- The location is that of the "carrier termination point", e.g., the DSL or cable modem. Any devices behind a NAT box or other in-home device are reported as being at the location of the carrier termination point.
- The system should work even if end systems move, either with or without a change of network attachment point or network address.

The system must work under the following assumptions:

- There is no business or trust relationship between the provider of application-layer (SIP, XMPP, H.323, ...) services and the LIS.
- There is generally a trust relationship between the LIS and the L2/L3 provider.
- Residential NAT devices cannot be modified to support additional protocols, pass additional information through DHCP, etc.
- If the L2 and L3 provider for the same host are different entities, they cooperate and can establish trust relationships for the purposes needed to determine end system locations.
- Networks do not always require authentication (example: many open community wireless networks). [TBD: But essentially all DSL and cable modems seem to use some form of authentication, e.g., for PPPoE.]
- There are intermediate entities, such as residential NAT devices, that obscure the client's MAC address so that it is not visible to the LIS.
- End systems may not know the precise properties of their residential NAT, but can determine their IP address(es) via mechanisms such as STUN.
- Multiple devices, located in different physical locations and active simultaneously, may share the same L2/L3 trust relationship ("account", "user name/password") with the L2/L3 provider and LIS.
- At least one end of a VPN is aware of the VPN. In an enterprise scenario, the enterprise side will provide the LIS used by the client.
- [Open issue] Where L2/L3 authentication is used, the L2/L3 provider can (or may not) be able to determine whether a particular network address was handed out to that identity.

Security

As is common elsewhere, we distinguish several kinds of attackers.
As always, Alice is the "good guy" and Trudy the attacker. Attackers can be

- off-path (cannot see packets between Alice and the LIS), or
- on-path (can see such packets).

On-path attackers may be

- passive (can only observe),
- semi-active (can inject packets with a bogus IP address, but cannot prevent the delivery of packets from the end system or modify these packets), or
- active (can inject and modify packets at will).

Scenarios we may want to prevent include:

[S1] An end system can pretend to be in an arbitrary location.
[S2] An end system can pretend to be in a location it was at a while ago.
[S3] An attacker can observe Alice's location and use it to generate its own location information.
[S4] An attacker can observe Alice's location.
[S5] An attacker can observe both Alice's location and her L7 identifier.
[S6] Alice and Bob, located at different locations, can collude and swap LOs and pretend to be in each other's location.

It may be impossible to find a solution that addresses all security concerns, yet satisfies the assumptions.