Document Action: 'Handover Key Management and Re-authentication Problem Statement' to Informational RFC

The IESG has approved the following document:

- 'Handover Key Management and Re-authentication Problem Statement'
   <draft-ietf-hokey-reauth-ps-09.txt> as an Informational RFC

This document is the product of the Handover Keying Working Group. 

The IESG contact persons are Tim Polk and Sam Hartman.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-hokey-reauth-ps-09.txt

Technical Summary
 
The current Extensible Authentication Protocol (EAP) keying framework is
not designed to support re-authentication and handovers.  This is often
the cause of unacceptable latency in various delay-sensitive environments
(such as mobile wireless networks).  The HOKEY Working Group plans to
address these problems by designing a generic mechanism to reuse derived
EAP keying material for handover.  This document describes the Handover
Keying (HOKEY) problem statement. 
 
Working Group Summary
 
This document is a product of the hokey working group, and represents
rough consensus of the working group.
  
Protocol Quality
 
This document has been reviewed extensively and the Document Shepherd
believes it to be of high quality.  This document was reviewed for the
IESG by Tim Polk.

Note to RFC Editor
 
Please replace Section 6.2 with the following text:

6.2. IEEE 802.11r Applicability

   One of the EAP lower layers, IEEE 802.11 [IEEE.802-11R-D9.0], is in
   the process of specifying a fast handover mechanism.  Access Points
   (APs) are grouped into mobility domains.  Initial authentication to
   any AP in a mobility domain requires execution of EAP, but handover
   between APs within the mobility domain does not require the use of
   EAP.

   Internal to the mobility domain are sets of security associations to
   support key transfers between APs.  In one model, relatively few
   devices, called R0-KHs, act as authenticators.  All EAP traffic
   traverses an R0-KH, and it derives the initial IEEE 802.11 keys.
   It then distributes cryptographically separate keys to APs in the
   mobility domain, as necessary, to support the client mobility.  For a
   deployment with M designated R0-KHs and N APs, this requires M*N
   security associations.  For small M, this approach scales reasonably.
   Another approach allows any AP to act as an R0-KH, necessitating a
   full mesh of N^2 security associations, which scales poorly.

   The model that utilizes designated R0-KHs is architecturally similar
   to the fast re-authentication model proposed by HOKEY.  HOKEY,
   however, allows for handover between authenticators.  This would
   allow an IEEE 802.11r-enabled peer to hand over from one mobility
   domain to another without performing an EAP authentication.
