WDIFF

draft-aboba-pppext-eapgss-00.txt --> draft-aboba-pppext-eapgss-02.txt

Network Working Group Bernard Aboba
INTERNET-DRAFT Microsoft
Category: Standards Track
<draft-aboba-pppext-eapgss-00.txt>
1 December 1999
Expires: August 1, Experimental
<draft-aboba-pppext-eapgss-02.txt>
21 November 2000

PPP

EAP GSS Authentication Protocol

1. Status of this Memo

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.

This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, and
its working groups. Note that other groups may also distribute working
documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference material
or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe),
ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim),
ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

The distribution of this memo is unlimited.

2. Copyright Notice

3. Abstract

The Point-to-Point Protocol (PPP) provides a standard method for
transporting multi-protocol datagrams over point-to-point links. PPP
also defines an extensible Link Control Protocol (LCP), which can be
used to negotiate authentication methods, as well as an Encryption

Aboba Standards Track [Page 1]

INTERNET-DRAFT PPP EAP GSS Authentication Protocol 1 December 1999

Control Protocol (ECP), used to negotiate data encryption over PPP
links, and a Compression Control Protocol (CCP), used to negotiate
compression methods. The Extensible Authentication Protocol (EAP) provides a standard
mechanism for support of additional authentication methods within PPP. layer
2 protocols, including PPP and IEEE 802.1X. Through the use of EAP,
support for a number of authentication schemes may be added, including
public key, smart cards, Kerberos,
Public Key, One Time Passwords, and others.

It is desirable to support GSS_API GSS-API authentication methods within EAP,
since this permits developers creating GSS_API GSS-API compliant authentication
methods to leverage their development efforts. This document describes
how EAP-GSS, which includes support for fragmentation and reassembly,
supports the use of GSS_API GSS-API mechanisms within EAP. GSS_API GSS-API provides for
the negotiation of authentication methods through use of the SPNEGO
mechanism. As a result, any GSS_API GSS-API mechanism supported by SPNEGO and

Aboba Experimental [Page 1]

INTERNET-DRAFT EAP GSS Authentication Protocol 21 November 2000

providing initial authentication can be used with EAP-GSS. EAP-GSS, including
IAKERB.

4. Introduction

The Point-to-Point Protocol (PPP), described in [1], provides a standard
method for transporting multi-protocol datagrams over point-to-point
links. PPP also defines an extensible Link Control Protocol (LCP) [3],
which can be used to negotiate authentication methods, as well as an
Encryption Control Protocol (ECP) [6], used to negotiate data encryption
over PPP links, and a Compression Control Protocol (CCP) [13], used to
negotiate compression methods. The Extensible Authentication Protocol (EAP) [5], [5] provides a standard
mechanism for support of additional authentication methods within PPP. layer
2 protocols, including PPP [1] and IEEE 802.1X [27]. Through the use of
EAP, support for a number of authentication schemes may be added,
including public key [12], smart cards, Kerberos, One Time Passwords,
and others.

It is desirable to support GSS_API GSS-API authentication methods within EAP,
since this permits developers creating GSS_API GSS-API compliant authentication
methods to leverage their development efforts. This document describes
how EAP-GSS, which includes support for fragmentation and reassembly,
supports the use of GSS_API GSS-API mechanisms within EAP. GSS_API, GSS-API, described
in [15], provides for the negotiation of authentication methods through
use of the SPNEGO mechanism, described in [20]. [19]. As a result, any GSS_API GSS-API
mechanism supported by SPNEGO and providing initial authentication can
be used with EAP-GSS. EAP-GSS, including IAKERB [18].

4.1. Requirements language

In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
"recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as
described in [11].

Aboba Standards Track [Page 2]

INTERNET-DRAFT PPP EAP GSS Authentication Protocol 1 December 1999

5. Protocol overview

5.1. Overview of the EAP-GSS conversation

As described in [5], the EAP-GSS conversation will typically begin with
the authenticator and the peer negotiating EAP. The authenticator will
then typically send an EAP-Request/Identity packet to the peer, and the
peer will respond with an EAP-Response/Identity packet to the
authenticator, containing the peer's userId. user-Id.

>From this point forward, while nominally here on, the EAP EAP-GSS conversation occurs
between the PPP authenticator and may proceed in one of two ways.
In the peer, first mode, the authenticator MAY act peer acts as
a passthrough device, with the EAP packets received from GSS-API initiator, and the peer being
encapsulated for transmission to a RADIUS EAP
server or backend security
server. acts as the GSS-API target. In the discussion that follows, we will use second mode, which shortens
the term "EAP
server" to denote conversation by one round-trip, the ultimate endpoint conversing with EAP server acts as the peer. GSS-API
initiator, and the peer acts as the GSS-API target. We discuss each mode
in turn.

5.1. EAP server as GSS-API initiator

Once having received the peer's Identity, the EAP server MUST respond responds with
an EAP-GSS/Start packet, which is an EAP-Request packet of EAP-Type=EAP-GSS.

Aboba Experimental [Page 2]

INTERNET-DRAFT EAP GSS Authentication Protocol 21 November 2000

If the EAP server knows the GSS-API method to be used with EAP-
Type=EAP-GSS, the Start (S) bit set, peer a-
priori, and no data. The EAP-GSS
conversation will that GSS-API method can be initiated by the EAP Server, then begin,
the EAP server MAY act as a GSS-API initiator with the peer sending an EAP-Response
packet with EAP-Type=EAP-GSS. The data field of that packet will
encapsulate acting as a GSS_API token.

The
GSS-API target. Since the EAP server will then respond with cannot know whether it can act as
initiator if the GSS-API method is to be negotiated, in this case the
method must be selected a-priori and SPNEGO MUST NOT be used.

To initiate the conversation, the EAP-Server sends an EAP-Request packet
with EAP-
Type=EAP-GSS. EAP-Type=EAP-GSS. The data field of this the packet will encapsulate a GSS_API
token.

Note that a client with valid GSS_API credentials may chose to reuse
those credentials
GSS-API token, created as part of the GSS_API authentication. This allows for
improved efficiency in the case where a client repeatedly attempts to
authentication to an EAP server within a short period result of time. This may
have application in cases such as multilink authentication.

As a result, it is left up call to GSS_Init_sec_context ().
In this case mutual authentication MUST be requested (otherwise the peer whether to attempt
would not be authenticated to reuse
credentials, thus shortening the EAP-GSS conversation. Typically authenticator!) so that the
peer's decision will be made based on the time elapsed since
mutual_req_flag is set and the
previous authentication attempt call to that EAP server. Based on the
expiration time of GSS_Init_sec-context() returns
GSS_S_CONTINUE_NEEDED status.

When it receives the credentials, EAP-Request, the EAP server peer will decide whether
to allow the reuse.

