1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
|
<pre>Internet Engineering Task Force (IETF) M. Cullen
Request for Comments: 7652 S. Hartman
Updates: <a href="./rfc6887">6887</a> Painless Security
Category: Standards Track D. Zhang
ISSN: 2070-1721
T. Reddy
Cisco
September 2015
<span class="h1">Port Control Protocol (PCP) Authentication Mechanism</span>
Abstract
An IPv4 or IPv6 host can use the Port Control Protocol (PCP) to
flexibly manage the IP address-mapping and port-mapping information
on Network Address Translators (NATs) or firewalls to facilitate
communication with remote hosts. However, the uncontrolled
generation or deletion of IP address mappings on such network devices
may cause security risks and should be avoided. In some cases, the
client may need to prove that it is authorized to modify, create, or
delete PCP mappings. This document describes an in-band
authentication mechanism for PCP that can be used in those cases.
The Extensible Authentication Protocol (EAP) is used to perform
authentication between PCP devices.
This document updates <a href="./rfc6887">RFC 6887</a>.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc7652">http://www.rfc-editor.org/info/rfc7652</a>.
<span class="grey">Cullen, et al. Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
<span class="grey">Cullen, et al. Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-2">2</a>. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-3">3</a>. Protocol Details . . . . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-3.1">3.1</a>. Session Initiation . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-3.1.1">3.1.1</a>. Authentication Triggered by the Client . . . . . . . <a href="#page-6">6</a>
<a href="#section-3.1.2">3.1.2</a>. Authentication Triggered by the Server . . . . . . . <a href="#page-7">7</a>
<a href="#section-3.1.3">3.1.3</a>. Authentication Using EAP . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-3.2">3.2</a>. Recovery from Lost PA Session . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-3.3">3.3</a>. Session Termination . . . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-3.4">3.4</a>. Session Re-authentication . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-4">4</a>. PA Security Association . . . . . . . . . . . . . . . . . . . <a href="#page-12">12</a>
<a href="#section-5">5</a>. Packet Format . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-5.1">5.1</a>. Packet Format of PCP Auth Messages . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-5.2">5.2</a>. Opcode-Specific Information of AUTHENTICATION Opcode . . <a href="#page-16">16</a>
<a href="#section-5.3">5.3</a>. NONCE Option . . . . . . . . . . . . . . . . . . . . . . <a href="#page-16">16</a>
<a href="#section-5.4">5.4</a>. AUTHENTICATION_TAG Option . . . . . . . . . . . . . . . . <a href="#page-17">17</a>
<a href="#section-5.5">5.5</a>. PA_AUTHENTICATION_TAG Option . . . . . . . . . . . . . . <a href="#page-18">18</a>
<a href="#section-5.6">5.6</a>. EAP_PAYLOAD Option . . . . . . . . . . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-5.7">5.7</a>. PRF Option . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-5.8">5.8</a>. MAC_ALGORITHM Option . . . . . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-5.9">5.9</a>. SESSION_LIFETIME Option . . . . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-5.10">5.10</a>. RECEIVED_PAK Option . . . . . . . . . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-5.11">5.11</a>. ID_INDICATOR Option . . . . . . . . . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-6">6</a>. Processing Rules . . . . . . . . . . . . . . . . . . . . . . <a href="#page-22">22</a>
<a href="#section-6.1">6.1</a>. Authentication Data Generation . . . . . . . . . . . . . <a href="#page-22">22</a>
<a href="#section-6.2">6.2</a>. Authentication Data Validation . . . . . . . . . . . . . <a href="#page-23">23</a>
<a href="#section-6.3">6.3</a>. Retransmission Policies for PA Messages . . . . . . . . . <a href="#page-24">24</a>
<a href="#section-6.4">6.4</a>. Sequence Numbers for PCP Auth Messages . . . . . . . . . <a href="#page-25">25</a>
<a href="#section-6.5">6.5</a>. Sequence Numbers for Common PCP Messages . . . . . . . . <a href="#page-26">26</a>
<a href="#section-6.6">6.6</a>. MTU Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-26">26</a>
<a href="#section-7">7</a>. IANA Considerations . . . . . . . . . . . . . . . . . . . . . <a href="#page-27">27</a>
<a href="#section-7.1">7.1</a>. NONCE . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-28">28</a>
<a href="#section-7.2">7.2</a>. AUTHENTICATION_TAG . . . . . . . . . . . . . . . . . . . <a href="#page-28">28</a>
<a href="#section-7.3">7.3</a>. PA_AUTHENTICATION_TAG . . . . . . . . . . . . . . . . . . <a href="#page-29">29</a>
<a href="#section-7.4">7.4</a>. EAP_PAYLOAD . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-29">29</a>
<a href="#section-7.5">7.5</a>. PRF . . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-29">29</a>
<a href="#section-7.6">7.6</a>. MAC_ALGORITHM . . . . . . . . . . . . . . . . . . . . . . <a href="#page-30">30</a>
<a href="#section-7.7">7.7</a>. SESSION_LIFETIME . . . . . . . . . . . . . . . . . . . . <a href="#page-30">30</a>
<a href="#section-7.8">7.8</a>. RECEIVED_PAK . . . . . . . . . . . . . . . . . . . . . . <a href="#page-30">30</a>
<a href="#section-7.9">7.9</a>. ID_INDICATOR . . . . . . . . . . . . . . . . . . . . . . <a href="#page-31">31</a>
<a href="#section-8">8</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-31">31</a>
<a href="#section-9">9</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-32">32</a>
<a href="#section-9.1">9.1</a>. Normative References . . . . . . . . . . . . . . . . . . <a href="#page-32">32</a>
<a href="#section-9.2">9.2</a>. Informative References . . . . . . . . . . . . . . . . . <a href="#page-33">33</a>
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-33">33</a>
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-34">34</a>
<span class="grey">Cullen, et al. Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
Using the Port Control Protocol (PCP) [<a href="./rfc6887" title=""Port Control Protocol (PCP)"">RFC6887</a>], an application can
flexibly manage the IP address-mapping information on its network
address translators (NATs) and firewalls and can control their
policies in processing incoming and outgoing IP packets. Because
NATs and firewalls both play important roles in network security
architectures, there are many situations in which authentication and
access control are required to prevent unauthorized users from
accessing such devices. This document defines a PCP security
extension that enables PCP servers to authenticate their clients with
the Extensible Authentication Protocol (EAP). The EAP messages are
encapsulated within PCP messages during transmission.
The following issues are considered in the design of this extension:
o Loss of EAP messages during transmission.
o Reordered delivery of EAP messages.
o Generation of transport keys.
o Integrity protection and data origin authentication for
PCP messages.
o Algorithm agility.
The mechanism described in this document meets the security
requirements to address the Advanced Threat Model described in the
base PCP specification [<a href="./rfc6887" title=""Port Control Protocol (PCP)"">RFC6887</a>]. This mechanism can be used to
secure PCP in the following situations:
o On security infrastructure equipment, such as corporate firewalls,
that does not create implicit mappings for specific traffic.
o On equipment (such as Carrier-Grade NATs (CGNs) or service
provider firewalls) that serves multiple administrative domains
and do not have a mechanism to securely partition traffic from
those domains.
o For any implementation that wants to be more permissive in
authorizing applications to create mappings for successful inbound
communications destined to machines located behind a NAT or a
firewall.
<span class="grey">Cullen, et al. Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Terminology</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <a href="./rfc2119">RFC 2119</a> [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
Most of the terms used in this document are introduced in [<a href="./rfc6887" title=""Port Control Protocol (PCP)"">RFC6887</a>].
PCP client: A PCP software instance that is responsible for issuing
PCP requests to a PCP server. In this document, a PCP client is also
an EAP peer [<a href="./rfc3748" title=""Extensible Authentication Protocol (EAP)"">RFC3748</a>], and it is the responsibility of a PCP client
to provide the credentials when authentication is required.
