diff options
Diffstat (limited to 'rfc/rfc2716.txt')
-rw-r--r-- | rfc/rfc2716.txt | 1347 |
1 files changed, 1347 insertions, 0 deletions
diff --git a/rfc/rfc2716.txt b/rfc/rfc2716.txt new file mode 100644 index 00000000..71b4a84b --- /dev/null +++ b/rfc/rfc2716.txt @@ -0,0 +1,1347 @@ + + + + + + +Network Working Group B. Aboba +Requests for Commments: 2716 D. Simon +Category: Experimental Microsoft + October 1999 + + + PPP EAP TLS Authentication Protocol + +Status of this Memo + + This memo defines an Experimental Protocol for the Internet + community. It does not specify an Internet standard of any kind. + Discussion and suggestions for improvement are requested. + Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (1999). All Rights Reserved. + +1. Abstract + + The Point-to-Point Protocol (PPP) provides a standard method for + transporting multi-protocol datagrams over point-to-point links. PPP + also defines an extensible Link Control Protocol (LCP), which can be + used to negotiate authentication methods, as well as an Encryption + Control Protocol (ECP), used to negotiate data encryption over PPP + links, and a Compression Control Protocol (CCP), used to negotiate + compression methods. The Extensible Authentication Protocol (EAP) is + a PPP extension that provides support for additional authentication + methods within PPP. + + Transport Level Security (TLS) provides for mutual authentication, + integrity-protected ciphersuite negotiation and key exchange between + two endpoints. This document describes how EAP-TLS, which includes + support for fragmentation and reassembly, provides for these TLS + mechanisms within EAP. + +2. Introduction + + The Extensible Authentication Protocol (EAP), described in [5], + provides a standard mechanism for support of additional + authentication methods within PPP. Through the use of EAP, support + for a number of authentication schemes may be added, including smart + cards, Kerberos, Public Key, One Time Passwords, and others. To date + however, EAP methods such as [6] have focussed on authenticating a + client to a server. + + + + + +Aboba & Simon Experimental [Page 1] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + + However, it may be desirable to support mutual authentication, and + since PPP encryption protocols such as [9] and [10] assume existence + of a session key, it is useful to have a mechanism for session key + establishment. Since design of secure key management protocols is + non-trivial, it is desirable to avoid creating new mechanisms for + this. The EAP protocol described in this document allows a PPP peer + to take advantage of the protected ciphersuite negotiation, mutual + authentication and key management capabilities of the TLS protocol, + described in [12]. + +2.1. Requirements language + + In this document, the key words "MAY", "MUST, "MUST NOT", "optional", + "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as + described in [11]. + +3. Protocol overview + +3.1. Overview of the EAP-TLS conversation + + As described in [5], the EAP-TLS conversation will typically begin + with the authenticator and the peer negotiating EAP. The + authenticator will then typically send an EAP-Request/Identity packet + to the peer, and the peer will respond with an EAP-Response/Identity + packet to the authenticator, containing the peer's userId. + + From this point forward, while nominally the EAP conversation occurs + between the PPP authenticator and the peer, the authenticator MAY act + as a passthrough device, with the EAP packets received from the peer + being encapsulated for transmission to a RADIUS server or backend + security server. In the discussion that follows, we will use the term + "EAP server" to denote the ultimate endpoint conversing with the + peer. + + Once having received the peer's Identity, the EAP server MUST respond + with an EAP-TLS/Start packet, which is an EAP-Request packet with + EAP-Type=EAP-TLS, the Start (S) bit set, and no data. The EAP-TLS + conversation will then begin, with the peer sending an EAP-Response + packet with EAP-Type=EAP-TLS. The data field of that packet will + encapsulate one or more TLS records in TLS record layer format, + containing a TLS client_hello handshake message. The current cipher + spec for the TLS records will be TLS_NULL_WITH_NULL_NULL and null + compression. This current cipher spec remains the same until the + change_cipher_spec message signals that subsequent records will have + the negotiated attributes for the remainder of the handshake. + + + + + + +Aboba & Simon Experimental [Page 2] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + + The client_hello message contains the client's TLS version number, a + sessionId, a random number, and a set of ciphersuites supported by + the client. The version offered by the client MUST correspond to TLS + v1.0 or later. + + The EAP server will then respond with an EAP-Request packet with + EAP-Type=EAP-TLS. The data field of this packet will encapsulate one + or more TLS records. These will contain a TLS server_hello handshake + message, possibly followed by TLS certificate, server_key_exchange, + certificate_request, server_hello_done and/or finished