MIH protocol security

Maryna Komarova (ENST)

21-07-xxxx-00-0000

Post on 30-Dec-2015

General security issues and threats

• Both the MIH User and the NE MIHF may be the subject of an attack; the purposes are therefore:
  • protection of the MIH User from a fake MIH IS;
  • protection of the MIH IS from malicious users.

• Information received by the MIH User from the MIHF is used to perform the next steps; hence it is critical to protect it from alteration and to provide message origin authentication.

• Due to the short battery life of the MN, it is essential to avoid processing of fake information by the MN.

Requirements

• Security of MIHF discovery
  • There are two kinds of transport mechanisms: the first is the lower-layer transport (L2) and the second is the higher-layer transport (L3).
  • MIHF discovery: over a media-specific L2 or L3 mechanism
  • MIH Capability discovery: either over MIH or over media-specific broadcast messages

• Security of the MIH Protocol
  • Re-using existing transport protocols
  • Re-using existing solutions for providing authentication, confidentiality, message authentication and integrity;
  • Channel security protocol selection may be implementation dependent;
  • Minimum impact on the handover latency

MIHF services

• To discover the MIHF, either MIH or link-specific broadband transport is used.

• No authentication is assumed in the process of MIHF discovery and MIH Capability discovery.

• MIH pairing, from the MN’s point of view, means authorization for the MIHF to send commands. Hence, the MN authorizes an unauthenticated entity to perform some important actions.

• MIHF registration assumes only identification of peers; it does not assume any authentication or any means for integrity protection and message authentication of the commands and events sent.

MIHF service-specific security requirements

• Information Service
  • Discovery may operate within as well as outside administrative domain boundaries.
  • “It is important to note that, with certain access networks an MN should be able to obtain IEEE 802.21 related information elements before the MN is authenticated with the PoA.”
  • In order to protect the user from receiving wrong information, the IS should be authenticated to the user (MIHF-to-user authentication);
  • Definition of different sets of information available for users in authenticated and non-authenticated states;

• Event Service and Command Service
  • Mutual authentication between the MIHF and the MIH User (simple authentication is not sufficient, particularly in the case of communication with a remote MIHF);
  • Secure channel establishment;
  • Providing confidentiality, integrity protection and message origin authentication.

Authorization rights management

• The user should be able to select the most reliable IS among all those available;

• After authentication, different users are allowed to access different services.

• Per-user management of access rights is problematic:
  • It is costly;
  • Users may not be known in advance (if belonging to a different administrative domain);
  • A user may not disclose its identity to the visiting network;

• Role-based management of access rights may be implemented instead.

• The role may be based on the user’s state (unauthenticated/authenticated) or subscription (home/visiting).

Choice of MIIS

• The current 802.21 draft does not specify the location of the MIIS. Thus, the IS may be located in the serving, candidate or home network, or it may even be managed by a third-party authority.

• To choose the set of candidate networks, the MN must use only trusted and verified information.

• The MN may receive contradictory or conflicting information. That is why it is desirable to define some trust rating for the IS.

• This trust rating may be based on previous experience: it is positive when the provided information was correct and negative when the provided information was not correct. For handover decision making, the MN chooses the set of IS with the highest rating.

• Is the evaluation of trust in the IS in the scope of the SG?

• May some score be added to the IS according to the quality of the information previously provided to the MN?
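
An added example (not part of the original presentation) of the trust rating described above: the MN keeps a score per IS, raises it after correct information, lowers it after incorrect information, and accepts a value only when the highest-rated IS agree on it. The class and IS names, the ±1 step, the clamp bounds and the neutral starting score of 0 are assumptions.

```python
# Added example: all names and numeric parameters are assumptions,
# not taken from the presentation or from IEEE 802.21.

class ISTrustTable:
    """Experience-based trust ratings an MN keeps for Information Servers."""

    def __init__(self, step=1, floor=-5, cap=5):
        self.step = step
        self.floor = floor   # lower clamp: bounds the penalty for past errors
        self.cap = cap       # upper clamp: limits credit an IS can bank up
        self.rating = {}

    def get(self, is_id):
        # An IS never seen before starts at the neutral rating 0.
        return self.rating.get(is_id, 0)

    def record(self, is_id, was_correct):
        """Update the rating after the MN has verified a piece of information."""
        delta = self.step if was_correct else -self.step
        new = self.get(is_id) + delta
        self.rating[is_id] = max(self.floor, min(self.cap, new))
        return self.rating[is_id]

    def most_trusted(self, is_ids):
        """Return the IS (sorted) that share the highest rating among is_ids."""
        ids = list(is_ids)
        if not ids:
            return []
        best = max(self.get(i) for i in ids)
        return sorted(i for i in ids if self.get(i) == best)

    def resolve(self, reports):
        """reports maps IS id -> claimed value. Return the value backed by the
        highest-rated IS, or None when those IS contradict each other."""
        top = self.most_trusted(reports)
        values = {reports[i] for i in top}
        return values.pop() if len(values) == 1 else None


def demo():
    # Constructed sample data: three IS report on the same candidate PoA.
    table = ISTrustTable()
    table.record("is-home", True)
    table.record("is-home", True)
    table.record("is-third-party", False)
    reports = {"is-home": "poa-7 reachable",
               "is-third-party": "poa-7 unreachable",
               "is-unknown": "poa-7 unreachable"}
    return table.resolve(reports)


if __name__ == "__main__":
    print(demo())
```

Returning None on a tie between contradictory top-rated IS keeps the MN from acting on information it cannot rank, which matches the requirement to use only trusted and verified information.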

Related works

• Mobility Services Transport: Problem Statement (draft-ietf-mipshop-mis-ps-04) considers
  • End-to-end signalling and transport over IP
  • End-to-end signalling and partial transport over IP
  • End-to-end Network-to-Network signalling

• Transport of Media Independent Handover Messages Over IP (draft-rahman-mipshop-mih-transport-03.txt)
  • Proposes use of IPSec for transport and IKE

• Design Considerations for the Common MIH Protocol Functions (draft-hepworth-mipshop-mih-design-considerations-01)
  • Necessity of authentication, authorization and credential management.