Re: [STDS-802-16-MOBILE] [security] Pre-authentication discussion (resend)
DJ,
Comments inline.
Johnston, Dj wrote:
>Jeff,
>
>For pre-authentication, I am proposing a routable PKM packet.
>Specifically, a PKM message format that contains a BSID field. The BS
>uses this field to map to some BS-BS transport address and send the
>packets on their way.
>
>All normal PKMv2 maessages can be carried in this routable form.
>
>
This isn't really routing packets. As Yong Chang said, the Serving BS
is acting as a proxy.
Some reasons for preferring the other approach are in the previous
email. I would add the fact that most of the PKM messages make no sense
at all in a "remote" scenario.
But more fundamentally: ..... there is no reason for the serving BS to
be actively involved in the exchange. There's no architectural need for
changes in the MAC that I can see, since the aim is to set up a Secure
Association and established a shared Master Key.
I think this remains true even with the new features you have proposed
ie. the AAID.
>Thus an MSS can pre-authenticate remotely.
>
>Along with this, AA aging is required to prevent AA state building up
>and some guideline on how many BSs an MSS may try to pre-auth to. I'm
>thinking of something like 3-4 as a maximum, so that MSSs can't just
>pre-auth with everything and create an excessing system load.
>
>
Yes absolutely. In this respect the requirements of .16 are somewhere
between 3G - which I understand has rapid aging - and .11.
Regards,
- Jeff
Jeff Mandin
Security Adhoc Chair
>DJ
>
>
>-----Original Message-----
>From: owner-stds-802-16-mobile@listserv.ieee.org
>[mailto:owner-stds-802-16-mobile@listserv.ieee.org] On Behalf Of Jeff
>Mandin
>Sent: Monday, June 07, 2004 10:41 AM
>To: STDS-802-16-MOBILE@listserv.ieee.org
>Subject: [STDS-802-16-MOBILE] [security] Pre-authentication discussion
>(resend)
>
>
> From the discussion about post-handoff authentication, there seems to
>be consensus in the adhoc for Jung-won's idea that two mechanisms will
>co-exist:
>
> 1) Pre-authentication
> 2) Backbone Transfer of Derived Context (suitably secured obviously)
>
>I'd like to hear adhoc-ers' views on how generally to support
>pre-authentication in PKMv2.
>
>The mechanism we choose for supporting pre-authentication has
>potentially significant implications. The requirements for pre-auth
>support would be:
>
> 1. Well-understood behaviour
>
> 2. Facilitate pre-auth to a BS on the same provider or a different
>provider.
>
> 3. Enable establishment of the shared-secret Pairwise Master Key
>and determination of success/failure of the authentication
>
> 4. Do not preclude pre-auth to different media (via 802.21 or
>what-have-you). Similarly, do not preclude pre-auth to an unadvertised
>neighbor.
>
>802.1X authentication satisfies all of these. The caveat is that for the
>moment 802.1X can only be used within a single IP subnet; but extending
>it to work over IP has been discussed a lot and seems trivial.
>
>
>- Jeff Mandin
>Security Adhoc Chair
>
>
>