AAA based Keying for Wireless Handovers: Problem Statement - - PowerPoint PPT Presentation

aaa based keying for wireless handovers problem statement
SMART_READER_LITE
LIVE PREVIEW

AAA based Keying for Wireless Handovers: Problem Statement - - PowerPoint PPT Presentation

Dec 23, 2022 117 likes •296 views

AAA based Keying for Wireless Handovers: Problem Statement draft-nakhjiri-aaa-hokey-ps-03 Madjid Nakhjiri (Huawei USA/Motorola Labs) Mohan Parthasarathy (Nokia) Julien Bournelle (GET/INT/FT) Hannes Tschofenig (Siemens) R. Marin Lopez (TARI)

slide-1
SLIDE 1

Nov 2006 1

AAA based Keying for Wireless Handovers: Problem Statement

draft-nakhjiri-aaa-hokey-ps-03

Madjid Nakhjiri (Huawei USA/Motorola Labs) Mohan Parthasarathy (Nokia) Julien Bournelle (GET/INT/FT) Hannes Tschofenig (Siemens)

  • R. Marin Lopez (TARI)

IETF 67 San Diego

slide-2
SLIDE 2

Nov 2006 2

Slide from IETF 65: EAP Keying for fixed peers

Generation of MSK, EMSK,

EAP complete peer

Authenticator

EAP/AAA server

Generation of TSKs

Security Association Protocol (TSKs)

Generation of MSK, EMSK,

EAP over AAA

EAP-XXX Method Authentication

MSK transport

EAP over L2

Transported MSK Generation

  • f TSKs

Use TSKs for link security

Holds Peer credential

EAP complete

slide-3
SLIDE 3

Nov 2006 3

  • Secure Access link: MN-AN SA
  • Access link Handover: create MN-AN2 SA
  • If Authenticator=AN:

– MSK goes to AN1 – MN-AN2 SA: requires new MSK at AN2?

  • Run EAP again?? Handover performance suffers
  • Don’t send MSK to Authenticator,
  • Extend key hierarchy, create a per-authenticator key derived

from previous EAP

Old Access link (Old SA) New link (new SA)

EAP/AAA server

MSK1 MSK2 Auth-1/AN1 Auth2/AN2 MN

Mobility

slide-4
SLIDE 4

Nov 2006 4

Access link established MSK Auth MN

Session Longevity

EAP/AAA server

  • Secure session established: previous lengthy EAP-XXX
  • Session and keys about to expire
  • Run EAP-XXX again?
  • No, perform a “fast re-authentication”

– Use state/keys from previous EAP – Design specific signaling for re-authentication

slide-5
SLIDE 5

Nov 2006 5

Network Management scalability Wireless Access Network Architecture/CAPWAP

MN Access Gateway

AAA server

Access Node Access link Access Gateway

  • Access Nodes (WiMAX: BS, CAPWAP/802.11: WTP/AP)

– providing access links (wireless termination) – Lightweight/ less security-AAA functions/ less need for upgrades

  • Access Gateways (WiMAX: ASN-GW, CAPWAP AC)

– Management functions, backend communications – More trusted, AAA server interaction – Manages mobility across ANs (handovers) without interaction with AAA server – Typically manages one access technology.

slide-6
SLIDE 6

Nov 2006 6

EAP authenticator split to Manage scalability and AN-handover performance

MN Authenticator

  • EAP. AAA

server ANs MSK TSK PMK

  • Splitting the EAP authenticator into 2 solves the intra-authenticator handover

performance problem (SDOs)

  • 1. ASN_GW, R0KH, AC:

– holds key from AAA server, creates per AN keys:

  • 2. AN, WTP, Auth port

– receives Per AN keys, creates SA with peer (MN)

  • It does not solve Inter-authenticator problem
  • Authenticator a logical function, AN/AG physical entities (channel binding)
  • Solutions varies between SDOs: media-independent handover difficult

AG AG

slide-7
SLIDE 7

Nov 2006 7

Goals and Requirements

Prevention of domino effect, Key scope Authentication Of All parties Channel binding Fresh keys, key life times Delay performance Media Independence

Security Requirements

Mobility (handovers) Session longevity (re-auth) Network Mgmt Scalability

Design Goals Mobility Requirements Tools/ideas

Reduce AAA roundtrips EAP based Key Hierarchy Key distribution Protocol design Key Mgmt specifications Consistent terminology

slide-8
SLIDE 8

Nov 2006 8

Problem statement/ To Dos

  • Create consistent terminology
  • Specify security, mobility, management goals
  • Decide levels of key hierarchy

