HMIP and FMIP Security Associations
draft-yegin-hmip-sa-00.txt
IETF 67
Summary
• EAP-based network access authentication already generates an SA (SA2) between the MN and the access network (NAS)
• Now generate derivative SAs (SA3) between the MN and the mobility servers (MAP, FMIP AR)
[Figure: MN (EAP peer) in the visited network; NAS (EAP authenticator); HAAA (EAP authentication server) in the home network; MAP or AR. Labelled associations: SA1, SA2 (MN to NAS), SA3 (MN to MAP or AR).]
IETF 67 - HMIP/FMIP SA
HMIP SA Generation
• After EAP, the NAS and the MN share the MSK
• HMIP-SA
  • HMIP-PID (peer ID): the MN identity used during EAP
  • MAP IP address
  • HMIP-lifetime: the MSK lifetime
  • HMIP-SPI: 1 at the initial EAP authentication, incremented (++) for each subsequent re-authentication
  • HMIP-key = HMAC-SHA1(MSK, "HMIPv6 key derivation" | MN-ID | MAP-IPaddr)
SA Distribution
• MN: internal (the MN derives the SA itself from the MSK it already holds)
• MAP: delivery from the NAS to the MAP
  • RADIUS, Diameter, or a proprietary protocol; architecture dependent
Using the SA
• Use the HMIP-SA with
  • draft-ietf-mip6-ikev2-ipsec (IKEv2/IPsec-based MIPv6 security), or
  • RFC 4285 (Authentication Protocol for Mobile IPv6)
Non-EAP-based Architectures?
• The same mechanism can be used with any architecture, as long as the MN and the NAS share a key equivalent to the MSK.
Application to FMIP
• FMIP-key = HMAC-SHA1(MSK, "FMIPv6 key derivation" | MN-ID | AR-IPaddr)
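The two derivations above (HMIP-key on the "HMIP SA Generation" slide and FMIP-key here) differ only in the label and the server address, so one routine covers both. The following is an added worked example written for this page, not code from the draft or its author. The slides do not specify byte encodings, so the example assumes: "|" is plain concatenation, MN-ID is the UTF-8 bytes of the EAP identity (an NAI), the server address is the 16-byte binary IPv6 form, and the FMIP SA reuses the same SPI counter as the HMIP SA. The MSK is a constructed 64-byte value standing in for a real EAP export (RFC 3748 defines the MSK as 64 bytes).

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

HMIP_LABEL = b"HMIPv6 key derivation"
FMIP_LABEL = b"FMIPv6 key derivation"
MSK_LEN = 64  # EAP MSK length per RFC 3748


def derive_key(msk: bytes, label: bytes, mn_id: str, server_addr: str) -> bytes:
    """HMAC-SHA1(MSK, label | MN-ID | server-IPaddr), as written on the slides.

    Assumed encodings (not given on the slides): UTF-8 MN-ID, packed 16-byte
    IPv6 address, no separators between the concatenated fields.
    """
    if len(msk) != MSK_LEN:
        raise ValueError("expected a %d-byte EAP MSK" % MSK_LEN)
    addr = ipaddress.IPv6Address(server_addr).packed
    return hmac.new(msk, label + mn_id.encode("utf-8") + addr, hashlib.sha1).digest()


@dataclass(frozen=True)
class MobilitySA:
    peer_id: str      # HMIP-PID / FMIP peer ID: the identity used during EAP
    server_addr: str  # MAP (HMIP) or AR (FMIP) IPv6 address
    lifetime: int     # bound to the MSK lifetime, in seconds
    spi: int          # 1 at initial auth, incremented on every re-auth
    key: bytes        # 20-byte HMAC-SHA1 output


class MobilitySAGenerator:
    """Runs once per successful EAP (re-)authentication on the MN or the NAS.

    The SPI counter guarantees that each new MSK yields a fresh (SPI, key)
    pair, so a stale SA cannot be confused with the current one. Sharing the
    counter between HMIP and FMIP is this example's assumption.
    """

    def __init__(self) -> None:
        self._spi = 0

    def on_eap_success(self, msk: bytes, msk_lifetime: int, mn_id: str,
                       map_addr: str, ar_addr: str) -> tuple:
        self._spi += 1
        hmip = MobilitySA(mn_id, map_addr, msk_lifetime, self._spi,
                          derive_key(msk, HMIP_LABEL, mn_id, map_addr))
        fmip = MobilitySA(mn_id, ar_addr, msk_lifetime, self._spi,
                          derive_key(msk, FMIP_LABEL, mn_id, ar_addr))
        return hmip, fmip


def map_side_matches(sa: MobilitySA, msk: bytes) -> bool:
    """What the MAP checks after the NAS delivers the MSK-derived material:
    re-derive from the peer ID and its own address and compare constant-time."""
    expected = derive_key(msk, HMIP_LABEL, sa.peer_id, sa.server_addr)
    return hmac.compare_digest(expected, sa.key)


# Constructed demo values; a real MSK comes from the EAP method, never from a hash of a string.
DEMO_MSK = hashlib.sha512(b"constructed demo MSK, not a real EAP export").digest()
DEMO_MN_ID = "mn@example.net"
DEMO_MAP = "2001:db8:1::10"
DEMO_AR = "2001:db8:2::1"

if __name__ == "__main__":
    gen = MobilitySAGenerator()
    hmip_sa, fmip_sa = gen.on_eap_success(DEMO_MSK, 3600, DEMO_MN_ID, DEMO_MAP, DEMO_AR)
    print("HMIP SPI", hmip_sa.spi, "key", hmip_sa.key.hex())
    print("FMIP SPI", fmip_sa.spi, "key", fmip_sa.key.hex())
    print("MAP verifies:", map_side_matches(hmip_sa, DEMO_MSK))
```

The MN and the NAS both run derive_key over the same inputs, so nothing but the MSK-derived SA material (or the MSK itself, depending on the AAA architecture) has to travel from the NAS to the MAP. Binding the server address into the input keeps the MAP key and the AR key distinct even when the same MSK and MN-ID are used for both.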