Presentation is loading. Please wait.

Presentation is loading. Please wait.

ERP/AAK support for Inter-AAA realm handover discussion Hao Wang, Tina Tsou, Richard.

Published byGloria Eaton Modified over 8 years ago

Similar presentations

Presentation on theme: "ERP/AAK support for Inter-AAA realm handover discussion Hao Wang, Tina Tsou, Richard."— Presentation transcript:

1 ERP/AAK support for Inter-AAA realm handover discussion Hao Wang, Tina Tsou, Richard

2 Inter-AAA realm handover application scenarios Scenario 1:intra-operator authenticationScenario 2: Inter-operator authentication Home AAA and CAP-AAABelongs to the same operatorBelongs to the different operators Establish the trust relationshipTight trust relationship between AAALoose trust relationship between AAA Early authenticationw/ofull EAP method exchangew/o and w/ full EAP method exchange Request DSRK and EMSK NameDerived pMSK from DSRKDerive new DSRK and pMSK from EMSK or Make one new EMSK Attach to the CAPUsing pMSK derived by DSRKUsing MSK derived in EAP authentication or pMSK derived from the same EMSK and different DSRK The Roles of AAA servers after handoverHome AAA is not changed CAP-AAA act as a Local AAA server a.Home AAA is changed,CAP-AAA act as the new Home AAA b. Home AAA is not changed CAP-AAA SAP Internet Home AAA CAP Local AAA/SAP-AAA Early authentication DSRK Request, Domain Name DSRK, EMSK Name Keep the early authentication sessions for early authentication life time. ② ③ ④ Attach to the CAP Establish Trust Relationship between AAA ①

3 Inter-AAA realm handover problem statement (Based on RFC 5836 AAK Model) Local AAA/SAP-AAA CAP-AAA SAP Internet Home AAA CAP ① ③ ④ ② Problem 1. The trust relationship needs to be established between Home AAA and CAP-AAA. Problem 2. CAPs are discovered through EAP Lower layer. Early authentication is done through EAP layer. So MH needs to know whether the discovered CAPs can be early authenticated through Home AAA or not. Problem 4. SAP-AAA and Home AAA should forward EAP early authentication packets to CAP-AAA instead of processing them locally. Problem 3. Full EAP method exchange may be required in early authentication. Problem 5. Frequent MH handover may lead to redundant obsolete early authentication sessions on AAA servers. Problem 6. Higher possibility of information inconsistency between MH and CAP-AAA. For example: After handover, MH start to use pMSK for EAP lower layer key derivation. But the early authentication session on CAP-AAA has just been expired without notifying MH.

4 Topic 1: Reuse the Re-authentication messages or define new messages? The existing normal authentication session on AAA server is the prerequisite of EAP Re- authentication process. In intra-AAA realm handover, early authentication happened between MH and Home AAA. There is a normal authentication exist in Home AAA, So Re-authentication process can be reused. (Such as methods defined in draft-ietf-hokey-erp-aak-02) In inter-AAA realm handover, early authentication happened between MH and CAP-AAA. There is no normal authentication exist in CAP-AAA, Reuse Re-authentication messages may cause logic confusion. Comments: Suggest to reuse Initiate and Finish EAP codes defined in ERP, but add new message types to differentiate from EAP Re-authentication process. For example: Define EAP Initiate/Pre-auth and EAP Finish/Pre-auth messages Topic 2: How to announce the inter-AAA realm handover capability? To avoid redundant trigger message at the beginning, New start message should not be defined. Comments: Suggest to modify ERP/Re-auth-Start message and add new flag bit to announce the support of new messages. The MH who did not support new messages will ignore the flag bits and do early authentication using ERP/AAK (Defined in draft-ietf-hokey-erp-aak-02). ERP/AAK support inter-AAA realm handover discussion

5 Topic 3: The new functions need to be extended to support inter-AAA handover. (Refer to Inter-AAA realm handover problem statement) (For Problem 2) New NAS-Id-NAI (Format: NAS-id@realm name) TLV to identify the CAPs in other realms. (For Problem 2) Support probe mechanism before early authentication to avoid repeating authentication failure. (For Problem 3) Support MH to negotiate whether EAP full authentication is required with CAP-AAA. (For Problem 4) Inform authenticator, SAP-AAA, Home AAA and CAP-AAA of the early authentication startup. Establish the routing path. After being informed, SAP-AAA and Home AAA should forward EAP early authentication packets to CAP-AAA. And CAP-AAA should take following EAP method exchange as an early authentication. (For Problem 4) Restrict MH to start early authentication with CAPs one by one. (For Problem 5) Support bidirectional state transition a. From early authenticated state to normal authenticated and authorized state. b. From normal authenticated and authorized state to early authenticated state. (Adapt to the situation where MH keep moving between 2 AAA realms.) ERP/AAK support inter-AAA realm handover discussion

6 (For Problem 5) Support to release the obsolete early authentication sessions proactively to avoid resource consumption. (For Problem 6) Support early authentication lifetime extension to solve the problem that the lifetime is expiring when MH is anticipated to move. (For Problem 6) Mutually authenticated (one round trip) and verify the key possession after handover. (For Problem 6) New result code TLV to let MH know the detailed reason of early authentication faiure. Comments: 1. Problem 1 is out of scope of this discussion. 2. Currently the reserved flag bits in ERP messages are less. Defining message types is more flexible for future function extension. 3. New messages can cover both intra-AAA and inter-AAA realm handover scenarios. ERP/AAK support inter-AAA realm handover discussion

Download ppt "ERP/AAK support for Inter-AAA realm handover discussion Hao Wang, Tina Tsou, Richard."