In de-capsulate the case where
received GSS-API token within the EAP server EAP-GSS frame, and authenticator reside on the same
device, then client will only be able to reuse credentials when
connecting pass it as the
input_token parameter to GSS_Accept_sec_context(). If
GSS_Accept_sec_context indicates GSS_S_COMPLETE status, then the same NAS or tunnel server. Should these devices be set
up
authenticator has been authenticated by the peer, and the
authenticator's indicated identity is provided in a rotary or round-robin then it may not be possible for the peer src_name result,
along with an output_token to be encapsulated within an EAP-Response
packet with EAP-Type=EAP-GSS, and passed back to know in advance the authenticator it EAP-Server.

The EAP server will be connecting to, then de-capsulate the GSS-API token within the EAP-
Response message and
therefore which credentials pass it as the input_token parameter to attempt
GSS_Init_sec_context(). If the call returns GSS_S_COMPLETE status, then
the peer has been authenticated to reuse. As a result, it is
likely that the reuse attempt will fail. In EAP-Server, then the case where EAP-Server
responds with an EAP-Success message. If GSS_S_CONTINUE_NEEDED status
is returned, then the EAP Server encapsulates the returned output_token
with an EAP-Request packet of EAP-Type=EAP-GSS, and pass this back to
the peer.

Aboba Standards Track Experimental [Page 3]

INTERNET-DRAFT PPP EAP GSS Authentication Protocol 1 December 1999

authentication is remoted then reuse 21 November 2000

The conversation (which can require as few as 2.5 round trips) appears
as follows:

Peer Authenticator
------ -------------
EAP/Identity
<-------Request
EAP/Identity
Response -------->

GSS_Init_sec_context(mutual_req_flag)
returns GSS_S_CONTINUE_NEEDED,
output_token

<--------EAP Request
EAP-GSS
output_token

GSS_Accept_sec_context(input_token)
returns GSS_S_COMPLETE,
output_token
EAP Response
EAP-GSS
output_token -------->
GSS_Init_sec_context(input_token)
returns GSS_S_COMPLETE

<--------EAP Success

5.2. Peer as GSS-API initiator

If the EAP server is much more likely prepared to be
successful, since multiple NAS devices and tunnel servers will remote
their allow negotiation of the GSS-API method
via SPNEGO [19], or if the EAP authentications server knows the GSS-API method to be
used, but cannot initiate it (e.g. IAKERB, Kerberos V), then the same RADIUS server.

If peer
MUST act as a GSS-API initiator, with the EAP server authenticates successfully, acting as the peer GSS-
API target.

In this case, the EAP server MUST send respond with an EAP-
Response EAP-GSS/Start packet,
which is an EAP-Request packet of with EAP-Type=EAP-GSS, the Start (S) bit
set, and no data. The EAP-Server per then
MUST respond with an EAP-Success message.

5.2. Retry behavior

As calls GSS_Init_sec_context(), typically
with other EAP protocols, the EAP server is responsible for retry
behavior. This means mutual authentication requested so that if the EAP server does not receive a reply
from the peer, it MUST resend mutual_req_flag is set
and the EAP-Request for which it has not yet
received call returns GSS_S_CONTINUE_NEEDED status. The output_token is
then encapsulated within an EAP-Response. However, the peer MUST NOT resend EAP-Response
packets without first being prompted by the EAP server.

For example, if the initial EAP-GSS start packet with EAP-Type=EAP-GSS
and sent by to the EAP server
were authenticator. If method negotiation is to be lost, used,
then an initial negotiation toekn for the peer would not receive this packet, Simple and would
not respond to it. As Protected GSS-API
Negotiation Mechanism (SPNEGO) [19] is transferred. This contains an
ordered list of mechanisms, a result, the EAP-GSS start packet would set of options that should be resent supported by
the selected mechanism and the initial security token for the mechanism

Aboba Experimental [Page 4]

INTERNET-DRAFT EAP server. Once GSS Authentication Protocol 21 November 2000

preferred by the peer received peer. The inclusion of the EAP-GSS start packet, it
would send an EAP-Response encapsulating initial security token for
the client_hello message. If preferred method saves a round-trip, assuming that the EAP-Response were authenticator
agrees to be lost, then the preferred mechanism.

The EAP server would resend then de-capsulates the
initial EAP-GSS start, and GSS-API token contained within the peer would resend
EAP-Response of EAP-Type=EAP-GSS and uses this as the EAP-Response.

As a result, it is possible that input_token
parameter to a peer call to GSS_Accept_sec_context(). The output_token
parameter will receive duplicate EAP-
Request messages, then contain a token, containing the result of the
negotiation and may send duplicate EAP-Responses. Both in the peer case of accept, the agreed security mechanism and
the EAP-Server should be engineered response to handle this possibility.

5.3. Fragmentation

It is possible that EAP-GSS messages may exceed the PPP MTU size, the
maximum RADIUS packet size of 4096 octets, or even the Multilink
Maximum Received Reconstructed Unit (MRRU). As initial security token as described in [2], the
multilink MRRU [19]. This
token is negotiated via the Multilink MRRU LCP option, which
includes then encapsulated within an MRRU length field EAP-Request packet of two octets, and thus can support MRRUs
as large as 64 KB.

However, note that in order EAP-Type=GSS-
API, which is sent to protect against reassembly lockup the peer. This occurs whether the call completed
with GSS_S_CONTINUE_NEEDED status or GSS_S_COMPLETE status.

The peer then de-capsulates the GSS-API token contained within the EAP-
Request packet with EAP-Type=EAP-GSS, and
denial of service attacks, it may be desirable for an implementation passes the input_token
parameter to
set a maximum size for a GSS_API token. Since a typical certificate
chain GSS_Init_sec_context(). The output_token is rarely longer than a few thousand octets, encapsulated
within an EAP-Response packet with EAP-Type=EAP-GSS and no other field is
likely sent to be anwhere near as long, a reasonable choice of maximum
acceptable message length might be 64 KB.

If this value is chosen, then fragmentation can be handled via the
multilink PPP fragmentation mechanisms described in [2]. While this is
desirable, there may be cases in which multilink EAP
server. This occurs whether the call completed with
GSS_S_CONTINUE_NEEDED status or GSS_S_COMPLETE status.

If the MRRU LCP option
cannot be negotiated. As a result, previous call to GSS_Accept_sec_context() returned GSS_S_COMPLETE
status, then the EAP-Server returns an EAP-GSS implementation MUST EAP-Success message to the
client. Otherwise, it de-capsulates the GSS-API token contained within
the EAP-Request packet, and the conversation continues.

Aboba Standards Track Experimental [Page 4] 5]

INTERNET-DRAFT PPP EAP GSS Authentication Protocol 1 December 1999

provide its own support for fragmentation and reassembly.

Since EAP is a simple ACK-NAK protocol, fragmentation support 21 November 2000

The conversation (which can be
added in a simple manner. In EAP, fragments that are lost or damaged in
transit will be retransmitted, and since sequencing information is
provided by the Identifier field in EAP, there is no need for a fragment
offset field require as is provided in IPv4.

