Re: [MEXT] [!! SPAM] Re: Well-known problem with authentication/etc. in wireless networks

[<Basavaraj.Patil@nokia.com>]

Hi Charlie,

Inline:

On 8/25/11 3:23 PM, "ext Charles E. Perkins" <charliep@computer.org> wrote:

>
>Hello Pete,
>
>Your analysis of operator concerns is quite correct,
>it seems to me, but on the other hand maybe the IETF
>would be able to alleviate operator concerns once
>they are properly understood.  And, if operators
>could be assured that they would suffer no harm by
>following some revised IETF protocol steps, there
>would be a good chance for progress.
>
>Address assignment is perhaps the stickiest case.
>Here are some observations:
>- The UE doesn't necessarily have to know its
>   care-of address until after handover is complete
>   (and, according to [netext], not even then)
>- The access network does not have to complete the
>   assignment of the care-of address until it has
>   verified the authentication
>- As mentioned before, the home agent is a viable
>   candidate for AAA relay, actually appearing as the
>   AAA server to the access network
>- An IPv6 address can't really be considered a
>   valuable resource if it isn't routable, and so
>   even if UE knew its IPv6 care-of address, it would
>   not get any benefit until authentication completes.
>
>If there is any disagreement about these points, I would
>be surprised, but every day brings new surprises.  I am
>proposing that we should try to make a higher-performance
>handover specification that is less complicated than, say,
>S101/S102/S103.  Almost anything the IETF could possibly
>do would be less complicated than those, and I fully
>expect much easier to configure, administer, and operate.
>
>So, the problem statement could be:
>
>Enable Mobile IP to provide high-performance mobility management that
>is better able to be deployed in modern wireless access networks
>that already utilize alternate access authentication protocols.
>Determine the suitability of network-based versus client-based
>variations of the candidate solutions.

I think that the above problem statement is still fairly vague.
What would be the benchmark mobility protocol against which you could
evaluate whether you have a high-performance mobility management protocol?
I think we can work on optimizations to Mobile IP which would make it more
attractive from a deployment perspective.
Simplifying Mobile IP would also help in making it more viable for use in
wireless/cellular networks.
Mobile IP (DSMIP6) can be deployed and used in current gen cellular
networks when the MN is attached to a wifi network or a non-3GPP access
network (S2c reference point in 3GPP). That¹s a start. Relevant use-cases
would ensure that the HA is a part of the P-GW and mobile hosts
implement/support client functionality.

