pppext-eap-sim-12.txt
If the peer has maintained re-authentication state information and if the peer wants to use re-authentication, then the peer transmits the re-authentication identity in EAP-Response/Identity. Else, if the peer has a pseudonym username available, then the peer transmits the pseudonym identity in EAP-Response/Identity. In other cases, the peer transmits the permanent identity in EAP-Response/Identity.

Server Operation in the Beginning of EAP/SIM Exchange

If the EAP server has not received any identity (permanent identity, pseudonym identity or re-authentication identity) from the peer when sending the first EAP/SIM request, or if the EAP server has received an EAP-Response/Identity packet but the contents do not appear to be a valid permanent identity, pseudonym identity or a re-authentication identity, then the server MUST request an identity from the peer using one of the methods below.

The server sends the EAP-Request/SIM/Start message with the AT_PERMANENT_ID_REQ attribute to indicate that the server wants the peer to include the permanent identity in the AT_IDENTITY attribute of the EAP-Response/SIM/Start message. This is done in the following cases:

- The server does not support re-authentication or identity privacy.
- The server received an identity that it recognizes as a pseudonym identity but the server is not able to map the pseudonym identity to a permanent identity.

Haverinen and Salowey          Expires: 27 April, 2004          [Page 15]
Internet Draft             EAP SIM Authentication          27 October, 2003

The server issues the EAP-Request/SIM/Start packet with the AT_FULLAUTH_ID_REQ attribute to indicate that the server wants the peer to include a full authentication identity (pseudonym identity or permanent identity) in the AT_IDENTITY attribute of the EAP-Response/SIM/Start message.
This is done in the following cases:

- The server does not support re-authentication and the server supports identity privacy.
- The server received an identity that it recognizes as a re-authentication identity but the server is not able to map the re-authentication identity to a permanent identity.

The server issues the EAP-Request/SIM/Start packet with the AT_ANY_ID_REQ attribute to indicate that the server wants the peer to include an identity in the AT_IDENTITY attribute of the EAP-Response/SIM/Start message, and the server does not indicate any preferred type for the identity. This is done in other cases, such as when the server does not have any identity, or the server does not recognize the format of a received identity.

Processing of EAP-Request/SIM/Start by the Peer

Upon receipt of an EAP-Request/SIM/Start message, the peer MUST perform the following steps.

If the EAP-Request/SIM/Start does not include any identity request attribute, then the peer responds with EAP-Response/SIM/Start without AT_IDENTITY. The peer includes the AT_SELECTED_VERSION and AT_NONCE_MT attributes, because the exchange is a full authentication exchange.

If the EAP-Request/SIM/Start includes AT_PERMANENT_ID_REQ, the peer MUST either respond with EAP-Response/SIM/Start and include the permanent identity in AT_IDENTITY, or respond with an EAP-Response/SIM/Client-Error packet with code "unable to process packet".

If the EAP-Request/SIM/Start includes AT_FULLAUTH_ID_REQ, and if the peer has a pseudonym available, then the peer SHOULD respond with EAP-Response/SIM/Start and include the pseudonym identity in AT_IDENTITY. If the peer does not have a pseudonym when it receives this message, then the peer MUST either respond with EAP-Response/SIM/Start and include the permanent identity in AT_IDENTITY, or respond with an EAP-Response/SIM/Client-Error packet with code "unable to process packet". The peer MUST NOT use a re-authentication identity in the AT_IDENTITY attribute.
If the EAP-Request/SIM/Start includes AT_ANY_ID_REQ, and if the peer has maintained re-authentication state information and the peer wants to use re-authentication, then the peer responds with EAP-Response/SIM/Start and includes the re-authentication identity in AT_IDENTITY. Else, if the peer has a pseudonym identity available, then the peer responds with EAP-Response/SIM/Start and includes the pseudonym identity in AT_IDENTITY. Else, the peer responds with EAP-Response/SIM/Start and includes the permanent identity in AT_IDENTITY.

An EAP/SIM exchange may include several EAP/SIM/Start rounds. The server may issue a second EAP-Request/SIM/Start, if it was not able to recognize the identity the peer used in the previous AT_IDENTITY attribute. At most three EAP/SIM/Start rounds can be used. AT_ANY_ID_REQ can only be used in the first EAP-Request/SIM/Start; in other words, AT_ANY_ID_REQ MUST NOT be used in the second or third EAP-Request/SIM/Start. AT_FULLAUTH_ID_REQ MUST NOT be used if the previous EAP-Request/SIM/Start included AT_PERMANENT_ID_REQ. The peer operation in cases when it receives an unexpected attribute is specified in Section 4.5.1.

Attacks against Identity Privacy

The section above specifies two possible ways the peer can operate upon receipt of AT_PERMANENT_ID_REQ. This is because a received AT_PERMANENT_ID_REQ does not necessarily originate from the valid network: an active attacker may transmit an EAP-Request/SIM/Start packet with an AT_PERMANENT_ID_REQ attribute to the peer, in an effort to find out the true identity of the user. If the peer does not want to reveal its permanent identity, then the peer sends the EAP-Response/SIM/Client-Error packet with the error code "unable to process packet", and the authentication exchange terminates.
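As an added example, not text or code from the draft, the following Python encodes the peer's choice of AT_IDENTITY for each identity-request attribute described above, including the option of refusing AT_PERMANENT_ID_REQ with a Client-Error to protect identity privacy. The `PeerState` structure, the `conservative` flag and the identity values are constructed for illustration; the draft leaves the policy choice to the implementation.

```python
from dataclasses import dataclass
from typing import Optional

AT_PERMANENT_ID_REQ = "AT_PERMANENT_ID_REQ"
AT_FULLAUTH_ID_REQ = "AT_FULLAUTH_ID_REQ"
AT_ANY_ID_REQ = "AT_ANY_ID_REQ"

@dataclass
class PeerState:
    """Identities the peer currently holds (constructed for this example)."""
    permanent: str
    pseudonym: Optional[str] = None
    reauth_id: Optional[str] = None    # set only if re-auth state is kept and wanted
    conservative: bool = False         # refuse AT_PERMANENT_ID_REQ while a pseudonym exists

def respond_to_start(peer: PeerState, id_req: Optional[str]) -> dict:
    """Build the peer's reply to an EAP-Request/SIM/Start carrying id_req (or none)."""
    full_auth = {"type": "EAP-Response/SIM/Start",
                 "AT_SELECTED_VERSION": 1, "AT_NONCE_MT": "<fresh nonce>"}
    if id_req is None:
        return full_auth                    # no identity requested: no AT_IDENTITY
    if id_req == AT_PERMANENT_ID_REQ:
        if peer.conservative and peer.pseudonym:
            # The request may come from an active attacker probing for the
            # permanent identity; a conservative peer holding a pseudonym refuses.
            return {"type": "EAP-Response/SIM/Client-Error",
                    "code": "unable to process packet"}
        identity = peer.permanent
    elif id_req == AT_FULLAUTH_ID_REQ:
        identity = peer.pseudonym or peer.permanent   # never the re-auth identity
    elif id_req == AT_ANY_ID_REQ:
        if peer.reauth_id:
            # Re-authentication: AT_IDENTITY is the only attribute sent.
            return {"type": "EAP-Response/SIM/Start", "AT_IDENTITY": peer.reauth_id}
        identity = peer.pseudonym or peer.permanent
    else:
        raise ValueError(f"unexpected attribute {id_req!r}")   # see Section 4.5.1
    return {**full_auth, "AT_IDENTITY": identity}
```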
Basically, there are two different policies that the peer can employ with regard to AT_PERMANENT_ID_REQ. A "conservative" peer assumes that the network is able to maintain pseudonyms robustly. Therefore, if a conservative peer has a pseudonym username, the peer responds with EAP-Response/SIM/Client-Error to the EAP packet with AT_PERMANENT_ID_REQ, because the peer believes that the valid network is able to map the pseudonym identity to the peer's permanent identity. (Alternatively, the conservative peer may accept AT_PERMANENT_ID_REQ in certain circumstances, for example if the pseudonym was received a long time ago.) The benefit of this policy is that it protects the peer against active attacks on anonymity. On the other hand, a "liberal" peer always accepts the AT_PERMANENT_ID_REQ and responds with the permanent identity. The benefit of this policy is that it works even if the valid network sometimes loses pseudonyms and is not able to map them to the permanent identity.

Processing of AT_IDENTITY by the Server

When the server receives an EAP-Response/SIM/Start message with the AT_IDENTITY (in response to the server's identity requesting attribute), the server MUST operate as follows.

If the server used AT_PERMANENT_ID_REQ, and if the AT_IDENTITY does not contain a valid permanent identity, then the server sends EAP Failure and the EAP exchange terminates. If the server recognizes the permanent identity and is able to continue, then the server proceeds with full authentication by sending EAP-Request/SIM/Challenge.

If the server used AT_FULLAUTH_ID_REQ, and if AT_IDENTITY contains a valid permanent identity or a pseudonym identity that the server can map to a valid permanent identity, then the server proceeds with full authentication by sending EAP-Request/SIM/Challenge.
If AT_IDENTITY contains a pseudonym identity that the server is not able to map to a valid permanent identity, or an identity that the server is not able to recognize or classify, then the server sends EAP-Request/SIM/Start with AT_PERMANENT_ID_REQ.

If the server used AT_ANY_ID_REQ, and if the AT_IDENTITY contains a valid permanent identity or a pseudonym identity that the server can map to a valid permanent identity, then the server proceeds with full authentication by sending EAP-Request/SIM/Challenge.

If the server used AT_ANY_ID_REQ, and if AT_IDENTITY contains a valid re-authentication identity and the server agrees on using re-authentication, then the server proceeds with re-authentication by sending EAP-Request/SIM/Re-authentication (Section 4.3).

If the server used AT_ANY_ID_REQ, and if the peer sent an EAP-Response/SIM/Start with only AT_IDENTITY (indicating re-authentication), but the server is not able to map the identity to a permanent identity, then the server sends EAP-Request/SIM/Start with AT_FULLAUTH_ID_REQ.

If the server used AT_ANY_ID_REQ, and if AT_IDENTITY contains a valid re-authentication identity, which the server is able to map to a permanent identity, and if the server does not want to use re-authentication, then the server sends EAP-Request/SIM/Start without any identity requesting attributes.

If the server used AT_ANY_ID_REQ, and AT_IDENTITY contains an identity that the server recognizes as a pseudonym identity but the server is not able to map the pseudonym identity to a permanent identity, then the server sends EAP-Request/SIM/Start with AT_PERMANENT_ID_REQ.

If the server used AT_ANY_ID_REQ, and AT_IDENTITY contains an identity that the server is not able to recognize or classify, then the server sends EAP-Request/SIM/Start with AT_FULLAUTH_ID_REQ.

4.2.3 Message Sequence Examples (Informative)

This section contains non-normative message sequence examples to illustrate how the peer identity can be communicated to the server.
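Before the draft's own message sequence examples, here is an added, non-normative Python example (not the draft's code) of the server-side rules for AT_IDENTITY listed in the preceding section, together with a check of the limits on successive EAP/SIM/Start rounds. The subscriber directory and the identity formats used to classify an identity (permanent identities beginning with '1', pseudonyms with 'p-', re-authentication identities with 'r-') are constructed for this example and are not taken from this page.

```python
AT_PERMANENT_ID_REQ = "AT_PERMANENT_ID_REQ"
AT_FULLAUTH_ID_REQ = "AT_FULLAUTH_ID_REQ"
AT_ANY_ID_REQ = "AT_ANY_ID_REQ"

# Constructed subscriber directory: the identities this server can still map.
# Identity formats are constructed too: permanent '1...', pseudonym 'p-', re-auth 'r-'.
PERMANENT = {"1234567890123456"}
PSEUDONYMS = {"p-aaa": "1234567890123456"}
REAUTH_IDS = {"r-bbb": "1234567890123456"}

def start_with(attr: str = "") -> str:
    """EAP-Request/SIM/Start, optionally carrying one identity-request attribute."""
    return "EAP-Request/SIM/Start" + (f"({attr})" if attr else "")

def server_next(req_used: str, identity: str, allow_reauth: bool = True) -> str:
    """Next EAP message once AT_IDENTITY arrives in reply to req_used."""
    is_perm = identity in PERMANENT
    pseudo_ok = identity in PSEUDONYMS          # pseudonym the server can map
    reauth_ok = identity in REAUTH_IDS          # re-auth identity it can map
    if req_used == AT_PERMANENT_ID_REQ:
        return "EAP-Request/SIM/Challenge" if is_perm else "EAP-Failure"
    if is_perm or pseudo_ok:
        return "EAP-Request/SIM/Challenge"      # proceed with full authentication
    if req_used == AT_FULLAUTH_ID_REQ:
        return start_with(AT_PERMANENT_ID_REQ)  # unmappable pseudonym or unknown id
    # Remaining cases: the server used AT_ANY_ID_REQ.
    if reauth_ok and allow_reauth:
        return "EAP-Request/SIM/Re-authentication"
    if reauth_ok:
        return start_with()                     # server declines re-authentication
    if identity.startswith("r-"):
        return start_with(AT_FULLAUTH_ID_REQ)   # re-auth identity the server lost
    if identity.startswith("p-"):
        return start_with(AT_PERMANENT_ID_REQ)  # pseudonym the server lost
    return start_with(AT_FULLAUTH_ID_REQ)       # cannot recognize or classify

def valid_start_rounds(reqs: list) -> bool:
    """Constraints on the identity requests used across successive Start rounds."""
    if len(reqs) > 3:                           # at most three Start rounds
        return False
    for i, req in enumerate(reqs):
        if req == AT_ANY_ID_REQ and i > 0:      # AT_ANY_ID_REQ only in the first
            return False
        if req == AT_FULLAUTH_ID_REQ and i > 0 and reqs[i - 1] == AT_PERMANENT_ID_REQ:
            return False                        # no AT_FULLAUTH_ID_REQ after PERMANENT
    return True
```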
Full Authentication

This case for full authentication is illustrated in the figure below. In this case, AT_IDENTITY contains either the permanent identity or a pseudonym identity. The same sequence is also used in case the server uses the AT_FULLAUTH_ID_REQ in EAP-Request/SIM/Start.

Peer                                       Authenticator
|                                                      |
|                       +------------------------------+
|                       | Server does not have any     |
|                       | Subscriber identity available|
|                       | When starting EAP/SIM        |
|                       +------------------------------+
|                                                      |
|                      EAP-Request/SIM/Start           |
|                      (AT_ANY_ID_REQ, AT_VERSION_LIST)|
|<-----------------------------------------------------|
|                                                      |
|                                                      |
| EAP-Response/SIM/Start                               |
| (AT_IDENTITY, AT_NONCE_MT,                           |
|  AT_SELECTED_VERSION)                                |
|----------------------------------------------------->|
|                                                      |

If the peer uses its full authentication identity and the AT_IDENTITY attribute contains a valid permanent identity or a valid pseudonym identity that the EAP server is able to map to the permanent identity, then the full authentication sequence proceeds as usual with the EAP Server issuing the EAP-Request/SIM/Challenge message.

Re-authentication

The case when the server uses the AT_ANY_ID_REQ and the peer wants to perform re-authentication is illustrated below.

Peer                                       Authenticator
|                                                      |
|                       +------------------------------+
|                       | Server does not have any     |
|                       | Subscriber identity available|