WDIFF

draft-aboba-pppext-eapgss-04.txt --> draft-aboba-pppext-eapgss-05.txt

PPPEXT Working Group Bernard Aboba
INTERNET-DRAFT Microsoft
Category: Experimental
<draft-aboba-pppext-eapgss-04.txt>
1 July
<draft-aboba-pppext-eapgss-05.txt>
8 August 2001

EAP GSS Authentication Protocol

Status of this Memo

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.

This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, and
its working groups. Note that other groups may also distribute working
documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference material
or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Abstract

The Extensible Authentication Protocol (EAP) provides a standard
mechanism for support of multiple authentication methods, including
public key, smart cards, Kerberos, One Time Passwords, and others. EAP
typically runs directly over the link layer without requiring IP and
therefore includes its own support for in-order delivery and re-
transmission. While EAP was originally developed for use with PPP, it is
also now in use with IEEE 802.

This document describes the EAP-GSS protocol, which enables the use of
GSS-API mechanisms within EAP. GSS-API provides for protected
negotiation of authentication methods via the SPNEGO mechanism. As a
result, any GSS-API mechanism supported by SPNEGO and providing initial
authentication can be used with EAP-GSS, including IAKERB. It is

Aboba Experimental [Page 1]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

desirable to support GSS-API authentication methods within EAP, since
this permits developers creating GSS-API authentication methods to
leverage their development efforts. EAP-GSS includes support for
fragmentation and reassembly.

Table of Contents

1. Introduction .......................................... 3
1.1 Requirements language ........................... 3
1.2 Terminology ..................................... 3
2. Protocol overview ...................... .............. 3
2.1 EAP server as GSS-API initiator ................. 4
2.2 Peer as GSS-API initiator ....................... 6
2.3 Example topologies .............................. 7 5
3. Detailed description of EAP-GSS protocol .............. 13 8
3.1 EAP GSS packet format ........................... 13 8
3.2 EAP GSS Request packet .......................... 14 9
3.3 EAP GSS Response packet ......................... 15 10
3.4 Fragmentation ....... ........................... 16 11
3.5 Retry behavior .................................. 19 14
3.6 Identity verification ........................... 19 14
3.7 Use of addresses ................................ 20
3.8 Credential reuse ................................ 20
3.9 ECP negotiation ................................. 21 15
4. References ............................................ 21 15
5. Security considerations ............................... 25 18
5.1 Dictionary attacks .................................... 25 .............................. 18
5.2 Certificate revocation ............................... 25 ......................... 19
5.3 Mutual authentication ................................. 26 ........................... 19
5.4 Credential reuse ................................ 19
5.5 Key management ........................... ............ 26
6. ...... 21
5.6 ECP negotiation ................................. 21
Appendix A - Example IAKERB topologies ....................... 23
Acknowledgments ....................................... 26
7. .............................................. 28
Author's Addresses .................................... 26 ........................................... 28
Intellectual Property Statement .............................. 27 28
Full Copyright Statement ..................................... 27 29

Aboba Experimental [Page 2]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

1. Introduction

The Extensible Authentication Protocol (EAP) [5] provides a standard
mechanism for support of multiple authentication methods, including
public key [12], smart cards, Kerberos, One Time Passwords [5], and
others. EAP typically runs directly over the link layer without
requiring IP and therefore includes its own support for in-order
delivery and re-transmission. While EAP was originally developed for use
with PPP [1], it is also now in use with IEEE 802 [27].

This document describes the EAP-GSS protocol, which enables the use of
GSS-API mechanisms within EAP. GSS-API, described in [15], provides for
protected negotiation of authentication methods via the SPNEGO mechanism
[19]. As a result, any GSS-API mechanism supported by SPNEGO and providing
initial authentication can be used with EAP-GSS, including IAKERB [18].
It is desirable to support GSS-API authentication methods within EAP,
since this permits developers creating GSS-API authentication methods to
leverage their development efforts. EAP-GSS includes support for
fragmentation and reassembly.

1.1. Requirements language

In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
"recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as
described in [11].

1.2. Terminology

This document frequently uses the following terms:

Authenticator

NAS The end of the link requiring the authentication. In IEEE
802.1X, this end is known as the Authenticator.

Peer The other end of the point-to-point link (PPP), point-to-point
LAN segment (IEEE 802.1x) or 802.11 wireless link, which being
authenticated by the authenticator. NAS. In IEEE 802.1X, this end is known as
the Supplicant.

Authentication Server
An Authentication Server is an entity that provides an
Authentication Service to an authenticator. NAS. This service verifies from
the credentials provided by the peer, the claim of identity
made by the peer.

2. Protocol overview

As described in [5], the EAP-GSS conversation will typically begin with
the authenticator NAS and the peer negotiating EAP. The authenticator NAS will then typically send

Aboba Experimental [Page 3]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

then typically send

an EAP-Request/Identity packet to the peer, and the peer will respond
with an EAP-Response/Identity packet to the
authenticator, NAS, containing the peer's
user-Id.

Once having received the peer's Identity, the EAP server responds with
an EAP-Request packet of EAP-Type=EAP-GSS. From this point forward, the
EAP-GSS conversation may proceed in one of two modes. way.

In the first mode, the EAP server acts as the GSS-API initiator, and the
peer acts as the GSS-API target. In the second mode, which adds an
extra round-trip, the peer acts as the GSS-API initiator, and the EAP
server acts as the GSS-API target. We discuss each mode in turn.

2.1. EAP server as GSS-API initiator

As described in RFC 2284 [5], the EAP server typically authenticates the
peer using a prearranged method or set of methods. As a result, the EAP
server may have predetermined the use of EAP-GSS as well as the GSS-API
method to be used. If that GSS-API method can be initiated by the EAP
Server, then the EAP server MAY act as a GSS-API initiator with the peer
acting as a GSS-API target. In this case, the EAP Server will indicate
the pre-determined GSS-API method, possibly via SPNEGO, but SHOULD NOT
allow negotiation of a substitute GSS-API method.

To initiate the conversation, the EAP-Server sends an EAP-Request packet
with EAP-Type=EAP-GSS. The data field of the packet will encapsulate a
GSS-API token, created as a result of a call to GSS_Init_sec_context ().
In this case mutual authentication MUST be requested (otherwise the peer
would not be authenticated to the authenticator!) NAS!) so that the the mutual_req_flag
is set and the call to GSS_Init_sec-context() returns
GSS_S_CONTINUE_NEEDED status.

When it receives the EAP-Request, the peer will de-capsulate the
received GSS-API token within the EAP-GSS frame, and will pass it as the
input_token parameter to GSS_Accept_sec_context(). If
GSS_Accept_sec_context indicates GSS_S_COMPLETE status, then the
authenticator NAS has
been authenticated by the peer, and the
authenticator's NAS's indicated identity is
provided in the src_name result, along with an output_token to be
encapsulated within an EAP-Response packet with EAP-Type=EAP-GSS, and
passed back to the EAP-Server.

The EAP server will then de-capsulate the GSS-API token within the EAP-
Response message and pass it as the input_token parameter to
GSS_Init_sec_context(). If the call returns GSS_S_COMPLETE status, then
the peer has been authenticated to the EAP-Server, then the EAP-Server
responds with an EAP-Success message. If GSS_S_CONTINUE_NEEDED status
is returned, then the EAP Server encapsulates the returned output_token
with an EAP-Request packet of EAP-Type=EAP-GSS, and pass this back to

Aboba Experimental [Page 4]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

the peer.

The conversation (which can require as few as be completed in a minimum of 2.5 round trips)
trips), appears as follows:

Peer Authenticator NAS
------ -------------
EAP/Identity
<-------Request

EAP/Identity
Response -------->

GSS_Init_sec_context(mutual_req_flag)
returns GSS_S_CONTINUE_NEEDED,
output_token

<--------EAP Request
EAP-GSS
output_token

GSS_Accept_sec_context(input_token)
returns GSS_S_COMPLETE,
output_token

EAP Response -------->
EAP-GSS
output_token

GSS_Init_sec_context(input_token)
returns GSS_S_COMPLETE

<--------EAP Success

2.2. Peer as GSS-API initiator

If the EAP server is prepared to allow negotiation of the GSS-API method
via SPNEGO [19], or if the EAP server knows the GSS-API method to be
used, but cannot initiate it (e.g. IAKERB, or Kerberos V), then the peer
MUST act as a GSS-API initiator, with the EAP server acting as the GSS-
API target.

In this case, the EAP server MUST respond with an EAP-GSS/Start packet,
which is an EAP-Request packet with EAP-Type=EAP-GSS, the Start (S) bit
set, and no data. The peer then calls GSS_Init_sec_context(), typically
with mutual authentication requested so that the mutual_req_flag is set
and the call returns GSS_S_CONTINUE_NEEDED status. The output_token is
then encapsulated within an EAP-Response packet with EAP-Type=EAP-GSS

Aboba Experimental [Page 5]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

and sent to the authenticator. NAS. If method negotiation is to be used, then an
initial negotiation token for the Simple and Protected GSS-API
Negotiation Mechanism (SPNEGO) [19] is transferred. This contains an
ordered list of mechanisms, a set of options that should be supported by
the selected mechanism and the initial security token for the mechanism
preferred by the peer. The inclusion of the initial security token for
the preferred method saves a round-trip, assuming that the authenticator NAS agrees to
the preferred mechanism.

