21-06-0557-02-0000-IETF_Preauthentication


• IEEE 802.21 MEDIA INDEPENDENT HANDOVER
• DCN: 21-06-0557-01-0000
• Title: IETF Pre-authentication Activity
• Date Submitted: February 26, 2006
• Presented at IEEE 802.21 session in Denver
• Authors or Source(s): Yoshihiro Ohba and Alper Yegin
• Abstract: The purpose of this document is to introduce an IETF activity on pre-authentication and heterogeneous handover and to facilitate discussion on possible new work in the 802.21 WG.
IEEE 802.21 presentation release statements
• This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
• The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21.
• The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual <http://standards.ieee.org/guides/opman/sect6.html#6.3> and in Understanding Patent Issues During IEEE Standards Development <http://standards.ieee.org/board/pat/guide.html>
IETF BOF Information
• A BOF (Birds of a Feather) meeting is scheduled on March 23 at the 65th IETF
• Two different topics are discussed in the BOF (two BOFs were actually merged into a single BOF):
  • PREAUTH (Pre-authentication and Heterogeneous Handover)
  • HOAKEY (Handover and Application Keying)
• In this presentation, we focus on the PREAUTH work
• PREAUTH mailing list information: http://www.opendiameter.org/mailman/listinfo/preauth
Motivation of the work
• There has been a significant amount of work on optimizing IP mobility management
  • FMIPv6, HMIPv6, NETLMM, etc.
  • The focus was on optimizing IP mobility signaling
  • Optimizing overall handover performance, including network access authentication and authorization, has not been considered
• Network access authentication and authorization can be the most time-consuming procedure
• Authorization by a central authority such as a AAA server would be needed for a heterogeneous handover in which the authorization characteristics differ before and after the handover
Objective of the work
• The objective is to improve the overall performance of IP mobility, especially for heterogeneous handover
• Approach: Pre-authentication
  • An authentication procedure by which a target network authenticates a mobile node prior to handover, using the node's connectivity to the current network
  • We consider pre-authentication over IP
Expected Improvement with Pre-authentication
[Figure: two timelines, "Without Pre-authentication" and "With Pre-authentication", showing the L2 handoff, network access authentication and authorization, and the possible packet loss period. Without pre-authentication, network access authentication and authorization follow the L2 handoff; with pre-authentication, they are completed before the handoff, so the possible packet loss period no longer includes them.]
Scope: Problem Statement and Framework
• Developing a problem statement and a framework centered around pre-authentication for seamlessly performing heterogeneous handover
• The problem statement and framework will cover at least inter-domain and inter-technology handovers
• The problem statement and framework will support both single-interface and multi-interface devices
• The framework will work on the link-layer security requirements for pre-authentication to work
• The framework does not depend on particular link-layer technologies; however, the following specific link-layer technologies will be considered as target technologies: 802.11, 802.16, cdma2000, GPRS, DSL
Scope: Problem Statement and Framework (cont’d)
• The framework will work on AAA-related issues that need to be addressed for developing RADIUS/Diameter extensions to support pre-authentication. Possible issues are:
  • How to distinguish pre-authentication from initial entry authentication or re-authentication
  • When to start accounting
• The framework will follow the EAP keying framework and make extensions to the EAP keying framework only if the extensions are unavoidable
Scope: Pre-authentication Protocol Development
• Developing a pre-authentication protocol over IP
• There are at least two possible types of pre-authentication protocols
  • One type (Type 1) is based on running EAP with an authenticator in the target access network. This is being developed by the PANA WG
  • The other (Type 2) is based on relying on keys from an earlier EAP authentication being pre-distributed to authenticators in target access networks
• The PREAUTH group will work on the Type 2 pre-authentication protocol
PREAUTH model
[Figure: an MN and two domains, Domain A and Domain B, each with an AAA server and authenticators for Technology X and Technology Y. Protocols shown between the MN, the authenticators and the AAA servers:
• Initial entry authentication protocol (w/ EAP) [any EAP lower-layer protocol], with AAA for initial entry authentication
• Type 1 pre-authentication protocol (w/ EAP) [draft-ietf-pana-preauth], with AAA for Type 1 pre-authentication
• Type 2 pre-authentication protocol (w/o EAP) [new protocol work], with AAA for Type 2 pre-authentication (pre-distributing key, etc.)]
Relevance to 802.21
• Defining a security mechanism is out of the scope of 802.21 for now
• However, some work related to pre-authentication may be relevant to 802.21, e.g.,
  • Pre-authentication events
  • Pre-authentication commands
  • Media-independent key installation/management commands
• Issues:
  • Is pre-authentication important for 802.21?
  • Does the 802.21 WG need to revise the PAR to support pre-authentication?
  • Should a new TG be formed in the 802.21 WG to work on pre-authentication?