Internet DRAFT - draft-hepworth-mipshop-mih-design-considerations

draft-hepworth-mipshop-mih-design-considerations






MIPSHOP                                                      E. Hepworth
Internet-Draft                                                R. Hancock
Intended status: Informational                                      Roke
Expires: April 26, 2007                                  S. Sreemanthula
                                                   Nokia Research Center
                                                               S. Faccin
                                                       Intel Corporation
                                                        October 23, 2006


      Design Considerations for the Common MIH Protocol Functions
          draft-hepworth-mipshop-mih-design-considerations-01

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 26, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   The MIPSHOP working group is currently developing functionality to
   support media independent handover services, which are intended to
   aid IP handover mechanisms between heterogeneous wired and wireless
   access systems.  These handover services provide a mechanism by which



Hepworth, et al.         Expires April 26, 2007                 [Page 1]

Internet-Draft          MIH Design Considerations           October 2006


   information such as the presence of neighbouring links and networks,
   and their associated characteristics, can be delivered to mobile and
   other network nodes for the purposes of supporting better handover
   decisions.  A key component of the solution is the set of protocols
   that is used to deliver the various types of information to the
   appropriate destination node.  A separate problem statement draft
   outlines a structure for this set of protocols as a unified set of
   common functions, supporting a more diverse set of application
   specific protocols.  This draft outlines the key considerations that
   have to be considered when selecting or designing protocols for such
   common functionality.  This draft is offered for use as a mechanism
   to capture working group discussions on the design of the common
   protocol functions during their initial development, without imposing
   a particular solution on the discussion process.  It is not intended
   as a long term output.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Inter-layer Interactions . . . . . . . . . . . . . . . . . . .  4
   3.  Protocol Design Considerations . . . . . . . . . . . . . . . .  5
     3.1.  Initial Discovery and Routing  . . . . . . . . . . . . . .  5
     3.2.  Signalling Peer Changes  . . . . . . . . . . . . . . . . .  8
     3.3.  Message Transport  . . . . . . . . . . . . . . . . . . . .  9
     3.4.  State Management . . . . . . . . . . . . . . . . . . . . . 10
     3.5.  Mutiplexing and Extensibility  . . . . . . . . . . . . . . 12
     3.6.  Network Layer Interactions . . . . . . . . . . . . . . . . 12
     3.7.  Message Security . . . . . . . . . . . . . . . . . . . . . 13
     3.8.  Overload Management  . . . . . . . . . . . . . . . . . . . 14
     3.9.  Failure Handling . . . . . . . . . . . . . . . . . . . . . 15
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . . 15
   5.  Conclusions  . . . . . . . . . . . . . . . . . . . . . . . . . 16
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
   Appendix A.  Acknowledgements  . . . . . . . . . . . . . . . . . . 17
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18
   Intellectual Property and Copyright Statements . . . . . . . . . . 19














Hepworth, et al.         Expires April 26, 2007                 [Page 2]

Internet-Draft          MIH Design Considerations           October 2006


1.  Introduction

   The MIPSHOP working group is currently developing functionality to
   support media independent handover services, which are intended to
   aid IP handover mechanisms between heterogeneous access systems, both
   wired and wireless.  These handover services provide a mechanism by
   which information such as the presence of neighbouring links and
   networks, and their associated characteristics, can be delivered to
   mobile and other network nodes for the purposes of supporting better
   handover decisions.  An initial set of handover services, and the
   information that these services exchange between two peers, is under
   development within IEEE 802.21.  These services are referred to as
   the Media Independent Handover Services (MIH Services) and the
   initial set consists of the event, command and information services
   (ES, CS and IS); there are also System Management messages which
   configure the operation of the other MIH protocols themselves.  The
   transport security and related aspects associated with delivery of
   these messages across the network at the IP level (including over the
   air where direct layer 2 transport is not being used) will not be
   addressed by IEEE 802.21.  It is the expectation that this area will
   be addressed by the MIPSHOP working group.

   An architectural framework and set of common requirements is proposed
   in the problem statement draft [1], which includes a decomposition of
   the overall MIH problem into a common part and a set of MIH services
   that are layered over the top.  It is intended that the common part
   is suitable not only for the delivery of IEEE 802.21 MIH services
   (ES/CS/IS), but can also be applied to non-802.21 architectures and
   handover services.