– Map hierarchy levels to key holders – Define key derivation function and parameters – Define messaging to exchange the parameters – Define key management rules

  • How far down the key hierarchy can IETF go?
  • Do the needed protocols exist?
slide-9
SLIDE 9

Nov 2006 9

New Terminology/ Concepts

  • Handover Root Key (HRK)

– Used as the root of key hierarchy for handover (and re-auth) – AAA server is HRK holder – HRK is used to create per-ADC keys (ADMSKs)

  • Access Domain Controller (ADC)

– Top level key holder in an access domain (holds ADMSK) – Responsible for keying needs within an Access Domain (reduce the need to AAA interactions). – 802.11r calls this Mobility domain controller (MDC):

  • MDC or ADC?
slide-10
SLIDE 10

Nov 2006 10

Access Domain controllers

MN Access domain 2

  • EAP. AAA

server ANs ADMSK1 TSK

  • ADC is a key holder and a AAA client

– It can be the authenticator, but does not have to be – ADC is a AAA client (it receives ADMSK from AAA server) – Both authenticator-split and flat architectures can be supported. – ADC provisions the access domain ANs with keys – Access domain can be mapped to an access technology region, if needed

ADC ADC HRK ADMSK2 Access domain 1

slide-11
SLIDE 11

Nov 2006 11

Tough problems

  • Terminology, Terminology, terminology
  • What key to use to derive handover root key?

– MSK or as USRK from EMSK? (created at EAP server?)

  • Compatibility with other SDOs? Backward compatibility?
  • Architecture:

– ADC part of the authenticator? Positioning ADC vs Authenticator? – Access technology mapping – To accomodate physically separate ADC and AN?

  • Channel binding/ key derivation parameters/ Messaging

– ADC and AN collocated (EAP keying) or not (SDO)

  • Messaging

– Exchange parameters for key derivation (e.g. ADC-ID)

  • Channel binding

– EAP keying item: ADC and AN are both part of Authenticator – Handover keying with deeper hierarchy?

slide-12
SLIDE 12

Nov 2006 12

Problem: IETF scope? LSAP-MK should be defined in Info RFCs, IMHO

  • Intra ADC handover: Key management and key derivation inside same

ADC (Is this within IETF scope? Info RFCs?)

  • Inter ADC handover: Key Management and key derivation through

different ADCs but same AAA, without running EAP again.

MN ADMSK-1 AAA server

AN3

HRK

LSAP

LSAP-MK2

ADC1 ADMSK-2 ADC2

LSAP-MK1

AN1 AN2

LSAP-MK3

AD1 AD2 Inter-ADC HO Intra-ADC HO

slide-13
SLIDE 13

Nov 2006 13

Positioning of EAP authenticator wrt ADC (alternative 1)

AAA server ADC1/ Key Holder 1 AN2

MN

AD1 AD2

AN3 AN1: port1 Authenticator EAP signaling Non-EAP signaling Channel binding issues ADMSK1 LSAP-MK LSK ADC2

slide-14
SLIDE 14

Nov 2006 14

Positioning of EAP authenticator wrt ADC (alternative 1)

AAA server AN2

MN

AD1 AD2

AN3 AN1 Authenticator EAP signaling LSK ADC2 ADMSK1 LSAP-MK ADC1/ Key Holder 1

slide-15
SLIDE 15

Nov 2006 15

Backup:Related charter deliverables

  • Re-authentication (including handover) and key

management problem statement

– Security and performance goals.

  • Choice of MSK or EMSK in HRK (not a

deliverable, but important)

  • Handover Root Key (HRK) and key hierarchy

derivation and management specification

  • Handover/re-authentication protocol specification
  • Key distribution protocol specifications
slide-16
SLIDE 16

Nov 2006 16

Backup: Why ADC instead of Authenticator

  • Allows for easier management of heterogeneous roaming/

handovers (e.g. per-domain technology)

– Combine key mgmt with mobility mgmt

  • Handover root key transport/caching behavior

– HRK (e.g. MSK) is kept at AAA server, not sent to authenticator – A per ADC master keys (ADMSK) are sent to ADC

  • Separation of EAP auth. and handover keying signaling

– Key mgmt and mobility mgmt can be inside an ADC, independent

  • f entity that acts as pass-thru Auth,

– Pass-thru auth either in AN or ADC

  • More crisp key usage guidelines

– Authenticator master key<->Authenticator port master key? – Use ADC master key (ADMSK) and AN master key (LSAP_MK) instead