
Re: [802.21] Security SG: Scope issues



Hi all,
Please, see my opinion on scope-related issues below.

Issue 1: Should we support non-EAP in addition to EAP?

I think that we don't need to support non-EAP in addition to EAP because 
most 802 networks support EAP. 3GPP proposes UMA (Unlicensed Mobile 
Access) for inter-technology (but inter-domain) handover, which also uses 
EAP for authentication.
It is difficult to find a single solution supporting both EAP and non-EAP.

Issue 2: Should we support handover to/from non-802 networks in
addition to handover within 802 networks?

We should support handover to/from non-802 networks since dual-mode 
(cellular/802) devices are widely used today. If we do not support 
handover to/from 802 networks, the study group will not match the scope 
of 802.21.

Issue 3: Should we support inter-administrative-domain handover?

Yes, we should support inter-administrative-domain handover. Users may 
have multiple subscriptions, and service providers create federations. In 
such circumstances the user will certainly hand over from one access 
network belonging to one administrative domain to another access network 
belonging to another administrative domain.

Will the MIH level security be discussed during the SG conference call 
today?
I would like to summarize my points on this issue:
1. The security solutions to protect MIHF and communication between them 
should be implementation dependent.
2. We should define security objectives for each entity participating in 
handover preparation such as in which case we need mutual 
authentication/one side authentication, which information requires only 
integrity protection and which requires confidentiality and message 
authentication.
3. It is necessary to define which identities are used by MNs and by 
network entities and how different authorization rights are mapped to 
different identities.
4. Anyway, we should analyse different security solutions (such as 
IPSec, TLS, authentication) in terms of performance and resource 
consumption and provide a kind of recommendation information for MIH 
level security deployment.
There are several works on this subject done in Mipshop:
* Mobility Services Transport: Problem Statement, draft-ietf-mipshop-mis-ps-04
* Transport of Media Independent Handover Messages Over IP, 
draft-rahman-mipshop-mih-transport-03
* Design Considerations for the Common MIH Protocol Functions, 
draft-hepworth-mipshop-mih-design-considerations-01

Please find a more detailed problem statement in the attachment.

Best regards,
Maryna Komarova

Yoshihiro Ohba wrote:

>In November meeting, we had a straw poll related to scope issues on
>SSOH (Security Signaling Optimization during Handover) problem.  The
>result was:
>
>  Support EAP: Yes(20)/No(0) 
>  Support Non-EAP: Yes(10)/ No(7)
>  Support inter-technology handover: Yes(21)/No(0)
>
>We need more detailed discussion to make a decision.  Please state
>your opinion (as detailed as possible) on the scope-related issues
>listed below by next Security SG teleconference on December 18, 2007.
>If those issues are resolved, we will be in a good position to come to
>an agreement on PAR/5C in January!
>
>Issue 1: Should we support non-EAP in addition to EAP?
>
>Issue 2: Should we support handover to/from non-802 networks in
>addition to handover within 802 networks?
>
>Issue 3: Should we support inter-administrative-domain handover?
>
>The definition of "administrative domain" is given below:
>
>"
>Administrative Domain
>
>  A collection of End Systems, Intermediate Systems, and
>  subnetworks operated by a single organization or administrative
>  authority.  The components which make up the domain are assumed
>  to interoperate with a significant degree of mutual trust among
>  themselves, but interoperate with other Administrative Domains
>  in a mutually suspicious manner.
>
>  Administrative Domains can be organized into a loose hierarchy
>  that reflects the availability and authoritativeness of
>  authentication and authorization information.  This hierarchy does
>  not imply administrative containment, nor does it imply a strict
>  tree topology.
>"
>
>Best Regards,
>Yoshihiro Ohba


-- 
Best regards,
Maryna Komarova
PhD student
Département Informatique et Réseaux 
ENST (Telecom-Paris)
37/39 rue Dareau
75634 Paris, France

MIH_protocol_security.ppt