21-07-xxxx-00-0000 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-xxxx-00-0000 Title: Secure Handover with QoS Support Date Submitted: November, 14,


1 21-07-xxxx-00-0000 IEEE 802.21 MEDIA INDEPENDENT HANDOVER
DCN: 21-07-xxxx-00-0000
Title: Secure Handover with QoS Support
Date Submitted: November, 14, 2007
Presented at IEEE 802.21 session #23 in Atlanta
Authors or Source(s): Roland Bless (Institut für Telematik, Universität Karlsruhe (TH)), Michael Grigat (Deutsche Telekom)
Abstract: This document discusses synergy issues between security and QoS signaling and suggests that the MIH security solution should take into account the exchange of a security credential by a different pre-authentication signaling mechanism.

2 21-07-xxxx-00-0000 IEEE 802.21 presentation release statements
This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21.
The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual (http://standards.ieee.org/guides/opman/sect6.html#6.3) and in Understanding Patent Issues During IEEE Standards Development (http://standards.ieee.org/board/pat/guide.html).
The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws (http://standards.ieee.org/guides/bylaws/sect6-7.html#6) and in Understanding Patent Issues During IEEE Standards Development (http://standards.ieee.org/board/pat/faq.pdf).

3 21-07-xxxx-00-0000 Motivation
Provide seamless mobility with Quality-of-Service (QoS)
Quality-of-Service signaling for requesting resource reservations (at IP layer) on demand
Using QoS NSLP signaling protocol (-> NSIS WG, IETF)
QoS usage only with authentication and authorization
Inter-domain handover may lead to longer signaling exchange -> not really seamless QoS support if signaling starts after handover
Idea: pre-reserve resources before performing handover
Anticipated handover
Signaling for new reservation in next domain via current access before handover is performed
Analogy to pre-authentication signaling approach

4 21-07-xxxx-00-0000 Synergies between QoS and Security Signaling
Same problem for QoS signaling as with authentication signaling
Signaling and processing takes time
Same goal for QoS signaling optimisation => Decrease handover latency
Similar solution as for Security: pre-reservation signaling
Approach to combine Security and QoS signaling
Get credentials for new access via pre-reservation QoS signaling:
request reservation and authentication at new access
response carries also new credentials
Avoids extra pre-authentication signaling in case that MN uses QoS signaling anyway
NSIS Session Authentication Object may carry credential (can provide end-to-end integrity)

5 21-07-xxxx-00-0000 Example: Integration of AAA and QoS signaling
RACS: Resource and Admission Control Subsystem

6 21-07-xxxx-00-0000 Example: Message Sequence
[Message sequence chart; labels: MNSAAAARACSTAAAARACS, MN authenticated, QoS established, Fast Authentication, Handover, Integrated Signaling, Reserve, Response, QoS NSLP, Notify(Handover complete), Request, Diameter, Response]
RACS: Resource and Admission Control Subsystem

7 21-07-xxxx-00-0000 Conclusions
Similar handover latency problem for QoS signaling exists
If QoS signaling is used, it may carry credential that is otherwise exchanged via separate pre-authentication signaling (e.g., EAP)
Reduces latency
Saves messages (thus energy)
Allows for secure exchange
MIH solution should consider that credential may be exchanged by a different pre-authentication signaling

8 21-07-xxxx-00-0000 References
http://www.ietf.org/html.charters/nsis-charter.html
http://www.scalenet.de/

9 21-07-xxxx-00-0000 Comments/Q&A

10 21-07-xxxx-00-0000 Backup

11 21-07-xxxx-00-0000 NSIS protocol suite

12 21-07-xxxx-00-0000 Signaling Security
Security
QoS signaling messages
are transmitted via GIST
can be protected by transport via TLS (provides hop-by-hop security)
are protected against Denial-of-Service attacks (late state installation)
Some content can be integrity protected in an end-to-end fashion by a session authentication object within QoS NSLP
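
The end-to-end integrity point from slides 4 and 12, as an added example that is not part of the original presentation: a simplified model (not the NSIS wire format) in which the RESPONSE to a pre-reservation request carries the new credential under an HMAC keyed between the MN and the target domain, so a relaying node behind hop-by-hop TLS cannot alter it unnoticed. The pre-shared key, the field names and the `relay` helper are assumptions for illustration.

```python
import hashlib
import hmac
import json
import os

# Assumption: MN and target-domain AAA already share this key (constructed value).
E2E_KEY = b"constructed-mn-to-target-aaa-key"

def _mac(key, fields):
    """HMAC-SHA256 over a canonical encoding of the protected fields."""
    blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def build_response(key, session_id, mn_nonce, credential):
    """Target side: RESPONSE to a pre-reservation RESERVE, carrying the credential."""
    protected = {"session_id": session_id, "mn_nonce": mn_nonce,
                 "credential": credential, "status": "reserved"}
    return {"protected": protected,
            "hop_info": {"via": []},  # changed at every hop, so not under the MAC
            "auth_object": _mac(key, protected)}

def relay(msg, node, tamper=None):
    """Intermediate node: hop-by-hop TLS ends here, so it sees and can edit fields."""
    out = json.loads(json.dumps(msg))  # deep copy
    out["hop_info"]["via"].append(node)
    if tamper:
        out["protected"].update(tamper)
    return out

def mn_accept(key, msg, session_id, mn_nonce):
    """MN side: return the credential only if the end-to-end check passes."""
    p = msg["protected"]
    if not hmac.compare_digest(_mac(key, p), msg["auth_object"]):
        return None  # protected content was modified in transit
    if p["session_id"] != session_id or p["mn_nonce"] != mn_nonce:
        return None  # valid MAC, but replayed or bound to another request
    return p["credential"]

def demo():
    nonce = os.urandom(8).hex()
    resp = build_response(E2E_KEY, "sess-1", nonce, "new-access-credential")
    clean = relay(relay(resp, "target-router"), "current-access-router")
    forged = relay(resp, "current-access-router", {"credential": "substituted"})
    return (mn_accept(E2E_KEY, clean, "sess-1", nonce),
            mn_accept(E2E_KEY, forged, "sess-1", nonce),
            mn_accept(E2E_KEY, clean, "sess-1", "00" * 8))

if __name__ == "__main__":
    print(demo())
```

The MAC in this sketch gives integrity and request binding only; the credential itself is readable by every relaying node unless it is additionally encrypted end to end.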

