Thread Links Date Links
Thread Prev Thread Next Thread Index Date Prev Date Next Date Index

RE: [802.21] 802.21 Security PAR: Initial write-up



Hi Yoshi,

It's looking much better. How about changing " ... based on ..." to "... mainly based on ..."?  This would not confine our scope of solution.

Regards,
Ron  


> -----Original Message-----
> From: Yoshihiro Ohba [mailto:yohba@TARI.TOSHIBA.COM]
> Sent: Sunday, January 13, 2008 1:10 AM
> To: STDS-802-21@LISTSERV.IEEE.ORG
> Subject: Re: [802.21] 802.21 Security PAR: Initial write-up
> 
> Hi Ron,
> 
> On Fri, Jan 11, 2008 at 09:59:13PM -0500, Ron Pon wrote:
> (snip)
> > > >
> > > > 13. Purpose of the Proposed Project - It would probably be helpful
> if
> > > stronger reasoning is given.  Also addressing Vivek's previous
> comment.
> > > How about this (Some snipped from parts of the TR):
> > > >
> > > > "The purpose of this project is two fold: One is to improve seamless
> > > transition between heterogeneous 802 access networks for real time
> > > sensitive applications by optimizing network access control when a
> mobile
> > > node transitions from one access network to another. Optimization of
> > > security signaling is especially applicable in handover scenarios
> where
> > > the mobile node must briefly break its active connection before being
> able
> > > to make a connection to the target access network. The second purpose
> is
> > > to provide an adequate level of protection for the MIH services and
> > > protocols by specifying standard mechanisms for MIH system
> authentication,
> > > access control, protocol integrity protection and protocol data
> > > confidentiality. In the current IEEE P802.21 draft [1] the general
> problem
> > > space of security for the MIH protocol and services is unspecified.
> MIH
> > > level security will be an important factor to the providers that wants
> to
> > > deploy these MIH services in their network and is concerned ab!
> > > >  out it negatively affecting existing network services."
> > > >
> > >
> > > - "when a mobile node transitions from one access network to another"
> > > seems redundant.
> > [Ron] OK
> >
> > >
> > > - We are not sure we need to define access control.  Access control
> > > may be implemented on top of adequate protection for MIH protocol.
> > [Ron] We are thinking the same. I did not mean to imply that we will
> define any new access control. What I meant is that authorization may be
> required between MIH entities. Does something like that need to be in the
> project description?
> 
> I agree that MIH-level authorization should be described somewhere in the
> PAR.
> 
> >
> > >
> > > - We are not sure we need to specify new mechanisms for MIH system
> > > authentication, protocol integrity protection and protocol data
> > > confidentiality.  It may be sufficient to reuse existing mechanisms
> > > with some additional stuff.
> > [Ron] We are thinking the same. I did not mean to imply that we will
> define any new mechanisms. I think these protection functions still to be
> considered during this security project.
> >
> > >
> > > - It would be better to avoid referencing a draft standard.
> > [Ron] OK
> >
> > >
> > > Here is my suggestion:
> > >
> > > "The purpose of this project is two fold: One is to improve seamless
> > > transition between 802 networks across different access technologies
> > > and/or different administrative domains for real time sensitive
> > > applications by optimizing network access authentication signaling.
> > > Optimization of such security signaling is especially applicable in
> > > handover scenarios where the mobile node must briefly break its active
> > > connection before being able to make a connection to the target access
> > > network. The second purpose is to provide an adequate level of
> > > protection for the MIH protocols based on mutually authenticating MIH
> > > entities. MIH level security will be an important factor to the
> > > providers that wants to deploy these MIH services in their networks
> > > without introducing new security threats."
> > [Ron] OK, but how about changing the sentence "The second purpose is to
> provide an adequate level of protection for the MIH protocols based on
> mutually authenticating MIH entities." to "The second purpose is to
> provide an adequate level of protection for the MIH system"? I don't think
> mutual authentication alone will be sufficient.
> 
> I believe that mutually authenticating MIH entities is the key feature
> to provide MIH level security, as security associations to protect MIH
> protocol needs to be bound to mutual authentication.  Said that,
> how about the following?
> 
> "The purpose of this project is two fold: One is to improve seamless
> transition between 802 networks across different access technologies
> and/or different administrative domains for real time sensitive
> applications by optimizing network access authentication signaling.
> Optimization of such security signaling is especially applicable in
> handover scenarios where the mobile node must briefly break its active
> connection before being able to make a connection to the target access
> network. The second purpose is to provide an adequate level of
> protection for the MIH protocol based on mutually authenticating MIH
> entities to which security associations for protecting the MIH
> protocol need to be bound, which will eventually enable authorization
> for the MIH services in a secure manner.  MIH level security will be
> an important factor to the providers that wants to deploy these MIH
> services in their networks without introducing new security threats."
> 
> >
> > >
> > > Also, Section 18 problem #1 should be also revised to:
> > >
> > > " #1 Security signaling during handover, especially signaling needed
> > > for network access authentication and authorization, is a significant
> > > part of the entire handover latency between between 802 networks
> > > across different access technologies and/or different administrative
> > > domains.  Mechanisms to reduce such a latency are required to improve
> > > the user experience during handover.
> > > "
> > [Ron] Yes, this seems redundant now. How about just deleting this part
> from Section 18?
> 
> I agree.
> 
> Yoshihiro Ohba
> 
> 
> >
> > >
> > > Best Regards,
> > > Yoshihiro Ohba
> > >
> > > >
> > > > Regards,
> > > > Ron
> > > >
> > > > > -----Original Message-----
> > > > > From: Yoshihiro Ohba [mailto:yohba@TARI.TOSHIBA.COM]
> > > > > Sent: Monday, December 31, 2007 11:19 AM
> > > > > To: STDS-802-21@LISTSERV.IEEE.ORG
> > > > > Subject: [802.21] 802.21 Security PAR: Initial write-up
> > > > >
> > > > > Please find the attached file for initial PAR write-up on 802.21
> > > > > Security.  For efficient use of face-to-face meeting in Taipei, I
> > > > > would like to start email discussion on PAR now using this thread,
> and
> > > > > your feedback is appreciated.
> > > > >
> > > > > Happy New Year!
> > > > >
> > > > > Yoshihiro Ohba
> > > > >
> > > > > P.S. Vivek: Can you upload the file to the server?
> > > >
> > > >
> >