IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0446-00-0000 Title: Security SG Report Date Submitted: November 20, 2007 Authors or Source(s): Yoshihiro Ohba Abstract: Report of Security SG.


IEEE 802.21 MEDIA INDEPENDENT HANDOVER
DCN: 21-07-0446-00-0000
Title: Security SG Report
Date Submitted: November 20, 2007
Authors or Source(s):
Yoshihiro Ohba
Abstract: Report of Security SG meeting at IEEE 802.21 session 23 in Atlanta
21-07-0446-00-0000
1
IEEE 802.21 presentation release statements
This document has been prepared to assist the IEEE 802.21 Working Group. It is
offered as a basis for discussion and is not binding on the contributing
individual(s) or organization(s). The material in this document is subject to
change in form and content after further study. The contributor(s) reserve(s)
the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate
material contained in this contribution, and any modifications thereof, in the
creation of an IEEE Standards publication; to copyright in the IEEE’s name
any IEEE Standards publication even though it may include portions of this
contribution; and at the IEEE’s sole discretion to permit others to reproduce in
whole or in part the resulting IEEE Standards publication. The contributor also
acknowledges and accepts that this contribution may be made public by IEEE
802.21.
The contributor is familiar with IEEE patent policy, as stated in Section 6 of the
IEEE-SA Standards Board bylaws <http://standards.ieee.org/guides/bylaws/sect6-7.html#6>
and as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual
<http://standards.ieee.org/guides/opman/sect6.html#6.3>, and in
Understanding Patent Issues During IEEE Standards Development
<http://standards.ieee.org/board/pat/guide.html> and
<http://standards.ieee.org/board/pat/faq.pdf>.
Outline
• Two meeting slots: Nov. 17 (Mon) AM2, Nov. 15 (Thu) PM2
• 4 TR (Technical Report) contributions
• All contributions address Security Signaling Optimization
during Handover (SSOH)
• One contribution also addresses MIH-level Security
Mechanism (MIHS)
• One contribution for performance evaluation on SSOH
• One contribution for combining security signaling and QoS
resource reservation
• Discussed PAR and 5C issues
• There will be a 2nd call for TR contributions before the January 2007
meeting
TR contribution on re-authentication
• TR contribution: http://www.ieee802.org/21/doctree/Security_SG/21-07-0402-02-0000-MIH_Key_Hierarchy.doc
• Presented slides: http://www.ieee802.org/21/doctree/Security_SG/21-07-0402-03-0000-MIH%20key-hierarchy%20approaches.ppt
• The contribution addresses inter-technology handover between EAP-based
technologies using HOKEY re-authentication
• Re-authentication may be performed proactively via the serving network, or
reactively via the target network
• Proactive re-authentication may require new work in 802.21
• In reactive re-authentication, the native EAP transport defined in each link layer,
such as 802.1X, may be used with or without modification
• The need for new work in 802.21 is smaller than for proactive re-authentication
• In both proactive and reactive re-authentication, a candidate authenticator
discovery mechanism is needed
TR contribution on
inter-domain handover w/ pre-authentication
• TR contribution:
http://www.ieee802.org/21/doctree/Security_SG/21-07-0387-00-0000-%20security_signaling_inter-domain.doc
• Presented slides:
http://www.ieee802.org/21/doctree/Security_SG/21-07-0387-01-0000-%20security_signaling_inter-domain.ppt
• The contribution addresses inter-domain handover where a
direct or indirect trust relationship exists between the serving
and target network
• Pre-authentication is identified as the potential approach
• In the case of an indirect trust relationship, pre-authentication
signaling needs to be performed along the chain of trust
• A “proxy authenticator” is introduced to support pre-authentication across domains with an indirect trust relationship
TR contribution on
