Thread: Issue 376: Proposed Resolution (Section 1)

Issue 376: Proposed Resolution (Section 1)
United States | 2007-02-25 17:41:43
In the next few messages, I will propose specific changes to address Issue 376. This message will concentrate on changes to the abstract and Section 1. Other messages will deal with other sections of the document.

Abstract

   The so called network discovery and selection problem affects network access, particularly in the presence of multiple available wireless accesses and roaming. This problem has been the subject of discussions in various standards bodies. This document summarizes the discussion held about this problem in the Extensible Authentication Protocol (EAP) working group at the IETF. The problem is defined and divided into subproblems, and some constraints for possible solutions are outlined. The document also provides a discussion of the limitations of certain classes of solution, including some that have been previously defined.

Suggest changing to:

   When multiple access networks are available, roaming users may have difficulty in selecting which network to connect to, and how to authenticate with that network. This document defines the network discovery and selection problem, dividing it into multiple sub-problems. Some constraints on potential solutions are outlined, and the limitations of several solutions (including existing ones) are discussed.

1. Introduction

   The network discovery and selection problem affects network access and wireless access networks in particular. Aspects of the problem will appear when any of the following conditions are true:

[BA] Suggest changing to:

   When multiple access networks are available, roaming users may have difficulty in selecting which network to connect to, and how to authenticate with that network. The problem arises when any of the following conditions are true:

[BA] The next few paragraphs state conditions under which the problem can occur, but don't clearly state what bad things will happen in each circumstance:

   o There is more than one available network attachment point, and the different attachment points may have different characteristics or belong to different operators. In the case of virtual operators, access network infrastructure including e.g. the access points can be shared by multiple operators. In order to choose between the network attachment points, it may be helpful to determine which realms are supported and the capabilities access network supporting those realms. Otherwise, the mobile station might frequently roam into networks that are not able to satisfy the roaming connectivity needs or provide services the mobile station (and the subscriber) are seeking for. This would of course lower the general quality of offered services.

   o The user has multiple sets of credentials. For instance, the user could have one set of credentials from a public service provider and set from the user's employer. In this case it may be helpful to provide additional information to enable the correct credential set to be determined. Otherwise, it could happen that for example a network access authentication repeatedly fails because of incorrectly selected and offered set of credentials.

   o There is more than one way to provide roaming between the visited realm used for access and user's home realm, and service parameters or pricing differs between them. For instance, the visited access realm could have both a direct relationship with the home realm and an indirect relationship through a roaming consortium. In some scenarios, current AAA protocols may not be able to route the requests to the home realm unaided, just based on the domain in the given Network Access Identifier (NAI) [RFC4282]. In addition, payload packets can get routed or tunneled differently, based on the roaming relationship path in use. This may have an impact on the available services or their pricing.

[BA] Suggest changing to:

   o More than one network attachment point is available, and the attachment points differ in capability or belong to different operators. In this case, a roaming user may have difficulty determining which attachment points offering the desired services it can successfully authenticate to. In order to choose between multiple attachment points, it can be helpful to determine which realms are supported and the capabilities that the networks support.

   o The user has multiple sets of credentials. In this case, the user may not be able to determine which credentials to use with which attachment point, or even whether any credentials it possesses will allow it to authenticate successfully. This can result in multiple unsuccessful authentication attempts for each attachment point, wasting valuable time and resulting in user frustration. For example, the user could have one set of credentials from a public service provider and a set from an employer. In order to choose between multiple attachment points, it can be helpful to provide additional information to enable the correct credentials to be determined.

   o There are multiple potential roaming paths between the visited realm and the user's home realm, and service parameters or pricing differs between them. In this case, the access network may not be able to determine the roaming path that best matches the user's preferences. This can lead to the user being charged more than necessary, or not obtaining the desired services. For example, the visited access realm could have both a direct relationship with the home realm and an indirect relationship through a roaming consortium. Current AAA protocols may not be able to route the access request to the home AAA server purely based on the realm within the Network Access Identifier (NAI) [RFC4282]. In addition, payload packets can be routed or tunneled differently, based on the roaming relationship path. This may have an impact on the available services or their pricing.

[BA] The next paragraph could be cleaned up a bit:

   In Section 2 the network discovery and selection problem is defined and divided into subproblems, and some design issues for possible solutions are outlined in Section 3. Section 4 gives the conclusions and some suggestions on how to proceed for the rest. Appendix A discusses existing mechanisms which help solve at least parts of the problem. The terms "network" and "realm" have sometimes been used interchangeably within the context of selection and discovery. It should be noted that a realm can be reachable from more than one access network types and selection of a realm may not imply certain network capabilities.

Suggest changing to:

   In Section 2 the network discovery and selection problem is defined and divided into subproblems, and some potential solution constraints are outlined in Section 3. Section 4 provides conclusions and suggestions for future work. Appendix A discusses existing solutions to portions of the problem.

[BA] The following sentences belong in the terminology section:

   The terms "network" and "realm" have sometimes been used interchangeably within the context of selection and discovery. It should be noted that a realm can be reachable from more than one access network types and selection of a realm may not imply certain network capabilities.
_________________________________________________________________
To unsubscribe or modify your subscription options, please visit:
http://lists.frascone.com/mailman/listinfo/eap
Archives: http://lists.frascone.com/pipermail/eap
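The three conditions discussed in the message above (several attachment points, several credential sets, several roaming paths with different pricing) can be turned into a concrete selection step that runs before any authentication attempt. The following is an added example written for this page, not code from the draft or from anyone on the thread. The attachment points, realms, credential labels and relative prices are all constructed, and the roaming table stands in for whatever knowledge of realms and roaming relationships a real node would obtain through network discovery.

```python
"""Choosing an attachment point and credential set before authenticating.

Added example; not text or code from the draft or from this thread. It models
the three conditions listed in the introduction: several attachment points
advertising different capabilities and operators, a user holding more than
one credential set, and more than one roaming path (direct or via a
consortium) between a visited realm and the user's home realm. Every realm,
hotspot name and price below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttachmentPoint:
    name: str
    operator_realm: str       # realm of the operator running this attachment point
    services: frozenset       # capabilities the attachment point advertises


@dataclass(frozen=True)
class Credential:
    label: str
    home_realm: str           # realm of the home AAA server for this credential


# Constructed roaming table: (visited realm, home realm) -> known paths as
# (path, relative price). The first entry models the draft's case of a direct
# relationship and an indirect one through a roaming consortium.
ROAMING_PATHS = {
    ("visited-a.example", "employer.example"): [("direct", 1.0),
                                                ("consortium.example", 1.5)],
    ("visited-a.example", "isp.example"): [("consortium.example", 2.0)],
    ("visited-b.example", "isp.example"): [("direct", 1.2)],
}


def reachable_paths(visited_realm, home_realm):
    """Known roaming paths from a visited realm to a home realm, cheapest first."""
    paths = ROAMING_PATHS.get((visited_realm, home_realm), [])
    return sorted(paths, key=lambda p: p[1])


def select_network(attachment_points, credentials, required_services):
    """Pick the (attachment point, credential, roaming path) to try first.

    Only combinations with a known roaming path and the required services are
    candidates, so the node does not cycle through every credential at every
    attachment point and rack up failed authentications. Ties are broken by
    price, then by name, so the result is deterministic. Returns None when no
    combination can work.
    """
    best = None
    for ap in attachment_points:
        if not required_services <= ap.services:
            continue
        for cred in credentials:
            for path, price in reachable_paths(ap.operator_realm, cred.home_realm):
                candidate = (price, ap.name, cred.label, path)
                if best is None or candidate < best:
                    best = candidate
    if best is None:
        return None
    price, ap_name, cred_label, path = best
    return {"attachment_point": ap_name, "credential": cred_label,
            "path": path, "price": price}


# Constructed sample input: what a node might see after network discovery.
SAMPLE_APS = [
    AttachmentPoint("hotspot-1", "visited-a.example", frozenset({"internet"})),
    AttachmentPoint("hotspot-2", "visited-b.example", frozenset({"internet", "voip"})),
    AttachmentPoint("hotspot-3", "unknown.example", frozenset({"internet", "voip"})),
]
SAMPLE_CREDS = [Credential("work", "employer.example"),
                Credential("home-isp", "isp.example")]


if __name__ == "__main__":
    for wanted in (frozenset({"internet"}), frozenset({"voip"}), frozenset({"vpn"})):
        print(sorted(wanted), "->", select_network(SAMPLE_APS, SAMPLE_CREDS, wanted))
```

The point of returning None for an unsatisfiable request is the failure mode the message describes: without realm and roaming information the node would have to try every credential at every attachment point, and each failed attempt costs time and leaks which identities the user holds to whichever network it tried.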

Re: Issue 376: Proposed Resolution (Section 1.1)
United States | 2007-02-26 08:15:08
   Decorated NAI

      A NAI specifying a source route. See RFC4282 [RFC4282] Section 2.7 for more information.

[BA] "RFC4282" -> "RFC 4282"

   Realm

      Realm portion of an NAI [RFC4282].

[BA] Change to "The realm portion of..."

   Network Selection

      This refers to selection of an operator/ISP in order to access the network. The process of network selection can occur either at the beginning of a new session or during a handoff in case the user is mobile. The selection is dependent upon for example the selection of realm for the operator, authentication credentials for the user/device and the roaming agreements. The realm Selection can in turn also depend upon Access Technology Selection and/or Bearer Selection.

[BA] I don't understand how network selection can occur at the beginning of a session -- doesn't it need to occur before the session begins? Also, I don't understand how network selection can occur during an L2 handoff. The "realm" of an operator doesn't make sense -- isn't a realm a characteristic of the home AAA server? Suggest rewriting to:

      Selection of an operator/ISP for network access. Network Selection occurs prior to network access authentication.

   Network Discovery

      This refers to a mechanisms that a node uses to discover available networks prior the realm selection takes place. The discovery process may be passive or active from a node point of view. Typically the discovery mechanism varies depending on the access technology. It is also possible that there are multiple discovery mechanisms within one access technology depending on the network deployment.

[BA] Suggest rewriting to:

      The mechanism used to discover available networks. The discovery mechanism may be passive or active, and depends on the access technology. In passive network discovery, the node listens for network announcements; in active network discovery the node solicits network announcements. It is possible for an access technology to utilize both passive and active network discovery mechanisms.

   Realm Selection

      This refers to selection of the realm of the operator/ISP used to access the network.

[BA] This doesn't make sense to me -- the realm is a characteristic of the home AAA server. Suggest rewriting to:

      The selection of the realm (and corresponding NAI) used to access the network.

   Network Access Server

      The Network Access Server (NAS) is the device that clients connect to in order to get access to the network. In PPTP terminology, this is referred to as the PPTP Access Concentrator (PAC), and in L2TP terminology, it is referred to as the L2TP Access Concentrator (LAC). In IEEE 802.11, it is referred to as an Access Point.

[BA] I would change to:

   Network Access Server

      The device that peers connect to in order to obtain access to the network. In PPTP terminology, this is referred to as the PPTP Access Concentrator (PAC), and in L2TP terminology, it is referred to as the L2TP Access Concentrator (LAC). In IEEE 802.11, it is referred to as an Access Point.

Re: Issue 376: Proposed Resolution (Section 2)
United States | 2007-02-26 08:26:46
Section 2

   This problem spans multiple protocol layers and has been the subject of discussions in IETF, 3GPP, and IEEE. This document summarizes the discussion held about this problem in the Extensible Authentication Protocol working group at IETF. There are a set of somewhat orthogonal problems being discussed under the rubric of "network discovery and selection".

[BA] Suggest changing to:

   The network discovery and selection problem can be broken down into multiple sub-problems. These include:

   o The problem of "discovery of points of attachment". This is the problem of discovering points of attachment available in the vicinity, and the capabilities associated with these points of attachment.

   o The problem of "Identifier selection". This is the problem of selecting which identity (and credentials) to use to authenticate in a given point of attachment to the network.

   o The problem of "AAA routing" which involves figuring out how to route the authentication conversation originating from the selected identity back to the home realm.

   o The problem of "Payload routing" which involves figuring how the payload packets are routed, where more advanced mechanisms than destination-based routing is needed. However, while being an interesting problem, this document does not attempt to do any analysis or suggestions on it.

[BA] Suggest changing to:

   o Discovery of points of attachment. This involves the discovery of points of attachment in the vicinity, as well as their capabilities.

   o Identifier selection. This involves selection of the NAI (and credentials) used to authenticate to the selected point of attachment.

   o AAA routing. This involves routing of the AAA conversation back to the home AAA server, based on the realm of the selected NAI.

   o Payload routing. This involves the routing of data packets, in the situation where mechanisms more advanced than destination-based routing are required. While this problem is interesting, it is not discussed further in this document.

   o The problem of "network capability discovery". This is the problem of discovering the capabilities of a particular destination network. For example, it may be important to know whether a given network supports enrollment, what the charges are, etc.

[BA] I'm not sure what "network capability discovery" means. Is this about discovering the capabilities of the access network, or of the home realm? On the assumption that this is about the home realm, I suggest that the text be changed to the following:

   o Realm capability discovery. This involves discovering the capabilities of a home AAA server, such as whether the home AAA server supports enrollment.
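The "Identifier selection" and "AAA routing" sub-problems above, together with the Decorated NAI and Realm definitions reviewed in the previous message, come down to what a AAA proxy does with the realm portion of the NAI it receives. The following is an added example written for this page, not code from the draft or from anyone on the thread. The single-hop rewrite follows RFC 4282 Section 2.7; how a chain of several '!'-separated realms is consumed one hop at a time is an assumption made for the example, as are the realm names and the routing table.

```python
"""Extracting the realm from an NAI and routing a AAA request on it.

Added example; not code from the draft or this thread. split_nai() takes the
realm portion of an NAI as in RFC 4282, and next_hop() shows how a AAA proxy
would act on it: serve it locally, forward it to the realm's AAA server, or
reject it. The decorated-NAI rewrite follows RFC 4282 Section 2.7 for the
single-hop case ("homerealm.example.net!user@otherrealm.example.net" is
rewritten by otherrealm.example.net to "user@homerealm.example.net"). How a
chain of several '!'-separated realms is peeled off one hop at a time is an
assumption made here, and the routing table is constructed.
"""


class NAIError(ValueError):
    """Raised for an NAI this example refuses to route."""


def split_nai(nai):
    """Return (username, realm); realm is None when the NAI carries no '@'."""
    if any(c.isspace() or ord(c) < 0x20 for c in nai):
        raise NAIError("whitespace or control character in NAI")
    if "@" not in nai:
        return nai, None
    username, _, realm = nai.rpartition("@")
    if not username or not realm:
        raise NAIError("empty username or realm")
    # Realm is lower-cased only for the table lookup in this example.
    return username, realm.lower()


def decoration(username):
    """Split a decorated username 'r2!r1!user' into (['r2', 'r1'], 'user')."""
    *route, user = username.split("!")
    if not user or any(not r for r in route):
        raise NAIError("empty component in decorated NAI")
    return route, user


def next_hop(nai, routing_table, local_realm):
    """Decide what a AAA proxy in local_realm does with an incoming NAI.

    Returns a dict with 'action' ('local', 'forward' or 'reject'), the realm
    the decision is based on and the NAI to send on. Realms absent from the
    routing table are rejected rather than guessed at, so a request for an
    unknown realm fails closed instead of wandering across proxies.
    """
    username, realm = split_nai(nai)
    if realm is None:
        # RFC 4282 allows omitting the realm when the NAS serves the home network.
        return {"action": "local", "realm": local_realm, "nai": nai}
    if realm != local_realm:
        # Plain routing: the realm after '@' picks the next AAA server.
        if realm in routing_table:
            return {"action": "forward", "realm": realm, "nai": nai,
                    "server": routing_table[realm]}
        return {"action": "reject", "realm": realm, "nai": nai}
    route, user = decoration(username)
    if not route:
        return {"action": "local", "realm": local_realm, "nai": nai}
    # Decorated NAI addressed to us: strip our hop and send it on to the next
    # realm in the source route (assumed order: the realm nearest the user part
    # is the next hop; the remaining prefix travels along unchanged).
    target = route[-1].lower()
    rewritten = "!".join(route[:-1] + [user]) + "@" + target
    if target not in routing_table:
        return {"action": "reject", "realm": target, "nai": rewritten}
    return {"action": "forward", "realm": target, "nai": rewritten,
            "server": routing_table[target]}


# Constructed routing table for the visited-realm proxy in the demo below.
ROUTING_TABLE = {
    "homerealm.example.net": "aaa.homerealm.example.net",
    "mediator.example.org": "aaa.mediator.example.org",
}


if __name__ == "__main__":
    for sample in ("user@otherrealm.example.net",
                   "homerealm.example.net!user@otherrealm.example.net",
                   "homerealm.example.net!mediator.example.org!user@otherrealm.example.net",
                   "user@nowhere.example"):
        print(sample, "->", next_hop(sample, ROUTING_TABLE, "otherrealm.example.net"))
```

Rejecting unknown realms is the conservative reading of the "AAA routing" sub-problem: the draft's own text notes that current AAA protocols may not be able to route a request purely on the realm, and a proxy that forwards on a guess (a default route or a consortium) exposes the user's identity and credentials exchange to a path neither the user nor the home realm chose.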

Re: Issue 376: Proposed Resolution (Section 1)
2007-02-26 16:51:43
Hi Bernard,

I would propose to replace the term "roaming user" with "user" in your proposed changes as this problem can exist even when the user is not roaming e.g. when multiple networks with different capabilities exist with user's home operator at a geographic location. Is that change acceptable?

BR,
Farooq Bari
farooq.bari att.com
+1 425 580 5526
> -----Original Message-----
> From: Bernard Aboba [mailto:bernard_aboba hotmail.com]
> Sent: Sunday, February 25, 2007 3:42 PM
> To: eap frascone.com
> Subject: [eap] Issue 376: Proposed Resolution (Section 1)