Re: Issue 286: Security
From: Jari Arkko (jari.arkkopiuha.net)
Date: Mon, 14 Feb 2005 01:18:21 -0500 (EST)
Bernard Aboba wrote:
> It seems that the crux of the issue here is the appropriateness of the
> network disclosure mechanisms.
>
> For example, as I understand it in 802.11u, there is a proposal whereby
> the STA would disclose the networks with which it has a relationship in
> the Probe Request, and the AP would respond with the subset of that list
> that it supports in the Probe Response.
>
> The discovery mechanism in this draft is somewhat different:  the AAA
> proxy discloses its roaming relationships to the peer without the peer
> first indicating what networks it supports.
>
> The questions this issue raises are:
>
> 1. Is the disclosure negotiation described in this document appropriate?
>    What are the security implications?
>
> 2. Does the document need to be modified so as to have the peer indicate
>    the networks it supports?

There may be a difference with regard to the type of service being offered. In private networks (company X) we are likely to want some secrecy and limit login attempts from outsiders as a matter of principle.

In a commercial network (public network access from
operator Y), in principle, we would likely want just
as many customers as we can get.

Of course, the security of the underlying link layer
attachment procedures and the used authentication
methods affects the above a lot. In a world with
perfect protocols, none of this would matter, really,
because outsiders could not get in or even cause DoS.
But even in that world, corporate network managers
would probably want to limit things, just to be sure.

Does the draft explain enough about its area of
applicability? I suppose it is primarily intended
for public network access? Glen, would it help if
more text was added about this?

Privacy of the networks also comes into the question.
Some networks may wish to stay private. As far as I
know we don't have good support for network-side
privacy in our protocols. But it probably makes sense
for a network that wants privacy to NOT use its
own virtual SSID or announce its presence in Farid's
list of roaming networks. Does the draft talk about
this?

We also have different types of solutions. The
networks can announce what's available, either
in the form of different SSIDs or through the
roaming relationship advertisements suggested
here. Or the clients can announce what they have
and then the network can act based on that.
I'm not sure which one is better. Both have
issues: clients announcing what they have might
enable some attacks against the clients or
lose some of the privacy we have (oh, you're
a member of Cisco and Seattle city and IETF...
hmm... you must be...). And the network announcing
what it has may lead to disclosure of too much
information about the network. Finally, even
if we don't do anything it's probably easy to
probe at least some of this information anyway.
Say, it's quite likely that a random access point
offers roaming via Vodafone (just to pick the
name of a big operator) or corporate access to
the IBM network (just to pick a large company).

The best suggestion that I can come up with is
to document these issues in the draft and to
state the applicability limits of the proposed
mechanisms. Does anyone have other suggestions?
Glen, would this help resolve your issue?

--Jari
