From: Bernard Aboba [mailto:bernard_aboba [at] hotmail.com]
Sent: Thursday, May 24, 2007 8:34 AM
To: Bari, Farooq; eap [at] frascone.com
Subject: RE: [eap] Issue: Section 1 Problem Statement

Oops, forgot about the QoS issue. Here is another stab at it:
"1. Introduction

   Today, network access clients are typically preconfigured with a
   list of access networks, and corresponding identities and
   credentials. However, as network access mechanisms and operators
   have proliferated, it has become increasingly likely that users will
   encounter networks for which no preconfigured settings are
   available, yet which offer desired services and the ability to
   successfully authenticate with the user's home realm. It is also
   possible that preconfigured settings will not be adequate in some
   situations. In such a situation, users can have difficulty in
   determining which network to connect to, and how to authenticate to
   that network.

   The problem arises when any of the following conditions are true:

   o  Within a single network, more than one network attachment point
      is available, and the attachment points differ in their roaming
      arrangements, or access to services. While the link layer
      capabilities of a point of attachment may be advertised, higher
      layer capabilities such as roaming arrangements, end-to-end
      quality of service or Internet access restrictions may not be.
      As a result, a user may have difficulty determining what
      services are available at each network attachment point, and
      which attachment points it can successfully authenticate to.
      For example, it is possible that a roaming agreement will only
      enable a user to authenticate to the home realm from some points
      of attachment, but not others. Similarly, it is possible that
      access to the Internet may be restricted at some points of
      attachment, but not others, or that end-to-end quality of
      service may not be available in all locations. In these
      situations, the network access client cannot assume that all
      points of attachment within a network offer identical
      capabilities.

   o  Multiple networks are available for which the user has no
      corresponding preconfiguration. The user may not have
      preconfigured an identity and associated credentials for use
      with a network, yet it is possible that the user's home realm is
      reachable from that network, enabling the user to successfully
      authenticate. However, unless the roaming arrangements are
      advertised, the network access client cannot determine a priori
      whether successful authentication is likely. In this situation,
      it is possible that the user will need to try multiple networks
      in order to find one to which it can successfully authenticate,
      or it is possible that the user will not be able to obtain
      access at all, even though successful authentication is
      feasible.

   o  The user has multiple sets of credentials. Where no
      preconfiguration exists, it is possible that the user will not
      be able to determine which credentials to use with which
      attachment point, or even whether any credentials it possesses
      will allow it to authenticate successfully. An identity and
      associated credentials can be usable for authentication with
      multiple networks, and not all of these networks will be
      preconfigured. For example, the user could have one set of
      credentials from a public service provider and another set from
      an employer, and a network might enable authentication with one
      or more of these credentials. Yet, without preconfiguration,
      multiple unsuccessful authentication attempts could be needed
      for each attachment point in order to determine what credentials
      are usable, wasting valuable time and resulting in user
      frustration. In order to choose between multiple attachment
      points, it can be helpful to provide additional information to
      enable the correct credentials to be determined.

   o  There are multiple potential roaming paths between the visited
      realm and the user's home realm, and service parameters or
      pricing differs between them. In this situation, there could be
      multiple ways for the user to successfully authenticate using
      the same identity and credentials, yet the cost of each approach
      might differ. In this case, the access network may not be able
      to determine the roaming path that best matches the user's
      preferences. This can lead to the user being charged more than
      necessary, or not obtaining the desired services. For example,
      the visited access realm could have both a direct relationship
      with the home realm and an indirect relationship through a
      roaming consortium. Current Authentication, Authorization and
      Accounting (AAA) protocols may not be able to route the access
      request to the home AAA server purely based on the realm within
      the Network Access Identifier (NAI) [RFC4282]. In addition,
      payload packets can be routed or tunneled differently, based on
      the roaming relationship path. This may have an impact on the
      available services or their pricing.

   In Section 2 the network discovery and selection problem is defined
   and divided into subproblems. Some solution constraints are
   outlined in Section 3. Section 4 provides conclusions and
   suggestions for future work. Appendix A discusses existing
   solutions to portions of the problem."
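The last bullet of the proposed text says that a AAA proxy may be unable to pick the roaming path purely from the realm in the NAI. The Python sketch below is an added illustration of that point; it is not part of Bernard Aboba's message or of the draft text. The routing table, realm names and per-path tariffs are constructed for the example. NAI splitting at the last '@' and the rewrite of a source-routed ("decorated") NAI such as home.example!user@consortium.example into user@home.example follow RFC 4282 (section 2.7); peeling one decoration per hop when several are present is an assumed generalisation, not text from the RFC.

```python
"""Added illustration: routing an access request by the realm of the
Network Access Identifier (NAI), and why the realm alone can leave the
roaming path ambiguous.  Realm names, paths and prices are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    label: str          # "direct" or "consortium"
    next_hop: str       # AAA server the visited proxy forwards to
    cost_per_mb: float  # constructed tariff; differs per roaming path


class AmbiguousRoute(Exception):
    """The realm matches more than one roaming path."""


# Constructed routing table of a visited-realm AAA proxy: realm -> paths.
# home.example is reachable both directly and through a roaming consortium.
TABLE: dict[str, list[Path]] = {
    "home.example": [
        Path("direct", "aaa.home.example", 0.10),
        Path("consortium", "proxy.consortium.example", 0.25),
    ],
    "consortium.example": [
        Path("consortium", "proxy.consortium.example", 0.25),
    ],
}


def parse_nai(nai: str) -> tuple[str, str]:
    """Split an NAI into (username, realm) per RFC 4282: the realm is what
    follows the last '@'; a bare username has no realm.  Realm labels are
    compared case-insensitively, so the realm is lower-cased here."""
    if "@" not in nai:
        return nai, ""
    user, _, realm = nai.rpartition("@")
    if not user or not realm:
        raise ValueError(f"malformed NAI: {nai!r}")
    return user, realm.lower()


def undecorate(nai: str) -> str:
    """Rewrite a source-routed ('decorated') NAI the way RFC 4282 section
    2.7 describes for the realm that receives it:
    'home.example!user@consortium.example' -> 'user@home.example'.
    Peeling one decoration per hop ('a!b!user@c' -> 'b!user@a') is an
    assumed generalisation for this example, not text from the RFC."""
    user, _realm = parse_nai(nai)
    if "!" not in user:
        return nai                      # not decorated: forward as-is
    target, _, rest = user.partition("!")
    return f"{rest}@{target}"


def candidate_paths(realm: str, table: dict[str, list[Path]]) -> list[Path]:
    """All paths the proxy knows for a realm, by longest-suffix match so a
    sub-realm such as 'eng.home.example' uses the 'home.example' entry."""
    labels = realm.lower().split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return table[key]
    return []


def select_path(nai: str, table: dict[str, list[Path]] = TABLE) -> Path:
    """Choose the next hop purely from the realm in the NAI, as a proxy
    without any user preference must.  A plain 'user@home.example' matches
    both paths, so the proxy cannot know which one the user wants; the
    decorated form names the first-hop realm and is unambiguous."""
    _user, realm = parse_nai(nai)
    paths = candidate_paths(realm, table)
    if not paths:
        raise LookupError(f"no roaming path for realm {realm!r}")
    if len(paths) > 1:
        raise AmbiguousRoute(
            f"realm {realm!r} is reachable via {[p.label for p in paths]}")
    return paths[0]


if __name__ == "__main__":
    # The realm alone: two paths with different tariffs, no way to choose.
    try:
        select_path("user@home.example")
    except AmbiguousRoute as exc:
        print("plain NAI:", exc)
    # A decorated NAI pins the first hop; the consortium proxy then
    # rewrites it to the plain form before forwarding to the home realm.
    nai = "home.example!user@consortium.example"
    print("decorated NAI routed via", select_path(nai).next_hop)
    print("forwarded as", undecorate(nai))
```

Run stand-alone, the plain NAI raises AmbiguousRoute because the visited proxy holds two entries for home.example, while the decorated NAI resolves to the consortium proxy, which strips the decoration before forwarding. The decoration only pins the first hop: it does not let the user express a tariff or service preference, which is the gap the draft text describes.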