PCP server: A PCP software instance that resides on the
PCP-controlled device that receives PCP requests from the PCP client
and creates appropriate state in response to that request. In this
document, a PCP server is integrated with an EAP authenticator
[<a href="./rfc3748" title=""Extensible Authentication Protocol (EAP)"">RFC3748</a>]. Therefore, when necessary, a PCP server can verify the
credentials provided by a PCP client and make an access control
decision based on the authentication result.
PCP-Authentication (PA) session: A series of PCP message exchanges
transferred between a PCP client and a PCP server. The PCP messages
that are part of a given session include the PA messages used to
perform EAP authentication, key distribution, and session management,
as well as the common PCP messages secured with the keys distributed
during authentication. Each PA session is assigned a distinctive
Session ID.
Session partner: A PCP implementation involved in a PA session. Each
PA session has two session partners (a PCP server and a PCP client).
PCP device: A PCP client or a PCP server.
Session lifetime: The lifetime associated with a PA session. The
session lifetime of the PA session decides the lifetime of the
current authorization given to the PCP client.
PA Security Association (PCP SA): An association formed between a
PCP client and a PCP server by sharing cryptographic keying material
and associated context. The formed duplex security association is
used to protect the bidirectional PCP signaling traffic between the
PCP client and PCP server.
Master Session Key (MSK): A key derived by the partners of a
PA session, using an EAP key-generating method (e.g., the method
defined in [<a href="./rfc5448" title=""Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA')"">RFC5448</a>]).
<span class="grey">Cullen, et al. Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
PCP-Authentication (PA) message: A PCP message containing an
AUTHENTICATION Opcode. Specifically, a PA message sent from a
PCP server to a PCP client is referred to as a PA-Server message,
while a PA message sent from a PCP client to a PCP server is referred
to as a PA-Client message. Therefore, a PA-Server message is
actually a PCP response message as specified in [<a href="./rfc6887" title=""Port Control Protocol (PCP)"">RFC6887</a>], and a
PA-Client message is a PCP request message. This document specifies
an option -- the PA_AUTHENTICATION_TAG option defined in <a href="#section-5.5">Section 5.5</a>
for PCP authentication -- to provide integrity protection and message
origin authentication for PA messages.
Common PCP message: A PCP message that does not contain an
AUTHENTICATION Opcode. This document specifies an AUTHENTICATION_TAG
option to provide integrity protection and message origin
authentication for the common PCP messages.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Protocol Details</span>
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Session Initiation</span>
At the beginning of a PA session, a PCP client and a PCP server need
to exchange a series of PA messages in order to perform an EAP
authentication process. Each PA message MUST contain an
AUTHENTICATION Opcode and may optionally contain a set of options for
various purposes (e.g., transporting authentication messages and
session management). The Opcode-specific information in an
AUTHENTICATION Opcode consists of two fields: Session ID and Sequence
Number. The Session ID field is used to identify the PA session to
which the message belongs. The Sequence Number field is used to
detect whether reordering or duplication occurred during message
delivery.
<span class="h4"><a class="selflink" id="section-3.1.1" href="#section-3.1.1">3.1.1</a>. Authentication Triggered by the Client</span>
When a PCP client intends to proactively initiate a PA session with a
PCP server, it sends a PA-Initiation message (a PA-Client message
with the result code INITIATION) to the PCP server. <a href="#section-5.1">Section 5.1</a>
updates the PCP request message format with result codes for the PCP
authentication mechanism. In the Opcode-specific information of the
message, the Session ID and Sequence Number fields are set to zero.
The PA-Client message MUST also contain a NONCE option (defined in
<a href="#section-5.3">Section 5.3</a>) that consists of a random nonce.
After receiving the PA-Initiation message, if the PCP server agrees
to initiate a PA session with the PCP client, it will reply with a
PA-Server message that contains an EAP request, and the Result Code
field of this PA-Server message is set to AUTHENTICATION_REQUEST. In
addition, the server MUST assign a unique session identifier to
<span class="grey">Cullen, et al. Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
distinctly identify this session and insert the identifier into the
Session ID field in the Opcode-specific information of the PA-Server
message. The Sequence Number field of the message is set to zero.
The PA-Server message MUST contain a NONCE option so as to send the
nonce value back. The nonce will then be used by the PCP client to
check the freshness of this message. Subsequent PCP messages within
this PA session MUST contain this session identifier.
PCP PCP
client server
|-- PA-Initiation ------------------------------->|
| (Seq=0, rc=INITIATION, Session ID=0) |
| |
|<-- PA-Server -----------------------------------|
| (Seq=0, Session ID=X, EAP request, |
| rc=AUTHENTICATION_REQUEST) |
| |
|-- PA-Client ----------------------------------->|
| (Seq=1, Session ID=X, EAP response, |
| rc=AUTHENTICATION_REPLY) |
| |
|<-- PA-Server -----------------------------------|
| (Seq=1, Session ID=X, EAP request, |
| rc=AUTHENTICATION_REQUEST) |
<span class="h4"><a class="selflink" id="section-3.1.2" href="#section-3.1.2">3.1.2</a>. Authentication Triggered by the Server</span>
In the scenario where a PCP server receives a common PCP request
message from a PCP client that needs to be authenticated, the
PCP server rejects the request with an AUTHENTICATION_REQUIRED error
code and can reply with an unsolicited PA-Server message to initiate
a PA session. The Result Code field of this PA-Server message is set
to AUTHENTICATION_REQUEST. In addition, the PCP server MUST assign a
Session ID for the session and transfer it within the PA-Server
message. The Sequence Number field in the PA-Server message is set
to zero. If the PCP client retries the common request before EAP
authentication is successful, then it will receive an
AUTHENTICATION_REQUIRED error code from the PCP server. In
subsequent PA messages exchanged during this session, the Session ID
will be used in order to help session partners distinguish the
messages within this session from those not within it. When the
PCP client receives this initial PA-Server message from the
PCP server, it can reply with a PA-Client message or silently discard
the request message, according to its local policies. In the
PA-Client message, a NONCE option that consists of a random nonce MAY
be appended. If so, in the next PA-Server message, the PCP server
MUST forward the nonce back within a NONCE option.
<span class="grey">Cullen, et al. Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
PCP PCP
client server
|-- Common PCP request -------------------------->|
| |
|<- Common PCP response --------------------------|
| (rc=AUTHENTICATION_REQUIRED) |
| |
|<-- PA-Server -----------------------------------|
| (Seq=0, Session ID=X, EAP request, |
| rc=AUTHENTICATION_REQUEST) |
| |
|-- PA-Client ----------------------------------->|
| (Seq=0, Session ID=X, EAP response, |
| rc=AUTHENTICATION_REPLY) |
| |
|<-- PA-Server -----------------------------------|
| (Seq=1, Session ID=X, EAP request, |
| rc=AUTHENTICATION_REQUEST) |
<span class="h4"><a class="selflink" id="section-3.1.3" href="#section-3.1.3">3.1.3</a>. Authentication Using EAP</span>
In a PA session, an EAP request message is transported within a
PA-Server message and an EAP response message is transported within a
PA-Client message. EAP relies on the underlying protocol to provide
reliable transmission; any reordered delivery or loss of packets
occurring during transmission must be detected and addressed.
Therefore, after sending out a PA-Server message, the PCP server will
not send a new PA-Server message in the same PA session until it
receives a PA-Client message with a proper sequence number from the
PCP client, and vice versa. If a PCP client receives a PA message
containing an EAP request and for some reason cannot generate an EAP
response immediately (e.g., waiting for human input in order to
construct an EAP message, or waiting for the additional PA messages
in order to assemble a complete EAP message from fragmented packets),
the PCP device MUST reply with a PA-Acknowledgement message (a
PA message with a RECEIVED_PAK option) to indicate that the message
has been received. This approach not only can avoid unnecessary
retransmission of the PA message but also can guarantee reliable
message delivery in conditions where a PCP device needs to receive
multiple PA messages carrying the fragmented EAP request before
generating an EAP response. The number of EAP messages exchanged
between the PCP client and PCP server depends on the EAP method used
for authentication.
