draft-cam-winget-eap-fast-03.txt
S EAP-FAST start
R Reserved (must be zero)
The L bit (length included) is set to indicate the presence of
the four octet Message Length field, and MUST be set for the
first fragment of a fragmented TLS message or set of
messages. The M bit (more fragments) is set on all but the
last fragment. The S bit (EAP-FAST Start) is set in an
EAP-FAST Start message.
Cam-Winget, et al. Expires April 22, 2006 [Page 17]
Internet-Draft EAP-FAST October 2005
Ver
This field contains the version of the protocol. This document
describes version 1 (001 in binary) of EAP-FAST.
Message Length
The Message Length field is four octets, and is present only if
the L bit is set. This field provides the total length of the
message that may be fragmented over the data fields of multiple
packets.
Data
In the case of an EAP-FAST Start request (i.e., when the S bit is
set) the Data field consists of the A-ID described in
Section 4.1.1. In other cases, when the Data field is present,
it consists of an encapsulated TLS packet in TLS record format.
An EAP-FAST packet with Flags and Version fields but with a
zero-length Data field is used to indicate an EAP-FAST acknowledgement
for either a fragmented message, a TLS Alert message or a TLS
Finished message.
4.1.1 Authority ID Data
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type (0x04) | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ID
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
0x04 for Authority ID
Length
The Length field is two octets and contains the length of
the ID field in octets.
ID
Hint of the identity of the server. It should be unique across
the deployment.
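As an added illustration (not code from the draft or any EAP-FAST implementation), a small Python parser for the header fields of Section 4.1 and the A-ID of Section 4.1.1. It assumes the draft's flag octet layout L M S R R Ver (three version bits), which the packet diagram on this page does not reproduce, and the sample packets in the test are constructed here.

```python
import struct

# Flag octet layout assumed from the draft: L M S R R Ver Ver Ver.
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20
RESERVED_MASK = 0x18      # the two R bits, which must be zero
VER_MASK = 0x07           # this page describes version 1
AID_TYPE = 0x04           # Authority ID type from Section 4.1.1


def parse_aid(payload: bytes) -> bytes:
    """Parse the A-ID carried in an EAP-FAST Start request (Type 0x04, 2-octet Length, ID)."""
    if len(payload) < 4:
        raise ValueError("A-ID truncated")
    aid_type, length = struct.unpack("!HH", payload[:4])
    if aid_type != AID_TYPE or len(payload) != 4 + length:
        raise ValueError("malformed A-ID")
    return payload[4:4 + length]


def parse_eap_fast(data: bytes) -> dict:
    """Parse the EAP-FAST part of an EAP packet (bytes after the EAP Type octet).

    Rejects reserved bits, unknown versions and a truncated Message Length
    rather than guessing, and classifies the packet as start / ack / tls."""
    if not data:
        raise ValueError("missing Flags/Ver octet")
    flags = data[0]
    if flags & RESERVED_MASK:
        raise ValueError("reserved flag bits set")
    info = {"L": bool(flags & FLAG_L), "M": bool(flags & FLAG_M),
            "S": bool(flags & FLAG_S), "ver": flags & VER_MASK}
    if info["ver"] != 1:
        raise ValueError("unsupported EAP-FAST version %d" % info["ver"])
    pos = 1
    if info["L"]:
        # Message Length is present only when L is set and covers the whole
        # (possibly fragmented) message, so no fragment may exceed it.
        if len(data) < 5:
            raise ValueError("L bit set but Message Length truncated")
        info["message_length"] = struct.unpack("!I", data[1:5])[0]
        pos = 5
    payload = data[pos:]
    if info["L"] and info["message_length"] < len(payload):
        raise ValueError("fragment longer than Message Length")
    if info["S"]:
        info["kind"], info["aid"] = "start", parse_aid(payload)
    else:
        # Zero-length Data is the EAP-FAST acknowledgement (fragment, Alert or Finished).
        info["kind"], info["data"] = ("ack" if not payload else "tls"), payload
    return info
```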
4.2 EAP-FAST TLV Format and Support
The TLVs defined here are standard Type-Length-Value (TLV) objects.
The TLV objects could be used to carry arbitrary parameters between
EAP peer and EAP server within the protected TLS tunnel.
The EAP peer may not necessarily implement all the TLVs supported by
the EAP server. To allow for interoperability, TLVs are designed to
allow an EAP server to discover if a TLV is supported by the EAP
peer, using the NAK TLV. The mandatory bit in a TLV indicates
whether support of the TLV is required. If the peer or server does
not support a TLV marked mandatory, then it MUST send a NAK TLV in
the response, and all the other TLVs in the message MUST be ignored.
If an EAP peer or server finds an unsupported TLV which is marked as
optional, it can ignore the unsupported TLV. It MUST NOT send a NAK
TLV for a TLV that is not marked mandatory.
Note that a peer or server may support a TLV with the mandatory bit
set, but may not understand the contents. The appropriate response
to a supported TLV with content that is not understood is defined by
the individual TLV specification.
EAP implementations compliant with this specification MUST support
TLV exchanges, as well as processing of mandatory/optional settings
on the TLV. Implementations conforming to this specification MUST
support the following TLVs:
Result TLV
NAK TLV
Error TLV
EAP-Payload TLV
Intermediate-Result TLV
Crypto-Binding TLV
Request-Action TLV
4.2.1 General TLV Format
TLVs are defined as described below. The fields are transmitted from
left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
M
0 Optional TLV
1 Mandatory TLV
R
Reserved, set to zero (0)
TLV Type
A 14-bit field, denoting the TLV type. Allocated Types
include:
0 Reserved
1 Reserved
2 Reserved
3 Result TLV
4 NAK TLV
5 Error TLV
7 Vendor-Specific TLV
9 EAP-Payload TLV
10 Intermediate-Result TLV
11 PAC TLV [I-D.cam-winget-eap-fast-provisioning]
12 Crypto-Binding TLV
18 Server-Trusted-Root TLV [I-D.cam-winget-eap-fast-provisioning]
19 Request-Action TLV
20 PKCS#7 TLV [I-D.cam-winget-eap-fast-provisioning]
Length
The length of the Value field in octets.
Value
The value of the TLV.
4.2.2 Result TLV
The Result TLV provides support for acknowledged success and failure
messages for protected termination within EAP-FAST. If the Status
field does not contain one of the known values, then the peer or EAP
server MUST treat this as a fatal error of Unexpected_TLVs_Exchanged.
The behavior of the Result TLV is further discussed in Section 3.3.2
and Section 3.4.2. A Result TLV indicating failure MUST NOT be
accompanied by the following TLVs: NAK, EAP-Payload TLV, or
Crypto-Binding TLV. The Result TLV is defined as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Status |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
M
Mandatory, set to one (1)
R
Reserved, set to zero (0)
TLV Type
3 for Result TLV
Length
2
Status
The Status field is two octets. Values include:
1 Success
2 Failure
4.2.3 NAK TLV
The NAK TLV allows a peer to detect TLVs that are not supported by
the other peer. An EAP-FAST packet can contain 0 or more NAK TLVs.
A NAK TLV should not be accompanied by other TLVs. A NAK TLV MUST
NOT be sent in response to a message containing a Result TLV;
instead, a Result TLV indicating failure and an Error TLV of
Unexpected_TLVs_Exchanged should be sent. The NAK TLV is defined as
follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R| TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor-Id |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NAK-Type | TLVs....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
M
Mandatory, set to one (1)
R
Reserved, set to zero (0)
TLV Type
4 for NAK TLV
Length
>=6
Vendor-Id
The Vendor-Id field is four octets, and contains the Vendor-Id
of the TLV that was not supported. The high-order octet is 0
and the low-order 3 octets are the SMI Network Management
Private Enterprise Code of the Vendor in network byte order.
The Vendor-Id field MUST be zero for TLVs that are not Vendor-
Specific TLVs.
NAK-Type
The NAK-Type field is two octets. The field contains the Type
of the TLV that was not supported. A TLV of this Type MUST
have been included in the previous packet.
TLVs
This field contains a list of TLVs, each of which MUST NOT have
the mandatory bit set. These optional TLVs are for future
extensibility to communicate why the offending TLV was
determined to be unsupported.
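The following Python codec is an added example, not code from the draft or any EAP-FAST implementation. It encodes and decodes the general TLV format of Section 4.2.1 and applies the mandatory-bit rules of Sections 4.2 and 4.2.3: an unsupported mandatory TLV is answered with a NAK TLV (Vendor-Id 0, NAK-Type set to the offending type) and the rest of the message is ignored, unless the message carried a Result TLV, in which case a failure Result TLV is returned instead. The supported-type set is a hypothetical implementation's choice (the draft's mandatory list), and the accompanying Error TLV is left out because its code values are defined in Section 4.2.4, which this page cuts off.

```python
import struct

M_BIT, R_BIT, TYPE_MASK = 0x8000, 0x4000, 0x3FFF   # first 16-bit word of a TLV
RESULT_TLV, NAK_TLV, ERROR_TLV, EAP_PAYLOAD_TLV = 3, 4, 5, 9
INTERMEDIATE_RESULT_TLV, CRYPTO_BINDING_TLV, REQUEST_ACTION_TLV = 10, 12, 19
RESULT_FAILURE = 2                                  # Result TLV Status value
# Hypothetical implementation: supports exactly the TLVs the draft makes mandatory.
SUPPORTED = {RESULT_TLV, NAK_TLV, ERROR_TLV, EAP_PAYLOAD_TLV,
             INTERMEDIATE_RESULT_TLV, CRYPTO_BINDING_TLV, REQUEST_ACTION_TLV}


def encode_tlv(tlv_type: int, value: bytes, mandatory: bool = True) -> bytes:
    word = (M_BIT if mandatory else 0) | (tlv_type & TYPE_MASK)
    return struct.pack("!HH", word, len(value)) + value


def decode_tlvs(buf: bytes) -> list:
    """Return [(mandatory, type, value), ...]; rejects the R bit and truncation."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated TLV header")
        word, length = struct.unpack("!HH", buf[pos:pos + 4])
        if word & R_BIT:
            raise ValueError("reserved bit set in TLV")
        if len(buf) - pos - 4 < length:
            raise ValueError("TLV Length exceeds buffer")
        out.append((bool(word & M_BIT), word & TYPE_MASK, buf[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return out


def process_tlvs(buf: bytes) -> tuple:
    """Apply Sections 4.2 and 4.2.3 to one tunneled message.

    Returns (accepted_tlvs, reply): reply is None when nothing has to be
    sent back, otherwise the TLV bytes that must go in the response."""
    tlvs = decode_tlvs(buf)
    has_result = any(t == RESULT_TLV for _, t, _ in tlvs)
    for mandatory, tlv_type, _ in tlvs:
        if mandatory and tlv_type not in SUPPORTED:
            if has_result:
                # 4.2.3: never NAK a message carrying a Result TLV; answer with failure.
                return [], encode_tlv(RESULT_TLV, struct.pack("!H", RESULT_FAILURE))
            # NAK value: 4-octet Vendor-Id (0 for non-vendor TLVs) + 2-octet NAK-Type;
            # the trailing optional TLVs are omitted. All other TLVs are ignored.
            return [], encode_tlv(NAK_TLV, struct.pack("!IH", 0, tlv_type))
    # Unsupported optional TLVs are dropped silently and MUST NOT be NAKed.
    return [t for t in tlvs if t[1] in SUPPORTED], None
```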
4.2.4 Error TLV
The Error TLV allows an EAP peer or server to indicate errors to the
other party. An EAP-FAST packet can contain 0 or more Error TLVs.
The Error-Code field describes the type of error. Error Codes 1-999
represent successful outcomes (informative messages), 1000-1999