Maryna Komarova (ENST)
Presentation transcript:

MIH protocol security
Maryna Komarova (ENST)
21-07-xxxx-00-0000

General security issues and threats
Both the MIH User and the NE MIHF may be the subject of an attack; the protection goals are therefore:
- protection of the MIH User from a fake MIH IS;
- protection of the MIH IS from malicious users.
Information received by the MIH User from the MIHF is used to perform the next steps, hence it is critical to protect it from alteration and modification and to provide message origin authentication. Because of the short battery life of the MN, it is essential to avoid the MN processing fake information.

Requirements
Security of MIHF discovery
There are two kinds of transport mechanisms: the lower layer transport (L2) and the higher layer transport (L3).
- MIHF discovery: over a media-specific L2 or L3 mechanism.
- MIH Capability discovery: either over MIH or over media-specific broadcast messages.
Security of the MIH Protocol
- Re-use of existing transport protocols;
- Re-use of existing solutions providing authentication, confidentiality, message authentication and integrity;
- Channel security protocol selection may be implementation dependent;
- Minimum impact on handover latency.

MIHF services
To discover the MIHF, either MIH or link-specific broadcast transport is used. No authentication is assumed in the process of MIHF discovery and MIH Capability discovery. MIH pairing, from the MN's point of view, means authorizing the MIHF to send commands; hence the MN authorizes some important actions to an unauthenticated entity. MIHF registration assumes only identification of the peers: it does not assume any authentication or any means for integrity protection and message authentication of the commands and events sent.

MIHF service-specific security requirements
Information Service
- Discovery may operate both within and outside administrative domain boundaries. "It is important to note that, with certain access networks an MN should be able to obtain IEEE 802.21 related information elements before the MN is authenticated with the PoA."
- To protect the user from receiving wrong information, the IS should be authenticated to the user (MIHF-to-user authentication);
- Definition of different sets of information available to users in the authenticated and non-authenticated states.
Event Service and Command Service
- Mutual authentication between the MIHF and the MIH User (simple authentication is not sufficient, particularly for communication with a remote MIHF);
- Secure channel establishment;
- Provision of confidentiality, integrity protection and message origin authentication.

Authorization rights management
- The user should be able to select the most reliable IS among all those available;
- After authentication, different users are allowed to access different services.
Per-user management of access rights is costly:
- users may not be known in advance (if they belong to a different administrative domain);
- a user may not disclose its identity to the visited network.
Role-based management of access rights may be implemented instead. The role may be based on the user's state (unauthenticated/authenticated) or subscription (home/visiting).

Choice of MIIS
The current 802.21 draft does not specify the location of the MIIS. Thus the IS may be located in the serving, candidate or home network, or it may even be managed by a third-party authority. To choose the set of candidate networks, the MN must use only trusted and verified information, yet it may receive contradictory or conflicting information. It is therefore desirable to define a trust rating for the IS. This rating may be based on previous experience: positive when the information provided was correct, negative when it was not. For handover decision making the MN chooses the set of IS with the highest rating.
Open questions: Is the evaluation of trust in the IS within the scope of the SG? May a score be added to the IS according to the quality of the information previously provided to the MN?
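The trust-rating idea on this slide, worked through as an added example that is not part of the original presentation: the MN keeps a per-IS score (+1 for information later found correct, -1 otherwise), consults only the top-rated ISs, and, as an assumption of this example, treats conflicting reports from equally trusted ISs as unverified, keeping only the candidate networks they all agree on. Identifiers such as "IS-A" and "wlan-1" are constructed.

```python
from collections import defaultdict


class ISTrustTable:
    """Trust ratings an MN keeps per Information Service (IS), following the
    slide: +1 when delivered information proved correct, -1 when it did not."""

    def __init__(self):
        self._score = defaultdict(int)   # an unknown IS starts neutral (0)

    def record(self, is_id, info_was_correct):
        self._score[is_id] += 1 if info_was_correct else -1
        return self._score[is_id]

    def rating(self, is_id):
        return self._score[is_id]

    def trusted_sources(self, reports, min_rating=0):
        """IS identifiers sharing the highest rating among those reporting.
        Assumption: an IS rated below min_rating (negative history) is not
        consulted at all, even if it is the only one available."""
        eligible = [i for i in reports if self.rating(i) >= min_rating]
        if not eligible:
            return []
        best = max(self.rating(i) for i in eligible)
        return sorted(i for i in eligible if self.rating(i) == best)

    def candidate_networks(self, reports, min_rating=0):
        """reports maps IS id -> set of candidate network ids it advertised.
        Only the top-rated IS set is used; when those ISs disagree, only the
        networks they all report count as verified (assumption: agreement
        among equally trusted sources is what makes information verified)."""
        chosen = self.trusted_sources(reports, min_rating)
        if not chosen:
            return set()
        verified = set(reports[chosen[0]])
        for is_id in chosen[1:]:
            verified &= set(reports[is_id])
        return verified


def demo():
    """Constructed history: IS-A was right twice, IS-B wrong once, IS-C unknown."""
    table = ISTrustTable()
    table.record("IS-A", True)
    table.record("IS-A", True)
    table.record("IS-B", False)
    reports = {"IS-A": {"wlan-1", "wimax-2"}, "IS-B": {"wlan-9"}, "IS-C": {"wlan-1"}}
    return table.candidate_networks(reports)   # IS-B is ignored, IS-A outranks IS-C
```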

Related work
- Mobility Services Transport: Problem Statement (draft-ietf-mipshop-mis-ps-04) considers end-to-end signalling and transport over IP, end-to-end signalling with partial transport over IP, and end-to-end network-to-network signalling.
- Transport of Media Independent Handover Messages Over IP (draft-rahman-mipshop-mih-transport-03.txt) proposes the use of IPsec for transport and IKE.
- Design Considerations for the Common MIH Protocol Functions (draft-hepworth-mipshop-mih-design-considerations-01): necessity of authentication, authorization and credential management.