RFC Errata
RFC 5247, "Extensible Authentication Protocol (EAP) Key Management Framework", August 2008
Note: This RFC has been updated by RFC 8940
Source of RFC: eap (int)
Errata ID: 1642
Status: Rejected
Type: Editorial
Publication Format(s): TEXT
Reported By: Yoshihiro Ohba
Date Reported: 2008-12-20
Rejected by: Jari Arkko
Date Rejected: 2009-03-11
Section 4 says:
EAP pre-authentication
   In EAP pre-authentication, an EAP peer pre-establishes EAP keying material with an authenticator prior to arrival. EAP pre-authentication only affects the timing of EAP authentication, but does not shorten or eliminate EAP (phase 1a) or AAA (phase 1b) exchanges; Discovery (phase 0) and Secure Association Protocol (phase 2) exchanges occur as described in Section 1.3. As a result, the primary benefit is to enable EAP authentication to be removed from the handoff critical path, thereby reducing latency. Use of EAP pre-authentication within IEEE 802.11 is described in [IEEE-802.11] and [8021XPreAuth].
Proactive key distribution
   In proactive key distribution, keying material and authorizations are transported from the backend authentication server to a candidate authenticator in advance of a handoff. As a result, EAP (phase 1a) is not needed, but the Discovery (phase 0), and Secure Association Protocol exchanges (phase 2) are still necessary. Within the AAA exchange (phase 1b), authorization and key distribution functions are typically supported, but not authentication. Proactive key distribution is described in [MishraPro], [IEEE-03-084], and [HANDOFF].
It should say:
EAP pre-authentication
   In EAP pre-authentication, an EAP peer pre-establishes EAP keying material with an authenticator through which the peer has routed the EAP authentication prior to arrival. EAP pre-authentication only affects the timing of EAP authentication, but does not shorten or eliminate EAP (phase 1a) or AAA (phase 1b) exchanges through the authenticator. Discovery (phase 0) and Secure Association Protocol (phase 2) exchanges occur as described in Section 1.3. As a result, the primary benefit is to enable EAP authentication to be removed from the handoff critical path, thereby reducing latency. Use of EAP pre-authentication within IEEE 802.11 is described in [IEEE-802.11].
Proactive key distribution
   In proactive key distribution, keying material and authorizations are transported from the backend authentication server to a candidate authenticator in advance of a handoff. As a result, EAP (phase 1a) is not needed, but the Discovery (phase 0), and Secure Association Protocol exchanges (phase 2) are still necessary. Within the AAA exchange (phase 1b), authorization and key distribution functions are typically supported, but not authentication. Proactive key distribution is described in [MishraPro], [IEEE-03-084], [HANDOFF] and [8021XPreAuth].
Notes:
The EAP pre-authentication definition should be more clear that an EAP peer runs EAP authentication through the target authenticator before EAP keying material will be pre-established with the target authenticator prior to arrival.
--VERIFIER NOTES--
Discussion between EAP and HOKEY chairs and the ADs revealed that this is not an appropriate change.