IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-00xx-00-0sec Title: Observations, Discussions, and Next Steps Date Submitted: May 13, 2009 Present at IEEE 802.21 meeting in May of 2009 Authors: Lily Chen (NIST) Abstract: This document summarizes the observations on the 802.21a proposals presented at May Interim Meeting, initiates some discussion topics, and suggests possible next steps to be taken for more detailed explorations. 21-09-0060-00-0sec 1
IEEE 802.21 presentation release statements This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21. The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws <http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and in Understanding Patent Issues During IEEE Standards Development http://standards.ieee.org/board/pat/faq.pdf> 21-09-0060-00-0sec 2
Outline Observations Discussion topics Next steps 21-09-0060-00-0sec 3
List of Work Item 1 Proposals For work Item 1, 5 proposals are received (in presented order). EAP-FRM (doc #64, by Rafa Marin-Lopez et al) A new EAP method to execute different fast proactive re-authentication protocols. Authenticator Discovery (doc #63, by Dapeng Liu) New services to be added to 802.21a for authenticator discovery purpose Security Related Information Elements (doc #60, by Lily Chen et al) IEs needed to enable fast establishment of new security connections Media Independent Authenticator (MI-Auth) (doc #66, by Subir Das et al) Use MI-Auth to enable proactive authentication. Pre-distribute contents and keys for pre-authentication and re-authentication (doc #62, by Anirudh Bhatt et al) 21-09-0060-00-0sec 4
Observations on Work Item 1 Proposals The proposals cover the following aspects Protocols and methods to enable fast proactive authentication during the handover (e.g. EAP-FRM). Services (e.g. authenticator discovery) Information Elements Network entities (e.g. MI-Auth) Relationship among all the above IEs may carry information on different authentication protocols, methods, as well as authenticator information. MI-Authenticator is to enable proactive pre-authentication and re-authentications for inter-domain and inter-technology handover. 21-09-0060-00-0sec
Discussion Topics for Work Item 1 Proposals Key question – What is in the 802.21a scope and what is not? Which authentication protocols and methods we should make sure to be facilitated by 802.21a? How detailed the information should be provided for the Information Elements? For each proposal, what is the impact to the existing network landscape? 21-09-0060-00-0sec
List of Work Item 2 Proposals For work item 2, 4 proposals are received. Packet Level Authentication (PLA) (doc #65, by Sumanta Saha et al) The packets are understood as IP packets. Therefore, it is an IPsec like protection. Need to be clarified by the proposers. Authenticate MIH Information Using Digital Signature through Hash Tree (doc # 59, by Antonio Izquierdo et al) Enable re-use and re-package information and maintain origin information authentication. Use TLS to protect MIH messages (doc #66, by Subir Das et al) Establish TLS session between MN and PoS. The messages are protected in both directions for confidentiality and integrity/authenticity. MIH-SAP (Security Module) (doc #62, by Anirudh Bhatt et al) Introduce MIH-SAP security module to facilitate MIH entity authentication and MIH protections. 21-09-0060-00-0sec
Observations on Work Item 2 Proposals The proposals cover the following aspects From protection perspective: MIH protection may provide integrity/authenticity only or both integrity/authenticity and confidentiality. For integrity/authenticity: it can be public key based (signature) or symmetric key based (IPsec or TLS) The protocol for the protections can be IPsec or TLS Information re-use and re-pack with origin authentication Function entity: MIH-SAP The different proposals offer different options. They do not seem conflicting to each other. 21-09-0060-00-0sec
Discussion Topics for Work Item 2 Proposals Can we provide multiple options for MIH protection (e.g. IPsec, TLS, MIH specific)? Do we need any assumption on the transport protocol for MIH if we use IPsec and TLS? How efficient each existing protocols are to be used in protecting MIH? Do we need to explicitly introduce (assume) MIH specific infrastructure support (authentication server, CA, etc)? Do we need to consider all the situations for MIH service? Access authentication (yes or no) MIH specific protection (yes or no) Shall we consider a centralized trust model for IS or distributed trust model? Information comes from a centralized server, signed and verifiable by all the receivers or every PoS generates its own information package and signs it? 21-09-00xx-00-0sec
Next Steps for Work Item 1 Proposals Discuss why the proposed new protocols, methods, entities and IEs are in the scope of 802.21a. Generate tentative text to be included in the Amendment. Discuss applicability of the proposal with existing 802.21 architecture. 21-09-0060-00-0sec
Next Steps for Work Item 2 Proposals Define format for MIH specific protections. Generate tentative text to be included in the Amendment. Discuss applicability if existing security protocols such as IPsec and TLS are used to protect MIH messages. 21-09-0060-00-0sec