Presentation is loading. Please wait.

Presentation is loading. Please wait.

ERP extension for EAP Early-authentication Protocol (EEP)

Published byGrant Parsons Modified over 6 years ago

Similar presentations

Presentation on theme: "ERP extension for EAP Early-authentication Protocol (EEP)"— Presentation transcript:

1 ERP extension for EAP Early-authentication Protocol (EEP)
Denghui, Qin Wu,Yungui Wang IETF 76 Hiroshima, Japan November 08-13, 2009

2 Motivation This document is intended to propose to extend the ERP for EAP Early-authentication that is used to delivery keying materials to the target authenticator(s) prior to arrival of the peer. Assumption: The serving authenticator is unaware of the target authenticator (s).

3 Overview This document mostly reflects the “authenticated anticipatory keying usage model” defined in section 6.2 of [draft-ietf-hokey-preauth-ps-09].

4 pMSK: pre-established MSK for EAP Early-authentication
Overview Peer: CA Discovery (out of scope of this document); Initiate the EAP Early-authentication exchange; SA: Serving Authenticator Trigger the EAP Early-authentication exchange; Forward the EAP Early-authentication messages transparently; CA: Candidate Authenticator Receive the EE keying materials (pMSK, etc.) from EE server; EE (EAP Early-authentication) Server: Authenticate and Authorize the CA (s) through channel binding mechanism [draft-ietf-emu-chbind]; Derive and transport the EE keying materials to CA (s); EE server is collocated with the peer’s home AAA server. pMSK: pre-established MSK for EAP Early-authentication

5 Informational Flow Peer SA CA1 CAx EE Server 1. CA Discovery
2. EAP-Initiate/Early-auth-Start 3. EAP-Initiate/Early-auth (CA List) 4. AAA (EAP-Initiate/Early-auth (CA List)) One or more than one CA is authorized and authenticated

6 Informational Flow Peer SA CA1 CAx Server
5. EE keying materials derived 6. AAA (pMSK) pMSK1 pMSK x pMSK1...x 7. AAA (EAP-Finish/Early-auth) 8. EAP-Finish/Early-auth pMSK: pre-established MSK for EAP Early-authentication

7 EEP re-uses ERP Packets
EAP-Initiate/re-auth-Start EAP-Initiate/re-auth EAP-Finish/re-auth

8 EAP-Initiate/re-auth-Start
Type: re-auth-Start New Flag ‘E’, to indicate early-authentication.

9 EAP-Initiate/Early-auth
Type: re-auth-Start New Flag: ‘E' - to indicate early-authentication. NOTE: ‘B’ flag is not retained due to without bootstrapping in EEP.

10 New TLV: NAS-Identifier: As defined in [RFC5296], it is carried in a TLV payload. Here, the Type is TBD. It is used to indicate the identifier of CA. One or more than one NAS-Identifier may be represented in the EAP-Initiate/Early-auth packet.

11 EAP-Finish/Early-auth
Type: re-auth New Flag: ‘E' - to indicate early-authentication. NOTE: ‘B’ flag is not retained due to without bootstrapping in EEP.

12 New TLV: EEP-Key: It is carried in a TLV payload for the key container. The type is TBD. One or more than one EEP-key may be present in an EAP-Finish/Early-auth packet. EEP-Key ::= { sub-TLV: NAS-Identifier } { sub-TLV: pMSK-lifetime } { sub-TLV: pRK-lifetime } { sub-TLV: Cryptosuites }

13 Sub-TLVs: NAS-Identifier: It is carried in a sub-TLV payload. The Type is tbd. It is used to indicate the identifier of candidate authenticator. There is exact one NAS-Identifier is represent in the EEP-Key. pMSK-lifetime: It is carried in a sub-TLV payload. The Type is TBD. The value field is a 32-bit field and contains the lifetime of the pMSK in seconds. If the 'L' flag is set, the pMSK Lifetime attribute SHOULD be present. pRK-lifetime: It is carried in a sub-TLV payload. The Type is TBD. The value field is a 32-bit field and contains the lifetime of the pRK in seconds. If the 'L' flag is set, the pRK Lifetime attribute SHOULD be present. List of Cryptosuites: This is a sub-TLV payload. The Type is TBD. The value field contains a list of cryptosuites, each of size 1 octet. The cryptosuite values are as specified in Figure 3. The server SHOULD include this attribute if the cryptosuite used in the EAP-Initiate/Early-auth message was not acceptable and the message is being rejected. The server MAY include this attribute in other cases. The server MAY use this attribute to signal to the peer about its cryptographic algorithm capabilities.

14 Lower Layer Consideration
Similar to ERP, the lower layer specifications may need to be revised to support EEP. That can be referred to the section 6 of [RFC5296] for additional guidance.

15 AAA Transport AAA transport of EEP message is the same specified as ERP [RFC5296] as well. However, in the document, AAA transport of the EEP message is separated from AAA transport of the EE keying materials which is delivered from the EAP server to the CA(s). Hence, new Diameter EEP application message and new Radius EEP message should be defined to transport EE keying materials.

