RFC Errata


RFC 5247, "Extensible Authentication Protocol (EAP) Key Management Framework", August 2008

Source of RFC: eap (int)

Errata ID: 1711
Status: Held for Document Update
Type: Editorial
Publication Format(s) : TEXT

Reported By: Yoshihiro Ohba
Date Reported: 2008-12-20
Held for Document Update by: Brian Haberman
Date Held: 2009-03-11

Section 4 says:

   EAP pre-authentication
      In EAP pre-authentication, an EAP peer pre-establishes EAP keying
      material with an authenticator prior to arrival.  EAP
      pre-authentication only affects the timing of EAP authentication,
      but does not shorten or eliminate EAP (phase 1a) or AAA (phase 1b)
      exchanges;  Discovery (phase 0) and Secure Association Protocol
      (phase 2) exchanges occur as described in Section 1.3.  As a
      result, the primary benefit is to enable EAP authentication to be
      removed from the handoff critical path, thereby reducing latency.
      Use of EAP pre-authentication within IEEE 802.11 is described in
      [IEEE-802.11] and [8021XPreAuth].

   Proactive key distribution
      In proactive key distribution, keying material and authorizations
      are transported from the backend authentication server to a
      candidate authenticator in advance of a handoff.  As a result, EAP
      (phase 1a) is not needed, but the Discovery (phase 0), and Secure
      Association Protocol exchanges (phase 2) are still necessary.
      Within the AAA exchange (phase 1b), authorization and key
      distribution functions are typically supported, but not
      authentication.  Proactive key distribution is described in
      [MishraPro], [IEEE-03-084], and [HANDOFF].

It should say:

Move the reference 8021XPreAuth to the second paragraph.


The reference [8021XPreAuth] describes a mechanism in which EAP
authentication happens only once with the serving authenticator, i.e.,
one EAP authentication with the serving authenticator generates
multiple MSKs, which are distributed to the serving authenticator and the
target authenticator, and no additional EAP authentication is
performed between the peer and the target authenticator. This does not match
the definition of pre-authentication as described by the first paragraph;
hence the reference should be moved to the second paragraph.
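The distinction the erratum turns on, whether the peer ever runs EAP with the target authenticator, and which phases stay on the handoff critical path in each case, can be made concrete with a small model. The following Python is an added illustration; it is not code from RFC 5247, from the erratum, or from any IEEE 802.11 implementation. The key hierarchy (a per-run root key, per-authenticator MSKs and a session key, all derived with labelled HMAC-SHA256), the identifiers `ap-serving` and `ap-target`, and the scheme names `none`, `pre-authentication` and `proactive` are assumptions of the model, not the RFC's or 802.11's actual derivations.

```python
"""Toy model of the handoff optimisations in RFC 5247 Section 4 (added
illustration, not RFC or 802.11 code). HMAC-SHA256 with labels stands in
for the EAP method's MSK derivation and the Secure Association Protocol's
session-key derivation; this is a modelling assumption only."""
from __future__ import annotations

import hashlib
import hmac
import os


def kdf(secret: bytes, *labels: str) -> bytes:
    """Deterministic derivation shared by peer and server (model stand-in)."""
    return hmac.new(secret, "|".join(labels).encode(), hashlib.sha256).digest()


class AAAServer:
    """Backend authentication server: phase 1a (EAP) and phase 1b (AAA)."""

    def __init__(self, credentials: dict[str, bytes]):
        self.credentials = credentials   # peer id -> long-term secret
        self.roots = {}                  # peer id -> root from the last EAP run

    def eap_authenticate(self, peer_id: str, nonce: bytes, proof: bytes) -> None:
        """Phase 1a: verify the peer's proof of possession of its secret."""
        expected = kdf(self.credentials[peer_id], "eap-proof", nonce.hex())
        if not hmac.compare_digest(proof, expected):
            raise PermissionError("EAP authentication failed")
        self.roots[peer_id] = kdf(self.credentials[peer_id], "root", nonce.hex())

    def msk_for(self, peer_id: str, authenticator_id: str) -> bytes:
        """Phase 1b: keying material for one authenticator; no authentication."""
        return kdf(self.roots[peer_id], "msk", authenticator_id)


class Authenticator:
    def __init__(self, ident: str):
        self.ident = ident
        self.msk = {}   # peer id -> MSK received from the AAA server


class Peer:
    def __init__(self, ident: str, secret: bytes):
        self.ident, self.secret = ident, secret
        self.root = None
        self.msk = {}        # authenticator id -> MSK
        self.eap_runs = []   # authenticators this peer ran EAP with

    def run_eap(self, server: AAAServer, auth: Authenticator) -> None:
        """Phases 1a + 1b with `auth`: a complete EAP exchange."""
        nonce = os.urandom(16)
        server.eap_authenticate(self.ident, nonce, kdf(self.secret, "eap-proof", nonce.hex()))
        self.root = kdf(self.secret, "root", nonce.hex())
        self.eap_runs.append(auth.ident)
        auth.msk[self.ident] = server.msk_for(self.ident, auth.ident)
        self.msk[auth.ident] = kdf(self.root, "msk", auth.ident)


def proactive_key_distribution(server: AAAServer, peer: Peer, candidate: Authenticator) -> None:
    """Phase 1b only: the server pushes an MSK for `candidate`; the peer derives
    the same MSK from the root of its one earlier EAP run. No EAP with `candidate`."""
    candidate.msk[peer.ident] = server.msk_for(peer.ident, candidate.ident)
    peer.msk[candidate.ident] = kdf(peer.root, "msk", candidate.ident)


def secure_association(peer: Peer, auth: Authenticator) -> tuple[bytes, bytes]:
    """Phase 2: each side derives a session key from its own copy of the MSK."""
    a_nonce, p_nonce = os.urandom(16).hex(), os.urandom(16).hex()
    ptk_auth = kdf(auth.msk[peer.ident], "ptk", a_nonce, p_nonce)
    ptk_peer = kdf(peer.msk[auth.ident], "ptk", a_nonce, p_nonce)
    return ptk_auth, ptk_peer


def simulate(scheme: str) -> dict:
    """Attach to a serving authenticator, then hand off to a target using
    `scheme` ("none", "pre-authentication" or "proactive"). Reports the phases
    that run after arrival at the target and whether EAP was run with it."""
    secret = os.urandom(32)   # constructed long-term credential for the model
    server, peer = AAAServer({"p": secret}), Peer("p", secret)
    serving, target = Authenticator("ap-serving"), Authenticator("ap-target")

    peer.run_eap(server, serving)        # initial attach: phases 1a/1b ...
    secure_association(peer, serving)    # ... and phase 2

    if scheme == "pre-authentication":
        peer.run_eap(server, target)     # full EAP with the target, before arrival
    elif scheme == "proactive":
        proactive_key_distribution(server, peer, target)
    elif scheme != "none":
        raise ValueError(scheme)

    critical_path = ["discovery"]        # phase 0 always follows arrival
    if scheme == "none":
        peer.run_eap(server, target)     # phases 1a/1b land on the critical path
        critical_path += ["eap", "aaa"]
    ptk_auth, ptk_peer = secure_association(peer, target)
    critical_path.append("secure_association")
    return {
        "critical_path": critical_path,
        "eap_with_target": target.ident in peer.eap_runs,
        "keys_match": hmac.compare_digest(ptk_auth, ptk_peer),
    }
```

Both optimised schemes leave only Discovery and the Secure Association Protocol on the critical path, which is why the RFC text says pre-authentication changes only the timing of EAP. They differ in `eap_with_target`: pre-authentication records a second EAP run, with the target; proactive key distribution records none, and the target's MSK comes from the single EAP run with the serving authenticator, which is the behaviour the reporter attributes to [8021XPreAuth].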
