1. 1 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0291-00-0000 Title: EAP Pre-authentication Problem Statement in IETF HOKEY WG Date Submitted: September, 14th, 2007 Presented at IEEE 802.21 session #22 in Hawaii Authors or Source(s): Yoshihiro Ohba Abstract: This document explains EAP pre-authentication activity in IETF HOKEY WG. This document also describes high-level issues that need to be discussed in the 802.21 Security SG about pre-authentication

2. 2 IEEE 802.21 presentation release statements This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21. The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual and in Understanding Patent Issues During IEEE Standards Development http://standards.ieee.org/board/pat/guide.html> Section 6.3 of the IEEE-SA Standards Board Operations Manualhttp://standards.ieee.org/guides/opman/sect6.html#6.3 http://standards.ieee.org/board/pat/guide.html IEEE 802.21 presentation release statements This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21. The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws and in Understanding Patent Issues During IEEE Standards Development http://standards.ieee.org/board/pat/faq.pdf> Section 6 of the IEEE-SA Standards Board bylawshttp://standards.ieee.org/guides/bylaws/sect6-7.html#6 http://standards.ieee.org/board/pat/faq.pdf

3. 3 Outline Introduction of IETF HOKEY activity about EAP pre-authentication –http://www.ietf.org/internet-drafts/draft-ietf-hokey-preauth-ps-00.txt –The content of the preauth-ps draft is explained in this presentation Pre-authentication-related issues that need to be discussed in 802.21 SSG

4. 4 EAP pre-authentication Definition [I-D.ietf-eap-keying-15] “ The use of EAP to pre-establish EAP keying material on an authenticator prior to arrival of the peer at the access network managed by that authenticator ” Example usage of EAP pre-authentication: IEEE 802.11i pre-authentication –Defined for intra-ESS transitions

5. 5 Scenario 1: Direct Pre-authentication mobile host Candidate Authenticator (CA) home AAA server Serving network Candidate Network home network Internet - Generate MSK with the authenticator-2 by executing EAP through it. MN-CA Signaling EAP over L2 or L3 EAP over AAA

6. 6 Scenario 2: Indirect Pre-authentication mobile host Serving Authenticator (SA) Candidate Authenticator (CA) home AAA server Serving Network Candidate Network home network Internet - Generate MSK with the authenticator-2 by executing EAP through it. EAP over AAA MN-SA signaling EAP over L2/L3 SA-CA signaling EAP over L3

7. 7 Indirect Pre-authentication Layering Model MN-SA Signaling Layer MN-SA Signaling Layer SA-CA Signaling Layer SA-CA Signaling Layer EAP Peer EAP Authenticator Pre-authentication Forwarding Candidate Authenticator Serving Authenticator Mobile Node

8. 8 Pre-authentication AAA Requirements AAA requirements related to EAP pre-authentication need to be identified (See draft-nakhjiri-preauth-aaa-req-00 for details) –Distinguishing normal authentication from pre-authentication –Pre-authentication life-time –Re-pre-authentication –Post handover procedure –Session resumption or key caching –Multiple pre-authentication –Provisioning of serving network information –Network-controlled pre-authentication AAA requirements may affect MN-CA, MN-SA and SA- CA signaling design

9. 9 HOKEY Charter in pre-authentication “EAP re-authentication and EAP pre- authentication authenticator are expected to use the same layer and the same protocol as the original EAP authentication used for the authenticator.” Reason for this restriction: Inter-technology pre- authentication has technical issues that need to be studied –Authenticator discovery –Context binding

10. 10 Pre-authentication issue 1: Authenticator discovery In general, pre-authentication requires an address of a target authenticator to be discovered either by a mobile node or by a serving authenticator prior to handover An authenticator discovery protocol is typically defined as a separated protocol from a pre-authentication protocol When a target authenticator uses link-layer EAP transport for both normal authentication and pre-authentication, target authenticator discovery is typically defined in each link-layer technology –E.g., 802.11k and 802.16e For other cases, a mechanism for discovering an IP address of target authenticator is needed –(IP address, link-layer address) mapping needs to be resolved

11. 11 Pre-authentication issue 2: Context binding A mechanisms is needed to bind link-layer independent context carried over pre-authentication signaling to the link-layer specific context of the link to be established between the mobile node and the target authenticator –Link-layer independent context: the identities of peer and authenticator as well as MSK –Link-layer specific context: link-layer addresses of peer and target authenticator. Two possible approaches to address the context binding issue –Approach 1: communicating the lower-layer context as opaque data via pre-authentication signaling –Approach 2: use of normal EAP authentication after handover with using the same link-layer independent context for both pre-authentication and normal authentication

12. 12 Pre-authentication applicability (quote from I-D.hokey-preauth-ps) “This framework has general applicability to various deployment scenarios in which proactive signaling can take effect. In other words, applicability of EAP pre- authentication is limited to the scenarios where candidate authenticators can be easily discovered, an accurate prediction of movement can be easily made.” “Also the effectiveness of EAP pre-authentication may be less significant for particular inter-technology handover scenarios where simultaneous use of multiple technologies is not a major concern or where there is sufficient radio- coverage overlap among different technologies.”

13. 13 Pre-authentication protocol work IETF HOKEY WG has decided to focus on pre- auth problem statement and not to work on actual pre-authentication protocol –L2-agnostic pre-authentication protocol is to be defined in IETF PANA WG is defining pre-authentication extension for PANA There is no context binding issue because there is no link-layer specific context –L2-aware pre-authentication protocol should be defined outside IETF IEEE 802.21 may define it, with addressing authenticator discovery and context binding issues –Defining new AAA attributes for pre-auth should be done in IETF DIME and RADEXT WGs

14. 14 High-level questions for 802.21 Should a pre-authentication protocol be defined in 802.21? Should 802.21work on an EAP pre- authentication only or non-EAP pre- authentication as well?