IEEE MEDIA INDEPENDENT HANDOVER DCN: srho

Presentation transcript:

IEEE 802.21 MEDIA INDEPENDENT HANDOVER
DCN: 21-10-0058-00-srho
Title: TGa Updates
Date Submitted: March 16, 2010
Presented at IEEE 802.21 session #37 in Orlando
Authors or Source(s): Yoshihiro Ohba (Toshiba)
Abstract: This document discusses pre-registration and pre-authentication

IEEE 802.21 presentation release statements

This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21.

The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws <http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and in Understanding Patent Issues During IEEE Standards Development <http://standards.ieee.org/board/pat/faq.pdf>

Purpose of this presentation
- Trying to help 802.21a and 802.21c task groups to identify the scope of each work
- Note: Some part of this presentation is made based on author’s own view

EAP-based Security Signaling Optimization Techniques
- [RFC 5247] defines EAP Pre-Authentication as:
  - The use of EAP to pre-establish EAP keying material on an authenticator prior to arrival of the peer at the access network managed by that authenticator
- [I-D.ietf-hokey-preauth-ps] defines EAP Early Authentication to cover:
  - EAP pre-authentication (as defined above)
    - Signaling path: MN-CA-AAA
    - EAP authenticator on CA
  - Authenticated Anticipatory Keying
    - Signaling path: MN-SA-AAA-CA
    - EAP authenticator on SA
- The common thing in all techniques here is to proactively run EAP to establish keying material between MN and CA
- CA: Candidate Authenticator
- SA: Serving Authenticator

Pre-registration
- Pre-registration is to carry out link-layer signaling to create a link-layer state for an MN on a candidate PoA prior to handover
- The link-layer signaling may include authentication and key establishment signaling
  - The authentication and key establishment signaling may include EAP or non-EAP authentication, or L2 secure association protocol
- The link-layer state may include key material shared between MN and the candidate L2 PoA
- How far the link-layer state is expected to proceed before handover may depend on the solution

A View of Works
- MIH-based pre-registration seems to be in scope of 802.21c, except for security related part

[Figure: diagram with the labels "Pre-registration (MIH-based, non-MIH-based)", "Non-EAP proactive authentication", "L2 EAP pre-authentication", "L3+ EAP pre-authentication(*)", "Current harmonized proposal (21-10-0049) on 802.21a Work Item #1", "Authenticated Anticipatory Keying", "EAP Early Authentication", "Security-related optimization techniques"]

*) In current harmonized 802.21a proposal, L3+ EAP pre-authentication is bundled with MIH service authentication.

Implications of MIH-based Pre-registration
- MIH-based pre-registration may require a secure MIH tunnel to carry L2 frames
- To establish the tunnel, MIH service authentication is needed between MN and target PoS (to be defined as part of 802.21a work item #2)
- Then L2 network access authentication is carried out over the tunnel
- An optimization technique is discussed in 802.21a, which relates MIH service authentication and L2 network authentication by defining a key hierarchy between them
  - “L3+ EAP pre-authentication” in previous slide

[Figure: diagram with the labels "MN", "Secure MIH tunnel", "Target PoS", "PoS-PoA tunnel", "Target PoA"]
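An illustration of the key-hierarchy idea on this slide, added here and not taken from the presentation or from any 802.21a text: a root key from MIH service authentication is expanded into one key for the MIH tunnel and one L2 key per candidate PoA. The use of HKDF (RFC 5869), the labels, the identifiers and the sample MSK are all assumptions made for the example.

```python
import hashlib
import hmac

def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk, info, length=32):
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def _ctx(label, *ids):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    parts = [label.encode()] + [i.encode() for i in ids]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def derive_hierarchy(msk, mn_id, pos_id, poa_ids):
    """Derive the tunnel key and one L2 key per candidate PoA from one root.

    msk is assumed to be the keying material exported by MIH service
    authentication between the MN and the target PoS.
    """
    root = hkdf_extract(b"\x00" * 32, msk)
    tunnel = hkdf_expand(root, _ctx("mih-tunnel", mn_id, pos_id))
    # Binding each L2 key to the PoA identity keeps keys for different
    # PoAs independent: a PoA that holds its own key learns nothing about
    # the key of another PoA or about the tunnel key.
    poa = {p: hkdf_expand(root, _ctx("l2-poa", mn_id, p)) for p in poa_ids}
    return {"tunnel": tunnel, "poa": poa}

# Constructed sample input (not real keying material).
SAMPLE_MSK = bytes(range(64))

if __name__ == "__main__":
    # The MN and the target PoS run the same derivation independently.
    mn_side = derive_hierarchy(SAMPLE_MSK, "mn-1", "pos-target", ["poa-a", "poa-b"])
    pos_side = derive_hierarchy(SAMPLE_MSK, "mn-1", "pos-target", ["poa-a", "poa-b"])
    print("both sides agree:", mn_side == pos_side)
    for name, key in mn_side["poa"].items():
        print(name, key.hex())
```

In this sketch the target PoS would hand each PoA only its own entry from `poa`, never the root or the tunnel key.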

Summary
- Pre-registration generally covers L2 EAP pre-authentication, but may not cover all security-related optimization techniques
- MIH-based pre-registration except for security related part may be defined under 802.21c
  - E.g., definition of MIH TLV to carry L2 frame, pre-registration related IEs, events and commands except for security related ones
- Security related part of MIH-based pre-registration may be defined under 802.21a
  - E.g., General call flows of security signaling and security-related IEs, events and commands, and if needed, a key hierarchy and solutions or guidelines for key distribution