-Basavaraj

>
>
>Regards,
>Charlie P.
>
>
>
>On 8/25/2011 12:54 PM, Pete McCann wrote:
>> Hi, Charlie,
>>
>> The problem seems to be we have the following three steps that have
>> to be carried out in order:
>>
>> 1) access authentication
>> 2) address assignment
>> 3) mobility management
>>
>> (3) depends on (2) because you can't bind your home address to a
>> care-of address until you have a care-of address.  (2) depends on (1)
>> because operators don't like to give out resources until they know they
>> will get paid.
>>
>> It's possible to combine all these things into one protocol (perhaps
>>PANA
>> could have been that vehicle, if certain decisions had not been made)
>>but
>> the IETF seems to like breaking problems down into layered solutions.
>>
>> -Pete
>>
>> On Thu, Aug 25, 2011 at 3:19 PM, Charles E. Perkins
>> <charliep@computer.org>  wrote:
>>> Hello Pete,
>>>
>>> Yes, putting Mobile IP inside of EAP would be one approach.
>>> It would have some interesting advantages.  Other approaches
>>> might be more properly done in [netext] -- or perhaps have
>>> already been looked; I could have possibly missed some of
>>> the relevant discussion there.
>>>
>>> Regards,
>>> Charlie P.
>>>
>>>
>>>
>>> On 8/25/2011 11:40 AM, Pete McCann wrote:
>>>>
>>>> Hi, Julien,
>>>>
>>>> Are you talking about EAP inside IKEv2?  That presupposes that the MN
>>>> is already attached to the network somewhere and has an IP address
>>>>(i.e.,
>>>> it has already passed access authentication).
>>>>
>>>> It may be interesting to look at whether access authentication and
>>>> mobility
>>>> management can be combined.  For example, we could put Mobile IP (or
>>>> some variant of it) inside an EAP exchange used for access
>>>>authentication.
>>>> Charlie, are you proposing something like this?
>>>>
>>>> -Pete
>>>>
>>>> On Thu, Aug 25, 2011 at 1:44 PM, Julien
>>>>Laganier<julien.ietf@gmail.com>
>>>>   wrote:
>>>>>
>>>>> Charlie,
>>>>>
>>>>> I am not sure I understand what is missing in MIPv6; a MN and an HA
>>>>> can already mutually authenticate using EAP, and this is incidentally
>>>>> what 3GPP leverages on, together with the EAP-AKA method. What is
>>>>> missing?
>>>>>
>>>>> --julien
>>>>>
>>>>> On Wed, Aug 24, 2011 at 12:06 PM, Charles E. Perkins
>>>>> <charliep@computer.org>    wrote:
>>>>>>
>>>>>> Hello folks,
>>>>>>
>>>>>> It's now 2011.  Mobile IP was standardized late in
>>>>>> 1996, after work had already been started nearly
>>>>>> ten years before.  Over two decades! -- and regardless
>>>>>> of lip service to fixed/mobile convergence we still
>>>>>> don't have seamless mobility in user devices across
>>>>>> heterogeneous media, and standards organizations
>>>>>> (notably 3GPP) are not properly taking advantage of
>>>>>> what Mobile IP can do. The losers are the end-users,
>>>>>> which means all of us.
>>>>>>
>>>>>> There are many reasons for this, but one of the
>>>>>> main reasons has to do with authentication at the
>>>>>> access network.  EAP in various forms is being
>>>>>> utilized for this purpose, and Mobile IP is not,
>>>>>> even though there has never been any reported
>>>>>> failure of the RFC 5944 or RFC 4285 or RFC 6275
>>>>>> (to my knowledge).  Moreover, unless there is
>>>>>> something wrong with the cryptography that also
>>>>>> has not been reported, these authentication methods
>>>>>> enable _mutual_ authentication between the network
>>>>>> and the client, not just client authentication.
>>>>>>
>>>>>> In order for Mobile IP to enable the real promise
>>>>>> of high performance heterogeneous networking, we
>>>>>> have to do some more work.  I would like to initiate
>>>>>> some more discussion about this.  DMM is interesting
>>>>>> in its own right, but it's not at all the whole
>>>>>> story.  Moreover, with proper design, it is likely
>>>>>> the supposed burden of signaling to the home agent
>>>>>> can be substantially reduced.  As one simple example,
>>>>>> if handovers are accomplished locally between trusted
>>>>>> access agents (routers, 802.11 access controllers, ...)
>>>>>> then the actual timing of tunnel redirection from the
>>>>>> home agent becomes much less critical.  This is also
>>>>>> intricately intertwined with authentication.
>>>>>>
>>>>>> If the Home Agent were recognized as a robust security
>>>>>> appliance, then it could naturally sit on the network
>>>>>> boundary as an IP-addressable device.  Mobile IP
>>>>>> authentication could become the primary means of
>>>>>> validating user access, instead of an afterthought
>>>>>> to enable IP-address preservation after all the heavy
>>>>>> lifting has been done a lower levels.
>>>>>>
>>>>>> I would like to propose that in this working group we
>>>>>> should go about making this happen.  It seems to be
>>>>>> important, and undeniably aligned with our working
>>>>>> group responsibilities.
>>>>>>
>>>>>> Regards,
>>>>>> Charlie P.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> MEXT mailing list
>>>>>> MEXT@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/mext
>>>>>>
>>>>> _______________________________________________
>>>>> MEXT mailing list
>>>>> MEXT@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/mext
>>>>>
>>>>
>>>
>>>
>>
>
>_______________________________________________
>MEXT mailing list
>MEXT@ietf.org
>https://www.ietf.org/mailman/listinfo/mext