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
1 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-0014-00-0sec Title: Security Group TR Date Submitted: 20 th January, 2009 Presented at IEEE 802.21.

1 IEEE MEDIA INDEPENDENT HANDOVER DCN: sec Title: Security Group TR Date Submitted: 20 th January, 2009 Presented at IEEE
EAP Scenarios and 802.1af Joseph Salowey 1/12/2006.

EAP Scenarios and 802.1af Joseph Salowey 1/12/2006.
21-07-0xxx-00-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0xxx-00-0000 Title: Proposal for adding a key hierarchy based approach in the security.

xxx IEEE MEDIA INDEPENDENT HANDOVER DCN: xxx Title: Proposal for adding a key hierarchy based approach in the security.
Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.

Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.
Doc.: IEEE 802.11-11/1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA

Doc.: IEEE /1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA
Doc.: IEEE 802.11-12/0032r0 Submission NameAffiliationsAddressPhoneemail Hitoshi MORIOKAAllied Telesis R&D Center 2-14-38 Tenjin, Chuo-ku, Fukuoka 810-0001.

Doc.: IEEE /0032r0 Submission NameAffiliationsAddressPhone Hitoshi MORIOKAAllied Telesis R&D Center Tenjin, Chuo-ku, Fukuoka
Doc.: IEEE 802.11-04/0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.

Doc.: IEEE /0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.
Chapter 8 Web Security.

Chapter 8 Web Security.
ERP for IKEv2 draft-nir-ipsecme-erx-01. Why ERP for IKEv2? RFC 5296 and the bis document define a quick re- authentication protocol for EAP. ERP requires.

ERP for IKEv2 draft-nir-ipsecme-erx-01. Why ERP for IKEv2? RFC 5296 and the bis document define a quick re- authentication protocol for EAP. ERP requires.
1 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-11-0164-02-0sec Title: ERP proposal Date Submitted: October 11, 2011 Authors or Source(s): Fernando Bernal-Hidalgo,

1 IEEE MEDIA INDEPENDENT HANDOVER DCN: sec Title: ERP proposal Date Submitted: October 11, 2011 Authors or Source(s): Fernando Bernal-Hidalgo,
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16, 2003 1300 - 1500.

July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,
21-07-0xxx-00-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0xxx-00-0000 Title: Proposal for adding a key hierarchy based approach in the security.

xxx IEEE MEDIA INDEPENDENT HANDOVER DCN: xxx Title: Proposal for adding a key hierarchy based approach in the security.
1 May 14, 2007 Zhibi Wang, Simon Mizikovsky – Alcatel-Lucent Vidya Narayanan, Anand Palanigounder – QUALCOMM ABSTRACT: Access authentication architecture.

1 May 14, 2007 Zhibi Wang, Simon Mizikovsky – Alcatel-Lucent Vidya Narayanan, Anand Palanigounder – QUALCOMM ABSTRACT: Access authentication architecture.
21-07-0387-00-00011 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0387-00-0001 Title: Problem Statement for Authentication Signaling Optimization Date.

IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: Problem Statement for Authentication Signaling Optimization Date.
RFC5296BIS CHANGES PROPOSAL Sebastien Decugis. Presentation outline  Quick reminder on ERP (RFC5296)  2 change proposals  Problem description  Solution.

RFC5296BIS CHANGES PROPOSAL Sebastien Decugis. Presentation outline  Quick reminder on ERP (RFC5296)  2 change proposals  Problem description  Solution.
2015-10-17Hokey IETF 81 Quebec1 EAP Extensions for EAP Re- authentication Protocol draft-ietf-hokey-rfc5296bis-04 Qin Wu Zhen Cao Yang Shi Baohong He.

Hokey IETF 81 Quebec1 EAP Extensions for EAP Re- authentication Protocol draft-ietf-hokey-rfc5296bis-04 Qin Wu Zhen Cao Yang Shi Baohong He.
1 Reoptimization of Point-to-Multipoint Traffic Engineering Loosely Routed LSPs draft-tsaad-mpls-p2mp-loose-path-reopt-03 Author list: Tarek Saad

1 Reoptimization of Point-to-Multipoint Traffic Engineering Loosely Routed LSPs draft-tsaad-mpls-p2mp-loose-path-reopt-03 Author list: Tarek Saad
July 16, 20031 Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...

July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...

Similar presentations

Ads by Google