2.5.3 IP Mobility Optimizations Research Group (MobOpts)

NOTE: This charter is a snapshot of the 62nd IETF Meeting in Minneapolis, MN USA. It may now be out-of-date.

Current Meeting Report

============================================================
Mobopts Research Group Meeting
March 8, 2005, 1:00pm to 3:00pm
IETF 62, Minneapolis
============================================================

Minutes taken by Christian Vogt, chvogt@tm.uka.de



------------------------------------------------------------
Agenda
------------------------------------------------------------

1. Intro, Update, RG focus areas
Chairs, 5 minutes

2. Security Association Establishment and Handover
Protocols: Summary and Way(s) Forward (Discussion)
Jari Arkko, 15 minutes

3. CTP for PANA
Julien Bournelle, 10 minutes
draft-bournelle-pana-ctp-02.txt

4. Media Independent Pre-Authentication
Yoshihiro Ohba, 20 minutes
draft-ohba-mobopts-mpa-framework-00.txt

5. Media Independent Handover Services and Interoperability
(IEEE 802.21)
Ajay Rajkumar, 15 minutes

6. Unified L2 Abstractions for L3-Driven Fast Handovers
(Implementation Update)
Koki Mitani, 10 minutes

7. Network-initiated Fast Handover in Mobile IPv6
Telemaco Melia, 15 minutes
draft-melia-mobopts-niho-fmip-00

8. DHCP Options for Fast Handovers
Takeshi Ogawa, 10 minutes
draft-ogawa-fhopt-00.txt.

9. Early Binding Updates and Credit-Based Authorization
Christian Vogt, 10 minutes
draft-vogt-mobopts-early-binding-updates-00.txt
draft-vogt-mobopts-credit-based-authorization-00.txt

10. Location Privacy, 10 minutes, discussion



------------------------------------------------------------
1. Intro, Update, RG focus areas
Chairs, 5 minutes
------------------------------------------------------------

Agenda bashing

RG document status
- irtf-mobopts-mip6-ro-enhancements-00
- irtf-mobopts-bootstrap-key
Both in good shape and quite mature. Community review next. Documents will get reviewers' sections as incentives for reviewers.

Mailing list discussion
Ask questions rather than just posting the URL for a document. (Both are needed, but questions get folks going.)



------------------------------------------------------------
2. Security Association Establishment and Handover
Protocols: Summary and Way(s) Forward (Discussion)
Jari Arkko, 15 minutes
------------------------------------------------------------

CTP, FMIP, and CARD require an SA between MN and AR, but little work has so far been done on this. None of these protocols itself has a mechanism for establishing the SA. ==> Additional mechanism.

Vijay Varapalli: You could also think of a mechanism where there is no authentication.

Vidya Narayanan: We are also preparing a handover-key generation protocol. We have a preliminary version of the draft. -00 version by next IETF.
Rajeev Koodli: Please post it to the mailing list.

Rajeev Koodli: We need a solution to go with the existing handover protocol.

James Kempf: Security must conform to the Housley criteria. Be careful with respect to AAA.

Alper Yegin: The variety of deployment scenarios is challenging.
Jari Arkko: We need to solve the problem. If AAA is not necessary, then fine.

Hannes Tschofenig: Suggest that folks read the EAP keying framework.

Vidya Narayanan: Bootstrapping procedures can/should be different than a per-handover mechanism because it is done only once (or infrequently).
Do we need a trust relationship between access routers?



------------------------------------------------------------
3. CTP for PANA
Julien Bournelle, 10 minutes
draft-bournelle-pana-ctp-02.txt
------------------------------------------------------------

James Kempf: Security Directors may see problems. Context transfers are sometimes problematic. Protocol very complex.

Alper Yegin: I am concerned about complexity. We are here looking at three approaches at once. We need the PANA-friendly approach, but that's the one we would need in the PANA WG.

Rajeev Koodli: How urgently do you need a solution standardized in PANA WG?
Alper Yegin: I can't tell you a point in time... Let's not try to solve all proposals at once.



------------------------------------------------------------
4. Media Independent Pre-Authentication
Yoshihiro Ohba, 20 minutes
draft-ohba-mobopts-mpa-framework-00.txt
------------------------------------------------------------

Johoon: Do you have any provisioning for ping-pong handovers?
Yoshihiro Ohba: This is something that has been considered. But it is work in progress.