   This draft outlines detailed design considerations for the common
   part delivery mechanism, with the goal of providing a basis for
   discussing different solutions and providing a means to ensure that
   important solution requirements are considered by subsequent
   proposals.  This draft is not intended as a comprehensive analysis of
   different solutions, but does include some discussion of solution
   characteristics and possible solution options as examples where
   appropriate.  It is assumed that the requirements on the common part
   imposed by the IEEE 802.21 MIH services are wholly captured in the
   problem statement draft [1].  This draft is offered for use as a
   mechanism to capture working group discussions on the design of the
   common protocol functions during their initial development, without
   imposing a particular solution on the discussion process.  It is not
   intended as a long term output.

   The structure of this document is as follows.  Section 2 introduces
   some general design goals for the common part, Section 3 describes a
   set of design considerations that should be taken into account when



Hepworth, et al.         Expires April 26, 2007                 [Page 3]

Internet-Draft          MIH Design Considerations           October 2006


   developing a solution, Section 4 provides security considerations,
   and Section 5 summarises the conclusions and open issues.


2.  Inter-layer Interactions

   The framework presented in [1] decomposes the MIH protocol problem
   into two parts; the Information and Information Exchange mechanism,
   and the functionality common to all MIH services.  This is
   subsequently referred to as common protocol functionality.  The
   intention of the separation is to allow all MIH services access to
   this functionality from a single protocol module without having to
   re-implement or re-integrate the same functionality individually for
   each MIH service.  The problem statement presents an outline of this
   decomposition; however, the precise details of the split of
   functionality and interaction between the layers need to be refined
   as the design of the common part proceeds.  Indeed, one important
   design consideration is that it should be possible to define these
   interactions precisely and in an easily implementable manner.  This
   section indicates some specific inter-layer interaction issues that
   need to be taken into account in this way.

   One of the key questions is how MIH service peer identity knowledge
   is split between the service and the common part.  In other words,
   does the MIH service have knowledge about the location of a peer (in
   terms of IP address), or does it simply pass a message to the common
   protocol functionality and expect it to be delivered.  If the MIH
   service manages the resolution of peer identities to IP addresses,
   issues such as NAT traversal can become more complicated (as
   discussed in Section 3.6).

   It is assumed that the peer entities supporting an MIH service hold
   some sort of service layer state information (such as link
   measurements or event subscriptions) that is being accessed or
   updated in some way.  So, a second issue is whether there is any
   relationship between the management of this state lifetime and the
   common protocol functionality.  This draft assumes that service layer
   state lifetime is transparent to the common protocol functionality,
   and operations such as soft state refresh are not explicitly visible
   at the lower level.  However, note that the common protocol
   functionality can be used to transmit refresh messages generated by
   an MIH service if such a refresh mechanism is required, but the
   generation and timing of these messages is the responsibility of the
   MIH service.

   In the overall problem description it can be seen that some
   signalling transactions involve a sequence of three or more nodes
   rather than a simple peer to peer communication.  There is therefore



Hepworth, et al.         Expires April 26, 2007                 [Page 4]

Internet-Draft          MIH Design Considerations           October 2006


   a question of whether the common protocol functionality should be
   explicitly aware of the complete chain of nodes involved in a
   transaction, or whether it should see only the directly adjacent
   peers.  In this draft, we assume the latter case; therefore, the
   concatenation of message exchanges along a sequence of nodes is
   something that has to be managed within the MIH service itself; it
   may even be an implementation issue for the MIH services, in the same
   way that chains of SIP signalling nodes can be built up out of back-
   to-back user agents.

   In the long term, in order to make the inter-layer separation
   precise, a service interface between the MIH service and the common
   protocol functionality should be defined.  This service interface
   would expose a set of functionality that can be used by the MIH
   service to discover and send messages to peer entities, and could
   allow the common protocol functionality to be configured to suit
   particular needs associated with an MIH service.


3.  Protocol Design Considerations

   There are a number of key considerations that should be considered
   when designing a solution to support MIH message delivery.  These are
   described in the following subsections.

3.1.  Initial Discovery and Routing

   When an MN joins a network, it must be able to discover various
   network nodes that support the MIH services that it wishes to use.
   The location of the MIH services in the network is not fixed.  Some
   may be supported locally by the access network, whilst others may be
   supported by a node deeper in the network, or a sequence of such
   nodes.  The sequence may reach back all the way to the user's home
   network.

