AAA for Handovers
All,
I had a brief chat with Jari Arkko on this topic in Paris and he suggested I bring it
up on the RADEXT mailing list.
A while ago, some work was done in the IRTF on RADIUS for handovers in the aaaarch-handoff draft, but it seems to have rather died now. Currently, there seem to be no efforts to advance such work in the IETF or IRTF. I was wondering if reviving some work along the same lines might be an option people would support or desire.
Some thoughts on why this work would be useful:

It is quite evident that performing an entire EAP method exchange upon handoff introduces a significant increase in handoff times. It seems that people are getting around going to the AAA server every time by defining evolving keys and introducing local KDCs. An example is the path 802.11r is taking. 802.11r has introduced an evolving key hierarchy that allows the STA to hand off without having to perform a full EAP exchange. It is generally accepted (at least it seems to be) that this is inherently less secure than performing regular EAP; however, this is viewed as important to be able to have acceptable handoff times. Being of the IETF mentality, I find that these mechanisms do not seem to satisfy all the Housley criteria as they should. However, without changes in AAA, I don't have a better answer to reducing handoff times.
Thinking about this a little further, it seems like such a design is becoming popular due to the lack of a method in AAA to pre-authenticate to multiple authenticators (NAS-es) and proactively distribute keys to the NAS-es. If there was a way to do this, it would be possible to derive multiple keys at the AAA server for a mobile node corresponding to target NAS devices and proactively push the keys to those devices without the need for a complete authentication and key derivation upon handoff. It would allow significant reduction in the signaling required to establish keys at NAS-es.
It seems to me that if the IETF worked on this and matured it enough, people would be willing to use it to provide more secure faster handoffs. Especially since some work was done in this space earlier on, it seems like it might be worth looking into. The IRTF draft was ahead of its time when it was written, but it seems like the timing for such a task would be perfect now.
Any thoughts?
Thanks,
Vidya
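The message above proposes that the AAA server derive one key per target NAS from the mobile node's EAP session and push those keys out ahead of the handoff. The following is an added illustration, not code from the post, from the aaaarch-handoff draft, or from any standard: it sketches the key-derivation side of that idea using HKDF (RFC 5869, implemented here over HMAC-SHA256) so that each NAS receives a key bound to both the mobile node identity and its own NAS identity, and the mobile node, which already holds the MSK from its full EAP run, can derive the same key locally without contacting the AAA server again. The label string, the MSK, the identities, and the challenge-response proof at the end are all constructed for the example; a real protocol would still need to specify key lifetimes, transport protection for the push, and fresh nonces from both sides.

```python
"""Per-NAS handoff key derivation sketch (added example, not from the post).

Model: after a full EAP exchange the AAA server and the mobile node (MN)
share an MSK. The AAA server derives one key per candidate target NAS,
bound to (MN identity, NAS identity), and pushes it to each NAS before the
handoff. On handoff the MN derives the same key from its own MSK copy and
proves possession of it to the target NAS, so no new EAP run is needed.
All identifiers and key material below are constructed for illustration.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract; an empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested key too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


# Label is an assumption chosen for this sketch; a real spec would fix it.
LABEL = b"aaa-proactive-handoff-key"


def derive_nas_key(msk: bytes, mn_id: bytes, nas_id: bytes, length: int = 32) -> bytes:
    """Derive the key a particular NAS should hold for a particular MN.

    Binding both identities into 'info' gives key separation: the key held by
    one NAS reveals nothing about the key held by another, and a key derived
    for one MN cannot be reused for a different MN at the same NAS.
    Length-prefixing the identities avoids ambiguous concatenations.
    """
    prk = hkdf_extract(b"", msk)
    info = LABEL + len(mn_id).to_bytes(2, "big") + mn_id \
           + len(nas_id).to_bytes(2, "big") + nas_id
    return hkdf_expand(prk, info, length)


def proactive_keys(msk: bytes, mn_id: bytes, target_nas_ids) -> dict:
    """AAA-server side: one key per candidate target NAS, ready to push."""
    return {nas_id: derive_nas_key(msk, mn_id, nas_id) for nas_id in target_nas_ids}


def handoff_proof(key: bytes, mn_id: bytes, nas_id: bytes, nonce: bytes) -> bytes:
    """MN side: prove possession of the per-NAS key over a NAS-supplied nonce."""
    return hmac.new(key, b"proof" + mn_id + nas_id + nonce, HASH).digest()


def nas_verify(nas_keys: dict, nas_id: bytes, mn_id: bytes, nonce: bytes, proof: bytes) -> bool:
    """Target NAS side: look up the pushed key for this MN and check the proof."""
    key = nas_keys.get(mn_id)
    if key is None:
        return False  # AAA never pushed a key for this MN: fall back to full EAP
    return hmac.compare_digest(handoff_proof(key, mn_id, nas_id, nonce), proof)


def demo() -> bool:
    """End-to-end run with constructed values; returns True if handoff verifies."""
    msk = bytes(range(64))                       # constructed stand-in for an EAP MSK
    mn_id, targets = b"mn-0001", [b"nas-a", b"nas-b", b"nas-c"]
    pushed = proactive_keys(msk, mn_id, targets)  # AAA derives and pushes
    nas_b_store = {mn_id: pushed[b"nas-b"]}       # what NAS b holds after the push
    nonce = os.urandom(16)                        # NAS b challenges the MN
    mn_key = derive_nas_key(msk, mn_id, b"nas-b")  # MN derives locally from its MSK
    return nas_verify(nas_b_store, b"nas-b", mn_id, nonce,
                      handoff_proof(mn_key, mn_id, b"nas-b", nonce))


if __name__ == "__main__":
    print("fast handoff to nas-b verified:", demo())
```

The HKDF functions follow RFC 5869 exactly, so they can be checked against its published test vectors; the binding of both identities into the derivation context is what makes the pushed keys independent of one another, which is the property the post contrasts against an evolving key hierarchy.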