Download presentation
Presentation is loading. Please wait.
Published byMaurice Pearson Modified over 9 years ago
1
21-07-xxxx-00-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-0463-00-0000 Title: MIH Protocol Security Date Submitted: December, 2007 Presented at IEEE 802.21 Security SG Teleconference Authors or Source(s): Maryna Komarova (ENST) Abstract:
2
21-07-xxxx-00-00002 IEEE 802.21 presentation release statements This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21. The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual and in Understanding Patent Issues During IEEE Standards Development http://standards.ieee.org/board/pat/guide.html> Section 6.3 of the IEEE-SA Standards Board Operations Manualhttp://standards.ieee.org/guides/opman/sect6.html#6.3 http://standards.ieee.org/board/pat/guide.html IEEE 802.21 presentation release statements This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21. The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws and in Understanding Patent Issues During IEEE Standards Development http://standards.ieee.org/board/pat/faq.pdf> Section 6 of the IEEE-SA Standards Board bylawshttp://standards.ieee.org/guides/bylaws/sect6-7.html#6 http://standards.ieee.org/board/pat/faq.pdf
3
21-07-xxxx-00-00003 MIH protocol security Maryna Komarova (ENST)
4
21-07-xxxx-00-00004 General security issues and threats Both the MIH User and NE MIHF may be the subject of an attack, therefore purposes are: MIH user protection from a fake MIH IS MIH IS protection form malicious users Information received by the MIH User from MIHF is used to perform next steps and, hence, it is critical to protect it from altering, modification and provide message origin authentication. Due to the short battery life on the MN it is essentially to avoid processing of fake information by the MN.
5
21-07-xxxx-00-00005 Requirements Security of MIHF discovery There are two kinds of transport mechanisms: the first one is the lower layer transport (L2) and the second one is the higher layer transport (L3). MIHF discovery: over media-specific L2 or L3 mechanism MIH Capability discovery – either over MIH or over media- specific broadcast messages Security of MIH Protocol Re-using existing transport protocols Re-using existing solutions for authentication, confidentiality, message authentication and integrity providing; Channel security protocol selection may be implementation dependent; Minimum impact on the handover latency
6
21-07-xxxx-00-00006 MIHF services To discover MIHF either MIH or link-specific broadband transport is used. No authentication is assumed in the process of MIHF discovery and MIH Capability discovery. MIH pairing, from the MN’s point of view, means authorization for the MIHF to send commands. Hence, the MN authorizes some important actions to an unauthenticated entity. MIHF registration assumes only identification of peers but it assumes any authentication and any means for integrity protection and message authentication of commands and events sent.
7
21-07-xxxx-00-00007 MIHF service-specific security requirements Information Service Discovery may operate as well as within as outside administrative domain boundaries. “It is important to note that, with certain access networks an MN should be able to obtain IEEE 802.21 related information elements before the MN is authenticated with the PoA.” In order to protect the user from wrong information receiving, the IS should be authenticated to the user (MIHF-to-user authentication); Definition of different sets of information available for users in authenticated and non-authenticated states; Event Service and Command Service Mutual authentication between the MIHF and the MIH User (simple authentication is not sufficient, particularly in case of communication with the remote MIHF); Secure channel establishment; Providing confidentiality, integrity protection and message origin authentication.
8
21-07-xxxx-00-00008 Authorization rights management The user should be able to select the most reliable IS among all available; After authentication different users are allowed to access different services. Per-user management of access rights is Costly; Users may not be known in advance (if belonging to a different administrative domain); User may not disclose its identity to the visiting network; Role-based management of access rights may be implemented instead. The role may be based on the user’s state (unauthenticated/authenticated) or subscription (home/visiting).
9
21-07-xxxx-00-00009 Choice of MIIS The current 802.21 draft does not specify the location of the MIIS. Such a way, the IS may be located in the serving, candidate or home network or even it can be managed by the third party authority. To choose the set of candidate networks the MN must use only trusted and verified information. The MN may receive contradictory or conflicting information. That is why it is desirable to define some trust rating for IS. This trust rating may be based on the previous experience: it is positive when the provided information was correct and it is negative if provided information was not correct. For handover decision making the MN chooses the set of IS with the highest rating. Is the evaluation of trust to the IS is in the scope of the SG? May some score be added to the IS according to the quality of the previous information provided to the MN?
10
21-07-xxxx-00-000010 Related works Mobility Services Transport: Problem Statement draft-ietf- mipshop-mis-ps-04 considers End-to-end signalling and transport over IP End-to-end signalling and partial transport over IP End-to-end Network-to-Network signalling Transport of Media Independent Handover Messages Over IP draft-rahman-mipshop-mih-transport-03.txt Proposes use of IPSec for transport and IKE Design Considerations for the Common MIH Protocol Functions draft-hepworth-mipshop-mih-design- considerations-01 Necessity of Authentication, Authorization ans credential management.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.