Issue #138 CAPWAP WG Meeting IETF 68, Prague. Issue 138 #138: Support and Negotiation of WTP data encryption in the CAPWAP protocol Proposed solution.

Slides:

Advertisements

Similar presentations

Migration Considerations and Techniques to MPLS-TP based Networks and Services Nurit Sprecher / Nokia Siemens Networks Yaacov Weingarten / Nokia Siemens.

Advertisements

Head Restraint GTR Status to AC th Session of WP.29 March 2007 Informal document No. WP , March 2007, agenda item II

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

CAPWAP Editor’s Report Pat R. Calhoun Cisco Systems, Inc.

Light Weight Access Point Protocol (LWAPP) IETF 57 Pat Calhoun, Airespace.

Report from the “Smart Object Security Workshop 23 rd March 2012, Paris” Presenter: Hannes Tschofenig.

BUYING PROCESS MAPS. 2 What is a BPM? A Buying Process Map (BPM) is a sales tool that maps the decision making process used to purchase a product, service.

CAPWAP Overview Saag Presentation 65 th IETF 23 March 2006 Scott G. Kelly T. Charles Clancy

Industry Canada 1 Bob Leafloor Colman Ho Peter Chau Industry Canada January 2003 (ENUM) T E lephone NU mber M apping.

Submission February 2014 Slide 1 IEEE 802 Response to FDIS comments on IEEE 802.1AR 20 March 2014 Authors: NameCompanyPhone .

CAPWAP Overview SAAG Presentation 65 th IETF 23 March 2006 Scott G. Kelly T. Charles Clancy

CAPWAP Issues: QoS Mahalingam Mani IETF 67 6 Nov 2006, San Diego.

Status of CAPWAP Architecture Draft Lily Yang Intel Corp. March 3, th IETF meeting.

XCON WG IETF-73 Meeting Instant Messaging Sessions with a Centralized Conferencing (XCON) System draft-boulton-xcon-session-chat-02 Authors: Chris Boulton.

Yang Shi (Richard), Yong Zhang IETF 74 th 26 March 2009, San Francisco CAPWAP WG MIB Drafts Report.

Doc.: IEEE /595r2 Submission May 2002 Lily Yang, Tyan-Shu JouSlide 1 Mesh Relevance in CAPWAP and AP Functional Descriptions L. Lily Yang (Intel.

Topic #1 DTLS Related Issues Pat R. Calhoun. Issue 226: Transition to Join State Current CAPWAP state machine requires knowledge of DTLS state machine.

Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.

Status Update of CAPWAP Architecture Taxonomy Lily Yang (Editor) Intel Corp. August 4, th IETF meeting.

CAPWAP Taxonomy Recommendations Pat R. Calhoun, Cisco Systems Bob O’Hara, Cisco Systems Inderpreet Singh, Chantry Networks.

IPv6 Site-Local Discussion Bob Hinden & Margaret Wasserman IETF 56 San Francisco March 2003.

CCSDS march 2008 meeting – Crystal City 1 TC/TM space links security SEA / SLS cross area meeting.

March 2006 CAPWAP Protocol Specification Update March 2006

Doc.: IEEE /080r0 Submission February 2004 Welborn, MotorolaSlide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs)

CAPWAP Arch-Draft Issues IETF 59, Seoul 4 March 2004.

Base Specification for Multicast in BGP/MPLS VPNs draft-raggarwa-l3vpn-2547-mvpn-00.txt Rahul Aggarwal Juniper Networks.

62 nd IETF – CAPWAP Working Group1 CAPWAP Objectives Saravanan Govindan March 2005.

Packet Format Issues #227: Need Shim Header to indicate Crypto Property of packet Do we need to add pre-amble header to indicate if data is encrypted or.

CAPWAP Security 65 th IETF 20 March 2006 Scott Kelly

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

61 st IETF – CAPWAP Working Group1 CAPWAP Objectives Saravanan Govindan Panasonic 8 November, 2004.

Slide 1 July 2006, Montreal, QuebecIETF DNSEXT 2929bis Donald E. Eastlake 3 rd

64th IETF Vancouver November 2005 Choosing a PCC-PCE Protocol.

Requirements and Selection Process for RADIUS Crypto-Agility December 5, 2007 David B. Nelson IETF 70 Vancouver, BC.

Issues Discussions CAPWAP Interim Jan 24-25, 2007 Mahalingam Mani.

SLAPP Dan Harkins Partha Narasimhan Subbu Ponnuswarmy.

Doc.: IEEE /0147r0 Submission January 2012 Rolf de Vegt (Qualcomm)) Slide ai Spec Development Process Update Proposal Date:

July 2007 CAPWAP Protocol Specification Editors' Report July 2007

PWE3 Control Word Mandate: draft-delregno-pwe3-mandatory-control-word Nick DelRegno PWE3 WG IETF 79.

December 5, 2007IETF 70 L3VPN WG1 MVPN Profiles Why do we need “profiles”? –By design, architecture provides many choices: PE-PE C-multicast routing info.

ECC Design Team: Initial Report Brian Minard, Tolga Acar, Tim Polk November 8, 2006.

Re-cap & Next Steps Mahalingam Mani. The WG Now and from Now The main deliverables have progressed close to completion for this charter Problem statement.

