MIP6 Working Group G. Giaretta
Internet Draft I. Guardini
Expires: April 2005 E. Demaria
TILab
J. Bournelle
M. Laurent-Maknavicius
GET/INT
October 2004
Application Master Session Key (AMSK) for Mobile IPv6
<draft-giaretta-mip6-amsk-00.txt>
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, I
certify that any applicable patent or other IPR claims of which I am
aware have been disclosed, and any of which I become aware will be
disclosed, in accordance with RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
The Extensible Authentication Protocol (EAP) defines an extensible
framework for performing network access authentication. Most EAP
authentication algorithms, also known as "methods", export keying
material that can be used with lower layer ciphersuites. It is also
possible for EAP peers to exploit the EAP keying framework to derive
Application Master Session Keys (AMSKs) for specific applications.
This document defines how to generate an Application Master Session
Key (AMSK) specific to Mobile IPv6. This AMSK can be used by Mobile
Node and Home Agent as the shared secret needed to bootstrap Mobile
IPv6 protocol operation.
Giaretta, et al. Expires - April 2005 [Page 1]
Internet-Draft AMSK for Mobile IPv6 October 2004
Table of Contents
1. Introduction
2. Terminology
3. Operational Flow
4. AMSK derivation
5. Usage Scenario
6. Security Considerations
Acknowledgments
References
Authors' Addresses
Intellectual Property Statement
1. Introduction
Mobile IPv6 (MIPv6) requires that Mobile Nodes (MNs) and Home Agents
(HAs) share a security association to protect binding management
signaling. The MIPv6 protocol specification mandates the use of IPsec
for this purpose [1] and therefore requires the MN to be provisioned
with the data needed to bootstrap an IPsec Security Association (SA)
with its Home Agent. This is one of the main issues of the so-called
Mobile IPv6 bootstrapping problem [2].
The IPsec SA between MN and HA can be established from a shared
secret using IKE with Pre-Shared Key (PSK) authentication [3]. In
scenarios where network access control is based on EAP, that shared
secret (i.e. the PSK) can be derived from the EAP key hierarchy [4].
Clearly this solution requires the use of an EAP method capable of
exporting keying material to other applications.
This document defines how to generate an Application Master Session
Key (AMSK) specific to Mobile IPv6. This AMSK can be used by MN and
HA as the PSK needed to establish the IPsec Security Association
through IKE.
2. Terminology
Most of the terms used in this document are defined in this section;
more detailed general mobility and EAP terminology can be found in
[5] and [4].
MSK Master Session Key
Keying material that is derived between the EAP peer and server
and exported by the EAP method. The MSK is at least 64 octets
in length.
EMSK Extended Master Session Key
Additional keying material derived between the peer and server
that is exported by the EAP method. The EMSK is at least 64
octets in length, and is never shared with a third party.
AMSK Application Master Session Key
Keys derived from the EMSK which are cryptographically separate
from each other.
MN Mobile Node
A node that can change its point of attachment from one link to
another, while still being reachable via its home address.
HA Home Agent
A router on a mobile node's home link with which the mobile
node has registered its current care-of address. While the
mobile node is away from home, the home agent intercepts
packets on the home link addressed to the mobile node's home
address, encapsulates them, and tunnels them to the mobile
node's registered care-of address.
BU Binding Update
A message indicating a mobile node's current mobility binding,
and in particular its care-of address.
BA Binding Acknowledgement
A message used to acknowledge receipt of a Binding Update.
AAA server
A server that provides authentication, authorization and
accounting services. It is the server that terminates the EAP
authentication method with the peer.
3. Operational Flow
Figure 1 shows how the AMSK defined in this document is derived and
distributed. The procedure requires an EAP method capable of exporting
dynamic keys (e.g. EAP-FAST [6], PEAPv2 [7], EAP-SIM [8], EAP-AKA
[9]) and involves the following steps:
- the MN and the AAA server of the home domain undertake the EAP
exchange for user authentication. The EAP method must support the
derivation of an Extended Master Session Key (EMSK) on EAP peers;
- at the end of the EAP exchange, MN and AAA server (i.e. the EAP peers)
derive MSK and EMSK;
- MN and AAA server derive an AMSK for MIPv6 from the EMSK. The key
derivation function is described in section 4. The lifetime of the
AMSK is managed as a system parameter and must not be higher than
the lifetime of the EMSK (as stated in [4]). As a default choice
the two lifetimes should be equal;
- the AAA server sends the AMSK and the associated lifetime to the
Home Agent (HA) using a suitable AAA-HA protocol (e.g. a new
Diameter application), whose definition is out of the scope of the
present document. The AAA server must specify an MN identifier
(e.g. NAI) to allow the HA to bind the AMSK with incoming MIPv6
signaling;
- afterwards the Mobile IPv6 AMSK can be used by the MN and the
designated HA to derive the Pre-Shared Key (PSK) for IPsec
bootstrapping (see section 5.1).
                                AAA
   MN +-----------------------+ server +-----------------+ HA

     /-------------------------\
    /           EAP             \
    \         exchange          /
     \-------------------------/

    +------+                   +------+
    | EMSK |                   | EMSK |
    +------+                   +------+

 +------------+             +------------+
 | MIP6-AMSK  |             | MIP6-AMSK  |
 | derivation |             | derivation |
 +------------+             +------------+

                                 /------------------\
                                /     MIPv6-AMSK     \
                                \      transfer      /
                                 \------------------/

                    Figure 1 - Message Flow
4. AMSK derivation
The Mobile IPv6 AMSK is derived through the key derivation function
specified in [4] and shown below for the sake of clarity.
KDF (K,L,D,O) = T1 | T2 | T3 | T4 | ...
where:
T1 = prf (K, S | 0x01)
T2 = prf (K, T1 | S | 0x02)
T3 = prf (K, T2 | S | 0x03)
T4 = prf (K, T3 | S | 0x04)
prf = HMAC-SHA1
K = EMSK
L = key label
D = application data
O = OutputLength (2 bytes)
S = L | " " | D | O
The application specific parameters are set as follows:
- key label = "MIPv6-key"
- application data = Home Agent address
- output length = 128 bits
The application data is needed to guarantee the generation of
independent AMSKs for different HAs and different MNs. The former is
guaranteed by the presence of the HA address in the application
data. The latter is guaranteed by the EMSK, which is bound to the EAP
session and is therefore MN-specific. If the MN has several home
addresses allocated by the same HA, it can use the same AMSK for all
the corresponding IKE sessions.
Avoiding the insertion of the home address in the application data
has the additional advantage of allowing the MN to derive the AMSK
even if it does not know its home address. This is what might happen
in some dynamic home address assignment scenarios.
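The derivation above, written out as an added example (not part of the
draft and not the authors' code). It assumes the separator in S is the
single space printed in the formula, that O carries the output length in
bits as a 2-byte big-endian integer, and that the Home Agent address
enters S as its 16-octet binary form; the EMSK values and addresses are
constructed samples.

```python
import hashlib
import hmac
import ipaddress
import struct

LABEL = b"MIPv6-key"      # key label from section 4
OUT_BITS = 128            # output length from section 4


def kdf(k: bytes, label: bytes, data: bytes, out_bits: int) -> bytes:
    """KDF(K,L,D,O) = T1 | T2 | ... truncated to out_bits, prf = HMAC-SHA1."""
    if out_bits <= 0 or out_bits % 8:
        raise ValueError("output length must be a positive multiple of 8 bits")
    # Assumption: O is the bit count as a 2-byte big-endian integer and the
    # separator is the single space printed in the formula.
    s = label + b" " + data + struct.pack("!H", out_bits)
    out, t, counter = b"", b"", 1
    while len(out) * 8 < out_bits:
        if counter > 0xFF:
            raise ValueError("requested output exceeds 255 PRF blocks")
        # T1 = prf(K, S | 0x01); Tn = prf(K, Tn-1 | S | n)
        t = hmac.new(k, t + s + bytes([counter]), hashlib.sha1).digest()
        out += t
        counter += 1
    return out[: out_bits // 8]


def mip6_amsk(emsk: bytes, ha_address: str) -> bytes:
    """Derive the Mobile IPv6 AMSK for one Home Agent from the EMSK."""
    if len(emsk) < 64:
        raise ValueError("EMSK must be at least 64 octets")
    # Assumption: the HA address enters S as its 16-octet binary form,
    # so textual variants of the same address give the same key.
    ha = ipaddress.IPv6Address(ha_address).packed
    return kdf(emsk, LABEL, ha, OUT_BITS)


if __name__ == "__main__":
    # Constructed sample values, not test vectors from any specification.
    emsk_a = bytes(range(64))
    emsk_b = bytes(range(1, 65))
    for emsk, ha in [(emsk_a, "2001:db8::1"), (emsk_a, "2001:db8::2"),
                     (emsk_b, "2001:db8::1")]:
        print(ha, mip6_amsk(emsk, ha).hex())
```

The three printed keys differ: the first two share an EMSK but name
different HAs, the last shares the HA but comes from another EAP session.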
As specified in [4], the lifetime of keys calculated from key
material exported by EAP methods cannot be longer than the lifetime
of the exported keying material. As a default choice the lifetime of
AMSK for MIPv6 is set equal to the lifetime of the EMSK and must be
sent by the AAA server to the HA.
5. Usage Scenario
The Mobile IPv6 AMSK, truncated if necessary, can be directly used as
the PSK needed to bootstrap the IPsec Security Association between MN
and HA through IKE.
Since the key serves only for identity verification and not for
ciphering purposes, there is no need to re-generate the PSK at
regular intervals. However, the MIPv6 AMSK, and consequently also the
PSK, must be refreshed whenever a new EMSK is generated (i.e. during
re-authentication events). Nonetheless, the derivation of a new PSK
should not cause the immediate re-negotiation of a new IKE SA or
IPsec SA. Any on-going IKE SA or IPsec SA should continue until its
expiration. Instead, the negotiation (or re-negotiation) of a new IKE
SA or IPsec SA must use the new pre-shared key derived from the
latest MIPv6 AMSK.
6. Security Considerations
Sending the AMSK for Mobile IPv6 from the AAA server to the HA
requires that the protocol used for AAA-HA communication provides
mutual authentication, integrity/replay protection and
confidentiality.
Moreover, since this document is strongly based on EAP [10] and the
EAP Keying Management Framework [4], additional security
considerations are bound to those valid for the EAP Keying Framework
(section 5 of [4]).
Acknowledgments
The authors would like to thank Alpesh Patel for reviewing the
document.
References
[1] Johnson, D., Perkins, C. and J. Arkko, "Mobility Support in IPv6",
RFC 3775, June 2004.
[2] Patel, A. et al. "Problem Statement for bootstrapping Mobile IPv6",
draft-ietf-mip6-bootstrap-ps-00 (work in progress), July 2004.
[3] Arkko, J., Devarapalli, V., Dupont, F., "Using IPsec to Protect
Mobile IPv6 Signaling between Mobile Nodes and Home Agents", RFC
3776, June 2004.
[4] Aboba, B., Simon, D., Arkko, J., Levkowetz, H., "EAP Key Management
Framework", draft-ietf-eap-keying-03 (work in progress), July 2004.
[5] Manner, J., Kojo, M. "Mobility Related Terminology", RFC 3753, June
2004.
[6] N. Cam-Winget, D. McGrew, J. Salowey, H. Zhou, "EAP Flexible
Authentication via Secure Tunneling (EAP-FAST)", draft-cam-winget-
eap-fast-00.txt (work in progress), February 2004.
[7] Palekar, A. et al., "Protected EAP Protocol (PEAP) Version 2",
draft-josefsson-pppext-eap-tls-eap-08 (work in progress), July 2004.
[8] Haverinen, H. and J. Salowey, "Extensible Authentication Protocol
Method for GSM Subscriber Identity Modules (EAP-SIM)", draft-
haverinen-pppext-eap-sim-13 (work in progress), April 2004.
[9] Arkko, J. and H. Haverinen, "EAP-AKA Authentication", draft-arkko-
pppext-eap-aka-12 (work in progress), April 2004.
[10] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J. and H.
Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748,
June 2004.
[11] Giaretta, G., Guardini, I., Demaria, E., Bournelle, J., Laurent-
Maknavicius, M., "MIPv6 Authorization and Configuration based on
EAP", draft-giaretta-mip6-authorization-eap-02 (work in progress),
October 2004.
Authors' Addresses
Gerardo Giaretta
Telecom Italia Lab
via G. Reiss Romoli, 274
10148 TORINO
Italy
Phone: +39 011 2286904
Email: gerardo.giaretta@tilab.com
Ivano Guardini
Telecom Italia Lab
via G. Reiss Romoli, 274
10148 TORINO
Italy
Phone: +39 011 2285424
Email: ivano.guardini@tilab.com
Elena Demaria
Telecom Italia Lab
via G. Reiss Romoli, 274
10148 TORINO
Italy
Phone: +39 011 2285403
Email: elena.demaria@tilab.com
Julien Bournelle
GET/INT
9 rue Charles Fourier
Evry 91011
France
Email: julien.bournelle@int-evry.fr
Maryline Laurent-Maknavicius
GET/INT
9 rue Charles Fourier
Evry 91011
France
Email: maryline.maknavicius@int-evry.fr
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Full Copyright Statement
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.