   The process of discovering a suitable peer and establishing a route
   towards it has a number of aspects that need to be considered.  The
   first of these is how MIH services are identified.  For an MN
   interested in a particular MIH service, the identity of the service
   must be usable in some discovery and name resolution procedure that
   ultimately returns an IP address to the interested MN.  Therefore,
   the name space within which MIH services are identified has an
   interaction with the set of possible discovery mechanisms.  For
   example, use of a particular discovery procedure may require
   extensions to support a new namespace or new registrations within an
   existing one.  The selection of a suitable peer and its subsequent
   use may be based on a number of aspects including the capabilties of
   the MIH peer and the ability to setup a secure communications channel



Hepworth, et al.         Expires April 26, 2007                 [Page 5]

Internet-Draft          MIH Design Considerations           October 2006


   to that device.  Therefore, the discovery process has interactions
   with other transport layer functionality, which may need to be
   considered as part of the discovery procedure itself.

   In the simplest case, the selection of an appropriate peer can be
   left entirely to the network, based purely on the service identifier.
   Where the MIH service is entirely implemented in the local access
   network, this is probably sufficient.  In such a scenario, the MN
   could send a query to the network requesting support for a particular
   MIH service, and allow the network to select the most appropriate MIH
   peer.  Some options for this are discussed below.

   More sophisticated services may require interactions further into the
   network, for example involving the user's home operator; this would
   be an example of "proxy operation".  This may be influenced by
   configuration information provided by the MN, such as operator
   identity.  There are two basic approaches that can be considered:

   o  a simple method, especially from the MN perspective, is to treat
      this as a generalisation of the basic case where the discovery
      process is repeated recursively along the proxy chain.

   o  a more complex method is to require the MN to discover the
      complete set of nodes up to and including the signalling endpoint.
      This gives more control over the process to the MN at the cost of
      having to expose more details about inter-network relationships.

   A particular issue is the precision with which the initial discovery
   process takes place.  One possibility is that the initial discovery
   detects a candidate set of nodes supporting any MIH services;
   subsequently, messages within the MIH protocols themselves determine
   the detailed capabilities of each node, and decide which nodes to use
   for which specific purpose.  The alternative is that the initial
   discovery process incorporates these selection criteria directly,
   which allows a more targeted discovery of the initial candidate set,
   at the cost of requiring a richer definition of the set of possible
   service at the layer boundary between the MIH services and the common
   protocol functions.  The first approach is simplest and may be
   appropriate in limited scale networks (or where the equivalent
   functionality is being developed at Layer 2).  However, it can easily
   lead to scaling difficulties in larger scale networks, where, even
   though the final set of communicating nodes may be small, the size of
   the candidate set could be very large.  Therefore, the ability of the
   initial discovery criteria to include such additional criteria needs
   to be considered.  The openness in this question is reflected in the
   openness of the term 'MIH service'; in the 802.21 context for
   example, it could refer either to the complete set of 802.21 MIH
   services, or to a specific one, such as IS.  This issue affects



Hepworth, et al.         Expires April 26, 2007                 [Page 6]

Internet-Draft          MIH Design Considerations           October 2006


   primarily the discovery process; for the rest of this document, we
   continue to use the term MIH service, always bearing in mind this
   spectrum of possibilities for what it could refer to.

   The discovery and routing functionality could either be invoked
   directly by the MIH service, or could be integrated with the common
   protocol functionality.  In the former case, the MIH service would be
   responsible for carrying out the discovery exchange with the network,
   and would have to indicate the results of the discovery procedure to
   the common part to allow delivery of mesasges to the appropriate
   peer.  In the latter case, the MIH service would simply request the
   delivery of a message from the common protocol functionality, and
   leave the discovery and resolution procedures to the lower layers.
   Either approach is feasible, but the following issues should be
   considered when designing a solution:

   o  support for discovery before full IP connectivity.  In some cases,
      the MN may want to communicate with an MIH service before full IP
      connectivity is available.

   o  transparency of the network topology.  The internal structure of
      the network should be hidden from the MIH service, which allows
      arbitrary network deployments, and changes to those deployments
      without impacting the MIH service.

   o  localisation of information.  The information associated with
      supporting a particular MIH service should be located in as few
      places as possible to aid failure recovery, and reduce
      requirements on MNs to hold large amounts of state information.

   o  elimination of duplicates and reduction of round trips.  To reduce
      latency and network load, the required information should be
      discovered using as few signalling messages as possible both in
      the initial discovery case and post handoff where it is necessary
      to check that the signalling relationships are still valid.  For
      example, if a peer for a particular MIH service has already been
      discovered that can be used for an alternative MIH service as
      well, it would be preferable to avoid performing a duplicate
      discovery procedure when the information is already known.

   o  adaptation of the discovery mechanisms.  Some approaches to
      discovery may be particularly applicable to specific technologies
      or in particular administrative environments and therefore a
      single perfect solution may not be attainable.  However, it is
      important to localise the impact of this variability as much as
      possible.

