MIP6 Working Group                              G. Giaretta
Internet Draft                                  I. Guardini
Expires: April 2005                             E. Demaria
                                                TILab
                                                J. Bournelle
                                                M. Laurent-Maknavicius
                                                GET/INT
                                                October 2004


        Application Master Session Key (AMSK) for Mobile IPv6


Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667. By submitting this Internet-Draft, I
   certify that any applicable patent or other IPR claims of which I am
   aware have been disclosed, and any of which I become aware will be
   disclosed, in accordance with RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   The Extensible Authentication Protocol (EAP) defines an extensible
   framework for performing network access authentication. Most EAP
   authentication algorithms, also known as "methods", export keying
   material that can be used with lower layer ciphersuites. It is also
   possible for EAP peers to exploit the EAP keying framework to derive
   Application Master Session Keys (AMSKs) for specific applications.

   This document defines how to generate an Application Master Session
   Key (AMSK) specific to Mobile IPv6. This AMSK can be used by Mobile
   Node and Home Agent as the shared secret needed to bootstrap Mobile
   IPv6 protocol operation.

Giaretta, et al.          Expires - April 2005                 [Page 1]
Internet-Draft            AMSK for Mobile IPv6             October 2004

Table of Contents

   1. Introduction
   2. Terminology
   3. Operational Flow
   4. AMSK derivation
   5. Usage Scenario
   6. Security Considerations
   Acknowledgments
   References
   Authors' Addresses
   Intellectual Property Statement

1. Introduction

   Mobile IPv6 (MIPv6) requires that Mobile Nodes (MNs) and Home Agents
   (HAs) share a security association to protect binding management
   signaling. The MIPv6 protocol specification mandates the use of
   IPsec for this purpose [1] and therefore requires the MN to be
   provisioned with the data needed to bootstrap an IPsec Security
   Association (SA) with its Home Agent. This is one of the main issues
   of the so-called Mobile IPv6 bootstrapping problem [2].

   The IPsec SA between MN and HA can be established from a shared
   secret using IKE with Pre-Shared Key (PSK) authentication [3]. In
   scenarios where network access control is based on EAP, that shared
   secret (i.e. PSK) can be derived from the EAP key hierarchy [4].
   Clearly this solution requires the use of an EAP method capable of
   exporting keying material to other applications.

   This document defines how to generate an Application Master Session
   Key (AMSK) specific to Mobile IPv6. This AMSK can be used by MN and
   HA as the PSK needed to establish the IPsec Security Association
   through IKE.

2. Terminology

   Most of the terms used in this document are defined in this section;
   more detailed general mobility and EAP terminology can be found in
   [5] and [4].

   MSK         Master Session Key

               Keying material that is derived between the EAP peer and
               server and exported by the EAP method. The MSK is at
               least 64 octets in length.

   EMSK        Extended Master Session Key

               Additional keying material derived between the peer and
               server that is exported by the EAP method. The EMSK is
               at least 64 octets in length, and is never shared with a
               third party.

   AMSK        Application Master Session Key

               Keys derived from the EMSK which are cryptographically
               separate from each other.

   MN          Mobile Node

               A node that can change its point of attachment from one
               link to another, while still being reachable via its
               home address.

   HA          Home Agent

               A router on a mobile node's home link with which the
               mobile node has registered its current care-of address.
               While the mobile node is away from home, the home agent
               intercepts packets on the home link addressed to the
               mobile node's home address, encapsulates them, and
               tunnels them to the mobile node's registered care-of
               address.

   BU          Binding Update

               A message indicating a mobile node's current mobility
               binding, and in particular its care-of address.

   BA          Binding Acknowledgement

               A message used to acknowledge receipt of a Binding
               Update.

   AAA server  A server that provides authentication, authorization and
               accounting services. It is the server that terminates
               the EAP authentication method with the peer.

3. Operational Flow

   Figure 1 shows how the AMSK defined in this document is derived and
   distributed. The procedure requires an EAP method capable of
   exporting dynamic keys (e.g. EAP-FAST [6], PEAPv2 [7], EAP-SIM [8],
   EAP-AKA [9]) and involves the following steps:

   - the MN and the AAA server of the home domain undertake the EAP
     exchange for user authentication. The EAP method must support the
     derivation of an Extended Master Session Key (EMSK) on EAP peers;

   - at the end of the EAP exchange, MN and AAA server (i.e. the EAP
     peers) derive MSK and EMSK;

   - MN and AAA server derive an AMSK for MIPv6 from the EMSK. The key
     derivation function is described in section 4. The lifetime of the
     AMSK is managed as a system parameter and must not be higher than
     the lifetime of the EMSK (as stated in [4]). As a default choice
     the two lifetimes should be equal;

   - the AAA server sends the AMSK and the associated lifetime to the
     Home Agent (HA) using a suitable AAA-HA protocol (e.g. a new
     Diameter application), whose definition is out of the scope of the
     present document. The AAA server must specify a MN's identifier
     (e.g. NAI) to allow the HA to bind the AMSK with incoming MIPv6
     signaling;

   - afterwards the Mobile IPv6 AMSK can be used by the MN and the
     designated HA to derive the Pre-Shared Key (PSK) for IPsec
     bootstrapping (see section 5.1).

                                 AAA
   MN +-----------------------+ server +-----------------+ HA

     /-------------------------\
    /            EAP            \
    \          exchange         /
     \-------------------------/

   +------+                    +------+
   | EMSK |                    | EMSK |
   +------+                    +------+

   +------------+           +------------+
   | MIP6-AMSK  |           | MIP6-AMSK  |
   | derivation |           | derivation |
   +------------+           +------------+

                                     /------------------\
                                    /     MIPv6-AMSK     \
                                    \      transfer      /
                                     \------------------/

                       Figure 1 - Message Flow

4. AMSK derivation

   The Mobile IPv6 AMSK is derived through the key derivation function
   specified in [4] and shown below for the sake of clarity.

   KDF (K,L,D,O) = T1 | T2 | T3 | T4 | ...
   where:

      T1 = prf (K, S | 0x01)
      T2 = prf (K, T1 | S | 0x02)
      T3 = prf (K, T2 | S | 0x03)
      T4 = prf (K, T3 | S | 0x04)

      prf = HMAC-SHA1
      K = EMSK
      L = key label
      D = application data
      O = OutputLength (2 bytes)
      S = L | " " | D | O

   The application specific parameters are set as follows:

   - key label = "MIPv6-key"

   - application data = Home Agent address

   - output length = 128 bits

   The application data is needed to guarantee the generation of
   independent AMSKs for different HAs and different MNs. The former is
   guaranteed by the availability of the HA address in the application
   data. The latter is guaranteed by the EMSK, which is bound to the
   EAP session and therefore MN-specific.

   If the MN has several home addresses allocated by the same HA, it
   can use the same AMSK for all the corresponding IKE sessions.
   Avoiding the insertion of the home address in the application data
   has the additional advantage of allowing the MN to derive the AMSK
   even if it does not know its home address. This is what might happen
   in some dynamic home address assignment scenarios.

   As specified in [4], the lifetime of keys calculated from key
   material exported by EAP methods cannot be longer than the lifetime
   of the exported keying material. As a default choice the lifetime of
   AMSK for MIPv6 is set equal to the lifetime of the EMSK and must be
   sent by the AAA server to the HA.

5. Usage Scenario

   The Mobile IPv6 AMSK, possibly truncated, can be directly used as
   the PSK needed to bootstrap the IPsec Security Association between
   MN and HA through IKE.

   Since the key serves only for identity verification and not for
   ciphering purposes, there is no need to re-generate the PSK at
   regular intervals. However, the MIPv6 AMSK, and consequently also
   the PSK, must be refreshed whenever a new EMSK is generated (i.e.
   during re-authentication events).
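
   The derivation of section 4 and the refresh rule above, as an added
   Python example (not part of the draft): it derives the MIPv6 AMSK
   and shows that the key changes with the HA address and with the
   EMSK. The encoding of O as a 2-byte big-endian bit count, the binary
   form of the HA address, and the sample EMSKs and addresses are
   assumptions; the separator in S is taken as printed in section 4.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY_LABEL = b"MIPv6-key"   # key label from section 4
OUTPUT_BITS = 128          # output length from section 4
SEPARATOR = b" "           # separator inside S, exactly as printed in section 4


def kdf(k: bytes, label: bytes, data: bytes, out_bits: int) -> bytes:
    """KDF(K,L,D,O) = T1 | T2 | ... with prf = HMAC-SHA1 (section 4)."""
    # Assumption: O is the output length in bits, 2 bytes, big-endian.
    s = label + SEPARATOR + data + struct.pack(">H", out_bits)
    out_len = (out_bits + 7) // 8
    out, t, counter = b"", b"", 1
    while len(out) < out_len:
        if counter > 0xFF:
            raise ValueError("requested output exceeds 255 PRF blocks")
        # T1 = prf(K, S | 0x01); Tn = prf(K, T(n-1) | S | n)
        t = hmac.new(k, t + s + bytes([counter]), hashlib.sha1).digest()
        out += t
        counter += 1
    return out[:out_len]


def mip6_amsk(emsk: bytes, ha_address: str) -> bytes:
    """Derive the 128-bit Mobile IPv6 AMSK for one Home Agent."""
    if len(emsk) < 64:
        raise ValueError("EMSK must be at least 64 octets")
    # Assumption: application data is the 16-octet binary HA address,
    # so equivalent textual spellings of the address give the same key.
    data = ipaddress.IPv6Address(ha_address).packed
    return kdf(emsk, KEY_LABEL, data, OUTPUT_BITS)


# Constructed sample inputs (not real keys; documentation prefix 2001:db8::/32).
EMSK_OLD = bytes(range(64))
EMSK_NEW = bytes(range(64, 128))   # EMSK after a re-authentication
HA_1, HA_2 = "2001:db8:1::1", "2001:db8:2::1"

if __name__ == "__main__":
    for name, emsk, ha in [("HA 1, first EMSK", EMSK_OLD, HA_1),
                           ("HA 2, first EMSK", EMSK_OLD, HA_2),
                           ("HA 1, new EMSK  ", EMSK_NEW, HA_1)]:
        print(f"{name}: {mip6_amsk(emsk, ha).hex()}")
```
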

   Nonetheless, the derivation of a new PSK should not cause the
   immediate re-negotiation of a new IKE SA or IPsec SA. Any on-going
   IKE SA or IPsec SA should continue until its expiration. Instead,
   the negotiation (or re-negotiation) of a new IKE SA or IPsec SA must
   use the new pre-shared key derived from the latest MIPv6 AMSK.

6. Security Considerations

   Sending the AMSK for Mobile IPv6 from the AAA server to the HA
   requires that the protocol used for AAA-HA communication provides
   mutual authentication, integrity/replay protection and
   confidentiality.

   Moreover, since this document is strongly based on EAP [10] and the
   EAP Keying Management Framework [4], additional security
   considerations are bound to those valid for the EAP Keying Framework
   (section 5 of [4]).

Acknowledgments

   The authors would like to thank Alpesh Patel for reviewing the
   document.

References

   [1]  Johnson, D., Perkins, C. and J. Arkko, "Mobility Support in
        IPv6", RFC 3775, June 2004.

   [2]  Patel, A. et al., "Problem Statement for bootstrapping Mobile
        IPv6", draft-ietf-mip6-bootstrap-ps-00 (work in progress), July
        2004.

   [3]  Arkko, J., Devarapalli, V. and F. Dupont, "Using IPsec to
        Protect Mobile IPv6 Signaling between Mobile Nodes and Home
        Agents", RFC 3776, June 2004.

   [4]  Aboba, B., Simon, D., Arkko, J. and H. Levkowetz, "EAP Key
        Management Framework", draft-ietf-eap-keying-03 (work in
        progress), July 2004.

   [5]  Manner, J. and M. Kojo, "Mobility Related Terminology", RFC
        3753, June 2004.

   [6]  Cam-Winget, N., McGrew, D., Salowey, J. and H. Zhou, "EAP
        Flexible Authentication via Secure Tunneling (EAP-FAST)",
        draft-cam-winget-eap-fast-00.txt (work in progress), February
        2004.

   [7]  Palekar, A. et al., "Protected EAP Protocol (PEAP) Version 2",
        draft-josefsson-pppext-eap-tls-eap-08 (work in progress), July
        2004.

   [8]  Haverinen, H. and J. Salowey, "Extensible Authentication
        Protocol Method for GSM Subscriber Identity Modules (EAP-SIM)",
        draft-haverinen-pppext-eap-sim-13 (work in progress), April
        2004.

   [9]  Arkko, J. and H. Haverinen, "EAP-AKA Authentication",
        draft-arkko-pppext-eap-aka-12 (work in progress), April 2004.

   [10] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J. and H.
        Levkowetz, "Extensible Authentication Protocol (EAP)", RFC
        3748, June 2004.

   [11] Giaretta, G., Guardini, I., Demaria, E., Bournelle, J. and M.
        Laurent-Maknavicius, "MIPv6 Authorization and Configuration
        based on EAP", draft-giaretta-mip6-authorization-eap-02 (work
        in progress), October 2004.

Authors' Addresses

   Gerardo Giaretta
   Telecom Italia Lab
   via G. Reiss Romoli, 274
   10148 TORINO
   Italy
   Phone: +39 011 2286904
   Email: gerardo.giaretta@tilab.com

   Ivano Guardini
   Telecom Italia Lab
   via G. Reiss Romoli, 274
   10148 TORINO
   Italy
   Phone: +39 011 2285424
   Email: ivano.guardini@tilab.com

   Elena Demaria
   Telecom Italia Lab
   via G. Reiss Romoli, 274
   10148 TORINO
   Italy
   Phone: +39 011 2285403
   Email: elena.demaria@tilab.com

   Julien Bournelle
   GET/INT
   9 rue Charles Fourier
   Evry 91011
   France
   Email: julien.bournelle@int-evry.fr

   Maryline Laurent-Maknavicius
   GET/INT
   9 rue Charles Fourier
   Evry 91011
   France
   Email: maryline.maknavicius@int-evry.fr

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed
   to pertain to the implementation or use of the technology described
   in this document or the extent to which any license under such
   rights might or might not be available; nor does it represent that
   it has made any independent effort to identify any such rights.
   Information on the procedures with respect to rights in RFC
   documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   ietf-ipr@ietf.org.

Full Copyright Statement

   Copyright (C) The Internet Society (2004). All Rights Reserved.

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

Disclaimer of Validity

   This document and the information contained herein are provided on
   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.