[Search] [pdf|bibtex] [Tracker] [Email] [Nits]

Versions: 00 01 02                                                      
   MIP6 Working Group                                       G. Giaretta
   Internet Draft                                           I. Guardini
   Expires: April 2005                                       E. Demaria
                                                                  TILab
                                                           J. Bournelle
                                                 M. Laurent-Maknavicius
                                                                GET/INT
                                                           October 2004


           Application Master Session Key (AMSK) for Mobile IPv6
                     <draft-giaretta-mip6-amsk-00.txt>

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667. By submitting this Internet-Draft, I
   certify that any applicable patent or other IPR claims of which I am
   aware have been disclosed, and any of which I become aware will be
   disclosed, in accordance with RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   The Extensible Authentication Protocol (EAP) defines an extensible
   framework for performing network access authentication. Most EAP
   authentication algorithms, also known as "methods", export keying
   material that can be used with lower layer ciphersuites. It is also
   possible for EAP peers to exploit the EAP keying framework to derive
   Application Master Session Keys (AMSKs) for specific applications.
   This document defines how to generate an Application Master Session
   Key (AMSK) specific to Mobile IPv6. This AMSK can be used by Mobile
   Node and Home Agent as the shared secret needed to bootstrap Mobile
   IPv6 protocol operation.




Giaretta, et al.         Expires - April 2005                 [Page 1]


Internet-Draft           AMSK for Mobile IPv6             October 2004


Table of Contents

   1.   Introduction................................................3
   2.   Terminology.................................................4
   3.   Operational Flow............................................6
   4.   AMSK derivation.............................................8
   5.   Usage Scenario..............................................9
   6.   Security Considerations....................................10
   Acknowledgments.................................................11
   References......................................................11
   Authors' Addresses..............................................13
   Intellectual Property Statement.................................14







































Giaretta, et al.         Expires - April 2005                 [Page 2]


Internet-Draft           AMSK for Mobile IPv6             October 2004


1. Introduction

   Mobile IPv6 (MIPv6) requires that Mobile Nodes (MNs) and Home Agents
   (HAs) share a security association to protect binding management
   signaling. The MIPv6 protocol specification mandates the use of IPsec
   for this purpose [1] and therefore requires the MN to be provisioned
   with the data needed to bootstrap an IPsec Security Association (SA)
   with its Home Agent. This is one of the main issues of the so called
   Mobile IPv6 bootstrapping problem [2].

   The IPsec SA between MN and HA can be established from a shared
   secret using IKE with Pre-Shared Key (PSK) authentication [3]. In
   scenarios where network access control is based on EAP that shared
   secret (i.e. PSK) can be derived from the EAP key hierarchy [4].
   Clearly this solution requires the use of an EAP method capable to
   export keying material to other applications.

   This document defines how to generate an Application Master Session
   Key (AMSK) specific to Mobile IPv6. This AMSK can be used by MN and
   HA as the PSK needed to establish the IPsec Security Association
   through IKE.






























Giaretta, et al.         Expires - April 2005                 [Page 3]


Internet-Draft           AMSK for Mobile IPv6             October 2004


2. Terminology

   Most of the terms used in this document are defined in this section;
   more detailed general mobility and EAP terminology can be found in
   [5] and [4].

   MSK   Master Session key

         Keying material that is derived between the EAP peer and server
         and exported by the EAP method. The MSK is at least 64 octets
         in length.

   EMSK  Extended Master Session Key

         Additional keying material derived between the peer and server
         that is exported by the EAP method. The EMSK is at least 64
         octets in length, and is never shared with a third party.

   AMSK  Application Master Session Key

         Keys derived from the EMSK which are cryptographically separate
         from each other.

   MN    Mobile Node

         A node that can change its point of attachment from one link to
         another, while still being reachable via its home address.

   HA    Home Agent

         A router on a mobile node's home link with which the mobile
         node has registered its current care-of address.  While the
         mobile node is away from home, the home agent intercepts
         packets on the home link addressed to the mobile node's home
         address, encapsulates them, and tunnels them to the mobile
         node's registered care-of address.

   BU    Binding Update

         A message indicating a mobile node's current mobility binding,
         and in particular its care-of address.

   BA    Binding Acknowledgement

         A message used to acknowledge receipt of a Binding Update.






