EAP State Machines (draft-vollbrecht-eap-state-04.txt,ps)


1 EAP State Machines (draft-vollbrecht-eap-state-04.txt,ps)
John Vollbrecht, Pasi Eronen, Nick Petroni, Yoshihiro Ohba
July 14, 2003 EAP WG, IETF 57

2 Introduction
- State machines for
  - EAP peer
  - EAP authenticator
    - Including special cases for passthrough and backend authenticator
- Goals
  - Make understanding 2284bis easier
  - Work together with 802.1X state machines

3 Status
- Lot of progress since –01 (IETF 56)
- Version –03 incorporated as informative Annex in IEEE P802.1aa draft 6.1
- "Pre-alpha" implementation by Yoshihiro Ohba for Open Diameter project

4 EAP peer

5 Peer changes
- Main changes since –01 (IETF 56)
  - Data flows shown in the diagram (main source of size increase)
  - Silently discard packets that should not occur (main source of complexity)
  - Clarified interfaces to 802.1X

6 Peer lower layer interface
- Lower layer → EAP
  - portEnabled, eapRestart
  - eapReq + eapReqData
  - altAccept / altReject
  - idleWhile (timer)
- EAP → lower layer
  - eapResp + eapRespData
  - eapNoResp
  - eapSuccess + eapKeyAvailable + eapKeyData
  - eapFail

7 Peer method interface
- EAP → Method
  - eapReqData
- Method → EAP
  - intCheck (boolean)
  - methodState ∈ {CONT, MAY_CONT, DONE}
  - decision ∈ {FAIL, COND_SUCC, UNCOND_SUCC}
  - allowNotifications (boolean)
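
Added example, not from the slides or the draft authors: how a peer can use methodState and decision to handle a received EAP Success or Failure, including the silent discard listed under "Peer changes". The transition conditions follow the peer state machine as later published in RFC 4137, not this slide deck; the function name, the verdict enum and the -1 "no previous Request" value are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Method outputs named on the "Peer method interface" slide. */
enum method_state { CONT, MAY_CONT, DONE };
enum decision { FAIL, COND_SUCC, UNCOND_SUCC };
/* EAP packet codes for the two final packets. */
enum eap_code { EAP_SUCCESS = 3, EAP_FAILURE = 4 };
/* Assumed names for the three outcomes of this check. */
enum verdict { V_DISCARD, V_SUCCESS, V_FAILURE };

/* last_id: Identifier of the last Request answered, -1 if none (assumed). */
enum verdict peer_final_packet(enum eap_code code, uint8_t req_id, int last_id,
                               enum method_state ms, enum decision d)
{
    bool rx_success = (code == EAP_SUCCESS);
    bool rx_failure = (code == EAP_FAILURE);

    /* A final packet must echo the Identifier of the last Request. */
    if (last_id < 0 || req_id != last_id)
        return V_DISCARD;
    /* Success counts only if the method did not decide FAIL. */
    if (rx_success && d != FAIL)
        return V_SUCCESS;
    /* Failure is honoured only once the method may end (not CONT) and
     * has not already committed to unconditional success. */
    if (ms != CONT &&
        ((rx_failure && d != UNCOND_SUCC) || (rx_success && d == FAIL)))
        return V_FAILURE;
    /* Everything else "should not occur" and is silently dropped. */
    return V_DISCARD;
}

int main(void)
{
    /* Constructed case: unauthenticated Success injected mid-method. */
    enum verdict v = peer_final_packet(EAP_SUCCESS, 7, 7, CONT, FAIL);
    printf("spoofed Success mid-method -> %s\n",
           v == V_DISCARD ? "discard" : "accepted");
    return 0;
}
```

Because Success and Failure packets carry no integrity protection of their own, the method's decision output is what keeps a forged one from ending or completing the conversation.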

8 EAP authenticator

9 Authenticator changes
- Main changes since –01 (IETF 56)
  - Data flows shown in the diagram
  - Support switching to passthrough mode
  - Support for backend authenticator
  - Clarified interfaces to 802.1X

10 Authenticator lower layer if.
- Similar to peer, except…
- Lower layer → EAP
  - eapSRTT + eapRTTVAR
- EAP → Lower layer
  - eapTimeout (802.1aa needs to distinguish failure caused by timeout and failure caused by something else)

11 Authenticator method if.
- Much more complex than peer!
- Reasons:
  - Authenticator can propose multiple methods
  - Notifications

12 Passthrough
- The passthrough "virtual method" converts EAP method signals to AAA protocol and back
- Supports an authenticator that can authenticate some users locally

13 Backend
- Differences in backend
  - Retransmissions done by passthrough
  - The conversation can start with an EAP Response packet (from backend's point of view)
- The "backend adapter" converts AAA protocol to EAP lower layer signals and back

14 Passthrough & backend
[Diagram; labels: EAP method, Method interface, Authenticator, Lower layer interface, Lower layer, Passthrough "method", Backend adapter, AAA interface, AAA protocol]

15 Open issues
- Degree of formalism
  - We have this notation "x = FOO | BAR", meaning that x is set either to FOO or BAR, the choice being determined by logic explained elsewhere.
  - On authenticator, many issues are hidden in Policy.update(..), Policy.isSatisfied(..) and Policy.getNextMethod() calls.
    - Maybe separate "next method selection" from other Policy stuff?

16 Open issues
- Alignment with 2284bis
  - There will probably remain some cases where e.g. 2284bis says "SHOULD" but the state machine does not support the other alternative
- Lower layer indications

17 Next steps
- Wait for 2284bis to be finished, and sync the state machine
- Create text-only version of state machines for RFC publication
- Try to clarify authenticator diagram
  - But still keep it on one page…
- Future uses of EAP and tunnels?

