Pre-authentication Problem Statement (draft-ohba-hokeyp-preauth-ps-00.txt)


Pre-authentication Problem Statement (draft-ohba-hokeyp-preauth-ps-00.txt)
Yoshihiro Ohba (yohba@tari.toshiba.com), Ashutosh Dutta (adutta@research.telcordia.com), Srinivas Sreemanthula (Srinivas.Sreemanthula@nokia.com), Alper Yegin (alper01.yegin@partner.samsung.com)
Jul 13, 2006, IETF66 HOAKEY BOF

What is pre-authentication
- Pre-authentication is network access authentication performed by running EAP with a target authenticator via the serving network.
- Pre-authentication was originally defined in IEEE 802.11i, where its usage is intra-ESS transitions.
- We are extending the notion of pre-authentication to work across multiple ESSs and even across multiple access technologies.

Expected Improvement with Pre-authentication
[Timeline figure] Without pre-authentication: the L2 handoff is followed by network access authentication and authorization, and packets may be lost or interface activation delayed during this period. With pre-authentication: network access authentication and authorization are completed before the L2 handoff, so that delay no longer follows the handoff.

Scenario 1: Direct Pre-authentication
[Figure: mobile host in the serving network, Target Authenticator (TA) in the target network, home AAA server in the home network, connected over the Internet]
- MN-TA signaling: EAP over L2 (for intra-technology, intra-subnet pre-authentication), EAP over L3 (for other cases)
- TA to home AAA server: EAP over AAA
- Generate the MSK with the target authenticator (authenticator-2) by executing EAP through it.

Scenario 2: Indirect Pre-authentication
[Figure: mobile host and Serving Authenticator (SA) in the serving network, Target Authenticator (TA) in the target network, home AAA server in the home network, connected over the Internet]
- MN-SA signaling: EAP over L2/L3
- SA-TA signaling: EAP over L3
- TA to home AAA server: EAP over AAA
- Generate the MSK with the target authenticator (authenticator-2) by executing EAP through it.

Basic pre-auth AAA requirements
Requirements identified in the IETF65 HOAKEY BOF:
- AAA needs to know that this is a pre-authentication, not a normal authentication
  - The user may only be allowed to have a single logon at the same time
  - The user may not be allowed pre-authentication
  - Can the pre-auth session timeout attribute (see below) serve as the indication of pre-auth, or is some other attribute needed?
- AAA needs to know how long to hold the session before timing out
  - The session timeout for pre-auth may be different from that of a normal session
  - If the mobile moves after the timeout, then do a normal authentication
  - Addressed in draft-aboba-radext-wlan-03.txt
- What would signal that the host has successfully connected to a target network?
  - Another round of (non-blocking) Access-Request/Access-Accept?
  - Or do we rely on accounting messages? If the latter, then they must be mandated for the pre-auth case

Other potential pre-auth AAA requirements/issues (presented to the RADEXT WG)
- Extending the pre-auth session lifetime
- Reverting to the pre-auth state from the fully authorized state (related to key caching)
- Maximum number of pre-auth sessions for different authenticators
- Information on the serving network
  - Calling-Station-Id
- Network-initiated pre-authentication
Detailed issues are available at: http://www.opendiameter.org/docs/ietf66-radext-preauth-aaa-reqs.ppt
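The two signaling scenarios and the AAA-side requirements above, worked as an added example (this is not code from the draft, from its authors, or from any RADIUS/Diameter implementation): a toy home AAA server that takes an explicit pre-auth indication, holds pre-auth sessions under a separate, shorter timeout, enforces a per-user "no pre-authentication" policy and a single-logon policy that pre-auth sessions do not count against, caps the number of pre-auth sessions per user, and treats a later "attached" signal as the promotion of a pre-auth session to a full one (falling back to normal authentication if the pre-auth session has already timed out). The direct and indirect paths differ only in the hops before the authenticator runs EAP over AAA. The timeout values, the toy MSK derivation and the user/authenticator names are assumptions for illustration.

```python
# Added example, not from the draft or any AAA implementation. Timeouts, the
# toy MSK derivation and all user/authenticator names are assumptions.
import hashlib
import hmac
from dataclasses import dataclass

PREAUTH_TIMEOUT = 60.0    # assumed: a pre-auth session is held only briefly
NORMAL_TIMEOUT = 3600.0   # assumed: lifetime of a normal (attached) session


@dataclass
class Session:
    user: str
    authenticator: str
    preauth: bool
    msk: bytes
    expires_at: float


class HomeAAA:
    """Toy home AAA server: authenticates the peer, one session per (user, authenticator)."""

    def __init__(self, users, max_preauth=2, single_logon=True):
        self.users = users          # user -> (password, pre-authentication allowed?)
        self.max_preauth = max_preauth
        self.single_logon = single_logon
        self.sessions = {}          # (user, authenticator) -> Session

    def _purge(self, now):
        for key, s in list(self.sessions.items()):
            if s.expires_at <= now:
                del self.sessions[key]

    def access_request(self, user, password, authenticator, preauth, now):
        """Access-Request from an authenticator; 'preauth' is the explicit indication the slide asks for."""
        self._purge(now)
        known = self.users.get(user)
        if known is None or not hmac.compare_digest(known[0], password):
            return {"code": "Access-Reject", "reason": "bad credentials"}
        mine = [s for s in self.sessions.values() if s.user == user]
        if preauth:
            if not known[1]:
                return {"code": "Access-Reject", "reason": "pre-authentication not permitted"}
            if sum(1 for s in mine if s.preauth) >= self.max_preauth:
                return {"code": "Access-Reject", "reason": "too many pre-auth sessions"}
        elif self.single_logon and any(not s.preauth for s in mine):
            # Only attached sessions count as a logon; pre-auth sessions do not.
            return {"code": "Access-Reject", "reason": "already logged on"}
        # Toy MSK bound to user and authenticator; a real EAP method derives its own MSK.
        msk = hmac.new(password.encode(), f"{user}|{authenticator}".encode(), hashlib.sha256).digest()
        timeout = PREAUTH_TIMEOUT if preauth else NORMAL_TIMEOUT
        self.sessions[(user, authenticator)] = Session(user, authenticator, preauth, msk, now + timeout)
        return {"code": "Access-Accept", "Session-Timeout": timeout, "msk": msk}

    def attached(self, user, authenticator, now):
        """Signal that the host connected to the target: promote its pre-auth session to a full one."""
        self._purge(now)
        s = self.sessions.get((user, authenticator))
        if s is None or not s.preauth:
            return False  # pre-auth session timed out (or never existed): do a normal authentication
        if self.single_logon:  # the handover ends the old logon at the serving authenticator
            for key, other in list(self.sessions.items()):
                if other.user == user and not other.preauth:
                    del self.sessions[key]
        s.preauth = False
        s.expires_at = now + NORMAL_TIMEOUT
        return True


def direct_preauth(aaa, user, password, ta, now):
    """Scenario 1: MN runs EAP with the target authenticator directly (EAP over L2 or L3)."""
    path = [f"MN -> {ta}: EAP over L2/L3", f"{ta} -> home AAA: EAP over AAA"]
    return path, aaa.access_request(user, password, ta, True, now)


def indirect_preauth(aaa, user, password, sa, ta, now):
    """Scenario 2: MN runs EAP via the serving authenticator, which relays it to the target."""
    path = [f"MN -> {sa}: EAP over L2/L3", f"{sa} -> {ta}: SA-TA signaling",
            f"{ta} -> home AAA: EAP over AAA"]
    return path, aaa.access_request(user, password, ta, True, now)


def demo():
    """Constructed scenario: alice is attached at SA and pre-authenticates to TA1 and TA2."""
    aaa = HomeAAA({"alice": ("s3cret", True), "bob": ("pw", False)})
    r = {}
    r["normal"] = aaa.access_request("alice", "s3cret", "SA", False, now=0.0)
    r["second_logon"] = aaa.access_request("alice", "s3cret", "SA2", False, now=0.5)
    r["path1"], r["direct"] = direct_preauth(aaa, "alice", "s3cret", "TA1", now=1.0)
    r["path2"], r["indirect"] = indirect_preauth(aaa, "alice", "s3cret", "SA", "TA2", now=2.0)
    r["third_preauth"] = aaa.access_request("alice", "s3cret", "TA3", True, now=3.0)
    r["bob"] = aaa.access_request("bob", "pw", "TA1", True, now=3.0)
    r["moved_in_time"] = aaa.attached("alice", "TA2", now=10.0)          # before the pre-auth timeout
    r["moved_late"] = aaa.attached("alice", "TA1", now=1.0 + PREAUTH_TIMEOUT + 1.0)  # after it
    r["remaining"] = sorted(aaa.sessions)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The "attached" signal is modelled as a separate call because the slide leaves open whether it should be a second non-blocking Access-Request or an accounting message; either way the AAA server needs it to know when to stop treating the session as tentative and, under a single-logon policy, when the old logon at the serving authenticator ends.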

Scope of the pre-authentication work
"This group will work on pre-authentication signaling requirements including MN-TA signaling, MN-SA signaling and SA-TA signaling and new or existing attributes of AAA protocols" (from the HOKEYP charter, http://www.opendiameter.org/pipermail/hokeyp/2006-May/000142.html)
Possible work separation:
- AAA signaling: RADEXT and DIME WGs
- MN-TA and MN-SA signaling: PANA WG (for L3), L2 SDO (for L2)
- SA-TA signaling: new IETF WG

Deliverables
- Pre-authentication problem statement draft (Informational): intended for the detailed problem definition and usage scenarios for pre-authentication. [draft-ohba-hokeyp-preauth-ps-00.txt will be used as the baseline.]
- Pre-authentication protocol requirements draft (Informational): requirements for new protocols, or for new options/attributes of existing protocols, that enable a target authenticator to authenticate a peer attached to the serving network using EAP. The requirements cover both pre-authentication protocols and AAA protocols.
- Following completion of the requirements definitions for a pre-authentication procedure, the group will continue with developing a solution for some portion of the pre-authentication signaling, if it is identified that the solution needs to be defined in this group.

High-Level Requirements on pre-authentication
- Inter-technology pre-authentication MUST be supported.
- Inter-subnet pre-authentication MUST be supported.
- Inter-administrative-domain pre-authentication MUST be supported.
- Direct pre-authentication MUST be supported.
- Indirect pre-authentication MUST be supported.
- Pre-authentication MUST work with both RADIUS and Diameter.