An IKEv2-Based Hybrid Authentication Scheme for Simultaneous Access Network and Home Network Authentication

Abstract

To access Internet services supported in a home network, a mobile node must obtain the right to use an access network, and it must be able to contact a home network gateway to access the Internet in the home network. This means that the device must be authenticated by an AP to use the access network, and it must additionally be authenticated by the home network gateway to access its home network. EAP-PEAP is currently the most commonly used authentication protocol in access networks, and IKEv2 is common security protocol for mutual authentication on the Internet. As the procedures in EAP-PEAP and IKEv2 are quite similar, EAP-PEAP can be replaced by IKEv2. If the access network authentication uses IKEv2-based protocols and the home network authentication also uses IKEv2, the IKEv2 messages exchanged in each authentication become duplicated. However, it should be noted that EAP-IKEv2 is not able to carry EAP exchanges. We propose a hybrid authentication mechanism that can be used to authenticate a mobile node for both networks simultaneously. The proposed mechanism is based on the IKEv2-EAP exchanges instead of the EAP exchanges currently used to authenticate the access network, but our scheme adopts the encapsulation method defined by EAP-IKEv2 to transport the IKEv2 message over IEEE 802.11 so as not to change the current access network authentication architecture and the message format used by the authentication protocols. The scheme authenticates both networks through a single IKEv2 authentication, rather than two authentication procedures - one for the access network and one for the home network. This reduces the number of exchanged messages and authentication time.