CAPWAP Threat Analysis

Presentation transcript:

CAPWAP Threat Analysis
draft-ietf-capwap-threat-analysis-00
IETF 68, CAPWAP Working Group
Charles Clancy & Scott Kelly

Document Status
- Adopted as a working group document
- Published as -00
- Changes
  - Filled in AAA security section
  - Added discussion of channel binding

Quick Recap
- Document not designed to replace security considerations text
  - Security considerations focuses more on low-level protocol details, things CAPWAP-specific
  - Threat analysis looks more at the “big picture”
- Goal of the document:
  - Provide a little history on 11i/AAA security, and how CAPWAP fits into the mix
  - Document the many different use cases, and describe how such deployment scenarios affect the system security

Recent Changes
- New discussion on channel bindings
  - Just because STA trusts AAA, who trusts AC, who trusts WTP, why should STA trust WTP?
  - Is trust transitive?
- Nature of identity
  - STA: bootstrapped trust relationship
  - WTP: long-term trust relationship
  - AC: long-term trust relationship
  - AAA: long-term trust relationship

Example Attack
- “Lying NAS problem”: AP has one identity in its security association to the AAA server, but provides another identity to the STA in 802.11 beacon messages
- CAPWAP only compounds the problem
- Problem is that the STA only trusts the AAA server, and not anything else
- Is this an actual problem?
- What does knowing all these identities buy us?

Fix the problem?
- Solution 1: 3-party key agreement protocols
  - Involve all parties in a cross-protocol key agreement
  - In CAPWAP, would need 4-party protocol
  - Infeasible, as CAPWAP can’t change 11i or AAA
- Solution 2: Channel Bindings
  - After keys are all generated, AAA server encrypts everyone’s identities and sends it to the STA
  - Could be implemented by CAPWAP-specific extensions to an EAP method; need AAA messages to carry CAPWAP WTP/AC info

Ideally, how would this work?
Parties: STA, WTP, AC, AAA
Message sequence (flattened from the slide’s diagram):
- AAA authentication
- CAPWAP authentication
- 802.11 beacons carrying ID(WTP), ID(AC), ID(AAA)
- AAA(CAPWAP config, ID(WTP), ID(AC))
- 802.1X / EAP authentication
- Channel binding phase: MIC(ID(WTP), ID(AC), ID(AAA))
- ** STA verifies chbind info **
- 802.11i 4-way handshake
- CAPWAP Add-Mobile
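The channel-binding phase above, and the lying-NAS problem it is meant to catch, are easier to see in code. The following is an added example, not code from the draft or the CAPWAP working group: the AAA server computes a MIC over the identities it knows from its own security associations, and the STA recomputes the MIC over the identities it observed in beacons. If the WTP advertised a different identity on the air than the one bound to its AAA association, the two MICs differ and the STA rejects the binding. All identities, the key material and the derivation label are constructed assumptions; a real design would fix how the STA and AAA share the MIC key (the slide leaves that to EAP key material) and how the identities are encoded.

```python
import hashlib
import hmac

# Constructed sample identities (not from the draft). In the slide's flow the
# AAA server learns ID(WTP) and ID(AC) from the CAPWAP config the AC reports.
AAA_ID = b"aaa.example.net"
REGISTERED_WTP_ID = b"wtp-01.example.net"
REGISTERED_AC_ID = b"ac-01.example.net"

# Constructed key material standing in for what the STA and AAA server share
# after EAP authentication. The derivation label below is an assumption.
SAMPLE_EMSK = bytes(range(64))


def derive_chbind_key(emsk: bytes) -> bytes:
    """Derive a dedicated channel-binding MIC key from the shared EAP key material."""
    label = b"CAPWAP channel binding key (example label)"
    return hmac.new(emsk, label, hashlib.sha256).digest()


def encode_identities(*ids: bytes) -> bytes:
    """Length-prefix each identity so the concatenation cannot be re-split
    (b"ab"+b"c" and b"a"+b"bc" must not produce the same MIC input)."""
    out = b""
    for ident in ids:
        if len(ident) > 0xFFFF:
            raise ValueError("identity too long")
        out += len(ident).to_bytes(2, "big") + ident
    return out


def aaa_chbind_mic(key: bytes, wtp_id: bytes, ac_id: bytes, aaa_id: bytes) -> bytes:
    """AAA side: MIC(ID(WTP), ID(AC), ID(AAA)) over the identities bound to the
    AAA server's security associations, i.e. what the NAS claimed to the AAA."""
    return hmac.new(key, encode_identities(wtp_id, ac_id, aaa_id), hashlib.sha256).digest()


def sta_verify_chbind(key: bytes, seen_wtp: bytes, seen_ac: bytes,
                      seen_aaa: bytes, mic: bytes) -> bool:
    """STA side: recompute the MIC over the identities seen in 802.11 beacons and
    compare in constant time. A mismatch means the NAS told the STA and the AAA
    server different stories (the lying NAS problem) or the MIC was tampered with."""
    expected = hmac.new(key, encode_identities(seen_wtp, seen_ac, seen_aaa),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, mic)


def run_scenarios() -> dict:
    """Honest binding, a lying NAS, and a tampered MIC, all with constructed data."""
    key = derive_chbind_key(SAMPLE_EMSK)
    mic = aaa_chbind_mic(key, REGISTERED_WTP_ID, REGISTERED_AC_ID, AAA_ID)

    # Beacons advertise exactly the identities the AAA server knows.
    honest = sta_verify_chbind(key, REGISTERED_WTP_ID, REGISTERED_AC_ID, AAA_ID, mic)

    # Lying NAS: the beacon carries a WTP identity other than the one in the
    # WTP's association with the AAA server.
    lying_nas = sta_verify_chbind(key, b"wtp-guest.example.net", REGISTERED_AC_ID, AAA_ID, mic)

    # A MIC altered in transit must also be rejected.
    altered = bytes([mic[0] ^ 0x01]) + mic[1:]
    tampered = sta_verify_chbind(key, REGISTERED_WTP_ID, REGISTERED_AC_ID, AAA_ID, altered)

    return {"honest": honest, "lying_nas": lying_nas, "tampered_mic": tampered}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'binding accepted' if ok else 'binding rejected'}")
```

The STA can only perform this check if the beacons (or some other message it trusts to be the WTP's own claim) carry ID(WTP), ID(AC) and ID(AAA), which is why the slide's flow puts those identities in the beacon and why the Implementation slide calls for universal WTP/AC identities and a RADIUS/Diameter transport for them.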

Implementation?
- Implementing channel bindings would require an additional RFC describing:
  - Universal WTP / AC identities
  - RADIUS and Diameter transport for identities
  - CAPWAP-specific CHBIND blobs for EAP methods to securely transport
- Threat Analysis draft simply documents the problem
- Not a problem if your deployment believes in the transitivity of trust

Conclusion
- New WG document
- Some changes since last version, including chbind discussion
- Would like WG input!
- Another revision, and then perhaps WGLC