EAP Extensions for EAP Re-authentication Protocol (ERP): The upcoming wireless security upgrade

The ERP proposal [rfc5296] is the solution adopted by the IETF HOKEY working group for improving the EAP keying architecture. The aim of ERP is to avoid having the wireless station repeat the entire EAP exchange with every new EAP authenticator it encounters. The ERP proposal specifies extensions to EAP and the EAP keying hierarchy to support an EAP method-independent protocol for efficient re-authentication between the peer and an EAP re-authentication server.

Overview of the ERP extension

The ERP proposal defines two bootstrapping modes: implicit and explicit. In the implicit bootstrapping mode the peer performs an EAP authentication with its home AAA server. During the authentication, the local AAA server includes ERP information to request a Domain-Specific Root Key (DSRK) from the home AAA server that will be used for later phases of the ERP protocol. The local EAP Re-authentication (ER) server, presumably co-located with the local AAA server, extracts the DSRK from the EAP Success message sent by the home EAP server upon successful EAP authentication.

When the station performs a handoff, it uses the ERP extension to authenticate with the local ER server instead of performing a full EAP authentication with the home EAP server. In order to use the ERP extension with a new access point, the station needs to derive the DSRK from the EMSK. For this, the station needs the domain name of the ER server that holds the DSRK that resulted from the initial EAP authentication.

The implicit bootstrapping mode assumes the use of link-layer-specific announcements that advertise the local domain name. These announcements are issued by ERP-capable access points and are called EAP-Initiate/Re-auth-Start packets. If the wireless station misses the announcement, or receives an EAP-Request/Identity message before the EAP-Initiate/Re-auth-Start message, it needs to perform additional processing to obtain the domain name of the local ER server that holds the DSRK. This case is referred to as the explicit bootstrapping mode. In this mode, the wireless station sends an EAP-Initiate/Re-auth message with the bootstrapping flag set. The bootstrapping message is forwarded to the wireless station's home AAA server. The home AAA server issues an EAP-Finish/Re-auth that includes a DSRK and the domain name of the local ER server. The explicit bootstrapping mode therefore can only happen after the initial full EAP authentication has occurred. The wireless station can initiate the explicit bootstrapping mode to obtain the local domain name either through the access point through which it performed the initial full EAP authentication or through a new access point.
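To make concrete why the station cannot re-authenticate until it knows the local domain name, here is an added example (not part of the original article) that derives the ERP key hierarchy of RFC 5295/5296 in Python: DSRK from the EMSK and domain name, then rRK and rIK. The key labels are quoted from memory of the RFCs and the cryptosuite value is a constructed choice, so verify both against the RFC text before relying on them for interoperability.

```python
# Added example: ERP key hierarchy (RFC 5295/5296), not code from the article.
# Labels below are recalled from the RFCs; check them against the RFC text.
import hmac
import hashlib

ROOT_KEY_LEN = 64  # default root-key length in octets (RFC 5295)


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """IKEv2-style PRF+ with HMAC-SHA-256, the default EMSK KDF in RFC 5295:
    T1 = HMAC(K, S | 0x01), Tn = HMAC(K, T(n-1) | S | n)."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([n]), hashlib.sha256).digest()
        out += prev
        n += 1
    return out[:length]


def kdf(key: bytes, label: str, optional_data: bytes, length: int = ROOT_KEY_LEN) -> bytes:
    # Seed layout: key label | "\0" | optional data | 2-octet output length.
    seed = label.encode("ascii") + b"\x00" + optional_data + length.to_bytes(2, "big")
    return prf_plus(key, seed, length)


def derive_dsrk(emsk: bytes, domain: str) -> bytes:
    # The DSRK is bound to the ER server's domain name via the optional data,
    # which is why the station must learn that name before it can derive it.
    return kdf(emsk, "dsrk@ietf.org", domain.encode("ascii"))


def derive_rrk(root: bytes) -> bytes:
    return kdf(root, "EAP Re-authentication Root Key@ietf.org", b"")


def derive_rik(rrk: bytes, cryptosuite: int) -> bytes:
    # Simplification: the default length is used; the RFC ties rIK length to the suite.
    return kdf(rrk, "Re-authentication Integrity Key@ietf.org", bytes([cryptosuite]))


def station_keys_match(emsk: bytes, station_domain: str, server_domain: str) -> bool:
    """The local ER server holds DSRK(server_domain); the station derives
    DSRK(station_domain). Re-authentication only succeeds if the rIKs agree."""
    cryptosuite = 2  # constructed code point for the example
    station_rik = derive_rik(derive_rrk(derive_dsrk(emsk, station_domain)), cryptosuite)
    server_rik = derive_rik(derive_rrk(derive_dsrk(emsk, server_domain)), cryptosuite)
    return hmac.compare_digest(station_rik, server_rik)


if __name__ == "__main__":
    emsk = bytes(range(64))  # constructed placeholder for a real EMSK
    print(station_keys_match(emsk, "visited.example", "visited.example"))  # True
    print(station_keys_match(emsk, "home.example", "visited.example"))     # False
```

The second call models a station that missed the EAP-Initiate/Re-auth-Start announcement and derived its keys for the wrong domain; the mismatch is exactly the situation the explicit bootstrapping exchange exists to repair.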

Deployment costs

The ERP proposal, adopted by the IETF as the solution for reducing EAP authentication delays, has some issues with regard to deployment costs. Indeed, ERP involves changes on the access points. These changes mainly consist of processing the EAP-Initiate/Re-auth message and issuing the EAP-Initiate/Re-auth-Start advertisement messages. Such a change requires upgrading the access points or buying new ones. For large-scale access networks, the cost of such operations may become an issue.
