Presentation is loading. Please wait.

Presentation is loading. Please wait.

21-07-0122-02-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER Title: Security Optimization During Handovers Date Submitted: July, 2007 Presented at IEEE 802.21.

Similar presentations


Presentation on theme: "21-07-0122-02-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER Title: Security Optimization During Handovers Date Submitted: July, 2007 Presented at IEEE 802.21."— Presentation transcript:

1 IEEE MEDIA INDEPENDENT HANDOVER Title: Security Optimization During Handovers Date Submitted: July, 2007 Presented at IEEE session #21, San Francisco Authors or Source(s): Yoshihiro Ohba (Toshiba), Subir Das (Telcordia), Marc Meylemans (Intel), Suman Sharma (Intel), Madjid Nakhjiri (Huawei), Qiaobing Xie (Motorola), Junghoon Jee (ETRI), Soohong Daniel Park (Samsung), Minho Lee (Samsung), Robert Hsieh (Deutsche Telekom), Srinivas Sreemanthula (Nokia), Michael Williams (Nokia), Ajay Rajkumar (Alcatel-Lucent), Guyves Achtari (Nortel) Abstract: Security Study Group proposal

2 IEEE presentation release statements This document has been prepared to assist the IEEE Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEEs name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEEs sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual and in Understanding Patent Issues During IEEE Standards Development Section 6.3 of the IEEE-SA Standards Board Operations Manualhttp://standards.ieee.org/guides/opman/sect6.html#6.3

3 Security Study Group Proposal

4 Current WG PAR PAR says: The purpose is to improve the user experience of mobile devices by facilitating handover between 802 networks whether or not they are of different media types, including both wired and wireless, where handover is not otherwise defined and to make it possible for mobile devices to perform seamless handover where the network environment supports it. These mechanisms may also be useable for handovers between 802 networks and non 802 networks. IEEE WG decided not to address the security aspect of handovers as part of the current project (see 5 Criteria document) Due to lack of a well defined problem space for security

5 Problem Scope Problem 1: Security Signaling Optimization during Handover Problem 2: MIH level security mechanism Related contributions: Security_StudyGroup_proposal.ppt Security_Issues_in_Transition.ppt Hokey_ ppt mih-security.ppt

6 Problem 1: Security Signaling Optimization during Handovers

7 What is the Problem? Security-related signaling can add significant delays to seamless handover efforts and in many cases service continuity can not be met, in particular, for real-time applications This becomes even more problematic when handovers occur between heterogeneous networks (e.g. inter-technology, inter-administrative domains with single or dual radio scenarios)

8 Usage Scenario 1 Example: A mobile device can make a transition between two different networks within the same administrative domain Transition between two different subnets based on the same media, e.g Transition between two different subnets based on different media, e.g and Authenticator1 Authenticator2 WiFi, WiMAX and/or Cellular AAA/EAP server MN WiFi, WiMAX and/or Cellular Subnet 1 Subnet 2 Single Administrative Domain* * An administrative domain is a logical network that is administered by a single authority using its own authentication and authorization mechanisms

9 Potential Solution Approach Key Hierarchy-based Transition Since in the same administrative domain, no intrinsic reason to authenticate again on transition An already established key hierarchy is all that is needed to support transition Re-key is still needed between mobile device and the new point of attachment –New context (e.g., association parameters between mobile device and the new point of attachment) must be bound to the new key

10 Usage Scenario 2 Example: A mobile device can make a transition between two networks deployed by different administrative domains Transition between two administrative domains based on the same media, e.g Transition between two administrative domains based on different media, e.g and Authenticator1 Authenticator2 AAA/EAP server WiFi, WiMAX and/or Cellular MN AAA/EAP server Domain1 Domain2 Multiple Administrative Domains

11 Potential Solution Approach Authentication-based Transition Since different administrative domains, in general authentication can not be avoided There is no reason for the new domain to trust keys from the old domain, and no reason for mobile device to trust the new domain with keys it used with its old domain Some administrative domains may have roaming agreements –We cant always assume appropriate roaming agreements that allow key hierarchy based transition across administrative domains

12 Whats Available Today? In principle, the Key Hierarchy-based transition problem is being addressed by IETF HOKEY WG HOKEY is defining a key hierarchy meant to support transitions across subnet boundaries; focus is on transitions within the same administrative domain HOKEY key hierarchy at authenticator-level, but HOKEY will not work on key hierarchy below authenticator HOKEY will not define any protocol or mechanism, if required, between Point of Attachments and mobile devices to effect this No standards group seems chartered to work on the Authentication-based transition problem Some variant pre-authentication scheme (e.g., doc ) seems like one plausible approach to this problem

