IPsec-based MIP6 Security. Source: Qualcomm Inc., Starent Inc. (3GPP2 contribution; slide transcript below)


1 IPsec-based MIP6 Security
Qualcomm Inc., Starent Inc.
Notice: Contributors grant a free, irrevocable license to 3GPP2 and its Organization Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in the Organizational Partner's name any Organizational Partner's standards publication even though it may include portions of the contribution; and at the Organization Partner's sole discretion to permit others to reproduce in whole or in part such contributions or the resulting Organizational Partner's standards publication. Contributors are also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for the purpose of practicing an Organizational Partner's standard which incorporates this contribution. This document has been prepared by the contributors to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on the contributors. The contributors specifically reserve the right to amend or modify the material contained herein, and nothing herein shall be construed as conferring or offering licenses or rights with respect to any intellectual property of the contributors other than as provided in the copyright statement above.

2 Goals
- Protect MIP6 signaling
- Integrity-protect BU/BA (Binding Update / Binding Acknowledgement)
- Optional encryption for route optimization support
- Minimize the number of messages exchanged

3 Option 1 (Manual IPsec Keying)
Call flow (reconstructed from the slide's diagram). Entities: MN, HA1, AAA, HA2. The IPsec SA is pre-configured at the MN and at the AAA server.
MIP6 Session Initialization:
- MN -> HA1: Binding Update (protected with IPsec)
- HA1 -> AAA: AAA (Get IPsec SA)
- AAA -> HA1: AAA (IPsec SA)
- HA1 -> MN: Binding Acknowledgement (protected with IPsec)
Handoff Operation:
- MN -> HA1: Binding Update (protected with IPsec)
- HA1 -> MN: Binding Acknowledgement (protected with IPsec)
Failure Recovery Operation (HA2 allocated):
- MN -> HA2: Binding Update (protected with IPsec)
- HA2 -> AAA: AAA (Get IPsec SA)
- AAA -> HA2: AAA (IPsec SA)
- HA2 -> MN: Binding Acknowledgement (protected with IPsec)

4 Option 1 (Manual IPsec Keying)
- Set up manual keying parameters at the MN and the AAA server: keys, SPI and algorithms need to be configured.
- When the MN sends the first BU, the HA retrieves the IPsec SA from the AAA server; BU/BA are protected with IPsec.
- Subsequent BUs (after the first one) don't need any AAA interaction.
- This option needs zero key-management-related messaging.
- The IPsec SA is not unique to the {MN,HA} pair: every HA that can fetch it from the AAA holds the same key and can therefore verify, and forge, BUs and BAs for that MN toward any other HA. If the HAs are well trusted and belong to the same operator, this may be acceptable, but it could be an issue if the HA is dynamically assigned in a visited operator.
- This option requires additional configuration (the IPsec SA itself) at the MN and the AAA server.

5 Option 2 (Optimized IKEv2-based Operation for Dynamic IPsec Keying)
Call flow (reconstructed from the slide's diagram). Entities: MN, HA1, HA3, AAA, HA2. Only the MN-AAA key is configured at the MN and at the AAA server.
First Time Power-up Operation:
- MN <-> HA3: IKEv2 and IPsec SAs setup (IKEv2/EAP, authenticated with the MN-AAA key through the AAA)
- HA3 -> AAA: AAA (IKE & IPsec SAs for MN)
- AAA -> HA3: AAA (Ack)
- IKE & IPsec SAs stored in non-volatile memory at the MN and at the AAA
MIP6 Session Initialization:
- MN -> HA1: Binding Update (protected with IPsec)
- HA1 -> AAA: AAA (Get IPsec SA)
- AAA -> HA1: AAA (IPsec SA)
- HA1 -> MN: Binding Acknowledgement (protected with IPsec)
Handoff Operation:
- MN -> HA1: Binding Update (protected with IPsec)
- HA1 -> MN: Binding Acknowledgement (protected with IPsec)
Failure Recovery Operation (HA2 allocated):
- MN -> HA2: Binding Update (protected with IPsec)
- HA2 -> AAA: AAA (Get IPsec SA)
- AAA -> HA2: AAA (IPsec SA)
- HA2 -> MN: Binding Acknowledgement (protected with IPsec)

6 Option 2 (Optimized IKEv2-based Operation for Dynamic IPsec Keying)
- Set up both the IKE SA and the IPsec SA with HA3 at the time of the first power-up operation.
  - The IKE and IPsec SAs can be set up via IKEv2/EAP. This is done when the MN powers up for the very first time and can be refreshed at an appropriate time (e.g., once per day).
  - The IKE and IPsec SAs are then uploaded to the AAA server by HA3 using the HA-AAA interface.
- Both IKE and IPsec SAs are stored in non-volatile memory at the MN and at the AAA, avoiding the need to run IKEv2 again (e.g., at failure recovery time). Reusing a stored SA across a reboot also requires preserving its anti-replay state (the IPsec sequence number and the MIP6 BU sequence number); otherwise previously captured BUs could be replayed to a freshly allocated HA.
- Only the MN-AAA key needs to be configured at the AAA server and the MN.
- If the MN wants to initiate a MIP6 session and obtains a dynamic HA (e.g., HA1), the MN can use the same IPsec SA (established during power-up with HA3) to protect the BU sent to HA1.
  - No need for a full IKEv2/EAP exchange between the MN and HA1, because HA1 fetches the IPsec SA from the AAA.
  - Subsequent BUs (after the first one) don't need this AAA interaction.
- The IPsec SA is not unique to the {MN,HA} pair. If the HAs are well trusted and belong to the same operator, this may be okay.
- This is optimal for home domain operation (i.e., when the HA is in the home domain).
- The handoff and failure recovery operations are similar to Option 1.
  - The failure/recovery case shown is a system failure that causes the MN to bootstrap again upon recovery, e.g., from HA1 to HA2. Again, no need for a full IKEv2/EAP exchange between the MN and HA2, because HA2 fetches the IPsec SA from the AAA.
  - Failure/recovery of HAs can also be handled by hot-standby methods.

7 Option 2a (Optimized IKEv2-based Operation for HA in Visited Domain)
Call flow (reconstructed from the slide's diagram). Entities: MN, HA1, HA3, AAA, HA2. Only the MN-AAA key is configured at the MN and at the AAA server. The per-HA exchange with HA3 is labelled IKE_SA_INIT in the original figure; IKE_SA_INIT alone cannot produce a child SA, and the text on the next slide describes a create-child-SA exchange, so it is shown here as CREATE_CHILD_SA under the existing MN-HA3 IKE SA.
First Time Power-up Operation:
- MN <-> HA3: IKEv2 and IPsec SAs setup (IKEv2/EAP, authenticated with the MN-AAA key through the AAA)
- HA3 -> AAA: AAA (IKE & IPsec SAs for MN-HA3)
- AAA -> HA3: AAA (Ack)
- IKE & IPsec SAs stored in NV memory at the MN and at the AAA
MIP6 Session Initialization (HA1 allocated in the visited domain):
- MN -> HA3: CREATE_CHILD_SA Request (IPsec SA for MN-HA1)
- HA3 -> MN: CREATE_CHILD_SA Response (IPsec SA for MN-HA1)
- HA3 -> AAA: AAA (IPsec SA for MN-HA1)
- AAA -> HA3: AAA (Ack)
- MN -> HA1: Binding Update (protected with IPsec)
- HA1 -> AAA: AAA (Get IPsec SA for MN-HA1)
- AAA -> HA1: AAA (IPsec SA for MN-HA1)
- HA1 -> MN: Binding Acknowledgement (protected with IPsec)
Handoff Operation:
- MN -> HA1: Binding Update (protected with IPsec)
- HA1 -> MN: Binding Acknowledgement (protected with IPsec)
Failure Recovery Operation (HA2 allocated):
- MN -> HA3: CREATE_CHILD_SA Request (IPsec SA for MN-HA2)
- HA3 -> MN: CREATE_CHILD_SA Response (IPsec SA for MN-HA2)
- HA3 -> AAA: AAA (IPsec SA for MN-HA2)
- AAA -> HA3: AAA (Ack)
- MN -> HA2: Binding Update (protected with IPsec)
- HA2 -> AAA: AAA (Get IPsec SA for MN-HA2)
- AAA -> HA2: AAA (IPsec SA for MN-HA2)
- HA2 -> MN: Binding Acknowledgement (protected with IPsec)

8 Option 2a (Optimized IKEv2-based Operation for HA in Visited Domain)
- Set up both the IKE SA and the IPsec SA with HA3 (in the MN's home domain) at the time of the first power-up operation (same as Option 2).
- If the MN wants to initiate a MIP6 session and obtains a dynamic HA (e.g., HA1) in the visited domain, the MN establishes a new IPsec SA with HA3, which uploads that SA to the home AAA server. This requires only a single round trip: one CREATE_CHILD_SA request/response under the MN-HA3 IKE SA.
  - The MN uses this IPsec SA to protect the BU sent to HA1.
  - No need for a full IKEv2/EAP exchange between the MN and HA1, because HA1 fetches the IPsec SA from the home AAA.
  - Subsequent BUs (after the first one) don't need this AAA interaction.
- The IPsec SA is unique to the {MN,HA} pair: a visited HA only ever receives the SA created for it, so it cannot verify or forge signaling for the same MN toward another HA.
- Optimal when a visited domain allocates the HA to the MN.
- The failure/recovery case shown is a system failure that causes the MN to bootstrap again upon recovery, e.g., from HA1 to HA2.
  - If a different HA is assigned upon failure recovery, the MN establishes a new IPsec SA with HA3, which uploads the SA to the home AAA server. Again this requires only a single round trip of the CREATE_CHILD_SA exchange.
  - Again, no need for a full IKEv2/EAP exchange between the MN and HA2, because HA2 fetches the IPsec SA from the AAA.
  - Failure/recovery of HAs can also be handled by hot-standby methods.
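The difference between the shared SA of Options 1 and 2 (slides 4 and 6) and the per-{MN,HA} SA of Option 2a (slide 8) is easiest to see in code. The following is an added example, not part of the 3GPP2 contribution or any 3GPP2 or Qualcomm code: a toy model in which an AAA store hands SAs to HAs, Binding Updates carry an AH/ESP-style SPI, sequence number and ICV, and Option 2a child-SA keys are derived the way a CREATE_CHILD_SA exchange derives them (RFC 7296 prf+ over SK_d and fresh nonces). Assumptions not stated on the slides: HMAC-SHA1-96 as the integrity algorithm, HMAC-SHA256 as the IKEv2 prf, a strictly increasing sequence number as the anti-replay check, and one key for one direction only; every key, nonce, SPI, NAI and address below is a constructed test value.

```python
"""Toy model of AAA-distributed IPsec SAs for MIP6 Binding Updates (added example)."""
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96 truncation (RFC 2404); assumed, not specified by the slides


def protect(sa: dict, bu: bytes, seq: int) -> bytes:
    """Integrity-protect a Binding Update as SPI | SEQ | BU | ICV (AH/ESP style)."""
    hdr = struct.pack("!II", sa["spi"], seq)
    icv = hmac.new(sa["key"], hdr + bu, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + bu + icv


def verify(sa: dict, msg: bytes, last_seq: int):
    """Return (seq, bu) if msg verifies under sa and is not a replay, else None."""
    spi, seq = struct.unpack("!II", msg[:8])
    if spi != sa["spi"] or seq <= last_seq:  # wrong SA, or replayed/old sequence number
        return None
    expected = hmac.new(sa["key"], msg[:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, msg[-ICV_LEN:]):
        return None
    return seq, msg[8:-ICV_LEN]


def prf_plus(k: bytes, s: bytes, n: int) -> bytes:
    """prf+ of RFC 7296 section 2.13: T1 = prf(K, S|0x01), Ti = prf(K, T(i-1)|S|i)."""
    out, t, i = b"", b"", 1
    while len(out) < n:
        t = hmac.new(k, t + s + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:n]


def create_child_sa(sk_d: bytes, ni: bytes, nr: bytes, spi: int) -> dict:
    """Child SA keys as in CREATE_CHILD_SA without PFS (RFC 7296 2.17):
    KEYMAT = prf+(SK_d, Ni | Nr). Only one 20-byte HMAC-SHA1 key, one direction, is kept."""
    return {"spi": spi, "key": prf_plus(sk_d, ni + nr, 20)}


class AAA:
    """Home AAA holding the SAs uploaded by the bootstrapping HA (HA3)."""

    def __init__(self):
        self.store = {}

    def upload(self, nai, ha, sa):
        self.store[(nai, ha)] = sa  # ha=None models the Option 1/2 SA shared by all HAs

    def fetch(self, nai, ha):
        return self.store.get((nai, ha)) or self.store.get((nai, None))


SK_D = b"\x11" * 32  # constructed: SK_d of the IKE SA from the IKEv2/EAP run with HA3
NAI = "mn@home.example"  # constructed MN identity
BU = b"BU hoa=2001:db8::1 coa=2001:db8:a::1"
FORGED_BU = b"BU hoa=2001:db8::1 coa=2001:db8:bad::1"


def option2_shared_sa():
    """Options 1/2: one SA per MN. HA1 accepts the MN's BU, but HA2, holding the same SA
    from the AAA, can forge a BU that HA1 also accepts. Replays are still rejected."""
    aaa = AAA()
    sa = create_child_sa(SK_D, b"\x01" * 16, b"\x02" * 16, spi=0x1001)
    aaa.upload(NAI, None, sa)  # HA3 -> AAA after first power-up
    ha1_sa = aaa.fetch(NAI, "HA1")  # HA1 fetches on the first BU
    mn_bu = protect(sa, BU, 1)
    mn_bu_ok = verify(ha1_sa, mn_bu, 0) is not None
    ha2_sa = aaa.fetch(NAI, "HA2")  # e.g. HA2 allocated at failure recovery
    forged_ok = verify(ha1_sa, protect(ha2_sa, FORGED_BU, 2), 1) is not None
    replay_ok = verify(ha1_sa, mn_bu, 1) is not None
    return mn_bu_ok, forged_ok, replay_ok


def option2a_per_ha_sa():
    """Option 2a: one CREATE_CHILD_SA with HA3 per assigned HA, fresh nonces each time,
    uploaded under {MN, HA}. HA2's key does not verify toward HA1, even with HA1's SPI."""
    aaa = AAA()
    sa_ha1 = create_child_sa(SK_D, b"\x01" * 16, b"\x02" * 16, spi=0x2001)
    aaa.upload(NAI, "HA1", sa_ha1)
    sa_ha2 = create_child_sa(SK_D, b"\x03" * 16, b"\x04" * 16, spi=0x2002)  # HA2 allocated
    aaa.upload(NAI, "HA2", sa_ha2)
    ha1_sa, ha2_sa = aaa.fetch(NAI, "HA1"), aaa.fetch(NAI, "HA2")
    mn_bu_ok = verify(ha1_sa, protect(sa_ha1, BU, 1), 0) is not None
    rogue = {"spi": ha1_sa["spi"], "key": ha2_sa["key"]}  # HA2 spoofing HA1's SPI
    forged_ok = verify(ha1_sa, protect(rogue, FORGED_BU, 2), 1) is not None
    recovery_ok = verify(ha2_sa, protect(sa_ha2, BU, 1), 0) is not None
    return mn_bu_ok, forged_ok, recovery_ok


if __name__ == "__main__":
    print("Option 1/2 (mn_bu_ok, forged_ok, replay_ok):", option2_shared_sa())
    print("Option 2a (mn_bu_ok, forged_ok, recovery_ok):", option2a_per_ha_sa())
```

The two scenario functions return the acceptance decisions of the verifying HA, so the contrast the slides draw is a pair of booleans: with the shared SA a second HA can produce a BU that HA1 accepts, with the per-pair SA it cannot, while the MN's own BU and the post-recovery BU to HA2 still verify in both models.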

9 Additional Points
- The IP address of the HA that bootstraps the IKE SA and IPsec SA can be given to the MN via DHCPv6.
- 3GPP2 vendor-specific AAA attributes can be defined to distribute the IPsec SA:
  - attributes needed for the security-bootstrapping HA (in the home domain) to upload the SAs to the home AAA server;
  - attributes needed for the dynamically-assigned HA (in the visited or home domain) to fetch the SAs from the home AAA server.
- This proposal can co-exist with the regular MIP6 security mechanism of always performing IKEv2 with the assigned HA. But how the MN knows which mechanism to use (e.g., in roaming scenarios) needs further study.

10 Conclusion & Recommendation
Conclusion: Option 2 provides all the features with the maximum flexibility.
- Avoids any additional configuration.
- Zero re-keying messages needed for home domain operation.
- Two messages (a single round trip) needed for visited domain operation.
- Two messages (a single round trip) needed for failure/recovery operation.
Recommendation: Use Option 2 when the HA is in the home network and Option 2a when the HA is in the visited network.