RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 5247, "Extensible Authentication Protocol (EAP) Key Management Framework", August 2008

Source of RFC: eap (int)

Errata ID: 1642
Status: Rejected
Type: Editorial
Publication Format(s) : TEXT

Reported By: Yoshihiro Ohba
Date Reported: 2008-12-20
Rejected by: Jari Arkko
Date Rejected: 2009-03-11

Section 4 says:

   EAP pre-authentication
      In EAP pre-authentication, an EAP peer pre-establishes EAP keying
      material with an authenticator prior to arrival.  EAP
      pre-authentication only affects the timing of EAP authentication,
      but does not shorten or eliminate EAP (phase 1a) or AAA (phase 1b)
      exchanges;  Discovery (phase 0) and Secure Association Protocol
      (phase 2) exchanges occur as described in Section 1.3.  As a
      result, the primary benefit is to enable EAP authentication to be
      removed from the handoff critical path, thereby reducing latency.
      Use of EAP pre-authentication within IEEE 802.11 is described in
      [IEEE-802.11] and [8021XPreAuth].

   Proactive key distribution
      In proactive key distribution, keying material and authorizations
      are transported from the backend authentication server to a
      candidate authenticator in advance of a handoff.  As a result, EAP
      (phase 1a) is not needed, but the Discovery (phase 0), and Secure
      Association Protocol exchanges (phase 2) are still necessary.
      Within the AAA exchange (phase 1b), authorization and key
      distribution functions are typically supported, but not
      authentication.  Proactive key distribution is described in
      [MishraPro], [IEEE-03-084], and [HANDOFF].


It should say:

   EAP pre-authentication
      In EAP pre-authentication, an EAP peer pre-establishes EAP 
      keying material with an authenticator through which the peer has
      routed the EAP authentication prior to arrival.  EAP
      pre-authentication only affects the timing of EAP 
      authentication, but does not shorten or eliminate EAP (phase 1a)
      or AAA (phase 1b) exchanges through the authenticator.
      Discovery (phase 0) and Secure Association Protocol (phase 2)
      exchanges occur as described in Section 1.3.  As a result, the
      primary benefit is to enable EAP authentication to be removed
      from the handoff critical path, thereby reducing latency.  Use
      of EAP pre-authentication within IEEE 802.11 is described in
      [IEEE-802.11].

   Proactive key distribution
      In proactive key distribution, keying material and authorizations
      are transported from the backend authentication server to a
      candidate authenticator in advance of a handoff.  As a result, EAP
      (phase 1a) is not needed, but the Discovery (phase 0), and Secure
      Association Protocol exchanges (phase 2) are still necessary.
      Within the AAA exchange (phase 1b), authorization and key
      distribution functions are typically supported, but not
      authentication.  Proactive key distribution is described in
      [MishraPro], [IEEE-03-084], [HANDOFF] and [8021XPreAuth].

Notes:

The EAP pre-authentication definition should be more clear that an EAP peer
runs EAP authentication through the target authenticator before EAP keying material will be pre-established with the target authenticator prior to arrival.
--VERIFIER NOTES--
Discussion between EAP and HOKEY chairs and the ADs revealed that this is not an appropriate change.

Report New Errata