IEEE 802.21 MEDIA INDEPENDENT HANDOVER
DCN: 21-08-0102-00-0sec
Title: Use Cases for MIH Services and MIH Protocol
Threats
Date Submitted: April 02, 2008
Presented at Security Study Group Teleconference
on April 02, 2008
Authors or Source(s):
Shubhranshu Singh (Samsung) Marc Meylemans (Intel),
Subir Das (Telcordia Technologies)
Abstract:
This document provides some deployment
scenarios of MIH services and discusses the common
security threats of MIH Protocol
IEEE 802.21 presentation release statements
This document has been prepared to assist the IEEE 802.21 Working
Group. It is offered as a basis for discussion and is not binding on the
contributing individual(s) or organization(s). The material in this
document is subject to change in form and content after further study.
The contributor(s) reserve(s) the right to add, amend or withdraw
material contained herein.
The contributor grants a free, irrevocable license to the IEEE to
incorporate material contained in this contribution, and any
modifications thereof, in the creation of an IEEE Standards publication;
to copyright in the IEEE’s name any IEEE Standards publication even
though it may include portions of this contribution; and at the IEEE’s
sole discretion to permit others to reproduce in whole or in part the
resulting IEEE Standards publication. The contributor also
acknowledges and accepts that this contribution may be made public
by IEEE 802.21.
The contributor is familiar with IEEE patent policy, as stated in Section 6
of the IEEE-SA Standards Board bylaws
<http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and in
Understanding Patent Issues During IEEE Standards Development
http://standards.ieee.org/board/pat/faq.pdf>
Deployment Scenarios (1/4)
Scenario 1:
MN is in the home network
and the MIH services (e.g.,
IS, ES, CS) are provided by
the home network.
hPoS
PoA
Access
Network
Mobile Node
Core Network
Home Network
Note: This and the following scenarios
assumes PoA and PoS are separate entities
however in some specific cases they might
be co-located. We’ll address issues involved
in such cases separately.
Deployment Scenarios (2/4)
Scenario2:
MN is in the visited network
and MIH services are
provided by the home
network
hPoS
Home Network
PoA
Visited
Network
Mobile Node
Deployment Scenarios (3/4)
Scenario3:
MN is in the visited network
and MIH services are also
provided by the visited
network. There is a
relationship between home
and visited networks
vPoS
hPoS
Home Network
PoA
Visited
Network
Mobile Node
Deployment Scenarios (4/4)
Scenario4:
MN is in the visited or Home
network and MIH services
are provided by 3rd Party
network.
3rd Party
Network
PoS
PoA
Home or
Visited
Network
Mobile Node
What are the Issues?
• How to secure MIH Protocol message exchange?
• How to secure the access to MIH services?
• How to secure discovery of MIHF network entity?
What are the Common
Threats?
•
•
•
•
•
•
Message Modification
Message Hijacking/Replay
False Identity of MIHF
Denial of Service
No MIH Service Access Control
False Network MIHF Entity Information
Message Modification Issues
• Some intermediate node may be capable of snooping,
altering and forwarding the MIH packets
• IE in Information services could be altered in Request or
Response messages
• MIH events can be modified e.g., to change threshold
values or even event ids and parameters
• Commands such as, Handover-candidate response or
Handover-commit from MN or network could be modified to
affect handover (packets buffered/rerouted)
Having means for data protection (integrity and encryption)
between source and target MIHFs at underlying layer can
mitigate this security threat
Hijacking/Replay Issues
• An ongoing session with one MIHF can be hijacked while
providing the response or future packets from a different
MIHF node
• A certain event or command can be stored from one
session and replayed later to the same node
Having means to verify the authenticity of the peer MIHF’s
packet can mitigate this security threat
False Identity of MIHF
• Any node can provide an MIHF ID to gain access to the
network MIHF entity
• Service Request or Response messages can be generated
with any known/expired MIHF ID for which the service is not
authorized or allowed
– MIH events can be send to change threshold values or other
parameters
– MIH Commands such as, Handover-candidate response or
Handover-commit can be send to affect handover
Having means for data origin authentication from the source
MIHF can mitigate this security threat
Denial of Service Issues
• MIH events or commands can be originated by
spoofing the MIHF ID
• Spoofing can be done as either a mobile node or a
network entity that has the MIHF
• Any event or command can be triggered falsely to
affect the network selection and handover
– e.g., Link-Going-Down, Link-Down and
Handover-commit
Having means to verify the authenticity of the MN
MIHF ID or network entity that has the MIHF can
mitigate this security threat
MIH Access Control Issues
• MIH access control is what MIH services the users can
receive
• Operator may apply subscription profile to the user for
customization (e.g, may be linked with MIHF ID)
– User can only use certain access technologies or can only query
about certain access technologies
– Various roaming plans or information may be available depending
on subscription profile
Having means for authenticating MIHF ID can mitigate this
security threat
False Network MIHF Entity
Information
• This is a discovery issue
• IEEE 802.21 defines MIH Function discovery at layer 2 and
IETF defines at higher layers
– Discovery without proper security may lead to finding MIHF that may
not be trustworthy
– L2 broadcast discovery is a good example, any entity can respond
that it is MIH Function capable
• Our scope should be limited to L2 discovery
– We can not work on something that we have not defined
Having means to protect information at lower layer can
mitigate this security threat. If it uses management plane
before association (e.g. 802.11) nothing much we can do
What is Available/Recommended
• In all scenarios:
•
•
Either Media Specific transport (e.g. L2) or
Media independent transport (e.g., L3 and above)
• Media Specific Transport (e.g., MN  PoA)
• Security is provided by the link layers (except management
plane, e.g., 802.11)
• Media Independent Transport (e.g., MN  PoA or PoA
 PoS)
• Use IPsec, TLS, DTLS
Next Steps?
•
Update TR to reflect the agreed upon deployment scenarios
•
Perform threat analysis for the agreed upon deployment scenarios
and capture them in the TR
•
•
In particular, capture the threats and assumptions specific to deployment
scenarios
Based on the threat analysis, discuss/decide what is already
available and what is specific to MIH Protocol