Re: [802.21] Security SG: Scope issues
Maryna,
Thanks for your opinion.
We shall discuss your slides on MIH level security as well.
Yoshihiro Ohba
On Tue, Dec 18, 2007 at 12:55:05PM +0100, komarova wrote:
> Hi all,
> Please, see my opinion on scope-related issues below.
>
> Issue 1: Should we support non-EAP in addition to EAP?
>
> I think that we don't need to support non-EAP in addition to EAP because
> most 802 networks support EAP. 3GPP proposes UMA (Unlicensed Mobile
> Access) for inter-technology (but inter-domain) handover that also uses
> EAP for authentication.
> It is difficult to find a single solution supporting both EAP and non-EAP.
>
> Issue 2: Should we support handover to/from non-802 networks in
> addition to handover within 802 networks?
>
> We should support handover to/from non-802 networks since dual-mode
> (cellular/802) devices are widely used today. If we do not support
> handover to/from 802 networks, the study group will not match the scope
> of 802.21.
>
> Issue 3: Should we support inter-administrative-domain handover?
>
> Yes, we should support inter-administrative-domain handover. Users may
> have multiple subscriptions and service providers create federations. In
> such circumstances the user will certainly hand over from one access
> network belonging to one administrative domain to another access network
> belonging to another administrative domain.
>
> Will the MIH level security be discussed during the SG conference call
> today?
> I would like to summarize my points on this issue:
> 1. The security solutions to protect MIHF and communication between them
> should be implementation dependent.
> 2. We should define security objectives for each entity participating in
> handover preparation, such as in which cases we need mutual
> authentication or one-side authentication, which information requires only
> integrity protection, and which requires confidentiality and message
> authentication.
> 3. It is necessary to define which identities are used by MNs and by
> network entities and how different authorization rights are mapped to
> different identities.
> 4. In any case, we should analyse different security solutions (such as
> IPsec, TLS, authentication) in terms of performance and resource
> consumption and provide recommendations for MIH level security
> deployment.
> There are several works on this subject done in Mipshop:
> * Mobility Services Transport: Problem Statement,
> draft-ietf-mipshop-mis-ps-04
> * Transport of Media Independent Handover Messages Over IP,
> draft-rahman-mipshop-mih-transport-03.txt
> * Design Considerations for the Common MIH Protocol Functions,
> draft-hepworth-mipshop-mih-design-considerations-01
>
> Please find a more detailed problem statement in the attachment.
>
> Best regards,
> Maryna Komarova
>
> Yoshihiro Ohba wrote:
>
> >In November meeting, we had a straw poll related to scope issues on
> >SSOH (Security Signaling Optimization during Handover) problem. The
> >result was:
> >
> > Support EAP: Yes(20)/No(0)
> > Support Non-EAP: Yes(10)/No(7)
> > Support inter-technology handover: Yes(21)/No(0)
> >
> >We need more detailed discussion to make a decision. Please state
> >your opinion (as detailed as possible) on the scope-related issues
> >listed below by next Security SG teleconference on December 18, 2007.
> >If those issues are resolved, we will be in a good position to come to
> >an agreement on PAR/5C in January!
> >
> >Issue 1: Should we support non-EAP in addition to EAP?
> >
> >Issue 2: Should we support handover to/from non-802 networks in
> >addition to handover within 802 networks?
> >
> >Issue 3: Should we support inter-administrative-domain handover?
> >
> >The definition of "administrative domain" is given below:
> >
> >"
> >Administrative Domain
> >
> > A collection of End Systems, Intermediate Systems, and
> > subnetworks operated by a single organization or administrative
> > authority. The components which make up the domain are assumed
> > to interoperate with a significant degree of mutual trust among
> > themselves, but interoperate with other Administrative Domains
> > in a mutually suspicious manner.
> >
> > Administrative Domains can be organized into a loose hierarchy
> > that reflects the availability and authoritativeness of
> > authentication and authorization information. This hierarchy does
> > not imply administrative containment, nor does it imply a strict
> > tree topology.
> >"
> >
> >Best Regards,
> >Yoshihiro Ohba
> >
> >
>
>
> --
> Best regards,
> Maryna Komarova
> PhD student
> Département Informatique et Réseaux
> ENST (Telecom-Paris)
> 37/39 rue Dareau
> 75634 Paris, France
>