handshake + messages, and/or a TLS change_cipher_spec message. The server_hello + handshake message contains a TLS version number, another random + number, a sessionId, and a ciphersuite. The version offered by the + server MUST correspond to TLS v1.0 or later. + + If the client's sessionId is null or unrecognized by the server, the + server MUST choose the sessionId to establish a new session; + otherwise, the sessionId will match that offered by the client, + indicating a resumption of the previously established session with + that sessionID. The server will also choose a ciphersuite from those + offered by the client; if the session matches the client's, then the + ciphersuite MUST match the one negotiated during the handshake + protocol execution that established the session. + + The purpose of the sessionId within the TLS protocol is to allow for + improved efficiency in the case where a client repeatedly attempts to + authenticate to an EAP server within a short period of time. While + this model was developed for use with HTTP authentication, it may + also have application to PPP authentication (e.g. multilink). + + As a result, it is left up to the peer whether to attempt to continue + a previous session, thus shortening the TLS conversation. Typically + the peer's decision will be made based on the time elapsed since the + previous authentication attempt to that EAP server. Based on the + sessionId chosen by the peer, and the time elapsed since the previous + authentication, the EAP server will decide whether to allow the + continuation, or whether to choose a new session. + + In the case where the EAP server and authenticator reside on the same + device, then client will only be able to continue sessions when + connecting to the same NAS or tunnel server. Should these devices be + set up in a rotary or round-robin then it may not be possible for the + peer to know in advance the authenticator it will be connecting to, + and therefore which sessionId to attempt to reuse. As a result, it is + likely that the continuation attempt will fail. In the case where the + EAP authentication is remoted then continuation is much more likely + to be successful, since multiple NAS devices and tunnel servers will + remote their EAP authentications to the same RADIUS server. + + + +Aboba & Simon Experimental [Page 3] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + + If the EAP server is resuming a previously established session, then + it MUST include only a TLS change_cipher_spec message and a TLS + finished handshake message after the server_hello message. The + finished message contains the EAP server's authentication response to + the peer. If the EAP server is not resuming a previously established + session, then it MUST include a TLS server_certificate handshake + message, and a server_hello_done handshake message MUST be the last + handshake message encapsulated in this EAP-Request packet. + + The certificate message contains a public key certificate chain for + either a key exchange public key (such as an RSA or Diffie-Hellman + key exchange public key) or a signature public key (such as an RSA or + DSS signature public key). In the latter case, a TLS + server_key_exchange handshake message MUST also be included to allow + the key exchange to take place. + + The certificate_request message is included when the server desires + the client to authenticate itself via public key. While the EAP + server SHOULD require client authentication, this is not a + requirement, since it may be possible that the server will require + that the peer authenticate via some other means. + + The peer MUST respond to the EAP-Request with an EAP-Response packet + of EAP-Type=EAP-TLS. The data field of this packet will encapsulate + one or more TLS records containing a TLS change_cipher_spec message + and finished handshake message, and possibly certificate, + certificate_verify and/or client_key_exchange handshake messages. If + the preceding server_hello message sent by the EAP server in the + preceding EAP-Request packet indicated the resumption of a previous + session, then the peer MUST send only the change_cipher_spec and + finished handshake messages. The finished message contains the + peer's authentication response to the EAP server. + + If the preceding server_hello message sent by the EAP server in the + preceeding EAP-Request packet did not indicate the resumption of a + previous session, then the peer MUST send, in addition to the + change_cipher_spec and finished messages, a client_key_exchange + message, which completes the exchange of a shared master secret + between the peer and the EAP server. If the EAP server sent a + certificate_request message in the preceding EAP-Request packet, then + the peer MUST send, in addition, certificate and certificate_verify + handshake messages. The former contains a certificate for the peer's + signature public key, while the latter contains the peer's signed + authentication response to the EAP server. After receiving this + packet, the EAP server will verify the peer's certificate and digital + signature, if requested. + + + + + +Aboba & Simon Experimental [Page 4] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + + If the peer's authentication is unsuccessful, the EAP server SHOULD + send an EAP-Request packet with EAP-Type=EAP-TLS, encapsulating a TLS + record containing the appropriate TLS alert message. The EAP server + SHOULD send a TLS alert message rather immediately terminating the + conversation so as to allow the peer to inform the user of the cause + of the failure and possibly allow for a restart of the conversation. + + To ensure that the peer receives the TLS alert message, the EAP + server MUST wait for the peer to reply with an EAP-Response packet. + The EAP-Response packet sent by the peer MAY encapsulate a TLS + client_hello handshake message, in which case the EAP server MAY + allow the EAP-TLS conversation to be restarted, or it MAY contain an + EAP-Response packet with EAP-Type=EAP-TLS and no data, in which case + the EAP-Server MUST send an EAP-Failure packet, and terminate the + conversation. It is up to the EAP server whether to allow restarts, + and if so, how many times the conversation can be restarted. An EAP + Server implementing restart capability SHOULD impose a limit on the + number of restarts, so as to protect against denial of service + attacks. + + If the peers authenticates successfully, the EAP server MUST respond + with an EAP-Request packet with EAP-Type=EAP-TLS, which includes, in + the case of a new TLS session, one or more TLS records containing TLS + change_cipher_spec and finished handshke messages. The latter + contains the EAP server's authentication response to the peer. The + peer will then verify the hash in order to authenticate the EAP + server. + + If the EAP server authenticates unsuccessfully, the peer MAY send an + EAP-Response packet of EAP-Type=EAP-TLS containing a TLS Alert + message identifying the reason for the failed authentication. The + peer MAY send a TLS alert message rather than immediately terminating + the conversation so as to allow the EAP server to log the cause of + the error for examination by the system administrator. + + To ensure that the EAP Server receives the TLS alert message, the + peer MUST wait for the EAP-Server to reply before terminating the + conversation. The EAP Server MUST reply with an EAP-Failure packet + since server authentication failure is a terminal condition. + + If the EAP server authenticates successfully, the peer MUST send an + EAP-Response packet of EAP-Type=EAP-TLS, and no data. The EAP-Server + then MUST respond with an EAP-Success message. + + + + + + + + +Aboba & Simon Experimental [Page 5] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + +3.2. Retry behavior + + As with other EAP protocols, the EAP server is responsible for retry + behavior. This means that if the EAP server does not receive a reply + from the peer, it MUST resend the EAP-Request for which it has not + yet received an EAP-Response. However, the peer MUST NOT resend EAP- + Response packets without first being prompted by the EAP server. + + For example, if the initial EAP-TLS start packet sent by the EAP + server were to be lost, then the peer would not receive this packet, + and would not respond to it. As a result, the EAP-TLS start packet + would be resent by the EAP server. Once the peer received the EAP-TLS + start packet, it would send an EAP-Response encapsulating the + client_hello message. If the EAP-Response were to be lost, then the + EAP server would resend the initial EAP-TLS start, and the peer would + resend the EAP-Response. + + As a result, it is possible that a peer will receive duplicate EAP- + Request messages, and may send duplicate EAP-Responses. Both the + peer and the EAP-Server should be engineered to handle this + possibility. + +3.3. Fragmentation + + A single TLS record may be up to 16384 octets in length, but a TLS + message may span multiple TLS records, and a TLS certificate message + may in principle be as long as 16MB. The group of EAP-TLS messages + sent in a single round may thus be larger than the PPP MTU size, the + maximum RADIUS packet size of 4096 octets, or even the Multilink + Maximum Received Reconstructed Unit (MRRU). As described in [2], the + multilink MRRU is negotiated via the Multilink MRRU LCP option, which + includes an MRRU length field of two octets, and thus can support + MRRUs as large as 64 KB. + + However, note that in order to protect against reassembly lockup and + denial of service attacks, it may be desirable for an implementation + to set a maximum size for one such group of TLS messages. Since a + typical certificate chain is rarely longer than a few thousand + octets, and no other field is likely to be anwhere near as long, a + reasonable choice of maximum acceptable message length might be 64 + KB. + + If this value is chosen, then fragmentation can be handled via the + multilink PPP fragmentation mechanisms described in [2]. While this + is desirable, there may be cases in which multilink or the MRRU LCP + option cannot be negotiated. As a result, an EAP-TLS implementation + MUST provide its own support for fragmentation and reassembly. + + + + +Aboba & Simon Experimental [Page 6] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + + Since EAP is a simple