Presentation is loading. Please wait.

Presentation is loading. Please wait.

Pre-authentication Problem Statement (draft-ohba-hokeyp-preauth-ps-00

Published byMarvin Cook Modified over 6 years ago

Similar presentations

Presentation on theme: "Pre-authentication Problem Statement (draft-ohba-hokeyp-preauth-ps-00"— Presentation transcript:

1 Pre-authentication Problem Statement (draft-ohba-hokeyp-preauth-ps-00
Pre-authentication Problem Statement (draft-ohba-hokeyp-preauth-ps-00.txt) Yoshihiro Ohba Ashutosh Dutta Srinivas Sreemanthula Alper Yegin Jul 13, 2006 IETF66 HOAKEY BOF

2 What is pre-authentication
Pre-authentication is network access authentication by performing EAP authentication with a target authenticator via the serving network Pre-authentication was originally defined in IEEE i where the usage is intra-ESS transitions We are extending the notion of pre-authentication to work across multiple ESS’s and even across multiple access technologies

3 Expected Improvement with Pre-authentication
Network access Authentication and Authorization L2 Handoff Without Pre-authentication Time With Pre-authentication Time Network access Authentication and Authorization with Pre-authentication Possible packet loss or interface activation delay during this period

4 Scenario 1: Direct Pre-authentication
Serving network home network mobile host MN-TA Signaling EAP over L2 (for intra-technology, Intra-subnet pre-authentication) EAP over L3 (for other cases) Internet home AAA server EAP over AAA Target Network Target Authenticator (TA) - Generate MSK with the authenticator-2 by executing EAP through it.

5 Scenario 2: Indirect Pre-authentication
Serving Authenticator (SA) Serving Network home network MN-SA signaling EAP over L2/L3 mobile host Internet SA-TA signaling EAP over L3 home AAA server EAP over AAA Target Network Target Authenticator (TA) - Generate MSK with the authenticator-2 by executing EAP through it.

6 Basic pre-auth AAA requirements
Requirements identified in IETF65 HOAKEY BOF AAA needs to know that this is a pre-authentication not normal authentication User may only be allowed to have a single logon at the same time User may not be allowed pre-authentication Can pre-auth session timeout (see below) attribute serve as an indication of pre-auth or some other attribute is needed? AAA needs to know how long to hold the session before timing out Session timeout for pre-auth may be different for normal session If the mobile moves after timeout then do normal authentication Addressed in draft-aboba-radext-wlan-03.txt What would signal that the host has successfully connected to a target network? Another round of (non-blocking) Access-Req/Accept? Or do we rely on accounting messages? If latter, then they must be mandated for pre-auth case

7 Other potential pre-auth AAA requirements/issues (presented to RADEXT WG)
Extending pre-auth session lifetime Reverting to pre-auth state from full authorized state (related to key caching) Maximum number of pre-auth sessions for different authenticators Information on the serving network Calling-Station-Id Network-initiated pre-authentication Detailed issues are available at:

8 Scope of the pre-authentication work
“This group will work on pre-authentication signaling requirements including MN-TA signaling, MN-SA signaling and SA-TA signaling and new or existing attributes of AAA protocols” (from HOKEYP charter Possible work separation: AAA signaling: RADEXT and DIME WGs MN-TA, MN-SA signaling : PANA WG (for L3), L2 SDO (for L2) SA-TA signaling: new IETF WG

9 Deliverables Pre-authentication problem statement draft (Informational) This draft is intended for detailed problem definition and usage scenarios for pre-authentication. [draft-ohba-hokeyp-preauth-ps-00.txt will be used as the baseline.] Pre-authentication protocol requirements draft (Informational) Requirements of new protocols or new options/attributes for existing protocols for enabling a target authenticator to authenticate the peer attached to the serving network using EAP. The requirements are for both pre-authentication protocols and AAA protocols. Following completion of requirements definitions for a pre-authentication procedure, this group will continue with developing a solution for some portion of pre-authentication signaling if it is identified that the solution needs to be defined in the group

10 High-Level Requirements on pre-authentication
Inter-technology pre-authentication MUST be supported. Inter-subnet pre-authentication MUST be supported. Inter-administrative domain pre-authentication MUST be supported. Direct pre-authentication MUST be supported. Indirect pre-authentication MUST be supported Pre-authentication MUST work with RADIUS and Diameter

Download ppt "Pre-authentication Problem Statement (draft-ohba-hokeyp-preauth-ps-00"

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
21-07-0xxx-00-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0xxx-00-0000 Title: Proposal for adding a key hierarchy based approach in the security.

xxx IEEE MEDIA INDEPENDENT HANDOVER DCN: xxx Title: Proposal for adding a key hierarchy based approach in the security.
Washinton D.C., November 2004 IETF 61 st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.

Washinton D.C., November 2004 IETF 61 st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.
AAA Mobile IPv6 Application Framework draft-yegin-mip6-aaa-fwk-00.txt Alper Yegin IETF 61 – 12 Nov 2004.

