Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Association Establishment for Handover Protocols Jari Arkko Ericsson Research NomadicLab.

Published byGarey Fitzgerald Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Association Establishment for Handover Protocols Jari Arkko Ericsson Research NomadicLab."— Presentation transcript:

1 Security Association Establishment for Handover Protocols Jari Arkko Ericsson Research NomadicLab

2 Outline l Scope l Problem l Solutions

3 Scope -- Movements AR AP AAA MN AR AP RRRR

4 Scope -- Movements AR AP AAA MN AR AP RRRR As it moves to a new place, the MN needs to talk to (1) Access points

5 Scope -- Movements AR AP AAA MN AR AP RRRR As it moves to a new place, the MN needs to talk to (1) Access points (2) AAA

6 Scope -- Movements AR AP AAA MN AR AP RRRR As it moves to a new place, the MN needs to talk to (1) Access points (2) AAA (3) Access routers

7 Scope -- Movements AR AP AAA MN AR AP RRRR As it moves to a new place, the MN needs to talk to (1) Access points (2) AAA (3) Access routers (4) Possibly other routers

8 Scope - The Access Router zThe focus of this presentation is the communication with the access router zCurrent general case is that no security is used for this communication, plain forwarding/ND/ICMP is just used zThis does not hold for all protocols -- many mobility protocols need a security association between the MN and the AR yExamples: Context Transfer, Fast Handover, CARD yDifferent types of security associations are needed in different cases

9 The Problem zCurrent mobility protocols themselves do not provide security association establishment zConfiguration of pair-wise security associations between all MNs and ARs is not practical zReliance to a trusted 3rd party might not answer to important authorization questions (e.g., can *this* node request *that* stream to be moved with FMIP?) zWhat are the options?

10 Options for SA establishment 1/2 zIKE? yIssue 1: Shared key provisioning between MN and an arbitrary visited network router yIssue 2: Authorization? zKey derivation as side effect of network access AAA yFor instance, branch off new key hierarchy from EAP reserved keys yCan be defined for network access purposes, needs a new system-level security design draft in EAP WG yIssue 1: may require a new node to be involved in addition to the AAA and AP -- how to send keys to that? yIssue 2: theoretical vs. practical availability of an underlying AAA run -- e.g. likelihood of UAM vs. 802.1X authentication -- though maybe not an issue if you are doing fast movements (?)

11 Options for SA establishment 2/2 zKey derivation as side effect of network access AAA cont’d yIssue 3: inter-admin handovers -- e.g. from my home AR to the city AR, no roaming may be involved if I just have two credentials zSEND-like solution? yOne-sided certificates for routers (SEND RS/RA part) -- used in CARD yIssue: certificate revokation checks? yAddress ownership (IPR may apply) -- used in draft-kempf- mobopts-handover-key-00.txt zA single mechanism vs. allowing multiple?

12 Framework - Fundamentals zSource of trust -- pairwise config vs. trusted 3rd party (CA or AAA) vs. intrinsic proofs such as address ownership zDeployment -- need per mobile node configuration or not? zAuthorization -- what can you do with the AR?

13 Framework - Protocol Design Issues zReuse -- independent vs. reuse of security for another purpose zLayering -- interaction with a lower layer vs. independent yUsing a branch of EAP AMSK vs. rerunning EAP zSeparation of SA establishment and use -- but what about authorization? zType of an SA? yLikely “application” specific yBut ability to use MIPv6 BAD would often be useful zEfficiency -- look at the # messages and timing of the whole flow

14 Tentative Proposal zRely on router certificates whenever possible yExample: CARD, SEND yManufacturing and configuring MNs is easy yWorked well for the web yApplicable when no trust for the MN is needed zUse “application specific” security for MN if really needed yExample: draft-kempf-handover-key-00.txt yMay not need any configuration! zSeparate certs/ownership vs. use of this yBetter separation than assuming a kmgmt protocol that provides a shared secret

Download ppt "Security Association Establishment for Handover Protocols Jari Arkko Ericsson Research NomadicLab."