13 Proposed Direction for Problem 1 Different 802 (e.g. 11r) and 3G (e.g. UMTS AKA) technologies have addressed (or are addressing) latency caused by L2 security signaling in handovers (fast roaming, pre-auth etc.) but these are focused on intra-technology handover scenarios Needs to be looked at from a wider perspective given that Seamless heterogeneous handovers are becoming a reality (inter-technology and inter-administrative domains with single/dual radio operation) E.g., Wi-Fi - 3G, Wi-Fi – WiMAX Each access technology has its own way of managing the security aspect A media independent approach to reduce the security latency during handovers seems to be more appropriate Handover among access technologies that support EAP should be our focus

14 Problem 2: MIH Level Security Mechanism

15 What is the Problem? IEEE services affects user mobility Service providers need to ensure users receive best user experience and satisfaction Mutual confidence in exchange of MIH services is a necessary requirement MIH peer nodes must be confident that MIH messages are exchanged with trusted MIH peer nodes MIH messages are not altered by some other nodes Security becomes an essential ingredient for deployment

16 MIH Access Control Network operator may apply subscription policies to the user for customization, e.g. Users who can only use certain access technologies are allowed to query only about certain access technologies Policy on MIH services are important here Addressed in AccessControlIEs.ppt MIH access control is not network access control Network access control determines whether and how user can access the link resources MIH access control is what the MIH services users can receive Related to MIH security since the policy control is based on authentication and authorization MIH IS/ECS Mobile Node Policy functions

17 Hijacking/Replay Issues MIH IS/ECS An ongoing session with one MIHF can be hijacked by providing the response or future packets from a different node A certain packet for an event or command can be replayed later to the same node Not having the means to verify the authenticity of the MIHF service provider or not having replay protection can lead to negative effects Bad Guy MIHF Mobile Node

18 Denial of Service MIHF Good Guy Mobile Node MIH events or commands can be originated by spoofing the MIHF node ID Spoofing can done as either a mobile node or a network MIHF Any event or command can be triggered falsely to negatively affect the mobility somehow Link-Going-Down, Link-Down and Handover-commit Not having the means to verify the authenticity of the MIHF of a MN or service provider can lead to negative effects Bad Guy Mobile Node MIH source same as other Mobile nodes MIHF Good Guy Mobile Node MIH source same as MIHF Bad Guy MIHF

19 Message Modification by 3 rd party Good Guy MIH IS/ECS Bad Guy MIHF Mobile Node Modify the request and/or response Some intermediate node is capable of snooping, altering and forwarding the MIHF packets IE in Information services could be altered in request or response MIH events can be modified e.g. to change threshold values or even event IDs and parameters Handover-candidate response or Handover-commit from MN or network could be modified to affect mobility (packets buffered/rerouted) Not having the means for data protection (integrity and encryption) from the originating MIHF can lead to negative effects

20 Relation to Transport security MIH should be independent of the underlying transport Transport has no knowledge of MIH semantics Transport is opaque to MIH data, has no way to verify the MIH packet data is authentic MIH can utilize one or more links/transports at the same time E.g. state-1 query in and while on a serving network Identities used at the two layers for secure associations are different If an end-to-end MIH communication path is split into a sequence of hop-by-hop MIH transports and lose the info about the origination point Transport layer security will accordingly not be present in some cases, or at least not end-to-end

21 Proposed Direction for Problem 2 Define protocol mechanisms for mutual authentication (needed) Integrity and replay protection (needed) Confidentiality (optional) Authorization for MIH access control (if any) Define related IEs and TLVs Initial recommendations for base specification Least impact to spec, without loss of functionality utilize existing mechanisms from other SDO (e.g. IETF)

22 Study Group Objectives Identify use cases and investigate issues concerning the 2 identified security problems (i.e., Problems #1 and #2) The SG will work on a PAR defining the scope and requirements to address the two security problems that can lead to a security Task Group under WG The SG will work on a Technical Requirement document to address the two security problems Make sure that all work identified is within the scope of WG and does not attempt to solve a problem that is being worked in other standards forum

23 Q & A?

24 Security SG Motion Motion to get WG approval to form an security Study Group in July 2007 to work on a PAR defining the scope and requirements of the two identified security problems Moved by: Seconded by: Yes: No: Abstain: Result:


Download ppt "21-07-0122-02-00001 IEEE 802.21 MEDIA INDEPENDENT HANDOVER Title: Security Optimization During Handovers Date Submitted: July, 2007 Presented at IEEE 802.21."

Similar presentations


Ads by Google