datatracker.ietf.org
Sign in
Version 5.9.0, 2014-12-18
Report a bug

Handover Keying (HOKEY) Architecture Design
RFC 6697

Internet Engineering Task Force (IETF)                      G. Zorn, Ed.
Request for Comments: 6697                                   Network Zen
Category: Informational                                            Q. Wu
ISSN: 2070-1721                                                T. Taylor
                                                                  Huawei
                                                                  Y. Nir
                                                             Check Point
                                                               K. Hoeper
                                                Motorola Solutions, Inc.
                                                              S. Decugis
                                                           INSIDE Secure
                                                               July 2012

              Handover Keying (HOKEY) Architecture Design

Abstract

   The Handover Keying (HOKEY) Working Group seeks to minimize handover
   delay due to authentication when a peer moves from one point of
   attachment to another.  Work has progressed on two different
   approaches to reduce handover delay: early authentication (so that
   authentication does not need to be performed during handover), and
   reuse of cryptographic material generated during an initial
   authentication to save time during re-authentication.  A basic
   assumption is that the mobile host or "peer" is initially
   authenticated using the Extensible Authentication Protocol (EAP),
   executed between the peer and an EAP server as defined in RFC 3748.

   This document defines the HOKEY architecture.  Specifically, it
   describes design objectives, the functional environment within which
   handover keying operates, the functions to be performed by the HOKEY
   architecture itself, and the assignment of those functions to
   architectural components.  It goes on to illustrate the operation of
   the architecture within various deployment scenarios that are
   described more fully in other documents produced by the HOKEY Working
   Group.

Zorn, et al.                  Informational                     [Page 1]
RFC 6697                HOKEY Architecture Design              July 2012

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6697.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Zorn, et al.                  Informational                     [Page 2]
RFC 6697                HOKEY Architecture Design              July 2012

Table of Contents

   1. Introduction ....................................................3
   2. Terminology .....................................................6
   3. Design Goals ....................................................6
      3.1. Reducing Signaling Overhead ................................7
           3.1.1. Minimized Communications with Home Servers ..........7
           3.1.2. Minimized User Interaction for Authentication .......7
      3.2. Integrated Local Domain Name (LDN) Discovery ...............7
      3.3. Fault-Tolerant Re-Authentication ...........................8
      3.4. Improved Deployment Scalability ............................8
   4. Required Functionality ..........................................8
      4.1. Authentication Subsystem Functional Overview ...............8
      4.2. Pre-Authentication Function (Direct or Indirect) ...........9
      4.3. EAP Re-Authentication Function .............................9
      4.4. EAP Authentication Function ...............................10

[include full document text]