IEEE MEDIA INDEPENDENT HANDOVER


IEEE 802.21 MEDIA INDEPENDENT HANDOVER
DCN: 21-08-0106-00-0sec
Title: Threats for MIH Services: Assumptions and Use Cases
Date Submitted: April 16, 2008
Presented at: Security Study Group Teleconference on April 16, 2008
Authors or Source(s): Subir Das (Telcordia Technologies), Shubhranshu Singh (Samsung), Marc Meylemans (Intel)
Abstract: This document describes the threats for MIH services based on a few assumptions and use cases.

IEEE 802.21 presentation release statements

This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE's name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE's sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21.

The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws <http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and in Understanding Patent Issues During IEEE Standards Development <http://standards.ieee.org/board/pat/faq.pdf>.

Common Security Threats
- Message modification
- Message hijacking/replay
- False identity of MIHF
- Denial of service
Note: No distinction has been made between outsider and insider attacks.

Goals
To address the questions that were received during the last teleconference. In particular:
- What are the assumptions on MIH services deployment?
- What security features do we need?
- Assessment of the threats that exist in the different deployment models

General Assumptions
- MIH services are available after successful network access authentication.
  Note: Situations where the MN accesses MIH services without network access authentication are to be considered separately.
- If link layer security is in use on the network, it is established between the MN and the PoA.
- For simplicity, all MIH services are provided by one network (e.g., home, visited, or 3rd party).

Security Features Needed to Mitigate the Threats
- MIH entity authentication: peer entities need to verify each other's authenticity.
- MIH protocol message protection: the message exchange between peers needs to be secured.

Non-Goals
- Securing peer MIHF entity discovery
  Discovery happens via out-of-band signaling, except when it is combined with Capability Discovery.
  MIHF discovery should be considered separately and is therefore a non-goal here.

Deployment Scenario #1
Scenario 1: MN is in the home network and the MIH services (e.g., IS, ES, CS) are provided by the home network.
[Figure: Mobile Node connected over the Access Network (L2 comm) to the PoA; MIH messages (L3 comm) exchanged between the Mobile Node and the hPoS in the Home Network core]
Note: This and the following scenarios assume PoA and PoS are separate entities; in some cases, however, they might be co-located.

Deployment Scenario #1 (contd.)
Two possible cases:
- Case 1a: hPoS has access to the user's subscription profile
- Case 1b: hPoS has no access to the user's subscription profile

Addressing Security Features for Case 1a
- Entity authentication
  MIH service specific credentials may be derived from the network access authentication credentials; other mechanisms are also possible.
- MIH protocol message protection
  Can be achieved by enabling transport security, if transport security is available; the transport SAs need to be bound to the MIH identity.
Therefore, all common threats can be mitigated.

Addressing Security Features for Case 1b
- Entity authentication
  Since there is no access to the user's subscription profile, entity authentication cannot be performed.
- MIH protocol message protection
  Can be achieved by enabling transport security, if transport security is available; the transport SAs need to be bound to the MIH identity.
Therefore, NOT all threats can be mitigated.

Deployment Scenario #2
Scenario 2: MN is in the visited network and MIH services are provided by the home network.
[Figure: Mobile Node connected over the Visited Network (L2 comm) to the PoA; MIH messages (L3 comm) exchanged between the Mobile Node and the hPoS in the Home Network]

Deployment Scenario #2 (contd.)
Two possible cases:
- Case 2a: hPoS has access to the user's subscription profile
- Case 2b: hPoS has no access to the user's subscription profile

Addressing Security Features for Case 2a
- Entity authentication
  MIH service specific credentials may be derived from the network access authentication credentials; other mechanisms are also possible.
- MIH protocol message protection
  Can be achieved by enabling transport security, if transport security is available; the transport SAs need to be bound to the MIH identity.
Therefore, all common threats can be mitigated.

Addressing Security Features for Case 2b
- Entity authentication
  Since there is no access to the user's subscription profile, entity authentication cannot be performed.
- MIH protocol message protection
  Can be achieved by enabling transport security, if transport security is available; the transport SAs need to be bound to the MIH identity.
Therefore, NOT all threats can be mitigated.

Deployment Scenario #3
Scenario 3: MN is in the visited network and MIH services are also provided by the visited network. There is a roaming relationship between the home and visited networks.
[Figure: Mobile Node connected over the Visited Network (L2 comm) to the PoA; MIH messages (L3 comm) exchanged between the Mobile Node and the vPoS in the Visited Network; MIH messages (L3 comm) between the vPoS and the Home Network]

Deployment Scenario #3 (contd.)
Two possible cases:
- Case 3a: vPoS has access to the user's subscription profile via the roaming relationship
- Case 3b: vPoS has no access to the user's subscription profile via the roaming relationship

Addressing Security Features for Case 3a
- Entity authentication
  MIH service specific credentials may be derived from the network access authentication credentials; other mechanisms are also possible.
- MIH protocol message protection
  Can be achieved by enabling transport security, if transport security is available; the transport SAs need to be bound to the MIH identity.
Therefore, all common threats can be mitigated.

Addressing Security Features for Case 3b
- Entity authentication
  Since there is no access to the user's subscription profile, entity authentication cannot be performed.
- MIH protocol message protection
  Can be achieved by enabling transport security, if transport security is available; the transport SAs need to be bound to the MIH identity.
Therefore, NOT all threats can be mitigated.

Deployment Scenario #4
Scenario 4: MN is in the visited or home network and MIH services are provided by a 3rd party network.
[Figure: Mobile Node connected over the Home or Visited Network (L2 comm) to the PoA; MIH messages (L3 comm) exchanged between the Mobile Node and the tPoS in the 3rd Party Network]

Deployment Scenario #4 (contd.)
Three possible cases:
- Case 4a: tPoS has access to its own user's subscription profile
- Case 4b: tPoS has access to the user's subscription profile via the user's home network (through an agreement)
- Case 4c: tPoS has no access to the user's subscription profile

Addressing Security Features for Cases 4a and 4b
- Entity authentication
  MIH service specific credentials may be derived from the network access authentication credentials; other mechanisms are also possible.
- MIH protocol message protection
  Can be achieved by enabling transport security, if transport security is available; the transport SAs need to be bound to the MIH identity.
Therefore, all common threats can be mitigated.

Addressing Security Features for Case 4c
- Entity authentication
  Since there is no access to the user's subscription profile, entity authentication cannot be performed.
- MIH protocol message protection
  Can be achieved by enabling transport security, if transport security is available; the transport SAs need to be bound to the MIH identity.
Therefore, NOT all threats can be mitigated.
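The same reasoning is repeated for every scenario above: when the PoS can authenticate the MN (cases 1a, 2a, 3a, 4a, 4b) an MIH-specific key can be derived from the network access credentials and the transport SA bound to the MIH identity, so modification, replay and false identity are all caught; when it cannot (cases 1b, 2b, 3b, 4c) transport security still stops modification and replay but an unbound SA accepts whatever MIHF identity its peer claims. The Python below is an added illustration of that difference written for this page; it is not code from the slides or from the IEEE 802.21 group. Its assumptions are labelled in the comments: the HKDF-style key derivation with both MIHF IDs in the info string, the sequence-number replay window, the MIHF IDs and the sample network access key are all constructed by the editor. Denial of service is not modelled, since none of the listed features addresses it.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: stands in for the keying material that a successful
# network access authentication leaves on both the MN and the network side.
NETWORK_ACCESS_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def derive_mih_key(access_key: bytes, mn_mihf_id: str, pos_mihf_id: str,
                   length: int = 32) -> bytes:
    """MIH-specific key from the network access key.

    Editor's assumption: HKDF-style extract-then-expand (RFC 5869 shape,
    HMAC-SHA256) with both MIHF IDs in the info string, so the key is tied
    to this MN/PoS pair. The slides only say credentials 'may be derived'.
    """
    prk = hmac.new(b"MIH-salt", access_key, hashlib.sha256).digest()  # extract
    info = b"MIH-SA|" + mn_mihf_id.encode() + b"|" + pos_mihf_id.encode()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                          # expand
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


@dataclass
class TransportSA:
    """Transport security association between two MIHFs.

    bound_mihf_id is the peer identity that entity authentication proved.
    None models the 'no subscription profile' cases: transport security
    exists, but there was no authenticated identity to bind the SA to.
    """
    key: bytes
    bound_mihf_id: Optional[str]
    last_seq: int = 0


@dataclass
class MihMessage:
    source_mihf_id: str   # identity the sender claims in the MIH header
    seq: int              # increases monotonically per SA (assumed window)
    payload: bytes
    mac: bytes = b""


def _mac(sa: TransportSA, msg: MihMessage) -> bytes:
    data = (msg.source_mihf_id.encode() + b"|" + msg.seq.to_bytes(4, "big")
            + b"|" + msg.payload)
    return hmac.new(sa.key, data, hashlib.sha256).digest()


def protect(sa: TransportSA, msg: MihMessage) -> MihMessage:
    """Sender side: attach the SA's integrity tag over identity, seq, payload."""
    msg.mac = _mac(sa, msg)
    return msg


def verify(sa: TransportSA, msg: MihMessage) -> Tuple[bool, str]:
    """Receiver side: check modification, then replay, then claimed identity."""
    if not hmac.compare_digest(_mac(sa, msg), msg.mac):
        return False, "modified"
    if msg.seq <= sa.last_seq:
        return False, "replay"
    if sa.bound_mihf_id is not None and msg.source_mihf_id != sa.bound_mihf_id:
        return False, "false-identity"
    sa.last_seq = msg.seq
    return True, "ok"


def evaluate_case(identity_bound: bool) -> dict:
    """Run the three message-level threats against one SA.

    identity_bound=True  -> cases 1a/2a/3a/4a/4b (SA bound to MIH identity)
    identity_bound=False -> cases 1b/2b/3b/4c    (transport security only)
    Returns the receiver's verdict for each constructed message.
    """
    mn, pos = "mn1@example.org", "pos@example.org"   # constructed MIHF IDs
    key = derive_mih_key(NETWORK_ACCESS_KEY, mn, pos)
    sender = TransportSA(key, bound_mihf_id=None)
    receiver = TransportSA(key, bound_mihf_id=mn if identity_bound else None)
    verdict = {}

    genuine = protect(sender, MihMessage(mn, 1, b"IS query"))
    verdict["genuine"] = verify(receiver, genuine)[1]

    # Message modification: payload altered after the tag was computed.
    tampered = protect(sender, MihMessage(mn, 2, b"IS query"))
    tampered.payload = b"IS query, altered in transit"
    verdict["modification"] = verify(receiver, tampered)[1]

    # Hijacking/replay: the genuine message is delivered a second time.
    verdict["replay"] = verify(receiver, genuine)[1]

    # False identity: the SA peer claims to be a different MIHF.
    spoofed = protect(sender, MihMessage("mn2@example.org", 3, b"HO commit"))
    verdict["false_identity"] = verify(receiver, spoofed)[1]
    return verdict


if __name__ == "__main__":
    print("identity-bound SA :", evaluate_case(True))
    print("transport-only SA :", evaluate_case(False))
```

Running it shows the two rows the slides summarise in words: with the SA bound to an authenticated MIHF ID every message-level threat is rejected, while the transport-only SA still rejects the tampered and replayed messages but accepts the spoofed identity, which is exactly the residual threat in the "no subscription profile" cases.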

What Should We Do Then?
- Shall we assume that MIH services are always based on the user's 'subscription' (except for the pre-attachment case)?
- If not, can we handle the complexity and address the issues within the time frame?
Opinions/thoughts? Consensus?

Next Steps?
- Capture the discussions in the TR
- Address/resolve additional comments/questions/thoughts …