RE: AMSK for Mobile IPv6

From: Nakhjiri Madjid-MNAKHJI1 (Madjid.Nakhjiri
Date: Fri, 4 Nov 2005 16:24:55 -0500 (EST)
Hi Julien,
Your perception is exactly what everybody who is not in tune with the
day-to-day of the EAP list is assuming. EAP does the authentication between
the peer and the server, some master keys are generated for the peer and
stored at the AAA server. Now we can go ask the AAA server to use those
master keys to generate keys for other applications, in your case an AMSK
for the MN-MIPv6 HA (an HA that is btw not an authenticator), but there are
some catches that are surfacing:
1) AMSK is derived from EMSK, but EMSK is not available to the AAA
server.
2) Later "AMSK requests" have to go from the AAA server to the EAP
server, but the EAP server has by then deleted the EMSK.
Madjid
-----Original Message-----
From: eap-admin [at] frascone.com [mailto:eap-admin [at] frascone.com] On Behalf
Of Julien Bournelle
Sent: Thursday, November 03, 2005 7:54 AM
To: eap [at] frascone.com
Subject: [eap] AMSK for Mobile IPv6
Hi,
I read your threads but I'm not sure I have fully understood all the
ideas behind EAP keying, specifically concerning the AMSK.
I'd like to briefly explain why and how an AMSK could be interesting
for Mobile IPv6.
One assumes that the Mobile Node has an EAP client for network
access authentication.
To use Mobile IPv6, the mobile node needs a Home Agent. The MN and HA
need a pre-shared key, but the mobile node may not know the HA before
using Mobile IPv6 (cf. bootstrapping problem).
Thus one idea could be to use an AMSK, or a key derived from the AMSK, for
this purpose.
The EAP peer and server derive MSK and EMSK. The AAA server requests
an 'AMSK for Mobile IPv6' from the EAP server.
A mobility management entity (not the EAP lower layer) on the mobile
node locally requests the 'AMSK for Mobile IPv6' from the EAP layer.
Then, if we want the mobile node to share a key with the HA, this
implies that the HA requests a key from the AAA server.
MN <------> HA <-------> AAA
So we'll need exchanges between MN and HA and between HA and AAA.
I stay vague here. But one can imagine that the 'AMSK for Mobile IPv6'
is used by the MN to authenticate itself to the AAA.
This pre-shared key will be derived at the MN and AAA from the "AMSK for
Mobile IPv6" and then transported from the AAA to the HA.
So the 'AMSK for Mobile IPv6' is cached on the AAA server and MN but
not transported. The key derived for MN-HA is deleted on the AAA and
transported to the HA.
Does such a mechanism seem correct with respect to the EAP keying framework?
Thanks,
regards,
--
julien.bournelle at int-evry.fr
_______________________________________________
eap mailing list
eap [at] frascone.com
http://mail.frascone.com/mailman/listinfo/eap
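As an added illustration of the key hierarchy Julien sketches (MSK/EMSK from EAP, an 'AMSK for Mobile IPv6' from the EMSK, an MN-HA key derived from that AMSK and transported to the HA) and of the two catches Madjid raises, here is a small Python model. It is example code written for this page, not from either author or any EAP implementation; the labelled HMAC-SHA256 KDF, the "MN-HA|<HA id>" derivation label and the HA identity are assumptions.

```python
import hmac
import hashlib

LABEL = "AMSK for Mobile IPv6"      # application label used in the thread
HA_ID = "ha1.example.net"           # constructed Home Agent identity (assumption)

def kdf(key: bytes, label: str, length: int = 32) -> bytes:
    """Labelled HMAC-SHA256 derivation (assumed, simplified; not the exact EAP KDF)."""
    info = label.encode() + b"\x00" + length.to_bytes(2, "big")
    return hmac.new(key, info, hashlib.sha256).digest()[:length]

def eap_method(seed: bytes):
    """Constructed stand-in for an EAP method: peer and EAP server both obtain MSK and EMSK."""
    return kdf(seed, "MSK", 64), kdf(seed, "EMSK", 64)

class EapEndpoint:
    """Peer (MN) or EAP server: the only parties that ever hold the EMSK."""
    def __init__(self, emsk): self.emsk = emsk
    def amsk(self, label):
        if self.emsk is None:
            raise RuntimeError("EMSK no longer available")   # catch 2 from the reply
        return kdf(self.emsk, label)
    def forget_emsk(self): self.emsk = None

class AaaServer:
    """Holds only the exported MSK; AMSKs are fetched from the EAP server, cached, never forwarded."""
    def __init__(self, msk): self.msk, self.amsk_cache = msk, {}
    def fetch_amsk(self, eap_server, label): self.amsk_cache[label] = eap_server.amsk(label)
    def mn_ha_key(self, label, ha_id):
        # derived from the cached AMSK; this is the only key transported to the HA
        return kdf(self.amsk_cache[label], "MN-HA|" + ha_id)

def bootstrap(seed=b"constructed EAP method secret"):
    msk, emsk = eap_method(seed)
    mn, eap_server, aaa = EapEndpoint(emsk), EapEndpoint(emsk), AaaServer(msk)
    aaa.fetch_amsk(eap_server, LABEL)                  # works while the EAP server still has EMSK
    ha_key = aaa.mn_ha_key(LABEL, HA_ID)               # AAA -> HA transport
    mn_key = kdf(mn.amsk(LABEL), "MN-HA|" + HA_ID)     # mobility entity asks the local EAP layer
    eap_server.forget_emsk()                           # EAP server discards EMSK after the session
    try:
        aaa.fetch_amsk(eap_server, "AMSK for another application")
        late_ok = True
    except RuntimeError:
        late_ok = False
    # catch 1: the AAA server's MSK alone cannot reproduce an EMSK-derived AMSK
    amsk_from_msk = kdf(aaa.msk, LABEL)
    return {"keys_match": mn_key == ha_key, "late_request_ok": late_ok,
            "msk_reproduces_amsk": amsk_from_msk == aaa.amsk_cache[LABEL]}
```

Running `bootstrap()` shows the MN and HA ending up with the same key only because the AMSK was fetched while the EMSK still existed; a later request fails, and the AAA server cannot substitute its MSK for the missing EMSK.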