Internet Engineering Task Force (IETF)                           G. Zorn
Request for Comments: 5904                                   Network Zen
Category: Informational                                        June 2010
ISSN: 2070-1721
        

RADIUS Attributes for IEEE 802.16 Privacy Key Management Version 1 (PKMv1) Protocol Support

Abstract

This document defines a set of Remote Authentication Dial-In User Service (RADIUS) Attributes that are designed to provide RADIUS support for IEEE 802.16 Privacy Key Management Version 1.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5904.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.

Table of Contents

   1.  Introduction
   2.  Acronyms
   3.  Attributes
     3.1.  PKM-SS-Cert
     3.2.  PKM-CA-Cert
     3.3.  PKM-Config-Settings
     3.4.  PKM-Cryptosuite-List
     3.5.  PKM-SAID
     3.6.  PKM-SA-Descriptor
     3.7.  PKM-AUTH-Key
       3.7.1.  AUTH-Key Protection
   4.  Table of Attributes
   5.  Diameter Considerations
   6.  Security Considerations
   7.  IANA Considerations
   8.  Contributors
   9.  Acknowledgements
   10. References
     10.1. Normative References
     10.2. Informative References
        
1. Introduction

Privacy Key Management Version 1 (PKMv1) [IEEE.802.16-2004] is a public-key-based authentication and key establishment protocol typically used in fixed wireless broadband network deployments. The protocol utilizes X.509 v3 certificates [RFC2459], RSA encryption [RFC2437], and a variety of secret key cryptographic methods to allow an 802.16 Base Station (BS) to authenticate a Subscriber Station (SS) and perform key establishment and maintenance between an SS and BS.

This document defines a set of RADIUS Attributes that are designed to provide support for PKMv1. The target audience for this document consists of those developers implementing RADIUS support for PKMv1; therefore, familiarity with both RADIUS [RFC2865] and the IEEE 802.16-2004 standard is assumed.

Please note that this document relies on IEEE.802.16-2004, which references RFC 2437 and RFC 2459, rather than any more recent RFCs on RSA and X.509 certificates (e.g., RFC 3447 and RFC 5280).

2. Acronyms

CA Certification Authority; a trusted party issuing and signing X.509 certificates.

For further information on the following terms, please see Section 7 of [IEEE.802.16-2004].

SA Security Association

SAID Security Association Identifier

TEK Traffic Encryption Key

3. Attributes

The following subsections describe the Attributes defined by this document. This specification concerns the following values:

137 PKM-SS-Cert
138 PKM-CA-Cert
139 PKM-Config-Settings
140 PKM-Cryptosuite-List
141 PKM-SAID
142 PKM-SA-Descriptor
143 PKM-Auth-Key

3.1. PKM-SS-Cert

Description

The PKM-SS-Cert Attribute is variable length and MAY be transmitted in the Access-Request message. The Value field is of type string and contains the X.509 certificate [RFC2459] binding a public key to the identifier of the Subscriber Station.

The minimum size of an SS certificate exceeds the maximum size of a RADIUS attribute. Therefore, the client MUST encapsulate the certificate in the Value fields of two or more instances of the PKM-SS-Cert Attribute, each (except possibly the last) having a length of 255 octets. These multiple PKM-SS-Cert Attributes MUST appear consecutively and in order within the packet. Upon receipt, the RADIUS server MUST recover the original certificate by concatenating the Value fields of the received PKM-SS-Cert Attributes in order.

A summary of the PKM-SS-Cert Attribute format is shown below. The fields are transmitted from left to right.

                          1                   2
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Type       |      Len      |    Value...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        
Type

137 for PKM-SS-Cert

Len

> 2

Value

The Value field is variable length and contains a (possibly complete) portion of an X.509 certificate.

3.2. PKM-CA-Cert

Description

The PKM-CA-Cert Attribute is variable length and MAY be transmitted in the Access-Request message. The Value field is of type string and contains the X.509 certificate [RFC2459] used by the CA to sign the SS certificate carried in the PKM-SS-Cert attribute (Section 3.1) in the same message.

The minimum size of a CA certificate exceeds the maximum size of a RADIUS attribute. Therefore, the client MUST encapsulate the certificate in the Value fields of two or more instances of the PKM-CA-Cert Attribute, each (except possibly the last) having a length of 255 octets. These multiple PKM-CA-Cert Attributes MUST appear consecutively and in order within the packet. Upon receipt, the RADIUS server MUST recover the original certificate by concatenating the Value fields of the received PKM-CA-Cert Attributes in order.

A summary of the PKM-CA-Cert Attribute format is shown below. The fields are transmitted from left to right.

                          1                   2
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Type       |      Len      |    Value...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        
Type

138 for PKM-CA-Cert

Len

> 2

Value

The Value field is variable length and contains a (possibly complete) portion of an X.509 certificate.
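
The fragmentation rule that Sections 3.1 and 3.2 share, as an added Python example written for this page (it is not code from the RFC or from any 802.16 implementation). The client splits the certificate into consecutive attributes of Length 255 (253 octets of Value each, the last one shorter), and the server rejects fragment runs that are out of order, interleaved with other attributes, or have a short non-final fragment. The certificate bytes are a constructed stand-in for DER.

```python
import struct

PKM_SS_CERT = 137
PKM_CA_CERT = 138
MAX_ATTR_LEN = 255                 # RADIUS attribute Length includes the 2-octet header
MAX_VALUE_LEN = MAX_ATTR_LEN - 2   # so each full fragment carries 253 octets of certificate


def fragment_certificate(attr_type, cert_der):
    """Client side: split the certificate into consecutive attributes of attr_type,
    each of Length 255 except possibly the last (Sections 3.1 and 3.2)."""
    if attr_type not in (PKM_SS_CERT, PKM_CA_CERT):
        raise ValueError("attr_type must be PKM-SS-Cert (137) or PKM-CA-Cert (138)")
    if not cert_der:
        raise ValueError("empty certificate")
    attrs = []
    for off in range(0, len(cert_der), MAX_VALUE_LEN):
        chunk = cert_der[off:off + MAX_VALUE_LEN]
        attrs.append(struct.pack(">BB", attr_type, 2 + len(chunk)) + chunk)
    return attrs


def iter_attributes(data):
    """Walk a RADIUS attribute list, yielding (type, value) and rejecting
    truncated or mis-lengthed attributes."""
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("attribute Length out of range")
        yield attr_type, data[off + 2:off + length]
        off += length


def reassemble_certificate(attr_type, data):
    """Server side: concatenate the Value fields of the attributes of attr_type.
    They MUST appear consecutively and in order, and every fragment but the
    last MUST be 255 octets long (Value of 253 octets)."""
    fragments, run_open, run_closed = [], False, False
    for t, value in iter_attributes(data):
        if t != attr_type:
            if run_open:                    # the run of fragments has ended
                run_open, run_closed = False, True
            continue
        if run_closed:                      # a second, separate run: not consecutive
            raise ValueError("certificate fragments are not consecutive")
        run_open = True
        fragments.append(value)
    if not fragments:
        raise ValueError("no certificate attribute present")
    if any(len(f) != MAX_VALUE_LEN for f in fragments[:-1]):
        raise ValueError("only the last fragment may be shorter than 255 octets")
    return b"".join(fragments)


def certificate_stream_is_valid(attr_type, data):
    """Convenience predicate: True when reassembly succeeds under the rules above."""
    try:
        reassemble_certificate(attr_type, data)
        return True
    except ValueError:
        return False
```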

3.3. PKM-Config-Settings

Description

The PKM-Config-Settings Attribute is of type string [RFC2865]. It is 30 octets in length and consists of seven independent fields, each of which is conceptually an unsigned integer. Each of the fields contains a timeout value and corresponds to a Type-Length-Value (TLV) tuple encapsulated in the IEEE 802.16 "PKM configuration settings" attribute; for details on the contents of each field, see Section 11.9.19 of [IEEE.802.16-2004]. One instance of the PKM-Config-Settings Attribute MAY be included in the Access-Accept message.

A summary of the PKM-Config-Settings Attribute format is shown below. The fields are transmitted from left to right.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Type       |      Len      |       Auth Wait Timeout
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       Auth Wait Timeout (cont.)   |      Reauth Wait Timeout
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      Reauth Wait Timeout (cont.)  |        Auth Grace Time
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Auth Grace Time (cont.)    |        Op Wait Timeout
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Op Wait Timeout (cont.)    |       Rekey Wait Timeout
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      Rekey Wait Timeout (cont.)   |         TEK Grace Time
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        TEK Grace Time (cont.)     |     Auth Rej Wait Timeout
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Auth Rej Wait Timeout (cont.) |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        
Type

139 for PKM-Config-Settings

Len

30

Auth Wait Timeout

The Auth Wait Timeout field is 4 octets in length and corresponds to the "Authorize wait timeout" field of the 802.16 "PKM configuration settings" attribute.

Reauth Wait Timeout

The Reauth Wait Timeout field is 4 octets in length and corresponds to the "Reauthorize wait timeout" field of the 802.16 "PKM configuration settings" attribute.

Auth Grace Time

The Auth Grace Time field is 4 octets in length and corresponds to the "Authorize grace time" field of the 802.16 "PKM configuration settings" attribute.

Op Wait Timeout

The Op Wait Timeout field is 4 octets in length and corresponds to the "Operational wait timeout" field of the 802.16 "PKM configuration settings" attribute.

Rekey Wait Timeout

The Rekey Wait Timeout field is 4 octets in length and corresponds to the "Rekey wait timeout" field of the 802.16 "PKM configuration settings" attribute.

TEK Grace Time

The TEK Grace Time field is 4 octets in length and corresponds to the "TEK grace time" field of the 802.16 "PKM configuration settings" attribute.

Auth Rej Wait Timeout

The Auth Rej Wait Timeout field is 4 octets in length and corresponds to the "Authorize reject wait timeout" field of the 802.16 "PKM configuration settings" attribute.

3.4. PKM-Cryptosuite-List

Description

The PKM-Cryptosuite-List Attribute is of type string [RFC2865] and is variable length; it corresponds roughly to the "Cryptographic-Suite-List" 802.16 attribute (see Section 11.19.15 of [IEEE.802.16-2004]), the difference being that the RADIUS Attribute contains only the list of 3-octet cryptographic suite identifiers, omitting the IEEE Type and Length fields.

The PKM-Cryptosuite-List Attribute MAY be present in an Access-Request message. Any message in which the PKM-Cryptosuite-List Attribute is present MUST also contain an instance of the Message-Authenticator Attribute [RFC3579].

Implementation Note

The PKM-Cryptosuite-List Attribute is used as a building block to create the 802.16 "Security-Capabilities" attribute ([IEEE.802.16-2004], Section 11.9.13); since this document only pertains to PKM version 1, the "Version" sub-attribute in that structure MUST be set to 0x01 when the RADIUS client constructs it.

A summary of the PKM-Cryptosuite-List Attribute format is shown below. The fields are transmitted from left to right.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Type     |      Len      |          Value...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        
Type

140 for PKM-Cryptosuite-List

Len

2 + 3n < 39, where 'n' is the number of cryptosuite identifiers in the list.

Value

The Value field is variable length and contains a sequence of one or more cryptosuite identifiers, each of which is 3 octets in length and corresponds to the Value field of an IEEE 802.16 Cryptographic-Suite attribute.

3.5. PKM-SAID

Description

The PKM-SAID Attribute is of type string [RFC2865]. It is 4 octets in length and contains a PKM Security Association Identifier ([IEEE.802.16-2004], Section 11.9.7). It MAY be included in an Access-Request message.

A summary of the PKM-SAID Attribute format is shown below. The fields are transmitted from left to right.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Type     |      Len      |            SAID               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        
Type

141 for PKM-SAID

Len

4

SAID

The SAID field is two octets in length and corresponds to the Value field of the 802.16 PKM SAID attribute.

3.6. PKM-SA-Descriptor

Description

The PKM-SA-Descriptor Attribute is of type string and is 8 octets in length. It contains three fields, described below, which together specify the characteristics of a PKM security association. One or more instances of the PKM-SA-Descriptor Attribute MAY occur in an Access-Accept message.

A summary of the PKM-SA-Descriptor Attribute format is shown below. The fields are transmitted from left to right.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Type     |      Len      |            SAID               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    SA Type    |                Cryptosuite                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        
Type

142 for PKM-SA-Descriptor

Len

8

SAID

The SAID field is two octets in length and contains a PKM SAID (Section 3.5).

SA Type

The SA Type field is one octet in length. The contents correspond to those of the Value field of an IEEE 802.16 SA-Type attribute.

Cryptosuite

The Cryptosuite field is 3 octets in length. The contents correspond to those of the Value field of an IEEE 802.16 Cryptographic-Suite attribute.

3.7. PKM-AUTH-Key

Description

The PKM-AUTH-Key Attribute is of type string, 135 octets in length. It consists of 3 fields, described below, which together specify the characteristics of a PKM authorization key. The PKM-AUTH-Key Attribute MAY occur in an Access-Accept message. Any packet that contains an instance of the PKM-AUTH-Key Attribute MUST also contain an instance of the Message-Authenticator Attribute [RFC3579].

A summary of the PKM-AUTH-Key Attribute format is shown below. The fields are transmitted from left to right.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Type     |      Len      |           Lifetime
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Lifetime (cont.)      |    Sequence   |     Key...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        
Type

143 for PKM-AUTH-Key

Len

135

Lifetime

The Lifetime field is 4 octets in length and represents the lifetime, in seconds, of the authorization key. For more information, see Section 11.9.4 of [IEEE.802.16-2004].

Sequence

The Sequence field is one octet in length. The contents correspond to those of the Value field of an IEEE 802.16 Key-Sequence-Number attribute (see [IEEE.802.16-2004], Section 11.9.5).

Key

The Key field is 128 octets in length. The contents correspond to those of the Value field of an IEEE 802.16 AUTH-Key attribute. The Key field MUST be encrypted under the public key from the Subscriber Station certificate (Section 3.1) using RSA encryption [RFC2437]; see Section 7.5 of [IEEE.802.16-2004] for further details.

Implementation Note

It is necessary that a plaintext copy of this field be returned in the Access-Accept message; appropriate precautions MUST be taken to ensure the confidentiality of the key.
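
An added encoder/decoder for the three fixed-length Access-Accept attributes of Sections 3.3, 3.6 and 3.7, written for this page and not taken from the RFC. Besides the per-field layout it enforces the fixed Len of each attribute, the occurrence limits of the Section 4 table, and the rule that a packet carrying PKM-AUTH-Key also carries Message-Authenticator. Timeout values, SAID and suite identifier are constructed samples; the 128-octet Key field is treated as opaque RSA ciphertext, since the RSA step is outside this example.

```python
import struct

PKM_CONFIG_SETTINGS = 139
PKM_SA_DESCRIPTOR = 142
PKM_AUTH_KEY = 143
MESSAGE_AUTHENTICATOR = 80   # RFC 3579

# The seven 4-octet timeouts of PKM-Config-Settings, in wire order (Section 3.3).
CONFIG_FIELDS = ("auth_wait_timeout", "reauth_wait_timeout", "auth_grace_time",
                 "op_wait_timeout", "rekey_wait_timeout", "tek_grace_time",
                 "auth_rej_wait_timeout")


def _attribute(attr_type, value):
    """Prefix a Value with the RADIUS Type/Len header (Len counts the header)."""
    if len(value) > 253:
        raise ValueError("Value does not fit a single attribute")
    return struct.pack(">BB", attr_type, 2 + len(value)) + value


def encode_config_settings(timeouts):
    """timeouts: dict keyed by CONFIG_FIELDS, each an unsigned 32-bit value."""
    missing = [name for name in CONFIG_FIELDS if name not in timeouts]
    if missing:
        raise ValueError("missing timeout fields: %s" % ", ".join(missing))
    values = [timeouts[name] for name in CONFIG_FIELDS]
    return _attribute(PKM_CONFIG_SETTINGS, struct.pack(">7I", *values))


def encode_sa_descriptor(said, sa_type, cryptosuite):
    """SAID (2 octets), SA Type (1 octet), Cryptosuite (3 octets)."""
    if len(cryptosuite) != 3:
        raise ValueError("Cryptosuite is a 3-octet identifier")
    return _attribute(PKM_SA_DESCRIPTOR, struct.pack(">HB3s", said, sa_type, cryptosuite))


def encode_auth_key(lifetime, sequence, encrypted_key):
    """Lifetime (4 octets, seconds), Sequence (1 octet), Key (128 octets of RSA
    ciphertext under the SS public key, produced elsewhere)."""
    if len(encrypted_key) != 128:
        raise ValueError("Key field is exactly 128 octets")
    return _attribute(PKM_AUTH_KEY, struct.pack(">IB128s", lifetime, sequence, encrypted_key))


def decode_pkm_attribute(attr):
    """Decode one attribute, enforcing the fixed Len each section specifies."""
    if len(attr) < 2 or attr[1] != len(attr):
        raise ValueError("attribute Len does not match the data")
    attr_type, value = attr[0], attr[2:]
    if attr_type == PKM_CONFIG_SETTINGS:
        if len(attr) != 30:
            raise ValueError("PKM-Config-Settings Len must be 30")
        return {"type": attr_type, **dict(zip(CONFIG_FIELDS, struct.unpack(">7I", value)))}
    if attr_type == PKM_SA_DESCRIPTOR:
        if len(attr) != 8:
            raise ValueError("PKM-SA-Descriptor Len must be 8")
        said, sa_type, suite = struct.unpack(">HB3s", value)
        return {"type": attr_type, "said": said, "sa_type": sa_type, "cryptosuite": suite}
    if attr_type == PKM_AUTH_KEY:
        if len(attr) != 135:
            raise ValueError("PKM-AUTH-Key Len must be 135")
        lifetime, sequence, key = struct.unpack(">IB128s", value)
        return {"type": attr_type, "lifetime": lifetime, "sequence": sequence,
                "encrypted_key": key}
    raise ValueError("type %d is not a PKM Access-Accept attribute" % attr_type)


def check_access_accept(attrs):
    """Decode the PKM attributes of an Access-Accept (a list of encoded attributes)
    and enforce the Section 4 table: 0-1 PKM-Config-Settings, 0+ PKM-SA-Descriptor,
    0-1 PKM-AUTH-Key, and Message-Authenticator whenever PKM-AUTH-Key is present."""
    types = [a[0] for a in attrs if a]
    if types.count(PKM_CONFIG_SETTINGS) > 1 or types.count(PKM_AUTH_KEY) > 1:
        raise ValueError("at most one PKM-Config-Settings and one PKM-AUTH-Key")
    if PKM_AUTH_KEY in types and MESSAGE_AUTHENTICATOR not in types:
        raise ValueError("PKM-AUTH-Key requires Message-Authenticator in the same packet")
    pkm_types = (PKM_CONFIG_SETTINGS, PKM_SA_DESCRIPTOR, PKM_AUTH_KEY)
    return [decode_pkm_attribute(a) for a in attrs if a and a[0] in pkm_types]


def access_accept_is_well_formed(attrs):
    """Predicate form of check_access_accept for callers that only need a verdict."""
    try:
        check_access_accept(attrs)
        return True
    except ValueError:
        return False
```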

3.7.1. AUTH-Key Protection

The PKM-AUTH-Key Attribute (Section 3.7) contains the AUTH-Key encrypted with the SS's public key. The BS also needs the AK, so a second copy of the AK needs to be returned in the Access-Accept message.

It is RECOMMENDED that the AK is encapsulated in an instance of the MS-MPPE-Send-Key Attribute [RFC2548]. However, see Section 4.3.4 of RFC 3579 [RFC3579] for details regarding weaknesses in the encryption scheme used.

If better means for protecting the Auth-Key are available (such as RADIUS key attributes with better security properties, or means of protecting the whole Access-Accept message), they SHOULD be used instead of (or in addition to) the MS-MPPE-Send-Key Attribute.
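
The MS-MPPE-Send-Key encapsulation recommended above, as an added Python example for this page (not code from the RFC or from RFC 2548): the RFC 2548 Section 2.4.2 scheme, where the AK is prefixed with its length, zero-padded to 16-octet blocks and XORed with an MD5 keystream derived from the shared secret, the Request Authenticator and a 2-octet Salt, then carried in a Vendor-Specific attribute (Vendor-Id 311, Vendor-Type 16). The 20-octet AK, secret and Request Authenticator are constructed samples; the comments note why the scheme has the weaknesses the text refers to.

```python
import hashlib
import os
import struct

VENDOR_SPECIFIC = 26      # RADIUS Vendor-Specific attribute type
MS_VENDOR_ID = 311        # Microsoft
MS_MPPE_SEND_KEY = 16     # RFC 2548 Section 2.4.2 Vendor-Type


def _mppe_blocks(secret, request_auth, salt, data, decrypting):
    """Block loop shared by both directions: block i is XORed with MD5(S || c(i-1)),
    where c(0) = Request Authenticator || Salt and c(i) is the ciphertext block
    (the previous output when encrypting, the previous input when decrypting).
    Confidentiality rests entirely on the shared secret and MD5, and nothing here
    detects modification, which is the weakness the text points to."""
    out, prev = b"", request_auth + salt
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, mask))
        out += xored
        prev = block if decrypting else xored
    return out


def mppe_encrypt(secret, request_auth, salt, key):
    """P = Key-Length || Key, zero-padded to a multiple of 16 octets."""
    if not 1 <= len(key) <= 255:
        raise ValueError("Key-Length is a single octet")
    plain = bytes([len(key)]) + key
    plain += bytes(-len(plain) % 16)
    return _mppe_blocks(secret, request_auth, salt, plain, decrypting=False)


def mppe_decrypt(secret, request_auth, salt, cipher):
    """Inverse of mppe_encrypt; the recovered Key-Length must fit the data."""
    if not cipher or len(cipher) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 octets")
    plain = _mppe_blocks(secret, request_auth, salt, cipher, decrypting=True)
    key_len = plain[0]
    if key_len > len(plain) - 1:
        raise ValueError("Key-Length exceeds decrypted data (wrong secret or corrupted)")
    return plain[1:1 + key_len]


def encode_ms_mppe_send_key(secret, request_auth, ak, salt=None):
    """Wrap the AK as Vendor-Specific / Vendor-Id 311 / MS-MPPE-Send-Key.
    Salt is 2 octets with the most significant bit set and must be unique per packet."""
    if salt is None:
        first, second = os.urandom(2)
        salt = bytes([first | 0x80, second])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("Salt must be 2 octets with the most significant bit set")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    string = salt + mppe_encrypt(secret, request_auth, salt, ak)
    vsa = struct.pack(">IBB", MS_VENDOR_ID, MS_MPPE_SEND_KEY, 2 + len(string)) + string
    if 2 + len(vsa) > 255:
        raise ValueError("encrypted key does not fit one attribute")
    return struct.pack(">BB", VENDOR_SPECIFIC, 2 + len(vsa)) + vsa


def decode_ms_mppe_send_key(secret, request_auth, attr):
    """Inverse of encode_ms_mppe_send_key, checking every length on the way in."""
    if len(attr) < 10 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id, vtype, vlen = struct.unpack(">IBB", attr[2:8])
    if vendor_id != MS_VENDOR_ID or vtype != MS_MPPE_SEND_KEY or vlen != len(attr) - 6:
        raise ValueError("not an MS-MPPE-Send-Key attribute")
    salt, cipher = attr[8:10], attr[10:]
    return mppe_decrypt(secret, request_auth, salt, cipher)
```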

4. Table of Attributes

The following table provides a guide to which attributes may be found in which kinds of packets, and in what quantity.

   Request Accept Reject Challenge Acct-Req  #   Attribute
   0+      0      0      0         0        137 PKM-SS-Cert [Note 1]
   0+      0      0      0         0        138 PKM-CA-Cert [Note 2]
   0       0-1    0      0         0        139 PKM-Config-Settings
   0-1     0      0      0         0        140 PKM-Cryptosuite-List
   0-1     0      0      0         0        141 PKM-SAID
   0       0+     0      0         0        142 PKM-SA-Descriptor
   0       0-1    0      0         0        143 PKM-Auth-Key
   0       0-1    0      0         0             MS-MPPE-Send-Key
                                                    [Note 3]
        
[Note 1] No more than one Subscriber Station Certificate may be transferred in an Access-Request packet.

[Note 2] No more than one CA Certificate may be transferred in an Access-Request packet.

[Note 3] MS-MPPE-Send-Key is one possible attribute that can be used to convey the AK to the BS; other attributes can be used instead (see Section 3.7.1).

The following table defines the meaning of the above table entries.

   0     This attribute MUST NOT be present in packet.

   0+    Zero or more instances of this attribute MAY be present in packet.

   0-1   Zero or one instance of this attribute MAY be present in packet.

   1     Exactly one instance of this attribute MUST be present in packet.

5. Diameter Considerations

Since the Attributes defined in this document are allocated from the standard RADIUS type space (see Section 7), no special handling is required by Diameter nodes.

6. Security Considerations

Section 4 of RFC 3579 [RFC3579] discusses vulnerabilities of the RADIUS protocol.

Section 3 of the paper "Security Enhancements for Privacy and Key Management Protocol in IEEE 802.16e-2005" [SecEn] discusses the operation and vulnerabilities of the PKMv1 protocol.

If the Access-Request message is not subject to strong integrity protection, an attacker may be able to modify the contents of the PKM-Cryptosuite-List Attribute, weakening 802.16 security or disabling data encryption altogether.

If the Access-Accept message is not subject to strong integrity protection, an attacker may be able to modify the contents of the PKM-Auth-Key Attribute. For example, the Key field could be replaced with a key known to the attacker.
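
An added Python example for the Message-Authenticator requirement of Section 3.4 and the Access-Request tampering concern above; it is written for this page and is not code from the RFC. The client builds an Access-Request carrying PKM-Cryptosuite-List and PKM-SAID and fills in Message-Authenticator as RFC 3579 specifies (HMAC-MD5 keyed with the shared secret over the whole packet with the Message-Authenticator value zeroed); the server only hands the suite list to SA negotiation when that HMAC verifies, so a list modified in transit is dropped rather than weakening the negotiation. Shared secret, Request Authenticator, suite identifiers and SAID are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80   # RFC 3579 Section 3.2
PKM_CRYPTOSUITE_LIST = 140
PKM_SAID = 141


def encode_cryptosuite_list(suites):
    """Value = concatenated 3-octet identifiers without the IEEE Type/Length;
    Len = 2 + 3n < 39, so at most 12 identifiers."""
    if not suites or any(len(s) != 3 for s in suites):
        raise ValueError("one or more 3-octet cryptosuite identifiers required")
    value = b"".join(suites)
    if 2 + len(value) >= 39:
        raise ValueError("Len must stay below 39 (at most 12 identifiers)")
    return struct.pack(">BB", PKM_CRYPTOSUITE_LIST, 2 + len(value)) + value


def encode_said(said):
    """PKM-SAID: Len 4, a 2-octet Security Association Identifier."""
    return struct.pack(">BBH", PKM_SAID, 4, said)


def build_access_request(identifier, request_auth, attrs, secret):
    """Assemble Code/Identifier/Length/Authenticator/attributes and append a
    Message-Authenticator computed as HMAC-MD5(secret, packet with the
    Message-Authenticator value set to 16 zero octets)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    body = b"".join(attrs) + struct.pack(">BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def find_attribute(pkt, attr_type):
    """Return (offset, value) of the first attribute of attr_type after the 20-octet header."""
    off = 20
    while off + 2 <= len(pkt):
        t, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            raise ValueError("malformed attribute at offset %d" % off)
        if t == attr_type:
            return off, pkt[off + 2:off + length]
        off += length
    return None


def verify_message_authenticator(pkt, secret):
    """Recompute the HMAC over the packet with the received value zeroed out."""
    found = find_attribute(pkt, MESSAGE_AUTHENTICATOR)
    if found is None or len(found[1]) != 16:
        return False
    off, received = found
    zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def accepted_cryptosuites(pkt, secret):
    """Server side of Sections 3.4 and 6: return the offered suite identifiers only
    when the request carries a valid Message-Authenticator; otherwise None, so a
    modified or unprotected list never reaches SA negotiation."""
    found = find_attribute(pkt, PKM_CRYPTOSUITE_LIST)
    if found is None:
        return None
    if not verify_message_authenticator(pkt, secret):
        return None
    value = found[1]
    if not value or len(value) % 3:
        return None
    return [value[i:i + 3] for i in range(0, len(value), 3)]
```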

See Section 3.7.1 for security considerations of sending the authorization key to the BS.

7. IANA Considerations

IANA has assigned numbers for the following Attributes:

137 PKM-SS-Cert
138 PKM-CA-Cert
139 PKM-Config-Settings
140 PKM-Cryptosuite-List
141 PKM-SAID
142 PKM-SA-Descriptor
143 PKM-Auth-Key

The Attribute numbers are to be allocated from the standard RADIUS Attribute type space according to the "IETF Review" policy [RFC5226].

8. Contributors

Pasi Eronen provided most of the text in Section 3.7.1.

9. Acknowledgements

Thanks (in no particular order) to Bernard Aboba, Donald Eastlake, Dan Romascanu, Avshalom Houri, Juergen Quittek, Pasi Eronen, and Alan DeKok for their mostly useful reviews of this document.

10. References
10.1. Normative References

[IEEE.802.16-2004] Institute of Electrical and Electronics Engineers, "IEEE Standard for Local and metropolitan area networks, Part 16: Air Interface for Fixed Broadband Wireless Access Systems", IEEE Standard 802.16, October 2004.

[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)", RFC 3579, September 2003.

[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.

10.2. Informative References

[RFC2437] Kaliski, B. and J. Staddon, "PKCS #1: RSA Cryptography Specifications Version 2.0", RFC 2437, October 1998.

[RFC2459] Housley, R., Ford, W., Polk, T., and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and CRL Profile", RFC 2459, January 1999.

[RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS Attributes", RFC 2548, March 1999.

[SecEn] Altaf, A., Jawad, M., and A. Ahmed, "Security Enhancements for Privacy and Key Management Protocol in IEEE 802.16e-2005", Ninth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, 2008.

Author's Address

   Glen Zorn
   Network Zen
   1463 East Republican Street #358
   Seattle, WA 98112
   US

   EMail: gwz@net-zen.net
        