doc.: IEEE /1547r0 Submission, December 2004, Jesse Walker, Liaison to JTC1/SC6

Slide 1: IEEE /JTC1 Engagement
Jesse Walker, IEEE 802 Liaison to JTC1/SC6
Slide 2: Agenda
Goals
Status
Discussion of backup material
Next steps
Backup
– Liaison presentation to JTC1/SC6 in October
– Strawman response to JTC1/SC6 input
– Strawman response to China's submission
– Strawman response to China's 802.11i comments
Slide 3: Goals
Develop response to input from JTC1/SC6
Develop separate response to China
– To their submission
– To their 802.11i comments
Develop position for the Frankfurt meeting
Authorize responses and position at the January 2005 IEEE meeting
Slide 4: Status (1)
China has submitted WAPI to ISO/IEC JTC1/SC6 for consideration as an international standard
– China's right as a National Body
– Under its rules, JTC1/SC6 must vote on whether to accept such a work item from National Bodies
At the October JTC1/SC6 meeting, IEEE 802 welcomed China's contribution as an optional standard complementing 802.11i
– WAPI implementation still optional under China's policy
– IEEE 802 feels the market can decide when to use which security standard
– Compatibility with the rest of 802.11 is the most important issue
JTC1/SC6 has not removed 802.11i from fast-track adoption
JTC1/SC6 has forwarded China's text to IEEE 802 for processing
Through administrative error, the JTC1/SC6 Secretariat (Ms. Jooran Lee, Korea) removed China's submission
JTC1/SC6/WG1 Project Editor (Mr. Robin Tasker, U.K.) has invited China to resubmit its proposal
Slide 5: Status (2)
JTC1/SC6 resolution on WAPI:
– SC6 instructs its Secretariat to forward the Chinese NB contribution (National Standard of China, GB ) found in 6N12687 to the IEEE 802 (and specifically IEEE 802.11) for information.
Documents forwarded:
– 6N12687: doc 11/ r0 (WAPI)
– ChinaCommentB: doc 11/ r0 (spectrum rules)
– 6N12732: doc 11/ (China's comments on 802.11i)
JTC1/SC6 authorized a meeting of WG1 in Frankfurt
– February 21-25, 2005
– Purpose: discuss China's submission and China's comments on 802.11i
Slide 6: Discussion
See backup material
– 802 liaison presentation to the October JTC1/SC6 meeting
– Strawman response to JTC1/SC6 input
– Strawman response to China's submission
– Strawman response to China's 802.11i comments
Slide 7: Next Steps
Create ad hoc Task Group to draft response to JTC1/SC6
– Chair:
Create ad hoc Task Group to draft response to China's submission
– Chair:
Create ad hoc Task Group to draft response to China's 802.11i comments
– Chair:
Next meeting: 12 PM EST, January 13, 2005
– Agenda: take reports on progress in the ad hoc Task Groups
Slide 8: Backup
Slide 9: Liaison Presentation at October JTC1/SC6 Meeting
Slide 10: IEEE 802.11 Preliminary Liaison Response to China Position Statement and Work Item Proposal 6 N
Bruce Kraemer, IEEE 802.11 Task Group n Chair
Al Petrick, IEEE 802.11 Working Group Vice Chair
Jesse Walker, IEEE Standard 802.11i Editor
Slide 11: Preliminary Response
IEEE 802.11 fully supports China's desire to improve WLAN security beyond what was originally provided by Wired Equivalent Privacy (WEP) in 1999
– IEEE 802 members recently invested >3 years in the development of the 802.11i extensions to dramatically improve security (N7537)
– WEP was not removed; 802.11i features were added
– Security development is not complete and continues to evolve within the Advanced Security study group
N7506 and N7537 are not mutually exclusive. Both can reside within 802.11 as security mechanisms and be invoked when and where needed.
Slide 12: Preliminary Response
IEEE 802 WG offers its full range of expertise to assist in the development of additional security systems that are both robust and well integrated into the IEEE Std 802.11 environment
– IEEE 802 WG wishes to ensure the broadest worldwide participation of all interested technical experts
– IEEE 802 WG is very receptive to holding meetings in Asia and has already done so for groups such as to better enable Chinese to engage in IEEE 802 standards work
– is making arrangements for a meeting in Beijing in May 2005
– IEEE 802.11 WG will be discussing the details of the Chinese comments (N12732) and a more formal IEEE 802.11 Liaison Response in San Antonio the week of November 15.
Request the addresses of those who prepared N12732 to continue the discussion
Liaison responses will be provided to SC6 soon thereafter
Slide 13: Preliminary Response
WAPI's success will require technical review by, or collaboration with, IEEE 802.11 WG
– The IEEE standards process requires:
  Extensions be forward compatible with all ongoing and planned amendments to IEEE Std 802.11
  No single amendment can break any other amendment
  Technical review inevitably leads to changes
– IEEE 802.11 WG needs ongoing participation by China's experts to guarantee it does not break any critical WAPI feature
Slide 14: Preliminary Response
Not all meetings can be held in Beijing
– IEEE 802 WG will continue to issue letters of invitation as requested
– IEEE 802 WG will investigate methods to expedite the issuance of visas
– All technical documents are available via the internet
– If requested, ISO participants can be added to reflectors
Slide 15: Preliminary Response
The core technical expertise for WLAN currently resides within the membership of IEEE 802.11 WG
– 6 times per year 500 people from around the world convene for this purpose.
– and teleconferences enable development to continue between meetings.
