Handover Keys using AAA (draft-vidya-mipshop-fast-handover-aaa-01.txt)


Handover Keys using AAA (draft-vidya-mipshop-fast-handover-aaa-01.txt)
Vidya Narayanan, Narayanan Venkitaraman, Hannes Tschofenig, Gerardo Giaretta, Julien Bournelle
November 7, 2005, draft-vidya-mipshop-fast-handover-aaa-01

Example Topology
(Figure: the MN attaches through AP1.1/AP1.2 to AR1 or through AP2.1/AP2.2 to AR2; both ARs reach the AAAH server.)
Objective is to create a shared key between MN and AR using AAA.

Protocol Overview (ladder diagram between MN, AR1, AR2 and the AAA server)
- HMK is generated at the MN and at the AAA server.
- MN -> AR1: HKReq([MN ID, Msg ID, Seq #, CoA], MN-AAA Auth Option)
- AR1 -> AAA: RADIUS Access Request([[MN ID, Msg ID, Seq #, CoA], MN-AAA MAC, NAS IP], AR-AAA MAC)
- AAA: validates the MAC, generates HK1
- AAA -> AR1: RADIUS Access Accept([Nonce, Lifetime] MN-AAA Auth Option, [HK1] protected with the ARn-AAA key)
- AR1: decrypts HK1
- AR1 -> MN: HKResp([Nonce, Lifetime] MN-AAA Auth Option)
- MN: generates HK1
- MN hands off to AR2
- MN -> AR2: FNA([FBU], HK1) (the encapsulated FBU carries MN-AR authentication data computed with HK1)
- AR2 -> AR1: [FBU], HK1
- AR1: validates FBU
- AR1 -> AR2: FBAck
- AR2 -> MN: FBAck

Protocol Overview – Salient Points
- Handover Master Key (HMK) shared between MN and AAAH
  - May be derived using the EAP AMSK at time of power-up or first network access
  - HMK derived at the MN and the AAA (EAP) server; not transported anywhere else
  - May be a pre-shared key between MN and AAAH
- Handover Key (HK) derivation
  - HK = HMAC-SHA1(HMK, AR ID | MN ID | AAA-MN Nonce, "Handover Key")
  - HK derived with each AR
  - AR verifies the MN CoA and binds it to the HK
  - HK may be derived indirectly with another AR through the current AR, e.g. pre-authentication before handoff
  - A new key with a given AR may need to be derived after the lifetime expires
  - Lifetime value provided by the AAA server; enforced by AR and MN
- MN verifies HK with the AR after handoff if pre-authentication was used
  - Used to bind HK to the CoA of the MN and to verify that the key is valid at the AR
- The protocol is similar to the MIP-AAA model

Additions/Changes since last version
- Moved from UDP-based messages to Mobility Header types
  - HKReq and HKResp are now new MH types
  - Allows re-use of many already defined mobility options
  - Follows the model of FMIP control messages
- Address validation/binding: added details on CoA validation
  - Highlights of the procedure:
    - AR performs NDP upon receiving an HKReq with a non-NULL CoA
    - The Message ID from the HKReq is added as an option in the NS sent by the AR
    - The MN that sent the HKReq MUST NOT respond with an NA
    - The address is validated if no other response is received for the NS
  - Procedure is similar to the AR performing NDP upon receiving HI or FNA
  - The AR *may* use other available means of address validation (as it may for HI/FNA processing)

To-Dos
- Derivation of the Handover Master Key using the EAP key hierarchy
  - Targeting a separate I-D on the topic (use Appendix A in the draft as basis)
  - Need the EAP WG to solidify the AMSK definition
- RADIUS attribute definition
  - Targeting a separate I-D on the topic (use Appendix B in the draft as basis)
- Diameter AVPs/application definition
  - Need to investigate possible re-use of the NASREQ application
  - Targeting a separate I-D on the topic (use Appendix C in the draft as basis)

MN-AR Authentication Option (draft-narayanan-mn-ar-auth-option-00)
- Defines a new Mobility Sub-option for carrying MN-AR Authentication Data
- Based on the "Authentication Protocol for MIP6"
- Protocol gist:
  - Authentication Data = First(96, HMAC_SHA1(MN-AR Shared Key, Mobility Data))
  - Mobility Data = care-of address | home address | MH Data
- Used in draft-vidya-handover-keys-aaa-01 to include MN-AR Auth Data in HKReq/HKResp
- Also suitable for carrying MN-AR Auth Data in FBU/FBAck in FMIPv6
- Concerns raised on the mailing list about the dependency on an Informational document
  - Technically, the re-use makes sense
  - Integrate into 4068bis?
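The following is an added worked example, not code from the draft or its authors, that runs the HKReq/Access-Request/Access-Accept/HKResp exchange from the Protocol Overview slide, applies the HK derivation from the Salient Points slide, and then computes and checks the 96-bit MN-AR Authentication Data from the option slide over an FBU. Everything not fixed on the slides is an assumption and is marked as such: the byte encoding of the HKReq fields, plain concatenation of the HK derivation inputs with the "Handover Key" label, a full HMAC-SHA1 tag for the MN-AAA option, the lifetime value, and the XOR-with-keystream stand-in for hiding HK1 under the AR-AAA key (RADIUS has its own attribute-hiding mechanism, which is not modelled here). The AR-AAA MAC over the Access-Accept and lifetime enforcement are left out.

```python
import hashlib
import hmac
import secrets

LABEL = b"Handover Key"   # label in the slide's HK derivation formula
HK_LIFETIME = 300         # seconds; constructed value, the draft leaves it to the AAA server


def hkreq_fields(mn_id, msg_id, seq, coa):
    """Byte encoding of [MN ID, Msg ID, Seq #, CoA] carried in HKReq (encoding assumed)."""
    return mn_id + msg_id + seq.to_bytes(2, "big") + coa


def mn_aaa_auth(hmk, data):
    """MN-AAA Authentication Option: HMAC-SHA1 over the message fields under HMK.
    Assumption: the full 160-bit tag is carried."""
    return hmac.new(hmk, data, hashlib.sha1).digest()


def derive_hk(hmk, ar_id, mn_id, nonce):
    """HK = HMAC-SHA1(HMK, AR ID | MN ID | AAA-MN Nonce | "Handover Key").
    Assumption: the inputs and the label are concatenated as raw bytes."""
    return hmac.new(hmk, ar_id + mn_id + nonce + LABEL, hashlib.sha1).digest()


def mn_ar_auth_data(mn_ar_key, coa, hoa, mh_data):
    """Authentication Data = First(96, HMAC_SHA1(MN-AR Shared Key, CoA | HoA | MH Data))."""
    return hmac.new(mn_ar_key, coa + hoa + mh_data, hashlib.sha1).digest()[:12]


def ar_validate(mn_ar_key, coa, hoa, mh_data, auth_data):
    """AR side: constant-time check of the MN-AR Authentication Data on an FBU or HKReq."""
    return hmac.compare_digest(auth_data, mn_ar_auth_data(mn_ar_key, coa, hoa, mh_data))


def wrap_hk(ar_aaa_key, nonce, hk):
    """Stand-in for hiding HK under the AR-AAA key in the Access-Accept: XOR with a
    nonce-bound keystream (applying it twice unwraps). Assumed for illustration only."""
    stream = hmac.new(ar_aaa_key, b"wrap" + nonce, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(hk, stream))


def aaa_access_request(hmk_db, ar_keys, ar_id, mn_id, fields, mn_mac, ar_mac, nonce=None):
    """AAA server: verify the AR-AAA MAC over the request, then the MN-AAA MAC under the MN's
    HMK, then generate HK for this (MN, AR) pair. Returns None on any failure."""
    ar_key = ar_keys[ar_id]
    if not hmac.compare_digest(ar_mac, hmac.new(ar_key, fields + mn_mac, hashlib.sha1).digest()):
        return None
    hmk = hmk_db.get(mn_id)
    if hmk is None or not hmac.compare_digest(mn_mac, mn_aaa_auth(hmk, fields)):
        return None
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    hk = derive_hk(hmk, ar_id, mn_id, nonce)           # HK bound to this AR's identity
    resp = nonce + HK_LIFETIME.to_bytes(4, "big")      # [Nonce, Lifetime] for the MN
    return resp, mn_aaa_auth(hmk, resp), wrap_hk(ar_key, nonce, hk)


def run_exchange(hmk_db, ar_keys, ar_id, mn_id, hmk, coa, seq, nonce=None):
    """HKReq -> Access-Request -> Access-Accept -> HKResp. Returns (HK at AR, HK at MN)."""
    msg_id = b"\x00\x00\x00\x01"                         # constructed Message ID
    fields = hkreq_fields(mn_id, msg_id, seq, coa)
    mn_mac = mn_aaa_auth(hmk, fields)                    # MN -> AR: HKReq
    ar_key = ar_keys[ar_id]
    ar_mac = hmac.new(ar_key, fields + mn_mac, hashlib.sha1).digest()  # AR -> AAA
    accept = aaa_access_request(hmk_db, ar_keys, ar_id, mn_id, fields, mn_mac, ar_mac, nonce)
    if accept is None:
        return None
    resp, resp_mac, wrapped = accept
    hk_at_ar = wrap_hk(ar_key, resp[:16], wrapped)       # AR decrypts HK1
    # AR -> MN: HKResp; the MN checks the MN-AAA option before trusting nonce and lifetime
    if not hmac.compare_digest(resp_mac, mn_aaa_auth(hmk, resp)):
        return None
    hk_at_mn = derive_hk(hmk, ar_id, mn_id, resp[:16])   # MN derives HK1 locally
    return hk_at_ar, hk_at_mn
```

Two properties worth checking on any implementation of this design: the AR never learns HMK (it only relays the MN-AAA MAC and receives a wrapped HK), and because AR ID is an input to the derivation, the HK held by AR1 is useless to AR2, so a compromised router cannot impersonate the MN towards its neighbours. The example checks both by deriving a second key for a different AR ID and by rejecting a request whose MN-AAA MAC was made under the wrong HMK.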

Accept as WG item?
QUESTIONS?