Updated version of EAP-based network discovery draft
From: Adrangi, Farid (farid.adrangiintel.com)
Date: Thu, 10 Jun 2004 16:26:15 -0400 (EDT)
Hi Bernard & Jari

Thanks again for your review and comments.  I have made an intermediary
update of the draft based on your comments / feedback - the draft can be
found in
http://mng.ctgisp.com/IETF/EAP/Network%20Selection/draft-adrangi-eap-network-discovery-011.txt.
 

On issues (pointed out by Bernard) with the "security considerations"
section, I made some clarification changes:

- Made some clarifications on the information type and what is meant by
a "hint"
- Removed the SSID analogy 
- The "implementation considerations" section contains text describing
under what conditions an implementation should specify a mediating network
for the AAA routing


As to attack scenarios, we can look at it from both network
advertisement and selection perspectives.

- On network advertisement, I can think of two scenarios

1) client associates with a bogus SSID, starts EAP, and receives some
bogus network information.  In this case, associating with the bogus
SSID is the problem - whatever happens after that obviously is going to
be questionable. 

2) Associating with a valid/legitimate SSID.  In this case, the access
network may advertise only a subset of the mediating networks that it
has roaming agreements with - based on its own preference.  I don't think
this is a security issue - is it?

- On network selection, the access network may route the AAA packets
differently from what is specified by the user through the decorated NAI
(described in 2486bis).   In this case, the home network may be able to
detect the problem depending on the EAP method.  This was mentioned in the
second paragraph in the "security considerations" section. 

Having said that, we can discuss further if we need more text under
"security considerations".

Please let me know if you have any questions.  Thanks again.

BR,
Farid