In this approach, a PCP client and a PCP server MUST perform a
key-generating EAP method in authentication. Specifically, a PCP
authentication implementation MUST support Extensible Authentication
Protocol Tunneled Transport Layer Security (EAP-TTLS) [<a href="./rfc5281" title=""Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0)"">RFC5281</a>] and
<span class="grey">Cullen, et al. Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
SHOULD support the Tunnel Extensible Authentication Protocol (TEAP)
[<a href="./rfc7170" title=""Tunnel Extensible Authentication Protocol (TEAP) Version 1"">RFC7170</a>]. Therefore, after a successful authentication procedure, a
Master Session Key (MSK) will be generated. If the PCP client and
the PCP server want to generate a transport key using the MSK, they
need to agree upon a Pseudorandom Function (PRF) for the transport
key derivation and a Message Authentication Code (MAC) algorithm to
provide data origin authentication for subsequent PCP messages. In
order to do this, the PCP server needs to append a set of PRF options
and MAC_ALGORITHM options to the initial PA-Server message. Each PRF
option contains a PRF that the PCP server supports, and each
MAC_ALGORITHM option contains a MAC algorithm that the PCP server
supports. Moreover, in the first PA-Server message, the server MAY
also attach an ID_INDICATOR option (defined in <a href="#section-5.11">Section 5.11</a>) to
direct the client to choose correct credentials. After receiving the
options, the PCP client MUST select the PRF and the MAC algorithm
that it would like to use; it then MUST add the associated PRF and
MAC Algorithm options to the next PA-Client message.
After the EAP authentication, the PCP server sends out a PA-Server
message to indicate the EAP authentication and PCP authorization
results. If the EAP authentication succeeds, the result code of the
PA-Server message is AUTHENTICATION_SUCCEEDED. In this case, before
sending out the PA-Server message, the PCP server MUST update the
PCP SA with the MSK and transport key and MUST use the derived
transport key to generate a digest for the message. The digest is
transported within a PA_AUTHENTICATION_TAG option for PCP Auth. A
more detailed description of generating the authentication data can
be found in <a href="#section-6.1">Section 6.1</a>. In addition, the PA-Server message MUST
also contain a SESSION_LIFETIME option (defined in <a href="#section-5.9">Section 5.9</a>) that
indicates the lifetime of the PA session (i.e., the lifetime of the
MSK). After receiving the PA-Server message, the PCP client then
needs to generate a PA-Client message in response. If the PCP client
also authenticates the PCP server, the result code of the PA-Client
message is AUTHENTICATION_SUCCEEDED. In addition, the PCP client
needs to update the PCP SA with the MSK and transport key, and it
uses the derived transport key to secure the message. From then on,
all the PCP messages within the session are secured with the
transport key and the MAC algorithm specified in the PCP SA. The
first secure PA-Client message from the client MUST include the set
of PRF and MAC_ALGORITHM options received from the PCP server. The
PCP server determines if the set of algorithms conveyed by the client
matches the set it had initially sent, to detect an algorithm
downgrade attack. If the server detects a downgrade attack, then it
MUST send a PA-Server message with result code
DOWNGRADE_ATTACK_DETECTED and terminate the session. If the
PCP client sends a common PCP request within the PA session without
an AUTHENTICATION_TAG option, then the PCP server rejects the request
by returning an AUTHENTICATION_REQUIRED error code.
<span class="grey">Cullen, et al. Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
If a PCP client/server cannot authenticate its session partner, the
device sends out a PA message with the result code
AUTHENTICATION_FAILED. If the EAP authentication succeeds but
authorization fails, the device making the decision sends out a
PA message with the result code AUTHORIZATION_FAILED. In these two
cases, after the PA message is sent out, the PA session MUST be
terminated immediately. It is possible for independent PCP clients
on the host to create multiple PA sessions with the PCP server.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Recovery from Lost PA Session</span>
If a PCP server resets or loses the PCP SA due to reboot, power
failure, or any other reason, then it sends an unsolicited ANNOUNCE
response, as explained in <a href="./rfc6887#section-14.1.3">Section 14.1.3 of [RFC6887]</a>, to the
PCP client. Upon receiving the ANNOUNCE response with an anomalous
Epoch Time, the PCP client deduces that the server may have lost
state. The ANNOUNCE is either bogus (an attack), legitimate, or not
seen by the client. These three cases are described below:
o The PCP client sends an integrity-protected unicast ANNOUNCE
request to the PCP server to see whether the PCP server has indeed
lost state or an attacker has sent the ANNOUNCE response.
* If an integrity-protected success response is received from the
PCP server, then the PCP client determines that the PCP server
has not lost the PA session, and the unsolicited ANNOUNCE
response was sent by an attacker.
* If the PCP server responds to the ANNOUNCE request with an
UNKNOWN_SESSION_ID error code, then the PCP client MUST
initiate full EAP authentication with the PCP server, as
explained in <a href="#section-3.1.1">Section 3.1.1</a>. After EAP authentication is
successful, the PCP client updates the PCP SA and issues new
common PCP requests to recreate any lost mapping state.
o In a scenario where the PCP server has lost the PCP SA but did not
inform the PCP client, if the PCP client sends an integrity-
protected PCP request, then the PCP server rejects the request
with an UNKNOWN_SESSION_ID error code. The PCP client then
initiates full EAP authentication with the PCP server, as
explained in <a href="#section-3.1.1">Section 3.1.1</a>, and updates the PCP SA after
successful authentication.
If the PCP client resets or loses the PCP SA due to reboot, power
failure, or any other reason and sends a common PCP request, then the
PCP server rejects the request with an AUTHENTICATION_REQUIRED error
code. The PCP client MUST authenticate with the PCP server and,
after EAP authentication is successful, retry the common PCP request
<span class="grey">Cullen, et al. Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
with an AUTHENTICATION_TAG option. The PCP server MUST update the
PCP SA after successful EAP authentication.
<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. Session Termination</span>
A PA session can be explicitly terminated by either session partner.
A PCP server may explicitly request termination of the session by
sending an unsolicited termination-indicating PA response (a
PA response with a result code of SESSION_TERMINATED). Upon
receiving a termination-indicating message, the PCP client MUST
respond with a termination-indicating PA message and MUST then remove
the associated PCP SA. To accommodate packet loss, the PCP server
MAY transmit the termination-indicating PA response up to ten times
(with an appropriate Epoch Time value in each to reflect the passage
of time between transmissions), provided that (1) the interval
between the first two notifications is at least 250 ms and (2) each
interval between subsequent notifications at least doubles.
A PCP client may explicitly request termination of the session by
sending a termination-indicating PA request (a PA request with a
result code of SESSION_TERMINATED). After receiving a termination-
indicating message from the PCP client, a PCP server MUST respond
with a termination-indicating PA message and remove the PCP SA
immediately. When the PCP client receives the termination-indicating
PA response, it MUST remove the associated PCP SA immediately.
<span class="h3"><a class="selflink" id="section-3.4" href="#section-3.4">3.4</a>. Session Re-authentication</span>
A session partner may choose to perform EAP re-authentication if it
would like to update the PCP SA without initiating a new PA session.
For example, a re-authentication procedure could be triggered for the
following reasons:
o The session lifetime needs to be extended.
o The sequence number is going to reach the maximum value.
Specifically, when the sequence number reaches 2**32 - 2**16, the
session partner MUST trigger re-authentication.
