[STDS-802-16-MOBILE] [security] Pre-authentication discussion
From the discussion about post-handoff authentication, there seems to
be consensus in the adhoc for Jung-won's idea that two mechanisms will
co-exist:
1) Pre-authentication
2) Backbone Transfer of Derived Context (suitably secured obviously)
I'd like to hear adhoc-ers' views on how generally to support
pre-authentication in PKMv2.
The mechanism we choose for supporting pre-authentication has
potentially significant implications. The requirements for pre-auth
support would be:
1. Well-understood behaviour
2. Facilitate pre-auth to a BS on the same provider or a different
provider.
3. Enable establishment of the shared-secret Pairwise Master Key and
determination of success/failure of the authentication
4. Do not preclude pre-auth to different media (via 802.21 or
what-have-you). Similarly, do not preclude pre-auth to an unadvertised
neighbor.
802.1X authentication satisfies all of these. The caveat is that for the
moment 802.1X can only be used within a single IP subnet; but extending
it to work over IP has been discussed a lot and seems trivial.
- Jeff Mandin
Security Adhoc Chair