Slide 1: EAP Extensions for EAP Early Authentication Protocol (EEP)
Hao Wang, Yang Shi, Tina Tsou
Slide 2: EEP in the HOKEY architecture
HOKEY goal: minimize handover delay. Two approaches:
- Re-authentication (problem statement: RFC 5169), realized by ERP (RFC 5296). Only intra-AAA-realm handover is considered.
- Early authentication (problem statement: RFC 5836), with two usage models: the pre-authentication usage model (two sub-models, direct and indirect; PANA extension, RFC 5873, Experimental) and the authenticated anticipatory keying usage model (ERP/AAK, draft-ietf-hokey-erp-aak-02). Both intra-AAA-realm and inter-AAA-realm handover are supported.
EEP (draft-hao-hokey-eep-00) supports both intra-AAA-realm and inter-AAA-realm handover.
Slide 3: Application problems of the early authentication models
Early authentication model discussion (refer to RFC 5836).

Model                             | Intra-AAA-realm handover | Inter-AAA-realm handover
Direct pre-authentication         | Need to establish direct IP communication between MH and CAP (both scenarios).
Indirect pre-authentication       | Need to establish direct IP communication between SAP and CAP, and maintain a trust relationship for each pair of SAP and CAP (both scenarios).
Authenticated anticipatory keying | OK!                      | Need to establish a trust relationship between the AAAs; security context transfer must be allowed.
Slide 4: An improved indirect pre-authentication model for inter-AAA-realm handover
[Figure: original indirect pre-authentication model (MH, SAP, CAP, SAP-AAA, CAP-AAA; EAP over L2 or L3, EAP over L3, EAP over AAA).]
[Figure: new indirect pre-authentication model (MH, SAP, CAP, SAP-AAA, CAP-AAA; EAP over L2 or L3, EAP over AAA).]

                                 | Original                                                                                   | New
Trust relationship               | Established between APs                                                                    | Established between AAAs
IP communication across networks | "Many": one for every pair of APs; whether it can be established depends on network topology | Only one, between the AAAs, shared by all APs; more applicable because AAA servers are usually deployed in the higher-layer network
Slide 5: Early authentication model discussion (refer to RFC 5836)
There is no best model for all cases! The basic design idea of EEP is "adopt the proper model based on the scenario". Choosing the proper model:
- Intra-AAA-realm handover: authenticated anticipatory keying is the proper model.
- Inter-AAA-realm handover: can a trust relationship be established between the SAP network and the CAP network?
  - Yes: is security transfer between the AAAs allowed? Yes: authenticated anticipatory keying. No: new indirect pre-authentication.
  - No: can direct IP communication be established between MH and CAP? Yes: direct pre-authentication. No: early authentication is not possible.
Slide 6: Inter-AAA-realm handover problem statement
[Figure: MH moving from SAP (served by SAP-AAA) to CAP (served by CAP-AAA) across the Internet.]
Problem 1. The trust relationship needs to be established between SAP-AAA and CAP-AAA.
Problem 2. The MH needs to know which early authentication model should be used.
Problem 3. In the new indirect model, SAP and SAP-AAA should forward EAP authentication packets to CAP-AAA instead of processing them locally.
Problem 4. Frequent MH handover may leave obsolete early authentication sessions on the AAA servers.
Slide 7: Problem 1: Establishing the trust relationship between AAAs
How to establish the trust relationship is out of scope for this document, but three cases can be considered: full, semi and no trust relationship.

Relation between AAAs                   | Full trust | Semi trust | No trust
Accept the other acting as an AAA proxy | Yes        | Yes        | No
Trust the other's authentication result | Yes        | No         | No
Security context transfer               | Yes        | No         | No

Full trust relationship: EAP authentication is not required, so the AAK model suits this case.
Semi trust relationship: the MH needs to do full EAP authentication with CAP-AAA through SAP-AAA, so the new indirect pre-authentication model suits this case.
No trust relationship: the MH needs to do full early authentication directly, so the direct pre-authentication model suits this case.
Slide 8: Problem 2: MH starts early authentication
[Figure: MH, SAP, SAP-AAA, CAP and CAP-AAA across the Internet.]
① The MH sends the NAS-id and domain name of the CAP to SAP-AAA.
② SAP-AAA acts depending on the trust relationship:
- No trust relationship: inform the MH to start EAP authentication through the CAP (EAP over PANA).
- Semi trust relationship: inform the MH to start EAP authentication through SAP-AAA.
- Full trust relationship: transfer the security context to CAP-AAA and inform the MH of the early authentication result.
Slide 9: Problem 3: Forwarding EAP authentication packets (semi trust relationship, new indirect pre-authentication model)
[Figure: MH, SAP, SAP-AAA, CAP and CAP-AAA across the Internet; EAP over PANA from MH, EAP over AAA between the AAAs.]
① The MH sends the EAP authentication packets to SAP-AAA over PANA, with the CAP domain name and E bit = 1 (refer to RFC 5873).
② The SAP forwards the packets to SAP-AAA as normal data.
③ SAP-AAA forwards the EAP packets to CAP-AAA (EAP over AAA) and takes on the role of virtual NAS and AAA proxy.
Slide 10: Problem 4: Frequent handovers
[Figure: MH handing over frequently between SAP and CAP, served by SAP-AAA and CAP-AAA across the Internet.]
Discussion:
- Define a special message for the MH to release an early authentication session proactively.
- Define a special message for the MH to reversely change its state from full authenticated to early authenticated.
Slide 11: Further discussion. Problem 1: Authorize before handover or after handover?
[Figure: MH, SAP and CAP across the Internet.]
① The MH starts early authentication.
② The AAA authorizes before handover.
Problem: before handover, the MH has not yet connected to the CAP. To whom will the authorization information and security context be bound on the CAP?
Slide 12: Further discussion. Problem 2: How to ensure information consistency?
[Figure: MH, SAP and CAP across the Internet.]
① The MH starts early authentication.
② Handover.
③ Derive the key for the lower layer, but the early authentication session has just expired.
Problem: which key?
Slide 13: EAP early authentication protocol (EEP) solution: authorize after handover and confirm the key simultaneously
[Figure: MH, SAP and CAP across the Internet.]
① The MH starts early authentication.
② Handover.
③ The MH requests to change state from early authenticated to full authenticated and confirms the key.
④ The AAA authorizes and distributes the security context to the CAP.
⑤ Derive the key for the lower layer.
Slide 14: EAP early authentication protocol (EEP): EAP packet and TLV extension
1. Design idea
   a. Unified packet extension to support the different models.
   b. Balance between reuse and extensibility.
2. EAP packet extension

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Code      |  Identifier   |            Length             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |  Type-Data ...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The EAP codes defined in ERP (RFC 5296) are reused and their usage extended to early authentication:
   5 Initiate
   6 Finish
Type values (new values are defined alongside those of RFC 5296):
   1 Re-auth-Start (RFC 5296)
   2 Re-auth (RFC 5296)
   3 Pre-Early-auth: used before handover (new)
   4 Post-Early-auth: used after handover (new)
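The packet layout above and the early-to-full state change of the previous slide, as an added Python example that is not part of the presentation or of any EEP implementation: it builds and parses EEP packets with the reused ERP codes 5 and 6 and types 1 to 4, rejects a Length field that does not match the received bytes, and, in a hypothetical EepSession class (an assumption, not from the draft), accepts Pre-Early-auth only before handover and Post-Early-auth only after it.

```python
import struct
# EAP codes reused from ERP (RFC 5296); EEP extends their usage to early authentication
EEP_CODES = {5: "Initiate", 6: "Finish"}
# Type values: 1 and 2 come from RFC 5296, 3 and 4 are the EEP additions
EEP_TYPES = {1: "Re-auth-Start", 2: "Re-auth",
             3: "Pre-Early-auth",   # used before handover
             4: "Post-Early-auth"}  # used after handover
HEADER = struct.Struct("!BBHB")  # Code, Identifier, Length (whole packet), Type

def build_eep_packet(code, identifier, eap_type, type_data=b""):
    """Serialize one EEP packet; Length covers the header and Type-Data."""
    if code not in EEP_CODES or eap_type not in EEP_TYPES:
        raise ValueError("not an ERP/EEP code or type")
    length = HEADER.size + len(type_data)
    if length > 0xFFFF:
        raise ValueError("Type-Data too long for the 16-bit Length field")
    return HEADER.pack(code, identifier & 0xFF, length, eap_type) + type_data

def parse_eep_packet(buf):
    """Parse and validate a packet; bytes beyond Length are lower-layer padding."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated EAP header")
    code, identifier, length, eap_type = HEADER.unpack_from(buf)
    if length < HEADER.size or length > len(buf):
        raise ValueError("Length field inconsistent with received bytes")
    if code not in EEP_CODES or eap_type not in EEP_TYPES:
        raise ValueError("not an ERP/EEP code or type")
    return {"code": EEP_CODES[code], "identifier": identifier,
            "type": EEP_TYPES[eap_type], "type_data": buf[HEADER.size:length]}

class EepSession:
    """Hypothetical per-MH state on the AAA side (assumption, not from the draft)."""
    def __init__(self):
        self.state, self.handed_over = "unauthenticated", False

    def handover(self):
        self.handed_over = True

    def accept(self, buf):
        pkt = parse_eep_packet(buf)
        if pkt["type"] == "Pre-Early-auth" and not self.handed_over:
            if pkt["code"] == "Finish":
                self.state = "early-authenticated"  # kept until handover
        elif (pkt["type"] == "Post-Early-auth" and self.handed_over
              and self.state == "early-authenticated"):
            if pkt["code"] == "Finish":
                self.state = "full-authenticated"   # key confirmed, authorized
        else:
            raise ValueError(f"{pkt['type']} not valid in state {self.state}")
        return pkt
```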
Slide 15
Please give your guidance and comments on this work. Thanks! We hope you will join it!