Washington D.C., November 2004, IETF 61st, mip6 WG: MIPv6 authorization and configuration based on EAP (draft-giaretta-mip6-authorization-eap-02), Gerardo Giaretta et al.
Slide 1: MIPv6 authorization and configuration based on EAP (draft-giaretta-mip6-authorization-eap-02)
Gerardo Giaretta, Ivano Guardini, Elena Demaria (Telecom Italia Lab, TILab); Julien Bournelle, Maryline Laurent-Maknavicius (GET/INT)
Washington D.C., November 2004, IETF 61st, mip6 WG

Slide 2: Overview (November 2004, IETF 61st, mip6 WG, draft-giaretta-mip6-authorization-eap-02)
Solution for bootstrapping Mobile IPv6 relying on an AAA infrastructure.
Bootstrapping is performed during the authentication phase for network access:
– the basic assumption is that network access and mobility services are provided by the same entity (i.e. an integrated ASP)
– re-use of network access credentials
The interaction between the MN and the Home AAA server is realized using EAP:
– exploits the capability of several EAP methods to carry arbitrary parameters together with authentication data

Slide 3: Protocol architecture
[Figure: protocol architecture. Entities: Mobile Node, Router or Access Point (EAP pass-through, AAA client), AAA Server, Home Agent. The EAP exchange between MN and AAA server runs over the EAP lower layer on the access link and over the AAA protocol (Diameter/RADIUS) between the AAA client and the AAA server; it carries both the authentication for network access and the MIPv6 authorization and configuration. The AAA server pushes configuration data to the Home Agent over the AAA-HA protocol.]

Slide 4: Advantages
No changes needed on access equipment:
– easier deployment (in roaming scenarios)
– works with existing equipment (e.g. IEEE 802.1X APs)
– works with any EAP lower layer (e.g. 802.1X, PANA)
Both RADIUS and Diameter can be used between the NAS and the AAA infrastructure.
The MN-HA IPsec SA can be set up from the keying material exported by the EAP method:
– see draft-giaretta-mip6-amsk-00

Slide 5: Advantages (cont.)
The solution can be easily extended to bootstrap non-IPsec SAs:
– see draft-ietf-mip6-auth-protocol-00
Bootstrapping can also be performed from IPv4 networks supporting EAP:
– using draft-soliman-v4v6-mipv4-01 for subsequent Mobile IPv6 protocol operations
The same approach could also be used for MIPv4 bootstrapping.

Slide 6: Transport of bootstrapping data
[Figure: the MIPv6 bootstrapping TLVs sit inside a generic MIPv6-Authorization container, which is mapped onto the message format of each EAP method: a MIPv6-Authorization TLV for PEAPv2 and EAP-FAST, a MIPv6-Authorization TLV for EAP-SIM and EAP-AKA, a MIPv6-Authorization AVP for EAP-TTLS, and a MIPv6-Authorization IKEv2 payload for EAP-IKEv2.]
MIPv6 bootstrapping data are encoded in TLVs carried by a generic MIPv6-Authorization container.
Only the container needs to be adapted to the actual message format of the employed EAP method.

Slide 7: Message flow
[Figure: message flow between Mobile Node, AAA Server (AAAH) and Home Agent.]
1. AAAH to MN: MIPv6-Authorization-TLV (Service-Status, [Service-Options])
2. MN to AAAH: MIPv6-Authorization-TLV (Service-Selection, [Service-Options], [Home-Agent-Address], [Home-Address], [Interface-Identifier], [IKE-Authentication-Options])
3. AAAH: HA selection; AAAH and Home Agent over the AAA-HA protocol: MIPv6 state installation
4. AAAH to MN: MIPv6-Authorization-TLV (Home-Agent-Address, Home-Address, IKE-Bootstrap-Info, Authorization-Lifetime)
5. MN to AAAH: MIPv6-Authorization-TLV (Negotiation-Result)

Slide 8: Message flow, step 1
AAAH to MN: MIPv6-Authorization-TLV (Service-Status, [Service-Options])
Service-Status-TLV to communicate the availability (or unavailability) of MIPv6 service.
Service-Options-TLV (optional) to specify other service options the MN can ask for:
– HA in the visited domain (not specified yet)
– other service options may be added in the future

Slide 9: Message flow, step 2
MN to AAAH: MIPv6-Authorization-TLV (Service-Selection, [Service-Options], [Home-Agent-Address], [Home-Address], [Interface-Identifier], [IKE-Authentication-Options])
Service-Selection-TLV to specify whether the MN wants to activate MIPv6 protocol operation.
Configuration hints (optional):
– Home Agent Address, Home Address, Interface Identifier
IKE-Authentication-Options-TLV (optional) to specify the IKE peer authentication methods supported by the MN.

Slide 10: Message flow, step 3
AAAH and Home Agent over the AAA-HA protocol: HA selection, MIPv6 state installation.
AAAH selects a suitable Home Agent and the peer authentication method to be used in IKE phase 1.
AAAH interacts with the HA to dynamically configure the MIPv6 state:
– authorization lifetime of the MIPv6 service granted to the MN
– security parameters (e.g. pre-shared key)
– SNMPv3 or a new Diameter application could be used for this purpose

Slide 11: Message flow, step 4
AAAH to MN: MIPv6-Authorization-TLV (Home-Agent-Address, Home-Address, IKE-Bootstrap-Info, Authorization-Lifetime)
AAAH continues the EAP session, sending all MIPv6 configuration data to the MN:
– Home-Address-TLV
– Home-Agent-Address-TLV
– IKE-Bootstrap-Information-TLV: specifies the selected IKE phase 1 peer authentication method and the associated cryptographic material
– Authorization-Lifetime-TLV

Slide 12: Message flow, step 5
MN to AAAH: MIPv6-Authorization-TLV (Negotiation-Result)
MN sends a Negotiation-Result-TLV:
– allows the MN to refuse the proposed configuration
– may be useful in case the AAAH cannot provide some of the options previously requested by the MN (e.g. a specific HA)
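The container encoding of slide 6, the five-step MN/AAAH exchange of slides 7 to 12, and the derivation of the MN-HA pre-shared key from EAP keying material mentioned on slide 4, worked through as an added example. This is illustration code written for this page, not code from the draft or its authors. Everything about the wire format is assumed: the TLV type codes, the 1-byte type / 2-byte length layout, the HMAC-SHA256 derivation that stands in for the AMSK construction of draft-giaretta-mip6-amsk-00, the key identifier carried inside IKE-Bootstrap-Info, and the in-memory table that stands in for the AAA-HA protocol. The EMSK, NAI, interface identifier and home agent address/prefix are constructed sample inputs.

```python
import hashlib
import hmac
import struct

# Assumed TLV type codes; the draft's real values are not shown on the slides.
SERVICE_STATUS, SERVICE_OPTIONS, SERVICE_SELECTION = 1, 2, 3
HOME_AGENT_ADDRESS, HOME_ADDRESS, INTERFACE_IDENTIFIER = 4, 5, 6
IKE_AUTH_OPTIONS, IKE_BOOTSTRAP_INFO, AUTH_LIFETIME, NEGOTIATION_RESULT = 7, 8, 9, 10


def encode_tlvs(tlvs):
    """Pack (type, value) pairs as 1-byte type, 2-byte length, value (assumed layout)."""
    return b"".join(struct.pack("!BH", t, len(v)) + v for t, v in tlvs)


def decode_tlvs(buf):
    """Parse a MIPv6-Authorization container; reject truncated or overlong TLVs."""
    tlvs, off = [], 0
    while off < len(buf):
        if off + 3 > len(buf):
            raise ValueError("truncated TLV header")
        t, ln = struct.unpack_from("!BH", buf, off)
        off += 3
        if off + ln > len(buf):
            raise ValueError("TLV length exceeds container")
        tlvs.append((t, buf[off:off + ln]))
        off += ln
    return dict(tlvs)


def mn_ha_psk(emsk, mn_nai, ha_addr, key_id):
    """Assumed KDF: the MN-HA PSK is derived on both sides from EAP keying
    material (EMSK) and bound to the endpoints; only key_id crosses the air."""
    info = b"MIPv6-MN-HA-PSK|" + mn_nai + b"|" + ha_addr + b"|" + key_id
    return hmac.new(emsk, info, hashlib.sha256).digest()


def aaah_step1():
    """Step 1: AAAH tells the MN that MIPv6 service is available."""
    return encode_tlvs([(SERVICE_STATUS, b"\x01")])


def mn_step2(step1, ike_auth_methods, iid_hint):
    """Step 2: MN activates MIPv6, hints an Interface-Identifier, lists IKE auth methods."""
    if decode_tlvs(step1).get(SERVICE_STATUS) != b"\x01":
        return None  # service unavailable: nothing to bootstrap
    return encode_tlvs([(SERVICE_SELECTION, b"\x01"), (INTERFACE_IDENTIFIER, iid_hint),
                        (IKE_AUTH_OPTIONS, b",".join(ike_auth_methods))])


def aaah_step3_4(step2, emsk, mn_nai, ha_pool, ha_state, key_id, lifetime=3600):
    """Steps 3 and 4: AAAH picks an HA and an IKE phase 1 auth method, installs
    state on the HA (dict stands in for the AAA-HA protocol), answers the MN."""
    req = decode_tlvs(step2)
    if req.get(SERVICE_SELECTION) != b"\x01":
        return None
    offered = req.get(IKE_AUTH_OPTIONS, b"").split(b",")
    chosen = next((m for m in (b"psk", b"cert") if m in offered), None)
    if chosen is None:
        return None  # no common IKE peer-authentication method
    ha_addr, ha_prefix = ha_pool[0]
    hoa = ha_prefix + req.get(INTERFACE_IDENTIFIER, b"\x00" * 8)  # /64 prefix + IID
    psk = mn_ha_psk(emsk, mn_nai, ha_addr, key_id) if chosen == b"psk" else None
    ha_state[ha_addr] = {"nai": mn_nai, "hoa": hoa, "psk": psk, "lifetime": lifetime}
    return encode_tlvs([(HOME_AGENT_ADDRESS, ha_addr), (HOME_ADDRESS, hoa),
                        (IKE_BOOTSTRAP_INFO, chosen + b":" + key_id),
                        (AUTH_LIFETIME, struct.pack("!I", lifetime))])


def mn_step5(step4, emsk, mn_nai, wanted_ha=None):
    """Step 5: MN checks the offer (e.g. the specific HA it asked for), derives its
    own copy of the PSK, and returns Negotiation-Result plus its local state."""
    cfg = decode_tlvs(step4)
    accept = wanted_ha is None or cfg[HOME_AGENT_ADDRESS] == wanted_ha
    method, _, key_id = cfg[IKE_BOOTSTRAP_INFO].partition(b":")
    psk = mn_ha_psk(emsk, mn_nai, cfg[HOME_AGENT_ADDRESS], key_id) if accept and method == b"psk" else None
    result = encode_tlvs([(NEGOTIATION_RESULT, b"\x00" if accept else b"\x01")])
    return result, {"ha": cfg[HOME_AGENT_ADDRESS], "hoa": cfg[HOME_ADDRESS], "psk": psk,
                    "lifetime": struct.unpack("!I", cfg[AUTH_LIFETIME])[0], "accepted": accept}


def run_bootstrap(emsk, mn_nai, ha_pool, ike_auth_methods=(b"psk", b"cert"), wanted_ha=None):
    """Drive the whole exchange; returns the MN's state and the HA state table."""
    ha_state = {}
    key_id = hashlib.sha256(b"constructed-key-id|" + mn_nai).digest()[:8]  # stand-in for a fresh AAAH nonce
    s1 = aaah_step1()
    s2 = mn_step2(s1, ike_auth_methods, iid_hint=b"\x02\x11\x22\xff\xfe\x33\x44\x55")
    s4 = aaah_step3_4(s2, emsk, mn_nai, ha_pool, ha_state, key_id)
    s5, mn_state = mn_step5(s4, emsk, mn_nai, wanted_ha)
    if decode_tlvs(s5)[NEGOTIATION_RESULT] != b"\x00":
        ha_state.pop(mn_state["ha"], None)  # MN refused: AAAH tears the HA state down
    return mn_state, ha_state


if __name__ == "__main__":
    # Constructed sample inputs: a fake 64-byte EMSK, an NAI, one HA (address, /64 prefix).
    pool = [(bytes.fromhex("20010db8000000010000000000000001"), bytes.fromhex("20010db800000001"))]
    mn, ha = run_bootstrap(b"\x11" * 64, b"mn@example.net", pool)
    print(mn["accepted"], mn["psk"] == ha[mn["ha"]]["psk"])
```

Two points the slides leave implicit are visible here: the pre-shared key installed on the HA in step 3 and the copy the MN derives in step 5 agree without the key itself ever being carried in a TLV, because both sides derive it from the EAP keying material; and the Negotiation-Result of step 5 has to be acted on by the AAAH, otherwise a refused HA keeps a binding for an MN that will never register. The decoder also refuses a container whose length fields run past the buffer, which is the check a pass-through authenticator or AAAH must make before trusting anything a peer sends inside an EAP method.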

Slide 13: Open issues (from the mip6 mailing list)
Negotiation of dynamic home address assignment using IKEv2:
– should we also consider IKEv1?
Should the MN and AAAH also negotiate the IKE version to be used between MN and HA?

Slide 14: Next steps
Feedback from the EAP WG?
WG item?