This draft proposes a protocol for establishing shared handover keys between a mobile node (MN) and access routers (ARs) using AAA servers. The protocol covers handover key derivation, message authentication code (MAC) validation at the AAA server, and care-of address validation at the AR, following the MIP-AAA model. The slides outline salient points, protocol changes since the previous version, and open to-dos for further development.
Handover Keys using AAA (draft-vidya-mipshop-fast-handover-aaa-01.txt)
Vidya Narayanan, Narayanan Venkitaraman, Hannes Tschofenig, Gerardo Giaretta, Julien Bournelle
Example Topology
(figure: access points AP1.1, AP1.2, AP2.1, AP2.2; access routers AR1, AR2; AAAH Server; the MN shown before and after handover)
Objective is to create a shared key between MN and AR using AAA
Protocol Overview
(sequence diagram between MN, AR1, AR2 and AAA Server)
MN: HMK Generated
AAA Server: HMK Generated
MN -> AR1: HKReq ([MN ID, Msg ID, Seq #, CoA], MN-AAA Auth Option)
AR1 -> AAA Server: RADIUS Access Request ([[MN ID, Msg ID, Seq #, CoA], MN-AAA MAC, NAS IP], AR-AAA MAC)
AAA Server: Validate MAC; Generate HK1
AAA Server -> AR1: RADIUS Access Accept ([Nonce, Lifetime] MN-AAA Auth Option, [HK1], ARn-AAA Key)
AR1: Decrypt HK1
AR1 -> MN: HKResp ([Nonce, Lifetime] MN-AAA Auth Option)
MN: Generate HK1
MN Handoff To AR2
MN -> AR2: FNA([FBU], HK1)
AR2 -> AR1: [FBU], HK1
AR1: Validate FBU
AR1 -> AR2: FBAck
AR2 -> MN: FBAck
Protocol Overview – Salient Points
• Handover Master Key (HMK) shared between MN and AAAH
  • May be derived using EAP AMSK at time of power-up or first network access
    • HMK derived at the MN and AAA (EAP) Server
    • Not transported anywhere else
  • May be a pre-shared key between MN and AAAH
• Handover Key (HK) Derivation
  • HK = HMAC-SHA1(HMK, AR ID | MN ID | AAA-MN Nonce, “Handover Key”)
  • HK derived with each AR
  • AR verifies MN CoA and binds it to the HK
  • HK may be derived indirectly with another AR through current AR
    • May be needed to derive a new key with a given AR after lifetime expires
    • E.g. pre-authentication before handoff
  • Lifetime value provided by AAA server; enforced by AR and MN
• MN verifies HK with AR after handoff if pre-authentication was used
  • Used to bind HK to CoA of MN and to verify key is valid at AR
• The protocol is similar to the MIP-AAA model
Additions/Changes since last version
• Moved from UDP-based to Mobility Header type
  • HKReq and HKResp are now new MH types
  • Allows re-use of many already defined mobility options
  • Follows the model of FMIP control messages
• Address Validation/Binding
  • Added details on CoA validation
  • Highlights of the procedure
    • AR performs NDP upon receiving HKReq with a non-NULL CoA
    • Message ID from HKReq added in the NS from AR as an option
    • MN that sent HKReq MUST NOT respond with NA
    • Address validated if no other response is received for the NS
  • Procedure similar to AR performing PND upon receiving HI or FNA
  • The AR *may* use other available means of address validation (as it may do so for the HI/FNA processing)
To-Dos
• Derivation of Handover Master Key using EAP Key Hierarchy
  • Targeting separate I-D on the topic (use Appendix A in draft as basis)
  • Need EAP WG to solidify AMSK definition
• RADIUS Attributes Definition
  • Targeting separate I-D on the topic (use Appendix B in draft as basis)
• Diameter AVPs/Application Definition
  • Need to investigate possible re-use of NASREQ application
  • Targeting separate I-D on the topic (use Appendix C in draft as basis)
MN-AR Authentication Option (draft-narayanan-mn-ar-auth-option-00)
• Defines a new Mobility Sub-option for carrying MN-AR Authentication Data
• Based on the “Authentication Protocol for MIP6”
• Protocol Gist:
  • Authentication Data = First (96, HMAC_SHA1(MN-AR Shared key, Mobility Data))
  • Mobility Data = care-of address | home address | MH Data
• Used in draft-vidya-handover-keys-aaa-01 to include MN-AR Auth Data in HKReq/HKResp
• Also suitable for carrying MN-AR Auth Data in FBU/FBAck in FMIPv6
• Concerns on the dependency on information document
  • Raised on ML
  • Technically, the re-use makes sense
  • Integrate into 4068bis?
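The following is an added example (not code from the draft or its authors) that works through the HK derivation from the "Salient Points" slide and the MN-AR Authentication Data computation from this slide, plus the AR-side checks the slides describe: the HK is bound to the MN's CoA and to a lifetime, and an FBU protected with the HK is accepted only if its MAC verifies, the CoA matches the bound one, and the lifetime has not expired. The HMK, identifiers, nonce, addresses and MH payload are constructed sample values. One assumption is made explicit in the code: the slide writes the "Handover Key" label as a separate argument of the HMAC, and the example folds it into the HMAC input after the nonce; any real implementation must follow the draft's exact encoding.

```python
"""Constructed example: handover-key derivation (HK) and the MN-AR
authentication option as described on the slides.  All keys, identifiers,
nonces, addresses and payloads are made-up sample values."""
import hashlib
import hmac
import ipaddress

HK_LABEL = b"Handover Key"   # label from the slide's HK formula
AUTH_DATA_LEN = 12           # First(96 bits, ...) = 12 bytes
SHA1_LEN = 20


def derive_hk(hmk: bytes, ar_id: bytes, mn_id: bytes, nonce: bytes) -> bytes:
    """HK = HMAC-SHA1(HMK, AR ID | MN ID | AAA-MN Nonce, "Handover Key").

    Assumption of this example: the label is concatenated after the nonce as
    the last field of the HMAC input."""
    return hmac.new(hmk, ar_id + mn_id + nonce + HK_LABEL, hashlib.sha1).digest()


def mobility_data(coa: str, hoa: str, mh_data: bytes) -> bytes:
    """Mobility Data = care-of address | home address | MH Data (IPv6, 16 bytes each)."""
    return (ipaddress.IPv6Address(coa).packed
            + ipaddress.IPv6Address(hoa).packed
            + mh_data)


def mn_ar_auth_data(hk: bytes, coa: str, hoa: str, mh_data: bytes) -> bytes:
    """Authentication Data = First(96, HMAC_SHA1(MN-AR shared key, Mobility Data))."""
    mac = hmac.new(hk, mobility_data(coa, hoa, mh_data), hashlib.sha1).digest()
    return mac[:AUTH_DATA_LEN]


class ARKeyTable:
    """AR-side state: each HK is bound to the MN's validated CoA and a lifetime."""

    def __init__(self):
        self._entries = {}

    def install(self, mn_id: bytes, hk: bytes, coa: str, expires_at: int):
        self._entries[mn_id] = (hk, coa, expires_at)

    def verify(self, mn_id: bytes, coa: str, hoa: str, mh_data: bytes,
               auth_data: bytes, now: int) -> bool:
        """Accept an MH message (e.g. an FBU) only if the key is live, the CoA is
        the bound one, and the MN-AR Authentication Data verifies."""
        entry = self._entries.get(mn_id)
        if entry is None:
            return False
        hk, bound_coa, expires_at = entry
        if now >= expires_at or coa != bound_coa:     # lifetime and CoA binding
            return False
        expected = mn_ar_auth_data(hk, coa, hoa, mh_data)
        return hmac.compare_digest(expected, auth_data)  # constant-time compare


def run_scenario() -> dict:
    """MN and AAA derive HK1 for AR1 independently; AR1 then checks an FBU."""
    hmk = bytes.fromhex("0f" * SHA1_LEN)            # constructed HMK (MN <-> AAAH)
    mn_id = b"mn@example.com"                        # constructed MN ID
    nonce = bytes.fromhex("a1b2c3d4e5f60718")        # constructed AAA-MN nonce
    ar1, ar2 = b"ar1.example.com", b"ar2.example.com"
    coa, hoa = "2001:db8:1::10", "2001:db8:ffff::10"
    fbu = b"FBU-payload"                             # constructed MH data
    lifetime = 300                                   # seconds, set by the AAA server

    hk1_aaa = derive_hk(hmk, ar1, mn_id, nonce)      # AAA side (sent to AR1 encrypted)
    hk1_mn = derive_hk(hmk, ar1, mn_id, nonce)       # MN side, after HKResp
    hk2 = derive_hk(hmk, ar2, mn_id, nonce)          # a different AR gives a different HK

    table = ARKeyTable()
    table.install(mn_id, hk1_aaa, coa, expires_at=1000 + lifetime)

    auth = mn_ar_auth_data(hk1_mn, coa, hoa, fbu)    # MN protects its FBU with HK1
    return {
        "hk_matches": hk1_aaa == hk1_mn,
        "hk_per_ar": hk1_aaa != hk2,
        "fbu_ok": table.verify(mn_id, coa, hoa, fbu, auth, now=1100),
        "tampered_coa": table.verify(mn_id, "2001:db8:1::99", hoa, fbu, auth, now=1100),
        "tampered_payload": table.verify(mn_id, coa, hoa, b"FBU-forged", auth, now=1100),
        "expired": table.verify(mn_id, coa, hoa, fbu, auth, now=1000 + lifetime),
        "wrong_key": table.verify(mn_id, coa, hoa, fbu,
                                  mn_ar_auth_data(hk2, coa, hoa, fbu), now=1100),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

Only the first three results come out true: the two ends agree on HK1, the key for AR2 differs, and the genuine FBU verifies. A changed CoA, a changed payload, an expired lifetime, or a MAC computed under another AR's key are all rejected, which is the property the slides rely on when the AR binds the HK to the validated CoA and enforces the AAA-provided lifetime.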
Accept as WG item?
QUESTIONS?