The EAP server then de-capsulates the GSS-API token contained within the
EAP-Response of EAP-Type=EAP-GSS and uses this as the input_token
parameter to a call to GSS_Accept_sec_context(). The output_token
parameter will then contain a token, containing the result of the
negotiation and in the case of accept, the agreed security mechanism and
the response to the initial security token as described in [19]. This
token is then encapsulated within an EAP-Request packet of EAP-Type=GSS-
API, which is sent to the peer. This occurs whether the call completed
with GSS_S_CONTINUE_NEEDED status or GSS_S_COMPLETE status.

The peer then de-capsulates the GSS-API token contained within the EAP-
Request packet with EAP-Type=EAP-GSS, and passes the input_token
parameter to GSS_Init_sec_context(). The output_token is encapsulated
within an EAP-Response packet with EAP-Type=EAP-GSS and sent to the EAP
server. This occurs whether the call completed with
GSS_S_CONTINUE_NEEDED status or GSS_S_COMPLETE status.

If the previous call to GSS_Accept_sec_context() returned GSS_S_COMPLETE
status, then the EAP-Server returns an EAP-Success message to the
client. Otherwise, it de-capsulates the GSS-API token contained within
the EAP-Request packet, and the conversation continues.

Aboba Experimental [Page 6]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

The conversation (which can require as few as be completed in a minimum of 3.5 round trips)
trips), appears as follows:

Authenticating Peer Authenticator NAS
------------------- -------------
EAP-Request/
<- Identity
EAP-Response/
Identity (MyID) ->
EAP-Request/
EAP-Type=EAP-GSS
<- (GSS Start, S bit set)

GSS_Init_sec_context(mutual_req_flag)
returns GSS_S_CONTINUE_NEEDED,
output_token (SPNEGO)

EAP-Response/
EAP-Type=EAP-GSS
output_token ->
GSS_Accept_sec_context(input_token)
returns GSS_S_COMPLETE,
output_token (SPNEGO)

EAP-Request/
EAP-Type=EAP-GSS
<- output_token

GSS_Init_sec_context(input_token)
returns GSS_S_COMPLETE,
output_token

EAP-Response/
EAP-Type=EAP-GSS
output_token ->
<- EAP-Success

2.3. Example topologies

While nominally the EAP conversation occurs between the authenticator
and the peer, the authenticator MAY act as a pass-through device, with
the EAP packets received from the peer being encapsulated for
transmission to a RADIUS server or backend security server, such as a
Kerberos KDC. In the discussion that follows, we will use the term "EAP
server" to denote the ultimate endpoint conversing with the peer.

For use with EAP-GSS, two topologies are likely, one with a RADIUS
backend as well as a Kerberos KDC backend, and other using solely a

Aboba Experimental [Page 7]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

Kerberos KDC backend. We discuss each

3. Detailed description of these topologies in turn.

In the other topology, EAP-GSS is used along with protocol

3.1. EAP GSS Packet Format

A summary of the GSS-API IAKERB
[18] or Kerberos V [20] mechanisms. Where IAKERB EAP GSS Request/Response packet format is used, the
authenticator functions as an IAKERB proxy, de-capsulating EAP-
GSS/IAKERB messages and passing them on shown below.
The fields are transmitted from left to the KDC. In addition, where
the peer already has a valid TGT right.

Code

1 - Request
2 - Response

Identifier

The identifier field is one octet and ticket to the NAS, it may choose to
use the Kerberos V mechanism within EAP. Note that aids in matching responses with
requests.

Length

The Length field is two octets and indicates the case length of
802.11, the Kerberos AP_REQ/AP_REP messages are carried in messages EAP
packet including the Code, Identifier, Length, Type, and Data fields.
Octets outside the conventional EAP exchange [27] so that use range of the Kerberos V
mechanism within Length field should be treated as
Data Link Layer padding and should be ignored on reception.

Type

14 - EAP GSS

Data

The format of the Data field is not necessary.

In determined by the alternate topology, messages from Code field.

Aboba Experimental [Page 8]

INTERNET-DRAFT EAP GSS Authentication Protocol 8 August 2001

3.2. EAP GSS Request Packet

A summary of the KDC EAP GSS Request packet format is shown below. The
fields are encapsulated within
EAP-GSS/IAKERB and sent to the peer. In this case, the authenticator
needs transmitted from left to understand the EAP-GSS, GSS-API IAKERB, as well as GSS-API
Kerberos V mechanisms.

In the examples below, conversations are provided for each topology.

2.3.1. RADIUS backend

In the RADIUS backend topology, the authenticator functions as an EAP-
passthrough device, encapsulating EAP messages received from the peer
within RADIUS as described in [33], right.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Flags | GSS Message Length
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| GSS Message Length | GSS Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Code

Identifier

The Identifier field is one octet and passing them aids in matching responses with
requests. The Identifier field MUST be changed on to each Request
packet.

Length

The Length field is two octets and indicates the RADIUS
server. In turn, EAP-Message attributes received from length of the RADIUS server
are de-capsulated by EAP
packet including the authenticator Code, Identifier, Length, Type, and sent to the peer. In this
topology, the authenticator need not have knowledge of specific GSS Response
fields.

Type

? - EAP or
GSS-API methods. GSS

Aboba Experimental [Page 8] 9]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

A successful EAP-GSS/IAKERB authentication occurring in a topology with
an authenticator acting as an IAKERB proxy to a Kerberos KDC will appear
as below.

Peer Authenticator RADIUS KDC
------ ------------- --------- ------
EAP/Identity
<-Request

EAP/Identity
Response ->

EAP/Identity
Response ->
Access-Challenge

Flags

0 1 2 3 4 5 6 7 8
+-+-+-+-+-+-+-+-+
|L M S R R R R R|
+-+-+-+-+-+-+-+-+

L = Length included
M = More fragments
S = EAP-GSS Request
<- (Start)

<-EAP-GSS Request(Empty)

EAP-GSS
Response [1]
(SPNEGO) ->

EAP-GSS Response
(SPNEGO) ->
Access-Challenge
EAP-GSS Request
<-(SPNEGO)

EAP-GSS Request
<-(SPNEGO)

EAP-GSS IAKERB
Response [2]
(AS_REQ) ->

EAP-GSS IAKERB
Response
(AS_REQ) ->

AS_REQ ->
<- AS_REP

Access-Challenge
EAP-GSS IAKERB Request
<-(AS_REP)

Aboba Experimental [Page 9]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 2001

EAP-GSS IAKERB
Request
<-(AS_REP)

EAP-GSS IAKERB
Response [3]
(TGS_REQ) ->

EAP-GSS IAKERB
Response
(TGS_REQ) ->

TGS_REQ ->
<- TGS_REP

Access-Challenge
EAP-GSS IAKERB Request
<-(TGS_REP)
EAP-GSS IAKERB
Request
<-(TGS_REP)

EAP-GSS IAKERB
Response
(Empty) ->

EAP-GSS IAKERB
Response
(Empty) ->
Access-Accept [4]
<- EAP-Success

<- EAP-Success
AP_REQ ->
<- AP_REP [5]

Notes:

1. IAKERB may be requested by start
R = Reserved

The L bit (length included) is set to indicate the EAP-GSS client without presence of the need for
negotiation, or SPNEGO may
four octet GSS Message Length field, and MUST be used.

2. The AS_REQ requests a TGT from set for the KDC. It may or may not include
PADATA. As first
fragment of a result, the AS_REQ may not authenticate the peer to
the KDC, fragmented GSS message or set of messages. The M bit
(more fragments) is set on all but the AS_REP authenticates the KDC to the peer.

3. last fragment. The TGS_REQ requests a ticket to S bit (EAP-
GSS start) is set in an EAP-GSS Start message. This differentiates
the authenticator service. EAP-GSS Start message from a fragment acknowledgment.

GSS Message Length

The
ticket GSS Message Length field is encrypted with the authenticator's key so that it can four octets, and is present only be validated by if
the authenticator.

Aboba Experimental [Page 10]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 2001

4. On receiving a TGS_REP from the KDC rather than a KRB_ERROR, the
RADIUS server can conclude that the peer has successfully
authenticated, and thus that it L bit is appropriate to reply to the
authenticator with an Access-Accept encapsulating an EAP-Success.

5. The IAKERB exchange ends before the AP_REQ/AP_REP exchange occurs.
As a result, set. This field provides the AP_REQ/AP_REP exchange either will not occur
(preventing mutual authentication between peer and authenticator or
transport total length of the session key from peer to authenticator), will
occur out-of-band (e.g. after access is granted), or will occur in
a subsequent EAP-GSS conversation (e.g. using the GSS-API Kerberos
V method).

2.3.2. Kerberos backend

In the solely Kerberos-based topology, EAP-GSS is used along with the
GSS-API IAKERB [18] GSS
message or Kerberos V [20] mechanisms. Where IAKERB is
used, the authenticator functions as an IAKERB proxy, de-capsulating
EAP-GSS/IAKERB set of messages and passing them on to the KDC. In addition,
where the peer already has a valid TGT and ticket to the NAS, it may
choose to use the Kerberos V mechanism within EAP. Note that in the case is being fragmented.

