1. IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-10-0058-00-srho
Title: TGa Updates
Date Submitted: March 16, 2010
Presented at IEEE session #37 in Orlando
Authors or Source(s):
 Yoshihiro Ohba (Toshiba)
Abstract: This document discusses pre-registration and pre-authentication
srho

2. IEEE 802.21 presentation release statements
This document has been prepared to assist the IEEE Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE
The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws < and in Understanding Patent Issues During IEEE Standards Development
srho

3. Purpose of this presentation
Trying to help a and c task groups to identify the scope of each work
Note: Some part of this presentation is made based on author’s own view
srho

4. EAP-based Security Signaling Optimization Techniques
[RFC 5247] defines EAP Pre-Authentication as:
The use of EAP to pre-establish EAP keying material on an authenticator prior to arrival of the peer at the access network managed by that authenticator
[I-D.ietf-hokey-preauth-ps] defines EAP Early Authentication to cover:
EAP pre-authentication (as defined above)
Signaling path: MN-CA-AAA
EAP authenticator on CA
Authenticated Anticipatory Keying
Signaling path: MN-SA-AAA-CA
EAP authenticator on SA
The common thing in all techniques here
is to proactively run EAP to establish keying material between MN and CA
CA: Candidate Authenticator
SA: Serving Authenticator
srho

5. Pre-registration
Pre-registration is to carry out link-layer signaling to create a link-layer state for an MN on a candidate PoA prior to handover
The link-layer signaling may include authentication and key establishment signaling
The authentication and key establishment signaling may include EAP or non-EAP authentication, or L2 secure association protocol
The link-layer state may include key material shared between MN and the candidate L2 PoA
How far the link-layer state is expected to proceed before handover may depend on the solution
srho

6. Non-EAP proactive authentication
A View of Works
MIH-based pre-registration seems to be in scope of c, except for security related part
Pre-registration (MIH-based, non-MIH-based)
Non-EAP proactive authentication
L2 EAP pre-authentication
L3+ EAP pre-authentication(*)
Current harmonized proposal ( ) on
802.21a Work Item #1
Authenticated Anticipatory Keying
EAP Early Authentication
Security-related optimization techniques
*) In current harmonized a proposal, L3+ EAP pre-authentication
is bundled with MIH service authentication.
srho

7. Implications of MIH-based Pre-registration
MIH-based pre-registration may require a secure MIH tunnel to carry L2 frames
To establish the tunnel, MIH service authentication is needed between MN and target PoS (to be defined as part of a work item #2)
Then L2 network access authentication is carried out over the tunnel
An optimization technique is discussed in a, which
relates MIH service authentication and L2 network authentication by defining a key hierarchy between them
“L3+ EAP pre-authentication” in previous slide
Target
PoS
PoS-PoA
tunnel
Secure
MIH tunnel
Target
PoA MN
srho

8. Summary
Pre-registration generally covers L2 EAP pre-authentication, but may not cover all security-related optimization techniques
MIH-based pre-registration except for security related part may be defined under c
E.g., definition of MIH TLV to carry L2 frame, pre-registration related IEs, events and commands except for security related ones
Security related part of MIH-based pre-registration may be defined under a
E.g., General call flows of security signaling and security-related IEs, events and commands, and if needed, a key hierarchy and solutions or guidelines for key distribution
srho