Internet DRAFT - draft-ietf-pana-mobopts

draft-ietf-pana-mobopts






Network Working Group                                  D. Forsberg (Ed.)
Internet-Draft                                                     Nokia
Expires: April 24, 2006                                          Y. Ohba
                                                                 Toshiba
                                                                B. Patil
                                                                   Nokia
                                                           H. Tschofenig
                                                                 Siemens
                                                                A. Yegin
                                                                 Samsung
                                                        October 21, 2005


                      PANA Mobility Optimizations
                     draft-ietf-pana-mobopts-01.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 24, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This specification describes PANA optimizations for handling



Forsberg (Ed.), et al.   Expires April 24, 2006                 [Page 1]

Internet-Draft                PANA MobOpts                  October 2005


   mobility.  Proposed optimizations aim reducing protocol latency and
   signaling associated with PANA-based network access AAA.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Requirements notation  . . . . . . . . . . . . . . . . . . . .  4
   3.  Framework  . . . . . . . . . . . . . . . . . . . . . . . . . .  5
   4.  Protocol Details . . . . . . . . . . . . . . . . . . . . . . .  6
   5.  Deployment Considerations  . . . . . . . . . . . . . . . . . .  8
   6.  Keying Considerations  . . . . . . . . . . . . . . . . . . . .  9
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 11
     8.2.  Informative References . . . . . . . . . . . . . . . . . . 11
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12
   Intellectual Property and Copyright Statements . . . . . . . . . . 14

































Forsberg (Ed.), et al.   Expires April 24, 2006                 [Page 2]

Internet-Draft                PANA MobOpts                  October 2005


1.  Introduction

   A PaC using PANA [I-D.ietf-pana-pana] MUST execute full EAP/PANA upon
   inter-subnet (inter-PAA) movement.  In case seamless mobility is
   desirable, having to execute full EAP authentication with a AAA
   server would incur undesirable latency.  This document outlines the
   required extensions to the base PANA specification to eliminate the
   need to execute EAP each time the PaC performs an inter-PAA handover.

   The scheme described in this document allows creation of a new PANA
   session with a new PAA based on an existing session with another PAA.
   Generation of the new PANA session does not require executing EAP-
   based authentication.  Instead, a context-transfer-based scheme is
   used to bring in relevant state information from the previous PAA to
   the new PAA.

   It should be noted that this document is limited to describing AAA
   optimizations on the PANA protocol.  Additional optimizations aiming
   at EAP or specific AAA backend protocols (e.g., RADIUS, Diameter) can
   be defined independently.  Furthermore, specification of the required
   context-transfer mechanism is left to other documents
   ([I-D.bournelle-pana-ctp]).





























Forsberg (Ed.), et al.   Expires April 24, 2006                 [Page 3]

Internet-Draft                PANA MobOpts                  October 2005


2.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].














































Forsberg (Ed.), et al.   Expires April 24, 2006                 [Page 4]

Internet-Draft                PANA MobOpts                  October 2005


3.  Framework

   The call flow depicting mobility-optimized PANA execution is shown
   below.



            PaC                   newPAA             prePAA
             |                       |                  |
          1  |<---------- live PANA session ----------->|
             |                       |                  |
          2  x move from subnet1     |                  |
             | to subnet2            |                  |
             |                       |                  |
             |         PDI           |                  |
          3  |---------------------->|                  |
             |         PSR           |                  |
          4  |<----------------------|                  |
             |         PSA           |                  |
          5  |---------------------->|      CT-req      |
          6  |                       |----------------->|
             |                       |      CT-resp     |
          7  |         PBR           |<-----------------|
          8  |<----------------------|                  |
             |         PBA           |                  |
          9  |---------------------->|                  |



   In this flow, the PaC is already authorized and connected to subnet1,
   where prePAA resides (step 1).  Later, the PaC performs a handover
   from subnet1 to subnet2 (step 2).  Following the movement, PANA
   discovery and handshake phases are executed (steps 3-5).  In response
   to the parameters included in the PSA, PANA session context is
   transferred from the prePAA to the newPAA (steps 6,7).  Finally,
   PANA-Bind exchange signals the successful PANA authorization (steps
   8,9).  In this flow, EAP authentication does not take place.