When the PCP server would like to initiate a re-authentication, it
sends the PCP client a PA-Server message. The result code of the
message is set to RE-AUTHENTICATION, which indicates that the message
is for a re-authentication process. If the PCP client would like to
start the re-authentication, it will send a PA-Client message to the
PCP server, with the result code of the PA-Client message set to
RE-AUTHENTICATION. Then, the session partners exchange PA messages
to transfer EAP messages for the re-authentication. During the
re-authentication procedure, the session partners protect the
<span class="grey">Cullen, et al. Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
integrity of PA messages with the key and MAC algorithm specified in
the current PCP SA; the sequence numbers associated with the message
will continue to keep increasing as specified in <a href="#section-6.4">Section 6.4</a>. The
result code for a PA-Server message carrying an EAP request will be
set to AUTHENTICATION_REQUIRED, and a PA-Client message carrying an
EAP response will be set to AUTHENTICATION_REPLY.
If the EAP re-authentication succeeds, the result code of the last
PA-Server message is AUTHENTICATION_SUCCEEDED. In this case, before
sending out the PA-Server message, the PCP server MUST update the SA
and use the new key to generate a digest for the PA-Server message
and subsequent PCP messages. In addition, the PA-Server message MUST
be appended with a SESSION_LIFETIME option that indicates the new
lifetime of the PA session. PA and PCP message sequence numbers must
also be reset to zero.
If the EAP authentication fails, the result code of the last
PA-Server message is AUTHENTICATION_FAILED. If the EAP
authentication succeeds but authorization fails, the result code of
the last PA-Server message is AUTHORIZATION_FAILED. In the latter
two cases, the PA session MUST be terminated immediately after the
last PA message exchange. If for some unknown reason
re-authentication is not performed and the session lifetime has
expired, then the PA session MUST be terminated immediately.
During re-authentication, the session partners can also exchange
common PCP messages in parallel. The common PCP messages MUST be
protected with the current SA until the new SA has been generated.
The sequence of EAP messages exchanged for re-authentication will not
change, regardless of the PCP device triggering re-authentication.
If the PCP server receives a re-authentication request from the
PCP client after the PCP server itself had sent a re-authentication
request, then it should discard its request and respond to the
re-authentication request from the PCP client.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. PA Security Association</span>
At the beginning of a new PA session, each PCP device must create and
initialize state information for a new PA Security Association
(PCP SA) to maintain its state information for the duration of the
PA session. The parameters of a PCP SA are as follows:
o IP address and UDP port number of the PCP client.
o IP address and UDP port number of the PCP server.
o Session identifier.
<span class="grey">Cullen, et al. Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
o Sequence number for the next outgoing PA message.
o Sequence number for the next incoming PA message.
o Sequence number for the next outgoing common PCP message.
o Sequence number for the next incoming common PCP message.
o Last outgoing message payload.
o Retransmission interval.
o The Master Session Key (MSK) generated by the EAP method.
o The MAC algorithm that the transport key should use to generate
digests for PCP messages.
o The pseudorandom function negotiated in the initial PA-Server and
PA-Client message exchange for the transport key derivation.
o The transport key derived from the MSK to provide integrity
protection and data origin authentication for the messages in the
PA session. The lifetime of the transport key SHOULD be identical
to the lifetime of the session.
o The nonce selected by the PCP client at the initiation of the
session.
o The key ID associated with the transport key.
Specifically, the transport key is computed in the following way:
transport key = prf(MSK, "IETF PCP" || Session ID || Nonce ||
key ID), where:
o prf is the pseudorandom function assigned in the PRF option
(<a href="#section-5.7">Section 5.7</a>).
o MSK is the master session key generated by the EAP method.
o "IETF PCP" is the ASCII code representation of the
non-null-terminated string (excluding the double quotes
around it).
o '||' is the concatenation operator.
o Session ID is the ID of the session from which the MSK is derived.
<span class="grey">Cullen, et al. Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
o Nonce is the nonce selected by the client and transported in the
initial PA-Client message.
o Key ID is the ID assigned for the transport key.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Packet Format</span>
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Packet Format of PCP Auth Messages</span>
The format of the PA-Server message is identical to the response
message format specified in <a href="./rfc6887#section-7.2">Section 7.2 of [RFC6887]</a>. The result
code for a PA-Server message carrying an EAP request MUST be set to
AUTHENTICATION_REQUEST.
This document updates the Reserved field (see Figure 1) in the
Request header specified in <a href="./rfc6887#section-7.1">Section 7.1 of [RFC6887]</a> to carry
Opcode-specific data.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Version = 2 |R| Opcode | Reserved |Opcode-specific|
| | | | | data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Requested Lifetime (32 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| PCP Client's IP Address (128 bits) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: :
: Opcode-specific information :
: :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: :
: (optional) PCP Options :
: :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: Request Packet Format
<span class="grey">Cullen, et al. Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
The PA-Client messages (as shown in Figure 2) use the Request header
specified in Figure 1. The Opcode-specific data is used to transfer
the result codes (e.g., INITIATION, AUTHENTICATION_FAILED). Other
fields in Figure 2 are described in <a href="./rfc6887#section-7.1">Section 7.1 of [RFC6887]</a>. The
result code for a PA-Client message carrying an EAP response MUST be
set to AUTHENTICATION_REPLY.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Version = 2 |R| Opcode | Reserved | Result Code |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Requested Lifetime (32 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| PCP Client's IP Address (128 bits) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: :
: Opcode-specific information :
: :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: :
: (optional) PCP Options :
: :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: PA-Client Message Format
The Requested Lifetime field of a PA-Client message and the Lifetime
field of a PA-Server message are both set to zero on transmission and
ignored on reception.
<span class="grey">Cullen, et al. Standards Track [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Opcode-Specific Information of AUTHENTICATION Opcode</span>
The following diagram shows the format of the Opcode-specific
information for the AUTHENTICATION Opcode.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Session ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Session ID: This field contains a 32-bit PA session identifier.
Sequence Number: This field contains a 32-bit sequence number. A
sequence number needs to be incremented on every new
(non-retransmission) outgoing PA message in order to provide an
ordering guarantee for PA messages.
<span class="h3"><a class="selflink" id="section-5.3" href="#section-5.3">5.3</a>. NONCE Option</span>
Because the session identifier of a PA session is determined by the
PCP server, a PCP client does not know the session identifier that
will be used when it sends out a PA-Initiation message. In order to
prevent an attacker from interrupting the authentication process by
sending spoofed PA-Server messages, the PCP client needs to generate
a random number as a nonce in the PA-Initiation message. The
PCP server will append the nonce within the initial PA-Server
message. If the PA-Server message does not carry the correct nonce,
the message MUST be silently discarded.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code | Reserved | Option-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Option Code: 4.
Reserved: 8 bits. MUST be set to zero on transmission and MUST be
ignored on reception.
Option-Length: 4 octets.
<span class="grey">Cullen, et al. Standards Track [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
Nonce: A random 32-bit number that is transported within a
PA-Initiation message and the corresponding reply message from the
PCP server.
<span class="h3"><a class="selflink" id="section-5.4" href="#section-5.4">5.4</a>. AUTHENTICATION_TAG Option</span>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code | Reserved | Option-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Session ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Key ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Authentication Data (Variable) |
~ ~
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Because there is no authentication Opcode in common PCP messages, the
authentication tag for common PCP messages needs to carry the
Session ID and Sequence Number.
Option Code: 5.
Reserved: 8 bits. MUST be set to zero on transmission and MUST be
ignored on reception.
Option-Length: The length of the AUTHENTICATION_TAG option for the
common PCP message (in octets), including the 12-octet
fixed-length header and the variable-length authentication data.
Session ID: A 32-bit field used to identify the session to which
the message belongs and identify the secret key used to create the
message digest appended to the PCP message.
Sequence Number: A 32-bit sequence number. In this option, a
sequence number needs to be incremented on every new
(non-retransmission) outgoing common PCP message in order to
provide an ordering guarantee for common PCP messages.
<span class="grey">Cullen, et al. Standards Track [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
Key ID: The ID associated with the transport key used to generate
authentication data. This field is filled with zeros if the MSK
is directly used to secure the message.
