Network Working Group V. Narayanan Internet-Draft L. Dondeti Intended status: Informational QUALCOMM, Inc. Expires: April 18, 2007 October 15, 2006 Problem Statement on EAP Efficient Re-authentication and Key Management draft-vidya-eap-reauth-ps-00 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 18, 2007. Copyright Notice Copyright (C) The Internet Society (2006). Abstract The extensible authentication protocol (EAP), specified in RFC3748 [1] is a generic framework for network access authentication, in which a peer engages in a full EAP conversation each time. A full EAP conversation involves several roundtrips between the peer and the authentication server in the home domain, and that is not acceptable for fast roaming. In this document, we explain the requirements for low-latency EAP re-authentication and associated key management. Narayanan & Dondeti Expires April 18, 2007 [Page 1] Internet-Draft EAPext PS October 2006 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. EAP Efficient Re-authentication Problem Statement . . . . . . 4 4. Design goals and constraints . . . . . . . . . . . . . . . . . 5 5. Extending the EAP keying hierarchy to support re-authentication . . . . . . . . . . . . . . . . . . . . . . 5 5.1. Root key selection for efficient EAP re-authentication . . 5 5.2. Specification of the EMSK hierarchy and key derivation thereof . . . . . . . . . . . . . . . . . . . . . . . . . 6 6. Use Cases and Related Work . . . . . . . . . . . . . . . . . . 6 6.1. IEEE 802.11r Applicability . . . . . . . . . . . . . . . 7 6.2. CAPWAP Applicability . . . . . . . . . . . . . . . . . . . 7 6.3. Inter-technology Roaming . . . . . . . . . . . . . . . . . 8 6.4. Inter-domain Roaming . . . . . . . . . . . . . . . . . . . 8 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 10.1. References . . . . . . . . . . . . . . . . . . . . . . . . 9 10.2. References . . . . . . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9 Intellectual Property and Copyright Statements . . . . . . . . . . 11 Narayanan & Dondeti Expires April 18, 2007 [Page 2] Internet-Draft EAPext PS October 2006 1. Introduction The extensible authentication protocol (EAP), specified in RFC3748 [1] is a generic framework supporting multiple authentication methods. The primary purpose of EAP is network access control and a key generating method is recommended for that purpose. The EAP keying hierarchy defines two keys that are derived at the top level - the master session key (MSK) and the extended MSK (EMSK). In the most common deployment scenario, an EAP peer and server authenticate each other through a third party known as the authenticator. The authenticator or an entity controlled by the authenticator enforces access control. After successful authentication, the server transports the MSK to the authenticator; the authenticator and the peer derive transient session keys (TSK) using the MSK as the authentication key or a key derivation key and use the TSK and use the TSK for per-packet access enforcement. The EAP model of authentication is unfortunately not efficient in case of mobile and wireless networks for the following reasons: When a peer associates with an authenticator, it is expected to run an EAP method irrespective of whether it has been authenticated to the network recently and has unexpired keying material. A full or even a reduced roundtrip EAP method execution involves several roundtrips between the EAP peer and the server. Each EAP conversation runs between the peer and its home domain, resulting in unacceptable latency. There have been attempts to solve the problem of efficient re- authentication in various ways. However, those solutions are either EAP method-specific, EAP lower-layer specific, or otherwise limited in scope, or do not conform to the AAA keying requirements specified in [4]. In this document, we provide a detailed description of EAP efficient re-authentication protocol requirements. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [2]. This document follows the terminology that has been defined in RFC3748 [1] and the EAP Keying I-D. In addition, this document uses the following terms: Narayanan & Dondeti Expires April 18, 2007 [Page 3] Internet-Draft EAPext PS October 2006 Usage Specific Root Key (USRK) is keying material derived from the EMSK for a particular usage definition as specified in this document. It is used to derive child keys in a way defined by its usage definition. USRKs are defined and specified in [5]. 3. EAP Efficient Re-authentication Problem Statement When a peer moves from one authenticator and reattaches to another authenticator, it is required to engage in a full EAP exchange with the authentication server in its home domain [1]. There are two issues with this requirement: o A full EAP method exchange at every authenticator - An EAP conversation with a full EAP method run takes several round trips and significant time to complete, causing delays in handoff times. Some methods [6] specify the use of keys and state from the initial authentication to finish subsequent authentications in fewer roundtrips. However, even in those cases, several roundtrips to the EAP server are involved. Furthermore, most EAP methods do not offer such a fast re-authentication feature. In summary, it is undesirable to have to run a full EAP method each time a peer associates with a new authenticator; furthermore, it is desirable to specify a method-independent efficient re- authentication protocol. Key material from the full authentication can be used to enable efficient re-authentication. o A full EAP method exchange with the authentication server in the home domain - The other issue of EAP authentication is that the peer needs to talk to the EAP server in the home domain. In some networks, e.g., UMTS