Giaretta, et al.         Expires - April 2005                 [Page 4]


Internet-Draft           AMSK for Mobile IPv6             October 2004


   AAA server

         A server that provides authentication, authorization and
         accounting services. It is the server that terminates the EAP
         authentication method with the peer.














































Giaretta, et al.         Expires - April 2005                 [Page 5]


Internet-Draft           AMSK for Mobile IPv6             October 2004


3. Operational Flow

   Figure 1 shows how the AMSK defined in this document is derived and
   distributed. The procedure requires an EAP method capable to export
   dynamic keys (e.g. EAP-FAST [6], PEAPv2 [7], EAP-SIM [8], EAP-AKA
   [9]) and involves the following steps:

   - the MN and the AAA server of the home domain undertake the EAP
     exchange for user authentication. The EAP method must support the
     derivation of an Extended Master Session Key (EMSK) on EAP peers;

   - at the end of EAP exchange, MN and AAA server (i.e. the EAP peers)
     derive MSK and EMSK;

   - MN and AAA server derive an AMSK for MIPv6 from the EMSK. The key
     derivation function is described in section 4. The lifetime of the
     AMSK is managed as a system parameter and must not be higher than
     the lifetime of the EMSK (as stated in [4]). As a default choice
     the two lifetimes should be equal;

   - the AAA server sends the AMSK and the associated lifetime to the
     Home Agent (HA) using a suitable AAA-HA protocol (e.g. a new
     Diameter application), whose definition is out of the scope of the
     present document. The AAA server must specify a MN's identifier
     (e.g. NAI) to allow the HA to bind the AMSK with incoming MIPv6
     signaling;

   - afterwards the Mobile IPv6 AMSK can be used by the MN and the
     designated HA to derive the Pre-Shared Key (PSK) for IPsec
     bootstrapping (see section 5.1).





















Giaretta, et al.         Expires - April 2005                 [Page 6]


Internet-Draft           AMSK for Mobile IPv6             October 2004


                                        AAA
          MN +-----------------------+ server +-----------------+ HA

            /-------------------------\
           /            EAP            \
           \          exchange         /
            \-------------------------/
        +------+                      +------+
        | EMSK |                      | EMSK |
        +------+                      +------+

     +------------+                +------------+
     | MIP6-AMSK  |                | MIP6-AMSK  |
     | derivation |                | derivation |
     +------------+                +------------+

                                              /------------------\
                                             /     MIPv6-AMSK     \
                                             \      transfer      /
                                              \------------------/

                         Figure 1 - Message Flow





























Giaretta, et al.         Expires - April 2005                 [Page 7]


Internet-Draft           AMSK for Mobile IPv6             October 2004


4. AMSK derivation

   The Mobile IPv6 AMSK is derived through the key derivation function
   specified in [4] and shown below for the sake of clarity.

   KDF (K,L,D,O) = T1 | T2 | T3 | T4 | ...

         where:
         T1 = prf (K, S | 0x01)
         T2 = prf (K, T1 | S | 0x02)
         T3 = prf (K, T2 | S | 0x03)
         T4 = prf (K, T3 | S | 0x04)

         prf = HMAC-SHA1
         K = EMSK
         L = key label
         D = application data
         O = OutputLength (2 bytes)
         S = L | " " | D | O

   The application specific parameters are set as follows:

   - key label = "MIPv6-key"

   - application data = Home Agent address

   - output length = 128 bits

   The application data is needed to guarantee the generation of
   independent AMSKs for different HAs and different MNs. The former is
   guaranteed by the availability of the HA address in the application
   data. The latter is guaranteed by the EMSK, that is bound to the EAP
   session and therefore MN-specific. If the MN has several home
   addresses allocated by the same HA, it can use the same AMSK for all
   the correspondent IKE sessions.

   Avoiding the insertion of the home address in the application data
   has the additional advantage of allowing the MN to derive the AMSK
   even if it does not know its home address. This is what might happen
   in some dynamic home address assignment scenarios.

   As specified in [4], the lifetime of keys calculated from key
   material exported by EAP methods can not be longer than the lifetime
   of the exported keying material. As a default choice the lifetime of
   AMSK for MIPv6 is set equal to the lifetime of the EMSK and must be
   sent by the AAA server to the HA.





Giaretta, et al.         Expires - April 2005                 [Page 8]


Internet-Draft           AMSK for Mobile IPv6             October 2004


5. Usage Scenario

   The Mobile IPv6 AMSK, eventually truncated, can be directly used as
   the PSK needed to bootstrap the IPsec Security Association between MN
   and HA through IKE.

   Since the key serves only for identity verification and not for
   ciphering purposes, there is no need to re-generate the PSK at
   regular intervals. However, the MIPv6 AMSK, and consequently also the
   PSK, must be refreshed whenever a new EMSK is generated (i.e. during
   re-authentication events). Nonetheless, the derivation of a new PSK
   should not cause the immediate re-negotiation of a new IKE SA or
   IPsec SA. Any on-going IKE SA or IPsec SA should continue till its
   expiration. Instead, the negotiation (or re-negotiation) of a new IKE
   SA or IPsec SA must use the new pre-shared key derived from the
   latest MIPv6 AMSK.



































