IEEE 802.21 MEDIA INDEPENDENT HANDOVER

Title: An Architecture for Security Optimization During Handovers
Date Submitted: September, 2007
Presented at IEEE 802.21 session #22, Hawaii
Authors or Source(s): Subir Das (Telcordia), Yoshihiro Ohba (Toshiba)
Abstract: This document describes an 802.21-based architecture for security optimization during handovers

21-07-0122-03-0000
IEEE 802.21 presentation release statements
This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE's name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE's sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21.
The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual <http://standards.ieee.org/guides/opman/sect6.html#6.3> and in Understanding Patent Issues During IEEE Standards Development <http://standards.ieee.org/board/pat/guide.html>
Architectural Alternatives and Recommendation

• Key hierarchy based transition for intra-domain and intra-technology handover assumes a distributed authenticator model
  • Each SDO (e.g., 802.11, WiMAX) is defining its own distributed authenticator model
  • Therefore, it would be difficult to define a unified distributed authenticator model across multiple technologies
• Key hierarchy based transition for inter-domain and inter-technology handover as defined by the IETF HOKEY WG can work with both integrated and distributed authenticator models
  • On the other hand, can we always assume that the key hierarchy is available across multiple providers' domains? It seems to have some deployment issues, since it requires much more tightly coupled security policies in place and also needs changes to the existing AAA infrastructure
• Authentication based transition (pre-authentication) can work with both integrated and distributed authenticator models
• Recommendation to the 802.21 Security Study Group: focus on authentication based transition for the time being
  • In parallel, the SG can evaluate the applicability of key hierarchy based transition as defined in the IETF HOKEY WG
Functional Elements of Authentication Based Transition
• MN (Mobile Node)
  • In addition to the functionalities defined in the 802.21 specification, the MN has the following functionality:
    • EAP Peer
• PoA (Point of Attachment)
  • In addition to the functionalities defined in the 802.21 specification, the PoA has the following functionality:
    • EAP Authenticator
    • Pre-authentication Forwarding for indirect pre-authentication
    • PoA acts as MIH PoS
• On the other hand, the SG should also consider the cases where EAP based authentication is not used
Functional Element Mapping to the 802.21 Communication Model
[Figure: 802.21 communication model. Entities: MIH MN; Serving PoA (MIH PoS); Candidate PoA (MIH PoS); Non-PoA Network Entity (MIH PoS); Non-PoA Network Entity (MIH Non-PoS). Reference points: R1 (MN to Serving PoA), R2 (MN to Candidate PoA), R3 (MN to non-PoA MIH PoS), R4 (MIH PoS to MIH Non-PoS), R5 (MIH PoS to MIH PoS)]

Only R1, R2 and R5 are involved in authentication based transition
Pre-authentication Signaling Flows
Direct Pre-authentication

[Figure: MIH MN attached to the Serving PoA (MIH PoS) over R1. MN-CA signaling runs via the serving network and carries EAP over higher layers (HL) between the MN and the Candidate PoA (MIH PoS) over R2. The Candidate PoA carries EAP over AAA to the Home AAA Server over R5]

Indirect Pre-authentication

[Figure: MN-SA signaling carries EAP over L2/HL between the MIH MN and the Serving PoA (MIH PoS) over R1. SA-CA signaling carries EAP over HL between the Serving PoA and the Candidate PoA (MIH PoS). The Candidate PoA carries EAP over AAA to the Home AAA Server over R5]
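The two signaling flows above, together with the "Pre-authentication Forwarding" function listed under Functional Elements, as an added example that is not part of this contribution: a small Python model that routes a skeletal EAP conversation hop by hop through the entities of each flow, so the difference between direct pre-authentication (the serving network only routes packets and the serving PoA never handles EAP) and indirect pre-authentication (the serving PoA forwards every EAP packet between the MN and the candidate PoA) becomes checkable. The entity names MN/SA/CA/AAA, the single-round EAP method, and the assumption that the candidate authenticator issues Request/Identity itself and passes everything else through to the home AAA server are assumptions of the example, not statements of the deck.

```python
"""Toy model of direct vs. indirect pre-authentication signaling.

Added example, not part of the 802.21 contribution. Entity names and the
reduced EAP conversation are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed entity names: MN = mobile node (EAP peer), SA = serving PoA,
# CA = candidate PoA (EAP authenticator), AAA = home AAA server.
MN, SA, CA, AAA = "MN", "SA", "CA", "AAA"

# Hop-by-hop transports, as drawn on the two signaling-flow slides.
# In the direct flow the serving network only routes packets and is not an
# EAP hop; in the indirect flow the serving PoA is an explicit forwarder.
FLOWS: Dict[str, List[Tuple[str, str, str]]] = {
    "direct": [
        (MN, CA, "EAP over HL (via serving network)"),  # MN-CA signaling
        (CA, AAA, "EAP over AAA"),
    ],
    "indirect": [
        (MN, SA, "EAP over L2/HL"),  # MN-SA signaling
        (SA, CA, "EAP over HL"),     # SA-CA signaling (pre-auth forwarding)
        (CA, AAA, "EAP over AAA"),
    ],
}

# Skeleton EAP conversation (RFC 3748 shape, method reduced to one round):
# (EAP packet, originator, final receiver). Assumption: the candidate
# authenticator issues Request/Identity itself and passes every later
# packet through between the peer and the AAA server.
EAP_CONVERSATION = [
    ("Request/Identity", CA, MN),
    ("Response/Identity", MN, AAA),
    ("Request/Method", AAA, MN),
    ("Response/Method", MN, AAA),
    ("Success", AAA, MN),
]


@dataclass(frozen=True)
class Hop:
    src: str
    dst: str
    transport: str
    eap: str


def _route(flow, origin, final):
    """Walk the entity chain of a flow from origin to final, one hop at a time."""
    chain = [flow[0][0]] + [dst for _, dst, _ in flow]
    i, j = chain.index(origin), chain.index(final)
    step = 1 if j > i else -1
    hops = []
    for k in range(i, j, step):
        a, b = chain[k], chain[k + step]
        # transport of the (undirected) link between the two neighbours
        transport = next(t for s, d, t in flow if {s, d} == {a, b})
        hops.append((a, b, transport))
    return hops


def run_preauth(mode: str) -> List[Hop]:
    """Return the ordered hop trace of one pre-authentication run."""
    trace = []
    for eap, origin, final in EAP_CONVERSATION:
        for a, b, transport in _route(FLOWS[mode], origin, final):
            trace.append(Hop(a, b, transport, eap))
    return trace


def eap_hops_at(trace: List[Hop], entity: str) -> int:
    """Number of EAP packets the entity sends or receives at the signaling layer."""
    return sum(1 for h in trace if entity in (h.src, h.dst))


if __name__ == "__main__":
    for mode in ("direct", "indirect"):
        print(f"== {mode} pre-authentication ==")
        for h in run_preauth(mode):
            print(f"  {h.src:>3} -> {h.dst:<3} [{h.transport}] {h.eap}")
        print(f"  EAP hops at serving PoA: {eap_hops_at(run_preauth(mode), SA)}")
```

Running the block prints the hop trace for both flows; the direct run has 9 hops and never involves the serving PoA at the EAP layer, while the indirect run has 14 hops because every one of the five EAP packets is relayed once by the serving PoA, which is exactly the "Pre-authentication Forwarding" function the PoA must add for the indirect case.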
Issues that need to be addressed

• Which EAP over higher layer protocol can we use?
  • IETF defined L3 protocol, or
  • 802.21 MIH protocol?
• Do we need to support both direct and indirect pre-authentication?
• Authenticator discovery and context binding issues?