21-07-0446-00-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0446-00-0000 Title: Security SG Report Date Submitted: November 20, 2007 Authors.


IEEE MEDIA INDEPENDENT HANDOVER
DCN:
Title: Security SG Report
Date Submitted: November 20, 2007
Authors or Source(s): Yoshihiro Ohba
Abstract: Report of Security SG meeting at IEEE session 23 in Atlanta

IEEE presentation release statements

This document has been prepared to assist the IEEE Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE's name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE's sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE.

The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual (http://standards.ieee.org/guides/opman/sect6.html#6.3) and in Understanding Patent Issues During IEEE Standards Development.

The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws (http://standards.ieee.org/guides/bylaws/sect6-7.html#6) and in Understanding Patent Issues During IEEE Standards Development.

Outline

- Two meeting slots: Nov. 17 (Mon) AM2, Nov. 15 (Thu) PM2
- 4 TR (Technical Report) contributions
  - All contributions address Security Signaling Optimization during Handover (SSOH)
  - One contribution also addresses MIH-level Security Mechanism (MIHS)
- One contribution for performance evaluation on SSOH
- One contribution for combining security signaling and QoS resource reservation
- Discussed PAR and 5C issues
- There will be a 2nd call for TR contributions before January 2007 meeting

TR contribution on re-authentication

- TR contribution: MIH_Key_Hierarchy.doc
- Presented slides: MIH%20key-hierarchy%20approaches.ppt
- The contribution addresses inter-technology handover between EAP-based technologies using HOKEY re-authentication
- Re-authentication may be performed proactively via the serving network, or reactively via the target network
  - Proactive re-authentication may require a new work in
  - In reactive re-authentication, the native EAP transport defined in each link layer, such as 802.1X, may be used with or without modification
    - Need for a new work in is smaller than for proactive re-authentication
- In both proactive and reactive re-authentication, a candidate authenticator discovery mechanism is needed

TR contribution on inter-domain handover w/ pre-authentication

- TR contribution: %20security_signaling_inter-domain.doc
- Presented slides: %20security_signaling_inter-domain.ppt
- The contribution addresses inter-domain handover where a direct or indirect trust relationship exists between the serving and target network
- Pre-authentication is identified as the potential approach
- In the case of an indirect trust relationship, pre-authentication signaling needs to be performed along the chain of trust
  - A proxy authenticator is introduced to support pre-authentication across domains with an indirect trust relationship

TR contribution on inter-technology handover w/ pre-authentication (1/2)

- TR contribution: Security%20SG%20Use%20Case.doc
- Presented slides: %20-Use%20Case.ppt
- The contribution addresses inter-technology handover between specific technologies: and
- Pre-authentication is identified as the potential approach
- The same approach is generally applicable to other technologies as long as the target network supports EAP

TR contribution on inter-technology handover w/ pre-authentication (2/2)

- TR contribution: MIH_Security_TR_Use_Case_Scenarios.doc
- Presented slides: Use_Case_Scenario.ppt
- The contribution addresses inter-technology handover to a specific set of technologies that support EAP
- Inter-domain handover is also supported
- Handover to non-EAP technologies is not supported

Performance evaluation on SSOH

- Authentication%20Signaling%20Performance%20in%20MIH.ppt
- NS-2 simulation results are shown on security signaling performance for full authentication, re-authentication and pre-authentication for handover between and
  - Full authentication is based on EAP-TTLS w/MD5
  - Re-authentication is based on HOKEY ERX
- Three performance metrics: EAP latency, post-handover security signaling latency and transmission latency
- Some issues with simulation conditions
  - AAA latency is underestimated
  - Simulation runs EAP unnecessarily during r FT
- Additional evaluation is encouraged

Combining security signaling and QoS resource reservation

- secure_Handover_with_QoS.ppt
- The purpose is to provide seamless mobility with QoS
- Proactive QoS signaling for resource reservations at the IP layer using QoS NSLP, where anticipation of movement is feasible
- The proposed approach is to combine network access authentication and QoS signaling
- Even when the two types of signaling are combined, network access authentication needs to complete before QoS reservation

Discussion on PAR and 5C

- PAR-related material: SSG_Scope_Issues.ppt
- 5C-related material: Annex A of
- Support for Non-EAP authentication was discussed heavily
- Straw poll was taken
  - Support for handover with EAP: Yes(20)/No(0)
  - Support for handover with Non-EAP: Yes(10)/No(7)
  - Support for inter-technology handover: Yes(21)/No(0)
- Open issues
  - Definition of administrative domain needs to be revised to cover a scenario where multiple ESSes are served by a single AAA server
  - Clarification on relationship with Linksec is needed

Security SG Milestones

- November 2007
  - All contributions intended to be included in the TR need to be submitted before the meeting
    - Detailed submission guidelines will be posted to the reflector
  - PAR/5C discussion
- January 2008
  - All major studies are expected to be done
  - PAR/5C discussion
- February 2008
  - Submit PAR/5C to IEEE 802 EC to create a TG
- March 2008
  - Completion of TR
  - Discuss feedback on PAR/5C
  - Joint Meeting with Link Security Task Group
- Done

Next Steps

[Timeline diagram; labels recovered from the slide, in extraction order]

- Jan Meeting
- SSOH: Security Signaling Optimization during Handover
- MIHS: MIH-level Security mechanism
- 4 TR Contributions
- 1 TR Contribution on SSOH
- TR Contributions on MIHS, etc.
- Baseline TR
- Nov Meeting
- PAR/5C
- Mar Meeting
- TR
- PAR/5C
- Submission to EC (by Feb 14, 2008)
- Presentation of PAR to general 802 membership
- Approval by EC
- Coordination w/ other WGs
- Approval by WG
- PAR Submission to IEEE-SA Standards Board
- Submission Deadline: Jan. 7, 2008