Forsberg (Ed.), et al.   Expires April 24, 2006                 [Page 5]

Internet-Draft                PANA MobOpts                  October 2005


4.  Protocol Details

   A mobile PaC's network access authentication performance can be
   enhanced by deploying a context-transfer-based mechanism, where some
   session attributes are transferred from the previous PAA to the new
   one in order to avoid performing a full EAP authentication (reactive
   approach).  Additional mechanisms that are based on the proactive AAA
   state establishment at one or more candidate PAAs may be developed in
   the future (see for example [I-D.irtf-aaaarch-handoff]').  The
   details of a context-transfer-based mechanism is provided in this
   section.

   Upon changing its point of attachment, a PaC that wants to quickly
   resume its ongoing PANA session without running EAP MAY send its
   unexpired PANA session identifier in its PANA-Start-Answer message.
   Along with the Session-Id AVP, a MAC AVP MUST be included in this
   message.  The MAC AVP is computed by using the PANA_MAC_KEY shared
   between the PaC and its previous PAA that has an unexpired PANA
   session with the PaC.  This action signals the PaC's desire to
   perform the mobility optimization.  In the absence of a Session-Id
   AVP in this message, the PANA session takes its usual course (i.e.,
   EAP-based authentication is performed).

   If a PAA receives a session identifier in the PANA-Start-Answer
   message, and it is configured to enable this optimization, it SHOULD
   retrieve the PANA session attributes from the previous PAA.  The
   identity of the previous PAA is determined by looking at the
   DiameterIdentity part of the PANA session identifier.  The MAC AVP
   can only be verified by the previous PAA, therefore a copy of the
   PANA message MUST be provided to the previous PAA.  The mechanism
   required to send a copy of the PANA-Start-Answer message from current
   PAA to the previous PAA, and to retrieve the session attributes is
   outside the scope of PANA protocol.  The Context Transfer Protocol
   [I-D.ietf-seamoby-ctp] might be useful for this purpose.

   When the previous or current PAA is not configured to enable this
   optimization, the current PAA can not retrieve the PANA session
   attributes, or the PANA session has already expired (i.e., session
   lifetime is zero), the PAA MUST send the PANA-Auth-Request message
   with a new session identifier and let the PANA exchange take its
   usual course.  As a result the PaC will engage in EAP-based
   authentication and create a fresh PANA session from scratch.

   In case the current PAA can retrieve the on-going PANA session
   attributes from the previous PAA, the PANA session continues with a
   PANA-Bind exchange.

   As part of the context transfer, an intermediate AAA-Key material is



Forsberg (Ed.), et al.   Expires April 24, 2006                 [Page 6]

Internet-Draft                PANA MobOpts                  October 2005


   provided by the previous PAA to the current PAA.

      AAA-Key-int = The first N bits of
                    HMAC-SHA1(AAA-Key, DiameterIdentity | Session-ID)


   The value of N depends on the integrity protection algorithm in use,
   i.e., N=160 for HMAC-SHA1.  DiameterIdentity is the identifier of the
   current (new) PAA.  Session-ID is the identifier of the PaC's PANA
   session with the previous PAA.

   The current PAA and the PaC compute the new AAA-Key by using the
   nonce values and the AAA-Key-int.

      AAA-Key-new = The first N bits of
                    HMAC-SHA1(AAA-Key-int, PaC_nonce | PAA_nonce)


   New PANA_MAC_KEY is computed based on the algorithm described in
   [I-D.ietf-pana-pana], by using the new AAA-Key and the new Session-ID
   assigned by the current PAA.  The MAC AVP contained in the PANA-Bind-
   Request and PANA-Bind-Answer messages MUST be generated and verified
   by using the new PANA_MAC_KEY.  The Session-ID AVP MUST include a new
   session identifier assigned by the current PAA.  A new PANA session
   is created upon successful completion of this exchange.


























Forsberg (Ed.), et al.   Expires April 24, 2006                 [Page 7]

Internet-Draft                PANA MobOpts                  October 2005


5.  Deployment Considerations

   Correct operation of this optimization relies on many factors,
   including applicability of authorization state from one network
   attachment to another.  [I-D.ietf-eap-keying] identifies this
   operation as "fast handoff" and provides deployment considerations.
   Operators are recommended to take those guidelines into account when
   using this optimization in their networks.











































Forsberg (Ed.), et al.   Expires April 24, 2006                 [Page 8]

Internet-Draft                PANA MobOpts                  October 2005


6.  Keying Considerations

   Upon PaC's movement to a another PAA (new PAA) and request to perform
   a context transfer based optimization, the previous PAA computes a
   AAA-Key-int based on the AAA-Key, ID of new PAA, and the session ID.
   This AAA-Key-int is delivered to the new PAA, and used in the
   computation of the AAA-Key-new, which further takes a pair of nonce
   values into account.  After this point on, the AAA-Key-new becomes
   the AAA-Key between the PaC and the new PAA.

