IEEE 802.21 MEDIA INDEPENDENT HANDOVER
DCN: 21-08-0080-02-0sec-security-signaling-during-handoverstutorial
Title: Media-Independent Handover Security Tutorial
Date Submitted: March 18, 2008
Presented at IEEE 802.21 session #25 in Orlando
Authors or Source(s):
Yoshihiro Ohba (Toshiba), Marc Meylemans (Intel), Subir Das
(Telcordia Technologies)
Abstract: This document provides a tutorial on Media-Independent
Handover Security
21-08-0080-02-0sec 1
This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE's name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE's sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21.
The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual <http://standards.ieee.org/guides/opman/sect6.html#6.3> and in Understanding Patent Issues During IEEE Standards Development <http://standards.ieee.org/board/pat/faq.pdf>.
• Overview of IEEE 802.21
• Network Access Security Model
• Intra-technology Handovers
  • Overview of existing link-layer security signaling optimizations
• Inter-technology Handovers
  • Overview of potential approaches
• Proposed Directions
http://www.ieee802.org/21/Tutorials/802%2021-IEEE-Tutorial.ppt
• (e.g., 802.3 <> 802.11 <> 802.16 <> Cellular)
• L2 Triggers and Measurement Reports
  • 802.11, 802.16 radios
  • Enables Network Initiated Handovers
• Information Service
  • Optimum Network Discovery and Selection
  • Lower Power operation for Multi-Radio devices
• Handover Messages
  • Between Mobile Node (MN) <> Point of Service (PoS) (e.g., BS/AP)
  • Between PoS1 <> PoS2 (Resource Query, HO Indication)
• Further Information is available at www.ieee802.org/21
Figure: 802.21 MIH Function overview. Above the MIH Function sit Connection Management, Handover Policy, State Change, Predictive and Network Initiated Handover Management and the Mobility Management Protocols; the MIH Function provides Smart Triggers (L2 Triggers and Events), Handover Messages and Information Service messages; below it are the Protocol and Device Hardware of WLAN, Cellular and WMAN, across which Client Initiated and Network Initiated Vertical Handovers take place; Network Information covers Available Networks, Neighbor Maps and Network Services.
Figure: MIH reference model. MIH Users (a Layer 3 or higher-layer mobility protocol) use the MIH Services (ES, CS, IS) of the local Media-Independent Handover Function (MIHF); the MIHF talks to a remote MIHF over the MIH Protocol, whose transport is Layer 2 or Layer 3; the MIHF reaches the link layer (IEEE 802.3, IEEE 802.11, IEEE 802.16) through the LLC_SAP. The SAPs are defined in the IEEE 802.21 specification.
Challenge / Motivation
• Efficient Network Discovery and Selection: Inter-Network Neighbor Advertisements reduce power consumption in scanning. The 802.11 module will only turn on if 802.11 coverage is available.
• Low Latency Handovers: Requires inter-RAT interface. Speeds up handoff procedure (passing security keys, resource reservation).
• Service Provider's Control in Target Network Selection: Enables service providers to enforce handoff policies and decisions. Requires inter-RAT measurement reporting.
• Service Continuity: Eliminate L3 mobility signaling in inter-RAT mobility by keeping L3 anchor in the previous RAT access gateway. Requires inter-RAT interface.
Target Preparation is the Key aspect of Optimized Handovers
1. Inter-RAT Neighbor Advertisements.
2. Inter-Access Gateway I/f: Pass network context from Source to Target for Optimized Handovers.
3. Network-initiated Handovers: Require Measurement Reports and H/O messages over Core Network and air-interface.
Figure: Mobile Station (MS) served by AG-RAT1 and AG-RAT2, both attached to a Common Core (HLR, HSS, HA, AAA) and an Information Server.
AG: Access Gateway
RAT: Radio Access Technology
HA: Home Agent
Figure: IEEE 802.21 timeline, 1H 2004 through 2009-2010 (* = projected timelines). Milestones: 802.21 WG Created; Call For Proposals; 14 Initial Proposals; Down selection, Initial 802.21 Draft Text; WG Letter Ballot; Initiate Amendments to 802.11u, 802.16g; IETF (MIPSHOP) on L3; Sponsor Ballot; 802.21 Spec Ratified*; 802.21 Deployment*. Two New Study Groups (July 2007): Security in Handovers, Multi-Radio Power Management.
Step 1: Network access authentication
Step 2: Secure association
Step 3: Access control and ciphering
Entities involved:
• MN: Mobile Node
• PoA: Point of Attachment (e.g., Access Point)
• AS: Authentication Server (e.g., AAA server)
Figure: MN, PoA and AS. Steps 1 (Network Access Authentication), 2 (Secure Association) and 3 (Access Control and Ciphering) run against the current PoA and are run again when the MN changes its PoA due to handover.
Network access security is all about how to bind the three steps together to provide appropriate security properties for network access with the use of security associations (SAs)
• SA_mp: An SA between MN and PoA
• SA_ma: An SA between MN and AS
• SA_pa: An SA between PoA and AS
• SA_pa is pre-established through AAA or other protocols
• SA_ma will be established through a mutually authenticated key establishment as an access authentication (in Step 1)
• SA_mp is dynamically established with creation of a Session Key
Figure: triangle of MN, PoA and AS with SA_mp on the MN-PoA edge, SA_ma on the MN-AS edge and SA_pa on the PoA-AS edge.
Figure: EAP exchange between MN*, PoA* and AS*:
  PoA → MN: EAP-Request
  MN → PoA: EAP-Response
  PoA → AS: AAA{EAP-Response}
  AS → PoA: AAA{EAP-Request}
  PoA → MN: EAP-Request
  …
  AS → PoA: AAA{EAP-Success, MSK}
  PoA → MN: EAP-Success
* Note: MN, PoA and AS are EAP peer, authenticator and server, respectively, and represent one deployment model.
• MN and AS conduct EAP to establish SA_mp
• EAP (Extensible Authentication Protocol) exports two keys:
  • MSK (Master Session Key), distributed from AS to PoA protected by SA_pa
  • EMSK (Extended Master Session Key), used for other purposes
• EAP is transported at the link layer as well as at higher layers
  • Link-layer EAP transport in IEEE 802: 802.1X, PKMv2
  • Higher-layer EAP transport: PANA (Protocol for carrying Authentication for Network Access), IKEv2 (Internet Key Exchange version 2), RADIUS/Diameter
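As an added illustration (not code from this tutorial, from IEEE 802.21 or from any EAP implementation), the following Python model runs the three steps of the network access security model end to end: an EAP-style mutual challenge-response between MN and AS over the long-term credential behind SA_ma, export of an MSK and an EMSK, delivery of the MSK to the PoA in an AAA message integrity-protected under SA_pa, a proof-of-possession handshake that creates SA_mp together with a ciphering key, and an access-control gate that passes data frames only afterwards. The key-derivation labels, message formats and class names are assumptions made for this example; a real EAP method and AAA transport define their own.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 key derivation / MIC; the labels are constructed here, not an EAP method's PRF
    return hmac.new(key, label + b"|".join(parts), hashlib.sha256).digest()


class AuthServer:
    """AS: knows the MN's long-term credential (basis of SA_ma) and the AAA key shared with the PoA (SA_pa)."""
    def __init__(self, mn_secret: bytes, sa_pa_key: bytes):
        self.mn_secret, self.sa_pa_key, self.as_nonce = mn_secret, sa_pa_key, os.urandom(16)

    def eap_request(self) -> bytes:
        return self.as_nonce  # EAP-Request carrying the server challenge

    def eap_response(self, mn_nonce: bytes, mn_proof: bytes):
        """Step 1, AS side: returns (proof for the MN, AAA{EAP-Success, MSK} for the PoA) or None."""
        if not hmac.compare_digest(mn_proof, prf(self.mn_secret, b"mn-auth", self.as_nonce, mn_nonce)):
            return None  # MN failed to prove its credential
        master = prf(self.mn_secret, b"master", self.as_nonce, mn_nonce)
        msk = prf(master, b"MSK")  # the EMSK (prf(master, b"EMSK")) is never sent to the PoA
        as_proof = prf(self.mn_secret, b"as-auth", mn_nonce, self.as_nonce)
        aaa_msg = {"msk": msk, "tag": prf(self.sa_pa_key, b"EAP-Success", msk)}  # protected by SA_pa
        return as_proof, aaa_msg


class MobileNode:
    def __init__(self, secret: bytes):
        self.secret, self.mn_nonce = secret, os.urandom(16)
        self.msk = self.emsk = self.tk = None

    def eap_answer(self, as_nonce: bytes):
        self.as_nonce = as_nonce
        return self.mn_nonce, prf(self.secret, b"mn-auth", as_nonce, self.mn_nonce)  # EAP-Response

    def eap_finish(self, as_proof: bytes) -> bool:
        # Mutual authentication: check the server's proof before deriving any key
        if not hmac.compare_digest(as_proof, prf(self.secret, b"as-auth", self.mn_nonce, self.as_nonce)):
            return False
        master = prf(self.secret, b"master", self.as_nonce, self.mn_nonce)
        self.msk, self.emsk = prf(master, b"MSK"), prf(master, b"EMSK")
        return True

    def sa_response(self, anonce: bytes):
        # Step 2-1, MN side: prove possession of the MSK-derived session key
        self.snonce = os.urandom(16)
        return self.snonce, prf(prf(self.msk, b"KCK"), b"MIC", anonce, self.snonce)

    def sa_finish(self, anonce: bytes, poa_mic: bytes) -> bool:
        if not hmac.compare_digest(poa_mic, prf(prf(self.msk, b"KCK"), b"MIC", self.snonce, anonce)):
            return False
        self.tk = prf(self.msk, b"TK", anonce, self.snonce)  # Step 2-2: ciphering key
        return True


class PointOfAttachment:
    def __init__(self, sa_pa_key: bytes):
        self.sa_pa_key, self.msk, self.tk, self.authorized = sa_pa_key, None, None, False

    def receive_aaa(self, aaa_msg: dict) -> bool:
        # Accept the MSK only if the AAA message verifies under SA_pa
        if not hmac.compare_digest(aaa_msg["tag"], prf(self.sa_pa_key, b"EAP-Success", aaa_msg["msk"])):
            return False
        self.msk = aaa_msg["msk"]
        return True

    def sa_start(self) -> bytes:
        self.anonce = os.urandom(16)
        return self.anonce

    def sa_verify(self, snonce: bytes, mn_mic: bytes):
        # Step 2-1/2-2, PoA side: verify the MN's proof, derive TK, open the port, answer with own proof
        kck = prf(self.msk, b"KCK")
        if not hmac.compare_digest(mn_mic, prf(kck, b"MIC", self.anonce, snonce)):
            return None
        self.tk, self.authorized = prf(self.msk, b"TK", self.anonce, snonce), True
        return prf(kck, b"MIC", snonce, self.anonce)

    def accept_frame(self, frame: bytes) -> bool:
        # Step 3: data frames pass only once the port is authorized and keyed
        return self.authorized and self.tk is not None


def run_network_access(mn_secret: bytes, as_secret: bytes, sa_pa_key: bytes) -> dict:
    """Drive Steps 1-3 for one attachment and report what each side ended up with."""
    mn, srv, poa = MobileNode(mn_secret), AuthServer(as_secret, sa_pa_key), PointOfAttachment(sa_pa_key)
    r = {"step1": False, "step2": False, "frame_before": poa.accept_frame(b"data"), "frame_after": False}
    mn_nonce, proof = mn.eap_answer(srv.eap_request())
    outcome = srv.eap_response(mn_nonce, proof)
    if outcome is None:
        return r
    as_proof, aaa_msg = outcome
    if not (poa.receive_aaa(aaa_msg) and mn.eap_finish(as_proof)):
        return r
    r["step1"], r["msk_match"], r["emsk_distinct"] = True, mn.msk == poa.msk, mn.emsk != mn.msk
    snonce, mn_mic = mn.sa_response(poa.sa_start())
    poa_mic = poa.sa_verify(snonce, mn_mic)
    if poa_mic is not None and mn.sa_finish(poa.anonce, poa_mic):
        r["step2"], r["frame_after"] = mn.tk == poa.tk, poa.accept_frame(b"data")
    return r
```

What is worth watching in a run is where each failure stops: a wrong credential ends Step 1 before any key exists, a tampered AAA message is refused by the PoA so no bogus MSK ever reaches the air interface, and the EMSK, although exported by EAP next to the MSK, never appears in the AAA message at all. Calling run_network_access(secret, secret, aaa_key) with matching credentials yields step1, step2 and frame_after all true and frame_before false.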
• A link-layer specific procedure to attach to a PoA in a secure manner
  • Step 2-1: Provide and verify proof of each other's possession of the session key corresponding to SA_mp
  • Step 2-2: Create access control filters and ciphering keys
• The ciphering keys are used in Access Control and Ciphering (Step 3)
• Access control ensures that link-layer data frames are exchanged between MN and PoA only after a successful run of Network Access Authentication and Secure Association
• Link-layer data frames are cryptographically protected with the ciphering keys, in a manner that depends on the underlying link-layer technology
• Approximately 90% of the latency originates from the EAP signaling during network access authentication (full authentication)
• EAP authentication takes on average 100s of ms, while the layer 2 key management (4-way handshake (HS) in 802.11 and 3-way handshake in 802.16) takes on average less than 10 ms
Figure: authentication signaling between MN, AP/BS and AAA server for 802.11 and 802.16 (MN: Mobile Node, AP: Access Point, BS: Base Station, AAA: AAA server).
• Several handover solutions available today are centered around intra-technology handovers (AP to AP, BS to BS and typically within the same AAA domain)
• IEEE 802.11 solutions:
  • Pre-authentication (as defined in 802.11i)
  • Fast BSS Transition (under Sponsor Ballot in TGr)
• IEEE 802.16 solution:
  • Handover Process Optimization (as defined in 802.16e)
• IEEE 802.1 solution:
  • Roaming (reconnect) solution (under Letter Ballot in 802.1af)
• The main goal of the above solutions is to decrease the time it takes to do an EAP-based network access authentication
• STA associated to AP1, after full 802.11i authentication
• Data traffic flows via AP1
• STA selects AP2 as target, and initiates pre-authentication for AP2
• EAP authentication is sent via AP1
• AP2 receives MSK from EAP server
• STA derives MSK for AP2
• STA performs 802.11i 4-Way Handshake with AP2, using MSK(STA, AP2)
• Data traffic flows via AP2
• Transition complete
Conceptual Flow figure: 802.11 access network with AP1 and AP2 reachable from an AAA server over the Internet; after the transition STA and AP2 each hold MSK and PTK.
• STA associated to AP1
• Data traffic flows via AP1
• STA moves and selects AP2 as target
• 802.11r Auth Request
• Request PMK-R1_AP2
• Derive PMK-R1_AP2 from R0KH for AP2
• Response w/ PMK-R1_AP2
• 802.11r Auth Response to AP2
• AP2 & STA derive PTK
• 802.11r Reassociation Request and Response
• Data traffic flows via AP2
• Transition complete
Conceptual Flow figure: 802.11 mobility domain with AP1 and AP2 reachable from an AAA server over the Internet; the key hierarchy PMK-R0 → PMK-R1_AP2 → PTK is held on the STA side, and AP2 holds PMK-R1_AP2 and PTK.
• MS connected with BS1, data traffic flows
• MS sends HO request (HO optimization bits set, preferred BSs) to BS1
• BS1 forwards HO request to BS2
• BS2 sends HO response back to BS1
• BS1 sends HO response back to MS
• MS sends HO indication with BS2 as target
• BS1 forwards MS info and connection context to BS2 (handover TEKs, associated counters, negotiated capabilities, CID update, …)
• MS ranges and attaches with BS2
• Data traffic flows via BS2
Conceptual Flow figure: 802.16 access network with BS1 (holding AK1) and BS2 (holding AK2) behind a core network with an AAA server and Internet access; MS moves from BS1 to BS2.
• IEEE P802.1af, a new revision of 802.1X for port-based access control, provides:
  • Network access authentication, secure association and access control for LAN/MAN
  • Network discovery
  • Caching of a session key that was established between a host and a network access point, so it can be reused when reconnecting to any network access point within the same administrative domain
• IEEE 802.1AE (MAC Security)
  • Provides ciphering for LAN/MAN
• Dual radio handover: The MN has two radios, and both radios are transmitting at the same time during handovers. Target preparation is done via the target radio.
  • Allows a 'make-before-break' handover at L1/L2, and as such service disruption can be avoided.
• Single radio handover: The MN has two radios, but only one radio is transmitting at a time due to co-existence, interference or battery issues. Target preparation is done using the source radio.
  • Limited to 'break-before-make' handover at L1/L2, and as such service disruption cannot be avoided without additional optimization.
• MN connected with Radio 1 to AN1, and an application session is active
• MN moves, Radio 2 on
• MN decides to perform HO to AN2
• MN authenticates with AN2 using Radio 2
• Subsequent HO procedures follow
  • Including IP mobility signaling and resource reservation and so on
• Application session continuity is maintained on AN2
• Radio 1 off or idle
Conceptual Flow figure: Access Network 1 and Access Network 2 attached to a core network with an AAA server; the MN reaches AN2 over Radio 2 while Radio 1 is still attached to AN1.
• MN connected with Radio 1 to AN1, and an application session is active
• MN moves and decides to perform HO to AN2
• MN authenticates with AN2 via AN1
• Subsequent HO procedures follow
  • Including IP mobility signaling and resource reservation and so on
• Radio 1 off/idle
• Radio 2 active
• MN attaches to AN2
• Application session continuity is maintained on AN2
Conceptual Flow figure: Access Network 1 and Access Network 2 attached to a core network with an AAA server; authentication with AN2 is carried through AN1 before the radio switch.
• Security-related signaling can increase the latency significantly in single-radio handovers, and in many cases service continuity cannot be met
  • Handover techniques that assume concurrent radio usage cannot be used
• Even for dual-radio devices it may make sense to reduce the security-related signaling, since this decreases the time that both radios need to be active and thus can increase battery life
• In addition, handovers between networks within the same AAA domain and between networks in different AAA domains pose different challenges
• Establish a key hierarchy through full authentication upon entry into the AAA domain
• The key hierarchy may span multiple link-layer technologies
• Network access authentication is based on exchanging proof of possession of the root key between MN and the root key holder through the PoA
Figure: key hierarchy with a Root Key at the top and a Session Key for PoA_1, a Session Key for PoA_2, …, a Session Key for PoA_N derived beneath it.
• ERP (EAP Extensions for EAP Re-authentication Protocol) is defined in the IETF for key hierarchy-based transition
• The server for ERP can be in a visited domain
• ERP requires one AAA message roundtrip
Figure: AAA domain X with a Re-authentication Server (AAA server/proxy); ERP signaling runs between the MN and the re-authentication server through the PoA.
• In this approach, ERP is performed proactively (proactive re-authentication)
• No AAA roundtrip after switching to the target PoA
Figure: AAA domain X with a Re-authentication Server (AAA server/proxy); proactive re-authentication is completed before the switch, leaving only the Secure Association with the target PoA.
• Since the networks are in different AAA domains, in general full authentication cannot be avoided
  • There is no reason for the new domain to "trust" keys from the old domain, and no reason for the mobile device to "trust" the new domain with keys it used with its old domain
  • Roaming agreements (SLAs) may exist between the two networks, but the home operator might still require the user to authenticate with the home network (AAA) for security or policy reasons
• A pre-authentication solution is needed that works across multiple AAA domains
Figure: AAA domain X and AAA domain Y with an EAP server; EAP (RFC 3748) signaling to the EAP server is followed by Secure Association with the target PoA.
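The key hierarchy of the preceding slides, ERP's single AAA roundtrip, proactive re-authentication and the cross-domain case can all be exercised against one small Python model. It is an added example written for this tutorial's text, not ERP (RFC 5296) code or anything from IEEE 802.21: the root key holder object, the "pop" and "session" derivation labels and the domain names are assumptions made here, and ERP's own key names and message formats are those of the RFC. After one full authentication with the home domain's holder, each move to a new PoA costs exactly one roundtrip to that holder, carrying a proof of root-key possession bound to the target PoA; a holder in another domain has no root key for the MN and cannot do the transition at all.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes, *context: bytes) -> bytes:
    # HMAC-SHA256 key derivation; the labels are constructed for this example
    return hmac.new(key, label + b"|".join(context), hashlib.sha256).digest()


class RootKeyHolder:
    """Per-AAA-domain holder of root keys (the role of a re-authentication server)."""
    def __init__(self, domain: str):
        self.domain, self.root_keys, self.aaa_roundtrips = domain, {}, 0  # root_keys: mn_id -> root key

    def full_authentication(self, mn_id: bytes) -> bytes:
        # Stand-in for a full EAP run on entry into the domain; establishes the root key
        self.root_keys[mn_id] = os.urandom(32)
        return self.root_keys[mn_id]

    def reauth(self, mn_id: bytes, poa_id: bytes, nonce: bytes, proof: bytes):
        """One AAA roundtrip, relayed by the PoA: verify the MN's proof of root-key
        possession and return the session key for that PoA, or None."""
        self.aaa_roundtrips += 1
        root = self.root_keys.get(mn_id)
        if root is None:  # MN unknown in this domain: no hierarchy to transition within
            return None
        if not hmac.compare_digest(proof, kdf(root, b"pop", poa_id, nonce)):
            return None
        return kdf(root, b"session", poa_id)


class MobileNode:
    def __init__(self, mn_id: bytes, home: RootKeyHolder):
        self.mn_id, self.root_key = mn_id, home.full_authentication(mn_id)

    def reauth_message(self, poa_id: bytes):
        # Proof of root-key possession bound to the target PoA and a fresh nonce
        nonce = os.urandom(16)
        return nonce, kdf(self.root_key, b"pop", poa_id, nonce)

    def session_key(self, poa_id: bytes) -> bytes:
        return kdf(self.root_key, b"session", poa_id)


def handover(mn: MobileNode, poa_id: bytes, holder: RootKeyHolder) -> bool:
    """MN attaches to poa_id in the domain served by holder; True if both sides hold the same session key."""
    nonce, proof = mn.reauth_message(poa_id)
    poa_key = holder.reauth(mn.mn_id, poa_id, nonce, proof)  # PoA -> holder -> PoA
    return poa_key is not None and hmac.compare_digest(poa_key, mn.session_key(poa_id))


def proactive_handover(mn: MobileNode, target_poa: bytes, holder: RootKeyHolder):
    """Proactive re-authentication: spend the roundtrip while still attached to the current PoA.
    Returns (target session key in place, roundtrips used); the switch itself then needs none."""
    before = holder.aaa_roundtrips
    ready = handover(mn, target_poa, holder)  # relayed through the current PoA, before the switch
    return ready, holder.aaa_roundtrips - before


def compromised_poa_cannot_impersonate(mn: MobileNode, leaked_poa: bytes, target_poa: bytes,
                                       holder: RootKeyHolder) -> bool:
    """A PoA that learned only its own session key cannot pass the root-key proof at another PoA."""
    leaked = mn.session_key(leaked_poa)
    nonce = os.urandom(16)
    forged = kdf(leaked, b"pop", target_poa, nonce)
    return holder.reauth(mn.mn_id, target_poa, nonce, forged) is None
```

The last function is the property the hierarchy is built for: session keys are one-way derivations from the root key, so a PoA (or anyone who reads its key store) holds nothing that lets it stand in for the MN at the next PoA. The domain check in reauth is the slide's cross-domain point in code: a visited holder without the root key returns None, and the MN is back to full authentication.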
• Proactive authentication is the promising approach to reduce authentication and key establishment signaling latency
  • Needed for secure service continuity across different link-layer technologies and AAA domains
  • Use existing media-specific Secure Association mechanisms
• Proactive authentication can be based on proactive re-authentication and on pre-authentication
• Proactive authentication requires an EAP transport
  • A solution that works independently of link-layer technologies
• Our main scope is IEEE 802 technologies, but the solution could be applied to handovers to other technologies