GSS data

The GSS data consists of 802.11, the Kerberos AP_REQ/AP_REP messages are carried in messages
outside the conventional encapsulated GSS packet.

3.3. EAP exchange [27] so that use GSS Response Packet

A summary of the Kerberos V
mechanism within EAP GSS Response packet format is not necessary.

In the Kerberos-only topology, messages from the KDC shown below. The
fields are encapsulated
within EAP-GSS/IAKERB and sent to the peer. In this case, the
authenticator needs transmitted from left to understand the EAP-GSS, GSS-API IAKERB, as well
as GSS-API Kerberos V mechanisms.

Aboba Experimental [Page 11]

INTERNET-DRAFT EAP GSS Authentication Protocol right.

0 1 July 2001

A successful EAP-GSS/IAKERB authentication occurring in a topology with
an authenticator acting as an IAKERB proxy to a Kerberos KDC will appear
as follows:

Peer Authenticator KDC
------ ------------- ---------
EAP/Identity
<-Request

EAP/Identity
Response ->

<-EAP-GSS Start

EAP-GSS IAKERB
Response [1]
(AS_REQ) ->

AS_REQ ->
<- AS_REP [2]

EAP-GSS IAKERB Request
<-AS_REP)

EAP-GSS IAKERB
Response [3]
(TGS_REQ) ->

TGS_REQ ->

<- TGS_REP [4]

EAP-GSS IAKERB Request
<-(TGS_REP)

EAP-GSS IAKERB
Response
(Empty) ->

<- EAP-Success
AP_REQ [5]->
<- AP_REP [6]
Notes:

1. If PADATA is not used in the AS_REQ, then the peer does not
authenticate to the KDC. 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Flags | GSS Message Length
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| GSS Message Length | GSS Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Code

Aboba Experimental [Page 12] 10]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

2. The KDC authenticates to the peer in the AS_REP.

Identifier

The peer authenticates to Identifier field is one octet and MUST match the KDC via Identifier field
from the TGS_REQ.

4. corresponding request.

Length

The KDC authenticates to Length field is two octets and indicates the peer via length of the TGS_REP. The TGS_REP
also provides EAP
packet including the peer with a ticket Code, Identifier, Length, Type, and session-key for use with
the authenticator.

5. Up until this point, the peer has not mutually authenticated with
the authenticator, or exchanged a key with it. As a result, the
peer and authenticator need to conclude an AP_REQ/AP_REP exchange.
This can occur in-band or out-of-band. In the AP-REQ, the peer
authenticates to the authenticator and provides it with a session
key.

6. The authenticator authenticates to the peer using the AP_REP.

3. Detailed description of the EAP-GSS protocol

3.1. EAP GSS Packet Format

A summary of the data
fields.

Type

TBD - EAP GSS Request/Response packet format is shown below.
The fields are transmitted from left to right.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9

Flags

0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier |
+-+-+-+-+-+-+-+-+
|L M S R R R R R|
+-+-+-+-+-+-+-+-+

L = Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Code

1 - Request
2 - Response

Identifier included
M = More fragments
S = EAP-GSS start
R = Reserved

The identifier field L bit (length included) is one set to indicate the presence of the
four octet GSS Message Length field, and aids MUST be set for the first
fragment of a fragmented GSS message or set of messages. The M bit
(more fragments) is set on all but the last fragment. The S bit (EAP-
GSS start) is set in matching responses with
requests. an EAP-GSS Start message. This differentiates
the EAP-GSS Start message from a fragment acknowledgment.

GSS Message Length

The GSS Message Length field is two octets four octets, and indicates the length of is present only if
the EAP
packet including the Code, Identifier, Length, Type, and Data fields.
Octets outside L bit is set. This field provides the range total length of the Length field should be treated as
Data Link Layer padding and should be ignored on reception.

Aboba Experimental [Page 13]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 2001

Type

14 - EAP GSS

Data

The format
message or set of the Data field messages that is determined by the Code field.

3.2. EAP GSS Request Packet

A summary of the EAP being fragmented.

GSS Request packet format is shown below. data

The
fields are transmitted from left to right.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Flags | GSS Message Length
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| GSS Message Length | data consists of the encapsulated GSS Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Code

Identifier

The Identifier field is one octet and aids in matching responses with
requests. The Identifier field MUST be changed on each Request packet.

Length

The Length field

3.4. Fragmentation

It is two octets and indicates possible that EAP-GSS messages may exceed the length of link MTU size, the EAP
maximum RADIUS packet including size of 4096 octets, or even the Code, Identifier, Length, Type, and GSS Response
fields.

Type

? - EAP GSS PPP Multilink

Aboba Experimental [Page 14] 11]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 2001

Flags

0 1 2 3 4 5 6 7 8
+-+-+-+-+-+-+-+-+
|L M S R R R R R|
+-+-+-+-+-+-+-+-+

L = Length included
M = More fragments
S = EAP-GSS start
R = Reserved

The L bit (length included) August 2001

Maximum Received Reconstructed Unit (MRRU). As described in [2], within
PPP the multi-link MRRU is set to indicate negotiated via the presence Multilink MRRU LCP option,
which includes an MRRU length field of the
four octet GSS Message Length field, two octets, and MUST thus can support
MRRUs as large as 64 KB.

In order to protect against reassembly lockup and denial of service
attacks, it may be desirable for an implementation to set a maximum size
for the first
fragment of a fragmented GSS message or set of messages. The M bit
(more fragments) is set on all but the last fragment. The S bit (EAP-
GSS start) is set in an EAP-GSS Start message. This differentiates
the EAP-GSS Start message from GSS-API token. Since a fragment acknowledgment.

GSS Message Length

The GSS Message Length field typical certificate chain is four rarely longer
than a few thousand octets, and is present only if
the L bit is set. This no other field provides the total length is likely to be anywhere
near as long, a reasonable choice of the GSS maximum acceptable message or set of messages that length
might be 64 KB.

If this value is being fragmented.

GSS data

The GSS data consists of the encapsulated GSS packet.

3.3. EAP GSS Response Packet

A summary of chosen, then for PPP links, fragmentation can be
handled via the EAP GSS Response packet format multi-link PPP fragmentation mechanisms described in
[2]. While this is shown below. The
fields are transmitted from left to right.

Code

Aboba Experimental [Page 15]

INTERNET-DRAFT desirable, there may be cases in which multi-link or
the MRRU LCP option cannot be negotiated. Also, since EAP methods must
also be usable within IEEE 802.1X [27], an EAP-GSS implementation MUST
provide its own support for fragmentation and reassembly.

Since EAP GSS Authentication Protocol 1 July 2001

Identifier

The Identifier field is one octet a simple ACK-NAK protocol, fragmentation support can be
added in a simple manner. In EAP, fragments that are lost or damaged in
transit will be retransmitted, and MUST match since sequencing information is
provided by the Identifier field
from the corresponding request.

Length

The Length in EAP, there is no need for a fragment
offset field as is two octets and indicates the length provided in IP.

EAP-GSS fragmentation support is provided through addition of a flags
octet within the EAP
packet including the Code, Identifier, Length, Type, EAP-Response and EAP-Request packets, as well as a GSS data
fields.

Type

TBD - EAP GSS
Message Length field of four octets. Flags

0 1 2 3 4 5 6 7 8
+-+-+-+-+-+-+-+-+
|L M S R R R R R|
+-+-+-+-+-+-+-+-+

L = include the Length included
M =
(L), More fragments
S = (M), and EAP-GSS start
R = Reserved Start (S) bits. The L bit (length included) flag is set
to indicate the presence of the four octet GSS Message Length field, and
MUST be set for the first fragment of a fragmented GSS message or set of
messages. The M bit
(more fragments) flag is set on all but the last fragment. The S bit (EAP-
GSS start) flag is
set in an EAP-GSS Start message. This differentiates only within the EAP-GSS Start start message sent from a fragment acknowledgment.

GSS Message Length the EAP server to
the peer. The GSS Message Length field is four octets, and is present only if
the L bit is set. This field provides the
total length of the GSS
message GSS-API token or set of messages that is being fragmented.

GSS data
fragmented; this simplifies buffer allocation.

When an EAP-GSS peer receives an EAP-Request packet with the M bit set,
it MUST respond with an EAP-Response with EAP-Type=EAP-GSS and no data.
This serves as a fragment ACK. The GSS data consists EAP server MUST wait until it
receives the EAP-Response before sending another fragment. In order to
prevent errors in processing of fragments, the encapsulated GSS packet.

3.4. Fragmentation

It is possible that EAP-GSS messages may exceed EAP server MUST increment
the link MTU size, Identifier field for each fragment contained within an EAP-Request,
and the
maximum RADIUS packet size of 4096 octets, or even peer MUST include this Identifier value in the Multilink fragment ACK
contained within the EAP-Response. Retransmitted fragments will contain
the same Identifier value.

Aboba Experimental [Page 16] 12]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

Maximum Received Reconstructed Unit (MRRU). As described in [2], within
PPP

Similarly, when the multi-link MRRU is negotiated via EAP server receives an EAP-Response with the Multilink MRRU LCP option,
which includes M bit
set, it MUST respond with an MRRU length field of two octets, EAP-Request with EAP-Type=EAP-GSS and thus can support
MRRUs as large no
data. This serves as 64 KB.