EAP-GSS fragmentation support is provided through addition of a flags
octet within few as 3.5 round trips) appears
as follows:

Authenticating Peer Authenticator
------------------- -------------
EAP-Request/
<- Identity
EAP-Response/
Identity (MyID) ->
EAP-Request/
EAP-Type=EAP-GSS
<- (GSS Start, S bit set)

GSS_Init_sec_context(mutual_req_flag)
returns GSS_S_CONTINUE_NEEDED,
output_token (SPNEGO)

EAP-Response/
EAP-Type=EAP-GSS
output_token ->
GSS_Accept_sec_context(input_token)
returns GSS_S_COMPLETE,
output_token (SPNEGO)

EAP-Request/
EAP-Type=EAP-GSS
<- output_token

GSS_Init_sec_context(input_token)
returns GSS_S_COMPLETE,
output_token

EAP-Response/
EAP-Type=EAP-GSS
output_token ->
<- EAP-Success

5.3. Topology

While nominally the EAP-Response EAP conversation occurs between the authenticator
and EAP-Request packets, the peer, the authenticator MAY act as well a pass-through device, with
the EAP packets received from the peer being encapsulated for
transmission to a RADIUS server or backend security server, such as a GSS
Message Length field of four octets. Flags include
Kerberos KDC. In the Length included
(L), More fragments (M), and EAP-GSS Start (S) bits. The L flag is set discussion that follows, we will use the term "EAP
server" to indicate denote the presence of ultimate endpoint conversing with the four octet GSS Message Length field, and
MUST be set for peer.

For use with EAP-GSS, two topologies are likely. In one topology, the first fragment of a fragmented
authenticator functions as an EAP-passthrough device, encapsulating EAP

Aboba Experimental [Page 6]

INTERNET-DRAFT EAP GSS message or set of
messages. The M flag is set on all but Authentication Protocol 21 November 2000

messages received from the last fragment. The S flag is
set only peer within RADIUS as described in [33], and
passing them on to the EAP-GSS start message sent RADIUS server. In turn, EAP-Message attributes
received from the EAP RADIUS server to are de-capsulated by the peer. The GSS Message Length field is four octets, authenticator
and provides sent to the
total length of peer. In this topology, the GSS_API token or set authenticator need not have
knowledge of messages that is being
fragmented; this simplifies buffer allocation.

When an specific EAP or GSS-API methods.

In the other topology, EAP-GSS peer receives an EAP-Request packet is used along with the M bit set,
it MUST respond with GSS-API IAKERB
[18] or Kerberos V [20] mechanisms. Where IAKERB is used, the
authenticator functions as an EAP-Response with EAP-Type=EAP-GSS IAKERB proxy, de-capsulating EAP-
GSS/IAKERB messages and no data.
This serves as a fragment ACK. The EAP server MUST wait until it
receives the EAP-Response before sending another fragment. In order passing them on to
prevent errors in processing of fragments, the EAP server MUST increment KDC. In turn, messages
from the Identifier field for each fragment contained KDC are encapsulated within an EAP-Request, EAP-GSS/IAKERB and sent to the peer MUST include
peer. In this Identifier value in the fragment ACK
contained within the EAP-Reponse. Retransmitted fragments will contain
the same Identifier value.

Similarly, when case, the EAP server receives an EAP-Response with authenticator needs to understand the M bit
set, it MUST respond with an EAP-Request with EAP-Type=EAP-GSS and no
data. This serves EAP-GSS,
GSS-API IAKERB, as a fragment ACK. The EAP peer MUST wait until it
receives the EAP-Request before sending another fragment. well as GSS-API Kerberos V mechanisms.

In order to
prevent errors in the processing of fragments, the EAP server MUST use
increment the Identifier value examples below, conversations are provided for each fragment ACK contained within an
EAP-Request, and the peer MUST include this Identifier value topology.

Aboba Experimental [Page 7]

INTERNET-DRAFT EAP GSS Authentication Protocol 21 November 2000

5.3.1. RADIUS backend

A successful EAP-GSS/IAKERB authentication occuring in the
subsequent fragment contained within an EAP-Reponse.

5.4. Identity verification

As part of GSS_API, it is possible that the server may present a
certificate topology with
an authenticator acting as an IAKERB proxy to the peer, a Kerberos KDC will appear
as follows:

Peer Authenticator RADIUS KDC
------ ------------- --------- ------
EAP/Identity
<-------Request
EAP/Identity
Response -------->
EAP/Identity
Response --------> Access-Challenge
<--------EAP-GSS Request
(Start)
<-------EAP-GSS Request(Empty)
EAP-GSS
Response [1]
(SPNEGO) -------->
EAP-GSS Response
(SPNEGO) --------> Access-Challenge
EAP-GSS Request
<--------(SPNEGO)
EAP-GSS Request
<-------(SPNEGO)
EAP-GSS IAKERB
Response [2]
(AS_REQ) -------->
EAP-GSS IAKERB
Response
(AS_REQ) -------->
AS_REQ ------------>
<-------------------- AS_REP
Access-Challenge
EAP-GSS IAKERB Request
<--------(AS_REP)
EAP-GSS IAKERB
Request
<-------(AS_REP)
EAP-GSS IAKERB
Response [3]
(TGS_REQ) ------->
EAP-GSS IAKERB
Response
(TGS_REQ) -------->
TGS_REQ ---------->

Aboba Experimental [Page 8]

INTERNET-DRAFT EAP GSS Authentication Protocol 21 November 2000

<-------------------- TGS_REP
Access-Challenge
EAP-GSS IAKERB Request
<--------(TGS_REP)
EAP-GSS IAKERB
Request
<-------(TGS_REP)
EAP-GSS IAKERB
Response
(Empty) -------->
EAP-GSS IAKERB
Response
(Empty) -----------> Access-Accept [4]
<------- EAP-Success
<------ EAP-Success
AP_REQ --------->
<------ AP_REP [5]

Notes:

1. IAKERB may be requested by the EAP-GSS client without the need for
negotiation, or that SPNEGO may be used.

2. The AS_REQ requests a TGT from the peer KDC. It may present or may not include
PADATA. As a certificate to result, the server. If AS_REQ may not authenticate the peer has made a claim of identity in to
the EAP-
Response/Identity (MyID) packet, KDC, but the EAP server SHOULD verify that AS_REP authenticates the
claimed identity corresponds KDC to the certificate presented by the peer.
Typically this will

3. The TGS_REQ requests a ticket to the authenticator service. The
ticket is encrypted with the authenticator's key so that it can
only be accomplished either validated by placing the userId within authenticator.

4. On receiving a TGS_REP from the peer certificate, or by providing KDC rather than a mapping between KRB_ERROR, the
RADIUS server can conclude that the peer

Aboba Standards Track [Page 5]

INTERNET-DRAFT PPP EAP GSS Authentication Protocol 1 December 1999

certificate has succesfully
authenticated, and thus that it is appropriate to reply to the userId using
authenticator with an Access-Accept encapsulating an EAP-Success.

