21-07-0291-00-0sec-hokey-preauth-ps


IEEE 802.21 MEDIA INDEPENDENT HANDOVER
DCN: 21-07-0291-00-0000
Title: EAP Pre-authentication Problem Statement in IETF
HOKEY WG
Date Submitted: September 14th, 2007
Presented at IEEE 802.21 session #22 in Hawaii
Authors or Source(s):
Yoshihiro Ohba
Abstract: This document explains EAP pre-authentication activity
in the IETF HOKEY WG. It also describes high-level issues about
pre-authentication that need to be discussed in the 802.21
Security SG.
1
IEEE 802.21 presentation release statements
This document has been prepared to assist the IEEE 802.21 Working Group. It is
offered as a basis for discussion and is not binding on the contributing
individual(s) or organization(s). The material in this document is subject to
change in form and content after further study. The contributor(s) reserve(s)
the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate
material contained in this contribution, and any modifications thereof, in the
creation of an IEEE Standards publication; to copyright in the IEEE’s name
any IEEE Standards publication even though it may include portions of this
contribution; and at the IEEE’s sole discretion to permit others to reproduce in
whole or in part the resulting IEEE Standards publication. The contributor also
acknowledges and accepts that this contribution may be made public by IEEE
802.21.
The contributor is familiar with IEEE patent policy, as stated in Section 6 of
the IEEE-SA Standards Board bylaws
<http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and in Understanding
Patent Issues During IEEE Standards Development
<http://standards.ieee.org/board/pat/faq.pdf>, and as outlined in Section 6.3
of the IEEE-SA Standards Board Operations Manual
<http://standards.ieee.org/guides/opman/sect6.html#6.3> and in
<http://standards.ieee.org/board/pat/guide.html>.
2
Outline
• Introduction of IETF HOKEY activity about EAP
pre-authentication
– http://www.ietf.org/internet-drafts/draft-ietf-hokey-preauth-ps-00.txt
– The content of the preauth-ps draft is explained in this presentation
• Pre-authentication-related issues that need to be
discussed in 802.21 SSG
3
EAP pre-authentication
• Definition [I-D.ietf-eap-keying-15]
“The use of EAP to pre-establish EAP keying
material on an authenticator prior to arrival of
the peer at the access network managed by that
authenticator”
• Example usage of EAP pre-authentication: IEEE
802.11i pre-authentication
– Defined for intra-ESS transitions
4
Scenario 1: Direct Pre-authentication
Figure (diagram labels): mobile host in the Serving network; Candidate
Network with Candidate Authenticator (CA); home network with home AAA
server; Internet between them. MN-CA signaling carries EAP over L2 or L3
between the mobile host and the CA; EAP over AAA runs between the CA and
the home AAA server.
- Generate MSK with the authenticator-2 by executing EAP through it.
5
Scenario 2: Indirect Pre-authentication
Figure (diagram labels): mobile host in the Serving Network with Serving
Authenticator (SA); Candidate Network with Candidate Authenticator (CA);
home network with home AAA server; Internet between them. MN-SA signaling
carries EAP over L2/L3 between the mobile host and the SA; SA-CA signaling
carries EAP over L3 between the SA and the CA; EAP over AAA runs between
the CA and the home AAA server.
- Generate MSK with the authenticator-2 by executing EAP through it.
6
Indirect Pre-authentication
Layering Model
Figure (layering diagram, left to right):
– Mobile Node: EAP Peer, above the MN-SA Signaling Layer
– Serving Authenticator: MN-SA Signaling Layer and SA-CA Signaling Layer,
connected by Pre-authentication Forwarding
– Candidate Authenticator: EAP Authenticator, above the SA-CA Signaling Layer
7
Pre-authentication AAA Requirements
• AAA requirements related to EAP pre-authentication need
to be identified (See draft-nakhjiri-preauth-aaa-req-00 for
details)
– Distinguishing normal authentication from pre-authentication
– Pre-authentication life-time
– Re-pre-authentication
– Post handover procedure
– Session resumption or key caching
– Multiple pre-authentication
– Provisioning of serving network information
– Network-controlled pre-authentication
• AAA requirements may affect MN-CA, MN-SA and SA-CA signaling design
8
HOKEY Charter in pre-authentication
• “EAP re-authentication and EAP pre-authentication authenticator are
expected to use the same layer and the same protocol as the
original EAP authentication used for the authenticator.”
• Reason for this restriction: Inter-technology pre-authentication has
technical issues that need to be studied
– Authenticator discovery
– Context binding
9
Pre-authentication issue 1:
Authenticator discovery
• In general, pre-authentication requires an address of a target authenticator to
be discovered either by a mobile node or by a serving authenticator prior to
handover
• An authenticator discovery protocol is typically defined as a separate
protocol from a pre-authentication protocol
• When a target authenticator uses link-layer EAP transport for both normal
authentication and pre-authentication, target authenticator discovery is
typically defined in each link-layer technology
– E.g., 802.11k and 802.16e
• For other cases, a mechanism for discovering the IP address of the target
authenticator is needed
– (IP address, link-layer address) mapping needs to be resolved
10
Pre-authentication issue 2:
Context binding
• A mechanism is needed to bind the link-layer independent context carried
over pre-authentication signaling to the link-layer specific context of
the link to be established between the mobile node and the target
authenticator
– Link-layer independent context: the identities of peer and authenticator
as well as MSK
– Link-layer specific context: link-layer addresses of peer and target
authenticator.
• Two possible approaches to address the context binding issue
– Approach 1: communicating the lower-layer context as opaque data via
pre-authentication signaling
– Approach 2: use of normal EAP authentication after handover with using
the same link-layer independent context for both pre-authentication and
normal authentication
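The following is an added example, not code from the HOKEY draft or from this 802.21 contribution. It models in Python the pieces the preceding slides describe: the serving authenticator forwarding pre-authentication to a candidate authenticator (the indirect scenario and its layering model, with the discovery result held as a CA-id-to-CA mapping), the CA keeping pre-established MSKs with a pre-authentication lifetime and supporting multiple pre-authentication (the AAA requirements slide), and Approach 1 to context binding, where the link-layer addresses travel as opaque data with the pre-authentication signaling and are checked against the actual link when the mobile node arrives. The EAP method is replaced by a toy HMAC derivation so the model runs offline; all identities, secrets and MAC addresses are constructed values, and every class and function name is an assumption of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkIndependentContext:  # carried over pre-authentication signaling
    peer_id: str
    authenticator_id: str


@dataclass(frozen=True)
class LinkSpecificContext:  # travels as opaque data under Approach 1
    peer_l2_addr: str
    authenticator_l2_addr: str


@dataclass
class PreauthEntry:
    msk: bytes
    link_ctx: LinkSpecificContext
    expires_at: float  # pre-authentication lifetime (AAA requirement)


def toy_msk(peer_secret, ctx):
    # Stand-in for the EAP method's MSK export; constructed, not a real method.
    label = f"{ctx.peer_id}|{ctx.authenticator_id}".encode()
    return hmac.new(peer_secret, b"MSK" + label, hashlib.sha512).digest()


class HomeAAAServer:
    """Holds peer credentials and completes the EAP run (EAP over AAA)."""
    def __init__(self, peers):
        self.peers = peers  # peer_id -> secret (constructed values)

    def eap_run(self, ctx, preauth):
        # 'preauth' lets AAA tell pre-authentication from normal authentication.
        if ctx.peer_id not in self.peers:
            raise PermissionError("unknown peer")
        return toy_msk(self.peers[ctx.peer_id], ctx)


class CandidateAuthenticator:
    def __init__(self, authenticator_id, l2_addr, aaa, lifetime_s):
        self.authenticator_id, self.l2_addr = authenticator_id, l2_addr
        self.aaa, self.lifetime_s = aaa, lifetime_s
        self.cache = {}  # LinkIndependentContext -> PreauthEntry

    def preauthenticate(self, peer_id, peer_l2_addr, now):
        ctx = LinkIndependentContext(peer_id, self.authenticator_id)
        msk = self.aaa.eap_run(ctx, preauth=True)
        link_ctx = LinkSpecificContext(peer_l2_addr, self.l2_addr)
        self.cache[ctx] = PreauthEntry(msk, link_ctx, now + self.lifetime_s)
        return ctx

    def handover(self, peer_id, peer_l2_addr, now):
        """Return the bound MSK, or None when normal EAP must run instead."""
        ctx = LinkIndependentContext(peer_id, self.authenticator_id)
        entry = self.cache.get(ctx)
        if entry is None:
            return None  # no pre-authentication state for this peer
        if now > entry.expires_at:
            del self.cache[ctx]  # pre-authentication lifetime exceeded
            return None
        if entry.link_ctx != LinkSpecificContext(peer_l2_addr, self.l2_addr):
            return None  # context binding failed: link differs from signaled one
        return entry.msk


class ServingAuthenticator:
    """Indirect scenario: forwards MN-SA signaling to the CA over SA-CA."""
    def __init__(self, candidates):
        self.candidates = candidates  # discovery result: CA id -> CA object

    def forward_preauth(self, ca_id, peer_id, peer_l2_addr, now):
        ca = self.candidates.get(ca_id)
        if ca is None:
            raise LookupError(f"candidate authenticator {ca_id} not discovered")
        return ca.preauthenticate(peer_id, peer_l2_addr, now)


def demo():
    peer_id, secret, mn_l2 = "mn@example.net", b"constructed-secret", "00:00:5e:00:53:aa"
    aaa = HomeAAAServer({peer_id: secret})
    ca1 = CandidateAuthenticator("ca1", "00:00:5e:00:53:01", aaa, lifetime_s=60)
    ca2 = CandidateAuthenticator("ca2", "00:00:5e:00:53:02", aaa, lifetime_s=60)
    sa = ServingAuthenticator({"ca1": ca1, "ca2": ca2})
    # Multiple pre-authentication: MN pre-establishes MSKs with both candidates.
    for ca_id in ("ca1", "ca2"):
        sa.forward_preauth(ca_id, peer_id, mn_l2, now=0.0)
    # The EAP peer derives the same MSK from the same identities.
    mn_msk_ca1 = toy_msk(secret, LinkIndependentContext(peer_id, "ca1"))
    return {
        "ca1_ok": ca1.handover(peer_id, mn_l2, now=10.0) == mn_msk_ca1,
        "ca1_wrong_l2": ca1.handover(peer_id, "00:00:5e:00:53:bb", now=10.0),
        "ca2_expired": ca2.handover(peer_id, mn_l2, now=120.0),
        "ca2_cache_size": len(ca2.cache),  # entry discarded on expiry
    }
```

`demo()` returns a dict: the handover to ca1 within the lifetime and on the signaled link yields the same MSK the peer holds, arriving with a different link-layer address fails the binding check, and the ca2 entry is discarded once its lifetime is exceeded, so in both failure cases the peer falls back to normal EAP authentication.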
11
Pre-authentication applicability
(quote from I-D.hokey-preauth-ps)
• “This framework has general applicability to various
deployment scenarios in which proactive signaling can
take effect. In other words, applicability of EAP pre-authentication
is limited to the scenarios where candidate
authenticators can be easily discovered, an accurate
prediction of movement can be easily made.”
• “Also the effectiveness of EAP pre-authentication may be
less significant for particular inter-technology handover
scenarios where simultaneous use of multiple technologies
is not a major concern or where there is sufficient radio
coverage overlap among different technologies.”
12
Pre-authentication protocol work
• IETF HOKEY WG has decided to focus on preauth problem statement and not to work on actual
pre-authentication protocol
– L2-agnostic pre-authentication protocol is to be defined
in IETF
• PANA WG is defining pre-authentication extension for PANA
• There is no context binding issue because there is no link-layer
specific context
– L2-aware pre-authentication protocol should be defined
outside IETF
• IEEE 802.21 may define it, with addressing authenticator
discovery and context binding issues
– Defining new AAA attributes for pre-auth should be
done in IETF DIME and RADEXT WGs
13
High-level questions for 802.21
• Should a pre-authentication protocol be
defined in 802.21?
• Should 802.21 work on EAP pre-authentication only, or on
non-EAP pre-authentication as well?
14