
Re: [STDS-802-16-MOBILE] [security] Pre-authentication discussion (resend)



Jeff,

For pre-authentication, I am proposing a routable PKM packet.
Specifically, a PKM message format that contains a BSID field. The BS
uses this field to map to some BS-BS transport address and send the
packets on their way.

All normal PKMv2 messages can be carried in this routable form.

Thus an MSS can pre-authenticate remotely.

Along with this, AA aging is required to prevent AA state building up,
and some guideline on how many BSs an MSS may try to pre-auth to. I'm
thinking of something like 3-4 as a maximum, so that MSSs can't just
pre-auth with everything and create an excessive system load.

DJ
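The forwarding rule and the two guards DJ proposes (a per-MSS cap on pre-auth targets and aging of the resulting state), as an added example that is not part of the thread or of any 802.16 text. The wire layout (6-byte BSID, 6-byte MSS address, code, length, PKMv2 body), the 4-target cap, the 300 s aging interval, the BS-BS transport table and the sample addresses are all assumptions made for illustration; "AA" is not expanded in the thread, so the example ages the per-MSS pre-auth state it tracks.

```python
"""
Added example: a toy model of a routable PKM message and of the serving
BS that forwards it.  The BS maps the BSID to a BS-BS transport address,
refuses an MSS that already has max_targets pre-auth attempts in flight,
and ages out attempts that are older than ttl seconds.  Nothing here is
normative 802.16; field sizes and limits are assumptions.
"""
import struct
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumed wire layout: 6-byte target BSID, 6-byte MSS address, 1-byte PKM
# code, 2-byte payload length, then the unmodified PKMv2 message body.
HEADER = struct.Struct("!6s6sBH")


@dataclass
class RoutablePKM:
    bsid: bytes      # target BS identifier (6 bytes, assumed)
    msid: bytes      # MSS address (6 bytes)
    code: int        # PKM message code, carried through unchanged
    payload: bytes   # the normal PKMv2 message body

    def pack(self) -> bytes:
        if len(self.bsid) != 6 or len(self.msid) != 6:
            raise ValueError("BSID and MSID must be 6 bytes")
        if len(self.payload) > 0xFFFF:
            raise ValueError("payload too long for 16-bit length field")
        return HEADER.pack(self.bsid, self.msid, self.code,
                           len(self.payload)) + self.payload

    @classmethod
    def unpack(cls, data: bytes) -> "RoutablePKM":
        if len(data) < HEADER.size:
            raise ValueError("truncated routable PKM header")
        bsid, msid, code, length = HEADER.unpack_from(data)
        body = data[HEADER.size:]
        if len(body) != length:
            raise ValueError("payload length mismatch")
        return cls(bsid, msid, code, body)


@dataclass
class ServingBS:
    """Forwards routable PKM messages and bounds the pre-auth state it keeps."""
    routes: dict                  # bsid -> (host, port) BS-BS transport address
    max_targets: int = 4          # DJ suggests 3-4; 4 is assumed here
    ttl: float = 300.0            # aging interval in seconds (assumed)
    # msid -> {bsid -> time of the last pre-auth message to that BS}
    preauth: dict = field(default_factory=dict)

    def expire(self, now: float) -> None:
        """Drop pre-auth entries older than ttl so abandoned attempts do not accumulate."""
        for msid in list(self.preauth):
            live = {b: t for b, t in self.preauth[msid].items() if now - t < self.ttl}
            if live:
                self.preauth[msid] = live
            else:
                del self.preauth[msid]

    def forward(self, raw: bytes, now: Optional[float] = None):
        """Return ((host, port), "forwarded") or (None, reason) for a raw message."""
        now = time.time() if now is None else now
        self.expire(now)
        msg = RoutablePKM.unpack(raw)
        if msg.bsid not in self.routes:
            return None, "unknown BSID"
        targets = self.preauth.setdefault(msg.msid, {})
        # A new target counts against the cap; a repeat to a known target only refreshes it.
        if msg.bsid not in targets and len(targets) >= self.max_targets:
            return None, "pre-auth target limit reached"
        targets[msg.bsid] = now
        return self.routes[msg.bsid], "forwarded"


if __name__ == "__main__":
    # Constructed sample: seven neighbour BSs and one MSS trying all of them.
    routes = {bytes([0, 0, 0, 0, 0, i]): ("10.0.0.%d" % i, 4000) for i in range(1, 8)}
    bs = ServingBS(routes=routes)
    mss = b"\x00\x11\x22\x33\x44\x55"
    for i in range(1, 8):
        raw = RoutablePKM(bytes([0, 0, 0, 0, 0, i]), mss, 4, b"PKM-REQ").pack()
        print(i, bs.forward(raw, now=float(i)))
```

The cap is checked only for a new target, so retransmissions to a BS the MSS is already pre-authenticating with are not blocked, and `expire` runs on every forward so a stale attempt frees a slot without a separate timer.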


-----Original Message-----
From: owner-stds-802-16-mobile@listserv.ieee.org
[mailto:owner-stds-802-16-mobile@listserv.ieee.org] On Behalf Of Jeff
Mandin
Sent: Monday, June 07, 2004 10:41 AM
To: STDS-802-16-MOBILE@listserv.ieee.org
Subject: [STDS-802-16-MOBILE] [security] Pre-authentication discussion
(resend)


From the discussion about post-handoff authentication, there seems to
be consensus in the adhoc for Jung-won's idea that two mechanisms will
co-exist:

    1) Pre-authentication
    2) Backbone Transfer of Derived Context (suitably secured obviously)

I'd like to hear adhoc-ers' views on how generally to support
pre-authentication in PKMv2.

The mechanism we choose for supporting pre-authentication has
potentially significant implications.  The requirements for pre-auth
support would be:

     1. Well-understood behaviour

     2. Facilitate pre-auth to a BS on the same provider or a different
provider.

     3. Enable establishment of the shared-secret Pairwise Master Key
and determination of success/failure of the authentication

     4. Do not preclude pre-auth to different media (via 802.21 or
what-have-you).  Similarly, do not preclude pre-auth to an unadvertised
neighbor.

802.1X authentication satisfies all of these. The caveat is that for the
moment 802.1X can only be used within a single IP subnet; but extending
it to work over IP has been discussed a lot and seems trivial.


- Jeff Mandin
Security Adhoc Chair