Transcript PPT Version
Handover Keys Using AAA
(draft-vidya-mipshop-handover-keys-aaa-03.txt)
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
Changes since Dallas
Two reviews received (official MOBDIR and unofficial SECDIR) and
comments incorporated
Summary of changes:
Replay protection mechanism using timestamps alone
Sequence number field removed; no need for both sequence number and
timestamps
Timestamp allows stateless AAA server function
Error codes streamlined
Fixed IANA section
Defined PRF
Message summary added for clarification
MAC Option to be pulled into RFC4068bis
Draft will be revised after update of 4068bis
Technical work is mostly complete
Extensive reviews received
Appendices to be submitted as RADEXT and DIME documents
Satisfied all criteria for adoption as WG document
Adoption?
Backup Slides
Example Topology
AP2.1
AR2
MN
AP2.2
AAAH
Server
AP1.1
AR1
MN
AP1.2
Protocol Overview
MN
AR1
AR2
AAA
Server
HMK Generated
HMK Generated
HKReq
RADIUS Access Request
([MN ID, Msg ID, Seq #,
MN Nonce], MN-AAA MAC)
([HKReq, NAS IP], AR-AAA MAC)
RADIUS Access Accept
([AAA Nonce, Lifetime] AAA-MN MAC, [HK1], ARn-AAA Key)
HKResp
Generate HK1
MN Handoff
To AR2
Decrypt HK1
([AAA Nonce, Lifetime] AAA-MN MAC)
FNA([FBU], HK1)
[FBU], HK1
Validate FBU
FBAck
FBAck
Validate MAC
Generate HK1
Draft Goals
Establish a handover key between MN
and AR to secure FBU/FBAck
Simple, single roundtrip protocol
Draft Status
No current open issues
Previous discussion – CoA validation prior
to handover key derivation
Discussion on how to update the draft and
move forward
IP Address Validation
Strictly in the context of FMIP
Purpose – validate the CoA of the MN
while deriving the handover key
IP Address Validation Mechanisms
Controlled networks may have their own means
of IP address validation
On links such as PPP, IPv6CP can provide tight
control over IP address assignment
Some technologies would allow binding of L2
credentials to IP addresses at the time of network
access
Other more definitive methods also possible
Consensus on providing guidance in the security
considerations section