Hokey Architecture Deployment and Implementation Qin Wu Hoeper Katrin
Hokey Architectural Deployment and Implementation Objective Deploying ERP and EAP early authentication protocol in the mobile environment. Also there are useful scenarios which need to be addressed. Motivation Provide guidelines to make progress on Diameter ERP document Design ERP or Early authentication enabling architecture Enable the deployment of hokey architecture in real life environment investigate scalability and performance issues that Re-authentication and Early authentication might raise.
Problem Description Different Deployment has different scenario for Re-authentication and Early authentication.
Deployments Consideration The hokey server is separated from the home AAA server and deployed in the home domain and the hokey proxy is separated from AAA proxy and deployed in the local domain. Deployment 2: The hokey server is collocated with the home AAA server and is collocated with AAA proxy and deployed in the local domain. Deployment 3: The hokey server is separated from AAA proxy and deployed in each local domain. There is no hokey server in the home domain Deployment 4: The hokey server is collocated with AAA proxy and deployed in each local domain. There is no hokey server in the home domain
Re-authentication Scenario A Home AAA Domain Local ER Server/Local EAP server Transport DSRK, Home ER Server/Home EAP server The Mobile know the local domain name a Mobile Visited AAA Domain Previous NAS DHCPv6 server b New NAS Mobile a. Explicit ERP bootstrapping occurs in the initial full authentication with the home ER server when the peer firstly attaches to one domain or enter into a new domain. It is used to re-authentication the peer in the home domain and transport the local root key to the local ER server b. when the peer associate with the new authenticator, ERP in the local domain is used to re-authenticate the peer in the local domain.
Re-authentication Scenario B Home AAA Domain Local ER Server/Local EAP server Transport DSRK, Local Domain name Home ER Server/Home EAP Server The Mobile doesn’t know the local domain name a Mobile Visited AAA Domain DHCPv6 server Previous NAS b New NAS Mobile a. Explicit ERP bootstrapping occurs in the initial full authentication with the home ER server when the peer firstly attaches to one domain or enter into a new domain. It is used to re-authentication the peer in the home domain and transport the local root key to the local ER server. Also it is used to request the local domain name for the peer. b. when the peer associate with the new authenticator, ERP in the local domain is used to re-authenticate the peer in the local domain.
Re-authentication Scenario C Home AAA Domain Local ER Server/Local EAP Server Transport DSRK To Local server Home ER Server/Home EAP Server The Mobile doesn’t know the local domain name Previous NAS a Mobile Visited AAA Domain DHCPv6 server b c New NAS Mobile a. Implicit bootstrapping occurs in the initial EAP full authentication when the peer first attaches to one domain or enter into a new domain and is used to transport local root key to the local ER server b. When the peer moves to the new NAS and doesn’t know the local domain name, Explicit ERP bootstrapping is used to request local domain name for the peer and is used to re-authenticate the peer in the local domain. c. The peer use local domain name available to perform ERP with the local ER server without involvement of the home EAP server.
Re-authentication Scenario D Home AAA Domain Local ER Server/Local EAP Server Transport DSRK To Local server Home EAP Server The Mobile doesn’t know the local domain name a Mobile Visited AAA Domain DHCPv6 server Previous NAS/DHCP Relay b c Mobile New NAS a. In the Initial EAP full authentication (Implicit bootstrapping), the local ER server request DSRK from home EAP server. b. The peer use DHCP procedure to request local domain name. c. When Re-authentication occurs after initial EAP full authentication, the peer use local domain name available to perform ERP with the local ER server without involvement of the home EAP server.
Early Authentication Scenario A Local EAP Serve/ Hokey Server Home AAA Domain Transport Candidate NAS Home EAP Server a Mobile a Visited AAA Domain Previous NAS New NAS1 Transport key b AAA Proxy Visited AAA Domain Mobile b Transport key New NAS2 a. Before the mobile moves to the new NAS, the mobile or the previous NAS discovers candidate NAS and transports it to the AAA server. b. The AAA server in the home domain transports the key to the new NAS2.
Early Authentication Scenario B Local EAP Server /Hokey Server Home AAA Domain Mobile Home EAP Server a Visited AAA Domain Previous NAS New NAS1 b b Mobile AAA Proxy b New NAS2 Before the mobile moves to the new NAS, the Previous NAS discover candidate NAS, i.e., New NAS2. b. The NAS forward EAP Pre-authentication signaling to the new NAS2 and the new NAS exchanges with AAA server to finish EAP Pre-authentication.
Early Authentication Scenario C Local EAP Server /Hokey Server Home AAA Domain Home EAP Server Mobile a Visited AAA Domain Previous NAS b b Mobile b AAA Proxy New NAS Before the mobile moves to the new NAS, the Mobile discover candidate NAS, i.e., New NAS2. b. The Mobile send EAP Pre-authentication signaling directly to the new NAS2 and the new NAS exchanges with AAA server to finish EAP Pre-authentication.
ML Discussion Summary Some discussion and supports are received as regarding hokey architecture work. Hokey architecture commented to be useful to progress Diameter ERP work. Routing issues were raised Whether Defining new Diameter application ID can be used to resolve all the routing issue. Whether Decorated NAI can also be used to resolve routing issue. Depend on specific deployment, e.g., Suppose multiple proxies located in the local domain, how routing work? Confusion in RFC5296 addressed In the implicit bootstrapping, whether the AAA server is EAP server? Whether implicit bootstrapping is EAP full authentication described in figure3.
Proposal Adopt it as a new WG item?
Thanks www.ietf.org