Handover Keying (HOKEY) Architecture Design
RFC 6697
Internet Engineering Task Force (IETF) G. Zorn, Ed.
Request for Comments: 6697 Network Zen
Category: Informational Q. Wu
ISSN: 2070-1721 T. Taylor
Huawei
Y. Nir
Check Point
K. Hoeper
Motorola Solutions, Inc.
S. Decugis
INSIDE Secure
July 2012
Handover Keying (HOKEY) Architecture Design
Abstract
The Handover Keying (HOKEY) Working Group seeks to minimize handover
delay due to authentication when a peer moves from one point of
attachment to another. Work has progressed on two different
approaches to reduce handover delay: early authentication (so that
authentication does not need to be performed during handover), and
reuse of cryptographic material generated during an initial
authentication to save time during re-authentication. A basic
assumption is that the mobile host or "peer" is initially
authenticated using the Extensible Authentication Protocol (EAP),
executed between the peer and an EAP server as defined in RFC 3748.
This document defines the HOKEY architecture. Specifically, it
describes design objectives, the functional environment within which
handover keying operates, the functions to be performed by the HOKEY
architecture itself, and the assignment of those functions to
architectural components. It goes on to illustrate the operation of
the architecture within various deployment scenarios that are
described more fully in other documents produced by the HOKEY Working
Group.
Zorn, et al. Informational [Page 1]
RFC 6697 HOKEY Architecture Design July 2012
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6697.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Zorn, et al. Informational [Page 2]
RFC 6697 HOKEY Architecture Design July 2012
Table of Contents
1. Introduction ....................................................3
2. Terminology .....................................................6
3. Design Goals ....................................................6
3.1. Reducing Signaling Overhead ................................7
3.1.1. Minimized Communications with Home Servers ..........7
3.1.2. Minimized User Interaction for Authentication .......7
3.2. Integrated Local Domain Name (LDN) Discovery ...............7
3.3. Fault-Tolerant Re-Authentication ...........................8
3.4. Improved Deployment Scalability ............................8
4. Required Functionality ..........................................8
4.1. Authentication Subsystem Functional Overview ...............8
4.2. Pre-Authentication Function (Direct or Indirect) ...........9
4.3. EAP Re-Authentication Function .............................9
4.4. EAP Authentication Function ...............................10
4.5. Authenticated Anticipatory Keying (AAK) Function ..........10
4.6. Management of EAP-Based Handover Keys .....................10
Show full document text