   Given the above considerations, it seems likely that the most



Hepworth, et al.         Expires April 26, 2007                 [Page 7]

Internet-Draft          MIH Design Considerations           October 2006


   appropriate place to implement the discovery and routing
   functionality is as part of the common protocol functionality.  It is
   possible that the discovery process could be bootstrapped from other
   protocol state or protocol exchanges, but the suitability of these
   approaches and the architectural assumptions associated with their
   use needed to be assessed.  For example, DHCP [3][4] is a possible
   candidate, but would only be most suitable for link technoloiges
   where this is used as an address assignment method.  Another
   possibility is SLP [5], although this is not curently widely
   deployed; mDNS [2] falls into the same category.  DNS itself can also
   be used (for example, SRV records [6] support the discovery process
   for services associated with a particular DNS domain), however, it is
   difficult to use them to do service discovery in a way that
   automatically takes into account the current network point of
   attachment.  Router level advertisements are also an option, but the
   mechanism may be hard to extend to support advertisement of all MIH
   services, so this would be mainly to provide bootstrap to some other
   approach.

3.2.  Signalling Peer Changes

   As well as the initial discovery of the peers for signalling, it must
   also be considered how to handle the case where the correct
   signalling peer changes while the MN is attached to the network.
   Several scenarios can be considered:

   o  The MN point of attachment changes, and according to the local
      network architecture a new signalling peer is now the appropriate
      serving node for it.

   o  The signalling peer fails, and a backup must be used instead.

   o  The network infrastructure is reconfigured internally (changing
      the topology or set of available services at a given node), which
      means that a different peer or set of peers should be used.

   In so far as the common protocol functions take responsibility for
   the initial discovery process, they must also take care of the
   rediscovery and rerouting needed in these types of circumstances.
   (Conversely, if external discovery approaches are used, then it must
   be defined how these handing the peer change problem.)

   A very simple and robust approach is simply to repeat the initial
   discovery process periodically.  This always works after some time
   lag, but leads to an awkward tradeoff between efficiency (which is
   reduced if the repetition rate is high) and reactiveness (which
   requires a high refresh rate).  This problem can be mitigated if a
   long period is used but hints are allowed to trigger the process on



Hepworth, et al.         Expires April 26, 2007                 [Page 8]

Internet-Draft          MIH Design Considerations           October 2006


   particular events.  Indeed, the MIH services themselves can be used
   to deliver such triggers during periods of correct operation,
   requiring fallback to periodic discovery only to handle failure
   scenarios.

   Whatever approach is used here, it should be noted that there needs
   to be an interaction between the service layer and common protocol to
   convey not just the possibility that rediscovery is needed, but also
   to indicate that a peer change has taken place.

3.3.  Message Transport

   Message transport is responsible for the actual delivery of messages
   between peer entities, and should be configurable to suit the needs
   of the particular MIH service, for example, reliable versus expedited
   delivery.  Note that it is not assumed that a single instance of the
   common protocol functions has to be configured and used in exactly
   the same way by all the MIH services at any given node.  Different
   services might request different levels of transport support from a
   single instance; indeed, a service might request different transport
   characteristics for different transaction types.  The main transport
   considerations include:

   Congestion Avoidance:  some form of congestion control is required to
      guarantee that MIH service operation cannot damage the network.
      This is particularly critical for services that may transport
      large volumes of data (e.g. to prevent them issuing large numbers
      of parallel requests if messages are already being dropped because
      of congestion effects).  Congestion control could either be
      provided in a specialised way as part of a custom transport
      protocol directly over IP, or provided through the use of an
      existing protocol such as TCP or SCTP.  In the latter case,
      standard transport parameter estimation algorithms may need to be
      assessed in order to work out their suitability for different MIH
      services.  It is assumed that the various MIH services do not have
      specialised requirements for congestion handling.

