GEOPRIV Layer 7 Location Configuration Protocol; Problem Statement and Requirements
draft-tschofenig-geopriv-l7-lcp-ps-00.txt
Hannes Tschofenig, Henning Schulzrinne
IETF 66, Montreal, June 2006
Design Team
• Henning Schulzrinne
• Barbara Stark
• Marc Linsner
• James Winterbottom
• Martin Thomson
• Rohan Mahy
• Brian Rosen
• Jon Peterson
• Hannes Tschofenig
Idea
• Obtain from the access network:
– location information (by value and by
reference)
– subscription URI
• Do this independently of the underlying
link layer and network topology.
Scenario: DSL Environment
[Figure: DSL environment. Labels in the diagram: Access Network Provider, Node, LIS, NTE, Access Network Provider demarc, Customer Premises Networks, Device with NAPT and DHCP server, End Host.]
Scenarios (cont.)
• WiMax-like Fixed Access
– Feeding/Fixed Wireless Access Scenario
• Wireless Access
Location Information Server (LIS) Discovery
• DNS
• Multicast
• Packet interception/Redirection
• Security aspects related to discovery
procedure.
Identifier for Location Determination
• Properties:
– Known by the End Host
– Possibility for Location Determination
– Security Properties
• A number of identifiers being discussed.
• IP address seems to be the only
reasonable identifier ...
Location-by-Reference and Location Subscriptions
• Location-by-Reference:
– Avoid sending the location itself.
• Location Subscription:
– Enable node to use SIP mechanisms to
subscribe for location of someone.
Authenticated Calls and Signed Location Information
• Mechanisms to limit DoS attacks
• What do you sign?
– PIDF-LO or civic/geo-info
– What identity do you sign?
Requirements (1/5)
• L7-1: In a DSL environment the location is that
of the NTE/NAPT, e.g., the DSL or cable
modem. Any device behind a NAT box or other
in-home device is reported as being at the
location of the NTE/NAPT.
• L7-2: The system should work even if end
systems move, either with or without change of
network attachment point or network address.
Requirements (2/5)
• L7-3: There is no business or trust
relationship between the provider of
application-layer (e.g., SIP, XMPP, H.323)
services and the network operating the
LIS.
• L7-4: There is generally a trust relationship
between the LIS and the L2/L3 provider.
Requirements (3/5)
• L7-5: Residential NAT devices and NTEs in a
DSL environment cannot be modified to support
additional protocols, to pass additional
information through DHCP, etc.
• L7-6: If the L2 and L3 provider for the same host
are different entities, they cooperate and can
establish trust relationships for the purposes
needed to determine end system locations.
Requirements (4/5)
• L7-7: Networks do not always require network
access authentication (example: many open
community wireless networks). The solution
must not assume prior network access
authentication.
• L7-8: End systems may not know the precise
properties of their residential NAT and the
network topology of the access network, but can
determine their IP address(es) via other
mechanisms.
Requirements (5/5)
• L7-9: Multiple devices, located in different
physical locations, may share the same L2/L3
credentials ("account", "user name/password")
with the L2/L3 provider and LIS.
• L7-10: At least one end of a VPN is aware of the
VPN. In an enterprise scenario, the enterprise
side will provide the LIS used by the client and
can thereby detect whether the LIS request was
initiated through a VPN tunnel.
Security Framework
• Threat model: Whom do we trust when it
comes to obtaining location information?
• Different types of adversaries need to be
considered:
– off-path
– on-path
– active
– passive
Security Requirements
We want to prevent the following:
• An end system can pretend to be in an arbitrary
location.
• An end system can pretend to be in a location it was
at a while ago.
• An attacker can observe Alice's location and use it
to generate its own location information.
• An attacker can observe Alice's location.
• An attacker can observe both Alice's location and
her L7 identifier.
• Alice and Bob, located at different locations, can
collude and swap location objects and pretend to be
in each other's location.
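Added example (not from the slides or the draft): one way a recipient could check a LIS-signed location object against the forging, replay, reuse and swap items above. It assumes the LIS binds the location to the requester's L7 identifier and an issue time; the field names, the SIP URIs, the 300-second window and the HMAC standing in for a real signature are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the LIS signature; a real
# deployment would use an asymmetric signature so verifiers cannot mint objects.
LIS_KEY = b"constructed-demo-key"
MAX_AGE_S = 300  # assumed freshness window, not a value from the draft


def _mac(body: dict) -> str:
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LIS_KEY, msg, hashlib.sha256).hexdigest()


def lis_issue(identity: str, location: str, now: int) -> dict:
    """LIS side: bind the location to the requesting identity and issue time."""
    body = {"id": identity, "loc": location, "iat": now}
    return {**body, "sig": _mac(body)}


def verify(obj: dict, presenter: str, now: int) -> str:
    """Recipient side: return 'ok' or the reason the object is rejected."""
    fields = [obj.get(k) for k in ("id", "loc", "sig")] if isinstance(obj, dict) else [None]
    if not all(isinstance(f, str) for f in fields) or not isinstance(obj.get("iat"), int):
        return "malformed"
    body = {k: obj[k] for k in ("id", "loc", "iat")}
    if not hmac.compare_digest(_mac(body).encode(), obj["sig"].encode()):
        return "bad-signature"      # arbitrary or altered location
    if not 0 <= now - body["iat"] <= MAX_AGE_S:
        return "stale"              # location the end system was at a while ago
    if body["id"] != presenter:
        return "identity-mismatch"  # observed-and-reused or swapped object
    return "ok"


def demo() -> dict:
    t0 = 1_150_000_000  # constructed timestamp
    alice = lis_issue("sip:alice@example.com", "civic: Montreal, QC", t0)
    bob = lis_issue("sip:bob@example.com", "civic: Vienna", t0)
    forged = {**alice, "loc": "civic: Paris"}  # location changed after signing
    return {
        "valid": verify(alice, "sip:alice@example.com", t0 + 10),
        "forged": verify(forged, "sip:alice@example.com", t0 + 10),
        "replayed": verify(alice, "sip:alice@example.com", t0 + 3600),
        "stolen": verify(alice, "sip:mallory@example.com", t0 + 10),
        "swapped": verify(bob, "sip:alice@example.com", t0 + 10),
    }
```

The identity check only helps if the recipient authenticates the presenter separately. The two observation items in the list are confidentiality problems and are not addressed by signing.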
Questions? Comments?