Extensible Authentication Protocol (EAP)

Source: Internet   Editor: 程序博客网   Date: 2024/04/30 10:19
Reference: RFC 3748
1. Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. EAP provides its own support for duplicate elimination and retransmission, but is reliant on lower layer ordering guarantees. Fragmentation is not supported within EAP itself; however, individual EAP methods may support this.
To date, EAP has been implemented with hosts and routers that connect via switched circuits or dial-up lines using PPP [RFC1661]. It has also been implemented with switches and access points using IEEE 802 [IEEE-802]. EAP encapsulation on IEEE 802 wired media is described in [IEEE-802.1X], and encapsulation on IEEE wireless LANs in [IEEE-802.11i].

2. EAP was designed for use in network access authentication, where IP layer connectivity may not be available. Use of EAP for other purposes, such as bulk data transport, is NOT RECOMMENDED.

EAP is a lock-step protocol which only supports a single packet in flight. As a result, EAP cannot efficiently transport bulk data, unlike transport protocols such as TCP [RFC793] or SCTP [RFC2960].

3. Conceptually, EAP implementations consist of the following
   components:
   [a] Lower layer.  The lower layer is responsible for transmitting and
       receiving EAP frames between the peer and authenticator.  EAP has
       been run over a variety of lower layers including PPP, wired IEEE
       802 LANs [IEEE-802.1X], IEEE 802.11 wireless LANs [IEEE-802.11],
       UDP (L2TP [RFC2661] and IKEv2 [IKEv2]), and TCP [PIC].  Lower
       layer behavior is discussed in Section 3.
   [b] EAP layer.  The EAP layer receives and transmits EAP packets via
       the lower layer, implements duplicate detection and
       retransmission, and delivers and receives EAP messages to and
       from the EAP peer and authenticator layers.
   [c] EAP peer and authenticator layers.  Based on the Code field, the
       EAP layer demultiplexes incoming EAP packets to the EAP peer and
       authenticator layers.  Typically, an EAP implementation on a
       given host will support either peer or authenticator
       functionality, but it is possible for a host to act as both an
       EAP peer and authenticator.  In such an implementation both EAP
       peer and authenticator layers will be present.
   [d] EAP method layers.  EAP methods implement the authentication
       algorithms and receive and transmit EAP messages via the EAP peer
       and authenticator layers.  Since fragmentation support is not
       provided by EAP itself, this is the responsibility of EAP
       methods, which are discussed in Section 5.
   The EAP multiplexing model is illustrated in Figure 1 below.  Note
   that there is no requirement that an implementation conform to this
   model, as long as the on-the-wire behavior is consistent with it.
  

         +-+-+-+-+-+-+-+-+-+-+-+-+  +-+-+-+-+-+-+-+-+-+-+-+-+
         |           |           |  |           |           |
         | EAP method| EAP method|  | EAP method| EAP method|
         | Type = X  | Type = Y  |  | Type = X  | Type = Y  |
         |       V   |           |  |       ^   |           |
         +-+-+-+-!-+-+-+-+-+-+-+-+  +-+-+-+-!-+-+-+-+-+-+-+-+
         |       !               |  |       !               |
         |  EAP  ! Peer layer    |  |  EAP  ! Auth. layer   |
         |       !               |  |       !               |
         +-+-+-+-!-+-+-+-+-+-+-+-+  +-+-+-+-!-+-+-+-+-+-+-+-+
         |       !               |  |       !               |
         |  EAP  ! layer         |  |  EAP  ! layer         |
         |       !               |  |       !               |
         +-+-+-+-!-+-+-+-+-+-+-+-+  +-+-+-+-!-+-+-+-+-+-+-+-+
         |       !               |  |       !               |
         | Lower ! layer         |  | Lower ! layer         |
         |       !               |  |       !               |
         +-+-+-+-!-+-+-+-+-+-+-+-+  +-+-+-+-!-+-+-+-+-+-+-+-+
                 !                          !
                 !   Peer                   ! Authenticator
                 +------------>-------------+

                     Figure 1: EAP Multiplexing Model

Lower layer: transport is not necessarily reliable; it provides an error-detection mechanism; it is not necessarily secure; the minimum MTU is 1020 bytes; it provides packet ordering guarantees.


4. After EAP authentication is complete, the peer will typically transmit and receive data via the authenticator. It is desirable to provide assurance that the entities transmitting data are the same ones that successfully completed EAP authentication. To accomplish this, it is necessary for the lower layer to provide per-packet integrity, authentication and replay protection, and to bind these per-packet services to the keys derived during EAP authentication. Otherwise, it is possible for subsequent data traffic to be modified, spoofed, or replayed.
Where keying material for the lower layer ciphersuite is itself provided by EAP, ciphersuite negotiation and key activation are controlled by the lower layer. In PPP, ciphersuites are negotiated within ECP so that it is not possible to use keys derived from EAP authentication until the completion of ECP. Therefore, an initial EAP exchange cannot be protected by a PPP ciphersuite, although EAP re-authentication can be protected.
In IEEE 802 media, initial key activation also typically occurs after completion of EAP authentication. Therefore an initial EAP exchange typically cannot be protected by the lower layer ciphersuite, although an EAP re-authentication or pre-authentication exchange can be protected.

5. EAP packet format

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Data ...
   +-+-+-+-+

The Code field is one octet and identifies the Type of EAP packet. EAP Codes are assigned as follows:
   1  Request
   2  Response
   3  Success
   4  Failure
Since EAP only defines Codes 1-4, EAP packets with other codes MUST be silently discarded by both authenticators and peers.
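An added example, not code from the page or from RFC 3748: a parser for the header shown above that applies the silent-discard rules, plus a peer-side EAP layer that uses the Identifier field for the lock-step duplicate detection described in section 3. It assumes the RFC 3748 Length rules (Length covers the whole packet; a Length shorter than the header or longer than the received bytes means discard; trailing octets are padding), and the echo-back Response body is a constructed stand-in for real method-specific data.

```python
import struct

# EAP Codes defined by RFC 3748; any other value is silently discarded.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
HEADER = struct.Struct("!BBH")  # Code (1 octet), Identifier (1), Length (2), network order


def parse_eap(frame: bytes):
    """Return (code, identifier, data), or None when the packet must be discarded.

    Discard rules from RFC 3748: Code outside 1-4, Length shorter than the 4-octet
    header, or Length larger than the bytes received.  Octets beyond Length are
    lower-layer padding and are ignored.
    """
    if len(frame) < HEADER.size:
        return None
    code, ident, length = HEADER.unpack_from(frame)
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        return None  # unknown Code: silently discard
    if length < HEADER.size or length > len(frame):
        return None  # inconsistent Length: silently discard
    return code, ident, frame[HEADER.size:length]


class PeerEapLayer:
    """Peer-side EAP layer (constructed example): lock-step, one Request at a time,
    duplicate detection keyed on the Identifier field."""

    def __init__(self):
        self.last_ident = None     # Identifier of the last Request we answered
        self.last_response = None  # the Response we sent for it

    def handle(self, frame: bytes):
        """Return the Response to transmit, or None if nothing is sent."""
        parsed = parse_eap(frame)
        if parsed is None or parsed[0] != EAP_REQUEST:
            return None  # discarded frame, or Success/Failure (no Response is sent)
        _, ident, data = parsed
        if ident == self.last_ident:
            # Retransmitted Request (same Identifier): resend the earlier Response
            # instead of reprocessing it.
            return self.last_response
        # Real Response data is method-specific (EAP-TLS, EAP-TTLS, ...); this
        # constructed stand-in just echoes the Type octet that leads the Data field.
        body = data[:1]
        self.last_ident = ident
        self.last_response = HEADER.pack(EAP_RESPONSE, ident, HEADER.size + len(body)) + body
        return self.last_response
```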

Summary: this document also discusses some security attacks, but it does not cover EAP-TLS and similar methods; it deals only with the EAP layer itself. EAP-TLS sits on top of the EAP layer.
Different ways of interpreting the Data portion of an EAP packet give rise to different authentication methods, such as EAP-TLS and EAP-TTLS.