Transcript 21-06-0727-01-0000-Security_StudyGroup_proposal.ppt

• IEEE 802.21 MEDIA INDEPENDENT HANDOVER
• DCN:21-06-0727-01-0000
• Title: Proposal for IEEE 802.21 Study Group on Security
Signaling Optimization during Handover
• Date Submitted: November 16, 2006
• Presented at IEEE 802.21 session in Dallas
• Authors or Source(s):
• Yoshihiro Ohba (Toshiba), Subir Das (Telcordia),
• Madjid Nakhjiri (Huawei), Qiaobing Xie (Motorola),
• Junghoon Jee (ETRI), Soohong Daniel Park (Samsung)
• Abstract: This document proposes IEEE 802.21 Study Group on
Security Signaling Optimization during Handover
21-06-0727-01-0000
IEEE 802.21 presentation release statements
• This
document has been prepared to assist the IEEE 802.21 Working Group. It
is offered as a basis for discussion and is not binding on the contributing
•
•
individual(s) or organization(s). The material in this document is subject to
change in form and content after further study. The contributor(s) reserve(s)
the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate
material contained in this contribution, and any modifications thereof, in the
creation of an IEEE Standards publication; to copyright in the IEEE’s name
any IEEE Standards publication even though it may include portions of this
contribution; and at the IEEE’s sole discretion to permit others to reproduce in
whole or in part the resulting IEEE Standards publication. The contributor also
acknowledges and accepts that this contribution may be made public by IEEE
802.21.
The contributor is familiar with IEEE patent policy, as outlined in Section 6.3
of
the
IEEE-SA
Standards
Board
Operations
Manual
<http://standards.ieee.org/guides/opman/sect6.html#6.3>
and
in
Understanding Patent Issues During IEEE Standards Development
http://standards.ieee.org/board/pat/guide.html>
21-06-0727-01-0000
Objectives
• Identify use cases in which security related signaling can add
major delay to seamless handover
• Identify the security related handover issues and scenarios
that can be addressed within IEEE 802.21
• Investigate the feasibility of defining security signaling and
primitives in a media independent manner and can be
executed both pre-handoff and post-handoff stages, e.g.,
•
•
•
A command to turn media-independent keys from higher-layer mechanism,
such as those from IETF, into media-specific keys and distribute the keys
from authenticator to AP/BS
A command for communication between the mobile node and a target
authenticator to carry security signaling messages.
Security-related events
21-06-0727-01-0000
Objectives (cont’d)
• Investigate the feasibility of defining new security-related IEs
to be used by security signaling
• Investigate the feasibility of defining a new functional
element that involves in security signaling across multiple
access technologies
21-06-0727-01-0000
Potential Scope of the Proposed
Project
• The intended study will first identify use cases for proactive and reactive
security signaling optimization that can potentially improve the handover
performance.
• The specification will then specify the signaling and primitives in a media
independent manner (as much as possible) so that it can be integrated within
the base MIH framework. It will apply to scenarios whereby seamless
handover is required between two security domains (e.g., AAA domains)
and/or with multiple heterogeneous network access technologies
• Activities required for accomplishing the above work items (see next slide)
21-06-0727-01-0000
Proposed Activities
• Develop a draft PAR if found appropriate by the Study
Group
• Proposed study group will identify the security related issues
that are critical for handover optimization
• Proposed study group will discuss and understand the IETF
requirements and can satisfy the requirements
• MIH needs to work along with IETF to extend the IETF
L3+ security procedures to cover L2 security needs.
• Proposed study group will be interested to hold joint meeting
with IEEE 802 11r, 802.16e, etc. to discuss and define the
scope appropriately
21-06-0727-01-0000
What is available?
