This document outlines the establishment of security associations (SAs) in EAP-based network access authentication, focusing on generating derivative SAs (SA3) between the mobile node (MN) and mobility servers such as the MAP and the FMIP AR. It covers SA distribution, HMIP-SA generation, and the application to FMIP, using key derivation from the EAP Master Session Key (MSK). The proposed method applies to any architecture in which an equivalent of the MSK is shared between the MN and the network access server (NAS).
HMIP and FMIP Security Associations
draft-yegin-hmip-sa-00.txt
IETF 67
Summary
• EAP-based network access authentication already generates an SA (SA2) between the MN and the access network (NAS)
• Now generate derivative SAs (SA3) between the MN and the mobility servers (MAP, FMIP AR)
[Figure: MN (EAP peer) -- SA2 -- NAS (EAP authenticator) -- SA1 -- HAAA (EAP authentication server); SA3 runs between the MN and the MAP or AR. The NAS, MAP and AR sit in the visited network, the HAAA in the home network.]
IETF 67 - HMIP/FMIP SA
HMIP SA Generation
• After EAP, the NAS and the MN share the MSK
• HMIP-SA
  • HMIP-PID (peer ID): the MN identity used during EAP
  • MAP IP address
  • HMIP-lifetime: the MSK lifetime
  • HMIP-SPI: 1 at the initial EAP authentication, incremented (++) for each subsequent re-authentication
  • HMIP-key = HMAC-SHA1(MSK, "HMIPv6 key derivation" | MN-ID | MAP-IPaddr)
SA Distribution
• MN: internal (derived locally from the MSK after EAP)
• MAP: delivered from the NAS to the MAP
  • RADIUS, Diameter, proprietary: architecture dependent
Using the SA
• Use the HMIP-SA with
  • ietf-mip6-ikev2-ipsec, or
  • RFC 4285
Non-EAP-based Architectures?
• The same mechanism can be used with any architecture as long as there is an equivalent of the MSK shared between the MN and the NAS.
Application to FMIP
• FMIP-key = HMAC-SHA1(MSK, "FMIPv6 key derivation" | MN-ID | AR-IPaddr)
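The two derivations on the HMIP SA Generation and Application to FMIP slides, carried out in Python as an added example (not code from the draft or its author). It assumes an encoding the slides do not specify: the MN-ID is taken as UTF-8 (an NAI-style identity) and the MAP/AR address as the 16-byte network-order IPv6 address; the MSK, identity and addresses in the demo are constructed sample values. The MN-side state object keeps the SPI counter across re-authentications and binds the SA lifetime to the MSK lifetime, as the slides require; the fixed label gives domain separation between the HMIP and FMIP keys, and the server address binds each key to one MAP or AR.

```python
import hmac
import hashlib
import ipaddress
from dataclasses import dataclass

# Labels exactly as given on the slides.
HMIP_LABEL = b"HMIPv6 key derivation"
FMIP_LABEL = b"FMIPv6 key derivation"


def derive_key(msk: bytes, label: bytes, mn_id: str, server_addr: str) -> bytes:
    """HMAC-SHA1(MSK, label | MN-ID | server-IPaddr), as on the slides.

    Encoding is an assumption of this example, not the draft's: MN-ID (the
    identity used during EAP) as UTF-8, server address as the 16-byte
    network-order IPv6 address.  The fixed-length trailing address keeps
    the concatenation unambiguous even though MN-ID is variable-length.
    """
    if len(msk) < 64:
        # EAP methods export an MSK of at least 64 octets (RFC 3748);
        # anything shorter is a caller bug.  Enforcing it here is our choice.
        raise ValueError("MSK must be at least 64 bytes")
    addr = ipaddress.IPv6Address(server_addr).packed
    return hmac.new(msk, label + mn_id.encode("utf-8") + addr, hashlib.sha1).digest()


@dataclass(frozen=True)
class MobilitySA:
    """SA fields listed on the HMIP SA Generation slide (same shape for FMIP)."""
    peer_id: str      # HMIP-PID: MN identity used during EAP
    server_addr: str  # MAP (HMIP) or AR (FMIP) IP address
    lifetime: int     # bound to the MSK lifetime (seconds)
    spi: int          # 1 at initial auth, +1 per re-auth
    key: bytes        # HMIP-key / FMIP-key (20 bytes, HMAC-SHA1 output)


class MobileNodeSAs:
    """MN side: tracks the MSK and SPI across re-authentications and derives
    SA3 for each mobility server.  The NAS runs the same derivation and
    delivers the result to the MAP/AR over RADIUS or Diameter."""

    def __init__(self, mn_id: str):
        self.mn_id = mn_id
        self.spi = 0            # no EAP run yet
        self.msk = None
        self.msk_lifetime = 0

    def on_eap_success(self, msk: bytes, msk_lifetime: int) -> int:
        """Called after each (re-)authentication; returns the new SPI."""
        self.msk = msk
        self.msk_lifetime = msk_lifetime
        self.spi += 1
        return self.spi

    def hmip_sa(self, map_addr: str) -> MobilitySA:
        return self._sa(HMIP_LABEL, map_addr)

    def fmip_sa(self, ar_addr: str) -> MobilitySA:
        return self._sa(FMIP_LABEL, ar_addr)

    def _sa(self, label: bytes, server_addr: str) -> MobilitySA:
        if self.msk is None:
            raise RuntimeError("no MSK: EAP has not completed")
        return MobilitySA(
            peer_id=self.mn_id,
            server_addr=server_addr,
            lifetime=self.msk_lifetime,
            spi=self.spi,
            key=derive_key(self.msk, label, self.mn_id, server_addr),
        )


def demo():
    # Constructed sample values, not from the draft.
    mn = MobileNodeSAs("mn@example.com")
    mn.on_eap_success(bytes(range(64)), msk_lifetime=3600)
    return mn.hmip_sa("2001:db8::1"), mn.fmip_sa("2001:db8::2")


if __name__ == "__main__":
    hsa, fsa = demo()
    print("HMIP SPI", hsa.spi, "key", hsa.key.hex())
    print("FMIP SPI", fsa.spi, "key", fsa.key.hex())
```

Because the HMIP and FMIP keys come from the same MSK, a re-authentication that replaces the MSK must refresh both SAs; the SPI increment is what lets the MAP or AR tell a refreshed SA from a stale one.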