Secure WNM Requirements

Presentation transcript:

Secure WNM Requirements
May 2005
Authors:
Date: 2005-05-10

Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE's name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE's sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11.

Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures <http://ieee802.org/guides/bylaws/sb-bylaws.pdf>, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication.
Please notify the Chair <stuart.kerry@philips.com> as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at <patcom@ieee.org>.

Emily Qi, Intel Corporation

Abstract
This document provides a threat analysis and protection service requirements for Wireless Network Management (WNM).

Agenda
- Possible Service Categories for WNM
- Threat Analysis for WNM
- Requirements for TGw
- Requirements for TGv

Purpose of 802.11v (from PAR)
- Enables management of attached stations in a centralized or in a distributed fashion (e.g. monitoring, configuring, and updating) through a layer 2 mechanism.
- Controlling and setting MIB parameters over the air has security implications.

Possible Service Categories for 802.11v
- Configuration Management
- Performance and Resource Management
- Operations Management
- Fault and Security Management
- Accounting Management
- Location Services, etc.
(referring to doc.: 0076r00 by John Klein, et al.)

Threats to Wireless Network Management
- Forgery Attack
- Masquerade
- Delay Attack
- Disclosure
- Denial of Service
- Traffic Analysis

Forgery Attack
- The essence of this threat is that an unauthorized entity could change any management parameter, including those related to configuration, operations, and accounting.
- WNM management messages could be reordered and replayed to effect unauthorized management operations.
- For example, an unauthorized entity can modify a "Direct Roam" message (for load balancing) to direct the STA to another AP.
- Requirement: Need Forgery Protection - TGw

Masquerade
- Management operations that are not authorized for some entity may be attempted by that entity by assuming the identity of an authorized entity.
- For example, an unauthorized AP, which is not authorized to update the STA's firmware, may attempt to update the STA's firmware.
- Requirement: Need to advertise and negotiate the authorized entity for manageable services - TGv
- Requirement: Need Authentication and Authorization Protection - TGw
  - STA and AP

Delay Attack
- WNM management messages could be delayed to effect invalid management operations.
- For example, a delayed "Direct Roam" message (for Load Balancing) may no longer be valid.
- Requirement: Need Delay Protection - TGw ?
- Requirement: Need Timeliness protection to protect against message delay - TGv

Disclosure
- An entity could observe exchanges between an AP and a STA and thereby learn the values of managed objects and learn of notifiable events.
- For example, observing a set of commands carrying location information and management (for Location Service) would enable an attacker to learn asset tracking.
- Because of privacy concerns, the Manager (AP) and Agent (STA) may not want a third party to know their accounting parameter settings (for Accounting Management).
- Also, WNM needs to be consistent with the SNMPv3 policy for confidentiality.
- Requirement: Need Confidentiality Protection - TGw

Denial-of-service
- An attacker may prevent exchanges between AP and STA:
  1. Wireless Network Connection Failure
  2. Disruption of all types of exchanges
  3. Forged management messages can create novel denial-of-service attacks
- #1 and #2 are not new denial-of-service threats. Accordingly, there can be no requirement to protect against them.
- #3 needs Forgery protection - TGw

Traffic Analysis
- An attacker may observe the general pattern of management traffic between AP and STA.
- Many Wireless Network traffic patterns are predictable, and therefore there is no significant advantage in protecting against observation of these traffic patterns.
- No need to protect against this attack.

Protection Requirements for TGw (summary)
- Authentication Protection
- Authorization Protection
- Forgery Protection
- Replay Protection
- Delay Protection
- Confidentiality Protection

Protection Requirements for TGv (1)
Requirement: Need to advertise and negotiate the authorized entity for specific manageable services:
- Provide policy advertisement, discovery, and negotiation mechanisms for the manageable services that AP and STA agree upon
- Indicate the possible reactions with which the STA could respond
- Preserve the 802.11 design that operates in unlicensed bands
- Usage scenarios should cover Enterprise, Home, and Hotspot

Protection Requirements for TGv (2)
Requirement: Timeliness protection to protect against message delay:
- The manager (sender) should dictate that a message must be received within a reasonable time window, to avoid delay attacks.
- The time window should be chosen to be as small as possible given the accuracy of the clocks involved and round-trip communication delays.
- The receiver should conduct a timeliness check when the message arrives.
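As an added illustration (not part of the contribution and not an 802.11 frame format), the following sketch ties together the forgery/replay protection asked of TGw and the timeliness check asked of TGv: a management message carries a sequence number and a sender timestamp under a keyed MIC, and the receiver rejects forged, replayed or delayed copies. The key, the HMAC-SHA256 MIC, the header layout and the clock-error and delivery-delay bounds are all constructed assumptions for the example.

```python
import hashlib
import hmac
import struct

# Constructed bounds (assumptions, not values from the contribution). The
# acceptance window is clock error plus worst-case delivery delay, i.e. "as
# small as possible given the accuracy of the clocks ... and round-trip delays".
CLOCK_ERROR_MS = 50
MAX_DELIVERY_MS = 100
WINDOW_MS = CLOCK_ERROR_MS + MAX_DELIVERY_MS

HEADER_FMT = ">IQ"      # 32-bit sequence number, 64-bit sender timestamp (ms)
HEADER_LEN = struct.calcsize(HEADER_FMT)
MIC_LEN = 16


def build_frame(key: bytes, seq: int, ts_ms: int, body: bytes) -> bytes:
    """Manager (sender) side: header + body protected by a truncated HMAC MIC."""
    header = struct.pack(HEADER_FMT, seq, ts_ms)
    mic = hmac.new(key, header + body, hashlib.sha256).digest()[:MIC_LEN]
    return header + body + mic


class WnmReceiver:
    """Agent (receiver) side: MIC check (forgery), strictly increasing sequence
    number (replay / reordering), timestamp window (delay)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes, now_ms: int):
        """Return (verdict, body); body is None unless verdict is 'ok'."""
        if len(frame) < HEADER_LEN + MIC_LEN:
            return "malformed", None
        header, body, mic = frame[:HEADER_LEN], frame[HEADER_LEN:-MIC_LEN], frame[-MIC_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):
            return "forged", None           # modified in flight or from an unkeyed sender
        seq, ts_ms = struct.unpack(HEADER_FMT, header)
        if seq <= self.last_seq:
            return "replayed", None         # replayed or reordered copy
        if abs(now_ms - ts_ms) > WINDOW_MS:
            return "stale", None            # held back (or sent from the future)
        self.last_seq = seq
        return "ok", body
```

A "Direct Roam" message that is modified, replayed, or delivered after the window is rejected, while the genuine copy inside the window is accepted.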

Feedback?