Some thoughts on MN – AR SA establishment. Many mobility protocols need a security association (not necessarily IPsec) between a Mobile Node and a network node, typically an access router. Examples: Context Transfer, Fast Handover, CARD.
Some thoughts on MN – AR SA establishment
• Many mobility protocols need a security association (not necessarily IPsec) between a Mobile Node and a network node, typically an access router
  • Examples: Context Transfer, Fast Handover, CARD
• The mobility protocols themselves cannot establish a security association
• What are the options?
Options for SA establishment
• AAA based access authentication?
  • Used in 3GPP2
  • A way to derive keys which can be used later for Mobile IPv6 BU
• SEND-based
  • Public hotspots?
• IKE?
  • Issue: Certificate provisioning between MN and an arbitrary visited network router
• EAP-based keying?
  • EAP-over-any-access-network?
  • Keep Type-specific authentication mechanism open
• Note: specifying a single mechanism appears not worthwhile. Instead, a framework may be the best option available
Framework
• Assuming that a framework is the way to go forward, what are the specific requirements?
• An option such as BAD is almost necessary
  • BAD would work readily with Mobility Header messages
  • Perhaps it is a good idea to have all MN – AR messaging use MH messages?
• We need a reference (ID, RFC) which can be used to address the security considerations of mobility protocols