MPTCP – MULTIPATH TCP WG meeting Tuesday 23 rd & Friday 26 th March 2010 Anaheim, ietf-77.

IETF CAPWAP Protocol Objectives China Mobile,Huawei Technology, Intel Corporation,ZTE,RITT Nov. 8,2004.

Doc.: IEEE /0946r1 Submission July 2012 A proposal for next generation security in built on changes in ac 16 July 2012 Slide 1 Authors:

The simulated plenary session. What you have to do - 6 steps 1.Study the opinion 2.Choose your group (1 student per group), draft and submit amendments.

Issue EAPoL-Key message generation at WTP or AC Issue 199, summarized as:...the WTP maintains the KeyRSC while the AC requires this information to.

1 PSAMP WGIETF, November 2003PSAMP WG PSAMP Framework Document draft-ietf-psamp-framework-04.txt Duffield, Greenberg, Grossglauser, Rexford: AT&T Chiou:

Hybrid-MAC Model for CAPWAP draft-ietf-opsawg-capwap-hybridmac-00 Presenting: Hui Deng:

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

CAPWAP Threat Analysis

TLS Security Profiles Rob Horn WG-14: Security.

CSE 4905 IPsec II.

Topic #1 & #5 “All that has to do with header formats”

Mesh Relevance in CAPWAP and AP Functional Descriptions

3-2: Solving Systems of Equations using Substitution

Working Group Re-charter Draft Charter Reference Materials

3-2: Solving Systems of Equations using Substitution

Solving Systems of Equations using Substitution

ECE 544 Protocol Design Project: Description and Timeline

Issue Discussion: KeyRSC (43)

3-2: Solving Systems of Equations using Substitution

Mesh Relevance in CAPWAP and AP Functional Descriptions

The simulated plenary session

3-2: Solving Systems of Equations using Substitution

3-2: Solving Systems of Equations using Substitution

3-2: Solving Systems of Equations using Substitution

3-2: Solving Systems of Equations using Substitution

3-2: Solving Systems of Equations using Substitution

IETF-104 (Prague) DHC WG Next steps

Presentation transcript:

Issue #138 CAPWAP WG Meeting IETF 68, Prague

Issue 138 #138: Support and Negotiation of WTP data encryption in the CAPWAP protocol Proposed solution to require WTP encryption at both AC & WTP. –Issue evolved to require WTP to support encryption and allow the AC to choose centralized encryption. (MAY vs MUST) Discusssion/Presentation at Interim Meeting, show of hands did not set consensus –Once we have meeting consensus, then WG list check is needed. –Consensus Call on 2/23/07. Ended on March 1 st w/o consensus –Consensus check on WG list did not have enough participation, less than 2 weeks in order to meet IETF draft deadlines

Issue #138 Originally included several sub-issues Only remaining issue is interoperability for two encryption modes in Split MAC mode –Encryption/decryption performed on the WTP –Encryption/decryption performed on the AC For interoperability, we have two choices: –State that at least one mode is mandatory to implement on both ends (all ACs and WTPs must support that mode) –State that both modes are mandatory to implement on one end (both modes may be optional on the other)

Issue #138 History Our document has historically stated that both modes are optional –Not sufficient to ensure interoperability –Do we need to state a mandatory mode, given that Split MAC operation is already optional? At the interim meeting, we narrowed the choices to two options, but there was no consenus on which to choose –Support for encryption/decryption at the WTP is mandatory at both ends, enc/dec at the AC is optional –Support for both modes is required in all WTPs, both are optional in the ACs

Issue #138 Discussion Points In favor of requiring WTP to support both modes –Both modes will be widely available, each with benefits in different situations –Centralized encryption mode has desirable security properties (centralized control of keys, etc.) In favor of making WTP encrypt/decrypt mandatory and AC decrypt/encrypt optional –Simplifies minimal implementation (only one mandatory mode on each end) –We know that this mode is supported by all WTP and AC hardware solutions (and chipsets) –This mode is compatible with current and future features (in e and n)

Reviewing the options WTPAC Encryption at ACMUSTMAY Encryption at WTP MUSTMAY WTPAC Encryption at ACMAY Encryption at WTP MUST Option 1 Option 2 Option 1: ACs MAY support encryption either in AC or WTP. WTPs MUST support both encryption in WTP or AC. Option 2: All ACs and WTPs MUST support encryption at WTP, and MAY support encyption at AC

Issue 138 Consensus Call Consensus Call on 2/23/07. Ended on March 1 st w/o consensus. 1) To provide system component interoperability, the WTP MUST support encryption/decryption at the WTP, and the WTP MUST support encryption/decryption at the AC. The AC MUST support either encryption/decryption at the WTP or encryption/decryption at the AC. The AC MAY support both encryption/decryption at the WTP and encryption/decryption at the AC. -OR- 2) To provide system component interoperability, the WTP and AC MUST support encryption/decryption at the WTP. The WTP and AC MAY support encryption/decryption at the AC. Note the 2 proposals differ with support of encryption/decryption at the AC. As there has been no objections to the optional use of DTLS in the Data Plane, this portion of issue 138 is closed.

Issue #138 Decision WG needs to reach a decision on this issue for the document to advance –Very few people have voiced an opinion –What do the rest of you think?