Embed Size (px)
Citation preview
21-07-0xxx-00-0000
• IEEE 802.21 MEDIA INDEPENDENT HANDOVER
• DCN:21-07-0084-00-0000-LB1c-handover-issues.ppt
• Title: MIH Security – What is it?
• Date Submitted: March, 2007
• Presented at IEEE 802.21 session #NN in Orlando, FL
• Authors or Source(s):
• Abstract: Discuss to clarify MIH security and Access Control aspects
21-07-0xxx-00-0000
IEEE 802.21 presentation release statements
• This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
• The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21.
• The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual <http://standards.ieee.org/guides/opman/sect6.html#6.3> and in Understanding Patent Issues During IEEE Standards Development http://standards.ieee.org/board/pat/guide.html>
21-07-0xxx-00-0000
Introduction
• IEEE 802.21 services affects user mobility • Service providers need to ensure users receive best user
experience and satisfaction
• Mutual confidence in exchange of MIH services is a necessary requirement
• Mobile nodes must be confident when• Receiving reliable information (IS) from trusted network sources• Receiving/sending events/commands only from trusted network nodes
• Network must be confident that • MIH events/commands are in fact originated from the “said” user• MIH info/events/commands are delivered to destination reliably
(without tampering)
• Security becomes an essential ingredient for deployment
21-07-0xxx-00-0000
MIH Access Control
• Network operator may apply subscription policies to the user for customization, e.g.
• User can only use certain access technologies => can only query about certain access technologies
• Various roaming plans/info depending on subscription plans• Addressed in 21-07-0035-00-0000-AccessControlIEs.ppt
• MIH access control is not network access control• access level control determines whether and how user can
access the link resources
• Related to MIH security since the policy control is based on authentication
21-07-0xxx-00-0000
Policy Based MIH Services
MIH IS/ECS
• Policy is about customizing service specific to the user, usually derived from• subscription relation with the user• Network operation policies• Roaming considerations etc
• Policy setup is either online or offline and enforced in MIHF for that user
• For MIH, policy impacts on a user basis• what information is provided• what events and commands can be generated or processed
• Need to verify the authenticity of the MN for policy based services
MobileNode
Policy functions
21-07-0xxx-00-0000
Discovery Issues
MIHF
• MIHF discovery may lead to finding MIHF that may not be trustworthy
• L2 broadcast discovery is a good example, any one can respond that they are MIHF capable
• Not having means to verify the authenticity of the MIHF service provider can lead to negative effects
MobileNode
Bad GuyMIHF
21-07-0xxx-00-0000
Hijacking/Replay Issues
MIH IS/ECS
• An ongoing session with one MIHF can be hijacked providing the response or future packets from a different node
• A certain event or command can be stored from one session or a packet and replayed later to the same node
• Not having means to verify the authenticity of the MIHF service provider or replay protection can lead to negative effects
Bad GuyMIHF
MobileNode
21-07-0xxx-00-0000
Denial of Service
MIHF
Good GuyMobileNode
• MIH events or commands can be originated by spoofing the MIHF node ID
• Spoofing can done as either a mobile node or a network MIHF
• Any event or command can be triggered falsely to affect the mobility somehow
• Link-Going-Down, Link-Down and Handover-commit
• Not having means to verify the authenticity of the MIHF of MN or service provider can lead to negative effects
Bad GuyMobileNode
MIH source same as otherMobile nodes
MIHF
Good GuyMobileNode
MIH source same as MIHF
Bad GuyMIHF
21-07-0xxx-00-0000
Message Modification by 3rd party
Good GuyMIH IS/ECS
Bad GuyMIHF
MobileNode
Modify the request and/or response
• Some intermediate node is capable of snooping, altering and forwarding the MIHF packets
• IE in Information services could be altered in request or response
• MIH events can be modified e.g. to change threshold values or even event ids and parameters
• Handover-candidate response or Handover-commit from MN or network could be modified to affect mobility (packets buffered/rerouted)
• Not having means for data protection from the originating MIHF can lead to negative effects
21-07-0xxx-00-0000
Requirements
• Need mutual authentication• Network needs to authenticate the user to establish the user
privileges to provide and process any information• Mobile nodes need to authenticate the network to establish the
network node is trustworthy
• Need integrity protection (message authentication)• Network needs to ensure that the user who claims to send the
events/commands is in fact the actual source• Mobile nodes need to ensure that the network node who claims
to send the events/commands is, in fact the actual source• Can also take care of replay attacks (w/ new transaction
numbers)
• Need replay protection
21-07-0xxx-00-0000
Relation to Transport security
• MIH cannot expect these functions from transport
• MIH should be independent of transport
• Transport has no knowledge of MIH semantics• Transport is opaque to MIH data, has no way to verify the
MIH packet data is authentic
• MIH can utilize one or more links/transports at the same time • E.g. state-1 query in 802.11 and 802.16 while on a serving
network
• Transport can be split end to end and lose the info about the origination point
• Transport layer security will not be able to meet these requirements
21-07-0xxx-00-0000
How/When?
• Define protocol mechanisms for • mutual authentication• Integrity protection
• Define related IE
• When? • The sooner, the better
• Add more points/opinons
21-07-0xxx-00-0000
Comments/Q&A
