802 21 ieee security tutorial


Page 1: 802 21 IEEE Security Tutorial

8/8/2019 802 21 IEEE Security Tutorial

http://slidepdf.com/reader/full/802-21-ieee-security-tutorial 1/106

21-08-0080-02-0sec 1

IEEE 802.21 MEDIA INDEPENDENT HANDOVER

DCN: 21-08-0080-02-0sec-security-signaling-during-handovers-tutorial

Title: Media-Independent Handover Security Tutorial

Date Submitted: March 18, 2008

Presented at IEEE 802.21 session #25 in Orlando

Authors or Source(s): Yoshihiro Ohba (Toshiba), Marc Meylemans (Intel), Subir Das (Telcordia Technologies)

Abstract: This document provides a tutorial on Media-Independent Handover Security

Wednesday, July 29, 2009

Page 2: 802 21 IEEE Security Tutorial

IEEE 802.21 presentation release statements

This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21.

The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual <http://standards.ieee.org/guides/opman/sect6.html#6.3> and in Understanding Patent Issues During IEEE Standards Development <http://standards.ieee.org/board/pat/guide.html>

The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws <http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and in Understanding Patent Issues During IEEE Standards Development <http://standards.ieee.org/board/pat/faq.pdf>

Page 4: 802 21 IEEE Security Tutorial

Overview of 802.21

Please refer to the Tutorial presented in July 2006

http://www.ieee802.org/21/Tutorials/802%2021-IEEE-Tutorial.ppt

Page 5: 802 21 IEEE Security Tutorial

IEEE 802.21 Standard: Media Independent Handover Services

• Optimize Layer 3 and above Handovers (e.g., 802.3 <> 802.11 <> 802.16 <> Cellular)
• Key Services
  • L2 Triggers and Measurement Reports (802.11, 802.16 radios); enables Network Initiated Handovers
  • Information Service: Optimum Network Discovery and Selection; Lower Power operation for Multi-Radio devices
  • Handover Messages: between Mobile Node (MN) <> Point of Service (PoS) (e.g., BS/AP); between PoS1 <> PoS2 (Resource Query, HO Indication)
• Further Information is available at www.ieee802.org/21

Page 6: 802 21 IEEE Security Tutorial

IEEE 802.21: Overview

[Figure: inputs to and output of 802.21. L2 Triggers & Measurements: State Change, Predictive, Network Initiated. Network Information: Available Networks, Neighbor Maps, Network Services. Handover Commands: Client Initiated, Network Initiated. Output: Vertical Handovers.]

[Figure: 802.21 MIH Function in the protocol stack. Protocol and Device Hardware (WLAN, Cellular, WMAN) provides L2 Triggers and Events and the Information Service; the 802.21 MIH Function offers Smart Triggers, Information Service and Handover Messages to Mobility Management Protocols and to Connection Management (Handover Management, Handover Policy, Handover Messages), used by Applications (VoIP/RTP). Side labels mark the IEEE 802.21 and IETF scopes.]

Page 11: 802 21 IEEE Security Tutorial

General MIH Reference Model and Service Access Points (SAPs)

[Figure: MIH Users (Layer 3 or Higher Layer Mobility Protocol) use the Media-Independent Handover Function (MIHF) through MIH_SAP. The MIHF reaches the Link Layer (IEEE 802.3, IEEE 802.11, IEEE 802.16) through MIH_LINK_SAP and LLC_SAP, and exchanges the MIH Protocol and MIH Services (ES, CS, IS) with a Remote MIHF through MIH_NET_SAP over the MIH Protocol Transport (Layer 2 or Layer 3).]

SAPs defined in IEEE 802.21 Specification: MIH_SAP, MIH_LINK_SAP, MIH_NET_SAP

Page 12: 802 21 IEEE Security Tutorial

Technical Challenges in Handovers

Challenge: Efficient Network Discovery and Selection
Motivation: Inter-Network Neighbor Advertisements reduce power consumption in scanning. The 802.11 module will only turn on if 802.11 coverage is available.

Challenge: Low Latency Handovers
Motivation: Requires inter-RAT interface. Speeds up handoff procedure (passing security keys, resource reservation).

Challenge: Service Provider’s Control in Target Network Selection
Motivation: Enables service providers to enforce handoff policies and decisions. Requires inter-RAT measurement reporting.

Challenge: Service Continuity
Motivation: Eliminate L3 mobility signaling in inter-RAT mobility by keeping L3 anchor in the previous RAT access gateway. Requires inter-RAT interface.

Target Preparation is the Key aspect of Optimized Handovers

Page 14: 802 21 IEEE Security Tutorial

Key Interfaces for Handovers

[Figure: Mobile Station (MS) reachable through AG-RAT1 and AG-RAT2; both access gateways connect to a Common Core containing HA, AAA, HSS, HLR and an Information Server. Interfaces are labelled R and S.]

AG: Access Gateway
RAT: Radio Access Technology
HA: Home Agent

1. Inter-RAT Neighbor Advertisements.
2. Inter-Access Gateway I/f: pass network context from Source to Target for Optimized Handovers.
3. Network-initiated Handovers require Measurement Reports and H/O messages over Core Network and air-interface.

Page 18: 802 21 IEEE Security Tutorial

802.21 History & Timeline

1H 2004: 802.21 WG Created
2H 2004: Call For Proposals
1H 2005: 14 Initial Proposals
2H 2005: Down selection
1H 2006: Initial 802.21 Draft Text
2H 2006: Initiate Amendments to 802.11u, 802.16g. IETF (MIPSHOP) on L3
WG Letter Ballot
Year 2007: Sponsor Ballot
Year 2008: 802.21 Spec Ratified *
2009-2010: 802.21 Deployment *

* Projected Timelines

Two New Study Groups (July 2007): Security in Handovers; Multi-Radio Power Management

Page 19: 802 21 IEEE Security Tutorial

Network Access Security Model

Page 20: 802 21 IEEE Security Tutorial

Network Access Security Steps

Step 1: Network access authentication
Step 2: Secure association
Step 3: Access control and ciphering

Entities involved:
• MN: Mobile Node
• PoA: Point of Attachment (e.g., Access Point)
• AS: Authentication Server (e.g., AAA server)

MN changes its PoA due to handover

[Figure: message sequence among MN, PoA and AS: Step 1 Network Access Authentication, Step 2 Secure Association, Step 3 Access Control and Ciphering.]

Network access security is all about how to bind the three steps together to provide appropriate security properties for network access with the use of security associations (SAs)

Page 21: 802 21 IEEE Security Tutorial

Security Associations (SAs)

SAmp: An SA between MN and PoA
SAma: An SA between MN and AS
SApa: An SA between PoA and AS

• SApa is pre-established through AAA or other protocols
• SAma will be established through a mutually authenticated key establishment as an access authentication (in Step 1)
• SAmp is dynamically established with creation of a Session Key

[Figure: MN, PoA and AS with SAmp between MN and PoA, SAma between MN and AS, and SApa between PoA and AS.]

Page 22: 802 21 IEEE Security Tutorial

Step 1 - Network Access Authentication

• MN and AS conduct EAP to establish SAma
• EAP (Extensible Authentication Protocol) exports two keys:
  • MSK (Master Session Key) - distributed from AS to PoA protected by SApa
  • EMSK (Extended Master Session Key) – used for other purposes
• EAP is transported at link-layer as well as higher layers
  • Link-layer EAP transport in IEEE 802: 802.1X, PKMv2
  • Higher-layer EAP transport: PANA (Protocol for carrying Authentication for Network Access), IKEv2 (Internet Key Exchange version 2), RADIUS/Diameter

[Figure: EAP exchange among MN*, PoA* and AS*]
PoA -> MN: EAP-Request
MN -> PoA: EAP-Response; PoA -> AS: AAA{EAP-Response}
AS -> PoA: AAA{EAP-Request}; PoA -> MN: EAP-Request
... (further EAP-Request/EAP-Response rounds)
AS -> PoA: AAA{EAP-Success, MSK}; PoA -> MN: EAP-Success

* Note: MN, PoA and AS are EAP peer, authenticator and server, respectively, and represent one deployment model.

Page 24: 802 21 IEEE Security Tutorial

Step 3 – Access Control and Ciphering

• Access control enforces link-layer data frames to be exchanged between MN and PoA only after a successful run of Network Access Authentication and Secure Association
• Link-layer data frames are cryptographically protected with the use of ciphering keys depending on underlying link-layer technologies
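The three steps and the SAs that bind them (Steps 1 to 3 on the preceding slides), as a runnable added example. This is not code from the tutorial or from IEEE 802.21: the EAP run is a constructed nonce-based mutual authentication, the SApa transport, the key derivation, the addresses and all function names are this example's own stand-ins, and the MN credential is generated at random.

```python
"""Toy model of the three network access security steps and the SAs that bind them.
Added example, not from the tutorial: MN, PoA and AS are plain Python values, the EAP
run is a constructed nonce-based mutual authentication, and every key comes from
HMAC-SHA256. Shown: the MSK from Step 1 reaches the PoA only under SApa, the Step 2
session key (SAmp) is bound to the link addresses, and in Step 3 the PoA forwards a
data frame only if an SAmp exists for the sender and the frame's MIC verifies."""
import hashlib
import hmac
import os


def kdf(key: bytes, label: str, *parts: bytes) -> bytes:
    """HMAC-SHA256 derivation; stands in for the EAP method's and link-layer KDFs (assumption)."""
    h = hmac.new(key, label.encode(), hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


# Step 1: network access authentication between MN and AS, exporting an MSK on both sides.
def step1_authenticate(as_db: dict, mn_id: bytes, mn_secret: bytes):
    """Returns (msk_at_mn, msk_at_as), or (None, None) if either side rejects the other."""
    as_nonce, mn_nonce = os.urandom(16), os.urandom(16)    # exchanged inside the EAP method
    stored = as_db.get(mn_id)
    if stored is None:
        return None, None
    mn_proof = kdf(mn_secret, "mn-proof", as_nonce, mn_nonce)
    if not hmac.compare_digest(kdf(stored, "mn-proof", as_nonce, mn_nonce), mn_proof):
        return None, None                                   # AS rejects the MN (EAP-Failure)
    as_proof = kdf(stored, "as-proof", as_nonce, mn_nonce)
    if not hmac.compare_digest(kdf(mn_secret, "as-proof", as_nonce, mn_nonce), as_proof):
        return None, None                                   # MN rejects the AS (mutual authentication)
    # EAP-Success: both ends export the MSK (an EMSK would be exported the same way).
    return kdf(mn_secret, "MSK", as_nonce, mn_nonce), kdf(stored, "MSK", as_nonce, mn_nonce)


# MSK distribution from AS to PoA, protected by the pre-established SApa (encrypt-then-MAC;
# XOR with a derived keystream stands in for the AAA transport's own cipher).
def as_send_msk(sa_pa: bytes, msk: bytes) -> dict:
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msk, kdf(sa_pa, "enc", iv)))
    return {"iv": iv, "ct": ct, "mac": kdf(sa_pa, "mac", iv, ct)}


def poa_recv_msk(sa_pa: bytes, msg: dict):
    """The PoA accepts the MSK only if the MAC under SApa verifies; returns None otherwise."""
    if not hmac.compare_digest(kdf(sa_pa, "mac", msg["iv"], msg["ct"]), msg["mac"]):
        return None
    return bytes(a ^ b for a, b in zip(msg["ct"], kdf(sa_pa, "enc", msg["iv"])))


# Step 2: secure association between MN and PoA creates the session key of SAmp.
def step2_secure_association(msk: bytes, poa_addr: bytes, mn_addr: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Run by both sides with the same nonces and addresses, so both obtain the same session key."""
    return {"key": kdf(msk, "session-key", anonce, snonce, poa_addr, mn_addr), "last_seq": 0}


# Step 3: per-frame MIC under the session key, and access control at the PoA.
def mn_send(sa: dict, src: bytes, seq: int, payload: bytes) -> dict:
    mic = kdf(sa["key"], "mic", seq.to_bytes(4, "big"), payload)
    return {"src": src, "seq": seq, "payload": payload, "mic": mic}


def poa_enforce(sa_table: dict, frame: dict) -> str:
    """Forward only if an SAmp exists for the sender, the MIC verifies under it and the sequence number is fresh."""
    sa = sa_table.get(frame["src"])
    if sa is None:
        return "dropped: no SAmp for this MN"
    expected = kdf(sa["key"], "mic", frame["seq"].to_bytes(4, "big"), frame["payload"])
    if not hmac.compare_digest(expected, frame["mic"]):
        return "dropped: bad MIC"
    if frame["seq"] <= sa["last_seq"]:
        return "dropped: replay"
    sa["last_seq"] = frame["seq"]
    return "forwarded"


def run_demo() -> dict:
    """Runs the three steps for one MN and records what the PoA does with frames at each stage."""
    as_db = {b"mn-1": os.urandom(32)}                        # constructed MN credential held by the AS
    sa_pa = os.urandom(32)                                   # SApa, pre-established between PoA and AS
    mn_addr, poa_addr = bytes.fromhex("020000000001"), bytes.fromhex("040000000001")
    poa_sas, r = {}, {}
    # Before Steps 1 and 2 there is no SAmp, so even a well-formed frame is not forwarded.
    r["before_auth"] = poa_enforce(poa_sas, mn_send({"key": b"\0" * 32}, mn_addr, 1, b"hello"))
    r["wrong_secret_rejected"] = step1_authenticate(as_db, b"mn-1", os.urandom(32)) == (None, None)
    msk_mn, msk_as = step1_authenticate(as_db, b"mn-1", as_db[b"mn-1"])
    bad = as_send_msk(sa_pa, msk_as)
    bad["ct"] = bytes(b ^ 1 for b in bad["ct"])              # tampered in transit: fails the SApa MAC
    r["tampered_delivery_rejected"] = poa_recv_msk(sa_pa, bad) is None
    msk_poa = poa_recv_msk(sa_pa, as_send_msk(sa_pa, msk_as))
    r["msk_agree"] = msk_mn == msk_poa
    anonce, snonce = os.urandom(16), os.urandom(16)
    sa_mn = step2_secure_association(msk_mn, poa_addr, mn_addr, anonce, snonce)
    poa_sas[mn_addr] = step2_secure_association(msk_poa, poa_addr, mn_addr, anonce, snonce)
    r["after_sa"] = poa_enforce(poa_sas, mn_send(sa_mn, mn_addr, 1, b"hello"))
    r["replay"] = poa_enforce(poa_sas, mn_send(sa_mn, mn_addr, 1, b"hello"))
    forged = mn_send(sa_mn, mn_addr, 2, b"hello")
    forged["payload"] = b"HELLO"                             # payload changed after the MIC was computed
    r["forged"] = poa_enforce(poa_sas, forged)
    return r
```

Calling run_demo() shows the binding the slides describe: frames are dropped until Step 2 has produced an SAmp, a tampered MSK delivery is rejected by the SApa check, and once the SA exists fresh frames are forwarded while replayed and modified ones are dropped.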

Page 25: 802 21 IEEE Security Tutorial

Security Signaling Latency

• Approximately 90% of the latency originates from the EAP signaling during network access authentication (full authentication)
• EAP authentication takes on average 100s of ms, while the layer 2 key management (4-way handshake (HS) in 802.11 and 3-way handshake in 802.16) takes on average less than 10 ms.

[Figure: security signaling sequences for 802.11 and 802.16. MN: Mobile Node; AP: Access Point; BS: Base Station; AAA: AAA server]

Page 26: 802 21 IEEE Security Tutorial

Handover Scenarios

• Two Common Cases
  • Intra-technology Handovers
  • Inter-technology Handovers

Page 27: 802 21 IEEE Security Tutorial

Intra-Technology Handovers

Page 28: 802 21 IEEE Security Tutorial

Solutions Available Today

• Several handover solutions available today are centered around intra-technology handovers (AP to AP, BS to BS and typically within the same AAA domain)
• IEEE 802.11 solutions:
  • Pre-authentication (as defined in 802.11i)
  • Fast BSS Transition (under Sponsor Ballot in TGr)
• IEEE 802.16 solution:
  • Handover Process Optimization (as defined in 802.16e)
• IEEE 802.1 solution:
  • Roaming (reconnect) solution (under Letter Ballot in 802.1af)
• Main goal of the above solutions is to decrease the time it takes to do an EAP-based network access authentication

Page 29: 802 21 IEEE Security Tutorial

802.11i - Pre-authentication

[Figure: STA, AP1 and AP2 in an 802.11 Access Network, connected through the Internet to an AAA server. Conceptual Flow. Key labels: MSK at AP2 and at the STA after pre-authentication; PTK at AP2 and at the STA after the 802.11i 4-Way Handshake.]

• STA Associated to AP1, after full 802.11i authentication
• Data traffic flows via AP1
• STA selects AP2 as Target, and initiates pre-Authentication for AP2
• EAP Authentication is sent via AP1
• AP2 receives MSK from EAP Server
• STA derives MSK for AP2
• STA performs 802.11i 4-Way Handshake with AP2, using MSK (STA, AP2)
• Data Traffic Flows via AP2
• Transition complete
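The pre-authentication flow above, together with the latency split on the Security Signaling Latency slide, as a runnable added example. This is not code from the tutorial or from the 802.11i standard: the PMKID and pairwise-key-expansion constructions follow 802.11i, but the EAP run is a constructed shared-secret derivation, the AAA server, APs and STA are dicts with constructed addresses, and the two latency constants are assumptions taken from the slide's rough figures, so the numbers returned illustrate the critical-path difference rather than measure it.

```python
"""802.11i pre-authentication as a runnable toy. Added example, not from the tutorial:
the EAP run is a constructed shared-secret derivation, AAA server, APs and STA are
dicts, and the latency figures are assumptions taken from the slide's rough numbers
(EAP: hundreds of ms, 4-way handshake: under 10 ms), not measurements. The PMKID and
PTK constructions follow 802.11i."""
import hashlib
import hmac
import os

EAP_FULL_AUTH_MS = 300   # assumption standing in for "100s of ms"
FOUR_WAY_HS_MS = 8       # assumption standing in for "less than 10 ms"


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """802.11i PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); names a cached PMKSA."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i pairwise key expansion (PRF-384 for CCMP): PTK = KCK || KEK || TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def run_eap(sta: dict, ap: dict, aaa: dict) -> None:
    """Constructed stand-in for the EAP method run between STA and AAA server: both derive the
    64-byte MSK, the AAA server delivers it to the AP, and each side caches PMK = MSK[0:32]
    under its PMKID."""
    nonce = os.urandom(16)                                   # carried in the EAP method messages
    secret = aaa["secrets"][sta["addr"]]
    msk = hmac.new(secret, b"MSK" + ap["bssid"] + nonce, hashlib.sha512).digest()
    pmk = msk[:32]
    name = pmkid(pmk, ap["bssid"], sta["addr"])
    sta["pmksa"][ap["bssid"]] = (name, pmk)
    ap["pmksa"][name] = pmk


def preauthenticate(sta: dict, target_ap: dict, aaa: dict) -> None:
    """The EAP run for the target AP happens while the STA is still served by its current AP,
    so it is off the handover critical path."""
    run_eap(sta, target_ap, aaa)


def handover(sta: dict, target_ap: dict, aaa: dict) -> dict:
    """Moves the STA to target_ap and returns the security signalling latency on the critical path."""
    pre_authenticated = target_ap["bssid"] in sta["pmksa"]
    latency = 0
    if not pre_authenticated:
        run_eap(sta, target_ap, aaa)                         # full authentication, on the critical path
        latency += EAP_FULL_AUTH_MS
    name, pmk_sta = sta["pmksa"][target_ap["bssid"]]
    pmk_ap = target_ap["pmksa"].get(name)                    # AP looks up the PMKID the STA sends in its RSN IE
    if pmk_ap is None:
        return {"pre_authenticated": pre_authenticated, "latency_ms": latency, "ptk_match": False}
    anonce, snonce = os.urandom(32), os.urandom(32)          # 4-way handshake messages 1 and 2
    ptk_ap = derive_ptk(pmk_ap, target_ap["bssid"], sta["addr"], anonce, snonce)
    ptk_sta = derive_ptk(pmk_sta, target_ap["bssid"], sta["addr"], anonce, snonce)
    latency += FOUR_WAY_HS_MS
    sta["current_ap"] = target_ap["bssid"]
    return {"pre_authenticated": pre_authenticated, "latency_ms": latency,
            "ptk_match": ptk_ap == ptk_sta, "ptk_bytes": len(ptk_ap)}


def run_demo() -> dict:
    """STA attaches to AP1, pre-authenticates to AP2, moves to AP2, then moves to AP3 without pre-authentication."""
    sta = {"addr": bytes.fromhex("020000000001"), "pmksa": {}, "current_ap": None}
    aaa = {"secrets": {sta["addr"]: os.urandom(32)}}         # constructed STA credential
    ap1, ap2, ap3 = ({"bssid": bytes.fromhex(f"04000000000{i}"), "pmksa": {}} for i in (1, 2, 3))
    r = {"initial_ap1": handover(sta, ap1, aaa)}
    preauthenticate(sta, ap2, aaa)
    r["ap1_to_ap2_preauth"] = handover(sta, ap2, aaa)
    r["ap2_to_ap3_no_preauth"] = handover(sta, ap3, aaa)
    return r
```

The returned dict makes the slide's point concrete: the move to the pre-authenticated AP2 carries only the 4-way handshake on its critical path, while the move to AP3, for which no PMKSA was prepared, pays the full EAP run again.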

Page 40: 802 21 IEEE Security Tutorial

802.11r – Fast BSS Transition

[Figure: an 802.11 Mobility Domain containing AP1 and AP2, connected through the Internet to an AAA server; STA initially at AP1. Conceptual Flow. Key labels on the figure: PMK-R0 and PMK-R1 (AP2) at the R0KH/AP1 side, PMK-R1 (AP2) and PTK at AP2, and PMK-R0, PMK-R1 (AP2) and PTK at the STA.]

• STA Associated to AP1
• Data traffic flows via AP1
• STA Moves and Selects AP2 as Target
• 802.11r Auth Request
• Request PMK-R1 (AP2) from R0KH
• Derive PMK-R1 (AP2) for AP2
• Response w/ PMK-R1 (AP2) to AP2
• 802.11r Auth Response
• AP2 & STA Derive PTK
• 802.11r Reassociation Request and Response
• Data traffic flows via AP2
• Transition complete
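The key flow on the 802.11r slide above, as a runnable added example (not code from the tutorial or from the 802.11r amendment). It follows the amendment's PMK-R0 / PMK-R1 / PTK chain and key-name constructions using the 802.11 SHA-256 counter-mode KDF; the MSK, SSID, MDID, R0KH-ID and MAC addresses are constructed values, and any mismatch with the amendment's exact byte encodings is an assumption of this example rather than a statement about the standard.

```python
"""802.11r (Fast BSS Transition) key hierarchy as a runnable toy. Added example, not from
the tutorial: it follows the PMK-R0 / PMK-R1 / PTK chain and key names of the 802.11r
amendment (labels "FT-R0", "FT-R1", "FT-PTK", SHA-256 counter-mode KDF), but the MSK,
identifiers and addresses are constructed, and any difference from the amendment's exact
byte encodings should be treated as an assumption of this example."""
import hashlib
import hmac
import os
import struct


def kdf(key: bytes, label: bytes, context: bytes, nbits: int) -> bytes:
    """802.11 KDF-Hash-Length: HMAC-SHA256(K, i || label || context || length); i and length are 16-bit little-endian."""
    out = b""
    for i in range(1, (nbits + 255) // 256 + 1):
        out += hmac.new(key, struct.pack("<H", i) + label + context + struct.pack("<H", nbits), hashlib.sha256).digest()
    return out[: nbits // 8]


def derive_pmk_r0(msk: bytes, ssid: bytes, mdid: bytes, r0kh_id: bytes, s0kh_id: bytes):
    """PMK-R0 and PMKR0Name. With 802.1X authentication XXKey is the second 256 bits of the MSK.
    PMK-R0 is held by the R0KH and by the STA; it is never handed to an AP's R1KH."""
    xxkey = msk[32:64]
    context = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + s0kh_id
    r0_key_data = kdf(xxkey, b"FT-R0", context, 384)
    pmk_r0, salt = r0_key_data[:32], r0_key_data[32:48]
    pmkr0name = hashlib.sha256(b"FT-R0N" + salt).digest()[:16]
    return pmk_r0, pmkr0name


def derive_pmk_r1(pmk_r0: bytes, pmkr0name: bytes, r1kh_id: bytes, s1kh_id: bytes):
    """PMK-R1 for one target AP (R1KH-ID is that AP's identity) and its PMKR1Name."""
    pmk_r1 = kdf(pmk_r0, b"FT-R1", r1kh_id + s1kh_id, 256)
    pmkr1name = hashlib.sha256(b"FT-R1N" + pmkr0name + r1kh_id + s1kh_id).digest()[:16]
    return pmk_r1, pmkr1name


def derive_ft_ptk(pmk_r1: bytes, snonce: bytes, anonce: bytes, bssid: bytes, sta_addr: bytes) -> bytes:
    """PTK = KDF-384(PMK-R1, "FT-PTK", SNonce || ANonce || BSSID || STA-ADDR) for CCMP (KCK || KEK || TK)."""
    return kdf(pmk_r1, b"FT-PTK", snonce + anonce + bssid + sta_addr, 384)


def run_demo() -> dict:
    """Replays the slide: STA at AP1 moves to AP2; the R0KH hands AP2 its PMK-R1; the STA derives
    the same PMK-R1 locally; both derive the PTK. Also derives AP3's PMK-R1 to show it differs."""
    msk = os.urandom(64)                                         # constructed MSK from the initial EAP run
    ssid, mdid = b"example-ssid", b"\x12\x34"                    # constructed SSID and Mobility Domain ID
    sta_addr = bytes.fromhex("020000000001")                     # S0KH-ID / S1KH-ID: the STA's MAC address
    r0kh_id = b"r0kh.example"                                    # constructed NAS identifier of the R0KH
    ap2, ap3 = bytes.fromhex("040000000002"), bytes.fromhex("040000000003")   # R1KH-ID: the AP's MAC address
    # R0KH side (reached through AP1) and STA side derive PMK-R0 independently from the same MSK.
    r0kh_pmk_r0, r0kh_name = derive_pmk_r0(msk, ssid, mdid, r0kh_id, sta_addr)
    sta_pmk_r0, sta_name = derive_pmk_r0(msk, ssid, mdid, r0kh_id, sta_addr)
    # "Request PMK-R1 (AP2) from R0KH" / "Response w/ PMK-R1 (AP2) to AP2": only PMK-R1 leaves the R0KH.
    ap2_pmk_r1, ap2_r1name = derive_pmk_r1(r0kh_pmk_r0, r0kh_name, ap2, sta_addr)
    sta_pmk_r1, sta_r1name = derive_pmk_r1(sta_pmk_r0, sta_name, ap2, sta_addr)
    ap3_pmk_r1, _ = derive_pmk_r1(r0kh_pmk_r0, r0kh_name, ap3, sta_addr)
    # "AP2 & STA Derive PTK" from the nonces carried in the FT Authentication exchange.
    snonce, anonce = os.urandom(32), os.urandom(32)
    ptk_ap2 = derive_ft_ptk(ap2_pmk_r1, snonce, anonce, ap2, sta_addr)
    ptk_sta = derive_ft_ptk(sta_pmk_r1, snonce, anonce, ap2, sta_addr)
    return {
        "pmk_r0_match": r0kh_pmk_r0 == sta_pmk_r0,
        "pmkr1name_match": ap2_r1name == sta_r1name,            # AP2 can identify the key the STA names
        "pmk_r1_match": ap2_pmk_r1 == sta_pmk_r1,
        "ptk_match": ptk_ap2 == ptk_sta,
        "ptk_bytes": len(ptk_ap2),
        "per_ap_r1_differ": ap2_pmk_r1 != ap3_pmk_r1,           # AP2's PMK-R1 is of no use at AP3
    }
```

The property worth noticing is the one the slide's key labels encode: the AP only ever receives its own PMK-R1, derived one-way from PMK-R0 with the AP's identity in the context, so no full EAP run is needed at the target and a key held by one AP is not the key of another.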

802.16e – HO Process optimization

21-08-0080-02-0sec 23

• MS connected with BS1, data traffic flows

• MS sends HO request (HO optimization bits set, preferred BSs) to BS1

• BS1 forwards HO request to BS2

• BS2 sends HO response back to BS1

• BS1 sends HO response back to MS

• MS sends HO indication with BS2 as target

• BS1 forwards MS info and connection context to BS2 (handover TEKs, associated counters, negotiated capabilities, CID update, …)

• MS ranges and attaches with BS2

• Data traffic flows via BS2

[Figure: Conceptual flow. MS, BS1 and BS2 in the 802.16 Access network; Core network and AAA server reached over the Internet; AK1 at BS1 and AK2 at BS2.]

IEEE P802.1af and 802.1AE

21-08-0080-02-0sec 24

• IEEE P802.1af – a new revision of 802.1X for port access control, it provides

  • Network access authentication, secure association and access control for LAN/MAN

  • Network discovery

  • Allows a session key that was established between a Host and a Network Access Point to be cached and reused when reconnecting back to any Network Access Points within the same administrative domain

• IEEE 802.1AE - MAC Security

  • Provides ciphering for LAN/MAN


21-08-0080-02-0sec 25

Inter-Technology Handovers


Dual-radio Handover Flow

21-08-0080-02-0sec 27

• MN connected with Radio 1 to AN1, and an application session is active

• MN moves, Radio 2 On

• MN decides to perform HO to AN2

• MN authenticates with AN2 using Radio 2

• Subsequent HO procedures follow

  • Including IP mobility signaling and resource reservation and so on

• Application session continuity is maintained on AN2

• Radio 1 off or idle

[Figure: Conceptual flow]

Single-radio Handover Flow

[Figure: Conceptual flow]
21-08-0080-02-0sec 28

• MN connected with Radio 1 to AN1, and an application session is active

• MN moves and decides to perform HO to AN2

• MN authenticates with AN2 via AN1

• Subsequent HO procedures follow

  • Including IP mobility signaling and resource reservation and so on

• Radio 1 Off/Idle

• Radio 2 active

• MN attaches to AN2


What is the problem?

21-08-0080-02-0sec 29

• Security-related signaling can increase the latency significantly in single-radio handover efforts and in many cases service continuity can not be met

• Handover techniques that assume concurrent radio usage cannot be used

• Even for dual-radio devices it might make sense to reduce the security-related signaling, as it decreases the time that both radios need to be active and thus can increase battery life

• In addition, handovers between networks within the same AAA domains or different AAA domains pose different challenges

Potential Approach for Intra-AAA-domain Handover – Key Hierarchy-based Transition (1/3)

21-08-0080-02-0sec 30

• Establish a key hierarchy through full authentication upon entry into the AAA domain

• The key hierarchy may span multiple link-layer technologies

• Network access authentication is based on exchanging proof of possession of the root key between MN and the root key holder through the PoA

[Figure: Key hierarchy. Root Key at the top; below it Session Key for PoA_1, Session Key for PoA_2, … Session Key for PoA_N]


Potential Approach for Intra-AAA-domain Handover – Key Hierarchy-based Transition (2/3)

21-08-0080-02-0sec 31

• ERP (EAP Extensions for EAP Re-authentication Protocol) is defined in IETF for Key Hierarchy-based Transition

• The server for ERP can be in a visited domain

• ERP requires one AAA message roundtrip

[Figure: AAA domain X containing a Re-authentication Server (AAA server/proxy); ERP signaling between the MN and the Re-authentication Server]

Potential Approach for Intra-AAA-domain Handover – Key Hierarchy-based Transition (3/3)

21-08-0080-02-0sec 32

• In this approach, ERP is proactively performed (proactive re-authentication)

• No AAA roundtrip after switching to the target PoA

[Figure: AAA domain X containing a Re-authentication Server (AAA server/proxy); proactive re-authentication before the switch, then Secure Association with the target PoA]
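The exchange described on the three Key Hierarchy-based Transition slides above (proof of possession of the root key relayed through the PoA, one AAA round trip per re-authentication, and no AAA round trip after the switch when the re-authentication is done proactively), as an added Python simulation. This is example code, not text from the tutorial and not the IETF ERP message format: the message fields, the labels rIK and rMSK, the plain HMAC-SHA256 derivation, the key delivery to the target PoA and the sample identities are assumptions standing in for the real protocol elements. The two PermissionError checks on the server are the added defensive checks a re-authentication server needs: a valid proof of possession, and a target PoA that actually belongs to its domain.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes, context: bytes = b"") -> bytes:
    """HMAC-SHA256 key derivation; assumed construction for this example."""
    return hmac.new(key, label + context, hashlib.sha256).digest()


def mac(key: bytes, msg: dict, fields: tuple) -> bytes:
    """Integrity tag over the named fields of a message, in a fixed order."""
    return hmac.new(key, b"|".join(msg[f] for f in fields), hashlib.sha256).digest()


class PoA:
    """Point of attachment. It relays re-authentication messages and holds
    the session keys the server delivers to it; it never sees the root key."""

    def __init__(self, poa_id: bytes, server):
        self.poa_id = poa_id
        self.server = server
        self.session_keys = {}

    def forward_reauth(self, req: dict) -> dict:
        return self.server.reauth(req)           # one AAA round trip

    def secure_association(self, mn_id: bytes, mn_sk: bytes) -> bool:
        """Local two-party step after the switch: no AAA involvement."""
        sk = self.session_keys.get(mn_id)
        return sk is not None and hmac.compare_digest(sk, mn_sk)


class ReauthServer:
    """Re-authentication server (AAA server/proxy) of AAA domain X. Holds
    each MN's root key and counts AAA round trips for the comparison."""

    def __init__(self, mn_roots: dict, known_poas: dict):
        self.mn_roots = mn_roots        # mn_id -> root key from a prior full EAP authentication
        self.known_poas = known_poas    # poa_id -> PoA object in this domain
        self.roundtrips = 0

    def reauth(self, req: dict) -> dict:
        self.roundtrips += 1
        rk = self.mn_roots[req["mn_id"]]
        rik = kdf(rk, b"rIK")                    # integrity key derived from the root key
        if not hmac.compare_digest(mac(rik, req, ("mn_id", "target", "nonce_mn")), req["mac"]):
            raise PermissionError("bad proof of possession")
        target = self.known_poas.get(req["target"])
        if target is None:
            raise PermissionError("target PoA not in this AAA domain")
        nonce_s = os.urandom(16)
        sk = kdf(rk, b"rMSK", req["target"] + req["nonce_mn"] + nonce_s)
        target.session_keys[req["mn_id"]] = sk    # key delivered over AAA to the target PoA
        resp = {"target": req["target"], "nonce_mn": req["nonce_mn"], "nonce_s": nonce_s}
        resp["mac"] = mac(rik, resp, ("target", "nonce_mn", "nonce_s"))
        return resp


class MobileNode:
    def __init__(self, mn_id: bytes, root_key: bytes):
        self.mn_id = mn_id
        self.rk = root_key
        self.rik = kdf(root_key, b"rIK")

    def reauth_via(self, poa: PoA, target: bytes) -> bytes:
        """Prove possession of the root key through `poa` and derive the
        session key for `target`; `poa` may be the serving or the target PoA."""
        req = {"mn_id": self.mn_id, "target": target, "nonce_mn": os.urandom(16)}
        req["mac"] = mac(self.rik, req, ("mn_id", "target", "nonce_mn"))
        resp = poa.forward_reauth(req)
        if resp["nonce_mn"] != req["nonce_mn"] or not hmac.compare_digest(
                mac(self.rik, resp, ("target", "nonce_mn", "nonce_s")), resp["mac"]):
            raise PermissionError("server response failed verification")
        return kdf(self.rk, b"rMSK", target + req["nonce_mn"] + resp["nonce_s"])


def handover(proactive: bool) -> dict:
    """Move mn1 from poa1 to poa2, re-authenticating either before the
    switch via the serving PoA (proactive) or after it via the target."""
    root = b"\x42" * 32                          # constructed root key
    server = ReauthServer({b"mn1": root}, {})
    poa1, poa2 = PoA(b"poa1", server), PoA(b"poa2", server)
    server.known_poas.update({b"poa1": poa1, b"poa2": poa2})
    mn = MobileNode(b"mn1", root)
    sk = mn.reauth_via(poa1, b"poa2") if proactive else None
    before = server.roundtrips
    # ---- MN switches its radio to the target PoA here ----
    if not proactive:
        sk = mn.reauth_via(poa2, b"poa2")
    return {
        "keys_match": poa2.secure_association(b"mn1", sk),
        "aaa_roundtrips_after_switch": server.roundtrips - before,
        "total_aaa_roundtrips": server.roundtrips,
    }


if __name__ == "__main__":
    print("reactive:", handover(proactive=False))
    print("proactive:", handover(proactive=True))
```

Both flows cost exactly one AAA round trip; what the proactive variant changes is when it is paid. In the reactive flow the round trip sits inside the connectivity gap after the switch, which is the latency the "What is the problem?" slide is about; in the proactive flow only the local secure association with the target PoA remains after the switch.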

Potential Approach for Inter-AAA-Domain Handover – Authentication-based Transition

21-08-0080-02-0sec 33

• Since networks are in different AAA domains, in general full authentication can not be avoided

  • There is no reason for the new domain to “trust” keys from the old domain, and no reason for the mobile device to “trust” the new domain with keys it used with its old domain

  • Roaming agreements (SLAs) may exist between the two networks, but the home operator might still require the user to authenticate with the home network (AAA) because of security or policy reasons

• A pre-authentication solution is needed that works across multiple AAA domains

[Figure: AAA domain X and AAA domain Y, each with an EAP server; EAP (RFC 3748) signaling to the target domain, then Secure Association]

Proposed Direction in 802.21

21-08-0080-02-0sec 34

• Proactive authentication is the promising approach to reduce authentication and key establishment signaling latency

• Needed for secure service continuity across different link-layer technologies, AAA domains

• Use existing media-specific Secure Association mechanisms

• Proactive authentication can be based on proactive re-authentication, and pre-authentication

• Proactive authentication requires an EAP transport

• The solution that works independent of link-layer technologies

• Our main scope is IEEE 802 technologies, but solution could be applied to handovers to other technologies

21-08-0080-02-0sec 35

Thank You!
