Found 2 records.

Status: Held for Document Update (1)

RFC5247, "Extensible Authentication Protocol (EAP) Key Management Framework", August 2008

Source of RFC: eap (int)

Errata ID: 1711

Status: Held for Document Update
Type: Editorial

Reported By: Yoshihiro Ohba
Date Reported: 2008-12-20
Held for Document Update by: Brian Haberman
Date Held: 2009-03-11

Section 4 says:

   EAP pre-authentication
      In EAP pre-authentication, an EAP peer pre-establishes EAP keying
      material with an authenticator prior to arrival.  EAP
      pre-authentication only affects the timing of EAP authentication,
      but does not shorten or eliminate EAP (phase 1a) or AAA (phase 1b)
      exchanges;  Discovery (phase 0) and Secure Association Protocol
      (phase 2) exchanges occur as described in Section 1.3.  As a
      result, the primary benefit is to enable EAP authentication to be
      removed from the handoff critical path, thereby reducing latency.
      Use of EAP pre-authentication within IEEE 802.11 is described in
      [IEEE-802.11] and [8021XPreAuth].

   Proactive key distribution
      In proactive key distribution, keying material and authorizations
      are transported from the backend authentication server to a
      candidate authenticator in advance of a handoff.  As a result, EAP
      (phase 1a) is not needed, but the Discovery (phase 0), and Secure
      Association Protocol exchanges (phase 2) are still necessary.
      Within the AAA exchange (phase 1b), authorization and key
      distribution functions are typically supported, but not
      authentication.  Proactive key distribution is described in
      [MishraPro], [IEEE-03-084], and [HANDOFF].


It should say:

Move the reference 8021XPreAuth to the second paragraph.

Notes:

The reference [8021XPreAuth] describes a mechanism in which EAP
authentication happens only once with the serving authenticator, i.e.,
one EAP authentication with the serving authenticator generates
multiple MSKs that are distributed to the serving authenticator and the target
authenticator, and there is no additional EAP authentication
performed between peer and target authenticator. This does not match
the definition of pre-authentication as described by the first paragraph;
hence the reference should be moved to the second paragraph.


Status: Rejected (1)

RFC5247, "Extensible Authentication Protocol (EAP) Key Management Framework", August 2008

Source of RFC: eap (int)

Errata ID: 1642

Status: Rejected
Type: Editorial

Reported By: Yoshihiro Ohba
Date Reported: 2008-12-20
Rejected by: Jari Arkko
Date Rejected: 2009-03-11

Section 4 says:

   EAP pre-authentication
      In EAP pre-authentication, an EAP peer pre-establishes EAP keying
      material with an authenticator prior to arrival.  EAP
      pre-authentication only affects the timing of EAP authentication,
      but does not shorten or eliminate EAP (phase 1a) or AAA (phase 1b)
      exchanges;  Discovery (phase 0) and Secure Association Protocol
      (phase 2) exchanges occur as described in Section 1.3.  As a
      result, the primary benefit is to enable EAP authentication to be
      removed from the handoff critical path, thereby reducing latency.
      Use of EAP pre-authentication within IEEE 802.11 is described in
      [IEEE-802.11] and [8021XPreAuth].

   Proactive key distribution
      In proactive key distribution, keying material and authorizations
      are transported from the backend authentication server to a
      candidate authenticator in advance of a handoff.  As a result, EAP
      (phase 1a) is not needed, but the Discovery (phase 0), and Secure
      Association Protocol exchanges (phase 2) are still necessary.
      Within the AAA exchange (phase 1b), authorization and key
      distribution functions are typically supported, but not
      authentication.  Proactive key distribution is described in
      [MishraPro], [IEEE-03-084], and [HANDOFF].


It should say:

   EAP pre-authentication
      In EAP pre-authentication, an EAP peer pre-establishes EAP 
      keying material with an authenticator through which the peer has
      routed the EAP authentication prior to arrival.  EAP
      pre-authentication only affects the timing of EAP 
      authentication, but does not shorten or eliminate EAP (phase 1a)
      or AAA (phase 1b) exchanges through the authenticator.
      Discovery (phase 0) and Secure Association Protocol (phase 2)
      exchanges occur as described in Section 1.3.  As a result, the
      primary benefit is to enable EAP authentication to be removed
      from the handoff critical path, thereby reducing latency.  Use
      of EAP pre-authentication within IEEE 802.11 is described in
      [IEEE-802.11].

   Proactive key distribution
      In proactive key distribution, keying material and authorizations
      are transported from the backend authentication server to a
      candidate authenticator in advance of a handoff.  As a result, EAP
      (phase 1a) is not needed, but the Discovery (phase 0), and Secure
      Association Protocol exchanges (phase 2) are still necessary.
      Within the AAA exchange (phase 1b), authorization and key
      distribution functions are typically supported, but not
      authentication.  Proactive key distribution is described in
      [MishraPro], [IEEE-03-084], [HANDOFF] and [8021XPreAuth].

Notes:

The EAP pre-authentication definition should be clearer that an EAP peer
runs EAP authentication through the target authenticator before EAP keying
material is pre-established with the target authenticator prior to arrival.
--VERIFIER NOTES--
Discussion between EAP and HOKEY chairs and the ADs revealed that this is not an appropriate change.