networks, the authenticating entity talks to a server in the visited network to support low latency operation. To be appealing to a wide-range of access networks, it is necessary for EAP re-authenticatin to support visited domain authentication. The home EAP/AAA server may enable brokering a trust relationship between the peer and a local EAP/AAA server, so that subsequent authentications can be done between the peer and the visited domain server, without having to traverse the home domain server. The two problems identified above are the primary issues to be resolved. In solving them, there are a number of constraints to conform to and those result in some additional work to be done in the area of EAP keying. Narayanan & Dondeti Expires April 18, 2007 [Page 4] Internet-Draft EAPext PS October 2006 4. Design goals and constraints The following are the goals and constraints in designing the EAP re- authentication and key management protocol: o Low latency operation - Be responsive to handover and re- authentication latency performance objectives within a mobile wireless access network. o EAP lower layer independence - Any keying hierarchy and protocol defined should be lower layer independent in order to provide the capability over heterogeneous technologies. The defined protocols may, however, require some additional support from the lower layers that use it. o Inter-technology hanover - Any keying hierarchy and protocol defined should accommodate inter-technology heterogeneous handover and roaming. o EAP method independence - No changes to EAP methods should be required as a result of the extensions to EAP itself. o AAA protocol compatibility - any extensions to EAP and EAP keying must still be compatible with RADIUS and Diameter. o The designs and protocols must satisfy the AAA key management requirements specified in [4]. o Compatibility and especially co-existence with the currently defined fast transition mechanisms, for instance, IEEE 802.11r is strongly desired. o The keying hierarchy or protocol extensions must not preclude the use of the CAPWAP protocol. 5. Extending the EAP keying hierarchy to support re-authentication To avoid a full EAP method exchange, we reuse key material from an earlier EAP authentication: there are two choices for the root key for re-authentication: the MSK and the EMSK. 5.1. Root key selection for efficient EAP re-authentication After successful authentication, the MSK is delivered to the authenticator and used differently by different lower layers. For instance, IKEv2 uses the MSK for entity authentication alone, while lower layers like 802.11 and 802.16 use it in the secure association Narayanan & Dondeti Expires April 18, 2007 [Page 5] Internet-Draft EAPext PS October 2006 protocol to derive TSKs. Also, different lower layers use different parts of the MSK to derive other keys from it. For example, IEEE 802.11 uses the first 256 bits of the MSK for TSK derivation and 802.11's Task Group r (TGr) uses the second 256 bits to derive PMKs-R1 for fast BSS transition. IEEE 802.16 uses the first 320 bits of the MSK to derive TSKs. Such disparate uses of the MSK at the lower layers makes it infeasible to use that key as the root key for re-authentication in a lower-layer independent fashion. The EMSK key hierarchy on the other hand seems best suited for this purpose, as it is currently unused and can be specified in such a manner as to be acceptable to all lower layers. The proposed use cases for the EMSK are expected to be lower layer agnostic, which is logical, as it allows us to get around the limitations of lower layers. For instance the IEEE 802.11r solution for re-association and re-authentication is limited to a single extended service set (ESS). Presumably 802.11 would require an IETF defined protocol and key hierarchy for efficient roaming between ESSs. Most other lower layers do not currently have a scheme for efficient re- authentication, and they can make use of the protocols and key management mechanisms defined at the IETF. From the discussion so far, it is clear that the EMSK is the appropriate root key for extensions to EAP keying hierarchy. 5.2. Specification of the EMSK hierarchy and key derivation thereof To avoid uncoordinated and potentially unsafe uses of the EMSK, or child key material derived from that key, we propose that one of the first steps to take is to evaluate the use cases for the EAP key material and define the EMSK key derivation, caching and delivery semantics. Next, we note that some use cases requiring extensions to the EAP keying hierarchy need more urgent work than the others: the fast re- authentication application being one such use case. However, given that the key material may need to come from the EMSK hierarchy for this and various other purposes, it is imperative that the key hierarchy development be done in parallel with the usage specific protocol and hierarchy development. 