Giaretta, et al.         Expires - April 2005                 [Page 9]


Internet-Draft           AMSK for Mobile IPv6             October 2004


6. Security Considerations

   Sending the AMSK for Mobile IPv6 from the AAA server to the HA
   requires that the protocol used for AAA-HA communication provides
   mutual authentication, integrity/reply protection and
   confidentiality.

   Moreover, since this document is strongly based on EAP [10] and the
   EAP Keying Management Framework [4], additional security
   considerations are bound to those valid for the EAP Keying Framework
   (section 5 of [4]).








































Giaretta, et al.         Expires - April 2005                [Page 10]


Internet-Draft           AMSK for Mobile IPv6             October 2004


Acknowledgments

   The authors would like to thank Alpesh Patel for reviewing the
   document.


References

[1] Johnson, D., Perkins, C. and J. Arkko, "Mobility Support in IPv6",
    RFC 3775, June 2004.

[2] Patel, A. et al. "Problem Statement for bootstrapping Mobile IPv6",
    draft-ietf-mip6-bootstrap-ps-00 (work in progress), July 2004.

[3] Arkko, J., Devarapalli, V., Dupont, F., "Using IPsec to Protect
    Mobile IPv6 Signaling between Mobile Nodes and Home Agents", RFC
    3776, June 2004.

[4] Aboba, B., Simon, D., Arkko, J., Levkowetz, H., "EAP Key Management
    Framework", draft-ietf-eap-keying-03(work in progress), July 2004.

[5] Manner, J., Kojo, M. "Mobility Related Terminology", RFC 3753, June
    2004.

[6] N.Cam-Winget, D. McGrew, J. Salowey, H.Zhou, "EAP Flexible
    Authentication via Secure Tunneling (EAP-FAST)", draft-cam-winget-
    eap-fast-00.txt (work in progress), February 2004

[7] Palekar, A. et al., "Protected EAP Protocol (PEAP) Version 2",
    draft-josefsson-pppext-eap-tls-eap-08 (work in progress), July 2004.

[8] Haverinen, H. and J. Salowey, "Extensible Authentication Protocol
    Method for GSM Subscriber Identity Modules (EAP-SIM)", draft-
    haverinen-pppext-eap-sim-13 (work in progress), April 2004.

[9] Arkko, J. and H. Haverinen, "EAP-AKA Authentication", draft-arkko-
    pppext-eap-aka-12 (work in progress), April 2004.

[10] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J. and H.
     Lefkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748,
     June 2004.




Giaretta, et al.         Expires - April 2005                [Page 11]


Internet-Draft           AMSK for Mobile IPv6             October 2004


[11] Giaretta, G., Guardini, I., Demaria, E., Bournelle, J., Laurent-
     Maknavicius, M., "MIPv6 Authorization and Configuration based on
     EAP", draft-giaretta-mip6-authorization-eap-02 (work in progress),
     October 2004.















































Giaretta, et al.         Expires - April 2005                [Page 12]


Internet-Draft           AMSK for Mobile IPv6             October 2004


Authors' Addresses

   Gerardo Giaretta
   Telecom Italia Lab
   via G. Reiss Romoli, 274
   10148 TORINO
   Italy
   Phone: +39 011 2286904
   Email: gerardo.giaretta@tilab.com

   Ivano Guardini
   Telecom Italia Lab
   via G. Reiss Romoli, 274
   10148 TORINO
   Italy
   Phone: +39 011 2285424
   Email: ivano.guardini@tilab.com

   Elena Demaria
   Telecom Italia Lab
   via G. Reiss Romoli, 274
   10148 TORINO
   Italy
   Phone: +39 011 2285403
   Email: elena.demaria@tilab.com

   Julien Bournelle
   GET/INT
   9 rue Charles Fourier
   Evry  91011
   France
   Email: julien.bournelle@int-evry.fr

   Maryline Laurent-Maknavicius
   GET/INT
   9 rue Charles Fourier
   Evry  91011
   France
   Email: maryline.maknavicius@int-evry.fr












Giaretta, et al.         Expires - April 2005                [Page 13]


Internet-Draft           AMSK for Mobile IPv6             October 2004



Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights. Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   ietf-ipr@ietf.org.


Full Copyright Statement

   Copyright (C) The Internet Society (2004). All Rights Reserved.

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



Giaretta, et al.         Expires - April 2005                [Page 14]