JinHyeock Choi: Do you pre-authenticate with the new AP?
Yoshihiro Ohba: Yes, you can do that, and we did it.
JinHyeock Choi: How long does this pre-authentication last?
Yoshihiro Ohba: See backup slides.
JinHyeock Choi: Pre-authentication may work if you have sufficient time before the handover, but this may not always be the case.
JinHyeock Choi: What is the benefit of this approach?

Problem: You cannot send the Binding Update from the old link because you have to do the CoA test on the new link.

Christian Vogt: You can send an (Early) Binding Update before the HO and do the CoA test afterwards. The EBU/CBA proposals might be a good pointer.



------------------------------------------------------------
5. Media Independent Handover Services and Interoperability
(IEEE 802.21)
Ajay Rajkumar, 15 minutes
------------------------------------------------------------

Ajay Rajkumar is the chair of the IEEE 802.21 WG

Basic assumption: The terminal has multiple interfaces

Four traffic categories: real-time, streaming, best effort, and X (Doesn't remember the fourth category. Might be background.)

Information Services (slide 5): MT could tell something about link quality, error rate, bandwidth, delay. Network could provide information about load. You need an entity in the network to facilitate this kind of information provisioning.

Where is IEEE 802.21? At L2, because IP is what we want to continue across MIH. Lower layer provides information, upper layer can request information or make commands. In which network entities does the MIH sit (in particular on the network side)? It could sit in every element, for information provisioning, e.g.

There may be L2 and L3 transport mechanisms, depending on how many hops have to be crossed.

Comments please on the list in the interest of time.



------------------------------------------------------------
6. Unified L2 Abstractions for L3-Driven Fast Handovers
(Implementation Update)
Koki Mitani, 10 minutes
------------------------------------------------------------

Comments please on the list in the interest of time.



------------------------------------------------------------
7. Network-initiated Fast Handover in Mobile IPv6
Telemaco Melia, 15 minutes
draft-melia-mobopts-niho-fmip-00
------------------------------------------------------------

Interest to the group?
Rajeev Koodli: Yes, we are interested in it, mostly in results.

Comments please on the list in the interest of time.



------------------------------------------------------------
8. DHCP Options for Fast Handovers
Takeshi Ogawa, 10 minutes
draft-ogawa-fhopt-00.txt.
------------------------------------------------------------

Comments please on the list in the interest of time.



------------------------------------------------------------
9. Early Binding Updates and Credit-Based Authorization
Christian Vogt, 10 minutes
draft-vogt-mobopts-early-binding-updates-00.txt
draft-vogt-mobopts-credit-based-authorization-00.txt
------------------------------------------------------------

Measurement results for Early Binding Updates compared to standard Mobile IPv6 with respect to TCP bulk-data downloads.

Rajeev Koodli: Can you post these results to the mailing list?
Christian Vogt: Yes, will send link to project webpage.

Comments please on the list in the interest of time.



------------------------------------------------------------
10. Location Privacy, 10 minutes, discussion
------------------------------------------------------------

Skipped in the interest of time.

Mobopts


Agenda
Intro
Sec association establishment

Update

RG status
irtf-mobopts-mip6-ro-enhancements-00
irtf-mobopts-bootstrap-key

Fairly stable

Review process - reviewers' names will be included in the review section
of the draft

Drafts submitted, ML discussion


Jari's presentation

Scope - movements

Problem - Current mobility protocols do not provide SA establishment

Config of pairwise SA bet MN-AR is not practical

Options for SA

IKE?

Key derivation as side effect of network access AAA - discussed 3 issues
may require a new node other than AP and AAA - issue1
theoretical vs. practical availability of an underlying AAA run

branch off new key hierarchy from EAP reserved keys

If this solution for practical deployment problem ?

SEND like solution?
One sided certificates for routers - used in CARD
Issue: certificate revocation checks?

Framework fundamentals

Vijay had some comments - not taken notes
-Source of Trust
- Deployment - need per MN conf?

Protocol design issues

Reuse
Layering
Separation of SA establishment
Type of SA - app specific, MIP6 BAD

Efficiency - look at # of messages and timing of the whole flow

Tentative proposal

Rely on router cert when possible

Example : CARD SEND

Use app specific security for MN if really needed
draft-kempf-handover-key-00

Separate certs/ownership vs. use of this

Vidya - draft on handover key for AR derived from AAA; expect to publish
by next IETF.



