Protecting Associations Attacks – Some Considerations
Doc.: IEEE 802.11-07/2913r0, Submission, November 2007
Kapil Sood, Intel Corporation
Date: 2007-11-15

Presentation transcript:

Slide 1: Protecting Associations Attacks – Some Considerations

Slide 2: Abstract
Analysis and considerations for design proposed in w-sa-teardown-protection.ppt and w-sa-teardown-protection-text
  – Security
  – Design/Implementation
  – Deployment
And, some plausible alternatives

Slide 3: w D3.0
11w protects deauths/disassoc, which
  – Eliminates a sub-class of DoS attacks
  – Removes mechanism for clients to recover from inadvertent disconnects
Still leaves the window open for masqueraded Association DoS attacks
  – Problem is that the protection of deauth/disassoc does not allow clients to recover

Slide 4: Proposal from Legitimate Case
Non-AP STA sends (Re)association
AP rejects association, but starts ping
AP pings the STA
Only failure drops the SA and disables encryption
STA tries again
[Figure: message sequence between Non-AP STA and AP. Labels: Response Timeout; Ping Request; SA Terminated; Association Request; Association Response (Reject: Try Again Later); EAPOL Pings Ignored; Association Request; Association Response]

Slide 5: Proposal from Attacker Case
Attacker sends (Re)association
AP pings the STA
AP stops processing the Association
AP and STA continue using old association and SA
[Figure: message sequence between Non-AP STA, AP and Attacker. Labels: Response Timeout; Ping Request; Ping Response; Association Request; Association Response (Reject: Try Again Later)]

Slide 6: Security Considerations
Cascade “Ping” floods
  – Each message by the attacker causes at least 3 messages in the WLAN
  – Even legitimate Associations cause multiple messages in the WLAN
Changes the effects of the Association attack
  – From Client lockout to a flooding attack
A new, more lethal attack
  – Attacker just needs to modify his script to masquerade all valid STAs on WLAN and create unstoppable “ping” floods
  – What does it do to (Enterprise) WLAN radio environment?
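Added example (not part of the original slides or of the 11w proposal text): a small Python model of the AP-side procedure from slides 4 and 5, used to count the frames each (Re)association Request induces, as slide 6 discusses. The class, function and station names are this example's own, and the frame counts are properties of this simplified model only.

```python
from dataclasses import dataclass, field

@dataclass
class AP:
    """Toy AP following slides 4-5; all names here are this example's own."""
    sas: set = field(default_factory=set)    # STAs holding a security association
    air: list = field(default_factory=list)  # frames induced by the requests

    def on_assoc_request(self, sta, sta_answers_ping):
        """Process a (Re)association Request that claims to come from `sta`.

        sta_answers_ping: True if the holder of the existing SA is alive and
        answers the ping; False if it lost its keys and the ping times out.
        """
        if sta not in self.sas:
            self.air.append("Association Response")
            self.sas.add(sta)  # simplification: key handshake omitted
            return "accepted"
        self.air += ["Association Response (Reject: Try Again Later)",
                     "Ping Request"]
        if sta_answers_ping:
            self.air.append("Ping Response")
            return "rejected, SA kept"
        self.sas.discard(sta)  # Response Timeout -> SA Terminated
        return "rejected, SA terminated"


def legitimate_recovery(sta="sta-1"):
    """Slide 4: a STA that lost its SA retries after the ping times out."""
    ap = AP(sas={sta})
    first = ap.on_assoc_request(sta, sta_answers_ping=False)
    second = ap.on_assoc_request(sta, sta_answers_ping=False)
    return first, second, list(ap.air)


def masqueraded_requests(stations, per_station):
    """Slides 5-6: requests masquerading as associated STAs that are alive.

    Returns (requests received, frames induced, all SAs still intact).
    """
    ap = AP(sas=set(stations))
    for sta in stations:
        for _ in range(per_station):
            ap.on_assoc_request(sta, sta_answers_ping=True)
    received = len(stations) * per_station
    return received, len(ap.air), ap.sas == set(stations)


if __name__ == "__main__":
    print(legitimate_recovery())
    print(masqueraded_requests(["sta-1", "sta-2", "sta-3"], per_station=10))
```

In this model the existing SAs survive every masqueraded request, but each request induces three further frames, which is the shift from client lockout to flooding that slide 6 describes.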

Slide 7: Security Considerations
“Power Drain” Attacks
  – On STAs in Power Save Mode
  – STAs in Power-Save mode now need to be awoken to respond to these “pings”
Attacker not only creates floods, but also drains battery

Slide 8: Design/Implementation Considerations
How will “Comeback Later” value be set?
  – Too long => Legitimate users suffer
  – Too short => Serves no useful purpose, as ping will immediately follow
Design Complexity
  – Association state machine changes lead to a multitude of new client behaviors
  – STA may start a re-Scan
  – AP Selection: Drop AP in “prohibited” AP-list
  – Power Save algorithms
Complexity increases implementation costs

Slide 9: Deployment Considerations
Enterprises need Stable Client environment
  – Introduction of 11w will immediately cause unknown and different client behaviors
  – Serious problem for large enterprises with
      Multiple vendor products
      Co-existing voice/video/data WLANs
“Can I turn-off Association Mitigation feature?”
  – Not without turning off entire 11w!

Slide 10: Deployment Considerations
What is the operational impact
  – Enterprise Study or Simulations of the proposal is needed
  – How do extra high priority messages (“ping floods”) impact voice and data WLANs?
What is User experience due to association delays
Immediate Enterprise problem:
  – Control erratic client behavior – Client Manageability
  – This proposal causes immediate churn
Where attacks happen – Home/Operator
  – Is 11w a home/operator feature?
  – Are some parts of 11w more pertinent to home?

Slide 11: Suggestions
Add Capability Bit to allow 11w deployment flexibility
  – Bit 0: TGw mandatory protects Unicast Action Frames and BIP
  – Bit 1: Protects unicast disassociate/deauthenticate/associate
  – Capability bit allows enterprises to roll-out 11w without drastic client association behavior
Allow basic Client recovery procedures using “ping”
  – No enforcement of the “Ping Procedure”

Slide 12: Other Alternatives
An adequate solution for containing such attacks is a difficult proposition. Here are preliminary other ideas:
AP to support multiple simultaneous EAP Authentications
Change the 11i Association handshake procedure
  – Authenticate before Associate

Slide 13: Summary
The current proposal ( / ) has significant unmeasured impact
  – Security, Design, Deployment, User
Complexity and Costs may deter implementation and deployments
Mandatory proposed solution may outweigh the perceived benefits of 11w
  – For broad adoption: 11w should be incremental, not radical