ACK-NAK protocol, fragmentation support can be + added in a simple manner. In EAP, fragments that are lost or damaged + in transit will be retransmitted, and since sequencing information is + provided by the Identifier field in EAP, there is no need for a + fragment offset field as is provided in IPv4. + + EAP-TLS fragmentation support is provided through addition of a flags + octet within the EAP-Response and EAP-Request packets, as well as a + TLS Message Length field of four octets. Flags include the Length + included (L), More fragments (M), and EAP-TLS Start (S) bits. The L + flag is set to indicate the presence of the four octet TLS Message + Length field, and MUST be set for the first fragment of a fragmented + TLS message or set of messages. The M flag is set on all but the last + fragment. The S flag is set only within the EAP-TLS start message + sent from the EAP server to the peer. The TLS Message Length field is + four octets, and provides the total length of the TLS message or set + of messages that is being fragmented; this simplifies buffer + allocation. + + When an EAP-TLS peer receives an EAP-Request packet with the M bit + set, it MUST respond with an EAP-Response with EAP-Type=EAP-TLS and + no data. This serves as a fragment ACK. The EAP server MUST wait + until it receives the EAP-Response before sending another fragment. + In order to prevent errors in processing of fragments, the EAP server + MUST increment the Identifier field for each fragment contained + within an EAP-Request, and the peer MUST include this Identifier + value in the fragment ACK contained within the EAP-Reponse. + Retransmitted fragments will contain the same Identifier value. + + Similarly, when the EAP server receives an EAP-Response with the M + bit set, it MUST respond with an EAP-Request with EAP-Type=EAP-TLS + and no data. This serves as a fragment ACK. The EAP peer MUST wait + until it receives the EAP-Request before sending another fragment. + In order to prevent errors in the processing of fragments, the EAP + server MUST use increment the Identifier value for each fragment ACK + contained within an EAP-Request, and the peer MUST include this + Identifier value in the subsequent fragment contained within an EAP- + Reponse. + +3.4. Identity verification + + As part of the TLS negotiation, the server presents a certificate to + the peer, and if mutual authentication is requested, the peer + presents a certificate to the server. + + Note that since the peer has made a claim of identity in the EAP- + Response/Identity (MyID) packet, the EAP server SHOULD verify that + the claimed identity corresponds to the certificate presented by the + + + +Aboba & Simon Experimental [Page 7] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + + peer. Typically this will be accomplished either by placing the + userId within the peer certificate, or by providing a mapping between + the peer certificate and the userId using a directory service. + + Similarly, the peer MUST verify the validity of the EAP server + certificate, and SHOULD also examine the EAP server name presented in + the certificate, in order to determine whether the EAP server can be + trusted. Please note that in the case where the EAP authentication is + remoted that the EAP server will not reside on the same machine as + the authenticator, and therefore the name in the EAP server's + certificate cannot be expected to match that of the intended + destination. In this case, a more appropriate test might be whether + the EAP server's certificate is signed by a CA controlling the + intended destination and whether the EAP server exists within a + target sub-domain. + +3.5. Key derivation + + Since the normal TLS keys are used in the handshake, and therefore + should not be used in a different context, new encryption keys must + be derived from the TLS master secret for use with PPP encryption. + For both peer and EAP server, the derivation proceeds as follows: + given the master secret negotiated by the TLS handshake, the + pseudorandom function (PRF) defined in the specification for the + version of TLS in use, and the value random defined as the + concatenation of the handshake message fields client_hello.random and + server_hello.random (in that order), the value PRF(master secret, + "client EAP encryption", random) is computed up to 128 bytes, and the + value PRF("", "client EAP encryption", random) is computed up to 64 + bytes (where "" is an empty string). The peer encryption key (the + one used for encrypting data from peer to EAP server) is obtained by + truncating to the correct length the first 32 bytes of the first PRF + of these two output strings. TheEAP server encryption key (the one + used for encrypting data from EAP server to peer), if different from + the client encryption key, is obtained by truncating to the correct + length the second 32 bytes of this same PRF output string. The + client authentication key (the one used for computing MACs for + messages from peer to EAP server), if used, is obtained by truncating + to the correct length the third 32 bytes of this same PRF output + string. The EAP server authentication key (the one used for + computing