IETF Logo Mail Archive

Re: [Geopriv] Security Considerations:draft-thomson-geopriv-held-measurements-02.txt

"Thomson, Martin" <Martin.Thomson@andrew.com> Thu, 31 July 2008 14:02 UTC

Return-Path: <geopriv-bounces@ietf.org>
X-Original-To: geopriv-archive@megatron.ietf.org
Delivered-To: ietfarch-geopriv-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 03AFE3A6CBE; Thu, 31 Jul 2008 07:02:53 -0700 (PDT)
X-Original-To: geopriv@core3.amsl.com
Delivered-To: geopriv@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A78D03A6CB7 for <geopriv@core3.amsl.com>; Thu, 31 Jul 2008 07:02:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BLhCd0r9TuCj for <geopriv@core3.amsl.com>; Thu, 31 Jul 2008 07:02:51 -0700 (PDT)
Received: from andrew.com (smtp3.andrew.com [198.135.207.235]) by core3.amsl.com (Postfix) with ESMTP id 657D53A68B8 for <geopriv@ietf.org>; Thu, 31 Jul 2008 07:02:50 -0700 (PDT)
X-SEF-Processed: 5_0_0_910__2008_07_31_09_17_53
X-SEF-16EBA1E9-99E8-4E1D-A1CA-4971F5510AF: 1
Received: from acdcexbh1.andrew.com [10.86.20.91] by smtp3.andrew.com - SurfControl E-mail Filter (5.2.1); Thu, 31 Jul 2008 09:17:53 -0500
Received: from AHQEX1.andrew.com ([10.86.20.21]) by acdcexbh1.andrew.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 31 Jul 2008 09:02:23 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Thu, 31 Jul 2008 09:02:30 -0500
Message-ID: <E51D5B15BFDEFD448F90BDD17D41CFF104A2ED39@AHQEX1.andrew.com>
In-Reply-To: <20080731093059.7EC9C502E93@kilo.rtfm.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Geopriv] Security Considerations:draft-thomson-geopriv-held-measurements-02.txt
Thread-Index: Acjy8CoZcVR1ah1TSkOphzEMvghlbgAH6D+Q
References: <20080731093059.7EC9C502E93@kilo.rtfm.com>
From: "Thomson, Martin" <Martin.Thomson@andrew.com>
To: Eric Rescorla <ekr@networkresonance.com>, geopriv@ietf.org
X-OriginalArrivalTime: 31 Jul 2008 14:02:23.0643 (UTC) FILETIME=[0E659EB0:01C8F316]
Subject: Re: [Geopriv] Security Considerations:draft-thomson-geopriv-held-measurements-02.txt
X-BeenThere: geopriv@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Geographic Location/Privacy <geopriv.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/geopriv>
List-Post: <mailto:geopriv@ietf.org>
List-Help: <mailto:geopriv-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/geopriv>, <mailto:geopriv-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: geopriv-bounces@ietf.org
Errors-To: geopriv-bounces@ietf.org

Hi Ekr,

I have text on this topic, but I'm not sure why this never made it in.  I'll seek it out and update the draft.  Until that time, I'd like your feedback on the following ideas.  I will put text to this effect into the draft when I get the opportunity.

For the purposes of outright lying, some elements of information can be directly verified by the LIS.  For these pieces of information, the device provides value only by reducing the overall effort expended by the LIS in generating location information.  The LIS is able to authenticate this information by acquiring the information using its own means.  In many cases checking that the information is correct is far less costly than generating it in the first place.  This is certainly true for the scenarios my company has been looking at in the past 18 months.  Even if this is not the case, the LIS can check on random requests and the check can be made parallel to the continuing processing of the request.

The other case is obviously far more interesting.  There are parts of the measurement information that cannot be validated by the LIS are quite clearly open to lying.  However, you need to look at the goals of this draft.  The point is to make available, to the LIS, information that can be used to improve the accuracy of the information that it provides.  We have to assume that the LIS is able to determine the location of the device using some means, however coarse that is.  The impact of a lie on the final result that is produced can be constrained.  If for instance a device lies about its RTT measurements for WiMAX in such a way that the LIS is still able to use them, the result that is produced can be no further from the real location of the device than the uncertainty on the location information that the LIS is able to determine on its own.

With this view in mind, it's easier to understand the impact of the lie.  The LIS is able to take the spoofed measurement information and either check it entirely, or it is able to constrain the impact of the lie.

We have product that implements these mechanisms already in the cellular wireless space.  Our SMLC, SAS and SUPL servers do this for A-GPS.  We use the cell-based location to check the A-GPS location information.  If the A-GPS position differs excessively from the cell-based one we are able to reject (or just log) the result.

Cheers,
Martin

> -----Original Message-----
> From: geopriv-bounces@ietf.org [mailto:geopriv-bounces@ietf.org] On
> Behalf Of Eric Rescorla
> Sent: Thursday, 31 July 2008 10:31 AM
> To: geopriv@ietf.org
> Subject: [Geopriv] Security Considerations:draft-thomson-geopriv-held-
> measurements-02.txt
> 
> So, as I mentioned on Jabber earlier, the premise of the current
> LCP is that the Device is identified by IP addr, which is hopefully
> somewhat hard to spoof (see previous discussions on that). To
> the extent to which the LIS determines location based on information
> which is unverifiably provided by the Device then that seems
> to have (at least) two implications:
> 
> - It potentially allows a Device to lie about its position to
>   others via location information provided by the LIS.
> - It potentially allows a Device to find out where other devices
>   other than itself if it can determine their measurement info,
>   which isn't obviously private otherwise.
> 
> The security considerations section appears below in its entirety.
> It does not appear to me to address either issue.
> 
>    Location-related measurement data are provided by the Device for the
>    sole purpose of generating more accurate location information.  The
>    LIS SHOULD NOT retain location-related measurement data for any
>    longer than is necessary to generate location information.
> 
>    A LIS MUST NOT reveal location-related measurement data to any other
>    entity unless given explicit permission by the Device.  This
> document
>    does not include any means to indicate such permission.
> 
>    A Device is able to explicitly limit the time that a LIS stores
>    measurement data by adding an expiry time to the measurement data,
>    see Section 4.1.2.
> 
> I should note that this isn't just a matter of documenting these
> issues. It's not clear to me that there are actually good solutions
> for these issues.
> 
> -Ekr
> 
> _______________________________________________
> Geopriv mailing list
> Geopriv@ietf.org
> https://www.ietf.org/mailman/listinfo/geopriv

------------------------------------------------------------------------------------------------
This message is for the designated recipient only and may
contain privileged, proprietary, or otherwise private information.  
If you have received it in error, please notify the sender
immediately and delete the original.  Any unauthorized use of
this email is prohibited.
------------------------------------------------------------------------------------------------
[mf2]
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

v2.23.0 | Report a Bug | By Email