Authentication Data: A variable-length field that carries the
Message Authentication Code for the common PCP message. The
generation of the digest varies according to the algorithms
specified in different PCP SAs. This field MUST end on a 32-bit
boundary, padded with zeros when necessary.
<span class="h3"><a class="selflink" id="section-5.5" href="#section-5.5">5.5</a>. PA_AUTHENTICATION_TAG Option</span>
This option is used to provide message authentication for
PA messages. In contrast to the AUTHENTICATION_TAG option for common
PCP messages, the Session ID field and the Sequence Number field are
removed because such information is provided in the Opcode-specific
information of the AUTHENTICATION Opcode.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code | Reserved | Option-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Key ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Authentication Data (Variable) |
~ ~
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Option Code: 6.
Reserved: 8 bits. MUST be set to zero on transmission and MUST be
ignored on reception.
Option-Length: The length of the PA_AUTHENTICATION option for the
PCP Auth message (in octets), including the 4-octet fixed-length
header and the variable-length authentication data.
Key ID: The ID associated with the transport key used to generate
authentication data. This field is filled with zeros if the MSK
is directly used to secure the message.
Authentication Data: A variable-length field that carries the
Message Authentication Code for the PCP Auth message. The
generation of the digest varies according to the algorithms
<span class="grey">Cullen, et al. Standards Track [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
specified in different PCP SAs. This field MUST end on a 32-bit
boundary, padded with null characters when necessary.
<span class="h3"><a class="selflink" id="section-5.6" href="#section-5.6">5.6</a>. EAP_PAYLOAD Option</span>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code | Reserved | Option-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| EAP Message |
~ ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Option Code: 7.
Reserved: 8 bits. MUST be set to zero on transmission and MUST be
ignored on reception.
Option-Length: Variable.
EAP Message: The EAP message transferred. Note that this field
MUST end on a 32-bit boundary, padded with zeros when necessary.
<span class="h3"><a class="selflink" id="section-5.7" href="#section-5.7">5.7</a>. PRF Option</span>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code | Reserved | Option-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PRF |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Option Code: 8.
Reserved: 8 bits. MUST be set to zero on transmission and MUST be
ignored on reception.
Option-Length: 4 octets.
PRF: The pseudorandom function that the sender supports to
generate an MSK. This field contains a value indicating Internet
Key Exchange Protocol version 2 (IKEv2) Transform Type 2 [<a href="./rfc7296" title=""Internet Key Exchange Protocol Version 2 (IKEv2)"">RFC7296</a>]
[<a href="./rfc4868" title=""Using HMAC-SHA-256, HMAC-SHA- 384, and HMAC-SHA-512 with IPsec"">RFC4868</a>]. A PCP implementation MUST support PRF_HMAC_SHA2_256
(transform ID = 5).
<span class="grey">Cullen, et al. Standards Track [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
<span class="h3"><a class="selflink" id="section-5.8" href="#section-5.8">5.8</a>. MAC_ALGORITHM Option</span>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code | Reserved | Option-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| MAC Algorithm ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Option Code: 9.
Reserved: 8 bits. MUST be set to zero on transmission and MUST be
ignored on reception.
Option-Length: 4 octets.
MAC Algorithm ID: Indicates the MAC algorithm that the sender
supports to generate authentication data. The MAC Algorithm ID
field contains a value indicating IKEv2 Transform Type 3 [<a href="./rfc7296" title=""Internet Key Exchange Protocol Version 2 (IKEv2)"">RFC7296</a>]
[<a href="./rfc4868" title=""Using HMAC-SHA-256, HMAC-SHA- 384, and HMAC-SHA-512 with IPsec"">RFC4868</a>]. A PCP implementation MUST support
AUTH_HMAC_SHA2_256_128 (transform ID = 12).
<span class="h3"><a class="selflink" id="section-5.9" href="#section-5.9">5.9</a>. SESSION_LIFETIME Option</span>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code | Reserved | Option-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Session Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Option Code: 10.
Reserved: 8 bits. MUST be set to zero on transmission and MUST be
ignored on reception.
Option-Length: 4 octets.
Session Lifetime: An unsigned 32-bit integer, in seconds, ranging
from 0 to 2^32-1 seconds. The lifetime of the PA session, which
is decided by the authorization result.
<span class="grey">Cullen, et al. Standards Track [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
<span class="h3"><a class="selflink" id="section-5.10" href="#section-5.10">5.10</a>. RECEIVED_PAK Option</span>
This option is used in a PA-Acknowledgement message to indicate that
a PA message with the contained sequence number has been received.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code | Reserved | Option-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Received Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Option Code: 11.
Reserved: 8 bits. MUST be set to zero on transmission and MUST be
ignored on reception.
Option-Length: 4 octets.
Received Sequence Number: The sequence number of the last received
PA message.
<span class="h3"><a class="selflink" id="section-5.11" href="#section-5.11">5.11</a>. ID_INDICATOR Option</span>
The ID_INDICATOR option is used by the PCP client to determine which
credentials to provide to the PCP server.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code | Reserved | Option-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| ID Indicator |
~ ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Option Code: 12.
Reserved: 8 bits. MUST be set to zero on transmission and MUST be
ignored on reception.
Option-Length: Variable.
ID Indicator: The identity of the authority that issued the EAP
credentials to be used to authenticate the client. The field
<span class="grey">Cullen, et al. Standards Track [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
MUST NOT be null terminated, and its length is indicated by the
Option-Length field. In particular, when a client receives an
ID_INDICATOR option, it MUST NOT rely on the presence of a null
character in the wire format data to identify the end of the
ID Indicator field.
The field MUST end on a 32-bit boundary, padded with zeros when
necessary. The ID Indicator field is a UTF-8 encoded [<a href="./rfc3629" title=""UTF-8, a transformation format of ISO 10646"">RFC3629</a>]
Unicode string conforming to the UsernameCaseMapped profile of the
PRECIS IdentifierClass [<a href="./rfc7613" title=""Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords"">RFC7613</a>]. The PCP client validates that
the ID Indicator field conforms to the UsernameCaseMapped profile
of the PRECIS IdentifierClass. The PCP client enforces the rules
specified in <a href="./rfc7613#section-3.2.2">Section 3.2.2 of [RFC7613]</a> to map the ID Indicator
field. The PCP client compares the resulting string with the ID
indicators stored locally on the PCP client to pick the
credentials for authentication. The two indicator strings are to
be considered equivalent by the client if and only if they are an
exact octet-for-octet match.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Processing Rules</span>
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Authentication Data Generation</span>
After a successful EAP authentication process, every subsequent
PCP message within the PA session MUST carry an authentication tag
that contains the digest of the PCP message for data origin
authentication and integrity protection.
o Before generating a digest for a PA message, a device needs to
first locate the PCP SA according to the session identifier and
then get the transport key. Then, the device appends a
PA_AUTHENTICATION_TAG option for PCP Auth at the end of the
PCP Auth message. The length of the Authentication Data field is
decided by the MAC algorithm adopted in the session. The device
then fills the Key ID field with the key ID of the transport key
and sets the Authentication Data field to zero. After this, the
device generates a digest for the entire PCP message (including
the PCP header and PA_AUTHENTICATION_TAG option) using the
transport key and the associated MAC algorithm, and inserts the
generated digest into the Authentication Data field.
o Similar to generating a digest for a PA message, before generating
a digest for a common PCP message, a device needs to first locate
the PCP SA according to the session identifier and then get the
transport key. Then, the device appends the AUTHENTICATION_TAG
option at the end of the common PCP message. The length of the
Authentication Data field is decided by the MAC algorithm adopted
in the session. The device then uses the corresponding values
<span class="grey">Cullen, et al. Standards Track [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
derived from the SA to fill the Session ID field, the Sequence
Number field, and the Key ID field, and sets the Authentication
Data field to zero. After this, the device generates a digest for
the entire PCP message (including the PCP header and
AUTHENTICATION_TAG option) using the transport key and the
associated MAC algorithm, and inserts the generated digest into
the Authentication Data field.
