RE: Issue 286: Security

From: Adrangi, Farid (farid.adrangi
Date: Sun, 13 Feb 2005 18:18:22 -0500 (EST)

My two cents inline.

Farid

> -----Original Message-----
> From: eap-admin [at] frascone.com [mailto:eap-admin [at] frascone.com]
> On Behalf Of Bernard Aboba
> Sent: Sunday, February 13, 2005 12:09 PM
> To: eap [at] frascone.com
> Subject: [eap] Issue 286: Security
>
> It seems that the crux of the issue here is the appropriateness of the
> network disclosure mechanisms.
>
> For example, as I understand it in 802.11u, there is a proposal whereby
> the STA would disclose the networks with which it has a relationship in
> the Probe Request, and the AP would respond with the subset of that list
> that it supports in the Probe Response.
>
> The discovery mechanism in this draft is somewhat different: the AAA
> proxy discloses its roaming relationships to the peer without the peer
> first indicating what networks it supports.
>
> The questions this issue raises are:
>
> 1. Is the disclosure negotiation described in this document appropriate?
> What are the security implications?
>

This is a valid question raised by Glen. And we are hoping we can use Glen's security expertise to understand the security implications that weren't already addressed in the draft.

> 2. Does the document need to be modified so as to have the peer indicate
> the networks it supports?

Interesting question. A few questions:

1) Would operators want to reveal all their roaming partners to any access network?
2) How does this work with manual selection (supported by Release 6 3GPP) where the client may not be pre-provisioned with roaming information?
3) Assuming that this is okay, why would there be a need for AAA or AP network advertisement?

For example, the peer (user [at] anyisp.com) can indicate its route preferences in EAP-Identity/Response as follows:

user [at] anyisp.com; anyisp.com!user [at] isp1; anyisp.com!user [at] isp2; anyisp.com!user [at] isp3

This means the AAA proxy should route the packet directly to anyisp.com first if possible, if not then it should try to route it through isp1, if not, it should try isp2, and so on.

> _______________________________________________
> eap mailing list
> eap [at] frascone.com
> http://mail.frascone.com/mailman/listinfo/eap
>
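
The route-preference list described in the message above, as an added example that is not part of the original message or of the draft under discussion: a proxy-side parser that treats the peer-supplied list as untrusted input and picks a next hop only from the proxy's own configured peers. The function names, the entry cap, the realm syntax check and the rule that all entries share one home realm and user are assumptions; the constructed sample string uses `@` where the archive shows `[at]`.

```python
import re

MAX_ROUTES = 8  # assumed cap: the identity arrives from an unauthenticated peer
REALM = r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253}[A-Za-z0-9])?"
# Entry forms from the message: "user@realm" or "homerealm!user@viarealm".
ROUTE = re.compile(rf"(?:(?P<home>{REALM})!)?(?P<user>[^\s@!;]+)@(?P<via>{REALM})")

# Constructed sample, following the list given in the message.
SAMPLE = ("user@anyisp.com; anyisp.com!user@isp1; "
          "anyisp.com!user@isp2; anyisp.com!user@isp3")


def parse_routes(identity):
    """Return the ordered (home, user, via) routes from the peer's identity."""
    entries = [e.strip() for e in identity.split(";") if e.strip()]
    if not entries or len(entries) > MAX_ROUTES:
        raise ValueError("route list empty or too long")
    routes = []
    for entry in entries:
        m = ROUTE.fullmatch(entry)
        if m is None:
            raise ValueError(f"malformed route entry: {entry!r}")
        via = m["via"].lower()
        # Undecorated entry: the next hop is the home realm itself.
        home = (m["home"] or via).lower()
        routes.append((home, m["user"], via))
    # Assumed policy: one identity string describes one user at one home realm.
    if len({(home, user) for home, user, _ in routes}) != 1:
        raise ValueError("entries disagree on user or home realm")
    return routes


def select_next_hop(identity, peers):
    """Pick the first preferred next hop that this proxy already peers with.

    `peers` is the proxy's own configured set of realms; the peer's list
    only orders choices inside that set and never extends it.
    """
    allowed = {p.lower() for p in peers}
    for home, _user, via in parse_routes(identity):
        if via in allowed:
            return via, home
    return None  # no acceptable route: reject instead of guessing


if __name__ == "__main__":
    print(select_next_hop(SAMPLE, {"isp2", "isp3"}))
```
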
- Issue 286: Security Bernard Aboba, February 13 2005
- Re: Issue 286: Security Jari Arkko, February 13 2005
- Re: Issue 286: Security Jari Arkko, February 14 2005
- RE: Issue 286: Security Adrangi, Farid, February 13 2005
- Re: Issue 286: Security Jari Arkko, February 14 2005
- RE: Issue 286: Security Bari, Farooq, February 13 2005
- RE: Issue 286: Security Bernard Aboba, February 13 2005
- Re: Issue 286: Security Jari Arkko, February 14 2005