• IEEE 802.11r fast roaming with security
• Optimized security signaling only within ESS
•
No support for inter ESS
• 802.1X requires to run a new EAP session while changing
the point of attachment
• IEEE 802.21 MIH protocol does not have support for security
•
Access authentication and key management is carried outside of MIH
protocol
• IETF HOKEY (Handover Keying) WG is working on
specific secure handover optimization issues (see next slide)
•
•
IETF will not define primitives
IETF work needs to be extended with L2 mechanisms to provide
complete handover security solution
21-06-0727-01-0000
IETF HOKEY WG
• Handover keying
•
•
Define EAP key hierarchy used for handover
Define AAA or other protocols for reactive or proactive distribution or
retrieval of keys by the proper entities
• Re-authentication
•
•
•
EAP authentication exchange that is based on keys derived upon a
preceding full authentication exchange
Requirements: (a) Low-latency, (b) Independent of EAP method
Modification to EAP may be needed
• Pre-authentication
•
•
•
The use of EAP to pre-establish EAP keying material on an
authenticator prior to arrival of the peer at the access network
managed by that authenticator
Originally defined in 802.11i
Define a general solution that works across ESSes and across different
media
21-06-0727-01-0000
Use Case 1: Intra-authenticator handover
• A single authenticator may be
serving multiple networks of
the same or different media
Home AAA domain
AAA server
• After initial authentication, no
additional EAP run is needed
for transitions under the
authenticator
AAA domain 1
Authenticator
WiFi, WiMAX
or Cellular
AP/
BS
WiFi, WiMAX
or Cellular
AP/
BS
AP/
BS
MN
21-06-0727-01-0000
AP/
BS
Use Case 2: Inter-authenticator handover
across AAA domains
• Case 2: Two authenticators belong to
different AAA domains
•
Home AAA domain
AAA server
The handover can be intratechnology or inter-technology
• MN may use the same AAA server or
different AAA servers for different
AAA domains
• MN needs to go through EAP
authentication all the way to its AAA
server
AAA domain 1
AAA domain 2
Authenticator1
Authenticator2
WiFi, WiMAX
and/or Cellular
AP/
BS
WiFi, WiMAX
and/or Cellular
AP/
BS
AP/
BS
MN
•
EAP may performed either
proactively or reactively
21-06-0727-01-0000
AP/
BS
Use Case 3: Inter-authenticator handover
in the same AAA domain
• Case 3: Two authenticators belong
to the same AAA domains
Home AAA domain
•
The handover can be intratechnology or inter-technology
• MN would need to run EAP all the
way to the home AAA server
•
•
Alternatively visited domain’s
AAA server may perform
authentication if it has MN’s
credentials transferred from the
home AAA server
EAP may performed either
proactively or reactively
21-06-0727-01-0000
AAA server
AAA domain 2 AAA server
Authenticator1
Authenticator2
WiFi, WiMAX
and/or
Cellular
AP/
BS
WiFi, WiMAX
and/or
Cellular
AP/
BS
AP/
BS
MN
AP/
BS
Comments in Sept. Meeting
• Comment: Technical analysis shows that sudden drop in the
transitions between WiFi and cellular is less than 1%
• Answers
• Underlying assumption of the analysis is not clear
•
•
For example, if MN is moving very fast, then sudden drop rate may be
more
There are other types of transitions to consider as well
•
WiFi to WiFi (inter-ESS), WiFi to WiMAX or WiMAX to WiMAX
21-06-0727-01-0000
Comments in Sept. Meeting (cont’d)
• Comment: In 3GPP networks, when a terminal is authenticated
to different AAA servers, the AAA server will shut down the 1st
connection. You will lose the first connection while you are
connecting to the 2nd one
• Answers
•
In such a case, only reactive handover would be possible
•
There are many other cases where proactive handover is
feasible
•
Both proactive and reactive security signaling optimization
should be considered
21-06-0727-01-0000
References
• [RFC3748] B. Aboba, et al., “Extensible Authentication Protocol (EAP)”,
RFC 3748, June 2004.
• [HOKEY-PS] M. Nakhjiri, et al., “AAA based Keying for Wireless
Handovers: Problem Statement”, Internet-Draft, draft-nakhjiri-aaa-hokeyps-03, Work in Progress, June 2006.
• [EAPEXT-PS] L. Dondeti and V. Narayanan, “EAP Extensions Problem
Statement”, draft-dondeti-eapext-ps-00.txt, Work in Progress, June 2006.
• [PREAUTH-PS] Y. Ohba, et al., “Pre-authentication Problem Statement”,
Internet-Draft, draft-ohba-preauth-ps-00, Work in Progress, October 2006.
21-06-0727-01-0000