
RE: [802.21] Security SG: Scope issues



Yoshi,

IMO, we would be letting the public down if we come out with a Standard that has too limited applicability. The scope should be set broad enough to address most use cases, but the specification work can be phased so that it does not take too long to get anything out. I.e., it is OK to define a narrow scope for now, so long as it is clear that the work will not stop there. At the same time, we should make sure that phase 1 specifications address sufficient market applicability and do not block or make it difficult for expanding to wider solutions later on.

If you all agree, then the question should be what use case scenarios should be included in phase 1. Please see my specific responses inserted inline below.

Regards,
Ron

> -----Original Message-----
> From: Yoshihiro Ohba [mailto:yohba@TARI.TOSHIBA.COM]
> Sent: Wednesday, December 12, 2007 9:37 AM
> To: STDS-802-21@LISTSERV.IEEE.ORG
> Subject: [802.21] Security SG: Scope issues
> 
> In November meeting, we had a straw poll related to scope issues on
> SSOH (Security Signaling Optimization during Handover) problem.  The
> result was:
> 
>   Support EAP: Yes(20)/No(0)
>   Support Non-EAP: Yes(10)/ No(7)
>   Support inter-technology handover: Yes(21)/No(0)
> 
> We need more detailed discussion to make a decision.  Please state
> your opinion (as detailed as possible) on the scope-related issues
> listed below by next Security SG teleconference on December 18, 2007.
> If those issues are resolved, we will be in a good position to come to
> an agreement on PAR/5C in January!
> 
> Issue 1: Should we support non-EAP in addition to EAP?
[Ron] Yes. Even though EAP would cover both 802.16 and 802.11, it is only addressing Layer 2 network access. 802.16 and most cellular networks use Mobile IP for layer 3 mobility. Pre-authentication does not have much value if it cannot provide full network access. An integrated or common pre-authentication mechanism for both layer 2 and layer 3 network access is required for seamless roaming. Ideally, MIH should provide an agnostic mechanism for pre-authentication, but if that is too difficult then we may need to go with specific mechanisms for each.

Another reason for supporting non-EAP is that most Hotspots today use web portals for access control rather than 802.1x. In this case, pre-authentication needs to be negotiated with the web portal.

> 
> Issue 2: Should we support handover to/from non-802 networks in
> addition to handover within 802 networks?
[Ron] Yes, but not for the initial phase because it is difficult to solve. However, we should try to make the specification such that non-802 networks can implement it. Yes because most Mobile Carrier networks are non-802.

> 
> Issue 3: Should we support inter-administrative-domain handover?
[Ron] Yes, because Mobile Carriers would want the ability to roam with the many 802.11 Hotspots not operated by themselves. Also, because roaming between mobile carrier and enterprise is a major market driver for 802.21.
> 
> The definition of "administrative domain" is given below:
> 
> "
> Administrative Domain
> 
>   A collection of End Systems, Intermediate Systems, and
>   subnetworks operated by a single organization or administrative
>   authority.  The components which make up the domain are assumed
>   to interoperate with a significant degree of mutual trust among
>   themselves, but interoperate with other Administrative Domains
>   in a mutually suspicious manner.
> 
>   Administrative Domains can be organized into a loose hierarchy
>   that reflects the availability and authoritativeness of
>   authentication and authorization information.  This hierarchy does
>   not imply administrative containment, nor does it imply a strict
>   tree topology.
> "
> 
> Best Regards,
> Yoshihiro Ohba