5. The IAKERB exchange ends before the AP_REQ/AP_REP exchange occurs.
As a directory service.

Similarly, result, the AP_REQ/AP_REP exchange either will not occur
(preventing mutual authentication between peer MUST verify the validity of the EAP server
certificate, and SHOULD also examine the EAP server name presented in authenticator or
transport of the certificate, in order session key from peer to determine whether the EAP server can be
trusted. Please note that authenticator), will
occur out-of-band (e.g. after access is granted), or will occur in
another EAP-GSS conversation (e.g. using the case where the GSS-API Kerberos V
method).

Aboba Experimental [Page 9]

INTERNET-DRAFT EAP GSS Authentication Protocol 21 November 2000

5.3.2. Kerberos backend

A successful EAP-GSS/IAKERB authentication is
remoted that the EAP server occuring in a topology with
an authenticator acting as an IAKERB proxy to a Kerberos KDC will appear
as follows:

Peer Authenticator KDC
------ ------------- ---------
EAP/Identity
<----------Request
EAP/Identity
Response ---------->
<----------EAP-GSS Start
EAP-GSS IAKERB
Response [1]
(AS_REQ) ---------->
AS_REQ ------------------>
<------------------------- AS_REP [2]
EAP-GSS IAKERB Request
<----------(AS_REP)
EAP-GSS IAKERB
Response [3]
(TGS_REQ) ---------->
TGS_REQ ----------------->
<------------------------- TGS_REP [4]
EAP-GSS IAKERB Request
<----------(TGS_REP)
EAP-GSS IAKERB
Response
(Empty) ----------->
<--------- EAP-Success
AP_REQ [5]----------->
<----------- AP_REP [6]

Notes:

1. If PADATA is not reside on used in the same machine as AS_REQ, then the
authenticator, and therefore peer does not
authenticate to the name KDC.

2. The KDC authenticates to the peer in the EAP server's certificate
cannot be expected AS_REP.

3. The peer authenticates to match that of the intended destination. In this
case, a more appropriate test might be whether KDC via the EAP server's
certificate is signed by a CA controlling TGS_REQ.

4. The KDC authenticates to the intended destination and
whether peer via the EAP server exists within a target sub-domain.

5.5. Key derivation

As part of TGS_REP. The TGS_REP
also provides the GSS_API exchange, it is conceivable that peer with a session key
may be derived.

[Should we just ticket and session-key for use with
the authenticator.

Aboba Experimental [Page 10]

INTERNET-DRAFT EAP GSS Authentication Protocol 21 November 2000

5. Up until this session key or derive another session key from
it??]

5.6. ECP negotiation

Since SPNEGO supports ciphersuite negotiation, peers completing point, the
GSS_API SPNEGO negotiation will also have selected peer has not mutually authenticated with
the authenticator, or exchanged a ciphersuite, which
includes key strength, encryption and hashing methods. with it. As a result, a
subsequent Encryption Control Protocol (ECP) conversation, if it occurs,
has a predetermined result.

In order to ensure agreement between the EAP-GSS SPNEGO
peer and authenticator need to conclude an AP_REQ/AP_REP exchange.
This can occur in-band or out-of-band. In the
subsequent ECP negotiation (described in [6]), during ECP negotiation AP-REQ, the PPP peer MUST offer only the ciphersuite negotiated in EAP-GSS.
This ensures that
authenticates to the PPP authenticator MUST accept the EAP-GSS
negotiated ciphersuite in order for the onversation and provides it with a session
key.

6. The authenticator authenticates to proceed. Should the authenticator not accept peer using the EAP-GSS negotiated ciphersuite, then AP_REP.

6. Detailed description of the peer MUST send an LCP terminate and disconnect.

Please note that it cannot be assumed that EAP-GSS protocol

6.1. EAP GSS Packet Format

A summary of the PPP authenticator and EAP
server GSS Request/Response packet format is shown below.
The fields are located on transmitted from left to right.

Code

1 - Request
2 - Response

Identifier

The identifier field is one octet and aids in matching responses with
requests.

Length

The Length field is two octets and indicates the same machine or that length of the authenticator
understands EAP
packet including the EAP-GSS conversation that has passed through it. Thus if Code, Identifier, Length, Type, and Data fields.
Octets outside the peer offers a ciphersuite other than range of the one negotiated in EAP-GSS
there Length field should be treated as
Data Link Layer padding and should be ignored on reception.

Type

14 - EAP GSS

Data

The format of the Data field is no way for determined by the authenticator to know how to respond correctly. Code field.

Aboba Standards Track Experimental [Page 6] 11]

INTERNET-DRAFT PPP EAP GSS Authentication Protocol 1 December 1999

5.7. Examples

In the case where 21 November 2000

6.2. EAP GSS Request Packet

A summary of the EAP-GSS authentication is successful, the
conversation will appear as follows:

Authenticating Peer Authenticator
------------------- -------------
<- PPP LCP Request-EAP
auth
PPP LCP ACK-EAP
auth ->
<- PPP EAP-Request/
Identity
PPP EAP-Response/
Identity (MyID) ->
<- PPP EAP-Request/
EAP-Type=EAP-GSS
(GSS Start, S bit set)
PPP EAP-Response/
EAP-Type=EAP-GSS ->
<- PPP EAP-Request/
EAP-Type=EAP-GSS
PPP EAP-Response/
EAP-Type=EAP-GSS ->
<- PPP EAP-Request/
EAP-Type=EAP-GSS
PPP EAP-Response/
EAP-Type=EAP-GSS ->
<- PPP EAP-Success
PPP Authentication
Phase complete,
NCP Phase starts

ECP negotiation

CCP negotiation

In the case where the EAP-GSS authentication is successful, and
fragmentation is required, the conversation will appear as follows:

Authenticating Peer Authenticator
------------------- -------------
<- PPP LCP Request-EAP
auth
PPP LCP ACK-EAP
auth ->
<- PPP EAP-Request/
Identity

Aboba Standards Track [Page 7]

INTERNET-DRAFT PPP EAP GSS Authentication Protocol 1 December 1999

PPP EAP-Response/
Identity (MyID) ->
<- PPP EAP-Request/
EAP-Type=EAP-GSS
(GSS Start, S bit set)
PPP EAP-Response/
EAP-Type=EAP-GSS ->
<- PPP EAP-Request/
EAP-Type=EAP-GSS
(Fragment 1: L, M bits set)
PPP EAP-Response/
EAP-Type=EAP-GSS ->
<- PPP EAP-Request/
EAP-Type=EAP-GSS
(Fragment 2: M bit set)
PPP EAP-Response/
EAP-Type=EAP-GSS ->
<- PPP EAP-Request/
EAP-Type=EAP-GSS
(Fragment 3)
PPP EAP-Response/
EAP-Type=EAP-GSS
(Fragment 1:
L, M bits set)->
<- PPP EAP-Request/
EAP-Type=EAP-GSS
PPP EAP-Response/
EAP-Type=EAP-GSS
(Fragment 2)->
<- PPP EAP-Request/
EAP-Type=EAP-GSS
PPP EAP-Response/
EAP-Type=EAP-GSS ->
<- PPP EAP-Success
PPP Authentication
Phase complete,
NCP Phase starts

ECP negotiation

CCP negotiation

6. Detailed description of the EAP-GSS protocol

6.1. PPP EAP GSS Packet Format

A summary of the PPP EAP GSS Request/Response packet format EAP GSS Request packet format is shown below. The
fields are transmitted from left to right.

