Re: [802.21] Security SG: Scope issues
Hi all,
Please, see my opinion on scope-related issues below.
Issue 1: Should we support non-EAP in addition to EAP?
I think that we don't need to support non-EAP in addition to EAP because
most of 802 networks support EAP. 3GPP proposes UMA (Unlicensed Mobile
Access) for inter-technology (but inter-domain) handover that also uses
EAP for authentication.
It is difficult to find a single solution supporting both EAP and non-EAP.
Issue 2: Should we support handover to/from non-802 networks in
addition to handover within 802 networks?
We should support handover to/from non-802 networks since dual-mode
(cellular/802) devices are widely used today. If we do not support
handover to/from 802 networks, the study group will not match the scope
of 802.21.
Issue 3: Should we support inter-administrative-domain handover?
Yes, we should support inter-administrative-domain handover. Users may
have multiple subscriptions and service providers create federations. In
such circumstances the user will certainly hand over from one access
network belonging to one administrative domain to another access network
belonging to another administrative domain.
Will the MIH level security be discussed during the SG conference call
today?
I would like to summarize my points on this issue:
1. The security solutions to protect MIHF and communication between them
should be implementation dependent.
2. We should define security objectives for each entity participating in
handover preparation such as in which case we need mutual
authentication/one side authentication, which information requires only
integrity protection and which requires confidentiality and message
authentication.
3. It is necessary to define which identities are used by MNs and by
network entities and how different authorization rights are mapped to
different identities.
4. Anyway, we should analyse different security solutions (such as
IPSec, TLS, authentication) in terms of performance and resource
consumption and provide a kind of recommendation information for MIH
level security deployment.
There are several works on this subject done in Mipshop:
* Mobility Services Transport: Problem Statement (draft-ietf-mipshop-mis-ps-04)
* Transport of Media Independent Handover Messages Over IP (draft-rahman-mipshop-mih-transport-03.txt)
* Design Considerations for the Common MIH Protocol Functions (draft-hepworth-mipshop-mih-design-considerations-01)
Please find a more detailed problem statement in the attachment.
Best regards,
Maryna Komarova
Yoshihiro Ohba wrote:
>In November meeting, we had a straw poll related to scope issues on
>SSOH (Security Signaling Optimization during Handover) problem. The
>result was:
>
> Support EAP: Yes(20)/No(0)
> Support Non-EAP: Yes(10)/ No(7)
> Support inter-technology handover: Yes(21)/No(0)
>
>We need more detailed discussion to make a decision. Please state
>your opinion (as detailed as possible) on the scope-related issues
>listed below by next Security SG teleconference on December 18, 2007.
>If those issues are resolved, we will be in a good position to come to
>an agreement on PAR/5C in January!
>
>Issue 1: Should we support non-EAP in addition to EAP?
>
>Issue 2: Should we support handover to/from non-802 networks in
>addition to handover within 802 networks?
>
>Issue 3: Should we support inter-administrative-domain handover?
>
>The definition of "administrative domain" is given below:
>
>"
>Administrative Domain
>
> A collection of End Systems, Intermediate Systems, and
> subnetworks operated by a single organization or administrative
> authority. The components which make up the domain are assumed
> to interoperate with a significant degree of mutual trust among
> themselves, but interoperate with other Administrative Domains
> in a mutually suspicious manner.
>
> Administrative Domains can be organized into a loose hierarchy
> that reflects the availability and authoritativeness of
> authentication and authorization information. This hierarchy does
> not imply administrative containment, nor does it imply a strict
> tree topology.
>"
>
>Best Regards,
>Yoshihiro Ohba
>
>
--
Best regards,
Maryna Komarova
PhD student
Département Informatique et Réseaux
ENST (Telecom-Paris)
37/39 rue Dareau
75634 Paris, France
MIH_protocol_security.ppt