21-07-0301-01-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER Title: An Architecture for Security Optimization During Handovers Date Submitted: September,

IEEE MEDIA INDEPENDENT HANDOVER
Title: An Architecture for Security Optimization During Handovers
Date Submitted: September, 2007
Presented at IEEE session #22, Hawaii
Authors or Source(s): Subir Das (Telcordia), Marc Meylemans (Intel), Shubhranshu Singh (Samsung), Ajay Rajkumar (Alcatel-Lucent)
Abstract: This document describes some architectural observations and recommendations and highlights some issues for the Security Study Group.

IEEE presentation release statements
This document has been prepared to assist the IEEE Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE.
The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual and in Understanding Patent Issues During IEEE Standards Development: http://standards.ieee.org/guides/opman/sect6.html#6.3

Usage scenario 1
Example: A mobile device can make a transition between two different networks within the same administrative domain
- Transition between two different subnets based on the same media, e.g.
- Transition between two different subnets based on different media, e.g. and
[Figure: MN; Authenticator1 (Subnet 1) and Authenticator2 (Subnet 2), each WiFi, WiMAX and/or Cellular; a shared AAA/EAP server; Single Administrative Domain*]
* An administrative domain is a logical network that is administered by a single authority using its own authentication and authorization mechanisms.

Usage scenario 2
Example: A mobile device can make a transition between two networks deployed by different administrative domains
- Transition between two administrative domains based on the same media, e.g.
- Transition between two administrative domains based on different media, e.g. and
[Figure: MN; Authenticator1 with its own AAA/EAP server (Domain1) and Authenticator2 with its own AAA/EAP server (Domain2), each WiFi, WiMAX and/or Cellular; Multiple Administrative Domains]

Architectural Observations
- Key hierarchy based transition for intra-domain and intra-technology handover seems to have its own authentication model per technology. For example, , WiMAX
- From perspective, the desired goal may be to have one authentication model that spans across multiple technologies. However, it would be VERY DIFFICULT to define such a unified authentication model across multiple technologies.
- Key hierarchy based transition for inter-domain and inter-technology handover, as defined by the IETF HOKEY WG, may achieve a similar goal as desired by . However, can we assume that the EAP-based key hierarchy is always available across multiple providers' domains?
- Authentication based transition (pre-authentication) may also achieve the same goal as desired by .
- Recommendation to the Security Study Group:
  First, focus on native authentication based transition.
  Second, evaluate the applicability of key hierarchy based transition as defined in the HOKEY WG.

Functional Elements of Authentication Based Transition
- MN (Mobile Node): in addition to the functionalities defined in the specification, the MN has the following functionality: EAP Peer
- PoA (Point of Attachment): in addition to the functionalities defined in the specification, the PoA has the following functionality: EAP Authenticator; Pre-authentication Forwarding for indirect pre-authentication; PoA acts as MIH PoS
- On the other hand, the SG should also consider the cases where EAP based authentication is not used

Functional Element Mapping to the Communication Model
[Figure: MIH MN linked to the Serving PoA (MIH PoS), the Candidate PoA (MIH PoS) and Non-PoA Network Entities (MIH PoS and Non-PoS MIH) over reference points R1, R2, R3, R4 and R5]
Only R1, R2 and R5 are involved in authentication based transition.

Pre-authentication Signaling Flows
[Figure, two panels: MIH MN, Serving PoA (MIH PoS), Candidate PoA (MIH PoS) and Home AAA Server; reference points R1 (MN to Serving PoA), R2 (MN to Candidate PoA) and R5 (Serving PoA to Candidate PoA)]
- Direct Pre-authentication: MN-CA signaling (via the serving network) carries EAP over L2 or higher layers (HL); the candidate side carries EAP over AAA to the Home AAA Server
- Indirect Pre-authentication: MN-SA signaling carries EAP over L2/HL, SA-CA signaling carries EAP over L2/HL, and the candidate side carries EAP over AAA to the Home AAA Server
SA = Serving Access Network; CA = Candidate Access Network
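As an added illustration of the two flows above and of the functional elements slide (a toy model written for this page, not the proposal's protocol or any IEEE/IETF code): the MN acts as EAP peer, each PoA as an EAP authenticator that relays to the Home AAA Server ("EAP over AAA"), and in the indirect flow the serving PoA only forwards the exchange to the candidate PoA, so the candidate holds a key before the MN attaches while the serving PoA holds none. The HMAC challenge/response, key derivation, identities and secrets are constructed stand-ins for a real EAP method.

```python
import hashlib
import hmac
import os


class HomeAAAServer:
    def __init__(self, credentials):
        self.credentials = credentials  # identity -> shared secret (constructed)

    def challenge(self):
        return os.urandom(16)

    def verify(self, identity, nonce, response):
        secret = self.credentials.get(identity)
        if secret is None:
            return None
        expected = hmac.new(secret, b"resp" + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        # On success the key is released only to the authenticator that ran EAP.
        return hmac.new(secret, b"msk" + nonce, hashlib.sha256).digest()


class MobileNode:
    """EAP peer: answers the challenge and derives the same key locally."""
    def __init__(self, identity, secret):
        self.identity, self.secret, self.msk = identity, secret, None

    def respond(self, nonce):
        self.msk = hmac.new(self.secret, b"msk" + nonce, hashlib.sha256).digest()
        return hmac.new(self.secret, b"resp" + nonce, hashlib.sha256).digest()


class PoA:
    """EAP authenticator (MIH PoS); keys it holds are ready when the MN attaches."""
    def __init__(self, aaa):
        self.aaa, self.keys = aaa, {}

    def run_eap(self, mn):
        # Direct pre-authentication: MN-CA signaling ends here, EAP over AAA behind it.
        nonce = self.aaa.challenge()
        msk = self.aaa.verify(mn.identity, nonce, mn.respond(nonce))
        if msk is not None:
            self.keys[mn.identity] = msk
        return msk is not None

    def forward(self, candidate, mn):
        # Indirect pre-authentication: the serving PoA relays over SA-CA, keeps no key.
        return candidate.run_eap(mn)
```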

Some Issues?
- Which higher layer protocol can we use for EAP? IETF defined L3 protocol or MIH protocol?
- Do we need to support both direct and indirect pre-authentication?
- Authenticator discovery and context binding issues?
- ...