
HMIP and FMIP Security Associations draft-yegin-hmip-sa-00.txt


Presentation Transcript


  1. HMIP and FMIP Security Associations draft-yegin-hmip-sa-00.txt IETF 67

  2. Summary
     • EAP-based network access authentication already generates an SA (SA2) between the MN and the access network (NAS)
     • Now generate derivative SAs (SA3) between the MN and the mobility servers (MAP, FMIP AR)
     [Diagram: MN (EAP peer), NAS (EAP authenticator), HAAA (EAP authentication server) and MAP or AR, with associations labelled SA1, SA2 and SA3, across the visited network and the home network]
     IETF 67 - HMIP/FMIP SA

  3. HMIP SA Generation
     • After EAP, the NAS and the MN share the MSK
     • HMIP-SA
       • HMIP-PID (peer ID)
         • MN Identity used during EAP
         • MAP IP address
       • HMIP-lifetime
         • MSK lifetime
       • HMIP-SPI
         • 1 at initial EAP auth, ++ for each subsequent re-auth
       • HMIP-key = HMAC-SHA1(MSK, "HMIPv6 key derivation" | MN-ID | MAP-IPaddr)

  4. SA Distribution
     • MN
       • Internal
     • MAP
       • Delivery from NAS to MAP
       • RADIUS, Diameter, proprietary – architecture dependent

  5. Using the SA
     • Use HMIP-SA with
       • ietf-mip6-ikev2-ipsec or,
       • RFC4285

  6. Non-EAP-based Architectures?
     • The same mechanism can be used with any architecture as long as there is an equivalent of MSK shared between the MN and the NAS.

  7. Application to FMIP
     • FMIP-key = HMAC-SHA1(MSK, "FMIPv6 key derivation" | MN-ID | AR-IPaddr)
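
The derivations on slides 3 and 7, worked through as an added Python example that is not part of the original presentation or the draft. It shows that the MN and the NAS compute the same key from the MSK and that the label and server address separate the HMIP and FMIP keys. Assumptions not stated on the slides: "|" is byte concatenation, MN-ID is encoded as UTF-8, the MAP/AR address is the 16-byte packed IPv6 form, and the names `derive_key`, `build_sa` and `MobilitySA` are hypothetical.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

HMIP_LABEL = b"HMIPv6 key derivation"
FMIP_LABEL = b"FMIPv6 key derivation"


def derive_key(msk: bytes, label: bytes, mn_id: str, server_addr: str) -> bytes:
    """HMAC-SHA1(MSK, label | MN-ID | server-IPaddr), with "|" as concatenation.

    Assumed encodings (not given on the slides): MN-ID as UTF-8 bytes,
    server address as the 16-byte packed IPv6 form.
    """
    addr = ipaddress.IPv6Address(server_addr).packed
    return hmac.new(msk, label + mn_id.encode("utf-8") + addr, hashlib.sha1).digest()


@dataclass(frozen=True)
class MobilitySA:
    peer_id: tuple   # (MN identity used during EAP, MAP or AR IP address)
    lifetime: int    # seconds; equal to the MSK lifetime
    spi: int         # 1 at initial EAP auth, +1 for each subsequent re-auth
    key: bytes       # 20-byte HMAC-SHA1 output


def build_sa(msk, msk_lifetime, label, mn_id, server_addr, prev_spi=0):
    """Build the SA that both the MN and the NAS can compute after an EAP run."""
    if len(msk) < 64:
        raise ValueError("EAP MSK must be at least 64 octets (RFC 3748)")
    key = derive_key(msk, label, mn_id, server_addr)
    return MobilitySA((mn_id, server_addr), msk_lifetime, prev_spi + 1, key)


# Constructed sample values, for illustration only.
SAMPLE_MSK = bytes(range(64))
SAMPLE_MN_ID = "mn1@home.example"
SAMPLE_MAP = "2001:db8:1::1"
SAMPLE_AR = "2001:db8:2::1"

if __name__ == "__main__":
    hmip = build_sa(SAMPLE_MSK, 3600, HMIP_LABEL, SAMPLE_MN_ID, SAMPLE_MAP)
    fmip = build_sa(SAMPLE_MSK, 3600, FMIP_LABEL, SAMPLE_MN_ID, SAMPLE_AR)
    print("HMIP-SPI", hmip.spi, "HMIP-key", hmip.key.hex())
    print("FMIP-SPI", fmip.spi, "FMIP-key", fmip.key.hex())
```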
