CAPWAP Overview Saag Presentation 65 th IETF 23 March 2006 Scott G. Kelly T. Charles Clancy

Agenda Introduction Some background and current scope Security-related protocols, relationships, considerations, requirements Current state of things Conclusion

Introduction Defining a protocol to control and provision wireless access points Things carried over protocol include –Access Point configuration/control –Network access control decisions –Cryptographic session keys Security is obviously a significant concern –Compromised communications may result in infrastructure take-over Working group wants to invite security area participation Requesting appointment of a security advisor –Formal liaison with security area –Avoid delays in document advancement due to security concerns –Provide security community connection for security reviews, advice

Background Early Architecture AP STA AS/AAA Mgmt WLAN ELEMENTS AS: Authentication Server, typically RADIUS AP: wireless access point STA: wireless station (typically a laptop)

Current Architecture ( Security Protocol Hierarchy and Interactions) WTP AC STA WTP AC STA AAA RADIUS IPsec CAPWAP 802.1X, i, WPA Mgmt SNMP HTTP TLS SSH 802.1X, i, WPA Each layer in hierarchy depends on layers above for security

Complex Trust Relationships WTP AC STA WTP AC STA AAA RADIUS PSK Long-Term EAP Credential PSK/Cert PTK WTP MSK/PMK MK Mgmt Admin Credential Color Coding short-term keys long-term keys

Why is security important in CAPWAP? Many interdependent security protocols between station and network CAPWAP must not degrade existing security (can’t become weak link) Multiple deployment models –Direct L2 connection Physical security solves most problems –Routed connection, one administrative domain Mobile network elements introduce infrastructure risks –Routed connection, potentially hostile hops Remote WTP scenarios –Employees take WTPs home –Branch office WTP, Central office AC –Hotspots –some hops may be over wireless Mesh (e.g. metro wifi)

Additional CAPWAP Security Considerations “Splitting the MAC” introduces security complexity If crypto is terminated at the WTP, security context must arrive there securely (via AC), and WTP must implement data security functions –Otherwise, AC implements data security functions Since user/station authentication is mediated by the AC, it must securely interact with AS –WTP forwards 802.1x frames to AC AC-WTP communications must not be a weak link; they require –Strong mutual authentication –Data integrity verification –Confidentiality (depends on deployment nuances, threats)

CAPWAP Protocol Security Requirements AC ↔ AAA STA ↔ AAA STA ↔ WTP Management ↔ AC NOT CURRENTLY IN SCOPE (but requirements nonetheless) IN SCOPE AC ↔ WTP –Authentication is unique, strong, mutual, and explicit –Communications protected by strong ciphersuite

Current State of CAPWAP 4 competing protocol proposals were evaluated –WG created independent eval team –Protocols: LWAPP,SLAPP,WiCoP,CTP WG chose LWAPP as basis for new CAPWAP protocol LWAPP provides its own proprietary security mechanisms Eval team (and others) recommended replacing this with DTLS

LWAPP Security Protocol, cont. T. Charles Clancy (UMD) conducted security review, proposed improvements Protocol subsequently modified to meet wg objectives draft requirements and Clancy suggestions LWAPP/DTLS draft submitted by Kelly & Rescorla DTLS added to capwap-00 draft as proposed security mechanism Numerous operational details yet to be specified, but no show-stoppers uncovered or anticipated WG still discussing, hopefully to reach closure soon

Compare/Contrast DTLS vs LWAPP Standards-based protocol TLS is well reviewed (DTLS is equivalent from security perspective) Widely deployed on the Internet (TLS) Negotiation capability provides for algorithm agility Several freely available implementations Built-in DoS protection Employs security best practices –Unidirectional crypto keys –Each side contributes to IVs –Security parameter verification via message hash Continued benefit from broad deployment and scrutiny Home-grown protocol Latest incarnation has only one public review Little deployment experience No algorithm negotiation – crypto change requires protocol forklift No known open source implementations No DoS protection A few questionable security practices –Same key used for transmit/receive –One side controls IV generation –No verification of negotiable parameters (psk vs cert) One-off (capwap-only) deployment severely limits exposure to scrutiny DTLSLWAPP

SUMMARY Security is clearly an integral concern for CAPWAP IEEE efforts primarily focused on STA+WTP+AS AC  WTP interactions introduce various subtleties It’s easy to get security wrong, even when clueful people are involved – more eyes on the problem mitigates the risk CAPWAP would clearly benefit from additional security community participation Group needs formal security advisor Formal liaison with security area –Avoid delays in document advancement due to security concerns –Provide security community connection for security reviews, advice Questions?

Background Early WLAN deployments rely on “fat” access points –Standalone, individually managed network elements –Limited range implies mgmt scaling issues –User roaming implies other infrastructure issues Current generation moving to centralized control model, “thin” access points This presents a number of challenges that merit IETF attention

Background, cont. Next Generation WLAN Architecture WTP AC STA AAA Mgmt WTP AC STA New Terms AC: Access Controller WTP: Wireless Termination Point CAPWAP Domain

Current CAPWAP Scope There are many security-related interactions among wlan elements –Management Plane AAA/AS AC WTP –Arguably, should be managed entirely by AC –AC-WTP communications –WTP-STA communications Much of the related security is out of scope (provided by various IEEE protocols, RADIUS/EAP extensions) Current CAPWAP scope covers only AC-WTP communications Obviously don’t want to introduce weak link

Preaching to the choir CAPWAP group has familiar question Homegrown vs standards-based security? This is a debate we’ve had before in IETF –Roll your own security protocol? –Or use a standard, well-scrutinized one instead? Getting to closure on this ASAP is a priority for capwap wg

LWAPP Security Overview Initial protocol was certificate-based –WTP generates random session ID, forwards this with cert to AC –AC validates cert, generates crypto keys, encrypts with WTP public key, signs encrypted keys + session ID, returns these to WTP (RSA key wrap) –WTP unwraps keys, uses AES-CCM for subsequent control channel communications This protocol had a number of shortcomings

CAPWAP Attack Containment WTP AC STA WTP AC STA AAA WTP Compromise Affected Nodes Unaffected Nodes