ERP [RFC6942] AVPs

Diameter Support for the EAP Re-authentication Protocol (RFC6942)

This interface defines how the Diameter protocol supports the EAP Re-authentication Protocol (ERP) as specified in [RFC6696]. It details the transport of ERP messages during re-authentication, including both the bootstrapping phase—where a root key is derived from the Extended Master Session Key (EMSK)—and the subsequent one-round-trip re-authentication exchange. Diameter leverages a new Application Identifier for ERP and reuses the existing Diameter EAP commands (DER/DEA) to carry these messages.

Purpose of the Diameter ERP Interface

• The interface enables fast, one-round-trip re-authentication between a peer and an ER server, supporting mutual authentication while reducing latency compared to full EAP exchanges.
• During bootstrapping, a root key derived from the EMSK is distributed from the EAP server to the ER server. This key is then used to derive further keys during subsequent re-authentication exchanges. The interface supports both implicit bootstrapping (with the initial EAP authentication) and explicit bootstrapping (during the first ERP exchange), ensuring secure key management.
• Diameter routing is configured to ensure ERP/DER messages reach an ER server that is topologically close to the peer. In cases where no local ER server is available, messages are routed based on the realm extracted from the keyName-NAI attribute, and appropriate error handling is provided if delivery fails.

Key Elements and Operational Workflow

ERP Bootstrapping:

• A root key for re-authentication is derived from the EMSK created during the initial EAP authentication.
• This root key is transported from the EAP server to the ER server and forms the basis for subsequent key derivations.

Re-authentication Process:

• The peer initiates an ERP exchange by sending an ERP/DER message with the Diameter ERP Application Identifier.
• The authenticator creates the ERP/DER message, and if a local ER server is available, Diameter routing ensures its delivery regardless of the Destination-Realm AVP.
• On receipt, the ER server searches its local database for a valid root key matching the keyName from the User-Name AVP.
• Upon a successful match, the ER server processes the ERP message and responds with an ERP/DEA answer that includes the re-authentication Master Session Key (rMSK).

Fallback and Error Handling:

• If no ER server is available—either in the local or home domain—the ERP/DER message triggers a DIAMETER_UNABLE_TO_DELIVER error, prompting the authenticator to possibly revert to a full EAP authentication procedure.
• The ER server may also act as a proxy by forwarding the message to the home EAP server (after adjusting the Application Id and appending an ERP-RK-Request AVP) if it does not possess the required root key locally.

For complete technical specification of Diameter Support for the EAP Re-authentication Protocol please refer to: [RFC6942]

package com.mobius.software.telco.protocols.diameter.primitives.rfc6942