IEEE 802.21 MEDIA INDEPENDENT HANDOVER

Title: An Architecture for Security Optimization During Handovers Date Submitted: September, 2007 Presented at IEEE 802.21 session #22, Hawaii Authors or Source(s):

Subir Das (Telcordia), Yoshihiro Ohba (Toshiba)

Abstract: This document describes an 802.21-based architecture for security optimization during handovers 21-07-0122-03-0000 1

IEEE 802.21 presentation release statements

This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE contribution; and at the IEEE 802.21.

’ ’ s name any IEEE Standards publication even though it may include portions of this s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual < http://standards.ieee.org/guides/opman/sect6.html#6.3

http://standards.ieee.org/board/pat/guide.html

> > and in

Understanding Patent Issues During IEEE Standards Development

21-07-0122-03-0000 2

•

Architectural Alternatives and Recommendation

Key hierarchy based transition for intra-domain and intra-technology handover assumes distributed authenticator model • Each SDO (e.g., 802.11, WiMAX) is defining its own distributed authenticator model • Therefore, it would be difficult to define a unified distributed authenticator model across multiple technologies • Key hierarchy based transition for inter-domain and inter-technology handover as defined by IETF HOKEY WG can work with both integrated and distributed authenticator models • On the other hand, can we always assume that the key hierarchy is available across multi-provider’s domain? It seems to have some deployment issues since it requires a lot more tightly coupled security policies in place and also needs changes to existing AAA infrastructure • Authentication based transition (pre-authentication) can work with both integrated and distributed authenticator models • Recommendation to 802.21 Security Study Group: Focus on authentication based transition for the time being • In parallel, SG can evaluate the applicability of key hierarchy based transition as defined in IETF HOKEY WG 21-07-0122-03-0000 3

Functional Elements of Authentication Based Transition

• MN (Mobile Node) • In addition to the functionalities defined in 802.21 specification, MN has the following functionality: •

EAP Peer

• PoA (Point of Attachment) • In addition to the functionalities defined in 802.21 specification, PoA has the following functionality: • • •

EAP Authenticator Pre-authentication Forwarding for indirect pre-authentication

PoA acts as MIH PoS • On the other hand, SG should also consider the cases where EAP based authentication is not used 21-07-0122-03-0000 4

Functional Element Mapping to the 802.21 Communication Model

Candidate PoA MIH PoS R2 R4 R5 MIH MN R1 MIH PoS Serving PoA R4 Non-PoS MIH Non-PoA Network Entity R3 R5 MIH PoS Non-PoA Network Entity R4

Only R1, R2 and R5 are involved in authentication based transition

21-07-0122-03-0000 5

Pre-authentication Signaling Flows

Direct Pre-authentication

Candidate PoA

MN-CA Signaling (via serving network) EAP over higher layers (HL)

R2 MIH PoS

EAP over AAA

Home AAA Server R5 MIH MN R1 MIH PoS Serving PoA

Indirect Pre-authentication

Candidate PoA

SA-CA Signaling EAP over HL

MIH PoS

EAP over AAA MN-SA Signaling EAP over L2/HL

R2 Home AAA Server R5 MIH R1 MIH PoS Serving PoA 6

Issues Need to be addressed

• Which EAP over higher layer protocol can we use?

• IETF defined L3 protocol or • 802.21 MIH protocol ?

• Do we need to support both direct and indirect pre authentication?

• Authenticator discovery and context binding issues? 21-07-0122-03-0000 7