Re: Re: AMSKs for MIPv6

From: Jari Arkko (jari.arkko

Date: Sat, 5 Nov 2005 18:41:01 -0500 (EST)
Bernard Aboba wrote:
> Is an EAP exchange being run between the MN and AAA server, with the HA serving as the "EAP authenticator"?
There are multiple scenarios. If the scenario is according to your assumption above, then there may be no need at all for new protocols or keys. Specifically, MNs can, already today, use EAP authentication to the home agent via draft-ietf-mip6-ikev2-ipsec, IKEv2, and IKEv2 EAP mode. This implies that the AAA server delivers an MSK to the HA, which is then subsequently used by the IKEv2 authentication process; DH keys are used in IKEv2 to get keys for the actual IPsec SA which protects the BUs.
So that works today, I think.
What Julien, Gerardo et al. are addressing is probably a different scenario, however. I'm not quite sure what the complete list of scenarios is. But one scenario that I can think of is where there's a desire to avoid a second AAA transaction from the HA by using an AMSK from an EAP authentication that already happened for other purposes. I remain personally unconvinced that such an optimization is needed, because there's a lot of protocol design, implementation effort, and assumptions to eliminate a few roundtrips from something that only needs to happen once (not on every movement).
A third scenario is when mip6-auth-option is used instead of IPsec, but there's no credential that fits mip6-auth-option usage directly. (If such a credential were available, then we would not need anything beyond mip6-auth-option. Note also that such a credential may exist through a roaming relationship; it is not necessarily needed in the HA or local AAA.) The only practical case that I can think of where this becomes a problem is where the MN has an EAP credential (e.g. SIM, TLS) for the home network, but that credential is not fit for usage in mip6-auth-option because it needs to be a plain shared secret.
Anyway, in that scenario EAP-based AMSKs could potentially be used as the shared secrets for mip6-auth-option. This seems largely in line with what the EAP keying framework allows one to do, but of course the devil is in the details, and there'd have to be a document that describes the security analysis of the system. I tend to agree with you, Bernard, that the HA needs to be involved in some way.
Julien, Gerardo, Avi -- what are the scenarios where you'd like to use AMSK?
--Jari
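The third scenario above (an EAP-derived AMSK used as the plain shared secret that mip6-auth-option needs), worked through as an added example that is not part of the thread or of any of the drafts it mentions. The key derivation assumed here is the one the EMSK-based AMSK work under discussion was later standardized as in RFC 5295 (USRK = KDF(EMSK, key label | "\0" | optional data | length), default KDF IKEv2 prf+ with HMAC-SHA-256), and the authenticator is the RFC 4285 MN-HA mobility message authentication option (First(96, HMAC_SHA1(MN-HA shared key, care-of address | home address | MH Data))). The EMSK, the key label, the addresses and the Mobility Header bytes are constructed test values; the label is hypothetical, not an IANA-registered one, and the MH Data is a stand-in for the real header with its checksum field zeroed.

```python
"""Added example: EAP-derived AMSK (USRK in RFC 5295 terms) as the MN-HA shared
key for the RFC 4285 authentication option. All inputs are constructed."""
import hashlib
import hmac
import ipaddress


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """IKEv2 prf+ (RFC 4306 section 2.13) with HMAC-SHA-256, the default KDF of
    RFC 5295 section 3.1: T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n)."""
    if not 0 < length <= 255 * hashlib.sha256().digest_size:
        raise ValueError("prf+ counter is a single octet; length too large")
    out, t, counter = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([counter]), hashlib.sha256).digest()
        out += t
        counter += 1
    return out[:length]


def derive_amsk(emsk: bytes, key_label: bytes, optional_data: bytes = b"",
                length: int = 64) -> bytes:
    """RFC 5295 section 3.1: USRK = KDF(EMSK, key label | "\\0" | optional data | length).
    The two-octet length is part of the seed, so keys of different lengths are
    unrelated, and different labels give cryptographically separate keys. This
    separation is what lets one EAP run feed several applications."""
    seed = key_label + b"\x00" + optional_data + length.to_bytes(2, "big")
    return prf_plus(emsk, seed, length)


def mobility_data(coa: str, hoa: str, mh_data: bytes) -> bytes:
    """RFC 4285 section 5.1: Mobility Data = care-of address | home address | MH Data.
    The caller supplies MH Data with the Mobility Header checksum field zeroed."""
    return ipaddress.IPv6Address(coa).packed + ipaddress.IPv6Address(hoa).packed + mh_data


def mn_ha_authenticator(shared_key: bytes, coa: str, hoa: str, mh_data: bytes) -> bytes:
    """RFC 4285 section 5.1: Authenticator = First(96, HMAC_SHA1(key, Mobility Data))."""
    mac = hmac.new(shared_key, mobility_data(coa, hoa, mh_data), hashlib.sha1).digest()
    return mac[:12]  # 96 bits


def verify_mn_ha(shared_key: bytes, coa: str, hoa: str, mh_data: bytes,
                 authenticator: bytes) -> bool:
    """HA-side check; constant-time compare so a forger gets no timing oracle."""
    expected = mn_ha_authenticator(shared_key, coa, hoa, mh_data)
    return hmac.compare_digest(expected, authenticator)


# Constructed values (not from any real EAP run or capture).
EMSK = bytes(range(64))                      # a real EMSK comes out of the EAP method
MIP6_LABEL = b"mip6-auth@example.com"        # hypothetical key label
COA = "2001:db8:2::1"
HOA = "2001:db8:1::100"
BU_MH_DATA = bytes.fromhex("0500" "0000" "0000" "1234" "c000")  # stand-in BU header bytes


def run_scenario():
    """MN derives the MN-HA key from its EMSK and authenticates a BU; the HA
    verifies with the same AMSK, which in the thread's scenario the AAA server
    delivers to it. Returns (valid accepted, tampered CoA accepted,
    wrong-label key accepted)."""
    mn_key = derive_amsk(EMSK, MIP6_LABEL)
    auth = mn_ha_authenticator(mn_key, COA, HOA, BU_MH_DATA)

    ha_key = derive_amsk(EMSK, MIP6_LABEL)   # what AAA hands the HA
    accepted = verify_mn_ha(ha_key, COA, HOA, BU_MH_DATA, auth)
    tampered = verify_mn_ha(ha_key, "2001:db8:dead::1", HOA, BU_MH_DATA, auth)

    # An AMSK derived for some other application from the same EMSK must not
    # verify: that is the key-separation property the EAP keying framework promises.
    other_key = derive_amsk(EMSK, b"other-app@example.com")
    cross = verify_mn_ha(other_key, COA, HOA, BU_MH_DATA, auth)
    return accepted, tampered, cross


if __name__ == "__main__":
    print(run_scenario())
```

The HA never sees the EMSK, only the 64-octet AMSK for this one label, which is the "HA needs to be involved in some way" point in a concrete form: the AAA server does the derivation and delivery, the HA only holds and uses the resulting shared key. Note that the length field being inside the KDF seed means a 32-octet derivation is not a prefix of the 64-octet one.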
Thread:
- Re: AMSKs for MIPv6, Bernard Aboba, November 3 2005
  - Re: Re: AMSKs for MIPv6, Jari Arkko, November 5 2005
- Re: Re: AMSKs for MIPv6, Julien Bournelle, November 6 2005
  - Re: Re: AMSKs for MIPv6, Jari Arkko, November 6 2005
  - RE: Re: AMSKs for MIPv6, Avi Lior, November 3 2005
  - RE: Re: AMSKs for MIPv6, Gerardo Giaretta, November 4 2005