A-MPDU Security Issues. Doc.: IEEE 802.11-07/2163r0, Submission, July 2007. Cam-Winget, Smith, Walker.

Presentation transcript:

Slide 1: A-MPDU Security Issues

Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE's name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE's sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11.

Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at.

Slide 2: General Problem
- 802.11n A-MPDU packets may transmit MSDU packets out of order.
  - The receiver is responsible for buffering the packets and reordering to maintain the original packet order as per 802.11n/D2.00 clause
- Block ACK reordering in 802.11n with implicit (HT-Immediate) Block ACK enables A-MPDU DoS attacks
  - all legitimate traffic can be discarded.

Slide 3: General Issue
- Clause Rx reordering buffer control specifies how receive packets are buffered to maintain order under block ack:
  - Packets are classified into categories based on the sequence number of the incoming packet (SN) and the current window of expected sequence numbers.
  - WinStart_B is the next expected sequence number that has not yet been received and WinEnd_B is the end of the window (WinEnd_B = WinStart_B + WinSize_B - 1). WinSize_B can be up to 64.
- A receiver only processes packets that are within the expected window:
  - WinStart_B <= SN <= WinEnd_B
  - All other packets are discarded
- The expected window can be moved forward by a single packet such that all legitimate packets will be treated as outside the window and discarded

Slide 4: 1st method to block ALL traffic
- A data packet with SN that is after the expected window: WinEnd_B < SN is < (WinStart_B ).
- Clause moves the window forward:
  - WinEnd_B = SN
  - WinStart_B = SN - WinSize_B + 1
- All legitimate traffic is now discarded as all of the packets will be treated as before the window and discarded as per
- The bad packet would be held waiting for the packets within the *new* window that precede the attack packet SN.
  - RSN protection doesn't help since MPDU decryption is done AFTER Block ACK Reordering

Slide 5: 2nd method to block all traffic
- A Block Ack Request (BAR) packet with an SSN (starting sequence number) of (WinStart_B ) is transmitted
- Clause categorizes BAR packets based on SSN into two categories:
  1) WinStart_B < SSN < (WinStart_B ) -- within or after the expected window
  2) (WinStart_B ) < SSN < WinStart_B -- before the expected window
- The attack packet moves the window forward as per as follows:
  - WinStart_B = SSN
  - WinEnd_B = SSN + WinSize_B - 1
- All legitimate traffic is now discarded, until the new window is reached.
- A legitimate BAR packet will not correct the problem as it will be treated as a type (2) BAR packet and will *not* adjust the window.

Slide 6: Suggestions
- Proposal to address SN window modification:
  - Use sequential encryption PNs for the A-MPDU sub-frames. A-MPDU sequential sequence numbers would still be required for the low level retransmission and block acking mechanism. CCMP is constructed such that it is feasible to reuse PN across TIDs provided it is only used once per TID
  - Validation of MIC should be done before Block ACK reordering
  - Block ACK reordering validates PN versus SN
  - ADDBA exchange must be updated to include starting PN
- BAR vulnerability still remains to be addressed:
  - Do not accept BAR packets outside the window
  - Only accept BAR packets that legitimately shift the window past a hole in the SN space for a discarded packet
  - Should extend CCMP to protect Block ACKs?
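The window rules on slides 3 to 5 and two of the slide 6 suggestions (validate the MIC before Block ACK reordering; do not accept BAR packets outside the window), as an added Python model that is not part of the original submission. Assumptions: the class and function names are hypothetical, the half-space bound of 2^11 is taken from the 12-bit 802.11 sequence space because the slide text no longer shows it, and `mic_ok` stands in for a real CCMP MIC check.

```python
SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits wide
HALF = 2048     # assumed half-space bound (2^11); not legible in the slide text

class ReorderWindow:
    """Toy model of the Rx reordering window; WinEnd_B = start + size - 1."""

    def __init__(self, start, size=64, verify_first=False):
        self.start, self.size = start % SEQ_MOD, size
        self.verify_first = verify_first  # hardened: MIC check before reordering
        self.buffered = set()

    def _offset(self, sn):
        # Distance of sn ahead of WinStart_B, modulo the sequence space.
        return (sn - self.start) % SEQ_MOD

    def _move(self, new_start):
        self.start = new_start % SEQ_MOD
        # Frames now behind the window leave the buffer (passed up in practice).
        self.buffered = {s for s in self.buffered if self._offset(s) < self.size}

    def on_data(self, sn, mic_ok=True):
        """Return 'accept', 'shift' or 'discard' for one data MPDU."""
        if self.verify_first and not mic_ok:
            return "discard"              # forged frame never reaches window logic
        off = self._offset(sn)
        if off >= HALF:
            return "discard"              # classified as before the window
        verdict = "accept"
        if off >= self.size:              # after the window: WinEnd_B = SN
            self._move(sn - self.size + 1)
            verdict = "shift"
        self.buffered.add(sn)
        while self.start in self.buffered:  # release frames that are now in order
            self.buffered.discard(self.start)
            self.start = (self.start + 1) % SEQ_MOD
        return verdict

    def on_bar(self, ssn, strict=False):
        """Apply a BlockAckReq; strict=True refuses an SSN beyond WinEnd_B."""
        off = self._offset(ssn)
        if off == 0 or off >= HALF or (strict and off >= self.size):
            return False                  # window unchanged
        self._move(ssn)
        return True

def delivered(window, frames):
    """Count frames not discarded; frames is a list of (sn, mic_ok) pairs."""
    return sum(window.on_data(sn, ok) != "discard" for sn, ok in frames)

# Constructed sample: ten genuine frames, one forged frame far ahead of the window.
LEGIT = [(sn, True) for sn in range(100, 110)]
FORGED_SN = 1100
```

With `verify_first=False` the forged frame moves the window and every frame in `LEGIT` is classified as before it; with `verify_first=True`, or `strict=True` for a BAR, the window stays where the genuine traffic expects it.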

Slide 7: Straw Poll
- Should TGn address these A-MPDU security issues before sponsor ballot?

Slide 8: Comments?

Slide 9: TGn MAC

Slide 10: Legitimate BAR to Shift Window
- Clause : After sending data within an A-MPDU with the Ack Policy field set to Normal Ack, the originator may send a BlockAckReq when it discards a data MPDU due to exhausted MSDULifetime. The purpose of the BlockAckReq, in this case, is to shift the recipient window past the hole in the SN space created by the discarded data.