HOKEY WG Notes

advertisement
HOKEY WG Notes
Dorothy Stanley (Aruba Networks)
Agenda: IETF-76 HOKEY agenda
Handover Keying (HOKEY) Working Group
Chairs : Glen Zorn (gwz@net-zen.net)
Tina Tsou (Ting ZOU) (tena@huawei.com
Jabber : hokey@jabber.ietf.org
URL : http://tools.ietf.org/wg/hokey/
Agenda : Version 1.0 (draft)
Meeting : IETF 76; Hiroshima, Japan
=========================================================
Date : Tuesday 10th, November 2009
Time : 15:20 - 17:00
Location: Cattleya West
=========================================================
Welcome & Administrivia (10 minutes)
Bluesheets
Jabber scribe
Minute Takers
Document Status (5 minutes)
1. Hokey architecture <draft-hoeper-hokey-arch-design-01.txt>
Sebastien Decugis (15 minutes)
2. Local Domain Name Discovery for ERP <draft-wu-hokey-ldn-discovery-00.txt>
Qin Wu/TBD (15 minutes)
3. The architectural choices available if one wanted to have a local ERP server
independent of the Diameter proxy
Tom Taylor (15 minutes)
4. Early Authentication solutions
Hui Deng (15 minutes)
5. Token based handover key derivation for Re-authentication
Shu Liu (15 minutes)
Wrap-Up (5 minutes)
1. Chair reminded participants to sign the blue sheets
2. Chair asks for note takers and jabber scribe. Dorothy Stanley volunteers to take notes.
3. Document status: The remaining 2 docs have passed WGLC and are in the tender
clutches of the IESG.
4. First presentation: HOKEY Architecture draft: Sebastien Decugis (15 minutes)
- Motivation: Currently unclear how necessary handover infrastructure is deployed
and can be integrated into existing EAP infrastructures
- Goals: Lower signaling overhead; Minimize communication in home devices
- Integrate Local Domain Name Discovery. Described system overview and
components, relation sip between HOKEY key management and HOKEY
authentication, and HOKEY authorization.
- Describes deployment scenarios: Home HOKEY Service, non roaming case.,
visited HOKEY Service, Hybrid Service
- Question on the deployment scenario, hybrid case, when you hand off between
the domains can you use ERP? Can, not recommended, issue is authorization.
Also of discovery of ER server.
- Divide use case into two, Same or different visited network – inter or intra
domain. Could be both visited, but in varying domains.
- Conclusion – Request to accept the draft as a WG item. Chair asks for group’s
input on open issues, encourage review of the draft, and early feedback.
- Is there interest in the drafts – Who has read the draft – a few hands are raised.
- Believe work is important; summarize the components for the user community.
- Adopt as a WG item now, Chair asks for a hum – adopt, not adopt. Some but not
definitive level. Wait for adoption of the charter before adopting this as a WG
item.
5. Second presentation – Tom Taylor: Can a Local ERP Server be separated from a
Diameter Proxy?
- Open Questions: additional architecture goals, local Domain Name Discovery,
ERP capability discovery.
- Discussion in DIME about ERP applications. Raised a number of architectural
questions.
- Describes components
- Information flows required during initial authentication phase. Follows RFC
5296. Information flows required during re-authentication phase.
- Review of possible solutions.
- Question – Getting DSRK; Local ER server has to retrieve the key. Need a
way to get the key.
- Use NAI as the query late, had the home domain, need to indicate the local
domain. Known by the client.
- Assume that a single ER server can serve multiple domains? No. Can use only
its own domain. Does a string match on the NAI. present during the initial
authentication.
- ERP, key name, don’t use user name. Requirement is that it comes back in reauthentication signaling.
-
Interesting analysis. Can Home EAP server be de-correlated from HOKEY
functions.
- On path proposal – Local server advertises, second and third are not on path
proposals. All are feasible, engineering problem to select one. EAP server and
Diameter servers collocated? Should not be assumed. Causes problems with
Diameter and routing. With RADIUS have to be on path. With Diameter,
don’t have to assume this. Gain flexibility in deployment and implementations,
including fault tolerance. Do need to distinguish between ER-Diameter Agent
and NAS-ER Server.
6. Local Domain Name Discovery for ERP <draft-wu-hokey-ldn-discovery-00.txt>
Qin Wu/TBD (15 minutes)
- Example of Local Domain Name
- Use DHCP to request local domain name; domain name must be available to
the peer during or after the full EAP authentication
- Description of scenario as explained in RFC5296.
- Description of additional scenario for re-authentication
- Should this be adopted as a WG item?
- Discussion: WG chair asks for a hum. Moderate level of interest. Volunteers
for reviewing the document – 2 volunteers.
7. ERP extension for EAP Early Authentication Solutions Hui Deng (15 minutes)
- Overview of current document solutions, and terminology
- Overview of the information flow
- EAP Early Authentication Protocol (EEP) re-uses the ERP packets,
summarizes the extensions – new flag, New TLV.
- Lower layer specifications may need to be revised to support EEP.
- New Diameter EEP application message is needed, to transport EE keying
materials.
- Discussion - Step 1 Information Flow. Why would peer discover the possible
NAS? Usually peer doesn’t know or care where authenticator is located.
- Peer only knows the physical link of the base station, query the network
before link is established.
- Current WiMax architecture. ASN gateways serves N base stations. Can have
authenticator function. First one is not the anchor authenticator. Don’t
understand the CA discovery.
- Consider 2 scenarios – homogeneous scenario, from one technology, e.g.
802.21.
- CA discovery is pre-handover.
- Mobile hands over from one coverage area to another – control plane. Only
need to check when cross a boundary.
- Format of the message – how to indicate different server destinations.
8. Token based handover key derivation for Re-authentication
Shu Liu (15 minutes)
- Objective is to provide fresh, valid re-authenticaiton root key to the
authenticator when inter-authenticator handover within the dame local ER
server happens.
- Description of the problem
-
Summary of requirements for the solution
Re-use existing authentication credentials, centralized management, access
control protection.
Straw-man proposal – authentication token.
Comment – use of an incremental counter will not expose information to an
attacker. Basic MAC property. Don’t believe this is a problem.
How is rMSK compromised?
When peer moves, RMSK is the same, sequence number is re-used?
Doesn’t matter. If have a strong PRF.
Probably not a real problem. Onus on the authors to prove that it is.
History on key generation – WIMax, 3GPP, EAP draft, Hokey draft. Only one
not aligned is the HOKEY draft.
Meeting adjourned 5pm Local time.
Download