
IEEE 802.21 MEDIA INDEPENDENT HANDOVER
DCN: 21-08-0106-00-0sec
Title: Threats for MIH Services: Assumptions and Use Cases
Date Submitted: April 16, 2008
Presented at Security Study Group Teleconference on April 16, 2008
Authors or Source(s):
Subir Das (Telcordia Technologies), Shubhranshu Singh (Samsung), Marc Meylemans (Intel)
Abstract: This document describes the threats for MIH services based on a few assumptions and use cases.
IEEE 802.21 presentation release statements
This document has been prepared to assist the IEEE 802.21 Working
Group. It is offered as a basis for discussion and is not binding on the
contributing individual(s) or organization(s). The material in this
document is subject to change in form and content after further study.
The contributor(s) reserve(s) the right to add, amend or withdraw
material contained herein.
The contributor grants a free, irrevocable license to the IEEE to
incorporate material contained in this contribution, and any
modifications thereof, in the creation of an IEEE Standards publication;
to copyright in the IEEE’s name any IEEE Standards publication even
though it may include portions of this contribution; and at the IEEE’s
sole discretion to permit others to reproduce in whole or in part the
resulting IEEE Standards publication. The contributor also
acknowledges and accepts that this contribution may be made public
by IEEE 802.21.
The contributor is familiar with IEEE patent policy, as stated in Section 6
of the IEEE-SA Standards Board bylaws
<http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and in
Understanding Patent Issues During IEEE Standards Development
<http://standards.ieee.org/board/pat/faq.pdf>.
Common Security Threats
• Message Modification
• Message Hijacking/Replay
• False Identity of MIHF
• Denial of Service
Note: No distinction has been made between outsider and insider attacks
Goals
• To address the questions that were received during the last teleconference. In particular,
– What are the assumptions on MIH services deployment?
– What are the security features we need?
– Assessment of the threats that exist in different deployment models
General Assumptions
• MIH services are available after successful network access authentication
Note: Situations where the MN accesses MIH services without network access authentication should be considered separately
• If link layer security is in use on the network, it is established between the MN and the PoA
• For simplicity, all MIH services are provided by one network (e.g., home, visited, or 3rd party)
Security Features
• Security features needed to mitigate the
threats
– MIH Entity authentication
• Peer entities need to verify their authenticity
– MIH protocol message protection
• Message exchange between peers needs to be secured
Non Goals
• Securing peer MIHF entity discovery
– Discovery happens via out-of-band signaling, except when combined with Capability Discovery
• MIHF discovery should be considered separately and should be a non-goal for us
Deployment Scenario #1
Scenario 1:
MN is in the home network and the MIH services (e.g., IS, ES, CS) are provided by the home network.
[Figure: Mobile Node attached over L2 to a PoA in the Access Network; MIH messages carried over L3 to the hPoS in the Core Network of the Home Network]
Note: This and the following scenarios assume PoA and PoS are separate entities; however, in some cases they might be co-located.
Deployment Scenario #1 (contd.)
• Two possible cases
– Case 1a: hPoS has access to user’s subscription
profile
– Case 1b: hPoS has no access to user’s
subscription profile
Addressing Security Features for Case 1a
• Entity authentication
– MIH service specific credentials may be derived from
network access authentication credentials
– Other mechanisms are also possible
• MIH protocol message protection
– Can be achieved by enabling transport security, if transport
security is available
• Need to bind transport SAs with MIH identity
Therefore all common threats can be mitigated
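What "deriving MIH service-specific credentials from the network access authentication credentials" and "binding the transport SA to the MIH identity" buy against the common threats (this Case 1a, and likewise Cases 2a, 3a and 4a/4b below), as an added Python illustration that is not part of this contribution or of any 802.21 text. The MSK value, the MIHF identities, the KDF label and the frame layout are all constructed for the example; a real deployment would use the transport's own security association rather than this hand-rolled framing.

```python
import hashlib
import hmac
import struct

MN_ID, POS_ID = "mn@home.example", "hpos.home.example"  # constructed MIHF identities
TAG_LEN = 32

def derive_mih_key(access_msk: bytes, mn_id: str, pos_id: str) -> bytes:
    """Hypothetical KDF: HMAC-SHA256(MSK, "MIH-SA" | MN-ID | PoS-ID). Mixing both
    identities into the derivation binds the resulting SA key to this MN/PoS pair."""
    label = b"MIH-SA|" + mn_id.encode() + b"|" + pos_id.encode()
    return hmac.new(access_msk, label, hashlib.sha256).digest()

def protect(key: bytes, sender_id: str, seq: int, payload: bytes) -> bytes:
    """Frame layout: sender MIHF-ID, NUL, 4-byte sequence number, payload, HMAC tag."""
    body = sender_id.encode() + b"\x00" + struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class PoSVerifier:
    """Receiving PoS: holds the SA key for one MIHF-ID and the last accepted sequence."""
    def __init__(self, key: bytes, expected_id: str):
        self.key, self.expected_id, self.last_seq = key, expected_id, -1
    def verify(self, frame: bytes) -> str:
        ident, sep, rest = frame.partition(b"\x00")
        if not sep or len(rest) < 4 + TAG_LEN:
            return "malformed"
        if ident != self.expected_id.encode():
            return "false identity"  # frame claims an MIHF-ID this SA is not bound to
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            return "modified"        # altered in transit, or produced without the bound key
        seq = struct.unpack(">I", rest[:4])[0]
        if seq <= self.last_seq:
            return "replay"          # this sequence number was already accepted
        self.last_seq = seq
        return "accepted"

def demo() -> dict:
    msk = b"\x11" * 32  # constructed: MSK left behind by network access authentication
    key = derive_mih_key(msk, MN_ID, POS_ID)
    pos = PoSVerifier(key, MN_ID)
    good = protect(key, MN_ID, 1, b"MIH_Event_Subscribe.request")
    out = {"good": pos.verify(good), "replay": pos.verify(good)}  # second copy is a replay
    flipped = good[:-TAG_LEN - 1] + bytes([good[-TAG_LEN - 1] ^ 1]) + good[-TAG_LEN:]
    out["tampered"] = pos.verify(flipped)
    other_key = derive_mih_key(msk, "other@home.example", POS_ID)  # same MSK, other MIHF-ID
    out["forged"] = pos.verify(protect(other_key, MN_ID, 2, b"MIH_Link_Actions.request"))
    out["next"] = pos.verify(protect(key, MN_ID, 2, b"MIH_Event_Subscribe.request"))
    return out
```

The "forged" case is the point of the binding: a peer holding a key derived from the same access-authentication MSK but for a different MIHF-ID still cannot produce a frame that verifies under MN_ID.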
Addressing Security Features for Case 1b
• Entity authentication
– Since there is no access to the user’s subscription profile, entity authentication cannot be performed
• MIH protocol message protection
– Can be achieved via enabling transport security, if
transport security is available
• Need to bind transport SAs with MIH identity
Therefore all threats can NOT be mitigated
Deployment Scenario #2
Scenario 2:
MN is in the visited network and MIH services are provided by the home network.
[Figure: Mobile Node attached over L2 to a PoA in the Visited Network; MIH messages carried over L3 to the hPoS in the Home Network]
Deployment Scenario #2 (contd.)
• Two possible cases
– Case 2a: hPoS has access to user’s
subscription profile
– Case 2b: hPoS has no access to user’s
subscription profile
Addressing Security Features for Case 2a
• Entity authentication
– MIH service specific credentials may be derived from
network access authentication credentials
– Other mechanisms are also possible
• MIH protocol message protection
– Can be achieved by enabling transport security, if transport
security is available
• Need to bind transport SAs with MIH identity
Therefore all common threats can be mitigated
Addressing Security Features for Case 2b
• Entity authentication
– Since there is no access to the user’s subscription profile, entity authentication cannot be performed
• MIH protocol message protection
– Can be achieved via enabling transport security, if
transport security is available
• Need to bind transport SAs with MIH identity
Therefore all threats can NOT be mitigated
Deployment Scenario #3
Scenario 3:
MN is in the visited network and MIH services are also provided by the visited network. There is a roaming relationship between home and visited networks.
[Figure: Mobile Node attached over L2 to a PoA in the Visited Network; MIH messages (L3) between the Mobile Node and the vPoS, and a second MIH message path (L3) between the vPoS and the Home Network]
Deployment Scenario #3 (contd.)
• Two possible cases
– Case 3a: vPoS has access to user’s
subscription profile via roaming relationship
– Case 3b: vPoS has no access to user’s
subscription profile via roaming relationship
Addressing Security Features for Case 3a
• Entity authentication
– MIH service specific credentials may be derived from
network access authentication credentials
– Other mechanisms are also possible
• MIH protocol message protection
– Can be achieved by enabling transport security, if transport
security is available
• Need to bind transport SAs with MIH identity
Therefore all common threats can be mitigated
Addressing Security Features for Case 3b
• Entity authentication
– Since there is no access to the user’s subscription profile, entity authentication cannot be performed
• MIH protocol message protection
– Can be achieved via enabling transport security, if
transport security is available
• Need to bind transport SAs with MIH identity
Therefore all threats can NOT be mitigated
Deployment Scenario #4
Scenario 4:
MN is in the visited or home network and MIH services are provided by a 3rd party network.
[Figure: Mobile Node attached over L2 to a PoA in the Home or Visited Network; MIH messages carried over L3 to the tPoS in the 3rd Party Network]
Deployment Scenario #4 (contd.)
• Three possible cases
– Case 4a: tPoS has access to its own user’s
subscription profile
– Case 4b: tPoS has access to user’s
subscription profile via user’s home network
(through agreement)
– Case 4c: tPoS has no access to user’s
subscription profile
Addressing Security Features for Cases 4a & 4b
• Entity authentication
– MIH service specific credentials may be derived from
network access authentication credentials
– Other mechanisms are also possible
• MIH protocol message protection
– Can be achieved by enabling transport security, if transport
security is available
• Need to bind transport SAs with MIH identity
Therefore all common threats can be mitigated
Addressing Security Features for Case 4c
• Entity authentication
– Since there is no access to the user’s subscription profile, entity authentication cannot be performed
• MIH protocol message protection
– Can be achieved via enabling transport security, if
transport security is available
• Need to bind transport SAs with MIH identity
Therefore all threats can NOT be mitigated
What Should We Do Then?
• Shall we assume that MIH Services are always based on the user’s ‘Subscription’? (except the pre-attachment case)
• If not, can we handle the complexity and address the issues within the time frame?
• Opinions/Thoughts?
• Consensus?
Next Steps?
• Capture the discussions in the TR
• Address/resolve additional comments/questions/
thoughts
• …