Light Weight Access Point Protocol (LWAPP) Pat R. Calhoun Bob O’Hara Rohit Suri Nancy Cam Winget Scott Kelly Michael Williams Sue Hares draft-ohara-capwap-lwapp-03.txt.

Presentation transcript:

Light Weight Access Point Protocol (LWAPP) Pat R. Calhoun Bob O’Hara Rohit Suri Nancy Cam Winget Scott Kelly Michael Williams Sue Hares draft-ohara-capwap-lwapp-03.txt

Introduction
LWAPP is a candidate protocol for CAPWAP that supports both Split and Local MAC approaches
The protocol specification is mature and complete
–Products have been shipping for well over 2 years
–LWAPP specs have been available through individual contributions for well over 18 months
–Many comments have been received (both technical and editorial), which have been included in the specification

Introduction (cont.)
LWAPP Version 03 was submitted to the IETF
This document comprises many changes:
–Addresses all comments and issues identified in Charles Clancy's security review
–Addresses all non-conforming objectives listed in LWAPP self evaluation version 00
–Complete text for Local MAC support was added (although initially supported, normative text was missing)
–Support for IPv6
–Added a significant amount of behavioral text to aid interoperability, e.g., the BSSID/SSID mapping recommendation

Why use Frames?
An AC can perform its task better if it has complete information
–e.g., BSSID enforcement at the AC
Signal strength allows the AC to make access policy decisions based on RF information
Also useful for Local MAC
–Proxy MAC allows the WTP to make access control decisions, while providing visibility to the AC

Addressing Security Review Comments
We worked directly with Charles in addressing identified issues, ensuring the solution was technically (and cryptographically) sound, including:
–Simplified the state machine to provide key confirmation for all security mechanisms supported
–Mutual derivation of LWAPP session keys and initialization vector
–Unified key exchange protocol for both X.509 (asymmetric) and pre-shared key (symmetric) security modes
–Included an X.509 certificate profile to ease interoperability (and eliminate man-in-the-middle attacks)
–Text describing the use of i, and how to handle handoffs in conjunction with i to avoid vulnerabilities
Makes use of NIST approved cryptographic algorithms only

Basic LWAPP Architecture
Figure: message flow between STA, WTP and AC
–STA–WTP link: AssocReq, AssocResp, Data Frame
–WTP–AC link: the same frames carried in LWAPP data packets (C=0): AssocReq LWAPP (C=0), AssocResp LWAPP (C=0), Data Frame LWAPP (C=0)

Advantages of using frames
The design goal behind LWAPP was to allow for extensions to be added with minimal (if any) protocol changes
Minimize lag time between IEEE extension publication and ability to deliver CAPWAP based solutions
LWAPP is also efficient on the AP processor as it only requires tunneling
–Local MAC requires additional processing on the AP to provide Proxy MAC

LWAPP Configuration Mgmt
Figure: configuration messages between AC (Global Configuration) and WTP (Override Configuration)
–Config Request (Override Configuration) (SSID=foobar, RSN, WMM)
–Config Update (Configuration) (e.g., External Antenna)
Override Configuration: by default, the WTP uses the AC configuration, but can have its own override configuration for APs that require a different configuration from the norm (e.g., a corner-of-building AP requires only the left antenna to be enabled)

Advantages of Configuration Mgmt
Allows for centralized (global AC) configuration policies to be enforced
Allows for localized configuration override for specific WTPs
Allows for a WTP to provide localized configuration to one of many ACs, without a need for a global WTP configuration database
No complex configuration versioning problem

Modes of Operation
Mode        Encryption          Status
Split MAC   Encryption at WTP   Mandatory to implement for Split MAC
Split MAC   Encryption in AC    Optional
Local MAC   Encryption at WTP   Mandatory to implement
Small number of modes of operation
Provides sufficient flexibility
Mandatory to implement modes guarantee interoperability

Quality of Service
The LWAPP spec contains complete QoS handling, including:
–Marking of tunneled packets between AC and WTP
–Configuration of e EDCA parameters in the WTP
–Enforcement of e at the WTP
–Configuration of e/802.1P/DSCP table mapping

Objectives Comparison (Feature: Compliance Rating)
Logical Groups: S
Support for Traffic Separation: S
Wireless Terminal Transparency: S
Configuration Consistency: S
Firmware Trigger: S
Monitoring and Exchange of System-wide Resource State: S
Resource Control Objective: S
CAPWAP Protocol Security: S
System-wide Security: S
IEEE i Considerations: S
Interoperability Objective: S
Protocol Specifications: S
Vendor Independence: S
Vendor Flexibility: S
Multiple Authentication Mechanisms: S
Support for Future Wireless Technologies: S
Support for New IEEE Requirements: S
Interconnection Objective: S
Access Control: S
Support for Non-CAPWAP WTPs: S
Technical Specifications: S
AP Fast Handoff: S

Questions?

Backup

LWAPP Packet Formats
LWAPP Header: VER | RID | C | F | L | Frag ID | Length | Status/WLANs | Payload...
Control Packets (C=1): Message Type | Seq Num | Msg Element Length | Session ID | Msg Element [0..N]
Data Packets (C=0): RSSI | SNR | Frame (Status Field, Payload)
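A parser for the three layouts on this slide, added here as an example; it is not code from the LWAPP draft. The slide gives only the field order, so the bit widths (VER 2, RID 3, C/F/L 1 each, Frag ID 8, Length 16, Status/WLANs 16; control header 8/8/16/32; 16-bit type and length per message element; RSSI as a signed dBm byte) and the rule that Length counts the bytes after the 6-byte header are assumptions of this example.

```python
import struct
from dataclasses import dataclass

@dataclass
class LwappHeader:
    ver: int; rid: int; c: bool; f: bool; l: bool
    frag_id: int; length: int; status_wlans: int

def build_header(ver, rid, c, f, l, frag_id, length, status_wlans):
    b0 = (ver << 6) | (rid << 3) | (c << 2) | (f << 1) | l   # assumed bit layout
    return struct.pack("!BBHH", b0, frag_id, length, status_wlans)

def parse_elements(buf):
    # Message elements assumed as Type(16) | Length(16) | Value TLVs; the slide only says Msg Element [0..N].
    elems, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated message element header")
        etype, elen = struct.unpack("!HH", buf[off:off + 4])
        if off + 4 + elen > len(buf):
            raise ValueError("message element length exceeds packet")
        elems.append((etype, buf[off + 4:off + 4 + elen]))
        off += 4 + elen
    return elems

def parse_lwapp(pkt):
    """Parse the 6-byte LWAPP header, check Length against the payload, then dispatch on the C bit."""
    if len(pkt) < 6:
        raise ValueError("short LWAPP header")
    b0, frag_id, length, status = struct.unpack("!BBHH", pkt[:6])
    hdr = LwappHeader(b0 >> 6, (b0 >> 3) & 7, bool(b0 & 4), bool(b0 & 2), bool(b0 & 1), frag_id, length, status)
    payload = pkt[6:]
    if length != len(payload):          # assumed: Length counts bytes after the header
        raise ValueError(f"Length {length} != payload {len(payload)}")
    if hdr.c:                           # Control packet: Message Type | Seq Num | Msg Element Length | Session ID
        if len(payload) < 8:
            raise ValueError("short control header")
        mtype, seq, elen, sid = struct.unpack("!BBHI", payload[:8])
        if 8 + elen != len(payload):
            raise ValueError("Msg Element Length inconsistent with payload")
        return hdr, {"type": mtype, "seq": seq, "session_id": sid, "elements": parse_elements(payload[8:])}
    if len(payload) < 2:                # Data packet: RSSI | SNR | frame
        raise ValueError("short data header")
    rssi, snr = struct.unpack("!bB", payload[:2])   # RSSI treated as signed dBm (assumed)
    return hdr, {"rssi": rssi, "snr": snr, "frame": payload[2:]}

# Constructed sample: a control packet (C=1) carrying one message element of type 1 and value b"abc"
SAMPLE_CTRL = (build_header(0, 0, 1, 0, 0, 0, 8 + 4 + 3, 0) + struct.pack("!BBHI", 1, 7, 7, 0xDEADBEEF)
               + struct.pack("!HH", 1, 3) + b"abc")
```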

Revised LWAPP State Machine
Figure: state machine diagram (not recoverable from the transcript). States shown: Idle, Discovery, Sulking, Join, Join-Confirm, Image Data, Configure, Reset; transitions are lettered; the diagram labels a Key Confirmation Phase.

Unified Key Exchange
CERT mode:
Join-Req(SID, XNonce, WTP-Cert)
Join-Resp(SID, RSA-E(wtp-Kpub, XNonce XOR ANonce), AC-Cert)
Join-Ack(RSA-E(ac-Kpub, WNonce), AES-CMAC(SK1M, Join-Ack))
Join-Confirm(AES-CMAC(SK1M, Join-Confirm))
PSK mode:
Join-Resp(SID, AES(RK0E, XNonce XOR ANonce), AES-CMAC(RK0M, Join-Resp))
Join-Ack(AES(RK0E, WNonce), AES-CMAC(SK1M, Join-Ack))
Join-Confirm(AES-CMAC(SK1M, Join-Confirm))
Key derivation:
RK0 = KDF(psk, string || SID || WTP-MAC || AC-MAC): RK0E (Encryption Key), RK0M (MIC'ing Key)
*SK1 = KDF(WNonce || ANonce, string || SID || WTP-MAC || AC-MAC): SK1E (Encryption Key), SK1M (MIC'ing Key), SK1R (Rekey Key), IV
*WTP generates K1 (once it holds ANonce, before sending Join-Ack); *AC generates K1 (once it holds WNonce, on receiving Join-Ack)
First frame uses IV from AC, SK1E plumbed into crypto engine

Proposed ReKey Exchange
Rekey-Req(new-SID, XNonce)
Rekey-Resp(new-SID, AES(RK0E, XNonce XOR ANonce), AES-CMAC(RK0M, Join-Resp))
Rekey-Ack(AES(RK0E, WNonce), AES-CMAC(SK2M, Join-Ack))
Rekey-Confirm(AES-CMAC(SK2M, Join-Confirm))
Key derivation:
RK0 = KDF(SK1R, string || SID || WTP-MAC || AC-MAC): RK0E (Encryption Key), RK0M (MIC'ing Key)
*SK2 = KDF(WNonce || ANonce, string || SID || WTP-MAC || AC-MAC): SK2E (Encryption Key), SK2M (MIC'ing Key), SK2R (Rekey Key), IV
*WTP generates K2; *AC generates K2
SK2E and new IV plumbed into crypto engine
SK1R replaced with SK2R
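The PSK-mode Join exchange and the Rekey exchange on the two slides above share one shape: RK0 is derived from a secret (the PSK for Join, SK1R for Rekey), nonces are exchanged under RK0, and the new session key is confirmed by MICs in both directions. The simulation below is an added example, not code from the LWAPP draft: the slides name KDF, AES and AES-CMAC without defining the KDF or the "string" label, so HMAC-SHA256 stands in for the KDF and the MIC, a keystream XOR stands in for AES, and the labels are constructed. It shows the key schedule, the MIC checks, and what an on-path modification of Join-Resp does to the exchange.

```python
import hashlib, hmac, os

def kdf(secret, label, n):
    # Stand-in KDF (HMAC-SHA256 in counter mode); the slides name KDF() but do not define it.
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(secret, bytes([i]) + label, hashlib.sha256).digest()
    return out[:n]

def mic(key, msg):
    # Stand-in for AES-CMAC(key, msg): HMAC-SHA256 truncated to 16 bytes.
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def enc(key, label, data):
    # Stand-in for AES(key, data): XOR with a per-message KDF keystream (not real AES).
    return xor(data, kdf(key, b"enc" + label, len(data)))

def derive_sk(wnonce, anonce, sid, wtp_mac, ac_mac):
    # SKn = KDF(WNonce || ANonce, string || SID || WTP-MAC || AC-MAC), split into the
    # E (encryption), M (MIC'ing), R (rekey) keys and IV as on the slide; "string" is assumed.
    km = kdf(wnonce + anonce, b"LWAPP-SK" + sid + wtp_mac + ac_mac, 64)
    return {"E": km[:16], "M": km[16:32], "R": km[32:48], "IV": km[48:]}

def psk_join(secret, sid, wtp_mac, ac_mac, tamper=False):
    """Run the 4-message exchange; secret is the PSK for Join or SK1R for Rekey.
    Returns (resp_mic_ok, ack_mic_ok, confirm_mic_ok, keys_agree)."""
    rk0 = kdf(secret, b"LWAPP-RK" + sid + wtp_mac + ac_mac, 32)  # RK0 -> RK0E, RK0M
    rk0e, rk0m = rk0[:16], rk0[16:]
    xnonce = os.urandom(16)                        # WTP: Join-Req(SID, XNonce)
    anonce = os.urandom(16)                        # AC picks ANonce
    body = sid + enc(rk0e, b"resp", xor(xnonce, anonce))
    resp = body + mic(rk0m, b"Join-Resp" + body)   # Join-Resp(SID, AES(RK0E, X^A), CMAC(RK0M, ..))
    if tamper:                                     # on-path modification of the nonce field
        resp = resp[:len(sid)] + bytes([resp[len(sid)] ^ 0x80]) + resp[len(sid) + 1:]
    body, tag = resp[:-16], resp[-16:]
    if not hmac.compare_digest(mic(rk0m, b"Join-Resp" + body), tag):
        return (False, False, False, False)        # WTP drops it: RK0M MIC fails
    anonce_w = xor(xnonce, enc(rk0e, b"resp", body[len(sid):]))  # WTP recovers ANonce
    wnonce = os.urandom(16)
    sk_wtp = derive_sk(wnonce, anonce_w, sid, wtp_mac, ac_mac)   # WTP generates K1
    abody = enc(rk0e, b"ack", wnonce)
    ack = abody + mic(sk_wtp["M"], b"Join-Ack" + abody)          # Join-Ack(AES(RK0E, WNonce), CMAC(SK1M, ..))
    sk_ac = derive_sk(enc(rk0e, b"ack", abody), anonce, sid, wtp_mac, ac_mac)  # AC generates K1
    ack_ok = hmac.compare_digest(mic(sk_ac["M"], b"Join-Ack" + abody), ack[-16:])
    confirm = mic(sk_ac["M"], b"Join-Confirm")                   # Join-Confirm(CMAC(SK1M, Join-Confirm))
    confirm_ok = hmac.compare_digest(mic(sk_wtp["M"], b"Join-Confirm"), confirm)
    return (True, ack_ok, confirm_ok, sk_wtp == sk_ac)
```

Calling psk_join again with the first run's SK1R as the secret and a new SID reproduces the Rekey slide, since RK0 = KDF(SK1R, ...) has the same form as RK0 = KDF(psk, ...).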

X.509 Certificate Profile
The latest LWAPP specification includes an X.509 certificate profile to facilitate interoperability
The X.509 profile defines a field that indicates a device's CAPWAP role (AC or WTP)
Embedding the role eliminates the possibility of man-in-the-middle attacks