One document matched: draft-yegin-fmip-sa-00.txt
MIPSHOP Working Group A. Yegin
Internet-Draft Samsung
Expires: October 2, 2007 K. Chowdhury
Starent Networks
March 31, 2007
FMIPv6 Security Association
draft-yegin-fmip-sa-00
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on October 2, 2007.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document describes a mechanism to dynamically generate a
security association between the mobile node and the FMIPv6 access
router to secure the FMIPv6 protocol messages. The mechanism relies
on generating a local security association based on the network
access authentication.
Yegin & Chowdhury Expires October 2, 2007 [Page 1]
Internet-Draft FMIPv6 Security Association March 2007
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. FMIPv6 Security Association . . . . . . . . . . . . . . . . . 4
2.1 Key Derivation . . . . . . . . . . . . . . . . . . . . . . 4
2.2 Key Distribution . . . . . . . . . . . . . . . . . . . . . 4
3. Using the SA . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Support for non-EAP-based Architectures . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
7. Normative References . . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 8
Intellectual Property and Copyright Statements . . . . . . . . 9
Yegin & Chowdhury Expires October 2, 2007 [Page 2]
Internet-Draft FMIPv6 Security Association March 2007
1. Introduction
The current Fast Handovers for Mobile IPv6 (FMIPv6) protocol
[RFC4068] lacks a mechanism to secure the signaling between the
mobile node (MN) and the access router (AR). At the core of this
problem is the absence of a security association (SA) between the two
nodes. When the SA is present, it can be used with Binding
Authorization Data for FMIPv6 (BADF) option to provide authentication
and integrity protection for the protocol messages.
EAP [RFC3748] is used in various mobile and wireless network
architectures (e.g., WiFi, WiMAX, cdma2K). One important feature of
EAP is its ability to dynamically generate a secret key shared by the
EAP peer running on the MN and the authenticator running on the
network access server (NAS). This shared secret key (MSK -- master
session key [RFC3748]) can be utilized to derive another secret key
(FMIP-key) to be shared by the MN and the AR in the access network.
This document describes how FMIP-key can be derived and used to
secure FMIPv6 protocol messages.
Yegin & Chowdhury Expires October 2, 2007 [Page 3]
Internet-Draft FMIPv6 Security Association March 2007
2. FMIPv6 Security Association
FMIPv6 security association (FMIP-SA) includes four parameters: The
peer identifier (FMIP-PID), the shared secret key (FMIP-key), the SPI
(FMIP-SPI), and the SA lifetime (FMIP-lifetime).
FMIP-PID of the MN is the Identity used during the EAP
authentication. FMIP-PID of the AR is the IP address of the AR.
FMIP-key is generated according to the following subsections.
FMIP-SPI value MUST be set to 1 upon initial EAP authentication with
the authenticator, increased by 1 for each subsequent EAP re-
authentication with the same authenticator, and set back to 1 after
wrapping around.
FMIP-lifetime is set to the lifetime of the MSK.
2.1 Key Derivation
The following formula is used to generate FMIP-key.
FMIP-key = HMAC-SHA1(MSK, "FMIPv6 key derivation" | MN-ID | AR-
IPaddr)
MSK is the secret key generated by the EAP method execution and
shared by the MN and the NAS [RFC3748].
MN-ID is the Indetity presented by the MN during the EAP
authentication.
AR-IPaddr is the IP address of the AR used for FMIPv6 protocol
messaging.
2.2 Key Distribution
Since the EAP peer and FMIPv6 mobile node implementations reside on
the same MN, derivation and delivery of the FMIP-SA is internal to
that node. There is no additional protocol needed to carry the SA
parameters.
In typical architectures and deployments, the AR and the NAS are co-
located. In case they are not, there needs to be a protocol to carry
the SA parameters from the NAS to the AR. The choice and details of
that protocol are architecture-specific and therefore outside the
scope of this document.
Yegin & Chowdhury Expires October 2, 2007 [Page 4]
Internet-Draft FMIPv6 Security Association March 2007
3. Using the SA
The dynamically generated SA can be directly used with Binding
Authorization Data for FMIPv6 (BADF) option.
Yegin & Chowdhury Expires October 2, 2007 [Page 5]
Internet-Draft FMIPv6 Security Association March 2007
4. Support for non-EAP-based Architectures
The same mechanism can be used with any architecture as long as there
is an equivalent of MSK shared between the MN and the NAS. Since
such a key would be architecture specific, it is hard to define it in
a generic but interoperable way in this document.[TBD: Give an
example from 3GPP.]
Yegin & Chowdhury Expires October 2, 2007 [Page 6]
Internet-Draft FMIPv6 Security Association March 2007
5. Security Considerations
TBD.
Yegin & Chowdhury Expires October 2, 2007 [Page 7]
Internet-Draft FMIPv6 Security Association March 2007
6. IANA Considerations
This document has no actions for IANA.
7. Normative References
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, "Extensible Authentication Protocol (EAP)",
RFC 3748, June 2004.
[RFC4068] Koodli, R., "Fast Handovers for Mobile IPv6", RFC 4068,
July 2005.
Authors' Addresses
Alper E. Yegin
Samsung
Phone:
Email: alper01.yegin@partner.samsung.com
Kuntal Chowdhury
Starent Networks
Phone:
Email: kchowdhury@starentnetworks.com
Yegin & Chowdhury Expires October 2, 2007 [Page 8]
Internet-Draft FMIPv6 Security Association March 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Yegin & Chowdhury Expires October 2, 2007 [Page 9]
| PAFTECH AB 2003-2026 | 2026-04-22 23:06:51 |