Re: [MEXT] [!! SPAM] Re: Well-known problem with authentication/etc. in wireless networks

[Pete McCann <mccap@petoni.org>]

Hi, Charlie,

On Thu, Aug 25, 2011 at 4:23 PM, Charles E. Perkins
<charliep@computer.org> wrote:
>
> Hello Pete,
>
> Your analysis of operator concerns is quite correct,
> it seems to me, but on the other hand maybe the IETF
> would be able to alleviate operator concerns once
> they are properly understood.  And, if operators
> could be assured that they would suffer no harm by
> following some revised IETF protocol steps, there
> would be a good chance for progress.
>
> Address assignment is perhaps the stickiest case.
> Here are some observations:
> - The UE doesn't necessarily have to know its
>  care-of address until after handover is complete
>  (and, according to [netext], not even then)

Some agent somewhere has to know it prior to binding it to a
home address.

> - The access network does not have to complete the
>  assignment of the care-of address until it has
>  verified the authentication

What do you mean by "complete"?

> - As mentioned before, the home agent is a viable
>  candidate for AAA relay, actually appearing as the
>  AAA server to the access network
> - An IPv6 address can't really be considered a
>  valuable resource if it isn't routable, and so
>  even if UE knew its IPv6 care-of address, it would
>  not get any benefit until authentication completes.

I assume a visited network would allocate at least
a /64 and probably more (a shorter prefix) if it wanted
to enable NEMO.  Depending on the amount of address
space allocated to that particular point of attachment,
I could imagine it being quickly exhausted by an attacker
that didn't have to pass authentication.  And given that
cells are getting smaller and more numerous, there will
be less and less address space allocated to each one.

> If there is any disagreement about these points, I would
> be surprised, but every day brings new surprises.  I am
> proposing that we should try to make a higher-performance
> handover specification that is less complicated than, say,
> S101/S102/S103.  Almost anything the IETF could possibly
> do would be less complicated than those, and I fully
> expect much easier to configure, administer, and operate.

If we could simply convince 3GPP operators to allow direct
Internet access as the default option (in the LIPA style) I
think it would tend to dramatically cut down on the complex
interfaces.  Right now the default option seems to be home-routed
traffic and hiding mobility from the UE as much as possible.

> So, the problem statement could be:
>
> Enable Mobile IP to provide high-performance mobility management that
> is better able to be deployed in modern wireless access networks
> that already utilize alternate access authentication protocols.
> Determine the suitability of network-based versus client-based
> variations of the candidate solutions.

It would be nice if EAP could be used as an air interface authentication
method in an LTE network.  If we had that and direct LIPA style connectivity
it would be possible to build something interesting on top.

-Pete