6. Use Cases and Related Work In order to further clarify the items listed in scope of the proposed work, this section provides some background on related work and the use cases envisioned for the proposed work. Narayanan & Dondeti Expires April 18, 2007 [Page 6] Internet-Draft EAPext PS October 2006 6.1. IEEE 802.11r Applicability One of the EAP lower layers, IEEE 802.11, provides a mechanism to avoid the problem of repeated full EAP exchanges in a limited setting, by introducing a two-level key hierarchy. The EAP authenticator is collocated with what is known as an R0 Key Holder (R0-KH), which of course receives the MSK from the EAP server. A pairwise master key (PMK-R0) is derived from the second half (last 32 octets) of the MSK. Subsequently, the R0-KH derives an PMK-R1 to be handed out to the attachment point of the peer. When the peer moves from one R1-KH to another, a new PMK-R1 is generated by the R0-KH and handed out to the new R1-KH. The transport protocol used between the R0-KH and the R1-KH is not specified at the moment. In some cases, a mobile may seldom move beyond the domain of the R0-KH and this model works well. A full EAP authentication will generally be repeated when the PMK-R0 expires. However, in general cases mobiles may roam beyond the domain of R0-KHs (or EAP authenticators), and the latency of full EAP authentication remains an issue. Another consideration is that there needs to be a key transfer protocol between the R0-KH and the R1-KH; in other words, there is either a star configuration of security associations between the key holder and a centralized entity that serves as the R0-KH, or if the first authenticator is the default R0-KH, there will be a full-mesh of security associations between all authenticators. This is undesirable. Furthermore, in the 802.11r architecture, the R0-KH may actually be located close to the edge, thereby creating a vulnerability: If the R0-KH is compromised, all PMK-R1s derived from the corresponding PMK- R0s will also be compromised. The proposed work on EAP efficient re-authentication protocol aims at addressing the problem in a lower layer agnostic manner that also can operate without some of the restrictions or shortcomings of 802.11r mentioned above. 6.2. CAPWAP Applicability The IETF CAPWAP WG is developing a protocol between what is termed an Access Controller (AC) and Wireless Termination Points (WTP). The AC and WTP can be mapped to a WLAN switch and Access Point respectively. The CAPWAP model supports both split and integrated MAC architectures. The proposed work on EAP efficient re-authentication protocol Narayanan & Dondeti Expires April 18, 2007 [Page 7] Internet-Draft EAPext PS October 2006 addresses an inter-authenticator roaming problem from an EAP perspective. Depending on the architecture of WLAN deployment, this may apply during handoff across ACs or across WTPs. Inter-controller handoffs is a topic yet to be addressed in great detail and the re- authentication work can potentially address that in an effective manner. 6.3. Inter-technology Roaming EAP is used for access authentication by several technogies and is under consideration for use over several other technologies going forward. Given that, it should be feasible to support smoother handoffs across technologies. That is one of the big advantages of using a common authentication protocol. Authentication procedures typically add substantial handoff delays. An EAP peer that has multiple radio technologies (802.11 and GSM, for instance) must perform the full EAP exchange on each interface upon every horizontal or vertical handoff. With a method independent EAP efficient re-authentication, it is feasible to support faster handoffs even in the vertical handoff cases, when the peer may be roaming from one technology to another. 6.4. Inter-domain Roaming In several wireless systems, it is common for mobile devices to roam to domains outside their home domain. For instance, a mobile device whose home domain operator is based in Europe could be attached to an operator network in Asia. Typically, the EAP authentication takes place with the home domain EAP server. Upon handoff across EAP authenticators, the full EAP exchange with the home domain must occur. This adds unreasonable latency to the handoffs occurring within the visited domain. A method independent EAP efficient re-authentication protocol can be carried out within the visited domain with the help of a server located in the visited domain. In this case, it is envisioned that there are inter-domain trust relationships in place, using which a trust relationship can be brokered between the peer and the visited domain server. 7. Security Considerations In this version of the draft, we just note that the "Guidance for AAA Key Management" [4] applies to the protocols and key hierarchies developed to solve the problems listed within. Narayanan & Dondeti Expires April 18, 2007 [Page 8] Internet-Draft EAPext PS October 2006 8. IANA Considerations This document does not request any IANA assignments. 9. Acknowledgments Thanks to Joe Salowey, Bernard Aboba, Russ Housley, Michaela Vanderveen, George Tsirtsis and Hesham Soliman for various discussions on this topic. 10. References 10.1. References [1] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004. [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [3] Aboba, B., "Extensible Authentication Protocol (EAP) Key Management Framework", draft-ietf-eap-keying-14 (work in progress), June 2006. 10.2. References [4] Housley, R. and B. Aboba, "Guidance for AAA Key Management", draft-housley-aaa-key-mgmt-04 (work in progress), October 2006. [5] Salowey, J., "Specification for the Derivation of Usage Specific Root Keys (USRK) from an Extended Master Session Key (EMSK)", draft-salowey-eap-emsk-deriv-01 (work in progress), June 2006. [6] Arkko, J. and H. Haverinen, "Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP- AKA)", RFC 4187, January 2006. [7] Narayanan, V. and L. Dondeti, "Gap analysis on the EAP keying hierarchy", draft-vidya-eap-keying-gap-analysis-00 (work in progress), April 2006. Narayanan & Dondeti Expires April 18, 2007 [Page 9] Internet-Draft EAPext PS October 2006 Authors' Addresses Vidya Narayanan QUALCOMM, Inc. 5775 Morehouse Dr San Diego, CA USA Phone: +1 858-845-2483 Email: vidyan@qualcomm.com Lakshminath Dondeti QUALCOMM, Inc. 5775 Morehouse Dr San Diego, CA USA Phone: +1 858-845-1267 Email: ldondeti@qualcomm.com Narayanan & Dondeti Expires April 18, 2007 [Page 10] Internet-Draft EAPext PS October 2006 Full Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). Narayanan & Dondeti Expires April 18, 2007 [Page 11]