In order to protect against reassembly lockup and denial of service
attacks, it may be desirable for an implementation to set a maximum size
for a GSS-API token. Since a typical certificate chain is rarely longer
than a few thousand octets, and no other field is likely fragment ACK. The EAP peer MUST wait until it
receives the EAP-Request before sending another fragment. In order to be anywhere
near as long, a reasonable choice
prevent errors in the processing of maximum acceptable message length
might be 64 KB.

If this fragments, the EAP server MUST use
increment the Identifier value is chosen, then for PPP links, fragmentation can be
handled via each fragment ACK contained within an
EAP-Request, and the multi-link PPP fragmentation mechanisms described in
[2]. While peer MUST include this is desirable, there may be cases Identifier value in which multi-link or the MRRU LCP option cannot be negotiated. Also, since EAP methods must
also be usable
subsequent fragment contained within IEEE 802.1X [27], an EAP-GSS implementation MUST
provide its own support for fragmentation and reassembly.

Since EAP is a simple ACK-NAK protocol, fragmentation support can be
added in a simple manner. EAP-Response.

In EAP, fragments that are lost or damaged in
transit will be retransmitted, and since sequencing information is
provided by the Identifier field in EAP, there is no need for a fragment
offset field as is provided in IP. case where the EAP-GSS authentication is successful, and
fragmentation support is provided through addition of a flags
octet within required, the EAP-Response and EAP-Request packets, as well conversation will appear as a GSS
Message Length field of four octets. Flags include the Length included
(L), More fragments (M), and EAP-GSS Start (S) bits. The L flag follows:

Authenticating Peer NAS
------------------- -------------
EAP-Request/
<- Identity
EAP-Response/
Identity (MyID) ->
EAP-Request/
EAP-Type=EAP-GSS
<-(GSS Start, S bit set)

GSS_Init_sec_context(mutual_req_flag)
returns GSS_S_CONTINUE_NEEDED,
output_token (SPNEGO)

EAP-Response/
EAP-Type=EAP-GSS
output_token ->

GSS_Accept_sec_context(input_token)
returns GSS_S_COMPLETE,
output_token (SPNEGO)

EAP-Request/
EAP-Type=EAP-GSS
output_token
<- (Fragment 1: L, M bits set)
EAP-Response/
EAP-Type=EAP-GSS ->
EAP-Request/
EAP-Type=EAP-GSS
<- (Fragment 2: M bit set)
EAP-Response/
EAP-Type=EAP-GSS ->
EAP-Request/
EAP-Type=EAP-GSS

Aboba Experimental [Page 13]

INTERNET-DRAFT EAP GSS Authentication Protocol 8 August 2001

<- (Fragment 3)

GSS_Init_sec_context(input_token)
returns GSS_S_COMPLETE,
output_token

EAP-Response/
EAP-Type=EAP-GSS
output_token
(Fragment 1:
L, M bits set)->
EAP-Request/
<- EAP-Type=EAP-GSS
EAP-Response/
EAP-Type=EAP-GSS
(Fragment 2)->
<- EAP-Success

3.5. Retry behavior

As with other EAP protocols, the EAP server is set
to indicate responsible for retry
behavior. This means that if the presence of EAP server does not receive a reply
from the four octet GSS Message Length field, and peer, it MUST be set resend the EAP-Request for which it has not yet
received an EAP-Response. However, the peer MUST NOT resend EAP-Response
packets without first fragment of a fragmented GSS message or set of
messages. The M flag is set on all but being prompted by the last fragment. The S flag is
set only within EAP server.

For example, if the initial EAP-GSS start message packet sent from by the EAP server
were to be lost, then the peer. The GSS Message Length field is four octets, peer would not receive this packet, and provides the
total length of would
not respond to it. As a result, the GSS-API token or set of messages that is being
fragmented; this simplifies buffer allocation.

When an EAP-GSS peer receives an EAP-Request start packet with would be resent
by the M bit set, EAP server. Once the peer received the EAP-GSS start packet, it MUST respond with
would send an EAP-Response with EAP-Type=EAP-GSS and no data.
This serves as a fragment ACK. The EAP server MUST wait until it
receives encapsulating the client_hello message. If
the EAP-Response before sending another fragment. In order were to
prevent errors in processing of fragments, be lost, then the EAP server MUST increment would resend the Identifier field for each fragment contained within an EAP-Request,
initial EAP-GSS start, and the peer MUST include would resend the EAP-Response.

As a result, it is possible that a peer will receive duplicate EAP-
Request messages, and may send duplicate EAP-Responses. Both the peer
and the EAP-Server should be engineered to handle this Identifier value possibility.

3.6. Identity verification

As part of the GSS-API conversation, it is possible that the server may
present a certificate to the peer, or that the peer may present a
certificate to the EAP server. If the peer has made a claim of identity
in the fragment ACK
contained within EAP-Response/Identity (MyID) packet, the EAP-Response. Retransmitted fragments EAP server SHOULD
verify that the claimed identity corresponds to the certificate
presented by the peer. Typically this will contain be accomplished either by
placing the same Identifier value. userId within the peer certificate, or by providing a
mapping between the peer certificate and the userId using a directory

Aboba Experimental [Page 17] 14]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

service.

Similarly, when the peer MUST verify the validity of the EAP server receives an EAP-Response with the M bit
set, it MUST respond with an EAP-Request with EAP-Type=EAP-GSS
certificate, and no
data. This serves as a fragment ACK. The SHOULD also examine the EAP peer MUST wait until it
receives server name presented in
the EAP-Request before sending another fragment. In certificate, in order to
prevent errors in the processing of fragments, determine whether the EAP server MUST use
increment the Identifier value for each fragment ACK contained within an
EAP-Request, and the peer MUST include this Identifier value can be
trusted. Please note that in the
subsequent fragment contained within an EAP-Response.

In the case where the EAP-GSS authentication is successful, and
fragmentation is required, the conversation will appear as follows:

Authenticating Peer Authenticator
------------------- -------------
EAP-Request/
<- Identity
EAP-Response/
Identity (MyID) ->
EAP-Request/
EAP-Type=EAP-GSS
<-(GSS Start, S bit set)

GSS_Init_sec_context(mutual_req_flag)
returns GSS_S_CONTINUE_NEEDED,
output_token (SPNEGO)

EAP-Response/
EAP-Type=EAP-GSS
output_token ->

GSS_Accept_sec_context(input_token)
returns GSS_S_COMPLETE,
output_token (SPNEGO)

Aboba Experimental [Page 18]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 2001

<- (Fragment 3)

GSS_Init_sec_context(input_token)
returns GSS_S_COMPLETE,
output_token

EAP-Response/
EAP-Type=EAP-GSS
output_token
(Fragment 1:
L, M bits set)->
EAP-Request/
<- EAP-Type=EAP-GSS
EAP-Response/
EAP-Type=EAP-GSS
(Fragment 2)->
<- EAP-Success

3.5. Retry behavior

As with other EAP protocols, the EAP server authentication is responsible for retry
behavior. This means
remoted that if the EAP server does will not receive a reply
from reside on the peer, it MUST resend same machine as the EAP-Request for which it has not yet
received an EAP-Response. However,
NAS, and therefore the peer MUST NOT resend EAP-Response
packets without first being prompted by name in the EAP server.

For example, if server's certificate cannot be
expected to match that of the initial EAP-GSS start packet sent by the EAP server
were to be lost, then the peer would not receive intended destination. In this packet, and would
not respond to it. As case, a result, the EAP-GSS start packet would more
appropriate test might be resent
by whether the EAP server. Once the peer received the EAP-GSS start packet, it
would send an EAP-Response encapsulating the client_hello message. If server's certificate is signed
by a CA controlling the EAP-Response were to be lost, then intended destination and whether the EAP server would resend the
initial EAP-GSS start, and the peer would resend the EAP-Response.

As a result, it is possible that
exists within a peer will receive duplicate EAP-
Request messages, and may send duplicate EAP-Responses. Both the peer
and target sub-domain.

3.7. Use of addresses

When using EAP-GSS, the EAP-Server should EAP client may not be engineered able to handle this possibility.

3.6. Identity verification

As part of the GSS-API conversation, it is possible that include an address
in an EAP-Response message, since prior to obtaining access the server EAP
client may
present a certificate not have an IP address. This limits effective use of EAP-GSS
to the peer, or GSS-API methods that do not require the peer may present a
certificate to the EAP server. If the peer has made a claim of identity have an IP address
prior to authentication.

The IAKERB GSS-API method can explicitly handle this situation, as
described in [18]. However, where Kerberos V is negotiated [16], [20]
the EAP-Response/Identity (MyID) packet, addresses field of the EAP server AS_REQ and TGS_REQ SHOULD
verify that the claimed identity corresponds to be blank and the certificate
presented by
caddr field of the peer. Typically this will ticket SHOULD also be accomplished either by
placing the userId within the peer certificate, or by providing a
mapping between the peer certificate left blank.

4. References

[1] Simpson, W., Editor, "The Point-to-Point Protocol (PPP)." STD 51,
RFC 1661, July 1994.

[2] Sklower, K., Lloyd, B., McGregor, G., Carr, D., and the userId using a directory T. Coradetti,
"The PPP Multilink Protocol (MP)." RFC 1990, August 1996.

