Hi, Gabor, [email protected] wrote: > Hi Pete, > > Some comments inline: > > > -----Original Message----- >> From: [email protected] [mailto:[email protected]] On Behalf >> Of ext Peter McCann >> Sent: Wednesday, April 18, 2012 9:02 AM >> To: Rosen, Brian >> Cc: [email protected] >> Subject: Re: [paws] Database Discovery Question >> >> Hi, Brian, >> >> The problem is, the master device cannot be authoritative on whether >> the slave device is approved for use by the regulator. It must rely >> on the WSDB it uses (has a relationship with) to tell it. >> >> At the least, we need a format for device identifiers that can be >> understood by multiple independently operated databases. >> > <GB> yes, this should be part of the data model.
Agreed. >> Maybe the WSDB trusts the master device to collect this information >> securely from the slave devices using slave-to-master credentials. >> > <GB> yes, this is what at least the 802.11af draft amendment is > currently defining for the 802.11 air interface. The slave sends its > identifier to the master, then waits for the enablement signal. The > enablement signal comes after the master was able to successfully > validate the identifier of the slave with the DB. Is there any security or spoofing protection defined in 802.11af? >> Normally, the allocation authority for the identifier space would be a >> trust anchor for the identifier-to-device binding. I agree that the >> master-to-slave interface is out of scope, but there should be some >> mechanism in the marketplace for the master device operator to securely >> bind the identifier presented by the slave to the communication channel >> with the slave device, in the sense that the master device is able to >> know in a secure way that the device it is talking to actually does own >> the regulator-assigned device identifier. It seems natural for the >> master device to rely on its relationship with a database to help with >> this binding. >> > <GB> I see two things here: binding between the > communication channel and identity; and binding between the identity and > the hardware to which it was assigned. The binding between the > communication channel and the identity as presented by slave is there > inherently in the radio. I don't understand this last statement. Do you mean a cryptographically secure binding? What if I spoof my MAC address? > The task to verify that the identity indeed > belongs to the slave should not be the burden of the master device, > rather the DB (if seen necessary). In order for the DB to verify that > the presented identifier indeed belongs to that device, a client cert or > sg similar would be needed. That seems reasonable to me. The slave device has a client cert and somehow demonstrates knowledge of the private key that goes with the cert to the database. After this, the database can send "I approve" to the master device. Assuming that both communication channels (slave to master and master to database) have been authenticated and secured, the master can then tell the slave to go ahead. However, we now require the database be able to validate the credentials of any slave device that may be manufactured/owned by someone other than the manufacturer/owner of the master device. It would seem we need a nationally-scoped trust anchor to achieve this. > Afaik, regulators do not require for client > certs binding the identifier to the hardware. Therefore, the > verification of whether the identifier is the correct one or not seems > to be outside the scope of paws. The master should rely on the lower > layers and the DB for this verification. This statement really confuses me. To me, a binding of an identifier to hardware means that there is some tamper and copy-proof storage for a private key epoxied into the wireless hardware. This private key would be used to authenticate & distribute keying material for a secure channel between the slave and the master. That part is indeed out of scope of PAWS, but the master-to-database messages to validate the slave's credentials are not. -Pete > > - Gabor > > > > -Pete > > Rosen, Brian wrote: >> <As individual, and I should have said that on all of my messages on >> this thread> The credentialling system used between the database >> server and its client (the master) are those of its client. The >> database trusts its client. >> >> The client (the master) may need its customer, the slave, to present >> credentials for service. >> >> This means we assume transitive trust on the ID information from the >> client. The master validates the slave, the database validates the >> master. I would not advocate trying to make anything more complex. >> >> Brian >> >> On Apr 18, 2012, at 11:16 AM, Peter McCann wrote: >> >>> Right, the master queries the database on behalf of the slave, sending >>> the slave's Device ID and location. (See Don's message about >>> validating the FCC ID). My question is, what is the security model >>> for validating the slave's ID? Is there a secure credential >>> associated with the ID, or is it an insecure check of a number against >>> a whitelist? If the former, we will need a credential management >>> system that is able to cross between different databases. If the >>> latter, I wonder if it opens up security problems. >>> >>> -Pete >>> >>> Rosen, Brian wrote: >>>> Perhaps I am confused, but I think in a master/slave environment, the >>>> slave does not query the database, the master does. The slave gets >>>> its allowed spectrum data from the master. There is always the >>>> question of whether the master queries on its own behalf and the >>>> slaves just get assignments within that database response, or whether >>>> the master queries on behalf of the slaves. Might have to support >>>> both models. In many cases, I think it's the latter: the master >>>> queries using the slaves location and parameters. >>>> >>>> The most common master/slave setup is tower and clients, right? >>>> The tower has an Internet connection and can query the database. >>>> The clients of the tower are the slaves. Does the database query >>>> use the location and type data of the slave or the master? >>>> >>>> Brian >>>> >>>> On Apr 18, 2012, at 10:51 AM, Peter McCann wrote: >>>> >>>>> I think it would be a mistake to assume that the slave & master >>>>> devices both have pre-existing relationships with the same database. >>>>> In a commercial service, the slave devices would all come from >>>>> different manufacturers and would certainly have different owners. >>>>> Wouldn't we want them to interoperate with any master device, >>>>> assuming they are RF-compatible? >>>>> >>>>> -Pete >>>>> >>>>> Rosen, Brian wrote: >>>>>> Doesn't the slave get it's database access through the master? >>>>>> If that's true, the problem you are worried about doesn't exist. >>>>>> >>>>>> Brian >>>>>> >>>>>> On Apr 18, 2012, at 10:37 AM, Peter McCann wrote: >>>>>> >>>>>>> I agree with Brian that LoST could be a good model for discovering >>>>>>> the appropriate database for the region you're in. A nation may >>>>>>> decide to subdivide their territory into provinces or states, each >>>>>>> of which maintains its own database. >>>>>>> >>>>>>> I think it would be a mistake to assume that there is a single, >>>>>>> pre-defined relationship for one device with just one database. >>>>>>> In particular, I think there is a thorny issue that will arise >>>>>>> with management of secure credentials on whitespace devices, >>>>>>> illustrated by the first use case in Section 4.2.1 of >>>>>>> draft-ietf-paws-problem-stmt-usecases-rqmts-03. Step 9 of that >>>>>>> use case says: >>>>>>> >>>>>>> 9. Once the master/AP has met all regulatory domain >> requirements >>>>>>> (e.g. validating the Device ID with the trusted database, >>>>>>> etc) the master provides the list of channels locally >>>>>>> available to the slave/user device. >>>>>>> My question is, what if the master device has a relationship with >>>>>>> one database, but the slave device has a relationship with >>>>>>> another? How is the master's database supposed to validate the >>>>>>> credentials of the slave device, if we don't have some sort of >>>>>>> common trust anchor? Or will this "validation" be simply an >>>>>>> insecure check of an ID against a whitelist/blacklist? Who will >>>>>>> allocate Device IDs? Will they be specific to a particular >>>>>>> database operator, or do we need some common top-level allocation >>>>>>> format? >>>>>>> >>>>>>> -Pete >>>>>>> >>>>> >>>>> >>>>> >>> >>> >>> > > > > _______________________________________________ > paws mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/paws _______________________________________________ paws mailing list [email protected] https://www.ietf.org/mailman/listinfo/paws