   Reliability:  some MIH services require reliable delivery of their
      messages and this has to be achieved efficiently in an environment
      (i.e. mobile/wireless) where data transfer latency can be highly
      variable between different technology types and data loss may be
      high.  This reliability can either be implemented within the MIH
      services themselves or provided by the common transport.  While
      implementation within the MIH service is technically possible, it
      does not make best use of the sophistication that has been
      achieved in transport layer optimisation in recent years.  For
      example, a full implementation would need to consider
      functionality such as windowing, adaptive retransmission timeouts



Hepworth, et al.         Expires April 26, 2007                 [Page 9]

Internet-Draft          MIH Design Considerations           October 2006


      and loss detection mechanisms, which are non-trivial to design.
      In addition, relying on the service layer to handle all
      reliability issues opens the question of whether timer values
      should be based on message transfer latency or application
      processing latency, and these two can differ significantly.
      Allowing the option of a reliable transport service means that the
      additional recovery mechanisms within the service layer can be
      made very simple and robust because they do not need to be
      optimised for efficient recovery of message loss within the
      network.

   Fragmentation:  the transport protocol must be capable of performing
      fragmentation when the amount of data in a message to be sent is
      too big to fit into a single IP packet.  IP fragmentation could be
      used, but would require Path MTU discovery procedures to be
      supported, unless very conservative path MTU estimates could be
      assumed by default.  However, note that fragmentation at the IP
      layer amplifies packet loss rates because the loss of a single
      fragment destroys the entire packet, and also the entire packet
      has to be retransmitted.  Therefore, it is preferable to support
      the fragmentation requirements within a reliable transport.

   Re-ordering and Head of Line Blocking:  depending on the lower layer
      in use, messages may arrive out of order.  If the transport does
      not provide in order delivery, it will be the responsibility of
      the MIH services themselves to handle this problem.  In addition,
      head of line blocking may be an issue in cases where multiple MIH
      services are using a single connection between two peer entities.

   Duplicate Message Detection:  multiple copies of a message may arrive
      at a node.  Does the transport layer provide duplicate message
      detection, or is this left up to the MIH service?

3.4.  State Management

   The operation of the MIH services requires the existence of service
   layer state within the network, for example, registrations of
   interest for particular types of events or location information to
   configure the delivery of neighbourhood lists.  Various transaction
   models can be identified that allow different entities to initiate an
   MIH message exchange to set up such state.  The transaction sequences
   that are permitted to install and manipulate this state will most
   likely be MIH specific (it is unlikely that a single transaction
   model will be applicable to all MIH services), but even so there will
   be impacts on the common protocol functionality, for example,
   influencing the symmetry required in the message delivery mechanism.
   In addition, the dependency of one set of MIH transactions on another
   has to be considered, for example, can transactions be nested, or can



Hepworth, et al.         Expires April 26, 2007                [Page 10]

Internet-Draft          MIH Design Considerations           October 2006


   they overlap with each other.

   Example transaction sequences include:

   1.  MN initiated only; where exchanges can only be initiated by the
       MN, and the network only responds to explicit requests for
       information.

   2.  MN and NN intiated; where both the MN can request information,
       and the NN can deliver information asynchronously to the MN.

   The current MIH services that have been identified require MN and NN
   initiated exchanges as a minimum.

   The types of state information that are manipulated during an MIH
   exchange include:

   o  MIH Service Layer State: information related to the particular MIH
      service, that is accessed and maintained by that service.

   o  Peer State: including peer capabilities, and any negotiated
      parameters.

   o  Routing State: such as next hop information for routing to a peer
      entity.

   o  Security State: associated with a particular message exchange.

   o  Transport State: counters and timers associated with the delivery
      of individual message fragments (datagrams) and their
      retransmission and reassembly.

   The first type of state is MIH service specific, and should be
   transparent to the common protocol functionality.  The latter four
   types could be managed by either the MIH service or the common
   protocol functionality, although the second option seems preferable
   (as will be discussed in Section 3.1 and Section 3.7).  A fundamental
   question that has to be considered is how these different types of
   state information are related to each other.  For example, if a
   connection to a peer entity is lost, is the MIH service state now
   considered to be invalid?  Typically, it is preferable to avoid such
   hard dependencies between the state at different layers, since it
   reduces the freedom within the common protocol part to manage
   connections most efficiently.  In other words, the service layer
   state is assumed to be managed entirely within the service layer
   itself.