[3] Simpson, W., Editor, "PPP LCP Extensions." RFC 1570, January 1994.

[4] Rivest, R., Dusse, S., "The MD5 Message-Digest Algorithm", RFC
1321, April 1992.

[5] Blunk, L., Vollbrecht, J., "PPP Extensible Authentication Protocol
(EAP)", RFC 2284, March 1998.

[6] Meyer, G., "The PPP Encryption Protocol (ECP)." RFC 1968, June 1996

[7] National Bureau of Standards, "Data Encryption Standard", FIPS PUB
46 (January 1977).

Aboba Experimental [Page 19] 15]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

service.

Similarly, the peer MUST verify the validity

[8] National Bureau of the EAP server
certificate, and SHOULD also examine the EAP server name presented in
the certificate, Standards, "DES Modes of Operation", FIPS PUB 81
(December 1980).

[9] Sklower, K., Meyer, G., "The PPP DES Encryption Protocol, Version 2
(DESE-bis)", RFC 2419, September 1998.

[10] Hummert, K., "The PPP Triple-DES Encryption Protocol (3DESE)", RFC
2420, September 1998.

[11] Bradner, S., "Key words for use in order RFCs to determine whether the EAP server can be
trusted. Please note that in the case where the EAP authentication is
remoted that the Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.

[12] Aboba, B., Simon, S.,"PPP EAP server will not reside on the same machine as the
authenticator, TLS Authentication Protocol", RFC
2716, October 1999.

[13] D. Rand. "The PPP Compression Control Protocol." RFC 1962, Novell,
June 1996.

[14] Myers, J., "Simple Authentication and therefore the name in the EAP server's certificate
cannot be expected to match that of the intended destination. In this
case, a more appropriate test might be whether the EAP server's
certificate is signed by a CA controlling the intended destination Security Layer (SASL)", RFC
2222, October 1997.

[15] Linn, J., "Generic Security Service Application Program Interface,
Version 2", RFC 2743, January 2000.

[16] Kohl, J., Neuman, C., "The Kerberos Network Authentication Service
(V5)", RFC 1510, September 1993.

[17] Neuman, B. C., Ts'o, T., "Kerberos: An Authentication Service for
Computer Networks", IEEE Communications, 32(9):33-38, September
1994.

[18] Swift, M., Trostle, J., Aboba, B., Zorn, G., "Initial
Authentication and Pass Through Authentication Using Kerberos V5
and
whether the EAP server exists within a target sub-domain.

3.7. Use of addresses

When using EAP-GSS, the EAP client may not be able to include an address
in an EAP-Response message, since prior to obtaining access the EAP
client may not have an IP address. The IAKERB GSS-API method can
explicitly handle this, as described (IAKERB)", Internet draft (work in [18]. However, Where Kerberos V
is negotiated [16], progress),
draft-ietf-cat-iakerb-08.txt, August 2001.

[19] Baize, E., Pinkas., D., "The Simple and Protected GSS-API
Negotiation Mechanism", RFC 2478, December 1998.

[20] the addresses field of the AS_REQ Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC 1964,
June 1996.

[21] IEEE Standards for Local and TGS_REQ
SHOULD be blank Metropolitan Area Networks: Overview
and the caddr field of the ticket SHOULD also be left
blank.

3.8. Credential reuse

Note that a peer with valid credentials may reuse those credentials in a
subsequent authentication. For example, a peer initially using the
IAKERB GSS-API method to obtain a TGT Architecture, ANSI/IEEE Std 802, 1990.

[22] ISO/IEC 10038 Information technology - Telecommunications and a ticket to the authenticator
may subsequently reuse that ticket in an AP_REQ/AP_REP exchange that may
occur either in-band (e.g. via use of the Kerberos V GSS-API method) or
out-of-band (e.g. via an 802.1X EAPOL-Key message). Typically in-band
efficiency savings are modest (one round-trip saved using the Kerberos V
GSS-API method versus IAKERB), while savings from out-of-band credential
reuse can be more substantial.

Credential reuse improves efficiency in a number of scenarios. Where
the peer attempts to re-authenticate to an EAP server within a short
period of time, the re-authentication time may be shortened. Also, where
the peer roams to another authenticator willing to accept credentials
from a previous authenticator, fast-handoff may be achieved. Credential
reuse may also prove useful during multi-link authentication.

The decision of whether to attempt to reuse credentials is left up to
the peer, which needs to determine whether credential use is likely to
succeed. The decision may be based on out-of-band
information (such as
probe/response messages exchanged via 802.11 [28], or the time elapsed
since the previous authentication attempt. exchange between systems - Local area networks - Media
Access Control (MAC) Bridges, (also ANSI/IEEE Std 802.1D- 1993),

Aboba Experimental [Page 20] 16]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

If the peer attempts to reuse credentials that are not valid for the
authenticator, then no harm is done. The authenticator will respond with
an error

1993.

[23] ISO/IEC Final CD 15802-3 Information technology - Tele-
communications and the peer can then re-authenticate using the more complete
sequence. For example, after an initial IAKERB authentication, the peer
will have obtained a TGT from the KDC via the AS_REP, information exchange between systems - Local and a ticket to
the authenticator within the TGS_REP. The peer may subsequently attempt
to negotiate the Kerberos V GSS-API method, so
metropolitan area networks - Common specifications - Part 3:Media
Access Control (MAC) bridges, (current draft available as to reuse the
previously obtained credentials. Should a KRB_ERROR be returned by the
authenticator, then the peer can negotiate IAKERB on its next attempt
instead.

Note that IEEE
P802.1D/D15).

[24] IEEE Standards for credential reuse to be possible while roaming, it is
necessary Local and Metropolitan Area Networks: Draft
Standard for authenticators to share the same key Virtual Bridged Local Area Networks, P802.1Q/D8,
January 1998.

[25] ISO/IEC 8802-3 Information technology - Telecommunications and
information exchange between systems - Local and metropolitan area
networks - Common specifications - Part 3: Carrier Sense Multiple
Access with the KDC. If
this is not the case, then peers moving from one authenticator to
another will not be able to reuse authenticator tickets. Similarly, if
the EAP servers are set up in a rotary or made available via a round-
robin technique, then the credentials also may not be reusable, unless
the EAP authentication is remoted to a central authentication server.

3.9. ECP negotiation

ECP, described in [6], supports unprotected cipher-suite negotiations
within PPP Collision Detection (CSMA/CD) Access Method and is thus vulnerable to attack. Since SPNEGO [19] supports
protected cipher-suite negotiation in the case where the negotiated
method provides authentication
Physical Layer Specifications, (also ANSI/IEEE Std 802.3- 1996),
1996.

[26] IEEE Standards for Local and integrity protection, use of SPNEGO
is preferable to ECP. Peers completing the GSS-API SPNEGO negotiation
will typically implicitly select a cipher-suite, which includes key
strength, encryption Metropolitan Area Networks: Demand
Priority Access Method, Physical Layer and hashing methods. As a result, a subsequent
Encryption Control Protocol (ECP) conversation [6], if it occurs, has a
predetermined result.

However, since the ECP-supported ciphersuites may not correspond to the
ciphersuites implicitly negotiated as part of SPNEGO, it may not be
possible for the ECP conversation to verify the ciphersuites implicitly
selected via SPNEGO. Repeater Specification
For example, the ECP methods defined in [9]-[10]
only support DES and 3DES transforms 100 Mb/s Operation, IEEE Std 802.12-1995.

[27] IEEE Standards for confidentiality, Local and do not
support authentication or integrity protection. Thus, there is no
correspondence Metropolitan Area Networks: Port based
Network Access Control, IEEE Std 802.1X-2001, June 2001.

[28] Information technology - Telecommunications and information
exchange between existing ECP methods systems - Local and the ciphersuites
available within GSS-API methods such as Kerberos [16]-[17].

4. References

[1] metropolitan area networks -
Specific Requirements Part 11: Wireless LAN Medium Access Control
(MAC) and Physical Layer (PHY) Specifications, IEEE Std.
802.11-1997, 1997.

[29] Rigney, C., Rubens, A., Simpson, W., Editor, "The Point-to-Point Protocol (PPP)." STD 51, Willens, S., "Remote
Authentication Dial In User Service (RADIUS)", RFC 1661, July 1994.

[2] Sklower, K., Lloyd, B., McGregor, G., Carr, 2865, June 2000.

[30] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

[31] Zorn, G., Mitton, D., and T. Coradetti,
"The PPP Multilink Aboba, B., "RADIUS Accounting Modifications
for Tunnel Protocol (MP)." Support", RFC 1990, August 1996. 2867, June 2000.

[32] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M.,
Goyret, I., "RADIUS Attributes for Tunnel Protocol Support", RFC
2868, June 2000.

[33] Rigney, C., Willats, W., Calhoun, P., "RADIUS Extensions", RFC
2869, June 2000.

Aboba Experimental [Page 21] 17]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

[3] Simpson, W., Editor, "PPP LCP Extensions." RFC 1570, January 1994.

[4] Rivest, R., Dusse, S., "The MD5 Message-Digest Algorithm", RFC
1321, April 1992.

[5] Blunk, L., Vollbrecht, J., "PPP Extensible Authentication Protocol
(EAP)", RFC 2284, March 1998.

