Some thoughts on MN

1
Some thoughts on MN AR SA establishment

• Many mobility protocols need security association
  (not necessarily Ipsec) between a Mobile Node and
  a network node, typically an access router
• Examples Context Transfer, Fast Handover, CARD
• The mobility protocols themselves cannot
  establish a security association
• What are the options?

2
Options for SA establishment

• AAA based access authentication?
• Used in 3GPP2
• A way to derive keys which can be used later for
  Mobile IPv6 BU
• SEND-based
• Public hotspots?
• IKE?
• Issue Certificate provisioning between MN and an
  arbitrary visited network router
• EAP-based keying?
• EAP-over-any-access-network?
• Keep Type-specific authentication mechanism open
• Note specifying a single mechanism appears not
  worthwhile. Instead, a framework may be the best
  option available

3
Framework

• Assuming that a framework is the way to go
  forward, what are the specific requirements?
• An option such as BAD is almost necessary
• BAD would work readily with Mobility Header
  messages
• Perhaps it is a good idea to have all MN AR
  messaging to use MH messages?
• We need a reference (ID, RFC) which can be used
  to address the security considerations of
  mobility protocols