RE: [802.21] Security SG: Scope issues
>
>Issue 2: Should we support handover to/from non-802 networks in
>addition to handover within 802 networks?
>
>We should support handover to/from non-802 networks since dual-mode
>(cellular/802) devices are widely used today. If we will not support
>handover to/from 802 networks, the study group will not match the scope
>of 802.21.
>
It's one thing to say that this group should support non-802 networks (such as from 3GPP and possibly others) and another to ACTUALLY support it. It would be beneficial if the proponents of this work also realize what it takes to get such work (done in IEEE 802) to apply to other SDOs and evaluate this feasibility upfront and have a plan for accomplishing this. Are the other non-802 network based SDOs also interested in this and would they prefer the work being done in IEEE 802 or in their own standard group? This may be a two way street but then is there sufficient interest in this group to participate in these different SDOs and get this done?
I am not saying that this should not be done. But some thought needs to be given to this and interest levels need to be gauged appropriately with level of effort/commitment required. Without that you run the risk of this becoming more of an academic exercise.
Kind Regards
-Vivek
-----Original Message-----
On Behalf Of komarova
Sent: Tuesday, December 18, 2007 3:55 AM
To: Yoshihiro Ohba;
Subject: Re: [802.21] Security SG: Scope issues
Hi all,
Please, see my opinion on scope-related issues below.
Issue 1: Should we support non-EAP in addition to EAP?
I think that we don't need to support non-EAP in addition to EAP because
most of 802 networks support EAP. 3GPP proposes UMA (Unlicensed Mobile
Access ) for inter-technology (but inter-domain) handover that also uses
EAP for authentication.
It is difficult to find a single solution supporting both EAP and non-EAP.
Issue 2: Should we support handover to/from non-802 networks in
addition to handover within 802 networks?
We should support handover to/from non-802 networks since dual-mode
(cellular/802) devices are widely used today. If we will not support
handover to/from 802 networks, the study group will not match the scope
of 802.21.
Issue 3: Should we support inter-administrative-domain handover?
Yes, we should support inter-administrative domain handover. Users may
have multiple subscriptions and service providers create federations. In
such circumstances the user will certainly handover from one access
network belonging to one administrative domain to another access network
belonging to another administrative domain.
Will the MIH level security be discussed during the SG conference call
today?
I would like to summarize my points on this issue:
1. The security solutions to protect MIHF and communication between them
should be implementation dependent.
2. We should define security objectives for each entity participating in
handover preparation such as in which case we need mutual
authentication/one side authentication, which information requires only
integrity protection and which requires confidentiality and message
authentication.
3. It is necessary to define which identitie are used by MNs and by
network entities and how different authorization rights are mapped to
different identities.
4. Anyway, we should analyse different security solutions (such as
IPSec, TLS, authentication) in terms of performance and resource
consumption and provide a kind of recommendation information for MIH
level security deployment.
There are several works on this subject done in Mipshop:
*Mobility Services Transport: Problem Statement draft-ietf-mipshop-mis-ps-04
*
*Transport of Media Independent Handover Messages Over IP
draft-rahman-mipshop-mih-transport-03.txt
**Design Considerations for the Common MIH Protocol Functions
draft-hepworth-mipshop-mih-design-considerations-01 *
Please, find more detailed problem statemen in attachment.
Best regards,
Maryna Komarova
Yoshihiro Ohba a écrit :
>In November meeting, we had a straw poll related to scope issues on
>SSOH (Security Signaling Optimization during Handover) problem. The
>result was:
>
> Support EAP: Yes(20)/No(0)
> Support Non-EAP: Yes(10)/ No(7)
> Support inter-technology handover: Yes(21)/No(0)
>
>We need more detailed discussion to make a decision. Please state
>your opinion (as detailed as possible) on the scope-related issues
>listed below by next Security SG teleconference on December 18, 2007.
>If those issues are resolved, we will be in a good position to come to
>an agreement on PAR/5C in January!
>
>Issue 1: Should we support non-EAP in addition to EAP?
>
>Issue 2: Should we support handover to/from non-802 networks in
>addition to handover within 802 networks?
>
>Issue 3: Should we support inter-administrative-domain handover?
>
>The definition of "administrative domain" is given below:
>
>"
>Administrative Domain
>
> A collection of End Systems, Intermediate Systems, and
> subnetworks operated by a single organization or administrative
> authority. The components which make up the domain are assumed
> to interoperate with a significant degree of mutual trust among
> themselves, but interoperate with other Administrative Domains
> in a mutually suspicious manner.
>
> Administrative Domains can be organized into a loose hierarchy
> that reflects the availability and authoritativeness of
> authentication and authorization information. This hierarchy does
> not imply administrative containment, nor does it imply a strict
> tree topology.
>"
>
>Best Regards,
>Yoshihiro Ohba
>
>
--
Cordialement,
Maryna Komarova
doctorante
Département Informatique et Réseaux
ENST (Telecom-Paris)
37/39 rue Dareau
75634 Paris, France