
July 2007 doc.: IEEE 802.11-07/2161r1

Segregated Data Services in 802.11


Date: 2007-07-17
Authors:
Name | Affiliations | Address | Phone | Email
Donald Eastlake 3rd | Motorola | 111 Locke Drive, Marlboro, MA 01757 USA | +1-508-786-7554 | Donald.Eastlake@motorola.com
Guido R. Hiertz | Philips | ComNets, RWTH Aachen University, Kopernikusstr. 16, 52074 Aachen, Federal Republic of Germany | +49-241-802-5829 | hiertz@ieee.org
Dee Denteneer | Philips | Philips Research, HTC 27 (WL 1.132), 5656 AE Eindhoven, The Netherlands | +31-402-746-937 | dee.denteneer@philips.com
Nancy Cam-Winget | Cisco Systems | 190 W Tasman, San Jose CA 95134 USA | +1-408-853-0532 | ncamwing@cisco.com
Stephen Rayment | BelAir Networks | 603 March Road, Ottawa, ON, Canada K2K 2M5 | +1 613 254 7070 x112 | srayment@belairnetworks.com
Tony Metke | Motorola | 1301 E. Algonquin Road, Mail Stop: 1232, Schaumburg, IL 60196 USA | +1-847-576-0092 | Tony.Metke@motorola.com

Submission Slide 1 Donald Eastlake 3rd, Motorola



Abstract

Essentially all 802.11 networks need VLANs or a similar
mechanism for segregated data services. The need
varies from a mild requirement to distinguish
“visitors” from “residents” in a one AP home network
to much stronger and more complex requirements in
enterprise, municipal, and other systems. Scenarios and
requirements for adding segregated services / VLANs
to IEEE 802.11 are presented along with some
comments on existing or prospective mechanisms.


Motivation
• Segregating traffic for “visitors” who should only have
access to the Internet and limited facilities, from
“insider” traffic.
• Provision of different services for free and
subscription services in Hot Zone or Municipal
systems. (May also segregate subscription service
through different carriers.)
• In mesh environments, ability to safely forward data
through nodes with limited trust.
• To enable aggregation of traffic over a single
infrastructure for efficient deployment.
• Dedicated traffic segregation by type, such as VoIP.

Example Scenario I
(unified infrastructure, single interface end stations)

[Figure: Internet behind a Firewall with Protected Services; MAP 1, MAP 2 and AP 2 joined by Wired Connections; Local Stations on a Local VLAN and Guest Stations on a Guest VLAN sharing the same APs.]

Example Scenario II
(diverse mesh, multi-interface mesh points)

[Figure: Internet reached through Organization 1 Infrastructure and Organization 2 Infrastructure, each via its own MPP; a mesh of Org 1, Org 2 and Org 3 MPs; services shown as Organization 1 Service, Organization 2 Service and Local Mesh Service.]

Tentative Requirements
1. Advertising Availability of Services
2. Associating/Authenticating/Authorizing for One or
more Specific Services
3. Multiple Service Security Channels Between Two
Stations
4. Transit Frame Labelling
5. Protection of Segregated Data from Unauthorized
Access
6. Configuration and Management


1. Advertising Availability of Services

• Current practice: Transmit multiple Beacons, as is
done at IEEE 802 meetings.
• Work in progress: General Advertisement Service
(GAS) mechanisms in 802.11 TGu (Interworking with
External Networks).
– Includes SSIDC (SSID Container IE) for transmission of multiple
SSIDs (with or without multiple BSSIDs) in a single beacon.
• Possible new work:
– Extensions to TGu GAS.
– Other mechanisms.


2. Associating/Authenticating/Authorizing
for a Specific Service
• Current practice: Only one association, 802.11i
security.
• Work in progress:
– TGw (Protected Management Frames) to extend security to some
control messages
– TGs (Mesh Networking) with authentication to mesh distinguished
from authentication to an AP
– TGu (Interworking with External Networks) different
credentials/authentication for different back end carriers
• Possible new work: Different credentials/authentication
for different Services/VLANs.


3. Multiple Service Security Channels
Between Two Stations
• Current Practice:
– AP can have multiple security associations but each with a
different end station.
– Two stations can have multiple IPsec security associations or the
like at the application level.
• Work in Progress: TGs (Mesh Networking) permits
multiple associations but each with a different mesh
point.
• Possible new work:
– Different security associations for different services/VLANs
– Development of a new Authenticator PAE function that can
manage multiple SAs with a given neighbor


4. Transit Frame Labelling

• Current Practice:
– Current standard explicitly permits 802.1Q-Tag in payload
(802.11-2007 Annex M) but Q-Tag’s priority and VLAN ID fields
are otherwise ignored.
– Only obvious way is to use different MAC addresses.
• Work in Progress: none...(?)
• Possible new work:
– Header addition to distinguish Service/VLAN
– Other mechanisms
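To make requirements 2 through 5 concrete, here is an added Python example (not code from these slides or from any IEEE draft) that parses the 802.1Q tag which 802.11-2007 Annex M permits inside the LLC/SNAP header of a data frame body, and then checks the VLAN ID against the set of services the station was authorized for when it associated. The `VlanPolicy` store, the station names and the VLAN numbers (local VLAN 10, guest VLAN 20, echoing Scenario I) are constructed for the example; the tag layout (EtherType 0x8100, then a 16-bit TCI holding a 3-bit priority, a 1-bit CFI and a 12-bit VID) follows 802.1Q.

```python
"""Added example (not from the IEEE 802.11-07/2161r1 slides): parse the
802.1Q tag that 802.11-2007 Annex M permits inside an LLC/SNAP-encapsulated
data frame body, and enforce per-station VLAN authorization on it."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

LLC_SNAP_RFC1042 = b"\xaa\xaa\x03\x00\x00\x00"  # DSAP, SSAP, CTL, OUI 00-00-00
ETHERTYPE_QTAG = 0x8100                         # 802.1Q tag protocol identifier
VID_PRIORITY_TAGGED = 0x000                     # VID 0: priority tag only, no VLAN
VID_RESERVED = 0xFFF                            # VID 4095 is reserved by 802.1Q


@dataclass
class QTag:
    priority: int   # PCP, 3 bits
    cfi: int        # CFI, 1 bit
    vlan_id: int    # VID, 12 bits
    ethertype: int  # EtherType of the encapsulated protocol


def parse_qtag(body: bytes) -> Optional[QTag]:
    """Return the 802.1Q tag carried in an 802.11 data frame body, or None if
    the body is untagged. Raises ValueError on a truncated tag."""
    if len(body) < 8 or body[:6] != LLC_SNAP_RFC1042:
        return None                       # not RFC 1042 / Annex M encapsulation
    (ethertype,) = struct.unpack("!H", body[6:8])
    if ethertype != ETHERTYPE_QTAG:
        return None                       # plain (untagged) frame
    if len(body) < 12:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", body[8:12])
    return QTag(priority=tci >> 13, cfi=(tci >> 12) & 1,
                vlan_id=tci & 0x0FFF, ethertype=inner)


class VlanPolicy:
    """Per-station VLAN authorization as an AP or mesh point could record it
    at association time (hypothetical policy store, not a standard API)."""

    def __init__(self) -> None:
        self._default: Dict[str, int] = {}
        self._allowed: Dict[str, Set[int]] = {}

    def authorize(self, sta: str, default_vlan: int,
                  extra: Optional[Set[int]] = None) -> None:
        self._default[sta] = default_vlan
        self._allowed[sta] = {default_vlan} | set(extra or ())

    def classify(self, sta: str, body: bytes) -> Tuple[str, Optional[int]]:
        """Decide which VLAN a frame received from `sta` belongs to.
        Returns ("accept", vid) or ("drop", None)."""
        if sta not in self._allowed:
            return "drop", None           # unknown station: no service authorized
        try:
            tag = parse_qtag(body)
        except ValueError:
            return "drop", None           # malformed tag: never guess a VLAN
        if tag is None or tag.vlan_id == VID_PRIORITY_TAGGED:
            return "accept", self._default[sta]   # untagged / priority-only: default VLAN
        if tag.vlan_id == VID_RESERVED or tag.vlan_id not in self._allowed[sta]:
            return "drop", None           # station claims a VLAN it was not granted
        return "accept", tag.vlan_id


def build_body(payload: bytes, vid: Optional[int] = None, pcp: int = 0,
               ethertype: int = 0x0800) -> bytes:
    """Construct an 802.11 data frame body: LLC/SNAP plus optional 802.1Q tag."""
    if vid is None:
        return LLC_SNAP_RFC1042 + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return LLC_SNAP_RFC1042 + struct.pack("!HHH", ETHERTYPE_QTAG, tci, ethertype) + payload


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Constructed scenario: local VLAN 10, guest VLAN 20 (as in Scenario I)."""
    policy = VlanPolicy()
    policy.authorize("local-sta", default_vlan=10, extra={20})
    policy.authorize("guest-sta", default_vlan=20)
    ip = b"\x45\x00" + b"\x00" * 18       # constructed IPv4-looking payload
    return {
        "guest_untagged": policy.classify("guest-sta", build_body(ip)),
        "guest_own_vlan": policy.classify("guest-sta", build_body(ip, vid=20, pcp=5)),
        "guest_to_local": policy.classify("guest-sta", build_body(ip, vid=10)),
        "guest_prio_only": policy.classify("guest-sta", build_body(ip, vid=0, pcp=6)),
        "local_to_guest": policy.classify("local-sta", build_body(ip, vid=20)),
        "truncated_tag": policy.classify("local-sta", LLC_SNAP_RFC1042 + b"\x81\x00\x00"),
        "unknown_sta": policy.classify("stranger", build_body(ip)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} -> {verdict}")
```

The check is worth having even though the tag itself is only a few bits: under 802.11i the whole frame body, tag included, is integrity-protected by the transmitting station's pairwise key, so the receiver knows which station put the tag there, but nothing in the current standard says whether that station is entitled to the VLAN it names. The policy lookup closes that gap for the single-AP case; the per-service security associations of requirement 3 would be the mesh-hop equivalent. Edge cases follow 802.1Q: VID 0 is a priority-only tag and falls back to the station's default VLAN, VID 4095 is reserved and dropped, and a truncated tag is dropped rather than parsed as untagged.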


5. Protection of Segregated Data
from Unauthorized Access
• Current Practice: Have to use IPsec or some similar
application level mechanism to protect data at
intermediate hops.
• Work in Progress: none...
• Possible new work:
– Optional edge-to-edge security between original source station and
final destination station. But not all services would require this. (If
VLAN mapping is possible, authentication should be keyed to
SSID, not VLAN ID.)


6. Configuration and Management

• Current Practice:
– SNMP (Simple Network Management Protocol)
– GVRP (GARP VLAN Registration Protocol)
– Proprietary command line interfaces and protocols
• Work in Progress: SNMP MIB (Management
Information Base) additions by TGu (Interworking
with External Networks)
• Possible new work:
– MIB additions or other mechanisms for configuration and
management including setting-up and deleting VLANs


Straw Polls
• Results in WNG SC during morning session on 17 July:
– Should the 802.11 WNG SC proceed at this time to vote on a
motion to set up a Study Group?
Yes: 6 No: 27 Abstain: 18
– Should 802.11 receive further presentations on the topic of
segregated data services?
Yes: 46 No: 0 Abstain: 1


Motion (not voted on in WNG)

• Moved, To request the IEEE 802.11 Working Group to
approve and forward to the IEEE 802 Executive
Committee the creation of a “WLAN Multiple Segregated
Data Services” Study Group to draft a PAR and 5 Criteria
for the provision of secure segregated data services in
802.11, such services to include some or all of the
following:
– advertising and associating with such services; labeling frames per
service; security of data within a service; and the configuration and
management of such services.
Moved: Seconded:
Yes: No: Abstain:


References
• Standard 802.11-2007 – WLANs
• Standard 802.1Q-2005 – VLANs, GVRP
• Draft 802.11s D1.05 – ESS Mesh Networking
• Draft 802.11u D1.0 – Interworking with External
Networks
• Draft 802.11w D2.0 – Protected Management Frames
• IETF STD 62 (IETF RFCs 3411 through 3418) – SNMP