MACs for messages from EAP server to peer), if used, and if + different from the peer authentication key, is obtained by truncating + to the correct length the fourth 32 bytes of this same PRF output + string. The peer initialization vector (IV), used for messages from + peer to EAP server if a block cipher has been specified, is obtained + by truncating to the cipher's block size the first 32 bytes of the + second PRF output string mentioned above. Finally, the server + initialization vector (IV), used for messages from peer to EAP server + + + +Aboba & Simon Experimental [Page 8] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + + if a block cipher has been specified, is obtained by truncating to + the cipher's block size the second 32 bytes of this second PRF + output. + + The use of these encryption and authentication keys is specific to + the PPP encryption mechanism used, such as those defined in [9] and + [10]. Additional keys or other non-secret values (such as IVs) can + be obtained as needed for future PPP encryption methods by extending + the outputs of the PRF beyond 128 bytes and 64 bytes, respectively. + +3.6. ECP negotiation + + Since TLS supports ciphersuite negotiation, peers completing the TLS + negotiation will also have selected a ciphersuite, which includes key + strength, encryption and hashing methods. As a result, a subsequent + Encryption Control Protocol (ECP) conversation, if it occurs, has a + predetermined result. + + In order to ensure agreement between the EAP-TLS ciphersuite + negotiation and the subsequent ECP negotiation (described in [6]), + during ECP negotiation the PPP peer MUST offer only the ciphersuite + negotiated inEAP-TLS. This ensures that the PPP authenticator MUST + accept the EAP-TLS negotiated ciphersuite in order for the + onversation to proceed. Should the authenticator not accept the + EAP-TLS negotiated ciphersuite, then the peer MUST send an LCP + terminate and disconnect. + + Please note that it cannot be assumed that the PPP authenticator and + EAP server are located on the same machine or that the authenticator + understands the EAP-TLS conversation that has passed through it. Thus + if the peer offers a ciphersuite other than the one negotiated in + EAP-TLS there is no way for the authenticator to know how to respond + correctly. + +3.7. CCP negotiation + + TLS as described in [12] supports compression as well as ciphersuite + negotiation. However, TLS only provides support for a limited number + of compression types which do not overlap with the compression types + used in PPP. As a result, during the EAP-TLS conversation the EAP + endpoints MUST NOT request or negotiate compression. Instead, the PPP + Compression Control Protocol (CCP), described in [13] should be used + to negotiate the desired compression scheme. + + + + + + + + +Aboba & Simon Experimental [Page 9] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + +3.8. Examples + + In the case where the EAP-TLS mutual authentication is successful, + the conversation will appear as follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- PPP LCP Request-EAP + auth + PPP LCP ACK-EAP + auth -> + <- PPP EAP-Request/ + Identity + PPP EAP-Response/ + Identity (MyID) -> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (TLS Start) + PPP EAP-Response/ + EAP-Type=EAP-TLS + (TLS client_hello)-> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (TLS server_hello, + TLS certificate, + [TLS server_key_exchange,] + [TLS certificate_request,] + TLS server_hello_done) + PPP EAP-Response/ + EAP-Type=EAP-TLS + (TLS certificate, + TLS client_key_exchange, + [TLS certificate_verify,] + TLS change_cipher_spec, + TLS finished) -> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (TLS change_cipher_spec, + TLS finished) + PPP EAP-Response/ + EAP-Type=EAP-TLS -> + <- PPP EAP-Success + PPP Authentication + Phase complete, + NCP Phase starts + + ECP negotiation + CCP negotiation + + + +Aboba & Simon Experimental [Page 10] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + + In the case where the EAP-TLS mutual authentication is successful, + and fragmentation is required, the conversation will appear as + follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- PPP LCP Request-EAP + auth + PPP LCP ACK-EAP + auth -> + <- PPP EAP-Request/ + Identity + PPP EAP-Response/ + Identity (MyID) -> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (TLS Start, S bit set) + PPP EAP-Response/ + EAP-Type=EAP-TLS + (TLS client_hello)-> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (TLS server_hello, + TLS certificate, + [TLS server_key_exchange,] + [TLS certificate_request,] + TLS server_hello_done) + (Fragment 1: L, M bits set) + PPP EAP-Response/ + EAP-Type=EAP-TLS -> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (Fragment 2: M bit set) + PPP EAP-Response/ + EAP-Type=EAP-TLS -> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (Fragment 3) + PPP EAP-Response/ + EAP-Type=EAP-TLS + (TLS certificate, + TLS client_key_exchange, + [TLS certificate_verify,] + TLS change_cipher_spec, + TLS inished)(Fragment 1: + L, M bits set)-> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + + + +Aboba & Simon Experimental [Page 11] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + + PPP EAP-Response/ + EAP-Type=EAP-TLS + (Fragment 2)-> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (TLS change_cipher_spec, + TLS finished) + PPP EAP-Response/ + EAP-Type=EAP-TLS -> + <- PPP EAP-Success + PPP Authentication + Phase complete, + NCP Phase starts + + ECP negotiation + CCP negotiation + + In the case where the server authenticates to the client + successfully, but the client fails to authenticate to the server, the + conversation will appear as follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- PPP LCP Request-EAP + auth + PPP LCP ACK-EAP + auth -> + <- PPP EAP-Request/ + Identity + PPP EAP-Response/ + Identity (MyID) -> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (TLS Start) + PPP EAP-Response/ + EAP-Type=EAP-TLS + (TLS client_hello)-> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (TLS server_hello, + TLS certificate, + [TLS server_key_exchange,] + TLS certificate_request, + TLS server_hello_done) + PPP EAP-Response/ + EAP-Type=EAP-TLS + (TLS certificate, + TLS client_key_exchange, + + + +Aboba & Simon Experimental [Page 12] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + + TLS certificate_verify, + TLS change_cipher_spec, + TLS finished) -> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (TLS change_cipher_spec, + TLS finished) + PPP EAP-Response/ + EAP-Type=EAP-TLS -> + <- PPP EAP-Request + EAP-Type=EAP-TLS + (TLS Alert message) + PPP EAP-Response/ + EAP-Type=EAP-TLS -> + <- PPP EAP-Failure + (User Disconnected) + + In the case where server authentication is unsuccessful, the + conversation will appear as follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- PPP LCP Request-EAP + auth + PPP LCP ACK-EAP + auth -> + <- PPP EAP-Request/ + Identity + PPP EAP-Response/ + Identity (MyID) -> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (TLS Start) + PPP EAP-Response/ + EAP-Type=EAP-TLS + (TLS client_hello)-> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (TLS server_hello, + TLS certificate, + [TLS server_key_exchange,] + [TLS certificate_request,] + TLS server_hello_done) + PPP EAP-Response/ + EAP-Type=EAP-TLS + (TLS certificate, + TLS client_key_exchange, + [TLS certificate_verify,] + + + +Aboba & Simon Experimental [Page 13] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + + TLS change_cipher_spec, + TLS finished) -> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (TLS change_cipher_spec, + TLS finished) + PPP EAP-Response/ + EAP-Type=EAP-TLS + (TLS change_cipher_spec, + TLS finished) + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + PPP EAP-Response/ + EAP-Type=EAP-TLS + (TLS Alert message) -> + <- PPP EAP-Failure + (User Disconnected) + + In the case where a previously established session is being resumed, + and both sides authenticate successfully, the conversation will + appear as follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- PPP LCP Request-EAP + auth + PPP LCP ACK-EAP + auth -> + <- PPP EAP-Request/ + Identity + PPP EAP-Response/ + Identity (MyID) -> + <- PPP EAP-Request/ + EAP-Request/ + EAP-Type=EAP-TLS + (TLS Start) + PPP EAP-Response/ + EAP-Type=EAP-TLS + (TLS client_hello)-> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (TLS server_hello, + TLS change_cipher_spec + TLS finished) + + + + + + + +Aboba & Simon Experimental [Page 14] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + + PPP EAP-Response/ + EAP-Type=EAP-TLS + (TLS change_cipher_spec, + TLS finished) -> + <- PPP EAP-Success + PPP Authentication + Phase complete, + NCP Phase starts + + ECP negotiation + + CCP negotiation + + In the case where a previously established session is being resumed, + and the server authenticates to the client successfully but the + client fails to authenticate to the server, the conversation will + appear as follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- PPP LCP Request-EAP + auth + PPP LCP ACK-EAP + auth -> + <- PPP EAP-Request/ + Identity + PPP EAP-Response/ + Identity (MyID) -> + <- PPP EAP-Request/ + EAP-Request/ + EAP-Type=EAP-TLS + (TLS Start) + PPP EAP-Response/ + EAP-Type=EAP-TLS + (TLS client_hello) -> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (TLS server_hello, + TLS change_cipher_spec, + TLS finished) + PPP EA-Response/ + EAP-Type=EAP-TLS + (TLS change_cipher_spec, + TLS finished) -> + <- PPP EAP-Request + EAP-Type=EAP-TLS + (TLS Alert message) + + + + +Aboba & Simon Experimental [Page 15] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + + PPP EAP-Response + EAP-Type=EAP-TLS -> + <- PPP EAP-Failure + (User Disconnected) + + In the case where a previously established session is being resumed, + and the server authentication is unsuccessful, the conversation will + appear as follows: + + Authenticating Peer Authenticator + ------------------- ------------- + <- PPP LCP Request-EAP + auth + PPP LCP ACK-EAP + auth -> + <- PPP EAP-Request/ + Identity + PPP EAP-Response/ + Identity (MyID) -> + <- PPP EAP-Request/ + EAP-Request/ + EAP-Type=EAP-TLS + (TLS Start) + PPP EAP-Response/ + EAP-Type=EAP-TLS + (TLS client_hello)-> + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + (TLS server_hello, + TLS change_cipher_spec, + TLS finished) + PPP EAP-Response/ + EAP-Type=EAP-TLS + (TLS change_cipher_spec, + TLS finished) + <- PPP EAP-Request/ + EAP-Type=EAP-TLS + PPP EAP-Response/ + EAP-Type=EAP-TLS + (TLS Alert message) -> + <- PPP EAP-Failure + (User Disconnected) + + + + + + + + + +Aboba & Simon Experimental [Page 16] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + +4. Detailed description of the EAP-TLS protocol + +4.1. PPP EAP TLS Packet Format + + A summary of the PPP EAP TLS Request/Response packet format is shown + below. The fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Data... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Code + + 1 - Request + 2 - Response + + Identifier + + The identifier field is one octet and aids in matching responses + with requests. + + Length + + The Length field is two octets and indicates the length of the EAP + packet including the Code, Identifier, Length, Type, and Data + fields. Octets outside the range of the Length field should be + treated as Data Link Layer padding and should be ignored on + reception. + + Type + + 13 - EAP TLS + + Data + + The format of the Data field is determined by the Code field. + + + + + + + + + + + +Aboba & Simon Experimental [Page 17] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + +4.2. PPP EAP TLS Request Packet + + A summary of the PPP EAP TLS Request packet format is shown below. + The fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Flags | TLS Message Length + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | TLS Message Length | TLS Data... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Code + + 1 + + Identifier + + The Identifier field is one octet and aids in matching responses + with requests. The Identifier field MUST be changed on each + Request packet. + + Length + + The Length field is two octets and indicates the length of the EAP + packet including the Code, Identifier, Length, Type, and TLS + Response fields. + + Type + + 13 - EAP TLS + + Flags + + 0 1 2 3 4 5 6 7 8 + +-+-+-+-+-+-+-+-+ + |L M S R R R R R| + +-+-+-+-+-+-+-+-+ + + L = Length included + M = More fragments + S = EAP-TLS start + R = Reserved + + + + + +Aboba & Simon Experimental [Page 18] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + + The L bit (length included) is set to indicate the presence of the + four octet TLS Message Length field, and MUST be set for the first + fragment of a fragmented TLS message or set of messages. The M bit + (more fragments) is set on all but the last fragment. The S bit + (EAP-TLS start) is set in an EAP-TLS Start message. This + differentiates the EAP-TLS Start message from a fragment + acknowledgement. + + TLS Message Length + + The TLS Message Length field is four octets, and is present only + if the L bit is set. This field provides the total length of the + TLS message or set of messages that is being fragmented. + + TLS data + + The TLS data consists of the encapsulated TLS packet in TLS record + format. + +4.3. PPP EAP TLS Response Packet + + A summary of the PPP EAP TLS Response packet format is shown below. + The fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Flags | TLS Message Length + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | TLS Message Length | TLS Data... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Code + + 2 + + Identifier + + The Identifier field is one octet and MUST match the Identifier + field from the corresponding request. + + Length + + The Length field is two octets and indicates the length of the EAP + packet including the Code, Identifir, Length, Type, and TLS data + fields. + + + +Aboba & Simon Experimental [Page 19] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + + Type + + 13 - EAP TLS + + Flags + + 0 1 2 3 4 5 6 7 8 + +-+-+-+-+-+-+-+-+ + |L M S R R R R R| + +-+-+-+-+-+-+-+-+ + + L = Length included + M = More fragments + S = EAP-TLS start + R = Reserved + + The L bit (length included) is set to indicate the presence of the + four octet TLS Message Length field, and MUST be set for the first + fragment of a fragmented TLS message or set of messages. The M bit + (more fragments) is set on all but the last fragment. The S bit + (EAP-TLS start) is set in an EAP-TLS Start message. This + differentiates the EAP-TLS Start message from a fragment + acknowledgement. + + TLS Message Length + + The TLS Message Length field is four octets, and is present only + if the L bit is set. This field provides the total length of the + TLS message or set of messages that is being fragmented. + + TLS data + + The TLS data consists of the encapsulated TLS packet in TLS record + format. + + + + + + + + + + + + + + + + + +Aboba & Simon Experimental [Page 20] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + +5. References + + [1] Simpson, W., Editor, "The Point-to-Point Protocol (PPP)", STD + 51, RFC 1661, July 1994. + + [2] Sklower, K., Lloyd, B., McGregor, G., Carr, D. and T. Coradetti, + "The PPP Multilink Protocol (MP)", RFC 1990, August 1996. + + [3] Simpson, W., Editor, "PPP LCP Extensions", RFC 1570, January + 1994. + + [4] Rivest, R. and S. Dusse, "The MD5 Message-Digest Algorithm", RFC + 1321, April 1992. + + [5] Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication + Protocol (EAP)", RFC 2284, March 1998. + + [6] Meyer, G., "The PPP Encryption Protocol (ECP)", RFC 1968, June + 1996. + + [7] National Bureau of Standards, "Data Encryption Standard", FIPS + PUB 46 (January 1977). + + [8] National Bureau of Standards, "DES Modes of Operation", FIPS PUB + 81 (December 1980). + + [9] Sklower, K. amd G. Meyer, "The PPP DES Encryption Protocol, + Version 2 (DESE-bis)", RFC 2419, September 1998. + + [10] Hummert, K., "The PPP Triple-DES Encryption Protocol (3DESE)", + RFC 2420, September 1998. + + [11] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [12] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC + 2246, November 1998. + + [13] Rand, D., "The PPP Compression Control Protocol", RFC 1962, June + 1996. + + + + + + + + + + + +Aboba & Simon Experimental [Page 21] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + +6. Security Considerations + +6.1. Certificate revocation + + Since the EAP server is on the Internet during the EAP conversation, + the server is capable of following a certificate chain or verifying + whether the peer's certificate has been revoked. In contrast, the + peer may or may not have Internet connectivity, and thus while it can + validate the EAP server's certificate based on a pre-configured set + of CAs, it may not be able to follow a certificate chain or verify + whether the EAP server's certificate has been revoked. + + In the case where the peer is initiating a voluntary Layer 2 tunnel + using PPTP or L2TP, the peer will typically already have a PPP + interface and Internet connectivity established at the time of tunnel + initiation. As a result, during the EAP conversation it is capable + of checking for certificate revocation. + + However, in the case where the peer is initiating an intial PPP + conversation, it will not have Internet connectivity and is therefore + not capable of checking for certificate revocation until after NCP + negotiation completes and the peer has access to the Internet. In + this case, the peer SHOULD check for certificate revocation after + connecting to the Internet. + +6.2. Separation of the EAP server and PPP authenticator + + As a result of the EAP-TLS conversation, the EAP endpoints will + mutually authenticate, negotiate a ciphersuite, and derive a session + key for subsequent use in PPP encryption. Since the peer and EAP + client reside on the same machine, it is necessary for the EAP client + module to pass the session key to the PPP encryption module. + + The situation may be more complex on the PPP authenticator, which may + or may not reside on the same machine as the EAP server. In the case + where the EAP server and PPP authenticator reside on different + machines, there are several implications for security. Firstly, the + mutual authentication defined in EAP-TLS will occur between the peer + and the EAP server, not between the peer and the authenticator. This + means that as a result of the EAP-TLS conversation, it is not + possible for the peer to validate the identity of the NAS or tunnel + server that it is speaking to. + + The second issue is that the session key negotiated between the peer + and EAP server will need to be transmitted to the authenticator. + Therefore a mechanism needs to be provided to transmit the session + key from the EAP server to the authenticator or tunnel server that + needs to use the key. The specification of this transit mechanism is + + + +Aboba & Simon Experimental [Page 22] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + + outside the scope of this document. + +6.3. Relationship of PPP encryption to other security mechanisms + + It is envisaged that EAP-TLS will be used primarily with dialup PPP + connections. However, there are also circumstances in which PPP + encryption may be used along with Layer 2 tunneling protocols such as + PPTP and L2TP. + + In compulsory layer 2 tunneling, a PPP peer makes a connection to a + NAS or router which tunnels the PPP packets to a tunnel server. + Since with compulsory tunneling a PPP peer cannot tell whether its + packets are being tunneled, let alone whether the network device is + securing the tunnel, if security is required then the client must + make its own arrangements. In the case where all endpoints cannot be + relied upon to implement IPSEC, TLS, or another suitable security + protocol, PPP encryption provides a convenient means to ensure the + privacy of packets transiting between the client and the tunnel + server. + +7. Acknowledgments + + Thanks to Terence Spies, Glen Zorn and Narendra Gidwani of Microsoft + for useful discussions of this problem space. + +8. Authors' Addresses + + Bernard Aboba + Microsoft Corporation + One Microsoft Way + Redmond, WA 98052 + + Phone: 425-936-6605 + EMail: bernarda@microsoft.com + + + Dan Simon + Microsoft Corporation + One Microsoft Way + Redmond, WA 98052 + + Phone: 425-936-6711 + EMail: dansimon@microsoft.com + + + + + + + + +Aboba & Simon Experimental [Page 23] + +RFC 2716 PPP EAP TLS Authentication Protocol October 1999 + + +9. Full Copyright Statement + + Copyright (C) The Internet Society (1999). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Aboba & Simon Experimental [Page 24] + |