[6] Meyer, G., "The PPP Encryption Protocol (ECP)." RFC 1968, June 1996

[7] National Bureau

[34] Wu, T., "A Real-World Analysis of Standards, "Data Encryption Standard", FIPS PUB
46 (January 1977).

[8] National Bureau Kerberos Password Security",
Stanford University Computer Science Department,
http://theory.stanford.edu/~tjw/krbpass.html

[35] Bellovin, S.M., Merritt, M., "Limitations of Standards, "DES Modes the kerberos
authentication system", Proceedings of Operation", FIPS PUB 81
(December 1980).

[9] Sklower, K., Meyer, G., "The PPP DES Encryption Protocol, Version 2
(DESE-bis)", RFC 2419, September 1998.

[10] Hummert, K., the 1991 Winter USENIX
Conference, pp. 253-267, 1991.

[36] Dole, B., Lodin, S., and Spafford, E., "Misplaced trust: Kerberos 4
session keys", Proceedings of the Internet Society Network and
Distributed System Security Symposium, pp. 60-70, March 1997.

[37] Wu, T., "The PPP Triple-DES Encryption Protocol (3DESE)", SRP Authentication and Key Exchange System", RFC
2420, 2945,
September 1998.

[11] Bradner, S., "Key words for use 2000.

[38] Bellovin, S.M., Merritt, M., "Encrypted key exchange: Password-
based protocols secure against dictionary attacks", Proceedings of
the 1992 IEEE Computer Society Conference on Research in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.

[12] Aboba, B., Simon, S.,"PPP EAP TLS Authentication Protocol", RFC
2716, Security
and Privacy, pp. 72-84, 1992.

[39] Jablon, D., "Strong password-only authenticated key exchange",
Computer Communication Review, 26(5):5-26, October 1999.

[13] D. Rand. "The PPP Compression Control Protocol." RFC 1962, Novell,
June 1996.

[14] Myers, J., "Simple Authentication

[40] Jaspan, B., "Dual-workfactor encrypted key exchange: Efficiently
preventing password chaining and dictionary attacks", Proceedings
of the Sixth Annual USENIX Security Layer (SASL)", RFC
2222, October 1997.

[15] Linn, J., "Generic Security Service Application Program Interface,
Version 2", RFC 2743, January 2000.

[16] Kohl, J., Neuman, C., "The Kerberos Network Authentication Service
(V5)", RFC 1510, September 1993.

[17] Neuman, Conference, pp. 43-50, July
1996.

[41] Tung, B. Neuman, C., Ts'o, T., "Kerberos: An Authentication Service for
Computer Networks", IEEE Communications, 32(9):33-38, September
1994.

[18] Swift, Hur, M., Medvinsky, A., Medvinsky, S., Wray,
J., Trostle, J., Aboba, B., Zorn, G., "Initial
Authentication and Pass Through "Public Key Cryptography for Initial
Authentication Using Kerberos V5
and the GSS-API (IAKERB)", Internet draft (work in progress),
draft-ietf-cat-iakerb-07.txt, June Kerberos", draft-ietf-cat-kerberos-pk-
init-13.txt, August 2001.

Aboba Experimental [Page 22]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 2001

[19] Baize, E., Pinkas., D., "The Simple and Protected GSS-API
Negotiation Mechanism", RFC 2478, December 1998.

[20] Linn, J., "The

5. Security Considerations

5.1. Dictionary attacks

As noted in [34]-[36], both Kerberos Version 5 GSS-API Mechanism", RFC 1964,
June 1996.

[21] IEEE Standards IV and V are vulnerable to attack.
These attacks are particularly potent when carried out in a location
where a large number of authentication exchanges can be collected within
a short period of time, such as with wireless LANs deployed in "hot
spots".

As noted in [34], offline dictionary attacks are easily carried out
against the AS_REP, since the key encrypting the enclosed Kerberos
ticket is a function of the password. Such attacks are amenable to
parallelization, and it is therefore possible to crack a large number of
passwords in short time with only modest resources. As noted in [34],

Aboba Experimental [Page 18]

INTERNET-DRAFT EAP GSS Authentication Protocol 8 August 2001

the imposition of a password policy is likely only to decrease the
yield, but given access to sufficient exchanges, large scale password
compromise remains likely.

For this reason, when used on wireless networks, EAP-GSS SHOULD be used
only to negotiate methods thought to be invulnerable to offline
dictionary attacks against the on-the-wire protocol, such as public key
authentication techniques or those described in [37]-[40]. In
particular, Kerberos V without PKINIT [41] SHOULD NOT be used. As noted
in [34], it has been proposed that Kerberos be augmented by utilizing
these methods as part of pre-authentication. Such an enhancement would
be likely to address the vulnerability to dictionary attack.

5.2. Certificate revocation

Since the EAP server is on the Internet during the EAP conversation, the
server is capable of following a certificate chain or verifying whether
the peer's certificate has been revoked. In contrast, the peer may or
may not have Internet connectivity, and thus while it can validate the
EAP server's certificate based on a pre-configured set of CAs, it may
not be able to follow a certificate chain or verify whether the EAP
server's certificate has been revoked.

In the case where the peer is initiating a voluntary Layer 2 tunnel
using PPTP or L2TP, the peer will typically already have a PPP interface
and Internet connectivity established at the time of tunnel initiation.
As a result, during the EAP conversation it is capable of checking for
certificate revocation.

However, in the case where the peer is initiating a connection, it will
not have Internet connectivity and is therefore not capable of checking
for certificate revocation until after the peer has access to the
Internet. In this case, the peer SHOULD check for certificate revocation
after connecting to the Internet.

5.3. Mutual authentication

It is highly recommended that a GSS-API method supporting mutual
authentication be selected during the SPNEGO negotiation. This addresses
vulnerabilities associated with rogue EAP servers, as well as avoiding
vulnerabilities associated with parallel one-way authentications.

5.4. Credential reuse

A peer with valid credentials may reuse those credentials in a
subsequent authentication. Credential reuse improves efficiency in a
number of scenarios. Where the peer attempts to re-authenticate to an
EAP server within a short period of time, the re-authentication time may

Aboba Experimental [Page 19]

INTERNET-DRAFT EAP GSS Authentication Protocol 8 August 2001

be shortened. Also, where the peer roams to another NAS willing to
accept credentials from a previous NAS, fast-handoff may be achieved.
Credential reuse may also prove useful during multi-link authentication.

For example, a peer initially using the IAKERB GSS-API method to obtain
a TGT and a ticket to the NAS may subsequently reuse that ticket in an
AP_REQ/AP_REP exchange that may occur either in-band (e.g. via use of
the Kerberos V GSS-API method) or out-of-band (e.g. via an 802.1X EAPOL-
Key message). Typically in-band efficiency savings are modest (one
round-trip saved using the Kerberos V GSS-API method versus IAKERB),
while savings from out-of-band credential reuse can be more substantial.

The decision of whether to attempt to reuse credentials is left up to
the peer, which needs to determine whether credential use is likely to
succeed. The decision may be based on out-of-band information (such as
probe/response messages exchanged via 802.11 [28]), or the time elapsed
since the previous authentication attempt.

If the peer attempts to reuse credentials that are not valid, then the
NAS will respond with an error and the peer can re-authenticate using
the more complete sequence. For example, after an initial IAKERB
authentication, the peer will have obtained a TGT from the KDC via the
AS_REP, and a ticket to the NAS within the TGS_REP. The peer may
subsequently attempt to negotiate the Kerberos V GSS-API method, so as
to reuse the previously obtained credentials. Should a KRB_ERROR be
returned by the NAS, then the peer can negotiate IAKERB on its next
attempt instead.

Note that credential reuse for the purpose of "fast handoff" has
significant limitations. For example, in order to reuse a Kerberos
ticket on a different NAS, it is necessary for NASes within the same
geographic area to share a key with the KDC. If this is not the case,
then peers moving from one NAS to another will not be able to reuse
credentials. Allowing multiple NASes to share a key with the KDC makes
it more likely that an attacker sniffing the wire will be able to obtain
the NAS key, particularly if the key is derived from a password. Details
are provided within reference [34].

Similarly, if the EAP servers are set up in a rotary or made available
via a round-robin technique, then the credentials also may not be
reusable, unless the EAP authentication is remoted to a central
authentication server.

Furthermore, since existing Kerberos implementations do not include AAA
authorizations within the authorization data field of the Kerberos
ticket [16], even if the credentials can be reused, it may be necessary
for Local the NAS to obtain the authorization information from the AAA server
before the correct session state can be re-established on the new NAS.

Aboba Experimental [Page 20]

INTERNET-DRAFT EAP GSS Authentication Protocol 8 August 2001

If AAA authorizations are not obtained prior to granting access, then
the new NAS could potentially provide the wrong service to the peer. For
example, where Filter-Id [29] or tunnel attributes [32] were
unavailable, a peer might be given unrestricted network access where
this was not intended.

As a result of these considerations, credential reuse for the purpose of
"fast handoff" does not appear to be practical at this time.

5.5. Key management

As a result of the EAP-GSS conversation, the EAP endpoints will mutually
authenticate and Metropolitan Area Networks: Overview derive a session key for subsequent use in PPP or
802.11 WEP [28] encryption. Since the peer and EAP client reside on the
same machine, it is necessary for the EAP client module to pass the
session key to the layer 2 encryption module.