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Authentication Data Validation</span>
When a device receives a common PCP message with an
AUTHENTICATION_TAG option for common PCP messages, the device needs
to use the Session ID transported in the option to locate the proper
SA and then find the associated transport key (using the key ID in
the option) and the MAC algorithm. If no proper SA or transport key
is found or the sequence number is invalid (see <a href="#section-6.5">Section 6.5</a>), the PCP
device stops processing the PCP message and silently discards the
message. After storing the value of the Authentication field of the
AUTHENTICATION_TAG option, the device fills the Authentication field
with zeros. Then, the device generates a digest for the message
(including the PCP header and AUTHENTICATION_TAG option) with the
transport key and the MAC algorithm. If the value of the newly
generated digest is identical to the stored one, the device can
ensure that the message has not been tampered with, and the
validation succeeds. Otherwise, the PCP device stops processing the
PCP message and silently discards the message.
Similarly, when a device receives a PA message with a
PA_AUTHENTICATION_TAG option for PCP authentication, the device needs
to use the Session ID transported in the Opcode to locate the proper
SA and then find the associated transport key (using the key ID in
the option) and the MAC algorithm. If no proper SA or transport key
is found or the sequence number is invalid (see <a href="#section-6.4">Section 6.4</a>), the PCP
device stops processing the PCP message and silently discards the
message. After storing the value of the Authentication field of the
PA_AUTHENTICATION_TAG option, the device fills the Authentication
field with zeros. Then, the device generates a digest for the
message (including the PCP header and PA_AUTHENTICATION_TAG option)
with the transport key and the MAC algorithm. If the value of the
newly generated digest is identical to the stored one, the device can
ensure that the message has not been tampered with, and the
validation succeeds. Otherwise, the PCP device stops processing the
PCP message and silently discards the message.
<span class="grey">Cullen, et al. Standards Track [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
<span class="h3"><a class="selflink" id="section-6.3" href="#section-6.3">6.3</a>. Retransmission Policies for PA Messages</span>
Because EAP relies on the underlying protocols to provide reliable
transmission, after sending a PA message, a PCP client/server
MUST NOT send out any subsequent messages until it has received a
PA message with a proper sequence number from the peer. If no such
message is received, the PCP device will resend the last message
according to retransmission policies. This specification uses the
retransmission policies specified in <a href="#section-8.1.1">Section 8.1.1</a> of the base PCP
specification [<a href="./rfc6887" title=""Port Control Protocol (PCP)"">RFC6887</a>]. In base PCP, such retransmission policies
are only applied by PCP clients. However, in this specification,
such retransmission policies are also applied by the PCP servers. If
the "maximum retransmission" duration (in seconds) has elapsed and no
expected response is received, the device will terminate the session
and discard the current SA.
As discussed in <a href="#section-3.1.3">Section 3.1.3</a>, in order to avoid unnecessary
retransmission, the device receiving a PA message MUST send a
PA-Acknowledgement message to the sender of the PA message when it
cannot send a PA response immediately. The PA-Acknowledgement
message is used to indicate the receipt of the PA message. When the
sender receives the PA-Acknowledgement message, it will stop the
retransmission.
Note that the last PA messages transported within the phases of
session initiation, session re-authentication, and session
termination do not have to follow the above policies, since the
devices sending out those messages do not expect any further
PA messages.
When a device receives a retransmitted last incoming PA message from
its session partner, it MUST try to answer it by sending the last
outgoing PA message again. However, if the duplicate message has the
same sequence number but is not bitwise identical to the original
message, then the device MUST discard it. In order to perform this
function, the device may need to maintain the last incoming message
and the associated outgoing messages. In this case, if no outgoing
PA message has been generated for the received duplicate PA message
yet, the device needs to send a PA-Acknowledgement message. The rate
of replying to duplicate PA messages MUST be limited to provide
robustness against denial-of-service (DoS) attacks. The details of
rate limiting are outside the scope of this specification.
<span class="grey">Cullen, et al. Standards Track [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
<span class="h3"><a class="selflink" id="section-6.4" href="#section-6.4">6.4</a>. Sequence Numbers for PCP Auth Messages</span>
PCP uses UDP to transport signaling messages. As an unreliable
transport protocol, UDP does not guarantee ordered packet delivery
and does not provide any protection from packet loss. In order to
ensure that the EAP messages are exchanged in a reliable way, every
PCP message exchanged during EAP authentication must carry a
monotonically increasing sequence number. During a PA session, a PCP
device needs to maintain two sequence numbers for PA messages: one
for incoming PA messages and one for outgoing PA messages. When
generating an outgoing PA message, the device adds the associated
outgoing sequence number to the message and increments the sequence
number maintained in the SA by 1. When receiving a PA message from
its session partner, the device will not accept it if the sequence
number carried in the message does not match the incoming sequence
number maintained in the device. After confirming that the received
message is valid, the device increments the incoming sequence number
maintained in the SA by 1.
The above rules are not applicable to PA-Acknowledgement messages
(i.e., PA messages containing a RECEIVED_PAK option). A
PA-Acknowledgement message does not transport any EAP message and
only indicates that a PA message is received. Therefore, reliable
transmission of PA-Acknowledgement messages is not required. For
instance, after sending out a PA-Acknowledgement message, a device
generates an EAP response. In this case, the device does not have to
confirm whether the PA-Acknowledgement message has been received by
its session partner or not. Therefore, when receiving or sending out
a PA-Acknowledgement message, the device MUST NOT increase the
corresponding sequence number stored in the SA. Otherwise, loss of a
PA-Acknowledgement message will cause a mismatch in sequence numbers.
Another exception is the message retransmission scenario. As
discussed in <a href="#section-6.3">Section 6.3</a>, when a PCP device does not receive any
response from its session partner, it needs to retransmit the last
outgoing PA message, following the retransmission procedure specified
in <a href="./rfc6887#section-8.1.1">Section 8.1.1 of [RFC6887]</a>. The original message and duplicate
messages MUST be bitwise identical. When the device receives such a
duplicate PA message from its session partner, it MUST send the last
outgoing PA message again. In such cases, the maintained incoming
and outgoing sequence numbers will not be affected by the message
retransmission.
<span class="grey">Cullen, et al. Standards Track [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
<span class="h3"><a class="selflink" id="section-6.5" href="#section-6.5">6.5</a>. Sequence Numbers for Common PCP Messages</span>
When transporting common PCP messages within a PA session, a PCP
device needs to maintain a sequence number for outgoing common
PCP messages and a sequence number for incoming common PCP messages.
When generating a new outgoing PCP message, the PCP device updates
the Sequence Number field in the AUTHENTICATION_TAG option with the
outgoing sequence number maintained in the SA and increments the
outgoing sequence number by 1.
When receiving a PCP message from its session partner, the PCP device
will not accept it if the sequence number carried in the message is
smaller than the incoming sequence number maintained in the device.
This approach can protect the PCP device from replay attacks. After
confirming that the received message is valid, the PCP device will
update the incoming sequence number maintained in the PCP SA with the
sequence number of the incoming message.
Note that the sequence number in the incoming message may not exactly
match the incoming sequence number maintained locally. As discussed
in the base PCP specification [<a href="./rfc6887" title=""Port Control Protocol (PCP)"">RFC6887</a>], if a PCP client is no longer
interested in the PCP transaction and has not yet received a
PCP response from the server, then it will stop retransmitting the
PCP request. After that, the PCP client might generate new
PCP requests for other purposes, using the current SA. In this case,
the sequence number in the new request will be larger than the
sequence number in the old request and so will be larger than the
incoming sequence number maintained in the PCP server.
