NETEXT WG                                                  S. Gundavelli
Internet-Draft                                                     Cisco
Intended status: Informational                                M. Liebsch
Expires: March 16, 2013                                              NEC
                                                                P. Seite
                                                 France Telecom - Orange
                                                      September 12, 2012


          PMIPv6 inter-working with WiFi access authentication
               draft-liebsch-netext-pmip6-authiwk-05.txt

Abstract

   Proxy Mobile IPv6, the IETF's protocol for network-based mobility
   management, requires a completed and successful authentication of
   the mobile node before it is registered at the mobility anchor.
   This document describes inter-working between access authentication
   mechanisms, such as IEEE 802.1X, and the Proxy Mobile IPv6 protocol
   to enable trusted WiFi access to a network-based mobility management
   domain.  Furthermore, the use of authentication-method-specific
   identifiers for unique identification of mobile nodes during setup
   and maintenance of their mobility session is described, following
   recommendations of related standards organizations, such as 3GPP and
   the WiMAX Forum.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 16, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.



Gundavelli, et al.        Expires March 16, 2013                [Page 1]
Internet-Draft     PMIP6 inter-working with WiFi AuthN     September 2012


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Conventions and Terminology  . . . . . . . . . . . . . . . . .  5
   3.  Functional Objectives  . . . . . . . . . . . . . . . . . . . .  6
   4.  Inter-working with IEEE 802.1X EAP . . . . . . . . . . . . . .  9
     4.1.  General use with authentication against a RADIUS Server  .  9
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 11
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
   7.  Normative References . . . . . . . . . . . . . . . . . . . . . 13
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14


1.  Introduction

   Proxy Mobile IPv6 (PMIPv6) [RFC5213] represents the IETF's protocol
   for network-based mobility management and is being deployed in
   various standards, such as the 3rd Generation Partnership Project
   (3GPP), to complement host mobility.  According to the PMIPv6
   standard, mobile nodes (MN) do not require a secure interface to the
   mobility anchor (LMA), as there is no direct signaling for mobility
   management between the MN and the LMA; instead, the Mobility Access
   Gateway (MAG) sets up and maintains a mobility binding on the LMA on
   behalf of the host by means of a Proxy Binding Update (PBU).
   [RFC5213] requires a successful authentication of the MN before the
   MAG sends a PBU to the LMA to set up a mobility binding for the MN.
   Furthermore, it assumes the MAG to be informed about a mobile node
   identifier (MN-Identifier), which unambiguously identifies the MN
   during the mobility session.  Such an MN-Identifier can be a static
   identifier or a temporary identifier, which may be derived from a
   static identifier.

   This document intends to provide guidelines for PMIPv6 to inter-work
   with access authentication protocols which have been designed for
   IEEE 802-type link technologies.  Initial versions of this document
   focus on IEEE 802.1X and its recommendation to use the Extensible
   Authentication Protocol (EAP) [RFC3748].  Based on the procedure for
   general inter-working, more specific use cases are documented for
   discussion and reference.  These use cases include the use of the
   Wireless LAN technology according to the IEEE 802.11 standard to
   provide trusted access to 3GPP's packet core network.  So far, WLAN
   has been considered untrusted access, possibly even provided by third
   parties, and MNs connect through WLAN to the mobile operator network
   through an established secure tunnel.  Stepping towards WLAN trusted
   access avoids the overhead of an established IPsec tunnel with a
   packet data gateway in the operator's core network, but requires
   inter-working between WLAN access authentication and the operator's
   authentication and identification mechanisms.  In the context of
   trusted WLAN access and network-based mobility management, WLAN
   security is used to protect traffic on the wireless link, whereas the
   trust relationship between a MAG and the LMA is used to convey
   traffic through the operator's core network.

   The first version of this document discusses inter-working between
   IEEE 802.1X EAP and PMIPv6 as well as some specific use cases for
   trusted WLAN access in 3GPP's evolved packet core, which are based on
   recommended authentication schemes, such as EAP-AKA [RFC5448].
   Further use cases with different EAP authentication schemes as well
   as inter-working between PMIPv6 and web authentication will be added
   to future versions of this document.  Prior to describing details of
   PMIPv6 inter-working with various access authentication schemes in
   Section 4, Section 3 describes functional objectives to enable
   trusted WLAN access to mobile operator networks and efficient inter-
   working between WiFi access authentication and operators' mobility
   management as well as policy and AAA infrastructure.


2.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   This document uses the terminology of [RFC5213].  The following
   additional terms are used in the context of this draft:

   o  AAA -- Authentication, Authorization and Accounting

   o  EAP -- Extensible Authentication Protocol

   o  PCC -- Policy and Charging Control

   o  PMK -- Pairwise Master Key


3.  Functional Objectives

   The major motivation and objective of documenting inter-working
   between WiFi access authentication and PMIPv6 is to describe the
   complete system operation, message sequences and identification
   schemes for network-based mobility management using PMIPv6,
   including IEEE 802.11-based access as a proven and widely accepted
   radio technology and its associated authentication mechanisms.
   Interaction between access authentication and mobility management
   allows the specification of missing components in [RFC5213], mainly
   referring to MAG operation being triggered by successful MN
   authentication and MN identification.

   The relevance of WiFi radio access is proven by various standards
   initiatives specifying inter-working with IEEE 802.11-based
   technology.  One example is 3GPP's interest in supporting traffic
   offload to WLAN networks.  Another example is the WiMAX Forum's
   Network Architecture, which considers a WiFi-WiMAX inter-working
   function to enable access to the WiMAX network through WiFi radio
   access and to support handover between WiFi and WiMAX radio access.

   The PMIPv6 standard [RFC5213] assumes a completed and successful
   access authentication of MNs (or their subscribers) before the MAG
   registers the MN at an LMA by means of a PBU.  One objective of this
   document is to analyze relevant access authentication schemes and to
   document the operation of PMIPv6 in dependence on these
   authentication mechanisms.  The EAP procedure, as recommended by
   IEEE 802.1X, is considered most relevant at this time.  Web
   authentication is a further popular access authentication scheme,
   which can be analyzed and for which inter-working with PMIPv6 can be
   specified, even though manual subscriber interaction during access
   authentication conflicts with automatic and seamless operation, e.g.
   during dual-radio handover from 3GPP access to WiFi access.

   A further objective is to analyze the details of preferred
   authentication schemes, taking 3GPP and WiMAX Forum recommendations
   into account, and to document the use of common identifiers for
   access authentication and PMIPv6-based mobility management.  Such
   identifier-specific inter-working must take further requirements,
   such as unique identification of an MN during the mobility session,
   into account.
   Some identifiers, which are generated during access authentication,
   are unique for an MN but are not stable and valid beyond a certain
   radio access point.  In such a case, the MAG must use a different
   identifier or resolve such a temporary identifier into a unique
   identifier which is valid beyond a single access point and MAG.

   A further goal is to analyze inter-working between access
   authentication schemes and PMIPv6 during handover, which may also
   imply a change in the radio access technology.  Treatment of
   authentication methods, keys and identifiers and the associated
   inter-working with PMIPv6 operation is documented.

   Figure 1 depicts a high-level view of a WiFi network being integrated
   into a mobile operator network as trusted access.  Instead of using a
   Security and Mobility Gateway, such as 3GPP's Packet Data Gateway
   (PDG), which terminates an IPsec tunnel with the UE, the system
   relies on concatenated protected links between the UE and the WiFi
   access network, as well as between the WiFi access network and the
   LMA.  The illustrated setup assumes a MAG function to be co-located
   with the WiFi Access Point or a WiFi Controller (Ctrlr).  Inter-
   working between WiFi access authentication, PMIPv6 operation and the
   operator network's AAA and PCC (Policy and Charging Control)
   infrastructure is achieved by means of associated interfaces with the
   LMA.  Future extensions may consider a direct policy configuration
   interface with the WiFi access network controller.  This version of
   the inter-working document does not assume a direct policy control
   interface between the WiFi access network and the operator's PCC
   system.  If needed, the PMIPv6 protocol interface may be proposed to
   convey associated information.  Policy configuration in the WiFi
   access network is considered out of scope for this document.
   [Figure 1: ASCII diagram not recoverable from the extracted text.
   Components shown: MN ~~ WiFi AP(s) -- WiFi Ctrlr/MAG ==PMIPv6
   tunnel== LMA -- Packet Data Network; the LMA has interfaces to AAA
   and Policy Control, and a dotted line marked "(future option)"
   connects Policy Control directly to the WiFi Ctrlr/MAG.  The span
   MN..MAG is labelled "WiFi access security & L2 mobility", the span
   MAG..LMA "Network-based mobility".]

       Figure 1: Integration of the WiFi radio technology to provide
                  trusted access to mobile operator networks


4.  Inter-working with IEEE 802.1X EAP

4.1.  General use with authentication against a RADIUS Server

   IEEE 802.1X recommends EAP for access authentication, which can make
   use of an Authentication Server using, for example, the RADIUS
   protocol between the Authenticator and the Authentication Server.
   [RFC3579] specifies RADIUS extensions to convey EAP attributes
   between an Authenticator and the RADIUS server.  Figure 2 depicts
   general inter-working between PMIPv6 and IEEE 802.1X using EAP.
      +--+            +--------+               +---+      +------++------+
      |MN|            |WiFi CPE|               |LMA|      |RADIUS|| DHCP |
      +--+            |  MAG   |               +---+      |Server||Server|
       |              +--------+                 |        +------++------+
       |                   |                     |           |       |
       |---EAPOL Start---->|                     |           |       |
       |<---EAP REQ[IDap]--|                     |           |       |
   (1) |--EAP RESP[IDmn]-->|-----RADIUS Access REQ[IDmn]---->|       |
       |<-EAP REQ[Method]--|<--RADIUS Access Chall[EAP REQ]--|       |
   (2) |-EAP RESP[Method]->|----RADIUS Access REQ[Method]--->|       |
       |<-EAP REQ[Method]--|<--RADIUS Access Chall[EAP REQ]--|       |
       |-EAP RESP[Method]->|----RADIUS Access REQ[Method]--->|       |
       |<---EAP SUCCESS----|<-RADIUS Access Accept[EAP SUC]--|       |
   (3) |        LMA        |                     |           |       |
       |      assigned     |                     |           |       |
   (4) |<----EAPOL-Key---->|                     |           |       |
   (5) |                   |----PBU[SSID,IDmn]-->|<------DHCP------->|
       |                   |<-----PBA[IPmn]------|           |       |
       |                   +======IP tunnel======+           |       |
   (6) |---DHCP Discover-->|----DHCP Discover--->|           |       |
       |<-DHCP Offer[IPmn]-|<--DHCP Offer[IPmn]--|           |       |
       |--DHCP REQ[IPmn]-->|---DHCP REQ[IPmn]...>|           |       |
   (7) |<-DHCP Ack[IPmn]---|<--DHCP Ack[IPmn]----|           |       |
       |                   |                     |           |       |
       |<------data--------+======IP tunnel======+--->- - -  |       |
       |                   |                     |           |       |

     Figure 2: PMIPv6 inter-working with WPA2-802.1X access authentication
                           against a RADIUS server

   After the MN has associated with a WiFi Access Point, the EAPOL
   procedure starts (1).  EAP attributes are mapped by the WiFi AP/Ctrlr
   between EAPOL on the wireless link and RADIUS operation on the link
   towards the RADIUS server.  The RADIUS server selects one or multiple
   authentication methods, which are performed with the MN in a
   challenge-response procedure (2).  As a result of a successful EAP
   procedure, the RADIUS server may assign an LMA to the MN and signal
   the LMA identifier or the LMA IP address to the MAG function in the
   WiFi access network (3).  The MN and the WiFi Access Point can now
   negotiate the Session Key to protect the wireless access (4).
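   The MAG-side decisions this section describes, as an added example
   that is not part of the draft or of any PMIPv6 implementation: a PBU
   is sent only once access authentication has succeeded, the LMA comes
   from the AAA server's assignment when one was signaled, and the
   MN-Identifier is chosen so that it stays valid beyond a single Access
   Point.  The class and method names and the PMK-based fallback
   derivation are assumptions for illustration.

```python
# Added example (not from the draft): a minimal model of the MAG side of
# Figure 2.  The MAG sends a PBU only after the EAP/RADIUS exchange has
# succeeded, and the MN-Identifier it uses stays valid beyond a single
# Access Point.  Names and the PMK-based fallback derivation are
# assumptions for illustration; RFC 5213 and RFC 3579 define no such API.
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthResult:
    """What the MAG learns from the final RADIUS Access-Accept (step 3)."""
    success: bool
    pmk: bytes = b""           # Pairwise Master Key handed to the authenticator
    nai: str = ""              # identity resolved by the AAA server (e.g. IMSI-based NAI)
    lma: Optional[str] = None  # LMA assigned by the AAA server, if any

def session_key_id(pmk: bytes, ap_mac: str, mn_mac: str) -> str:
    """Identifier bound to one MN/AP association; shown only to illustrate why
    the draft says NOT to use such a value as MN-Identifier."""
    return hashlib.sha256(pmk + ap_mac.encode() + mn_mac.encode()).hexdigest()[:16]

def mn_identifier(auth: AuthResult) -> str:
    """Prefer the NAI resolved by the authentication server; otherwise derive a
    name from the PMK alone (assumed derivation), never mixing in AP-specific
    data such as the AP MAC address."""
    if auth.nai:
        return auth.nai
    return hashlib.sha256(b"pmip6-mn-id|" + auth.pmk).hexdigest()[:32] + "@pmk.invalid"

@dataclass
class MagSession:
    ssid: str
    ap_mac: str
    mn_mac: str
    default_lma: str
    auth: Optional[AuthResult] = None
    key_done: bool = False     # EAPOL-Key handshake finished (step 4)

    def on_eap_result(self, result: AuthResult) -> None:
        self.auth = result

    def on_eapol_key_done(self) -> None:
        self.key_done = True

    def try_send_pbu(self) -> Optional[dict]:
        """Step 5: only a successful access authentication triggers the PBU."""
        if self.auth is None or not self.auth.success:
            return None
        return {"lma": self.auth.lma or self.default_lma,
                "ssid": self.ssid, "mn_id": mn_identifier(self.auth)}

def attach(session: MagSession, result: AuthResult) -> Optional[dict]:
    """Drive one attachment through steps 1-5 of Figure 2 with constructed events."""
    assert session.try_send_pbu() is None   # before EAP completes: no PBU
    session.on_eap_result(result)           # (1)-(3) EAP over EAPOL/RADIUS finished
    session.on_eapol_key_done()             # (4) MN and AP negotiate the session key
    return session.try_send_pbu()           # (5) PBU towards the assigned LMA
```

   Running attach() for the same MN on two different APs yields the same
   mn_id in both PBUs, while session_key_id() differs per AP.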
   At that time, the MAG can take the EAP success as the trigger to
   initiate the PBU registration of the MN with the LMA (5).  The keys
   and identifiers being used and generated differ depending on the EAP
   authentication method.  In general, the MAG should not use the
   generated Session Key or security association identifier, as its
   scope is limited to the MN's association with the Access Point.  More
   suitable is an identifier negotiated during the authentication
   procedure with the RADIUS server, e.g. one based on the Pairwise
   Master Key (PMK) or any identifier which derives from the PMK without
   including information specific to a single Access Point, such as the
   AP's MAC address.  One example, which will be described in more
   detail in future versions of this document, is the use of the
   International Mobile Subscriber Identity (IMSI) to derive a NAI at
   the Authentication Server.  This IMSI-based NAI is then used as
   MN-Identifier in the PBU.  Such an approach is being proposed in 3GPP
   for trusted access to the mobile operator network through non-3GPP
   type radio access networks [3GPP-TS23.402] [3GPP-TS33.402].

   As a result of the MN's registration, the LMA performs DHCP with a
   DHCP server to retrieve a valid IP address for the MN (IPmn).  The
   assigned IP address is then signaled to the MAG in the PBA.  The MN
   learns about this IP address from the DHCP procedure (6).  After
   successful completion of the DHCP procedure (7), the MN can use the
   protected wireless link to communicate with the network
   infrastructure.


5.  Security Considerations

   This document analyzes and documents inter-working between WiFi
   access authentication and PMIPv6 mobility management to enable
   trusted access to a mobile operator network which uses network-based
   mobility management.
   The document refers to standard operation of PMIPv6 [RFC5213] as well
   as well-accepted WiFi authentication mechanisms, such as EAP using a
   RADIUS server as authentication server, without introducing new
   messages or message sequences.  Only the inter-working of access
   authentication and PMIPv6 is described by means of message sequence
   charts.  Furthermore, the use of identifiers that are generated
   during access authentication for MN identification in the PMIPv6-
   based mobility management protocol is described.  Hence, the
   documented inter-working should not introduce any new security
   threats.


6.  IANA Considerations

   This document is based on standardized protocols for WiFi access
   authentication and network-based mobility management.  No additional
   protocol messages and options are specified so far in this document.


7.  Normative References

   [3GPP-TS23.402]
              "3GPP TS 23.402; 3rd Generation Partnership Project;
              Technical Specification Group Services and System Aspects;
              Architecture enhancements for non-3GPP accesses (Release
              10)".

   [3GPP-TS33.402]
              "3GPP TS 33.402; 3rd Generation Partnership Project;
              Technical Specification Group Services and System Aspects;
              3GPP System Architecture Evolution (SAE); Security aspects
              of non-3GPP accesses (Release 9)".

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3579]  Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
              Dial In User Service) Support For Extensible
              Authentication Protocol (EAP)", RFC 3579, September 2003.

   [RFC3748]  Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
              Levkowetz, "Extensible Authentication Protocol (EAP)",
              RFC 3748, June 2004.
   [RFC5213]  Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K.,
              and B. Patil, "Proxy Mobile IPv6", RFC 5213, August 2008.

   [RFC5448]  Arkko, J., Lehtovirta, V., and P. Eronen, "Improved
              Extensible Authentication Protocol Method for 3rd
              Generation Authentication and Key Agreement (EAP-AKA')",
              RFC 5448, May 2009.


Authors' Addresses

   Sri Gundavelli
   Cisco
   170 West Tasman Drive
   San Jose, CA 95134
   USA

   Email: sgundave@cisco.com


   Marco Liebsch
   NEC Laboratories Europe
   Kurfuersten-Anlage 36
   D-69115 Heidelberg
   Germany

   Email: liebsch@neclab.eu


   Pierrick Seite
   France Telecom - Orange
   4, rue du clos courtel BP 91226
   Cesson-Sevigne  35512
   France

   Email: pierrick.seite@orange-ftgroup.com