[Mobopts] Fwd: RG Last Call for Media-independent Pre-Authentication Document
A Review. Thanks Madjid.
---------- Forwarded message ----------
From: Nakhjiri Madjid-VXT746 <madjid.nakhjiri at motorola.com>
Date: Thu, May 29, 2008 at 5:24 PM
Subject: RE: [Mobopts] RG Last Call for Media-independent
Pre-Authentication Document
To: Rajeev Koodli <rajeev.koodli at gmail.com>
Cc: Nakhjiri Madjid-VXT746 <madjid.nakhjiri at motorola.com>
...........................
I unfortunately think the doc has too much background material and
abstraction that takes the user through a lot of text (15 pages)
before it introduces any of its framework concepts, and that makes
reviewing very tough if you are time constrained, sorry.
I think one of the strong points that any doc about Pre-auth needs to
make is that many of the procedures such as handover keying and
reauthentication deal with cases where there is a single source of
trust at the top and all underlying AAA domains trust that top source
of trust and any keys it generates and distributes. In cases of
multiple operators without roaming relationship, or without agreement
to participate in a key management scheme, you do have to perform a
pre-auth function to establish the security mechanisms without
assuming a common source of trust.
The first paragraph of the intro can be toned down a bit with respect
to the ordering of the challenges.
Is this expected to solve the seamless mobility problem even when there
is a single L2 interface? (intro) As much as this is a noble goal,
I think with the advances in silicon and wireless devices, this is an
overcomplication of the requirements. I do agree that the
multi-interface assumption has been one of the barriers for 802.21
though. I am wondering how a mobile performs pre-auth with an
authentication agent of a new access technology while still connected
to the old one if it is single interface; it is also not clear how the
mobile acquires the IP address of this agent, as section 6.3 states, if
it is not tuned to the new technology. Sorry if I have not gone to the end
of the document and am not being fair.
Third, a mobility
optimization mechanism needs to support not only multi-interface
terminals where multiple simultaneous connectivity through multiple
interfaces can be expected, but also single-interface terminals.
section 1.1.
I am not sure if the document needs to go into a serial analysis of
every source of delay in the system. Since this is about pre-auth and
IP address acquisition, etc., it could simply just talk about those
things. So section 1.1 can undergo a serious diet.
A QoS-style description of delay would not be needed either, IMO. On
the other hand, what that section really is missing is a description
of the issues around reestablishing link security (authentication, link
key management, access authorization) in conjunction with network access
and handovers (inter- or intra-domain), because that is really the
focus of a pre-auth framework.
section 2
This type of Inter-technology handover is often
called as Vertical Handover since the mobile makes movement between
two different cell sizes.
I don't think vertical handover is defined based on cell size; it is
defined based on the type of access technology (as listed).
I think an important point about inter-domain is not just where the
mobile is authenticated, but also where its user profile and credentials
are stored and where its payment is associated, because that will
define the difference between home and visited domains from the
security standpoint. The mobile has an initial and permanent trust
relationship with its home, and any interaction with a visited domain
is based on a temporary and transitive trust established from the
mobile-home trust and a home-visited domain roaming relationship.
I know it is a sticky subject, but probably the AA (authentication agent)
needs to be given some IETF or other wireless examples (EAP
authenticator, ASN GW, etc.), along with how the authentication signaling
is to traverse the new network if there is only one interface.
The parts with pre-configuration are OK from an 802.21 perspective;
however, I don't think this doc or framework should get into decisions
of which network to use. That is a network discovery issue that assumes a
general broadcasting broker (I think 802.21 calls it an information
server).
Decision regarding which
candidate network the mobile needs to pre-authenticate with will
depend upon several policies, such as signaling overhead, bandwidth
requirement (QoS), mobile's location, communication cost, and
handover robustness etc.
This just makes the framework for this protocol too large and
academic, especially if things like a specific server (that nobody would
take ownership of in an inter-domain scenario) come in.
.......................
_______________________________________________
Mobopts mailing list
Mobopts at ietf.org
https://www.ietf.org/mailman/listinfo/mobopts
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.