The situation may be more complex on the NAS, which may or may not
reside on the same machine as the EAP server. In the case where the EAP
server and Architecture, ANSI/IEEE Std 802, 1990.

[22] ISO/IEC 10038 Information technology - Telecommunications NAS reside on different machines, there are several
implications for security. Firstly, the mutual authentication defined in
EAP-GSS will occur between the peer and
information exchange the EAP server, not between systems - Local area networks - Media
Access Control (MAC) Bridges, (also ANSI/IEEE Std 802.1D- 1993),
1993.

[23] ISO/IEC Final CD 15802-3 Information technology - Tele-
communications the
peer and information exchange the NAS. This means that as a result of the EAP-GSS
conversation, it is not possible for the peer to validate the identity
of the device that it is speaking to. The second issue is that the
session key negotiated between systems - Local the peer and
metropolitan area networks - Common specifications - Part 3:Media
Access EAP server will need to be
transmitted to the NAS. Both issues can be addressed via addition of a
followon exchange. For example, where the IAKERB GSS-API method is used
for initial authentication, the Kerberos V GSS-API method can be used to
mutually authenticate the peer and NAS and transfer the session key from
the peer to the NAS.

5.6. ECP negotiation

ECP, described in [6], supports unprotected cipher-suite negotiations
within PPP and is thus vulnerable to attack. Since SPNEGO [19] supports
protected cipher-suite negotiation in the case where the negotiated
method provides authentication and integrity protection, use of SPNEGO
is preferable to ECP. Peers completing the GSS-API SPNEGO negotiation
will typically implicitly select a cipher-suite, which includes key
strength, encryption and hashing methods. As a result, a subsequent
Encryption Control (MAC) bridges, (current draft available Protocol (ECP) conversation [6], if it occurs, has a
predetermined result.

However, since the ECP-supported ciphersuites may not correspond to the
ciphersuites implicitly negotiated as IEEE
P802.1D/D15).

[24] IEEE Standards part of SPNEGO, it may not be
possible for Local the ECP conversation to verify the ciphersuites implicitly
selected via SPNEGO. For example, the ECP methods defined in [9]-[10]

Aboba Experimental [Page 21]

INTERNET-DRAFT EAP GSS Authentication Protocol 8 August 2001

only support DES and Metropolitan Area Networks: Draft
Standard 3DES transforms for Virtual Bridged Local Area Networks, P802.1Q/D8,
January 1998.

[25] ISO/IEC 8802-3 Information technology - Telecommunications confidentiality, and
information exchange do not
support authentication or integrity protection. Thus, there is no
correspondence between systems - Local existing ECP methods and metropolitan area
networks - Common specifications the ciphersuites
available within GSS-API methods such as Kerberos [16]-[17].

Aboba Experimental [Page 22]

INTERNET-DRAFT EAP GSS Authentication Protocol 8 August 2001

Appendix A - Part 3: Carrier Sense Multiple
Access Example IAKERB topologies

Where EAP-GSS is used along with Collision Detection (CSMA/CD) Access Method the GSS-API IAKERB [18] or Kerberos V
[20] mechanisms, two major topologies are possible:

RADIUS+KDC backend
Here a RADIUS backend is used, along with a Kerberos KDC backend.
The NAS functions as an EAP-pass-through device, encapsulating EAP
messages received from the peer within RADIUS as described in [33],
and passing them on to the RADIUS server. In turn, the RADIUS
server acts as an IAKERB proxy, de-capsulating EAP-GSS/IAKERB
packets, and passing them on to the Kerberos KDC. In turn, the
RADIUS server will encapsulated packets from the Kerberos KDC in
EAP-GSS/IAKERB and
Physical Layer Specifications, (also ANSI/IEEE Std 802.3- 1996),
1996.

[26] IEEE Standards for Local send this to the NAS. EAP-Message attributes
received from the RADIUS server are de-capsulated by the NAS and Metropolitan Area Networks: Demand
Priority Access Method, Physical Layer
sent to the peer. In this topology, the NAS need not have knowledge
of specific EAP or GSS-API methods, while the RADIUS server does
require this knowledge.

KDC backend
In this topology, only a Kerberos KDC is used as a backend, and Repeater Specification
For 100 Mb/s Operation, IEEE Std 802.12-1995.

[27] IEEE Standards for Local the
NAS functions as an IAKERB proxy, de-capsulating EAP-GSS/IAKERB
messages and Metropolitan Area Networks: Port based
Network Access Control, IEEE Draft 802.1X/D11, March 2001.

[28] Information technology - Telecommunications passing them on to the KDC. Messages from the KDC are
encapsulated within EAP-GSS/IAKERB by the NAS and information
exchange between systems - Local sent to the peer.
In this case, the NAS needs to understand the EAP-GSS, GSS-API
IAKERB, as well as GSS-API Kerberos V mechanisms. In addition,
where the peer already has a valid TGT and metropolitan area networks -
Specific Requirements Part 11: Wireless LAN Medium Access Control
(MAC) ticket to the NAS, it
may choose to use the Kerberos V mechanism within EAP. Note that in
the case of 802.11, the Kerberos AP_REQ/AP_REP messages may be
carried in messages outside the conventional EAP exchange [27] so
that use of the Kerberos V mechanism within EAP is not necessary.

In the examples below, each topology is discussed. While nominally the
EAP conversation occurs between the NAS and Physical Layer (PHY) Specifications, IEEE Std.
802.11-1997, 1997.

[29] Rigney, C., Rubens, A., Simpson, W., Willens, S., "Remote
Authentication Dial the peer, the NAS MAY act as
a pass-through device, with the EAP packets received from the peer being
encapsulated for transmission to a RADIUS server. In User Service (RADIUS)", RFC 2865, June 2000. the discussion
that follows, we will use the term "EAP server" to denote the ultimate
endpoint conversing with the peer.

Aboba Experimental [Page 23]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

[30] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

[31] Zorn, G., Mitton, D., Aboba, B., "RADIUS Accounting Modifications
for Tunnel

A.1 RADIUS+KDC backend

In this topology, the NAS will act as an EAP pass-through, and the
RADIUS server acts as an IAKERB proxy. A successful EAP-GSS/IAKERB
authentication will appear as follows:

Peer NAS RADIUS KDC
------ ------------- --------- ------
EAP/Identity
<-Request

EAP/Identity
Response ->

EAP/Identity
Response ->
Access-Challenge
EAP-GSS Request
<- (Start)

<-EAP-GSS Request(Empty)

EAP-GSS
Response [1]
(SPNEGO) ->

EAP-GSS Response
(SPNEGO) ->
Access-Challenge
EAP-GSS Request
<-(SPNEGO)

EAP-GSS Request
<-(SPNEGO)

EAP-GSS IAKERB
Response [2]
(AS_REQ) ->

EAP-GSS IAKERB
Response
(AS_REQ) ->

AS_REQ ->
<- AS_REP

Access-Challenge
EAP-GSS IAKERB Request

Aboba Experimental [Page 24]

INTERNET-DRAFT EAP GSS Authentication Protocol Support", RFC 2867, June 2000.

[32] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M.,
Goyret, I., "RADIUS Attributes 8 August 2001

<-(AS_REP)

EAP-GSS IAKERB
Request
<-(AS_REP)

EAP-GSS IAKERB
Response [3]
(TGS_REQ) ->

EAP-GSS IAKERB
Response
(TGS_REQ) ->

TGS_REQ ->
<- TGS_REP

Access-Challenge
EAP-GSS IAKERB Request
<-(TGS_REP)
EAP-GSS IAKERB
Request
<-(TGS_REP)

EAP-GSS IAKERB
Response
(Empty) ->

EAP-GSS IAKERB
Response
(Empty) ->
Access-Accept [4]
<- EAP-Success

<- EAP-Success
AP_REQ ->
<- AP_REP [5]

Notes:

1. IAKERB may be requested by the EAP-GSS client without the need for Tunnel Protocol Support", RFC
2868, June 2000.

[33] Rigney, C., Willats, W., Calhoun, P., "RADIUS Extensions", RFC
2869, June 2000.

[34] Wu, T., "A Real-World Analysis of Kerberos Password Security",
Stanford University Computer Science Department,
http://theory.stanford.edu/~tjw/krbpass.html

[35] Bellovin, S.M., Merritt, M., "Limitations of
negotiation, or SPNEGO may be used.

2. The AS_REQ requests a TGT from the kerberos
authentication system", Proceedings of KDC. It may or may not include
PADATA. As a result, the 1991 Winter USENIX
Conference, pp. 253-267, 1991.

[36] Dole, B., Lodin, S., and Spafford, E., "Misplaced trust: Kerberos 4
session keys", Proceedings of AS_REQ may not authenticate the Internet Society Network and
Distributed System Security Symposium, pp. 60-70, March 1997.

[37] Wu, T., "The SRP Authentication and Key Exchange System", RFC 2945,
September 2000.

[38] Bellovin, S.M., Merritt, M., "Encrypted key exchange: Password-
based protocols secure against dictionary attacks", Proceedings of peer to
the 1992 IEEE Computer Society Conference on Research in Security
and Privacy, pp. 72-84, 1992.

