Re: [Ecrit] draft-ietf-ecrit-unauthenticated-access-03
Henning Schulzrinne <hgs@cs.columbia.edu> Mon, 21 November 2011 14:34 UTC
Return-Path: <hgs@cs.columbia.edu>
X-Original-To: ecrit@ietfa.amsl.com
Delivered-To: ecrit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4CFB21F8AD9 for <ecrit@ietfa.amsl.com>; Mon, 21 Nov 2011 06:34:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.599
X-Spam-Level:
X-Spam-Status: No, score=-5.599 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LG4GpIgTzfvG for <ecrit@ietfa.amsl.com>; Mon, 21 Nov 2011 06:34:00 -0800 (PST)
Received: from brinza.cc.columbia.edu (brinza.cc.columbia.edu [128.59.29.8]) by ietfa.amsl.com (Postfix) with ESMTP id E93EC21F8ABD for <ecrit@ietf.org>; Mon, 21 Nov 2011 06:33:59 -0800 (PST)
Received: from dhcp-13-72.cs.columbia.edu (dhcp-13-72.cs.columbia.edu [128.59.13.72]) (user=hgs10 mech=PLAIN bits=0) by brinza.cc.columbia.edu (8.14.4/8.14.3) with ESMTP id pALEXoI1028262 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Mon, 21 Nov 2011 09:33:50 -0500 (EST)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset="us-ascii"
From: Henning Schulzrinne <hgs@cs.columbia.edu>
In-Reply-To: <B5714D3C-F1C8-45BE-9CBA-ADBA9DF419B8@bbn.com>
Date: Mon, 21 Nov 2011 09:33:48 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <209B5BA6-9569-4FC2-9771-D1B367CA54A9@cs.columbia.edu>
References: <58EF06B3-2C98-4FD6-91F0-A9A15820A909@gmx.net> <B5714D3C-F1C8-45BE-9CBA-ADBA9DF419B8@bbn.com>
To: Richard Barnes <rbarnes@bbn.com>
X-Mailer: Apple Mail (2.1251.1)
X-No-Spam-Score: Local
X-Scanned-By: MIMEDefang 2.68 on 128.59.29.8
Cc: ECRIT Org <ecrit@ietf.org>
Subject: Re: [Ecrit] draft-ietf-ecrit-unauthenticated-access-03
X-BeenThere: ecrit@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <ecrit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ecrit>, <mailto:ecrit-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ecrit>
List-Post: <mailto:ecrit@ietf.org>
List-Help: <mailto:ecrit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ecrit>, <mailto:ecrit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Nov 2011 14:34:00 -0000
Some comments inline. On Nov 21, 2011, at 9:08 AM, Richard Barnes wrote: >> 1) No Access Authentication (NAA) >> >> I suggested to address the fraud problem that results from a host that attaches to a network using some special link layer authentication procedure without actually having credentials for that specific network by not routing the emergency calls via the VSP but instead contacting the PSAP directly. >> >> From the feedback during the meeting I believe folks are fine with that approach but are looking forward to see the details. > > This approach actually makes me nervous. As others have pointed out in several contexts, code paths that only get exercised in emergencies tend to be less reliable than the normal code paths. So we might RECOMMEND that the calling device go directly to the PSAP, we should allow that it MAY use a VSP. Agreed. This may also be difficult to do due to the architecture of ESInets (hierarchical LoST routing, policy filters at the edge of the ESInet, etc.) > > The fraud risks are probably not that daunting. As with the trustworthy-location / PSAP protection cases, there are several "softer" mitigations that can be applied here. For example, you could limit the type and number of flows per endpoint to something that looks like VoIP, e.g., allowing a single SIP or TLS session and some number of RTP/SRTP flows. This may start to sound like DPI, but really you can do it mostly at the TCP/IP layer. I suspect the fraud concern would be "free phone calls". It seems hard to distinguish an emergency voice call from a regular phone call. One could restrict such calls by bandwidth or duration, but that comes with its own set of issues. (Realistically, few people are going to shell out $10 to make a five-minute phone call via WiFi, so the lost revenue seems small. Counterargument would be the per-minute access offered by Skype.) For large operators, you could imagine a more sophisticated solution that allows the operator to check whether an unauthenticated access call is indeed an emergency call by querying a database (e.g., by IP address). Such calls are presumably going to be pretty rare. It is not clear whether such a mechanism is worth the deployment, operational and false-negative cost. > > >> 2) Deployment Reality >> >> Bernard and Martin had some comments about the current deployment limitations of many access networks. For example, many hotspots require user interactions prior to get network access granted. There is not really anything we can do about it other than mentioning the challenges in a limitation section. I suggested to introduce such a section. > > The general question is how endpoints determine which state they're in -- namely, do they have a real Internet connection or not. There are actually some deployed solutions to this today. If you look at Mac OS X Lion or recent versions of iOS, they do a test HTTP query to an Apple server and see if they get the right response back. I understand that Blackberry devices do something similar. > > It might be worthwhile to write an RFC standardizing a mechanism for this, to make the whole system more predictable in general (not just in emergency cases). I've been meaning to bring this up in APPSAWG, but haven't gotten around to it. As I mentioned earlier, the HotSpot 2.0 initiative tackles this problem, as far as I can tell. It also tries to avoid splash screens, to deal with mobile devices and seamless handoff. > > >> 3) Lack of authorization to perform network access >> >> The document currently considers the Zero-Balance ASP where an emergency caller is not authorized to make the emergency call. This lack of authorization is visible at the application layer. Bernard suggested to add a discussion about lack of authorization at the network layer as well. >> I am OK with adding such text. > > The more I think about it, the more absurd this case seems. ASPs should allow emergency calls. Rather than requiring special handling on the client side, we should provide guidance to ASPs on how to determine whether a call is an emergency call, using LoST. > > (Someone should build a service that builds a global list of PSAP/ESRP URIs from LoST and distributes it to interested parties. You could even do something clever like make it a Bloom filter.) It might help if we divide the problem into three cases: (1) Large, national operators, such as Boingo. They can offer a LoST server and outbound SIP proxy that's keyed to the LoST server URLs. They already maintain white lists of URLs for unpaid access, so this does not seem that hard. (2) Local paid WiFi, such as in hotels. Somewhat problematic. May need some kind of access duration/speed restriction. (3) Free WiFi with disclaimer screens (Starbucks, Panera, etc.). Fraud is not a major concern. Henning
- [Ecrit] draft-ietf-ecrit-unauthenticated-access-03 Hannes Tschofenig
- Re: [Ecrit] draft-ietf-ecrit-unauthenticated-acce… Henning Schulzrinne
- Re: [Ecrit] draft-ietf-ecrit-unauthenticated-acce… Richard Barnes
- Re: [Ecrit] draft-ietf-ecrit-unauthenticated-acce… Henning Schulzrinne
- Re: [Ecrit] draft-ietf-ecrit-unauthenticated-acce… Richard L. Barnes