Hokey Architecture Deployment and Implementation
Qin Wu Hoeper Katrin
Hokey Architectural Deployment and Implementation
Objective

- Deploy ERP and the EAP early authentication protocol in the mobile environment, and address the useful scenarios that arise there.

Motivation

- Provide guidelines to make progress on the Diameter ERP document.
- Design an architecture that enables ERP or early authentication.
- Enable deployment of the hokey architecture in real-life environments.
- Investigate scalability and performance issues that re-authentication and early authentication might raise.
Problem Description

Different deployments have different scenarios for re-authentication and early authentication.
Deployments Consideration
Deployment 1: The hokey server is separated from the home AAA server and deployed in the home domain, and the hokey proxy is separated from the AAA proxy and deployed in the local domain.

Deployment 2: The hokey server is collocated with the home AAA server, and the hokey proxy is collocated with the AAA proxy and deployed in the local domain.

Deployment 3: The hokey server is separated from the AAA proxy and deployed in each local domain. There is no hokey server in the home domain.

Deployment 4: The hokey server is collocated with the AAA proxy and deployed in each local domain. There is no hokey server in the home domain.
Re-authentication Scenario A
[Figure: home AAA domain (home ER server/home EAP server) and visited AAA domain (local ER server/local EAP server, previous NAS, new NAS, DHCPv6 server); the DSRK is transported from the home ER server to the local ER server; the mobile knows the local domain name.]

a. Explicit ERP bootstrapping occurs in the initial full authentication with the home ER server when the peer first attaches to a domain or enters a new domain. It is used to re-authenticate the peer in the home domain and to transport the local root key to the local ER server.

b. When the peer associates with the new authenticator, ERP in the local domain is used to re-authenticate the peer in the local domain.
Re-authentication Scenario B
[Figure: home AAA domain (home ER server/home EAP server) and visited AAA domain (local ER server/local EAP server, previous NAS, new NAS, DHCPv6 server); the DSRK and the local domain name are transported from the home ER server; the mobile does not know the local domain name.]

a. Explicit ERP bootstrapping occurs in the initial full authentication with the home ER server when the peer first attaches to a domain or enters a new domain. It is used to re-authenticate the peer in the home domain and to transport the local root key to the local ER server. It is also used to request the local domain name for the peer.

b. When the peer associates with the new authenticator, ERP in the local domain is used to re-authenticate the peer in the local domain.
Re-authentication Scenario C
[Figure: home AAA domain (home ER server/home EAP server) and visited AAA domain (local ER server/local EAP server, previous NAS, new NAS, DHCPv6 server); the DSRK is transported to the local server; the mobile does not know the local domain name.]

a. Implicit bootstrapping occurs in the initial EAP full authentication when the peer first attaches to a domain or enters a new domain, and is used to transport the local root key to the local ER server.

b. When the peer moves to the new NAS and does not know the local domain name, explicit ERP bootstrapping is used to request the local domain name for the peer and to re-authenticate the peer in the local domain.

c. The peer uses the local domain name now available to perform ERP with the local ER server without involvement of the home EAP server.
Re-authentication Scenario D
[Figure: home AAA domain (home EAP server) and visited AAA domain (local ER server/local EAP server, previous NAS/DHCP relay, new NAS, DHCPv6 server); the DSRK is transported to the local server; the mobile does not know the local domain name.]

a. In the initial EAP full authentication (implicit bootstrapping), the local ER server requests the DSRK from the home EAP server.

b. The peer uses the DHCP procedure to request the local domain name.

c. When re-authentication occurs after the initial EAP full authentication, the peer uses the local domain name to perform ERP with the local ER server without involvement of the home EAP server.
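To make the key split behind scenarios A to D concrete, here is an added Python model (not code from the slides) of the ERP key hierarchy: the home ER server derives a domain-specific root key (DSRK) from the EMSK and hands it to the local ER server, which then derives rRK, rIK and per-NAS rMSKs on its own, so step c above needs no home round trip. The key labels and PRF+ construction are as I recall them from RFC 5295/5296 (verify against the RFCs); the EMSK value and domain names are constructed.

```python
import hmac
import hashlib

# Added example, not code from the slides. Key labels and the PRF+ construction
# are reproduced from RFC 5295/5296 as I recall them; the EMSK value is made up.
EMSK_LEN = 64
DSRK_LABEL = b"dsrk@ietf.org"
RRK_LABEL = b"EAP Re-authentication Root Key@ietf.org"
RIK_LABEL = b"Re-authentication Integrity Key@ietf.org"
RMSK_LABEL = b"Re-authentication Master Session Key@ietf.org"
EMSK = hashlib.sha512(b"constructed EMSK from the initial full EAP authentication").digest()


def prf_plus(key: bytes, s: bytes, length: int) -> bytes:
    """PRF+ with HMAC-SHA-256: T(i) = HMAC(key, T(i-1) | S | i), concatenated."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + s + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]


def kdf(key: bytes, label: bytes, optional: bytes, length: int) -> bytes:
    """RFC 5295 KDF: S = label | NUL | optional data | 2-octet length."""
    return prf_plus(key, label + b"\0" + optional + length.to_bytes(2, "big"), length)


def derive_dsrk(emsk: bytes, domain: str) -> bytes:
    """Home ER server: DSRK bound to one visited domain (explicit or implicit bootstrapping)."""
    return kdf(emsk, DSRK_LABEL, domain.encode(), EMSK_LEN)


def derive_rrk_rik(root: bytes) -> tuple:
    """rRK and rIK from either the EMSK (home ER server) or a DSRK (local ER server)."""
    rrk = kdf(root, RRK_LABEL, b"", EMSK_LEN)
    return rrk, kdf(rrk, RIK_LABEL, b"", EMSK_LEN)


def derive_rmsk(rrk: bytes, seq: int) -> bytes:
    """Per-NAS rMSK for re-authentication sequence number seq (2-octet SEQ)."""
    return kdf(rrk, RMSK_LABEL, seq.to_bytes(2, "big"), EMSK_LEN)


def local_domain_reauth(emsk: bytes, domain: str, seq: int) -> dict:
    """Scenario C/D step c: the home domain hands over the DSRK once; the local ER
    server then derives rRK/rIK and a fresh rMSK for each new NAS on its own."""
    dsrk = derive_dsrk(emsk, domain)   # the only key that leaves the home domain
    rrk, rik = derive_rrk_rik(dsrk)    # held only by the local ER server
    return {"dsrk": dsrk, "rrk": rrk, "rik": rik, "rmsk": derive_rmsk(rrk, seq)}
```

Because the DSRK is derived with the domain name as optional data, a local ER server in one visited domain learns nothing about the root keys of another domain or of the home domain.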
Early Authentication Scenario A
[Figure: home AAA domain (home EAP server) and two visited AAA domains (local EAP server/hokey server, AAA proxy, previous NAS, new NAS1, new NAS2); the candidate NAS is reported to the home domain and the key is transported to new NAS2.]

a. Before the mobile moves to the new NAS, the mobile or the previous NAS discovers the candidate NAS and reports it to the AAA server.

b. The AAA server in the home domain transports the key to the new NAS2.
Early Authentication Scenario B
[Figure: home AAA domain (home EAP server) and two visited AAA domains (local EAP server/hokey server, AAA proxy, previous NAS, new NAS1, new NAS2); pre-authentication signaling flows from the previous NAS via new NAS2 to the AAA server.]

a. Before the mobile moves to the new NAS, the previous NAS discovers the candidate NAS, i.e., new NAS2.

b. The NAS forwards EAP pre-authentication signaling to the new NAS2, and the new NAS exchanges with the AAA server to finish EAP pre-authentication.
Early Authentication Scenario C
[Figure: home AAA domain (home EAP server) and visited AAA domains (local EAP server/hokey server, AAA proxy, previous NAS, new NAS); pre-authentication signaling flows from the mobile directly to the new NAS and on to the AAA server.]

a. Before the mobile moves to the new NAS, the mobile discovers the candidate NAS, i.e., new NAS2.

b. The mobile sends EAP pre-authentication signaling directly to the new NAS2, and the new NAS exchanges with the AAA server to finish EAP pre-authentication.
ML Discussion Summary

Some discussion and support has been received regarding the hokey architecture work. The hokey architecture was commented to be useful for progressing the Diameter ERP work.

Routing issues were raised:

- Whether defining a new Diameter application ID can be used to resolve all the routing issues.
- Whether a decorated NAI can also be used to resolve the routing issue.
- This depends on the specific deployment; e.g., if multiple proxies are located in the local domain, how does routing work?

Confusion in RFC 5296 addressed:

- In implicit bootstrapping, is the AAA server the EAP server?
- Is implicit bootstrapping the EAP full authentication described in Figure 3?
Proposal

Adopt it as a new WG item?
Thanks