Session MAC Address Solves Deadlocks March 2005 doc.: IEEE 802.11-05/0140r0 March 2005 Session MAC Address Solves Deadlocks Date: 2005-02-28 Authors: Name Organization E-Mail Jon Edney Nokia email@jon.edney.name Henry Haverinen Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11. Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures <http:// ieee802.org/guides/bylaws/sb-bylaws.pdf>, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair <stuart.kerry@philips.com> as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at <patcom@ieee.org>. Jon Edney, Nokia Jon Edney, Nokia

March 2005 doc.: IEEE 802.11-05/0140r0 March 2005 Abstract Proposes the use of “Session MAC Address” by STAs in order to prevent authentication / association deadlocks with protected management frames Jon Edney, Nokia Jon Edney, Nokia

The deadlock problem March 2005 doc.: IEEE 802.11-05/0140r0 March 2005 The deadlock problem After first association STA & AP share PTK EAPOL Key messages are now encrypted so re-key requires knowledge of current key. Let's suppose deauth and disassoc messages are protected If STA loses PTK it cannot re-key or disassociate creating a deadlock One solution is to allow an unauthenticated association request while security association still in place - but this is hugely complicated in order avoid DOS attack where unauthorized station breaks a valid security association by association attempts. Jon Edney, Nokia Jon Edney, Nokia

The General Problem March 2005 doc.: IEEE 802.11-05/0140r0 March 2005 The General Problem Security association must be tied to station identity (and/or user) Security association must be properly managed: broken only through lifetime expiry or explicit agreement to break. Implicit breaking is open door to DOS attacks The MAC address is used as the identifier of security association in current systems. If keys are lost the security association can no longer be used which implies the MAC address can no longer be used in the network until the SA expires. Jon Edney, Nokia Jon Edney, Nokia

A General Solution March 2005 doc.: IEEE 802.11-05/0140r0 March 2005 A General Solution Create concept of a “session” MAC address for use with each security association (SA). The session MAC address is created for each SA and valid only for the duration of the SA. STA can establish a new SA using a new session MAC address even if previous SA it still active. SA binds the station identity with the session MAC address. Session MAC address can use “local administration bit” Jon Edney, Nokia Jon Edney, Nokia

Benefits of Session MAC address March 2005 doc.: IEEE 802.11-05/0140r0 March 2005 Benefits of Session MAC address Deadlock problem is solved - if STA loses keys it simply re-establishes a new SA using a different session MAC address The session MAC address cannot obviously be linked to the station identity - the station can be anonymous to onlookers. Jon Edney, Nokia Jon Edney, Nokia

Issues for Session MAC Address Allocation March 2005 doc.: IEEE 802.11-05/0140r0 March 2005 Issues for Session MAC Address Allocation MAC Addresses are usually globally unique but “Local administration bit is available” “Universe” of the MAC address might be just the BSS Intent of Local Administration is a “manual process” where addresses are allocated and logged to prevent duplication Can we create automatic allocation in a way that guarantees no duplication? Allocation by “random number” has been rejected by RAC Automatic allocation might be OK if it assures no duplication Jon Edney, Nokia Jon Edney, Nokia

Session MAC address domain March 2005 doc.: IEEE 802.11-05/0140r0 March 2005 Session MAC address domain Real MAC Address Convert Address AP Network Real MAC PTK Sess. MAC Session MAC Address Real MAC Application Client Convert Address Real MAC Address Jon Edney, Nokia Jon Edney, Nokia

Additional requirement March 2005 doc.: IEEE 802.11-05/0140r0 March 2005 Additional requirement AP must learn real MAC Address of STA Can be sent securely as part of handshake Not needed until DS is open (Real MAC Address not needed for management frames) All existing provisions of 802.11i are unchanged. Jon Edney, Nokia Jon Edney, Nokia

MAC Address Allocation March 2005 doc.: IEEE 802.11-05/0140r0 March 2005 MAC Address Allocation AP is responsible for allocation of MAC addresses Managed (Non-Volatile Storage) Start with low value and allocate block of addresses (say 1024). Write block limit to NV memory. Allocates more blocks as required and update NVM On reboot start with last written bound from NVM Unmanaged (no Non Volatile Storage) Start with true random value Follow block allocation procedure If block exceeds address range loop to low value. Jon Edney, Nokia Jon Edney, Nokia

Distribution of MAC to STA March 2005 doc.: IEEE 802.11-05/0140r0 March 2005 Distribution of MAC to STA The STA needs to obtain a session MAC address from the AP prior to starting the association attempt Various methods are possible: Specific request mechanism Advertising by AP Piggyback on probe messages Need to ensure unique MAC address issued in case of two STA joining in parallel (race condition) Jon Edney, Nokia Jon Edney, Nokia

March 2005 doc.: IEEE 802.11-05/0140r0 March 2005 Summary Use of Session MAC address solves deadlock problem for all schemes and provides MAC address anonymity Jon Edney, Nokia Jon Edney, Nokia