inter-technology handover w/ pre-authentication (1/2)
• TR contribution:
http://www.ieee802.org/21/doctree/Security_SG/21-07-0403-00-0000-Security%20SG%20Use%20Case.doc
• Presented slides:
http://www.ieee802.org/21/doctree/Security_SG/21-07-0403-01-0000%20-Use%20Case.ppt
• The contribution addresses inter-technology handover between
specific technologies: 802.11 and 802.16
• Pre-authentication is identified as the potential approach
• The same approach is generally applicable to other technologies
as long as the target network supports EAP
TR contribution on
inter-technology handover w/ pre-authentication (2/2)
• TR contribution:
http://www.ieee802.org/21/doctree/Security_SG/21-07-0390-00-0000-MIH_Security_TR_Use_Case_Scenarios.doc
• Presented slides:
http://www.ieee802.org/21/doctree/Security_SG/21-07-0391-00-0000-Use_Case_Scenario.ppt
• The contribution addresses inter-technology handover to a
specific set of technologies that support EAP
• Inter-domain handover is also supported
• Handover to non-EAP technologies is not supported
Performance evaluation on SSOH
• http://www.ieee802.org/21/doctree/Security_SG/21-07-0401-01-0000Authentication%20Signaling%20Performance%20in%20MIH.ppt
• NS-2 simulation results are shown on security signaling
performance for full authentication, re-authentication and pre-authentication for handover between 802.11 and 802.16
• Full authentication is based on EAP-TTLS w/MD5
• Re-authentication is based on HOKEY ERX
• Three performance metrics: EAP latency, post-handover
security signaling latency and transmission latency
• Some issues with the simulation conditions
• AAA latency is underestimated
• The simulation unnecessarily runs EAP during 802.11r FT
• Additional evaluation is encouraged
Combining security signaling and QoS
resource reservation
• http://www.ieee802.org/21/doctree/Security_SG/21-07-0435-00-0000-secure_Handover_with_QoS.ppt
• The purpose is to provide seamless mobility with QoS
• Proactive QoS signaling for resource reservation at the IP layer
using QoS NSLP where anticipation of movement is feasible
• The proposed approach is to combine network access
authentication and QoS signaling
• Even when the two types of signaling are combined, network access
authentication needs to complete before QoS reservation
Discussion on PAR and 5C
• PAR-related material:
http://www.ieee802.org/21/doctree/Security_SG/21-07-0394-00-0000-SSG_Scope_Issues.ppt
• 5C-related material: Annex A of 21-07-0402-02
• Support for non-EAP authentication was discussed heavily
• A straw poll was taken
• Support for handover with EAP: Yes(20)/No(0)
• Support for handover with Non-EAP: Yes(10)/ No(7)
• Support for inter-technology handover: Yes(21)/No(0)
• Open issues
• The definition of “administrative domain” needs to be revised to
cover a scenario where multiple ESSs are served by a
single AAA server
• Clarification on relationship with 802.1 Linksec is needed
Security SG Milestones
• November 2007
• All contributions intended to be included in the TR need
to be submitted before the meeting
• Detailed submission guidelines will be posted to the
reflector
• PAR/5C discussion
• January 2008
• All major studies are expected to be done
• PAR/5C discussion
• February 2008
• Submit PAR/5C to IEEE 802 EC to create a TG
• March 2008
• Completion of TR
• Discuss feedback on PAR/5C
• Joint Meeting with 802.1 Link Security Task Group
Next Steps
(Timeline diagram; text recovered from the figure)
• Nov. 2007 meeting: 4 TR contributions
• Submission deadline: Jan. 7, 2008
• 1 TR contribution on SSOH; TR contributions on MIHS, etc.
• Jan. 2008 meeting: Baseline TR; PAR/5C
• PAR/5C: Coordination w/ other WGs; Approval by WG; Approval by EC;
PAR/5C submission to EC (by Feb 14, 2008)
• Presentation of PAR to general 802 membership
• Mar. 2008 meeting: TR
• PAR submission to IEEE-SA Standards Board
SSOH: Security Signaling Optimization during Handover
MIHS: MIH-level Security mechanism