Note that, as discussed in the base PCP specification [<a href="./rfc6887" title=""Port Control Protocol (PCP)"">RFC6887</a>], a
PCP client needs to select a nonce in each MAP or PEER request, and
the nonce is sent back in the response. However, it is possible for
a client to use the same nonce in multiple MAP or PEER requests, and
this may cause a potential risk of replay attacks. This attack is
addressed by using the sequence number in the PCP response.
<span class="h3"><a class="selflink" id="section-6.6" href="#section-6.6">6.6</a>. MTU Considerations</span>
EAP methods are responsible for MTU handling, so no special
facilities are required in PCP to deal with MTU issues.
Specifically, EAP lower layers indicate to EAP methods and
Authentication, Authorization, and Accounting (AAA) servers the MTU
of the lower layer. EAP methods such as EAP-TLS [<a href="./rfc5216" title=""The EAP-TLS Authentication Protocol"">RFC5216</a>], TEAP
[<a href="./rfc7170" title=""Tunnel Extensible Authentication Protocol (TEAP) Version 1"">RFC7170</a>], and others that are likely to exceed reasonable MTUs
provide support for fragmentation and reassembly. Others, such as
EAP - Generalized Pre-Shared Key (EAP-GPSK) [<a href="./rfc5433" title=""Extensible Authentication Protocol - Generalized Pre-Shared Key (EAP-GPSK) Method"">RFC5433</a>], assume that
they will never send packets larger than the MTU and use small EAP
packets.
<span class="grey">Cullen, et al. Standards Track [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
If an EAP message is too long to be transported within a single
PA message, it will be divided into multiple sections and sent within
different PA messages. Note that the receiver may not be able to
know what to do in the next step until it has received all the
sections and reconstructed the complete EAP message. In this case,
in order to guarantee reliable message transmission, after receiving
a PA message, the receiver replies with a PA-Acknowledgement message
to notify the sender to send the next PA message.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. IANA Considerations</span>
The following PCP Opcode has been allocated from the Standards Action
range of the "PCP Opcodes" registry (which is maintained in
<<a href="http://www.iana.org/assignments/pcp-parameters">http://www.iana.org/assignments/pcp-parameters</a>>):
3 AUTHENTICATION.
The following PCP result codes have been allocated from the Standards
Action range of the "PCP Result Codes" registry (which is maintained
in <<a href="http://www.iana.org/assignments/pcp-parameters">http://www.iana.org/assignments/pcp-parameters</a>>):
14 INITIATION: The client includes this PCP result code in its
request to the server for authentication.
15 AUTHENTICATION_REQUIRED: This error response is sent to the
client if EAP authentication is required.
16 AUTHENTICATION_FAILED: This error response is sent to the
client if EAP authentication failed.
17 AUTHENTICATION_SUCCEEDED: This success response is sent to the
client if EAP authentication succeeded.
18 AUTHORIZATION_FAILED: This error response is sent to the client
if EAP authentication succeeded but authorization failed.
19 SESSION_TERMINATED: This PCP result code indicates to the
partner that the PA session must be terminated.
20 UNKNOWN_SESSION_ID: This error response is sent from the
PCP server if there is no known PA session associated with the
Session ID sent in the PA request or common PCP request from the
PCP client.
21 DOWNGRADE_ATTACK_DETECTED: This PCP result code indicates to
the client that the server detected a downgrade attack.
<span class="grey">Cullen, et al. Standards Track [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
22 AUTHENTICATION_REQUEST: The server indicates to the client that
the PA message contains an EAP request.
23 AUTHENTICATION_REPLY: The client indicates to the server that
the PA message contains an EAP response.
The following PCP options have been allocated from the Standards
Action range (the registry for PCP options is maintained in
<<a href="http://www.iana.org/assignments/pcp-parameters">http://www.iana.org/assignments/pcp-parameters</a>>):
<span class="h3"><a class="selflink" id="section-7.1" href="#section-7.1">7.1</a>. NONCE</span>
Name: NONCE.
Value: 4.
Purpose: See <a href="#section-5.3">Section 5.3</a>.
Valid for Opcodes: AUTHENTICATION.
Length: 4 octets.
May appear in: Request and response.
Maximum occurrences: 1.
<span class="h3"><a class="selflink" id="section-7.2" href="#section-7.2">7.2</a>. AUTHENTICATION_TAG</span>
Name: AUTHENTICATION_TAG.
Value: 5.
Purpose: See <a href="#section-5.4">Section 5.4</a>.
Valid for Opcodes: MAP, PEER, ANNOUNCE.
Length: variable.
May appear in: Request and response.
Maximum occurrences: 1.
<span class="grey">Cullen, et al. Standards Track [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
<span class="h3"><a class="selflink" id="section-7.3" href="#section-7.3">7.3</a>. PA_AUTHENTICATION_TAG</span>
Name: PA_AUTHENTICATION_TAG.
Value: 6.
Purpose: See <a href="#section-5.5">Section 5.5</a>.
Valid for Opcodes: AUTHENTICATION.
Length: variable.
May appear in: Request and response.
Maximum occurrences: 1.
<span class="h3"><a class="selflink" id="section-7.4" href="#section-7.4">7.4</a>. EAP_PAYLOAD</span>
Name: EAP_PAYLOAD.
Value: 7.
Purpose: See <a href="#section-5.6">Section 5.6</a>.
Valid for Opcodes: AUTHENTICATION.
Length: variable.
May appear in: Request and response.
Maximum occurrences: 1.
<span class="h3"><a class="selflink" id="section-7.5" href="#section-7.5">7.5</a>. PRF</span>
Name: PRF.
Value: 8.
Purpose: See <a href="#section-5.7">Section 5.7</a>.
Valid for Opcodes: AUTHENTICATION.
Length: 4 octets.
May appear in: Request and response.
Maximum occurrences: as many as fit within maximum PCP message size.
<span class="grey">Cullen, et al. Standards Track [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
<span class="h3"><a class="selflink" id="section-7.6" href="#section-7.6">7.6</a>. MAC_ALGORITHM</span>
Name: MAC_ALGORITHM.
Value: 9.
Purpose: See <a href="#section-5.8">Section 5.8</a>.
Valid for Opcodes: AUTHENTICATION.
Length: 4 octets.
May appear in: Request and response.
Maximum occurrences: as many as fit within maximum PCP message size.
<span class="h3"><a class="selflink" id="section-7.7" href="#section-7.7">7.7</a>. SESSION_LIFETIME</span>
Name: SESSION_LIFETIME.
Value: 10.
Purpose: See <a href="#section-5.9">Section 5.9</a>.
Valid for Opcodes: AUTHENTICATION
Length: 4 octets.
May appear in: Response.
Maximum occurrences: 1.
<span class="h3"><a class="selflink" id="section-7.8" href="#section-7.8">7.8</a>. RECEIVED_PAK</span>
Name: RECEIVED_PAK.
Value: 11.
Purpose: See <a href="#section-5.10">Section 5.10</a>.
Valid for Opcodes: AUTHENTICATION.
Length: 4 octets.
May appear in: Request and response.
Maximum occurrences: 1.
<span class="grey">Cullen, et al. Standards Track [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
<span class="h3"><a class="selflink" id="section-7.9" href="#section-7.9">7.9</a>. ID_INDICATOR</span>
Name: ID_INDICATOR.
Value: 12.
Purpose: See <a href="#section-5.11">Section 5.11</a>.
Valid for Opcodes: AUTHENTICATION.
Length: variable.
May appear in: Response.
Maximum occurrences: 1.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Security Considerations</span>
As described in this specification, after a successful EAP
authentication process is performed between two PCP devices, an MSK
will be exported. The MSK will be used to derive the transport keys
to generate MAC digests for subsequent PCP message exchanges.