Hepworth, et al.         Expires April 26, 2007                [Page 11]

Internet-Draft          MIH Design Considerations           October 2006


3.5.  Mutiplexing and Extensibility

   Multiple MIH services have already been defined, and it is highly
   likely that different MIH services will be co-located within single
   nodes (this will definitely be true of the MN, and may be true for
   infrastructure nodes depending on the MIH deployment).  A
   consideration that needs to be addressed is how multiple MIH services
   are handled by the common protocol functionality.

   One option would be to hide the presence of multiple MIH services
   completely.  However, this would limit the ability of a node to talk
   to different MIH peers depending on which service is being used, if
   the discovery is handled as part of the common protocol
   functionality.  An alternative is to expose the multiple MIH services
   individually to the common protocol functionality, and allow it to
   multiplex MIH service messages at the transport level if appropriate
   (for example, if both messages are destined for the same peer entity
   and have the same transport requirements).

   In addition, the extensibility of the MIH services needs to be
   considered.  For example, if multiple versions of an MIH service are
   available, this may impact the common protocol functionality in terms
   of discovery of compatible MIH service implementations (see
   Section 3.1).

3.6.  Network Layer Interactions

   The MIH functionality interacts with the network layer in two
   distinct ways.

   Firstly, the signalling messages must be able to pass through the
   network between signalling peers even when the network infrastructure
   contains addressing boundaries and firewalls where policies on
   allowed traffic types are imposed.  Therefore, it is important to
   limit the protocols used to support the common functionality as far
   as possible to those that such middlebox devices can be configured to
   process and support.  For example, standard transport protocols such
   as TCP or UDP are relatively easy to deploy especially if
   transactions are initiated from the internal side of the middlebox
   whereas ICMP extensions are much more problematic.

   Secondly, if some parts of the MIH service payload contain addressing
   information, such as the current IP address associated with a device
   or addresses of other access routers, NAT traversal becomes much more
   difficult as the NAT may have to change these payloads.  It is
   preferable to standardise the location of such information across all
   the different MIH services so that NATs do not have to support
   different Application Layer Gateways for each and every MIH service



Hepworth, et al.         Expires April 26, 2007                [Page 12]

Internet-Draft          MIH Design Considerations           October 2006


   that has been or will be defined.  This suggests that addressing
   information should be carried at the lowest possible level in the MIH
   protocol stack.

3.7.  Message Security

   Message security is needed to protect the information exchanges
   between MIH service peers.  This section focuses on authentication
   and authorisation aspects associated with MIH service support; DoS
   and overload situations are considered in Section 3.8.

   It is highly desirable to reuse standard channel security protocols,
   but there are still several possible protocol choices.  There are a
   number of considerations:

   Authentication and Key Management:  authentication can either be
      performed unilaterally, where only one party confirms the identity
      of the other, or mutually, where both parties confirm each other's
      identity.  For some MIH services, it is important that mutual
      authentication is possible, since the information exchanged
      initiates complex processing in both peers.  Although this does
      not necessarilty imply that the MIH service must perform the
      authentication itself, it may still be important for the service
      to be aware of the authenticated identity of the peer it is
      communicating with.  Because standard channel security protocols
      necessarily include peer authentication to provide keying
      material, it is natural to think of the authentication
      functionality as being part of the common protocol functionality.

   Credential Reuse:  message security depends on the existence of
      credentials to identify the peers taking part in the signalling
      exchange; the credentials are used in the protocols to provide
      node authentication and keying material for message protection
      itself.  Different protocols can exploit different credential
      types and so it may be possible to select protocols in order to
      build on existing relationships in the network.

   Authorisation:  authorisation controls who is allowed to perform what
      actions on state information and message exchanges between MIH
      peers.  It may also be possible to build MIH trust models that
      reuse existing relationships in the network, for example, if an
      MIH service is provided locally by an access network to an MN, the
      fact that the information is being relayed by a trusted AP may
      indicate to the MN that the information is from a valid source.
      In cases where the MIH service is provided by an operator deeper
      in the network, roaming relationships could be re-used to support
      delivery of MIH information.  However, in this draft we assume
      that the authorisation problem is handled primarily within the MIH



Hepworth, et al.         Expires April 26, 2007                [Page 13]

Internet-Draft          MIH Design Considerations           October 2006


      services themselves.