Aboba Standards Track [Page 8]

INTERNET-DRAFT PPP EAP GSS Authentication Protocol 1 December 1999

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Flags | GSS Message Length
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| GSS Message Length | GSS Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Code

1 - Request
2 - Response

Identifier

The identifier Identifier field is one octet and aids in matching responses with
requests.

Length The Length field is two octets and indicates the length of the EAP
packet including the Code, Identifier, Length, Type, and Data fields.
Octets outside the range of the Length field should be treated as
Data Link Layer padding and should be ignored on reception.

Type

14 - EAP GSS

Data

The format of the Data field is determined by the Code field.

6.2. PPP EAP GSS Request Packet

A summary of the PPP EAP GSS Request packet format is shown below. The
fields are transmitted from left to right.

Aboba Standards Track [Page 9]

INTERNET-DRAFT PPP EAP GSS Authentication Protocol 1 December 1999

Code

Identifier

The Identifier field is one octet and aids in matching responses with
requests. The Identifier Identifier field MUST be changed on each Request
packet.

Length

The Length field is two octets and indicates the length of the EAP
packet including the Code, Identifier, Length, Type, and GSS Response
fields.

Type

? - EAP GSS

Flags

0 1 2 3 4 5 6 7 8
+-+-+-+-+-+-+-+-+
|L M S R R R R R|
+-+-+-+-+-+-+-+-+

L = Length included
M = More fragments
S = EAP-GSS start
R = Reserved

The L bit (length included) is set to indicate the presence of the

Aboba Experimental [Page 12]

INTERNET-DRAFT EAP GSS Authentication Protocol 21 November 2000

four octet GSS Message Length field, and MUST be set for the first
fragment of a fragmented GSS message or set of messages. The M bit
(more fragments) is set on all but the last fragment. The S bit (EAP-
GSS start) is set in an EAP-GSS Start message. This differentiates
the EAP-GSS Start message from a fragment acknowledgement. acknowledgment.

GSS Message Length

The GSS Message Length field is four octets, and is present only if
the L bit is set. This field provides the total length of the GSS
message or set of messages that is being fragmented.

GSS data

The GSS data consists of the encapsulated GSS packet.

Aboba Standards Track [Page 10]

INTERNET-DRAFT PPP EAP GSS Authentication Protocol 1 December 1999

6.3. PPP EAP GSS Response Packet

A summary of the PPP EAP GSS Response packet format is shown below. The
fields are transmitted from left to right.

Code

Identifier

The Identifier field is one octet and MUST match the Identifier field
from the corresponding request.

Length

The Length field is two octets and indicates the length of the EAP
packet including the Code, Identifier, Length, Type, Code, Identifier, Length, Type, and GSS data
fields.

Type

Aboba Experimental [Page 13]

INTERNET-DRAFT EAP GSS Authentication Protocol 21 November 2000

? - EAP GSS

Flags

0 1 2 3 4 5 6 7 8
+-+-+-+-+-+-+-+-+
|L M S R R R R R|
+-+-+-+-+-+-+-+-+

L = Length included
M = More fragments
S = EAP-GSS start
R = Reserved

The L bit (length included) is set to indicate the presence of the
four octet GSS Message Length field, and MUST be set for the first
fragment of a fragmented GSS message or set of messages. The M bit
(more fragments) is set on all but the last fragment. The S bit (EAP-
GSS start) is set in an EAP-GSS Start message. This differentiates
the EAP-GSS Start message from a fragment acknowledgment.

GSS Message Length

The GSS Message Length field is four octets, and is present only if
the L bit is set. This field provides the total length of the GSS
message or set of messages that is being fragmented.

GSS data

The GSS data consists of the encapsulated GSS packet.

6.4. Fragmentation

It is possible that EAP-GSS messages may exceed the link MTU size, the
maximum RADIUS packet size of 4096 octets, or even the Multilink
Maximum Received Reconstructed Unit (MRRU). As described in [2], within
PPP the multi-link MRRU is negotiated via the Multilink MRRU LCP option,
which includes an MRRU length field of two octets, and thus can support
MRRUs as large as 64 KB.

In order to protect against reassembly lockup and denial of service
attacks, it may be desirable for an implementation to set a maximum size
for a GSS-API token. Since a typical certificate chain is rarely longer
than a few thousand octets, and no other field is likely to be anywhere
near as long, a reasonable choice of maximum acceptable message length
might be 64 KB.

Aboba Experimental [Page 14]

INTERNET-DRAFT EAP GSS Authentication Protocol 21 November 2000

If this value is chosen, then for PPP links, fragmentation can be
handled via the multi-link PPP fragmentation mechanisms described in
[2]. While this is desirable, there may be cases in which multi-link or
the MRRU LCP option cannot be negotiated. Also, since EAP methods must
also be usable within IEEE 802.1X [27], an EAP-GSS implementation MUST
provide its own support for fragmentation and reassembly.

Since EAP is a simple ACK-NAK protocol, fragmentation support can be
added in a simple manner. In EAP, fragments that are lost or damaged in
transit will be retransmitted, and since sequencing information is
provided by the Identifier field in EAP, there is no need for a fragment
offset field as is provided in IP.

EAP-GSS fragmentation support is provided through addition of a flags
octet within the EAP-Response and EAP-Request packets, as well as a GSS
Message Length field of four octets. Flags include the Length included
(L), More fragments (M), and EAP-GSS Start (S) bits. The L flag is set
to indicate the presence of the four octet GSS Message Length field, and
MUST be set for the first fragment of a fragmented GSS message or set of
messages. The M flag is set on all but the last fragment. The S flag is
set only within the EAP-GSS start message sent from the EAP server to
the peer. The GSS Message Length field is four octets, and provides the
total length of the GSS-API token or set of messages that is being
fragmented; this simplifies buffer allocation.

When an EAP-GSS peer receives an EAP-Request packet with the M bit set,
it MUST respond with an EAP-Response with EAP-Type=EAP-GSS and no data.
This serves as a fragment ACK. The EAP server MUST wait until it
receives the EAP-Response before sending another fragment. In order to
prevent errors in processing of fragments, the EAP server MUST increment
the Identifier field for each fragment contained within an EAP-Request,
and the peer MUST include this Identifier value in the fragment ACK
contained within the EAP-Response. Retransmitted fragments will contain
the same Identifier value.