[39] Jablon, D., "Strong password-only authenticated key exchange",
Computer Communication Review, 26(5):5-26, October 1996.

[40] Jaspan, B., "Dual-workfactor encrypted key exchange: Efficiently
preventing password chaining and dictionary attacks", Proceedings
of KDC, but the Sixth Annual USENIX Security Conference, pp. 43-50, July
1996.

[41] Tung, B. Neuman, C., Hur, M., Medvinsky, A., Medvinsky, S., Wray,
J., Trostle, J., "Public Key Cryptography for Initial
Authentication in Kerberos", draft-ietf-cat-kerberos-pk-
init-13.txt, August 2001. AS_REP authenticates the KDC to the peer.

Aboba Experimental [Page 24] 25]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

5. Security Considerations

5.1. Dictionary attacks

As noted in [34]-[36], both Kerberos IV and V are vulnerable to
dictionary attack. These attacks are particularly potent when carried
out in a location where a large number of authentication exchanges can
be collected within

3. The TGS_REQ requests a short period of time, such as with wireless LANs
deployed in "hot spots".

As noted in [34], offline dictionary attacks are easily carried out
against ticket to the AS_REP, since NAS service. The ticket is
encrypted with the NAS's key encrypting so that it can only be validated by
the enclosed Kerberos
ticket is NAS.

4. On receiving a function of TGS_REP from the password. Such attacks are amenable to
parallelization, KDC rather than a KRB_ERROR, the
RADIUS server can conclude that the peer has successfully
authenticated, and thus that it is therefore possible appropriate to crack a large number of
passwords in short time reply to the NAS
with only modest resources. As noted in [34], an Access-Accept encapsulating an EAP-Success.

5. The IAKERB exchange ends before the imposition of AP_REQ/AP_REP exchange occurs.
As a password policy is likely only to decrease result, the
yield, but given access to sufficient exchanges, large scale password
compromise remains likely.

For this reason, when used on wireless networks, EAP-GSS SHOULD be used
only to negotiate methods thought to be invulnerable to offline
dictionary attacks against AP_REQ/AP_REP exchange either will not occur
(preventing mutual authentication between peer and NAS or transport
of the on-the-wire protocol, such as public session key
authentication techniques from peer to NAS), will occur out-of-band (e.g.
after access is granted), or those described will occur in [37]-[40]. In
particular, a subsequent EAP-GSS
conversation (e.g. using the GSS-API Kerberos V without PKINIT [41] SHOULD NOT be used. As noted
in [34], it has been proposed that method).

A.2 Kerberos be augmented by utilizing
these methods KDC backend

In this topology, there is no RADIUS server, and the NAS functions as part of pre-authentication. Such an enhancement would
be likely to address the vulnerability
IAKERB proxy, de-capsulating EAP-GSS/IAKERB frames and passing them on
to dictionary attack.

5.2. Certificate revocation

Since the EAP server is on KDC. In turn, packets from the Internet during KDC are are encapsulated in EAP-
GSS/IAKERB frames and sent to the EAP conversation, peer by the
server NAS. Where IAKERB is capable of following a certificate chain or verifying whether
the peer's certificate has been revoked. In contrast,
used, the peer may or
may not have Internet connectivity, NAS functions as an IAKERB proxy, de-capsulating EAP-
GSS/IAKERB messages and thus while it can validate the
EAP server's certificate based passing them on a pre-configured set of CAs, it may
not be able to follow a certificate chain or verify whether the EAP
server's certificate has been revoked. KDC. In the case addition, where
the peer is initiating a voluntary Layer 2 tunnel
using PPTP or L2TP, the peer will typically already have has a PPP interface valid TGT and Internet connectivity established at the time of tunnel initiation.
As a result, during ticket to the EAP conversation NAS, it is capable of checking for
certificate revocation.

However, may choose to
use the Kerberos V mechanism within EAP. Note that in the case where of
802.11, the Kerberos AP_REQ/AP_REP messages are carried in messages
outside the conventional EAP exchange [27] so that use of the peer is initiating a connection, it will
not have Internet connectivity and Kerberos V
mechanism within EAP is therefore not capable of checking
for certificate revocation until after necessary.

In the peer has access Kerberos-only topology, messages from the KDC are encapsulated
within EAP-GSS/IAKERB and sent to the
Internet. peer. In this case, the peer SHOULD check for certificate revocation NAS needs
to understand the EAP-GSS, GSS-API IAKERB, as well as GSS-API Kerberos V
mechanisms.

Aboba Experimental [Page 25] 26]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 8 August 2001

after connecting to the Internet.

5.3. Mutual

A successful EAP-GSS/IAKERB authentication

It is highly recommended that occurring in a GSS-API method supporting mutual
authentication be selected during the SPNEGO negotiation. This addresses
vulnerabilities associated topology with rogue EAP servers, as well
a NAS acting as avoiding
vulnerabilities associated with parallel one-way authentications.

5.4. Key management

As an IAKERB proxy to a result of the EAP-GSS conversation, the EAP endpoints Kerberos KDC will mutually
authenticate and derive a session key for subsequent use in PPP or
802.11 WEP [28] encryption. Since the peer and EAP client reside on the
same machine, it is necessary for the EAP client module to pass the
session key to the layer 2 encryption module.

The situation may be more complex on the authenticator, which may or may appear as
follows:

Peer NAS KDC
------ ------------- ---------
EAP/Identity
<-Request

EAP/Identity
Response ->

<-EAP-GSS Start

EAP-GSS IAKERB
Response [1]
(AS_REQ) ->

AS_REQ ->
<- AS_REP [2]

EAP-GSS IAKERB Request
<-AS_REP)

EAP-GSS IAKERB
Response [3]
(TGS_REQ) ->

TGS_REQ ->

<- TGS_REP [4]

EAP-GSS IAKERB Request
<-(TGS_REP)

EAP-GSS IAKERB
Response
(Empty) ->

<- EAP-Success
AP_REQ [5]->
<- AP_REP [6]
Notes:

1. If PADATA is not reside on the same machine as used in the EAP server. In AS_REQ, then the case where peer does not
authenticate to the KDC.

Aboba Experimental [Page 27]

INTERNET-DRAFT EAP server and authenticator reside on different machines, there are
several implications for security. Firstly, GSS Authentication Protocol 8 August 2001

2. The KDC authenticates to the mutual authentication
defined peer in EAP-GSS will occur between the AS_REP.

3. The peer and authenticates to the EAP server, not
between KDC via the peer and TGS_REQ.

4. The KDC authenticates to the authenticator. This means that as a result of peer via the EAP-GSS conversation, it is not possible for TGS_REP. The TGS_REP
also provides the peer to validate with a ticket and session-key for use with
the identity of NAS.

5. Up until this point, the device that it is speaking to. The second issue is
that peer has not mutually authenticated with
the session NAS, or exchanged a key negotiated between with it. As a result, the peer and EAP server will NAS
need to be transmitted to the authenticator. Both issues can be
addressed via addition of a followon conclude an AP_REQ/AP_REP exchange. For example, where This can occur in-band
or out-of-band. In the
IAKERB GSS-API method is used for initial authentication, AP-REQ, the Kerberos V
GSS-API method can be used peer authenticates to mutually authenticate the peer and
authenticator NAS
and transfer the provides it with a session key from key.

6. The NAS authenticates to the peer to using the
authenticator.

6. AP_REP.

Acknowledgments

Thanks to Terence Spies, Paul Leach, Leach of Microsoft, Glen Zorn of Cisco Systems, and Mike Swift Jesse
Walker of Microsoft Intel for useful discussions of this problem space.

Authors' Addresses

Bernard Aboba
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Phone: +1 (425) 936-6605
EMail: bernarda@microsoft.com

Aboba Experimental [Page 26]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 2001

Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to pertain
to the implementation or use of the technology described in this
document or the extent to which any license under such rights might or
might not be available; neither does it represent that it has made any
effort to identify any such rights. Information on the IETF's
procedures with respect to rights in standards-track and standards-
related documentation can be found in BCP-11. Copies of claims of
rights made available for publication and any assurances of licenses to
be made available, or the result of an attempt made to obtain a general
license or permission for the use of such proprietary rights by
implementors or users of this specification can be obtained from the
IETF Secretariat.

Aboba Experimental [Page 28]

INTERNET-DRAFT EAP GSS Authentication Protocol 8 August 2001

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary rights
which may cover technology that may be required to practice this
standard. Please address the information to the IETF Executive
Director.

Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it or
assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are included
on all such copies and derivative works. However, this document itself
may not be modified in any way, such as by removing the copyright notice
or references to the Internet Society or other Internet organizations,
except as needed for the purpose of developing Internet standards in
which case the procedures for copyrights defined in the Internet
Standards process must be followed, or as required to translate it into
languages other than English. The limited permissions granted above are
perpetual and will not be revoked by the Internet Society or its
successors or assigns. This document and the information contained
herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."

Aboba Experimental [Page 27]

INTERNET-DRAFT EAP GSS Authentication Protocol 1 July 2001

Expiration Date

This memo is filed as <draft-aboba-pppext-eapgss-04.txt>, <draft-aboba-pppext-eapgss-05.txt>, and expires
January
February 15, 2002.

Aboba Experimental [Page 28] 29]

----