   Privacy:  various identifiers will be used by the MIH service and the
      common protocol functionality to support authentication, peer
      discovery and message delivery.  These identifiers will relate in
      some cases to users and organisations whose privacy needs to be
      respected and whose identity should not be freely disclosed except
      to authorised parties.  Therefore, any security solution needs to
      consider how such identifier information is protected.

   The visibility that the MIH service has of the security functionality
   also needs to be thought about.  One extreme would be for the MIH
   service to be responsible for setting up the secure channel over
   which to communicate, but this may require the MIH service to have
   more knowledge about the underlying network topology than is
   otherwise necessary.  Alternatively, the common protocol
   functionality can include the security aspects, and the MIH service
   can request a secure channel from the lower layers when establishing
   a relationship with an MIH peer based on some MIH specific security
   policy.  This has the added advantage that different security
   protocols can more easily be integrated into the MIH protocol suite
   (once into the common part, as opposed to once for every MIH
   service).

3.8.  Overload Management

   Overload management handles situations where a node is flooded with
   messages.  These situations can occur both during normal use, or as a
   result of a flooding attack by a malicious user.  In either case, the
   common protocol functionality has a role to play in handling such
   situations needs to be considered, because these problems are closely
   associated with the message security and congestion control aspects.
   In particular, it is important that overload situations are
   considered for the design of the common protocol functionality as it
   is impossible to support reliability without overload management
   strategies in place.

   The overload issue is related to processing within a node when it
   starts to receive messages faster than it can process them, and what
   facilities are provided within the common protocol functionality and
   MIH service to handle these situations.  In addition, nodes should
   also detect that a peer is overloaded, and try and mitigate the
   situation somehow.  One solution is to provide some rate control
   either at the MIH service, in the common protocol functionality or
   both.  The common protocol functionality cannot entirely solve this
   problem because the adaptation to overload situations may be MIH
   service specific.  However, the overload situation can be detected
   and indicated to the MIH service.  It may be necessary to provide one



Hepworth, et al.         Expires April 26, 2007                [Page 14]

Internet-Draft          MIH Design Considerations           October 2006


   or more signalling channels to cope with different message priorities
   in this case.  Some elements of the common functionality must operate
   even in the absence of a congestion or flow-controlled transport
   connection, such as the initial discovery process.  Typically their
   design must incorporate some sort of robust overload management
   mechanism, such as exponential backoff.  If a standard discovery
   protocol (like DHCP) is being used, this behaviour is built in.

3.9.  Failure Handling

   Nodes may fail at any time, and some mechanism is needed to allow
   graceful recovery.  Failure situations include:

   o  inability to discover a peer - this is related to discovery and
      routing Section 3.1.

   o  the loss of a peer, which must be detected.

   o  local shutdown, and informing current peer nodes.

   As for overload management, the common protocol functionality cannot
   be solely responsible for addressing this issue since some failure
   conditions will affect only the MIH service and not the lower
   communications layers.  Also, the recovery procedure will be partly
   application specific.  However, other failure conditions can be
   detected more rapidly and efficiently at lower layers of the protocol
   stack; for example, rather than implementing a keepalive mechanism
   within each MIH service, a single mechanism at the lower level can be
   used to check the overall status of a given node.  Therefore, the MIH
   service must be partially responsible for detecting the loss of an
   MIH peer, but may use hints provided by the common protocol
   functionality to speed up the detection process.

   For local shutdown cases, it should be the responsibility of the MIH
   services to inform peer nodes of the situation.


4.  Security Considerations

   When developing a solution for supporting the exchange of MIH service
   information between two peer devices, there are a number of security
   issues that need to be taken into account.

   The discovery and information exchange may occur in situations where
   full IP connectivity is unavailable.  In this case, the secure
   transport cannot be provided end-to-end, but could potentially be
   provided between a proxy device and the peer MIH, for example,
   between an access router and appropriate server.  The trust model and



Hepworth, et al.         Expires April 26, 2007                [Page 15]

Internet-Draft          MIH Design Considerations           October 2006


   security implications of supporting this mode of operation needs to
   be investigated.  In the alternative scenario with end-to-end IP
   connectivity, the security issues are slightly simpler though
   securing the discovery remains an issue.  The co-existence of the
   security mechanisms for the full and partial IP connecivity will need
   to be considered.

   The effect of Denial of Service attacks also needs to be managed, for
   example, by reacting to overload situations (see Section 3.8).  State
   information is installed in nodes for both transport and MIH service
   purposes; the processing associated with installing or managing this
   state by nodes in the network should be kept to a minimum prior to
   secure channel setup.

