eap Mailing List: Re: network discovery & selection: problem definition

[Jari Arkko (jari.arkko]

Michael Richardson wrote:

> An additional area, maybe out of scope:
>     how do I know that these intermediaries are legitimate, vs MITM?

I suppose they still have to be legitimate AAA proxies.
That is, an access network should not send your request to
an unknown intermediary. If it has a business relationship
with three intermediaries int1.com, int2.com, and int3.com,
it will route your request through one of them, even if you
tried to request routing through mitm.org.

Its good that you brought this up! This is a requirement.
And if we don't write it down, an implementation might
actually forget to check this.

An additional issue is that even if the intermediaries
are legitimate, they could be switched. For instance,
an access network could advertise that it has a deal
with elcheapointermediary.net, and then switch the user's
selection to pricey.com instead. To make this relevant,
the pricing would have to be based on the intermediary.
Furthermore, even if were to secure the selection, we
would be unable to guarantee that the QoS or other
properties claimed by the network were indeed provided.
This leads me to think that at the moment, the advertisements
and selections cannot be more than hints, and everyone should
be made aware of that. Typically, non-protocol means
are used to detect problems like that. [Solution space:
Independent of the network selection issue, some of
us have talked about ways to authenticate claims made
by access points and service selections picked by the
client. It looks like we could do it as a backwards
compatible extension of popular EAP methods such as
EAP-TLS or EAP-SIM. I would rather design a general
feature for such protection rather than somethign
specific for network selection.]

--Jari