[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FW: Possible preauth BOF Request

To: "Wijnen, Bert (Bert)" <bwijnen@lucent.com>
Subject: Re: FW: Possible preauth BOF Request
From: Bernard Aboba <aboba@internaut.com>
Date: Mon, 30 Jan 2006 23:11:55 -0800 (PST)
Cc: "Aaa-Doctors (E-mail)" <aaa-doctors@ops.ietf.org>
In-reply-to: <7D5D48D2CAA3D84C813F5B154F43B155092F554B@nl0006exch001u.nl.lucent.com>
References: <7D5D48D2CAA3D84C813F5B154F43B155092F554B@nl0006exch001u.nl.lucent.com>

The BOF Charter talks about missing features of several link layers such 
as IEEE 802.16e, IEEE 802.11i and 3GPP2.  Since pre-authentication support 
is closely tied to link layer features such as scanning mechanisms and key 
caching support, it seems like this would need to be handled by those 
standards bodies, rather than the IETF.   For example, IEEE 802.11r is now 
defining new "over the DS" authentication technology for IEEE 802.11.  Is 
the intent of this BOF to make modifications to the IEEE 802.11 
specification?  For example, the MPA document would appear to 
require changes in the 802.lX state machine (since PANA packets 
will be silently discarded prior to completion of authentication). 

In general, pre-authentication requires discovery of points of attachment, 
something which is generally not possible between two unrelated domains of 
administration.  So I'm a bit puzzled about what is meant by "inter-domain 
pre-authentication" here. 

There has been previous work on "pre-emptive keying", such as the 
RADIUS extension proposed by myself and Bill Arbaugh several years ago:
http://www.watersprings.org/pub/id/draft-irtf-aaaarch-handoff-04.txt

This draft was discussed during the early RADEXT BOFs, but there was not 
enough support for it within the WG, so this work did not make it into the 
RADEXT WG charter.  Since this approach was also rejected by IEEE 802.11r, 
I'd be concerned whether it is likely to be deployed by operators. 

> -----Original Message-----
> From: iab-bounces@ietf.org [mailto:iab-bounces@ietf.org]On Behalf Of
> Margaret Wasserman
> Sent: Sunday, January 29, 2006 07:56
> To: iesg@ietf.org; iab@ietf.org
> Subject: Heads Up: Possible preauth BOF Request
> 
> 
> 
> Hi All,
> 
> The INT area is expecting to receive a BOF request to consider the
> preauth work that was started in the PANA WG (see below).  
> 
> ----
> 
> The following is the work description of preauth.  Alper Yegin and I
> are thinking of having a BoF in the next IETF meeting on this subject.
> The problem statement and architecture work was initially presented in
> MOBOPTS RG in the previous three IETF meetings, but after discussion
> with several people, I feeled that this kind of work is not a long
> term research item any more but can be a standardization item.
> 
> Your comments are very much appreciated.
> 
> ------------------------------------------------------
> Pre-authentication and Heterogeneous Handover (preauth)
> [Rev0.1]
> 
> Motivation
> ----------
> 
> There has been no solution for seamlessly performing handover across
> heterogeneous networks which may belong to different administrative
> domains and/or may support different link-layer technologies.  For
> example, IEEE 802.16e deals with mobility, but it does not support
> seamless handover across different operators.  3GPP2 is currently
> defining a new mode of operation in which PPP encapsulation is not
> used for carrying IP datagrams.  It would be preferable if the new
> mode is designed to support seamless handover across different
> operators.  In the IETF, there are several IP mobility optimization
> protocols defined including FMIPv6 and HMIPv6, and possibly NETLMM,
> however, overall handover performance including authentication and
> authorization delay has not been considered.  In fact, authentication
> and authorization can be the most time consuming procedure especially
> for heterogeneous handover in which authorization by a central
> authority such as a AAA server would be required.
> 
> The purpose of this work is to improve the overall performance of
> heterogeneous handover by allowing authentication and authorization
> required for a target network to be performed prior to handover.  Note
> that IEEE 802.11i defines pre-authentication at link-layer, but it is
> not applicable to inter-subnet handover.
> 
> 
> Scope
> -----
> 
> - Developing problem statement and an architecture that are centered
> around pre-authentication for seamlessly performing heterogeneous
> handovers including inter-domain and/or inter-technology handovers.
> The architecture may discuss, in addition to pre-authentication,
> optimization technologies related to pre-authentication.  The
> architecture also addresses AAA related issues for pre-authentication,
> including the issues of distinguishing
> pre-authentication/pre-authorization sessions from normal
> authentiation/authorization sessions.
> 
> - Developing a light-weight pre-authentication protocol that does not
> carry EAP itself but takes advantage of EMSK created as a result of
> EAP-based network access authentication.  
> 
> - Defining mechanisms for bootstrapping security from
> pre-authentication for several mobility optimization protocols such as
> FMIPv6.  Specifically, key derivation mechanisms and algorithms for
> the mobility optimization protocols will be defined.  The scope also
> includes bootstrapping link-layer security mechanisms from
> pre-authentication.
> 
> 
> Related Groups
> --------------
> 
> PANA WG: PANA defines EAP transport over UDP (draft-ietf-pana-pana)
> and a pre-authentication extension which is EAP-based
> (draft-ietf-pana-preauth).  The non-EAP based light-weight
> pre-authentication protocol mentioned above may or may not re-use
> PANA.  There may be some overlapping scope between PANA and preauth in
> terms of protocol work, but the entire scope of preauth may not be
> fully covered by the work of PANA.
> 
> MOBOPTS RG: MOBOPTS does not define a protocol and it deals with many
> different research issues in parallel, and a separate group might be
> suitable if the industry thinks that the work needs to be done in a
> short time range.
> 
> MIPSHOP WG: MIPSHOP is centered around mobility optimization for
> Mobile IPv6, but it does do not deal with seamlessly performing
> heterogeneous handover.  Instead, pre-authentication related work
> should be applicable to any mobility optimization mechanism.  Also, a
> new mobility optimization mechanism other than FMIPv6 and HMIPv6 may
> be needed for seamless heterogeneous handover.
> 
> 
> Related Document
> ----------------
> 
> draft-ietf-pana-preauth-00.txt
> 
> draft-ohba-mobopts-heterogeneous-requirement-00.txt
> 
> draft-ohba-mobopts-mpa-{framework,implementation}-01.txt
> 
> draft-vidya-mipshop-handover-keys-aaa-01.txt
> 
> (anything else?)
> ------------------------------------------------------
> 
> Regards,
> Yoshihiro Ohba
>

References:
- FW: Possible preauth BOF Request
  - From: "Wijnen, Bert (Bert)" <bwijnen@lucent.com>

Prev by Date: FW: Possible preauth BOF Request
Next by Date: Please review documents on IESG Agenda for February 16, 2006
Previous by thread: FW: Possible preauth BOF Request
Next by thread: Please review documents on IESG Agenda for February 16, 2006
Index(es):
- Date
- Thread