Beruflich Dokumente
Kultur Dokumente
Submission
November 2001
Authentication and key management methods requiring public key operations (e.g. EAP-TLS) can take
several seconds to complete
TLS continuation can decrease round-trips (from 3.5 to 2.5)
Disconnection time is still significant, particularly if backend authentication server is far away (e.g. hotspot
scenarios).
Submission
November 2001
Hot Spot
802.11 wireless access in airports, hotels, cafes
Authentication is typically password-based
Account at wireless ISP
Wholesale wireless access to corporations may eventually become popular
November 2001
Secure
Support for per-session keys, dynamic key generation
Works with all EAP authentication methods
Secure reassociation requests and responses, as well as disassociation
notifications
Protection against spoofing, denial of service, hijacking
Deployable
Enable deployment of inter-access point protocol (IAPP) without a
registration service
Submission
November 2001
Security improvements
Submission
November 2001
DeAuthentication
Notification
Successful MAC
layer Authentication
State 2
Authenticated,
Unassociated
Deauthentication
notification
Successful
Association or
Reassociation
Class 1 & 2
Frames
Disassociation
Notification
State 3
Authenticated,
and Associated
Submission
Class 1
Frames
Class 1, 2 &
3 Frames
November 2001
Submission
November 2001
STA
APnew
Associate-Request
Associate-Response
ACK
DS
Notified
Reassociate-Request
Disassociate
Reassociate-Response
ACK
Transition Period
~ STA-AP
DS
Notified
November 2001
Deauthentication
notification
Successful MAC
layer Authentication
DeAuthentication
Notification
State 4
ESN Associated
Class 1 & 2
Frames
Class 1, 2 & 3
Frames except
Authentication &
Deauthentication
Disassociation
Notification
State 3
Authenticated,
and Associated
Submission
ESN Association or
Reassociation
ESN
Disassociation
Notification
State 2
Authenticated,
Unassociated
Successful
Association or
Reassociation
Class 1, 2 & 3
Frames
Tim Moore, Bernard Aboba/Microsoft
November 2001
Submission
November 2001
Questions
Should authentication occur before or after
reassociation?
How do we authenticate management frames?
This presentation addresses ReassociationRequest/Response, and Disassociation Notification
frames
Future work will address authentication of other
Management Frames
Association-Request/Response, Beacon, ProbeRequest/Response, Deauthentication, ATIM
Submission
November 2001
Alternatives
Authentication before reassociation
Pros
Enables pre-authentication
Authentication no longer in the critical path for reassociation
Cons
If you authenticate management frames, cryptographic operations remain in the
critical path (since you need to authenticate the Reassociation Request/Response)
If youre already authenticating reassociation request/response, why do more than
canned authentication in addition?
Cons
No pre-authentication
Submission
November 2001
Proposed Approach
802.1X canned success sent from AP to STA if Authenticator IE included within the
Reassociation-Request is valid.
Submission
November 2001
STA
APnew
Associate-Request
Associate-Response
DS
Notified
ACK
802.1X/Identity Request
Transition Period
802.1X/Identity Response
EAP-Response
EAP-Request
Disassociate (Authenticated)
Transition Period
Submission
~ RTTSTA-AP
~ nRTTSTA-AP
DS
Notified
November 2001
November 2001
ESSID#
Number of the ESSID corresponding to this authenticator (for shared use APs)
Authenticator
For Algorithm=1, 128-bit HMAC-MD5(STA MAC address | AP MAC address | Timestamp, key)
Authentication key = session key used to authenticate the EAPOL-Key message
Submission
November 2001
Deployability improvements
Submission
November 2001
New AP contacts the old AP via IAPP to validate the reauthenticationrequest, transfer context
IAPP runs over IP
Implication: New AP needs the IP address of the old AP in order to
communicate with it
802.11 enables the STA to obtain the MAC address of the old & new
APs
Client obtains the MAC address of the old AP when it associates/reassociates with it
Client provides the new AP with the MAC address of the old AP in the
re-association request
Submission
November 2001
1.
2.
Problems:
Enterprise customers do not wish to deploy yet another service
Selecting an AP to run the service requires an election protocol
Registration service designs discussed so far (SLPv2, DNS) have serious flaws
4.
Assumes APs are all on the same subnet, so not a general solution
Note: Having APs on different subnets does not imply change of subnet for the client
(possible for the AP to support dynamic VLANs)
AAA protocols
3.
Recommendation: Choice 4
Submission
November 2001
SLPv2 designed for use in service discovery, not resolving MAC addresses
to IP addresses
Use of SLPv2 as a routable version of InverseARP is inefficient
SLPv2 requires multicast routing to all access points; not widely deployed
SLPv2 limited to use within a single administrative domain prevents
context transfer between domains
Inter-domain context transfer should not be prohibited in situations where the
trust issues can be worked out
Submission
November 2001
Submission
November 2001
November 2001
Address
For Type=1, 32-bit IPv4 address
For Type=2, 128-bit IPv6 address
Submission
November 2001
Meaning
TBD
Reassociation-Request denied
due to failed authenticator
Reassociation-Response denied
due to failed authenticator
Disassociation denied due to
failed authenticator
TBD
TBD
Submission
November 2001
Motion
To amend the TGi draft to include text detailing
usage of the Extended Address and Authenticator
Information Elements.
Submission
November 2001
Feedback?
Submission