However, before a transport key has been generated, the PA messages
exchanged within a PA session have little cryptographic protection,
and if there is no already-established security channel between two
session partners, these messages are subject to man-in-the-middle
attacks and DoS attacks. For instance, the initial PA-Server and
PA-Client message exchange is vulnerable to spoofing attacks, as
these messages are not authenticated and integrity protected. In
addition, because the PRF and MAC algorithms are transported at this
stage, an attacker may try to remove the PRF and MAC options
containing strong algorithms from the initial PA-Server message and
force the client to choose the weakest algorithms. Therefore, the
server needs to guarantee that all the PRF and MAC algorithms for
which it provides support are strong enough.
In order to prevent very basic DoS attacks, a PCP device SHOULD
generate state information as little as possible in the initial
PA-Server and PA-Client message exchanges. The choice of EAP method
is also very important. The selected EAP method must (1) be
resilient to attacks that are possible in an insecure network
environment, (2) provide user-identity confidentiality and protection
against dictionary attacks, and (3) support session-key
establishment.
When a PCP proxy [<a href="./rfc7648" title=""Port Control Protocol (PCP) Proxy Function"">RFC7648</a>] is located between a PCP server and
PCP clients, the proxy may perform authentication with the PCP server
before it processes requests from the clients. In addition,
<span class="grey">Cullen, et al. Standards Track [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
re-authentication between the PCP proxy and PCP server will not
interrupt the service that the proxy provides to the clients, since
the proxy is still allowed to send common PCP messages to the
PCP server during that period.
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. References</span>
<span class="h3"><a class="selflink" id="section-9.1" href="#section-9.1">9.1</a>. Normative References</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>,
DOI 10.17487/RFC2119, March 1997,
<<a href="http://www.rfc-editor.org/info/rfc2119">http://www.rfc-editor.org/info/rfc2119</a>>.
[<a id="ref-RFC3629">RFC3629</a>] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, <a href="./rfc3629">RFC 3629</a>, DOI 10.17487/RFC3629, November
2003, <<a href="http://www.rfc-editor.org/info/rfc3629">http://www.rfc-editor.org/info/rfc3629</a>>.
[<a id="ref-RFC3748">RFC3748</a>] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, Ed., "Extensible Authentication Protocol
(EAP)", <a href="./rfc3748">RFC 3748</a>, DOI 10.17487/RFC3748, June 2004,
<<a href="http://www.rfc-editor.org/info/rfc3748">http://www.rfc-editor.org/info/rfc3748</a>>.
[<a id="ref-RFC4868">RFC4868</a>] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-
384, and HMAC-SHA-512 with IPsec", <a href="./rfc4868">RFC 4868</a>,
DOI 10.17487/RFC4868, May 2007,
<<a href="http://www.rfc-editor.org/info/rfc4868">http://www.rfc-editor.org/info/rfc4868</a>>.
[<a id="ref-RFC5281">RFC5281</a>] Funk, P. and S. Blake-Wilson, "Extensible Authentication
Protocol Tunneled Transport Layer Security Authenticated
Protocol Version 0 (EAP-TTLSv0)", <a href="./rfc5281">RFC 5281</a>,
DOI 10.17487/RFC5281, August 2008,
<<a href="http://www.rfc-editor.org/info/rfc5281">http://www.rfc-editor.org/info/rfc5281</a>>.
[<a id="ref-RFC6887">RFC6887</a>] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
P. Selkirk, "Port Control Protocol (PCP)", <a href="./rfc6887">RFC 6887</a>,
DOI 10.17487/RFC6887, April 2013,
<<a href="http://www.rfc-editor.org/info/rfc6887">http://www.rfc-editor.org/info/rfc6887</a>>.
[<a id="ref-RFC7170">RFC7170</a>] Zhou, H., Cam-Winget, N., Salowey, J., and S. Hanna,
"Tunnel Extensible Authentication Protocol (TEAP) Version
1", <a href="./rfc7170">RFC 7170</a>, DOI 10.17487/RFC7170, May 2014,
<<a href="http://www.rfc-editor.org/info/rfc7170">http://www.rfc-editor.org/info/rfc7170</a>>.
[<a id="ref-RFC7296">RFC7296</a>] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", STD 79, <a href="./rfc7296">RFC 7296</a>, DOI 10.17487/RFC7296, October
2014, <<a href="http://www.rfc-editor.org/info/rfc7296">http://www.rfc-editor.org/info/rfc7296</a>>.
<span class="grey">Cullen, et al. Standards Track [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
[<a id="ref-RFC7613">RFC7613</a>] Saint-Andre, P. and A. Melnikov, "Preparation,
Enforcement, and Comparison of Internationalized Strings
Representing Usernames and Passwords", <a href="./rfc7613">RFC 7613</a>,
DOI 10.17487/RFC7613, August 2015,
<<a href="http://www.rfc-editor.org/info/rfc7613">http://www.rfc-editor.org/info/rfc7613</a>>.
[<a id="ref-RFC7648">RFC7648</a>] Perreault, S., Boucadair, M., Penno, R., Wing, D., and S.
Cheshire, "Port Control Protocol (PCP) Proxy Function",
<a href="./rfc7648">RFC 7648</a>, DOI 10.17487/RFC7648, September 2015,
<<a href="http://www.rfc-editor.org/info/rfc7648">http://www.rfc-editor.org/info/rfc7648</a>>.
<span class="h3"><a class="selflink" id="section-9.2" href="#section-9.2">9.2</a>. Informative References</span>
[<a id="ref-RFC5216">RFC5216</a>] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS
Authentication Protocol", <a href="./rfc5216">RFC 5216</a>, DOI 10.17487/RFC5216,
March 2008, <<a href="http://www.rfc-editor.org/info/rfc5216">http://www.rfc-editor.org/info/rfc5216</a>>.
[<a id="ref-RFC5433">RFC5433</a>] Clancy, T. and H. Tschofenig, "Extensible Authentication
Protocol - Generalized Pre-Shared Key (EAP-GPSK) Method",
<a href="./rfc5433">RFC 5433</a>, DOI 10.17487/RFC5433, February 2009,
<<a href="http://www.rfc-editor.org/info/rfc5433">http://www.rfc-editor.org/info/rfc5433</a>>.
[<a id="ref-RFC5448">RFC5448</a>] Arkko, J., Lehtovirta, V., and P. Eronen, "Improved
Extensible Authentication Protocol Method for 3rd
Generation Authentication and Key Agreement (EAP-AKA')",
<a href="./rfc5448">RFC 5448</a>, DOI 10.17487/RFC5448, May 2009,
<<a href="http://www.rfc-editor.org/info/rfc5448">http://www.rfc-editor.org/info/rfc5448</a>>.
Acknowledgements
Thanks to Dan Wing, Prashanth Patil, Dave Thaler, Peter Saint-Andre,
Carlos Pignataro, Brian Haberman, Paul Kyzivat, Jouni Korhonen,
Stephen Farrell, and Terry Manderson for their valuable comments.
<span class="grey">Cullen, et al. Standards Track [Page 33]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-34" ></span>
<span class="grey"><a href="./rfc7652">RFC 7652</a> PCP Authentication September 2015</span>
Authors' Addresses
Margaret Cullen
Painless Security
356 Abbott Street
North Andover, MA 01845
United States
Phone: +1 781 405 7464
Email: margaret@painless-security.com
URI: <a href="http://www.painless-security.com">http://www.painless-security.com</a>
Sam Hartman
Painless Security
356 Abbott Street
North Andover, MA 01845
United States
Email: hartmans@painless-security.com
URI: <a href="http://www.painless-security.com">http://www.painless-security.com</a>
Dacheng Zhang
Beijing, China
China
Email: zhang_dacheng@hotmail.com
Tirumaleswar Reddy
Cisco Systems, Inc.
Cessna Business Park, Varthur Hobli
Sarjapur Marathalli Outer Ring Road
Bangalore, Karnataka 560103
India
Email: tireddy@cisco.com
Cullen, et al. Standards Track [Page 34]
</pre>
|
