Exploring EAP-AKA Fast Re-authentication Enhancement
| Qin Wu |
| RFC5296 ERP and RFC4187 EAP-AKA both include support for fast re-authentication. | |
| AKA has been widely deployed in 3GPP system, while ERP has not be deployed in the real-life environment. | |
Relevant Work on
ERP Fast Re-authentication
Relevant work on EAP-AKA Fast Re-authentication
| 1. How to identify the fast re-authentication? | ||
| For ERP, two new EAP codes (Initiate, Finish) are specified for re-authentication. | ||
| For EAP-AKA, a special identity (fast re-authentication identity) is generated to support re-authentication. The identity is one-time identity. The new identity is delivered during re-authentication processing. | ||
| O1:The identity is one-time identity, which is delivered within EAP-AKA exchange each time. It brings one more round trip time. | ||
| 2.Where is the re-authentication terminated? | ||
| For ERP, the re-authentication is terminated at local ER server, not home EAP server. | ||
| For EAP-AKA, the re-authentication is terminated at home EAP server, not in local domain. | ||
| O2:The total time of EAP-AKA is increased due to the additional round trip time between local server and home server. | ||
| Is it possible/necessary to further reduce latency with optimization of the EAP-AKA method? | |
| www.ietf.org |