
Re: [802.21] Security SG: Scope issues



Maryna,

Thanks for your opinion.

We shall discuss your slides on MIH level security as well.

Yoshihiro Ohba



On Tue, Dec 18, 2007 at 12:55:05PM +0100, komarova wrote:
> Hi all,
> Please see my opinion on scope-related issues below.
> 
> Issue 1: Should we support non-EAP in addition to EAP?
> 
> I think that we don't need to support non-EAP in addition to EAP because 
> most of 802 networks support EAP. 3GPP proposes UMA (Unlicensed Mobile 
> Access ) for inter-technology (but inter-domain) handover that also uses 
> EAP for authentication.
> It is difficult to find a single solution supporting both EAP and non-EAP.
> 
> Issue 2: Should we support handover to/from non-802 networks in
> addition to handover within 802 networks?
> 
> We should support handover to/from non-802 networks since dual-mode 
> (cellular/802) devices are widely used today. If we do not support 
> handover to/from 802 networks, the study group will not match the scope 
> of 802.21.
> 
> Issue 3: Should we support inter-administrative-domain handover?
> 
> Yes, we should support inter-administrative domain handover. Users may 
> have multiple subscriptions and service providers create federations. In 
> such circumstances the user will certainly handover from one access 
> network belonging to one administrative domain to another access network 
> belonging to another administrative domain.
> 
> Will the MIH level security be discussed during the SG conference call 
> today?
> I would like to summarize my points on this issue:
> 1. The security solutions to protect MIHF and communication between them 
> should be implementation dependent.
> 2. We should define security objectives for each entity participating in 
> handover preparation, such as in which cases we need mutual 
> authentication or one-side authentication, which information requires only 
> integrity protection, and which requires confidentiality and message 
> authentication.
> 3. It is necessary to define which identities are used by MNs and by 
> network entities and how different authorization rights are mapped to 
> different identities.
> 4. Anyway, we should analyse different security solutions (such as 
> IPSec, TLS, authentication) in terms of performance and resource 
> consumption and provide a kind of recommendation information for MIH 
> level security deployment.
> There are several works on this subject done in Mipshop:
> * Mobility Services Transport: Problem Statement, draft-ietf-mipshop-mis-ps-04
> * Transport of Media Independent Handover Messages Over IP, draft-rahman-mipshop-mih-transport-03.txt
> * Design Considerations for the Common MIH Protocol Functions, draft-hepworth-mipshop-mih-design-considerations-01
> 
> Please find a more detailed problem statement in the attachment.
> 
> Best regards,
> Maryna Komarova
> 
> Yoshihiro Ohba wrote:
> 
> >In November meeting, we had a straw poll related to scope issues on
> >SSOH (Security Signaling Optimization during Handover) problem.  The
> >result was:
> >
> > Support EAP: Yes(20)/No(0) 
> > Support Non-EAP: Yes(10)/ No(7)
> > Support inter-technology handover: Yes(21)/No(0)
> >
> >We need more detailed discussion to make a decision.  Please state
> >your opinion (as detailed as possible) on the scope-related issues
> >listed below by next Security SG teleconference on December 18, 2007.
> >If those issues are resolved, we will be in a good position to come to
> >an agreement on PAR/5C in January!
> >
> >Issue 1: Should we support non-EAP in addition to EAP?
> >
> >Issue 2: Should we support handover to/from non-802 networks in
> >addition to handover within 802 networks?
> >
> >Issue 3: Should we support inter-administrative-domain handover?
> >
> >The definition of "administrative domain" is given below:
> >
> >"
> >Administrative Domain
> >
> > A collection of End Systems, Intermediate Systems, and
> > subnetworks operated by a single organization or administrative
> > authority.  The components which make up the domain are assumed
> > to interoperate with a significant degree of mutual trust among
> > themselves, but interoperate with other Administrative Domains
> > in a mutually suspicious manner.
> >
> > Administrative Domains can be organized into a loose hierarchy
> > that reflects the availability and authoritativeness of
> > authentication and authorization information.  This hierarchy does
> > not imply administrative containment, nor does it imply a strict
> > tree topology.
> >"
> >
> >Best Regards,
> >Yoshihiro Ohba
> > 
> >
> 
> 
> -- 
> Regards,
> Maryna Komarova
> PhD student
> Département Informatique et Réseaux 
> ENST (Telecom-Paris)
> 37/39 rue Dareau
> 75634 Paris, France
>