Similarly, when the EAP server receives an EAP-Response with the M bit
set, it MUST respond with an EAP-Request with EAP-Type=EAP-GSS and no
data. This serves as a fragment ACK. The EAP peer MUST wait until it
receives the EAP-Request before sending another fragment. In order to
prevent errors in the processing of fragments, the EAP server MUST use
increment the Identifier value for each fragment ACK contained within an
EAP-Request, and the peer MUST include this Identifier value in the
subsequent fragment contained within an EAP-Response.

Aboba Experimental [Page 15]

INTERNET-DRAFT EAP GSS Authentication Protocol 21 November 2000

In the case where the EAP-GSS authentication is successful, and
fragmentation is required, the conversation will appear as follows:

Authenticating Peer Authenticator
------------------- -------------
EAP-Request/
<- Identity
EAP-Response/
Identity (MyID) ->
EAP-Request/
EAP-Type=EAP-GSS
<-(GSS Start, S bit set)

GSS_Init_sec_context(mutual_req_flag)
returns GSS_S_CONTINUE_NEEDED,
output_token (SPNEGO)

EAP-Response/
EAP-Type=EAP-GSS
output_token ->

GSS_Accept_sec_context(input_token)
returns GSS_S_COMPLETE,
output_token (SPNEGO)

EAP-Request/
EAP-Type=EAP-GSS
output_token
<- (Fragment 1: L, M bits set)
EAP-Response/
EAP-Type=EAP-GSS ->
EAP-Request/
EAP-Type=EAP-GSS
<- (Fragment 2: M bit set)
EAP-Response/
EAP-Type=EAP-GSS ->
EAP-Request/
EAP-Type=EAP-GSS
<- (Fragment 3)

GSS_Init_sec_context(input_token)
returns GSS_S_COMPLETE,
output_token

EAP-Response/
EAP-Type=EAP-GSS
output_token

Aboba Experimental [Page 16]

INTERNET-DRAFT EAP GSS Authentication Protocol 21 November 2000

(Fragment 1:
L, M bits set)->
EAP-Request/
<- EAP-Type=EAP-GSS
EAP-Response/
EAP-Type=EAP-GSS
(Fragment 2)->
<- EAP-Success

6.5. Retry behavior

As with other EAP protocols, the EAP server is responsible for retry
behavior. This means that if the EAP server does not receive a reply
from the peer, it MUST resend the EAP-Request for which it has not yet
received an EAP-Response. However, the peer MUST NOT resend EAP-Response
packets without first being prompted by the EAP server.

For example, if the initial EAP-GSS start packet sent by the EAP server
were to be lost, then the peer would not receive this packet, and would
not respond to it. As a result, the EAP-GSS start packet would be resent
by the EAP server. Once the peer received the EAP-GSS start packet, it
would send an EAP-Response encapsulating the client_hello message. If
the EAP-Response were to be lost, then the EAP server would resend the
initial EAP-GSS start, and the peer would resend the EAP-Response.

As a result, it is possible that a peer will receive duplicate EAP-
Request messages, and may send duplicate EAP-Responses. Both the peer
and the EAP-Server should be engineered to handle this possibility.

6.6. Identity verification

As part of the GSS-API conversation, it is possible that the server may
present a certificate to the peer, or that the peer may present a
certificate to the EAP server. If the peer has made a claim of identity
in the EAP-Response/Identity (MyID) packet, the EAP server SHOULD
verify that the claimed identity corresponds to the certificate
presented by the peer. Typically this will be accomplished either by
placing the userId within the peer certificate, or by providing a
mapping between the peer certificate and the userId using a directory
service.

Similarly, the peer MUST verify the validity of the EAP server
certificate, and SHOULD also examine the EAP server name presented in
the certificate, in order to determine whether the EAP server can be
trusted. Please note that in the case where the EAP authentication is
remoted that the EAP server will not reside on the same machine as the
authenticator, and therefore the name in the EAP server's certificate
cannot be expected to match that of the intended destination. In this

Aboba Experimental [Page 17]

INTERNET-DRAFT EAP GSS Authentication Protocol 21 November 2000

case, a more appropriate test might be whether the EAP server's
certificate is signed by a CA controlling the intended destination and
whether the EAP server exists within a target sub-domain.

6.7. Use of addresses

When using EAP-GSS, the EAP client may not be able to include an address
in an EAP-Response message, since prior to obtaining access the EAP
client may not have an IP address. The IAKERB GSS-API method can
explicitly handle this, as described in [18]. However, Where Kerberos V
is negotiated [16], [20] the addresses field of the AS_REQ and TGS_REQ
SHOULD be blank and the caddr field of the ticket SHOULD also be left
blank.

6.8. Credential reuse

Note that a peer with valid credentials may reuse those credentials in a
subsequent authentication. For example, a peer initially using the
IAKERB GSS-API method to obtain a TGT and a ticket to the authenticator
may subsequently reuse that ticket in an AP_REQ/AP_REP exchange that may
occur either in-band (e.g. via use of the Kerberos V GSS-API method) or
out-of-band (e.g. via an 802.1X EAPOL-Key message). Typically in-band
efficiency savings are modest (one round-trip saved using the Kerberos V
GSS-API method versus IAKERB), while savings from out-of-band credential
reuse can be more substantial.

Credential reuse improves efficiency in a number of scenarios. Where
the peer attempts to re-authenticate to an EAP server within a short
period of time, the re-authentication time may be shortened. Also, where
the peer roams to another authenticator willing to accept credentials
from a previous authenticator, fast-handoff may be achieved. Credential
reuse may also prove useful during multi-link authentication.

The decision of whether to attempt to reuse credentials is left up to
the peer, which needs to determine whether credential use is likely to
succeed. The decision may be based on out-of-band information (such as
probe/response messages exchanged via 802.11 [28], or the time elapsed
since the previous authentication attempt.

If the peer attempts to reuse credentials that are not valid for the
authenticator, then no harm is done. The authenticator will respond with
an error and the peer can then re-authenticate using the more complete
sequence. For example, after an initial IAKERB authentication, the peer
will have obtained a TGT from the KDC via the AS_REP, and GSS data
fields.

Type

14 - EAP GSS

Flags

0 1 2 3 4 5 6 7 8
+-+-+-+-+-+-+-+-+
|L M S R R R R R|
+-+-+-+-+-+-+-+-+

L = Length included
M = More fragments
S = EAP-GSS start
R = Reserved a ticket to
the authenticator within the TGS_REP. The L bit (length included) is set peer may subsequently attempt
to indicate negotiate the presence of Kerberos V GSS-API method, so as to reuse the
four octet GSS Message Length field, and MUST
previously obtained credentials. Should a KRB_ERROR be set for returned by the first
authenticator, then the peer can negotiate IAKERB on its next attempt

Aboba Standards Track Experimental [Page 11] 18]

INTERNET-DRAFT PPP EAP GSS Authentication Protocol 1 December 1999

fragment of a fragmented GSS message or set of messages. The M bit
(more fragments) 21 November 2000

instead.

