Local Security Association (LSA)
The Temporary Shared Key (TSK)
draft-le-aaa-lsa-tsk-00.txt
Stefano M. Faccin, Franck Le

What?
• A secure mechanism to set up a Local Security Association between the user and the visited domain
• An LSA can be utilized for various purposes, including:
  – securing message exchanges between the user and the visited domain
  – deriving secondary LSAs between the user and the visited domain without involving the home domain
• The mechanism proposed in the draft defines a Temporary Shared Key to set up the LSA
• Mechanisms to set up LSAs can be of benefit to URP as an edge protocol (LSA between the user and the Registration Agent or Access Router)

The Framework
[Figure: framework diagram showing NAS, FA, AAAc/RA (URP), AAAl (Visited Domain) and AAAh (Home Domain), with the scope of the LT-SA (user to home domain) and the scope of the LSA (user to visited domain) marked]
Assumptions:
• a long-term SA (LT-SA) is shared between the user and its home domain
• the long-term SA is used for:
  – user/network authentication
  – generation of LSAs

TSK Features
• The Temporary Shared Key is securely established between the user and the visited domain
• TSK allows subsequent:
  – user authentication without involvement of the home domain
  – network authentication without involvement of the home domain
  – establishment of secondary LSAs (e.g. MN-AR, MN-FA)

TSK Applicability
• applicable to any application, e.g.
  – Mobile IPv4: authentication, key distribution
• Examples of key distribution scenarios:
  – key distribution to FA (MIPv4)
  – key distribution to HA in a foreign domain (MIPv4)
  – keys for User-AR: data protection over the access link

TSK Benefits
• Use of TSK reduces the signaling between the home and visited domains
  – enables frequent user authentications
  – enables frequent refreshing of secondary LSAs
• Use of TSK reduces the time delay of procedures (user authentication and key distribution)

draft-le-aaa-lsa-tsk-00.txt
• The TSK draft describes the procedures for:
  – TSK Establishment
  – TSK Distribution
  – TSK Update
  – TSK Revocation

TSK and URP
• draft-le-aaa-lsa-tsk-00.txt describes the exchange of information between the user and the visited and home domains
• No protocol is specified to carry such information
• URP is a good candidate
• Usage of LSA empowers URP as an edge protocol
• Relation between URP and AAA from the point of view of LSA:
  – the Registration Agent is the AAAc

Conclusion
• A potential mechanism for URP to set up a Local Security Association between the user and the visited/access network: the TSK
• TSK as the mechanism used together with URP to set up the LSA
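The key hierarchy the slides describe (LT-SA with the home domain, TSK with the visited domain, secondary LSAs such as MN-AR derived locally), as an added Python model that is not code from the draft or its authors. The draft fixes no key derivation function or message formats, so the HMAC-SHA256 labelled derivation, the challenge-response authentication and the identities used here are all assumptions; the point shown is that only TSK establishment touches the LT-SA, while authentication, secondary-LSA derivation and update run between user and visited domain alone.

```python
import hmac
import hashlib
import os

def kdf(parent, label, *ctx):
    """HMAC-SHA256 labelled derivation (an assumption here; the draft fixes no KDF)."""
    mac = hmac.new(parent, label.encode(), hashlib.sha256)
    for c in ctx:
        mac.update(c)
    return mac.digest()

def establish_tsk(lt_sa, user_id, visited_id, nonce):
    """TSK establishment: the only step that needs the LT-SA, i.e. the home domain."""
    return kdf(lt_sa, "TSK", user_id.encode(), visited_id.encode(), nonce)

def auth_response(tsk, role, challenge):
    """Challenge-response under the TSK; role is 'user' or 'network'."""
    return kdf(tsk, "AUTH-" + role, challenge)

def verify_auth(tsk, role, challenge, response):
    return hmac.compare_digest(auth_response(tsk, role, challenge), response)

def secondary_lsa_key(tsk, peer, nonce):
    """Secondary LSA (e.g. MN-AR, MN-FA) derived from the TSK by both sides locally."""
    return kdf(tsk, "LSA-" + peer, nonce)

def run_scenario(lt_sa):
    user, visited = "user@home.example", "visited.example"   # constructed identities
    # 1. Establishment/distribution: home derives the TSK and hands it to the visited
    #    domain; the user derives the same value from its own copy of the LT-SA.
    n_tsk = os.urandom(16)
    tsk_visited = establish_tsk(lt_sa, user, visited, n_tsk)
    tsk_user = establish_tsk(lt_sa, user, visited, n_tsk)
    # 2. Mutual authentication between user and visited domain, no home involvement.
    c_net, c_user = os.urandom(16), os.urandom(16)
    user_ok = verify_auth(tsk_visited, "user", c_net, auth_response(tsk_user, "user", c_net))
    net_ok = verify_auth(tsk_user, "network", c_user, auth_response(tsk_visited, "network", c_user))
    # 3. Secondary LSA for the access link (MN-AR), again without the home domain.
    n_ar = os.urandom(16)
    k_ar_user = secondary_lsa_key(tsk_user, "AR", n_ar)
    k_ar_visited = secondary_lsa_key(tsk_visited, "AR", n_ar)
    # 4. Update: a fresh nonce yields a new TSK, so old secondary keys can be retired.
    tsk_new = establish_tsk(lt_sa, user, visited, os.urandom(16))
    return {"user_auth": user_ok, "network_auth": net_ok,
            "ar_key_agreed": k_ar_user == k_ar_visited,
            "ar_key_differs_from_tsk": k_ar_user != tsk_user,
            "tsk_updated": tsk_new != tsk_visited}
```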