- Authorization-- what can you do with AR?

Teri Davis (Boeing) like to use PKI bridges and authentication for routers


----I did not record the presenter's name and presentation title as I got busy
signing the pink paper----


Use of CxTP for PANA

Describe two approaches of CxTP (predictive mode,
draft-ietf-pana-mobopts-00.txt


AAA interaction

AAA server wants to know the PAA in charge of PaC
- re-auth
- abort/terminate session

PANA context:
session-lifetime elapsed
AAA servers identity/PAA-AAA session id
Keying material
Filtering rules

Next steps
- separate two approaches?
- AAA key-new?
- AAA interaction impacts on PANA context
- AR_PAA interface not handled here

J. Kempf - may have trouble in security area review
Alper - run parallel CT sessions
For PANA - one solution for PANA mobopts - because
there might be many ways to do context transfers.


Media independent pre-authentication (Ashutosh Datta)
draft-ohba-mobopts-mpa-framework-00.txt

Outline

Motivation
- it is desirable to limit jitter, delay
L1 - L2 delay
L2- delay due to IP address acquisition and config. auth
L3 Binding update and media update

MPA is a mobile assisted handoff
MPA works with any mobility management protocol

Function:
1) Pre-authentication/authorization
2) Pre-configuration
3) Secured proactive handover

Protocol set for the MPA demonstration

Pre-auth protocol PANA

non-MPA - ~4s delay L2 delay (host AP driver)
MPA - ~14ms delay

More analysis needed to evaluate delay in each step
--

Ajay Rajkumar - 802.21 handover (media handover service and Interoperability)


Media independent handover services
802.3, 11, 15, .16

Between 802.xx and cellular

- 3GPP standards
- 3GPP2 standards

- Bet 802.11 ESS (extended service set)

Heterogeneous handover mean?

- Session continuity at the IP layer
- adaptation to new link at layer two
- address continuity at layer three

- Service Continuity at application layer

Functional requirements

Service continuity
class of apps
Qos
Network discovery
Information discovery (network selection)
Security
Power mgmt
Handover policy shall not be defined

(not defining policies though - impl will decide them)

Active work items
- Media independent handover model
- event/trigger service model
- Information service


MIH model

- Should it be a layer?
- Should an API be defined?
- Should transport be defined?


Event/Trigger service model

- Local triggers
from/to MIH

What kind of triggers?
LINK UP/DOWN - pre-authenticated, post authenticated link up/down

- Peer-to-peer remote triggers

-Several modes of transports
Media specific transport
IP based
MAC based
802.21 specific ethertype


Call for proposals
Submission deadline Jan 10, 2005; IEEE meeting next week.

-

Koki Mitani - L2 abstractions for L3 Fast handover
Fmipv6 for BSD : Tarzan

Discussed L3 driven Fast handover on predictive Lin6
L3 driven Fast HO was evaluated


Current MIP6 extn to reduce HO latency taken into
acct only MTIHO
Reference scenario was discussed.


MTIHO vs NIHO
-----
draft-ogawa-fhopt-00.txt

DHCP based Fast HO protocol

IP layer F handover is required for realtime, inexpensive way

Problem - device upgrade

With Fast RA and FMIP, there is no function to reduce the L2
HO processing time.

DHCP based Fast HO protocols

Christian V. - TCP download with early BU preliminary simulation results
Kame-shisha MIP6 implementation
Dummynet to simulate delays
App - Chargen over TCP
Movement : Bet, foreign networks
Focus of this preso - signaling no credit based authorization

Home reg = 100ms
CN reg = 200ms
Early BU - ~100ms

TCP thruput gives some advantage after 25 sec with early BU

scenario 2:
Home Agent reg = 200ms
CN reg = 400ms, BU 100ms

EBU has much advantage here over regular BU.

Future work
Deeper TCP behavior analysis
Different apps (voice)






Slides

Agenda
Security Association Establishment for Handover Protocols
Use of CxTP for PANA
Media-Independent Pre-Authentication
Media Independent Handover Services and Interoperability
DHCP-based Fast Handover protocol
TCP Download with Early Binding Updates Preliminary Simulation Results
Protocol for Hiding Movement of Mobile Nodes in Mobile IPv6
Some thoughts on MN – AR SA establishment