eap Mailing List: Issue: Section 1 Problem Statement

[Bernard Aboba (bernard_aboba]

Issue: Section 1 Problem Statement
Submitter name: Bernard Aboba
Submitter email address: aboba [at] internaut.com
Date Submitted: May 23, 2007
Reference:
Document: NETSEL-07
Comment type: Editorial
Priority: S
Section: 1
Rationale/Explanation of issue:

 

In reading over Section 1, it is not clear to me that the essence of the problem has been clearly stated.

 

I believe that the central issue here is that a user can encounter networks for which there is no preconfiguration.

 

Also, I think there is an assumption that the networks that a user can encounter may restrict access to the Internet in some way so that all Internet services may not be accessible.

 

I believe that these assumptions need to be more clearly spelled out.  Find enclosed below a rewrite of Section 1 that hopefully makes these assumptions more clear.

 

"1.  Introduction

 

   Today, network access clients are typically preconfigured
   with a list of access networks, and corresponding identities
   and credentials.  However, as network access mechanisms
   and operators have proliferated, it has become increasingly
   likely that users will encounter networks for which no
   preconfigured settings are available, yet which offer
   desired services and the ability to successfully authenticate 
   with the user's home AAA server.  In such a situation, 
   users can have difficulty in determining which network to
   connect to, and how to authenticate to that network.

 

   The problem arises when any of the following conditions are true:

 

   o  More than one network attachment point is available, and the
      attachment points differ in their roaming arrangements or 
      access to services, or belong to operators which the
      network access client is not preconfigured for.
      In this case, a user may have difficulty determining
      what services are available at each network attachment point, and
      which attachment points it can successfully authenticate to. 
      For example, the user may not have pre-configured an identity
      and associated credentials for use with a network,  yet it is
      possible that the user's home AAA server is reachable from
      that network, enabling the user to successfully authenticate.  
      While the local network's capabilities may be advertised, 
      where access to the Internet is restricted, it can
      be difficult for the user to determine apriori what services
      will be available upon connection.

 

   o  The user has multiple sets of credentials.  Where no
      preconfiguration exists, it is possible that the user will
      not be able to determine which credentials to use with which
      attachment point, or even whether any credentials it possesses
      will allow it to authenticate successfully.  An
      identity and associated credentials can be usable for authentication
      with multiple networks, and not all of these networks will be
      preconfigured.  For example, the user could have one set of 
      credentials from  a public service provider and  another set 
      from an employer, and a network might enable authentication
      with one or more of these credentials.  Yet, without
      preconfiguration, multiple unsuccessful authentication attempts 
      could be needed for each attachment point in order to determine
      what credentials are usable, wasting valuable time and 
      resulting in user frustration.   In order to choose between multiple 
      attachment points, it can be helpful to provide additional 
      information to enable the correct credentials to be determined.

 

   o  There are multiple potential roaming paths between the visited
      realm and the user's home realm, and service parameters or pricing
      differs between them.  In this situation, there could be multiple
      ways for the user to successfully authenticate using the same 
      identity and credentials, yet the cost of each approach might
      differ. In this case, the access network may not be
      able to determine the roaming path that best matches the user's
      preferences.  This can lead to the user being charged more than
      necessary, or not obtaining the desired services.  For example,
      the visited access realm could have both a direct relationship
      with the home realm and an indirect relationship through a roaming
      consortium.  Current Authentication, Authorization and Accounting
      (AAA) protocols may not be able to route the access request to the
      home AAA sever purely based on the realm within the Network Access
      Identifier (NAI) [RFC4282].  In addition, payload packets can be
      routed or tunneled differently, based on the roaming relationship
      path.  This may have an impact on the available services or their
      pricing.

 

   In Section 2 the network discovery and selection problem is defined
   and divided into subproblems.  Some solution constraints are outlined
   in Section 3.  Section 4 provides conclusions and suggestions for
   future work.  Appendix A discusses existing solutions to portions of
   the problem."