Note that for credential reuse to be possible while roaming, it is set on all but
necessary for authenticators to share the last fragment. The S bit (EAP-
GSS start) same key with the KDC. If
this is not the case, then peers moving from one authenticator to
another will not be able to reuse authenticator tickets. Similarly, if
the EAP servers are set up in an EAP-GSS Start message. This differentiates a rotary or made available via a round-
robin technique, then the EAP-GSS Start message from credentials also may not be reusable, unless
the EAP authentication is remoted to a fragment acknowledgement.

GSS Message Length

The GSS Message Length field central authentication server.

6.9. ECP negotiation

ECP, described in [6], supports unprotected cipher-suite negotiations
within PPP and is four octets, thus vulnerable to attack. Since SPNEGO [19] supports
protected cipher-suite negotiation in the case where the negotiated
method provides authentication and integrity protection, use of SPNEGO
is present only preferable to ECP. Peers completing the GSS-API SPNEGO negotiation
will typically implicitly select a cipher-suite, which includes key
strength, encryption and hashing methods. As a result, a subsequent
Encryption Control Protocol (ECP) conversation [6], if it occurs, has a
predetermined result.

However, since the L bit is set. This field provides ECP-supported ciphersuites may not correspond to the total length
ciphersuites implicitly negotiated as part of SPNEGO, it may not be
possible for the GSS
message ECP conversation to verify the ciphersuites implicitly
selected via SPNEGO. For example, the ECP methods defined in [9]-[10]
only support DES and 3DES transforms for confidentiality, and do not
support authentication or set of messages that integrity protection. Thus, there is being fragmented.

GSS data

The GSS data consists of no
correspondence between existing ECP methods and the encapsulated GSS packet. ciphersuites
available within GSS-API methods such as Kerberos [16]-[17].

7. References

[1] Simpson, W., Editor, "The Point-to-Point Protocol (PPP)." STD 51,
RFC 1661, July 1994.

[2] Sklower, K., Lloyd, B., McGregor, G., Carr, D., and T. Coradetti,
"The PPP Multilink Protocol (MP)." RFC 1990, August 1996.

[3] Simpson, W., Editor, "PPP LCP Extensions." RFC 1570, January 1994.

[4] Rivest, R., Dusse, S., "The MD5 Message-Digest Algorithm", RFC
1321, April 1992.

[5] Blunk, L., Vollbrecht, J., "PPP Extensible Authentication Protocol
(EAP)", RFC 2284, March 1998.

Aboba Experimental [Page 19]

INTERNET-DRAFT EAP GSS Authentication Protocol 21 November 2000

[6] Meyer, G., "The PPP Encryption Protocol (ECP)." RFC 1968, June 1996

[7] National Bureau of Standards, "Data Encryption Standard", FIPS PUB
46 (January 1977).

[8] National Bureau of Standards, "DES Modes of Operation", FIPS PUB 81
(December 1980).

[9] Sklower, K., Meyer, G., "The PPP DES Encryption Protocol, Version 2
(DESE-bis)", RFC 2419, September 1998.

[10] Hummert, K., "The PPP Triple-DES Encryption Protocol (3DESE)", RFC
2420, September 1998.

Aboba Standards Track [Page 12]

INTERNET-DRAFT PPP EAP GSS Authentication Protocol 1 December 1999

[11] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.

[12] Aboba, B., Simon, S.,"PPP EAP TLS Authentication Protocol", RFC
2716, October 1999.

[13] D. Rand. "The PPP Compression Control Protocol." RFC 1962, Novell,
June 1996.

[14] Myers, J., "Simple Authentication and Security Layer (SASL)", RFC
2222, October 1997.

[15] Linn, J., "Generic Security Service Application Program Interface,
Version 2", RFC 2078, 2743, January 1997. 2000.

[16] Kohl, J., Neuman, C., "The Kerberos Network Authentication Service
(V5)", RFC 1510, September 1993.

[17] Neuman, B. C., Ts'o, T., "Kerberos: An Authentication Service for
Computer Networks", IEEE Communications, 32(9):33-38, September
1994.

[18] Tung, B., Neuman, B. C., Hur, Swift, M., Medvinsky, Medvinsky, S., Wray,
J., Trostle, J., A., "Public Key Cryptography for Initial "Initial Authentication in Kerberos", and Pass Through
Authentication Using Kerberos V5 and the GSS-API (IAKERB)",
Internet draft (work in progress),
draft-ietf-cat-kerberos-pk-init-08.txt, May 1999. draft-ietf-cat-iakerb-05.txt,
November 2000.

[19] McMahon, P., "GSS-API Authentication Method for SOCKS Version 5",
RFC 1961, June 1996.

[20] Baize, E., Pinkas., D., "The Simple and Protected GSS-API
Negotiation Mechanism", RFC 2478, December 1998.

[21]

[20] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC 1964, 1964,
June 1996.

Aboba Experimental [Page 20]

INTERNET-DRAFT EAP GSS Authentication Protocol 21 November 2000

[21] IEEE Standards for Local and Metropolitan Area Networks: Overview
and Architecture, ANSI/IEEE Std 802, 1990.

[22] ISO/IEC 10038 Information technology - Telecommunications and
information exchange between systems - Local area networks - Media
Access Control (MAC) Bridges, (also ANSI/IEEE Std 802.1D- 1993),
1993.

[23] ISO/IEC Final CD 15802-3 Information technology - Tele-
communications and information exchange between systems - Local and
metropolitan area networks - Common specifications - Part 3:Media
Access Control (MAC) bridges, (current draft available as IEEE
P802.1D/D15).

[24] IEEE Standards for Local and Metropolitan Area Networks: Draft
Standard for Virtual Bridged Local Area Networks, P802.1Q/D8,
January 1998.

[25] ISO/IEC 8802-3 Information technology - Telecommunications and
information exchange between systems - Local and metropolitan area
networks - Common specifications - Part 3: Carrier Sense Multiple
Access with Collision Detection (CSMA/CD) Access Method and
Physical Layer Specifications, (also ANSI/IEEE Std 802.3- 1996),
1996.

[26] IEEE Standards for Local and Metropolitan Area Networks: Demand
Priority Access Method, Physical Layer and Repeater Specification
For 100 Mb/s Operation, IEEE Std 802.12-1995.

[27] IEEE Standards for Local and Metropolitan Area Networks: Port based
Network Access Control, IEEE Draft 802.1X/D8, November 2000.

[28] Information technology - Telecommunications and information
exchange between systems - Local and metropolitan area networks -
Specific Requirements Part 11: Wireless LAN Medium Access Control
(MAC) and Physical Layer (PHY) Specifications, IEEE Std.
802.11-1997, 1997.

[29] Rigney, C., Rubens, A., Simpson, W., Willens, S., "Remote
Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

[30] Rigney, C., "RADIUS Accounting", RFC 2866, June 1996.