AAA Mobile IPv6 Application Framework draft-yegin-mip6-aaa-fwk-00.txt Alper Yegin IETF 61 – 12 Nov 2004.
7/13/061 The Problem of Handover Keying IETF 66 Montreal.

7/13/061 The Problem of Handover Keying IETF 66 Montreal.
AAA-Mobile IPv6 Frameworks Alper Yegin IETF 62. 2 Objective Identify various frameworks where AAA is used for the Mobile IPv6 service Agree on one (or.

AAA-Mobile IPv6 Frameworks Alper Yegin IETF Objective Identify various frameworks where AAA is used for the Mobile IPv6 service Agree on one (or.
July 15, 2002IETF54 PANA WG1 PANA Usage Scenarios Updates (draft-ietf-pana-usage-scenarios-02.txt) Yoshihiro Ohba Subir Das

July 15, 2002IETF54 PANA WG1 PANA Usage Scenarios Updates (draft-ietf-pana-usage-scenarios-02.txt) Yoshihiro Ohba Subir Das
Media-Independent Pre-Authentication (draft-ohba-mobopts-mpa-framework-01.txt) (draft-ohba-mobopts-mpa-implementation-01.txt) Ashutosh Dutta, Telcordia.

Media-Independent Pre-Authentication (draft-ohba-mobopts-mpa-framework-01.txt) (draft-ohba-mobopts-mpa-implementation-01.txt) Ashutosh Dutta, Telcordia.
November 200461st IETF MIP6 WG Mobile IPv6 Bootstrapping Architecture using DHCP draft-ohba-mip6-boot-arch-dhcp-00 Yoshihiro Ohba, Rafael Marin Lopez,

November st IETF MIP6 WG Mobile IPv6 Bootstrapping Architecture using DHCP draft-ohba-mip6-boot-arch-dhcp-00 Yoshihiro Ohba, Rafael Marin Lopez,
21-07-0387-00-00011 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0387-00-0001 Title: Problem Statement for Authentication Signaling Optimization Date.

IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: Problem Statement for Authentication Signaling Optimization Date.
August 1, 2005IETF63 PANA WG Pre-authentication Support for PANA (draft-ohba-pana-preauth-00.txt) Yoshihiro Ohba

August 1, 2005IETF63 PANA WG Pre-authentication Support for PANA (draft-ohba-pana-preauth-00.txt) Yoshihiro Ohba
21-06-0727-01-0000 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN:21-06-0727-01-0000 Title: Proposal for IEEE 802.21 Study Group on Security Signaling Optimization.

IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: Proposal for IEEE Study Group on Security Signaling Optimization.
21-07-0301-01-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER Title: An Architecture for Security Optimization During Handovers Date Submitted: September,

IEEE MEDIA INDEPENDENT HANDOVER Title: An Architecture for Security Optimization During Handovers Date Submitted: September,
2006/7/10IETF66 RADEXT WG1 Pre-authentication AAA Requirements Yoshihiro Ohba Alper Yegin

2006/7/10IETF66 RADEXT WG1 Pre-authentication AAA Requirements Yoshihiro Ohba Alper Yegin
Basic User Registration Protocol BoF Basavaraj Patil/Nokia Subir Das/Telcordia Technologies IETF-50 March 20, 2001.

Basic User Registration Protocol BoF Basavaraj Patil/Nokia Subir Das/Telcordia Technologies IETF-50 March 20, 2001.
Nov. 9, 2004IETF61 PANA WG PANA Specification Last Call Issues Yoshihiro Ohba, Alper Yegin, Basavaraj Patil, D. Forsberg, Hannes Tschofenig.

Nov. 9, 2004IETF61 PANA WG PANA Specification Last Call Issues Yoshihiro Ohba, Alper Yegin, Basavaraj Patil, D. Forsberg, Hannes Tschofenig.
A Framework of Media-Independent Pre-authentication (MPA) for Inter-domain Handover optimization draft-ohba-mobopts-mpa-framework-05.txt Ashutosh Dutta.

A Framework of Media-Independent Pre-authentication (MPA) for Inter-domain Handover optimization draft-ohba-mobopts-mpa-framework-05.txt Ashutosh Dutta.
Minneapolis, March 2005 IETF 62 nd – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena Demaria.

Minneapolis, March 2005 IETF 62 nd – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena Demaria.
21-07-0122-03-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER Title: An Architecture for Security Optimization During Handovers Date Submitted: September,

IEEE MEDIA INDEPENDENT HANDOVER Title: An Architecture for Security Optimization During Handovers Date Submitted: September,
21-06-0557-00-0000 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN:21-06-0557-00-0000 Title: IETF Pre-authentication Activity Date Submitted: February 26, 2006.

IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: IETF Pre-authentication Activity Date Submitted: February 26, 2006.

Similar presentations

Ads by Google