Some LB 62 Motions January 13, 2003 January 2004

Presentation transcript:

Some LB 62 Motions, January 13, 2003 (doc.: IEEE 802.11-02/XXX, Nov. 2002 / January 2004). Jesse Walker, Intel Corporation; David Halasz, Cisco.

Motion 1. Motion: IEEE 802.11 Task Group I adopts 802_11i-D7.1.doc as the basis for further work. Note: adoption of this motion would accept the following editorial changes: 4-22, 25, 27, 29-52, 54-57, 59-74, 76-122, 124-153, 155-161, 163, 165-167, 171-180, 184, 188, 192, 195, 197, 204-206, 210, 214, 215, 225, 226, 238, 241, 257, 300, 316, 330, 333, 340-342, 348, 390, 394, 395, 408, 409, 411-413, 422, 423, 432-453, 455-457, 460-472, 479, 481-484, 491, 492, 494, 497, 501, 503, 504, 508, 514, 516-519, 531-537, 541, 542, 544-553, 556, 559-574, 576, 578, 579, 585, 588, 590, 593, 594, 609, 610, 614, 631-633, 636-638, 640-643, 645, 647, 648, 650, 652, 654, 656, 658-663, 672, 679-682, 688, 689, 691, 693-700, 702, 703, 705, 707, 712.

Motion 2: Comment 298. Comment 298 observes that 802.1X does not provide key management services. Motion: Address Comment 298 on 5.1.1.4 by adopting the text: "In an RSNA, IEEE 802.11 provides functions to protect Data frames, IEEE 802.1X provides authentication and frame filtering, and IEEE 802.11 and IEEE 802.1X collaborate to provide key management."

Motion 3: Comment 292. Comment 292 asks that we bring 802.11i's usage of 802.1X into line with 802.1X. Motion: Address Comment 292 on 5.2.2.2 with the text it suggests: "The first component is an IEEE 802.1X Port Access Entity (PAE). PAEs are present on all STAs in an RSNA and control the forwarding of data to and from the MAC. The PAE in an AP adopts the Authenticator role, while the PAEs in other STAs in the BSS adopt the Supplicant role. In an IBSS, the PAE in each STA adopts both roles simultaneously."

Motion 4: Comments 284, 285. Motion: Address Comments 284, 285 by replacing the text in 5.4.2.2 "Once the IEEE 802.1X AKM completes successfully, the IEEE 802.1X Controlled Port unblocks to allow data traffic" with the text: "Once the AKM completes successfully, data protection is enabled to prevent unauthorized access, and the IEEE 802.1X Controlled Port unblocks to allow protected Data traffic."

Motion 5: Comment 295. Motion: Address Comment 295 by replacing the text in 5.4.3.2 with: "No facilities are provided to move an RSNA during Reassociation, so the old RSNA will be deleted, and a new RSNA will need to be constructed."

Motion 6: Comment 296. Comment 296 observes that the 1st paragraph we are adding to 5.4.3 does not make sense. Motion: Address Comment 296 by replacing the 1st paragraph we are adding with: "In a WLAN that does not support the establishment of RSNAs, Authentication and Confidentiality services were defined with the intention of providing similar security characteristics to those achieved by restricting physical access to a wired LAN. A wired LAN provides a level of Authentication, as only users with physical access to the LAN can connect, and a level of Confidentiality, as only users with physical access can monitor data flows."

Motion 7: Comments on 5.4.3.2. Motion: Address Comments 221-223, 299, and 548 by replacing the body of 5.4.3.2 with the text:

"IEEE 802.11 attempts to control LAN access via the authentication service. IEEE 802.11 authentication is an SS. This service may be used by all STAs to establish their identity to STAs with which they communicate, in both ESS and IBSS networks. If a mutually acceptable level of authentication has not been established between two STAs, an association shall not be established. IEEE 802.11 authentication operates at the link level between IEEE 802.11 STAs. IEEE 802.11 does not provide either end-to-end (message origin to message destination) or user-to-user authentication.

IEEE 802.11 defines two authentication methods, Open System Authentication and Shared Key Authentication. Open System Authentication admits any STA to the LAN. Shared Key Authentication relies on WEP to demonstrate knowledge of a WEP encryption key. The IEEE 802.11 authentication mechanism also allows definition of new authentication methods.

An RSNA also supports authentication based on IEEE 802.1X, or Pre-Shared Keys (PSKs). IEEE 802.1X authentication utilizes the Extensible Authentication Protocol (EAP, RFC 2284) to authenticate STAs and the AS with one another. This standard does not specify a mandatory-to-implement EAP method. Clause 8.4.4 describes the IEEE 802.1X Authentication and PSK within IEEE 802.11 IBSS.

In an RSNA, IEEE 802.1X Supplicants and Authenticators exchange protocol information via the IEEE 802.1X Uncontrolled Port. The IEEE 802.1X Controlled Port is blocked from passing general data traffic between the STA and the AP until an IEEE 802.1X authentication procedure completes successfully over the IEEE 802.1X Uncontrolled Port. The Open System Authentication algorithm is used in both BSS and IBSS RSNA, though Open System Authentication is optional in an RSNA IBSS. RSNA disallows the use of Shared Key Authentication.

Management information base (MIB) functions are provided to support the standardized authentication schemes. A STA may be authenticated with many other STAs at any given instant."

Comments 302, 574, 672. Motion: Make 5.4.3.2 read: "The deauthentication service is invoked when an existing authentication is to be terminated. Deauthentication is an SS. In an ESS, because IEEE 802.11 authentication is a prerequisite for Association, the act of deauthentication shall cause the STA to be disassociated. The deauthentication service may be invoked by either authenticated party (non-AP STA or AP). Deauthentication is not a request; it is a notification. Deauthentication shall not be refused by either party. When an AP sends a deauthentication notice to an associated STA, the association shall also be terminated. In an RSNA, Deauthentication also destroys any related PTKSAs and GTKSAs that exist in the STA and closes the associated IEEE 802.1X Controlled Port. If PMK caching is not enabled, Deauthentication also destroys the PMKSA from which the deleted PTKSA was derived. Note that the existence of IEEE 802.11 Authentication is not a prerequisite for invoking the Deauthentication service in the IBSS case."

Comment 225. Motion: In 5.4.3.3, replace "If this default is not acceptable to one party or the other, data frames shall not be successfully communicated between the LLC entities." with "If this policy is unacceptable to the sender, it shall not send Data frames, and if unacceptable to the receiver, it shall discard received Data frames."

Comment 303. The "automatic and manual" key management methods discussed in 5.4.3.4 are not defined. Motion: Reword 5.4.3.4 as: "The enhanced confidentiality, data authentication, and replay protection mechanisms require fresh cryptographic keys. The procedures described in this document provide fresh keys by means of the 4-Way and Group Key Handshakes."

Comment 304. Motion: In 5.4.3.5, replace "The data origin authenticity mechanism defines a means by which a STA that receives a Data frame from another STA can determine that the MSDU actually originated from that STA" with "The data origin authenticity mechanism defines a means by which a STA that receives a Data frame can determine which STA actually transmitted the MPDU."

Comment 305. Motion: Replace the current text of 802.11i D7.1 Clause 5.6 with: "In an IBSS, each STA must enforce its own security policy. In an ESS, the AP can enforce a uniform security policy across all STAs."

Comments 308, 309. Motion: replace Figure 11 with the figure on this slide. [Figure: the IEEE 802.11 reference model, with an IEEE 802.1X PAE in the Authenticator/Supplicant role above the MAC_SAP exposing the 802.1X Uncontrolled Port and 802.1X Controlled Port; RSNA Key Management and the MAC Layer Management Entity (MLME_SAP) beside the Data Link layer MAC; the Physical layer PLCP and PMD with the PHY Layer Management Entity (PHY_SAP, PLME_SAP, MLME-PLME_SAP, PMD_SAP); and the Station Management Entity spanning both layers.]

Comment 310. Motion: Revise 5.9 as follows: "An RSNA relies on IEEE 802.1X to provide AKM services. The IEEE 802.1X access control mechanisms apply to the association between a STA and an AP, and to the IBSS STA-to-STA peer relationship. The AP performs the Authenticator and, optionally, the Supplicant (for a WDS) and Authentication Server roles. In an ESS, a non-AP STA performs the Supplicant role. In an IBSS, a STA takes on both the Supplicant and Authenticator roles, and may take on the Authentication Server role."

Comments 228, 311, 312. Motion: Delete the sentence "IEEE 802.1X Supplicants and Authenticators exchange protocol information via the IEEE 802.1X Uncontrolled Port." from the 1st paragraph of 5.9.1.

Comment 314. Motion: Delete the clause "and optionally to transmit and receive unicast packets" from the following paragraph of 5.9.2: "If the Authenticator later changes the GTK, it sends the new GTK and GTK sequence number to the Supplicant using the Group Key Handshake, to allow the Supplicant to continue to receive broadcast messages, and optionally to transmit and receive unicast frames. EAPOL-Key frames are used to carry out this exchange. See Figure 4."

Comment 226. Motion: Delete the parenthetical clause "(for a WDS)" from clause 5.9.

Comment 286. Motion: In clause 5.9, replace the text "An RSNA relies on IEEE 802.1X to provide AKM services." with "An RSNA relies on IEEE 802.1X to provide authentication services, and uses the IEEE 802.11 AKM defined in clause 8.5 to provide key management services."

Comment 310. Motion: Replace the sentence "In an IBSS, a STA can take on the Supplicant, Authenticator and Authentication Server roles." at the end of the 1st paragraph in 5.9.3 with "In an IBSS, a STA takes on both the Supplicant and Authenticator roles, and may take on the Authentication Server role."

Comment 316. Motion: Replace the 2nd paragraph of 5.9.3.1 with: "In an IBSS, every STA generates its own GTK, which it uses for encrypting the group addressed frames it sends. This GTK is given to the other STAs in the IBSS during the 4-Way Handshake so that they can decrypt the frames."
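The IBSS keying this paragraph describes, together with the MPDU-level data origin check of Comment 304, as an added example that is not part of the TGi slides or of any 802.11i implementation. Every STA generates its own GTK and hands it to each peer in a 4-Way Handshake in which it is the Authenticator (the IBSS STA holds both roles, as the 5.9.3 text says); a receiver must therefore look up the GTK by transmitter address. The GTK is a random placeholder, the HMAC tag stands in for CCMP/TKIP protection, and the PTK side of the handshake is omitted; all of those are assumptions of the example.

```python
"""Model of per-STA group keying in an IBSS (added example, not the slides' text)."""
import hashlib
import hmac
import os


class IbssStation:
    def __init__(self, addr: str):
        self.addr = addr
        self.own_gtk = os.urandom(16)  # placeholder GTK for the group frames this STA sends
        self.peer_gtks: dict = {}      # transmitter address -> that STA's GTK

    def four_way_handshake(self, supplicant: "IbssStation") -> None:
        # This STA acts as Authenticator and delivers its own GTK to the peer.
        # (The real handshake also derives a PTK; that part is omitted here.)
        supplicant.peer_gtks[self.addr] = self.own_gtk

    def send_group_frame(self, payload: bytes) -> tuple:
        # HMAC over the body with the sender's GTK stands in for cipher protection.
        tag = hmac.new(self.own_gtk, payload, hashlib.sha256).digest()
        return (self.addr, payload, tag)  # (TA, body, integrity tag)

    def receive_group_frame(self, frame: tuple):
        ta, payload, tag = frame
        gtk = self.peer_gtks.get(ta)
        if gtk is None:
            return None  # no GTKSA for that transmitter yet: frame cannot be decrypted
        expected = hmac.new(gtk, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # keyed with some other STA's GTK, or tampered in transit
        return payload


def form_ibss(addrs):
    """Build an IBSS and run the handshakes so every STA holds every peer's GTK.

    Returns (stations, number_of_handshakes_run)."""
    stas = [IbssStation(a) for a in addrs]
    handshakes = 0
    # Each STA is Authenticator toward every peer, so every ordered pair runs
    # its own handshake: n*(n-1) handshakes for n STAs, against one handshake
    # per STA in an ESS where only the AP distributes a GTK.
    for authenticator in stas:
        for supplicant in stas:
            if authenticator is not supplicant:
                authenticator.four_way_handshake(supplicant)
                handshakes += 1
    return stas, handshakes


if __name__ == "__main__":
    stas, n = form_ibss(["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"])
    print(n, stas[1].receive_group_frame(stas[0].send_group_frame(b"group data")))
```

The tag check binds the frame to the transmitter address it claims, which is what the revised 5.4.3.5 text promises for the MPDU. Because every peer holds the transmitter's GTK, it rejects outsiders and mismatched keys but not a forging insider; that limitation is inherent to any shared group key, and individually addressed frames get their origin authenticity from the pairwise PTK instead.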

Comment 551. Motion: add the blue asterisks and the line in blue to Figure 1 (STA/AP exchange):
    IEEE 802.11 Probe Request*
    IEEE 802.11 Probe Response (Security Parameters)*
    IEEE 802.11 Open System authentication Request
    IEEE 802.11 Open System authentication Response
    IEEE 802.11 Association Request (Security Parameters)
    IEEE 802.11 Association Response
    IEEE 802.1X Controlled Port Blocked
* A Beacon can report the Security Parameters instead of a Probe Request/Response pair.
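The Figure 1 sequence above, the Controlled/Uncontrolled Port rules of Motion 7, the port unblocking of Motion 4, the sender/receiver policy of Comment 225 and the Deauthentication cleanup proposed for Comments 302, 574 and 672, pulled together into one state model. This is an added example, not code from the slides or from any 802.11i implementation: it runs no EAP, 4-Way Handshake or cipher, the PMK/PTK/GTK values are placeholder bytes, the advertised and local security parameters are constructed inputs, and the class and method names are the example's own.

```python
"""Supplicant-side model of RSNA port control and SA lifecycle (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    kind: str                # "EAPOL" (802.1X protocol) or "DATA"
    protected: bool = False  # True if the MPDU carries RSNA data protection


class RsnaStation:
    """State of one non-AP STA toward an AP in an ESS."""

    def __init__(self, pmk_caching: bool = False):
        self.pmk_caching = pmk_caching
        self.state = "idle"                # idle -> authenticated -> associated
        self.controlled_port_open = False  # blocked until the AKM completes
        self.pmksa: Optional[bytes] = None
        self.ptksa: Optional[bytes] = None
        self.gtksa: Optional[bytes] = None
        self.selected: Optional[dict] = None

    def select_parameters(self, advertised: dict, policy: dict) -> dict:
        # Figure 1: the AP's security parameters arrive in a Beacon or Probe
        # Response; the STA picks the first mutually acceptable AKM and cipher.
        akm = [a for a in policy["akm"] if a in advertised["akm"]]
        pairwise = [c for c in policy["pairwise"] if c in advertised["pairwise"]]
        if not akm or not pairwise:
            raise ValueError("no mutually acceptable security parameters")
        self.selected = {"akm": akm[0], "pairwise": pairwise[0]}
        return self.selected

    def authenticate(self, algorithm: str) -> None:
        # Motion 7: an RSNA disallows Shared Key Authentication.
        if algorithm != "open-system":
            raise ValueError("RSNA permits only Open System Authentication")
        self.state = "authenticated"

    def associate(self) -> None:
        # Association Request carries the selected parameters; the 802.1X
        # Controlled Port stays blocked at this point (last line of Figure 1).
        if self.state != "authenticated" or self.selected is None:
            raise RuntimeError("authentication must precede association")
        self.state = "associated"
        self.controlled_port_open = False

    def akm_complete(self, pmk: bytes, ptk: bytes, gtk: bytes) -> None:
        # Motion 4: once the AKM succeeds, data protection is enabled and the
        # Controlled Port unblocks for protected Data traffic only.
        if self.state != "associated":
            raise RuntimeError("the AKM runs after association")
        self.pmksa, self.ptksa, self.gtksa = pmk, ptk, gtk
        self.controlled_port_open = True

    def forward(self, frame: Frame) -> str:
        """Fate of a received frame at this STA's PAE."""
        if frame.kind == "EAPOL":
            return "uncontrolled-port"  # 802.1X protocol frames always pass here
        if not self.controlled_port_open:
            return "dropped: controlled port blocked"
        if not frame.protected:
            return "discarded: unprotected"  # Comment 225 receiver policy
        return "delivered"

    def deauthenticate(self) -> None:
        # Deauthentication is a notification, not a request. In an ESS it also
        # disassociates, destroys the PTKSA and GTKSA, closes the Controlled
        # Port and, without PMK caching, deletes the PMKSA the PTKSA came from.
        self.ptksa = self.gtksa = None
        self.controlled_port_open = False
        if not self.pmk_caching:
            self.pmksa = None
        self.state = "idle"


def run_association(pmk_caching: bool = False) -> RsnaStation:
    """Walk one STA through the whole lifecycle; returns the STA after deauthentication."""
    sta = RsnaStation(pmk_caching=pmk_caching)
    advertised = {"akm": ["802.1X", "PSK"], "pairwise": ["CCMP", "TKIP"]}  # constructed
    policy = {"akm": ["802.1X"], "pairwise": ["CCMP"]}                      # constructed
    sta.select_parameters(advertised, policy)
    sta.authenticate("open-system")
    sta.associate()
    assert sta.forward(Frame("EAPOL")) == "uncontrolled-port"
    assert sta.forward(Frame("DATA", protected=True)) == "dropped: controlled port blocked"
    sta.akm_complete(b"PMK", b"PTK", b"GTK")  # placeholder key material
    assert sta.forward(Frame("DATA", protected=True)) == "delivered"
    assert sta.forward(Frame("DATA", protected=False)) == "discarded: unprotected"
    sta.deauthenticate()
    return sta


if __name__ == "__main__":
    print(run_association(pmk_caching=False).pmksa)  # None: PMKSA destroyed
    print(run_association(pmk_caching=True).pmksa)   # b'PMK': retained for later use
```

The two `run_association` calls differ only in PMK caching, which is the one thing the revised Deauthentication text leaves conditional: the PTKSA and GTKSA always go, the Controlled Port always closes, and only the PMKSA may survive.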

Comment 673. Motion: Remove the "extra" vertical line from Figure 2, to bring it into conformity with the other figures.

Comment 608. Motion: Label the arrows in Figure 5 to indicate who initiates.

Comments 674, 675. Motion: Make the dashed vertical lines in Figures 5 and 6 solid, to bring them into conformity with the other figures.