   The identifier space that is used to support authentication, and how
   privacy is managed for these identities is also a key concern.  The
   use of these identifiers to support authorisation needs to be
   analysed, and these issues are discussed in more detail in section
   Section 3.7.  It is currently assumed that the common protocol
   functionality must provide message (channel) security for the MIH
   services to support message integrity/authentication.


5.  Conclusions

   This Internet Draft outlined a number of design considerations that
   need to be taken into account when developing the common
   functionality required by MIH services to exchange information
   between peers.  The main issue that needs to be considered is how to
   split reponsibility for various parts of the functionality between
   the MIH service and the common protocol part.

   There is good justification for supporting certain aspects of the
   required functionality in a common part that can be used by multiple
   MIH services.  This independence provides a way to hide the specifics
   of a particular network from the MIH service, prevents the same
   functionality being re-implemented multiple times, and supports
   easier integration of new or enhanced protocols into the overall MIH
   solution.

   However, it is also possible that different MIH services will
   ultimately have slightly different requirements from the underlying
   transport, depending both on the type of information managed by the
   MIH service, and the particular message that is being exchanged.
   Therefore, it is important that the transport mode used for
   particular message exchanges can be configured in some way by the MIH
   service to suit its requirements.




Hepworth, et al.         Expires April 26, 2007                [Page 16]

Internet-Draft          MIH Design Considerations           October 2006


   It should also be noted that the common protocol functionality cannot
   be wholly responsible for providing some aspects of the solution, for
   example, reliability and overload management requires support at both
   the lower layer, where information about network conditions is
   readily available, and at the MIH service itself, where specific
   information about the state managed by the service and the strategies
   to react to certain conditions is maintained.

   In terms of the protocols used by the common part, it is clear that a
   single protocol will not be sufficient to meet all identified
   requirements.  Therefore, it is likely that the common part will in
   fact be implemented as multiple protocols that are integrated below a
   simple service interface exposed to the MIH services above.


6.  References

   [1]  Hepworth, E., "Mobility Services: Problem Statement",
        draft-melia-mipshop-mobility-services-ps-00 (work in progress),
        September 2006.

   [2]  Cheshire, S. and M. Krochmal, "Multicast DNS",
        draft-cheshire-dnsext-multicastdns-06 (work in progress),
        August 2006.

   [3]  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
        March 1997.

   [4]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M.
        Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)",
        RFC 3315, July 2003.

   [5]  Guttman, E., Perkins, C., Veizades, J., and M. Day, "Service
        Location Protocol, Version 2", RFC 2608, June 1999.

   [6]  Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
        specifying the location of services (DNS SRV)", RFC 2782,
        February 2000.


Appendix A.  Acknowledgements

   Thanks to Andrew McDonald for his inputs.  This revised version of
   the draft followed comments from Subir Das, Junghoon Jee, Yoshihiro
   Ohba, Akbar Rahman, Behcet Sarikaya and Qiaobing Xie.

   Eleanor Hepworth and Robert Hancock are partly funded by Ambient
   Networks, a research project supported by the European Commission



Hepworth, et al.         Expires April 26, 2007                [Page 17]

Internet-Draft          MIH Design Considerations           October 2006


   under its Sixth Framework Program.  The views and conclusions
   contained herein are those of the authors and should not be
   interpreted as necessarily representing the official policies or
   endorsements, either expressed or implied, of the Ambient Networks
   project or the European Commission.


Authors' Addresses

   Eleanor Hepworth
   Roke Manor Research Ltd
   Roke Manor
   Romsey,   SO51 0ZN
   UK

   Email: eleanor.hepworth@roke.co.uk


   Robert Hancock
   Roke Manor Research Ltd
   Roke Manor
   Romsey,   SO51 0ZN
   UK

   Email: robert.hancock@roke.co.uk


   Srinivas Sreemanthula
   Nokia Research Center
   6000 Connection Dr.
   Irving,   TX 75028
   USA

   Email: srinivas.sreemanthula@nokia.com


   Stefano Faccin
   Intel Corporation
   Santa Clara, CA
   USA

   Email: stefano.m.faccin@intel.com









Hepworth, et al.         Expires April 26, 2007                [Page 18]

Internet-Draft          MIH Design Considerations           October 2006


Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).





Hepworth, et al.         Expires April 26, 2007                [Page 19]