Similar presentations

802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.

802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.
Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.

Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.
Doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.

Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Fast and Secure Universal Roaming Service for Mobile Internet Yeali S. Sun, Yu-Chun Pan, Meng-Chang Chen.

Fast and Secure Universal Roaming Service for Mobile Internet Yeali S. Sun, Yu-Chun Pan, Meng-Chang Chen.
1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.

1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.
AAA Mobile IPv6 Application Framework draft-yegin-mip6-aaa-fwk-00.txt Alper Yegin IETF 61 – 12 Nov 2004.

AAA Mobile IPv6 Application Framework draft-yegin-mip6-aaa-fwk-00.txt Alper Yegin IETF 61 – 12 Nov 2004.
1 DHCP-based Fast Handover protocol NTT Network service systems laboratories 2005. 3. 10 Takeshi Ogawa draft-ogawa-fhopt-00.txt 62nd IETF - Minneapolis.

1 DHCP-based Fast Handover protocol NTT Network service systems laboratories Takeshi Ogawa draft-ogawa-fhopt-00.txt 62nd IETF - Minneapolis.
Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.

Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.
1 Role of Authorization in Wireless Network Security Pasi Eronen Jari Arkko November 3, 2004 This document has been produced partially in the context of.

1 Role of Authorization in Wireless Network Security Pasi Eronen Jari Arkko November 3, 2004 This document has been produced partially in the context of.
Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.

Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.
1 Arkko et al, DIMACS Workshop Nov ‘04 Secure and Efficient Network Access DIMACS Workshop, November 3 rd, 2004, Piscataway, NJ, USA Jari Arkko Ericsson.

1 Arkko et al, DIMACS Workshop Nov ‘04 Secure and Efficient Network Access DIMACS Workshop, November 3 rd, 2004, Piscataway, NJ, USA Jari Arkko Ericsson.
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16, 2003 1300 - 1500.

July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,
21-07-xxxx-00-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0463-00-0000 Title: MIH Protocol Security Date Submitted: December, 2007 Presented.

21-07-xxxx IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: MIH Protocol Security Date Submitted: December, 2007 Presented.
Media-Independent Pre-Authentication (draft-ohba-mobopts-mpa-framework-01.txt) (draft-ohba-mobopts-mpa-implementation-01.txt) Ashutosh Dutta, Telcordia.

Media-Independent Pre-Authentication (draft-ohba-mobopts-mpa-framework-01.txt) (draft-ohba-mobopts-mpa-implementation-01.txt) Ashutosh Dutta, Telcordia.
I-D: draft-rahman-mipshop-mih-transport-01.txt Transport of Media Independent Handover Messages Over IP 67 th IETF Annual Meeting MIPSHOP Working Group.

I-D: draft-rahman-mipshop-mih-transport-01.txt Transport of Media Independent Handover Messages Over IP 67 th IETF Annual Meeting MIPSHOP Working Group.
November 200461st IETF MIP6 WG Mobile IPv6 Bootstrapping Architecture using DHCP draft-ohba-mip6-boot-arch-dhcp-00 Yoshihiro Ohba, Rafael Marin Lopez,

November st IETF MIP6 WG Mobile IPv6 Bootstrapping Architecture using DHCP draft-ohba-mip6-boot-arch-dhcp-00 Yoshihiro Ohba, Rafael Marin Lopez,
1 EAP Usage Issues Feb 05 Jari Arkko. 2 Typical EAP Usage PPP authentication Wireless LAN authentication –802.1x and 802.11i IKEv2 EAP authentication.

1 EAP Usage Issues Feb 05 Jari Arkko. 2 Typical EAP Usage PPP authentication Wireless LAN authentication –802.1x and i IKEv2 EAP authentication.
21-07-0387-00-00011 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0387-00-0001 Title: Problem Statement for Authentication Signaling Optimization Date.

IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: Problem Statement for Authentication Signaling Optimization Date.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Similar presentations

Ads by Google