication Format(s) : TEXT
Reported By: Yoshihiro Ohba
Date Reported: 2008-12-20
Held for Document Update by: Brian Haberman
Date Held: 2009-03-11
Section 4 says:
EAP pre-authentication

In EAP pre-authentication, an EAP peer pre-establishes EAP keying material with an authenticator prior to arrival. EAP pre-authentication only affects the timing of EAP authentication, but does not shorten or eliminate EAP (phase 1a) or AAA (phase 1b) exchanges; Discovery (phase 0) and Secure Association Protocol (phase 2) exchanges occur as described in Section 1.3. As a result, the primary benefit is to enable EAP authentication to be removed from the handoff critical path, thereby reducing latency. Use of EAP pre-authentication within IEEE 802.11 is described in [IEEE-802.11] and [8021XPreAuth].

Proactive key distribution

In proactive key distribution, keying material and authorizations are transported from the backend authentication server to a candidate authenticator in advance of a handoff. As a result, EAP (phase 1a) is not needed, but the Discovery (phase 0), and Secure Association Protocol exchanges (phase 2) are still necessary. Within the AAA exchange (phase 1b), authorization and key distribution functions are typically supported, but not authentication. Proactive key distribution is described in [MishraPro], [IEEE-03-084], and [HANDOFF].
It should say:
Move the reference 8021XPreAuth to the second paragraph.
Notes:
The reference [8021XPreAuth] describes a mechanism in which EAP authentication happens only once with the serving authenticator, i.e., one EAP authentication with the serving authenticator generates multiple MSKs that are distributed to the serving authenticator and target authenticator, and there is no additional EAP authentication performed between the peer and target authenticator. This does not match the definition of pre-authentication as described by the first paragraph; hence the reference should be moved to the second paragraph.