16 Security Consideration
TBD

17 Thanks

18 Appendix A: after handover
Peer SA CA1 CAx Server 9. CA selection 10. pMSK generation 11. Attachment 12. AAA user session update 13. Session Abort Request

Download ppt "ERP extension for EAP Early-authentication Protocol (EEP)"

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
EAP Scenarios and 802.1af Joseph Salowey 1/12/2006.

EAP Scenarios and 802.1af Joseph Salowey 1/12/2006.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
ERP for IKEv2 draft-nir-ipsecme-erx-01. Why ERP for IKEv2? RFC 5296 and the bis document define a quick re- authentication protocol for EAP. ERP requires.

ERP for IKEv2 draft-nir-ipsecme-erx-01. Why ERP for IKEv2? RFC 5296 and the bis document define a quick re- authentication protocol for EAP. ERP requires.
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
12/05/2007IETF70 PANA WG1 PANA Network Selection draft-ohba-pana-netsel-00.txt Yoshihiro Ohba.

12/05/2007IETF70 PANA WG1 PANA Network Selection draft-ohba-pana-netsel-00.txt Yoshihiro Ohba.
EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.

EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.
August 1, 2005IETF63 PANA WG Pre-authentication Support for PANA (draft-ohba-pana-preauth-00.txt) Yoshihiro Ohba

August 1, 2005IETF63 PANA WG Pre-authentication Support for PANA (draft-ohba-pana-preauth-00.txt) Yoshihiro Ohba
2015-10-17Hokey IETF 81 Quebec1 EAP Extensions for EAP Re- authentication Protocol draft-ietf-hokey-rfc5296bis-04 Qin Wu Zhen Cao Yang Shi Baohong He.

Hokey IETF 81 Quebec1 EAP Extensions for EAP Re- authentication Protocol draft-ietf-hokey-rfc5296bis-04 Qin Wu Zhen Cao Yang Shi Baohong He.
1 IETF 78: NETEXT Working Group IPSec/IKEv2 Access Link Support in Proxy Mobile IPv6 IPSec/IKEv2-based Access Link Support in Proxy Mobile IPv6 Sri Gundavelli.

1 IETF 78: NETEXT Working Group IPSec/IKEv2 Access Link Support in Proxy Mobile IPv6 IPSec/IKEv2-based Access Link Support in Proxy Mobile IPv6 Sri Gundavelli.
EAP Extensions for EAP Re- authentication Protocol (ERP) draft-wu-hokey-rfc5296bis-01 Yang Shi Qin Wu Zhen Cao

EAP Extensions for EAP Re- authentication Protocol (ERP) draft-wu-hokey-rfc5296bis-01 Yang Shi Qin Wu Zhen Cao
EAP Extensions for EAP Early Authentication Protocol (EEP) Hao Wang, Yang Shi, Tina Tsou.

EAP Extensions for EAP Early Authentication Protocol (EEP) Hao Wang, Yang Shi, Tina Tsou.
1 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-0164-06-0sec Title: Detailed analysis on MIA/MSA architecture Date Submitted: January 5, 2010 Present.

1 IEEE MEDIA INDEPENDENT HANDOVER DCN: sec Title: Detailed analysis on MIA/MSA architecture Date Submitted: January 5, 2010 Present.
November 2005IETF 64, Vancouver, Canada1 EAP-POTP The Protected One-Time Password EAP Method Magnus Nystrom, David Mitton RSA Security, Inc.

November 2005IETF 64, Vancouver, Canada1 EAP-POTP The Protected One-Time Password EAP Method Magnus Nystrom, David Mitton RSA Security, Inc.
EAP Keying Framework Draft-aboba-pppext-key-problem-06.txt EAP WG IETF 56 San Francisco, CA Bernard Aboba.

EAP Keying Framework Draft-aboba-pppext-key-problem-06.txt EAP WG IETF 56 San Francisco, CA Bernard Aboba.
ICOS BOF EAP Applicability Bernard Aboba IETF 62, Minneapolis, MN.

ICOS BOF EAP Applicability Bernard Aboba IETF 62, Minneapolis, MN.
EAP Extensions for EAP Re- authentication Protocol (ERP) draft-wu-hokey-rfc5296bis-01 Glen Zorn Qin Wu Zhen Cao.

EAP Extensions for EAP Re- authentication Protocol (ERP) draft-wu-hokey-rfc5296bis-01 Glen Zorn Qin Wu Zhen Cao.
ERP/AAK support for Inter-AAA realm handover discussion Hao Wang, Tina Tsou, Richard.

ERP/AAK support for Inter-AAA realm handover discussion Hao Wang, Tina Tsou, Richard.
Washinton D.C., November 2004 IETF 61 st – mip6 WG MIPv6 authorization and configuration based on EAP (draft-giaretta-mip6-authorization-eap-02) Gerardo.

Washinton D.C., November 2004 IETF 61 st – mip6 WG MIPv6 authorization and configuration based on EAP (draft-giaretta-mip6-authorization-eap-02) Gerardo.
1 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0291-00-0000 Title: EAP Pre-authentication Problem Statement in IETF HOKEY WG Date Submitted: September,

1 IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: EAP Pre-authentication Problem Statement in IETF HOKEY WG Date Submitted: September,

Similar presentations

Ads by Google