   The AAA-Key-int can be deleted as soon as AAA-Key-new is derived.
   The lifetime of AAA-Key-new is bounded by the lifetime of AAA-Key.







































Forsberg (Ed.), et al.   Expires April 24, 2006                 [Page 9]

Internet-Draft                PANA MobOpts                  October 2005


7.  Security Considerations

   The mobility optimization described in this document involves the
   previous PAA (possessing the AAA-Key) providing a AAA-Key-new to the
   current PAA of the PaC.  There are security risks stemming from
   potential compromise of PAAs.  Compromise of the current PAA does not
   yield compromise of the previous PAA, as the AAA-Key cannot be
   computed from a compromised AAA-Key-new.  But a compromised previous
   PAA along with the intercepted nonce values on the current link leads
   to the compromise of AAA-Key-new.  Operators should be aware of the
   potential risk of using this optimization.

   An operator can reduce the risk exposure by forcing the PaC to
   perform an EAP-based authentication immediately after the PaC gains
   access to new link via the optimized PANA execution.




































Forsberg (Ed.), et al.   Expires April 24, 2006                [Page 10]

Internet-Draft                PANA MobOpts                  October 2005


8.  References

8.1.  Normative References

   [I-D.ietf-eap-keying]
              Aboba, B., "Extensible Authentication Protocol (EAP) Key
              Management Framework", draft-ietf-eap-keying-07 (work in
              progress), July 2005.

   [I-D.ietf-pana-pana]
              Forsberg, D., "Protocol for Carrying Authentication for
              Network Access (PANA)", draft-ietf-pana-pana-10 (work in
              progress), July 2005.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

8.2.  Informative References

   [I-D.bournelle-pana-ctp]
              Bournelle, J., "Use of Context Transfer Protocol (CxTP)
              for PANA", draft-bournelle-pana-ctp-03 (work in progress),
              June 2005.

   [I-D.ietf-seamoby-ctp]
              Loughney, J., "Context Transfer Protocol",
              draft-ietf-seamoby-ctp-11 (work in progress), August 2004.

   [I-D.irtf-aaaarch-handoff]
              Arbaugh, W. and B. Aboba, "Experimental Handoff Extension
              to RADIUS", draft-irtf-aaaarch-handoff-04 (work in
              progress), November 2003.



















Forsberg (Ed.), et al.   Expires April 24, 2006                [Page 11]

Internet-Draft                PANA MobOpts                  October 2005


Authors' Addresses

   Dan Forsberg
   Nokia Research Center
   P.O. Box 407
   FIN-00045 NOKIA GROUP
   Finland

   Phone: +358 50 4839470
   Email: dan.forsberg@nokia.com


   Yoshihiro Ohba
   Toshiba America Research, Inc.
   1 Telcordia Drive
   Piscataway, NJ  08854
   USA

   Phone: +1 732 699 5305
   Email: yohba@tari.toshiba.com


   Basavaraj Patil
   Nokia
   6000 Connection Dr.
   Irving, TX  75039
   USA

   Phone: +1 972-894-6709
   Email: Basavaraj.Patil@nokia.com


   Hannes Tschofenig
   Siemens Corporate Technology
   Otto-Hahn-Ring 6
   81739 Munich
   Germany

   Email: Hannes.Tschofenig@siemens.com












Forsberg (Ed.), et al.   Expires April 24, 2006                [Page 12]

Internet-Draft                PANA MobOpts                  October 2005


   Alper E. Yegin
   Samsung Advanced Institute of Technology
   75 West Plumeria Drive
   San Jose, CA  95134
   USA

   Phone: +1 408 544 5656
   Email: alper.yegin@samsung.com











































Forsberg (Ed.), et al.   Expires April 24, 2006                [Page 13]

Internet-Draft                PANA MobOpts                  October 2005


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Forsberg (Ed.), et al.   Expires April 24, 2006                [Page 14]