[22] Myers, J., "SASL GSSAPI mechanisms", Internet draft (work in
progress), draft-ietf-cat-sasl-gssapi-00.txt, March 1999.

[23] Piper, 2000.

[31] Zorn, G., Mitton, D., "A GSS-API Authentication Mode Aboba, B., "RADIUS Accounting Modifications
for IKE", Internet draft
(work in progress), draft-ietf-ipsec-isakmp-gss-auth-03.txt,
October 1999.

[24] Swift, M., Trostle, Tunnel Protocol Support", RFC 2867, June 2000.

[32] Zorn, G., Leifer, D., Rubens, A., Shriver, J., "Initial Authentication and Pass Through
Authentication Using Kerberos V5 and the GSS-API (IAKERB)",
Internet draft (work in progress), draft-ietf-cat-iakerb-04.txt,
October 1999. Holdrege, M.,
Goyret, I., "RADIUS Attributes for Tunnel Protocol Support", RFC

Aboba Standards Track Experimental [Page 13] 21]

INTERNET-DRAFT PPP EAP GSS Authentication Protocol 1 December 1999 21 November 2000

2868, June 2000.

[33] Rigney, C., Willats, W., Calhoun, P., "RADIUS Extensions", RFC
2869, June 2000.

8. Security Considerations

8.1. Certificate revocation

Since the EAP server is on the Internet during the EAP conversation, the
server is capable of following a certificate chain or verifying whether
the peer's certificate has been revoked. In contrast, the peer may or
may not have Internet connectivity, and thus while it can validate the
EAP server's certificate based on a pre-configured set of CAs, it may
not be able to follow a certificate chain or verify whether the EAP
server's certificate has been revoked.

In the case where the peer is initiating a voluntary Layer 2 tunnel
using PPTP or L2TP, the peer will typically already have a PPP interface
and Internet connectivity established at the time of tunnel initiation.
As a result, during the EAP conversation it is capable of checking for
certificate revocation.

However, in the case where the peer is initiating an intial PPP
conversation, a connection, it will
not have Internet connectivity and is therefore not capable of checking
for certificate revocation until after NCP
negotiation completes and the peer has access to the
Internet. In this case, the peer SHOULD check for certificate revocation
after connecting to the Internet.

8.2. Separation of Mutual authentication

It is highly recommended that a GSS-API method supporting mutual
authentication be selected during the SPNEGO negotiation. This addresses
vulnerabilities associated with rogue EAP server and PPP authenticator servers, as well as avoiding
vulnerabilities associated with parallel one-way authentications.

8.3. Key management

As a result of the EAP-GSS conversation, the EAP endpoints will mutually
authenticate, negotiate a ciphersuite,
authenticate and derive a session key for subsequent use in PPP or
802.11 WEP [28] encryption. Since the peer and EAP client reside on the
same machine, it is necessary for the EAP client module to pass the
session key to the PPP layer 2 encryption module.

The situation may be more complex on the PPP authenticator, which may or may
not reside on the same machine as the EAP server. In the case where the
EAP server and PPP authenticator reside on different machines, there are
several implications for security. Firstly, the mutual authentication

Aboba Experimental [Page 22]

INTERNET-DRAFT EAP GSS Authentication Protocol 21 November 2000

defined in EAP-GSS will occur between the peer and the EAP server, not
between the peer and the authenticator. This means that as a result of
the EAP-GSS conversation, it is not possible for the peer
to validate the identity of the NAS or tunnel server that it is speaking
to.

The second issue is that the session key negotiated between the peer and
EAP server will need to be transmitted to the authenticator. Therefore
a mechanism needs to be provided to transmit the session key from the
EAP server to the authenticator or tunnel server that needs to use the
key. The specification of this transit mechanism is outside the scope of

Aboba Standards Track [Page 14]

INTERNET-DRAFT PPP EAP GSS Authentication Protocol 1 December 1999

this document.

8.3. Relationship of PPP encryption to other security mechanisms

It is envisaged that EAP-GSS will be used primarily with dialup PPP
connections. However, there are also circumstances in which PPP
encryption may be used along with Layer 2 tunneling protocols such as
PPTP and L2TP.

In compulsory layer 2 tunneling, a PPP not possible for the peer makes a connection to a NAS
or router which tunnels validate
the PPP packets to a tunnel server. Since with
compulsory tunneling a PPP peer cannot tell whether its packets are
being tunneled, let alone whether identity of the network device that it is securing the
tunnel, if security speaking to. The second issue is required then
that the client must make its own
arrangements. In session key negotiated between the case where all endpoints cannot be relied upon peer and EAP server will
need to
implement IPSEC, TLS, or another suitable security protocol, PPP
encryption provides a convenient means be transmitted to ensure the privacy authenticator. Both issues can be
addressed via addition of packets
transiting between a followon exchange. For example, where the client
IAKERB GSS-API method is used for initial authentication, the Kerberos V
GSS-API method can be used to mutually authenticate the peer and
authenticator and transfer the tunnel server. session key from the peer to the
authenticator.

9. Acknowledgments

Thanks to Terence Spies, Paul Leach, and Mike Swift of Microsoft for
useful discussions of this problem space.

10. Authors' Addresses

Bernard Aboba
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Phone: +1 (425) 936-6605
EMail: bernarda@microsoft.com

11. Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to pertain
to the implementation or use of the technology described in this
document or the extent to which any license under such rights might or
might not be available; neither does it represent that it has made any
effort to identify any such rights. Information on the IETF's
procedures with respect to rights in standards-track and standards-
related documentation can be found in BCP-11. Copies of claims of
rights made available for publication and any assurances of licenses to
be made available, or the result of an attempt made to obtain a general
license or permission for the use of such proprietary rights by
implementors or users of this specification can be obtained from the
IETF Secretariat.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary rights
which may cover technology that may be required to practice this
standard. Please address the information to the IETF Executive

Aboba Experimental [Page 23]

INTERNET-DRAFT EAP GSS Authentication Protocol 21 November 2000

Director.

12. Full Copyright Statement

Copyright (C) The Internet Society (1999). (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it or
assist in its implmentation implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are included
on all such copies and derivative works. However, this document itself
may not be modified in any way, such as by removing the copyright notice
or references to the Internet Society or other Internet organizations,
except as needed for the purpose of developing Internet standards in
which case the procedures for copyrights defined in the Internet

Aboba Standards Track [Page 15]

INTERNET-DRAFT PPP EAP GSS Authentication Protocol 1 December 1999
Standards process must be followed, or as required to translate it into
languages other than English. The limited permissions granted above are
perpetual and will not be revoked by the Internet Society or its
successors or assigns. This document and the information contained
herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."

12.

13. Expiration Date

This memo is filed as <draft-aboba-pppext-eapgss-00.txt>, <draft-aboba-pppext-eapgss-02.txt>, and expires
August 1, 2000. 2001.

Aboba Standards Track Experimental [Page 16] 24]

----