– SC6 has recognized that this scale of effort cannot be replicated
IEEE 802 WG wishes China's delegates to note that security is not the only topic of development. 15 projects are currently underway to improve and extend the capabilities of WLANs. Most of those will be brought to ISO for incorporation into . China is not contributing to those developments.
IEEE 802 WG wishes to better understand under what conditions China would consider contributing to and participating in all aspects of WLAN development
Slide 16: Strawman Response to JTC1/SC6
Slide 17: Response to JTC1/SC6
IEEE 802 thanks JTC1/SC6 for its inputs
IEEE 802 offers to initiate a process leading to the creation of an IEEE 802.11 Task Group to process China's submission in 6N12687 and ChinaCommentB as an amendment to IEEE 802.11
– The amendment would add China's National Standard as an alternative security method to IEEE 802.11i, not replace IEEE 802.11i
– On completion, IEEE 802 would forward the amendment to JTC1/SC6 for ratification
– Based on similar work (incorporation of Japan's regulatory requirements in IEEE ), this is estimated as requiring 2 years
IEEE 802 does not believe other approaches would result in an amendment compatible with IEEE Std 802.11
Slide 18: Strawman Response to China's Submission
Slide 19: Response to China's Submission (1)
IEEE 802 thanks China for their contribution
IEEE 802 desires China's citizens to participate in the IEEE 802.11 WG, and in particular in a Task Group to incorporate China's National Standard as an amendment
Under IEEE 802 IPR policy, submissions by China's citizens will be treated equally with all other submissions
IEEE 802.11 WG welcomes the formation of a TG to integrate China's submission into 802.11 as an amendment to IEEE Std 802.11
– Consensus that the Task Group should hold interim meetings dealing with China's submission in China
– IEEE 802 is dedicated to working to minimize visa problems for IEEE 802 Plenary meetings in the U.S.
Slide 20: Response to China's Submission (2)
The interest of the IEEE 802.11 TG is to integrate China's submission into the Standard, not alter its design
– This will likely require some small changes to make it forward compatible with IEEE 802.11 amendments under development
– But all changes must meet the approval of China's experts
The intent is to make this an alternative to 802.11i, not replace 802.11i
– Let the market decide when to use each
Under U.S. law, discussion of classified algorithms is prohibited
– Either China must publicly disclose its block cipher algorithm, or else its experts must not discuss China's block cipher algorithm at IEEE 802 meetings
Slide 21: Response to China's Submission (3)
Project success requires participation by China's citizens
Slide 22: Strawman Response to China's 802.11i Comments
Slide 23: China's 802.11i Comments
In JTC1/SC6 doc 6N12732 China makes the following claims about IEEE Std 802.11i:
No mutual authentication is specified in the standard
A shared key must be set up manually for each AP and the authentication server
The authentication protocol is complex
There is a problem with the security of the master key
Slide 24: No Mutual Authentication Specified
Issue: IEEE Std 802.11i specifies no mutual authentication algorithm
Response: This is by design and intent
– 802.11i deals with the MAC layer, not application or system level functions
  Authentication is a system level function
  Authentication is out of scope, so 802.11i explicitly declares that it assumes mutual authentication
– The market requires different authentication mechanisms for different market segments
Slide 25: No Mutual Authentication Specified
The market has said it must have different authentication mechanisms for different market segments
– Examples
  Enterprises want EAP-TLS, PEAP+MSCHAPv2, and PEAP+OTP
  3G operators want EAP-SIM
  China Mobile wants to use EAP-CAVE
  Home users want to use pre-shared keys (no authentication)
– Reuse of investment in VPN and remote access authentication technology is essential to make deployment economically feasible
– Operators and enterprises want to issue their own credentials
  Unwilling to expose customers' real identities to competitors
  Unwilling to expose employees' real identities to outsiders
Leaving authentication for the market to specify is no different than China's submission leaving the block cipher to individual nations to specify
Slide 26: Authentication Protocol Complex
Issue: Concern that IEEE Std 802.1X authentication does not scale
Response: Categorically false. IEEE 802.11 TGi adopted the IEEE Std 802.1X framework precisely to address scaling issues
– The authentication server centralizes authentication and access control decisions
– This approach is well-tuned to economics
– Operational experience shows it does indeed scale very well
  Example: networks with ~10000 APs have been deployed without problems
Slide 27: AP-AS Key Setup Manual
Issue: The AP-AS channel requires manual key setup
Response: Categorically false. IEEE Std 802.11i does not specify the relationship between the AS and the AP
– Outside IEEE 802's scope
– Instead within the scope of the IETF AAA WG
IETF AAA defines multiple mechanisms for AP-AS key setup
– Manual configuration
– IKE (IPsec key agreement), used with RADIUS
– TLS key agreement, used with Diameter
Other automated keying mechanisms exist for other transports (e.g., LDAP)
Slide 28: Security of the Master Key (1)
Issue: The session key is negotiated between the AS and the client, not between the AP and the client
– The AS can compromise the session key
– The session key can be compromised when transported to the AP
Response: The difference between the security of the on-line trusted third party (TTP) model and the off-line TTP model that China's submission uses is a matter of taste, not a security issue
– The TTP is subject to compromise in both models:
  On-line model also compromised by attacking the key transfer
  Off-line model also compromised by blocking access to the revocation list
Slide 29: Security of the Master Key (2)
Response: Operational experience shows on-line model performance is better than that of the off-line model
– Off-line model operations are three orders of magnitude more expensive than on-line model operations
– The on-line model is better suited to WLAN economics