CAPWAP Security 65 th IETF 20 March 2006 Scott Kelly

20 March 2006, CAPWAP Working Group

Why is security important in CAPWAP?
- Many interdependent security protocols run between the station and the network
- CAPWAP exposes some of this by breaking the original AP model into two pieces (AC/WTP)
- This architectural change must not degrade existing security (it can't create a weak link)

Threats
- Multiple deployment models
  - Direct L2 connection
  - Routed connection, one administrative domain
  - Routed connection, potentially hostile hops
- Direct L2 connection
  - Largely a physical security problem
- Routed connection (L3), same administrative domain
  - Seems similar to L2 at first glance
  - But gets interesting due to what the CAT5 dragged home
  - Mobile systems invalidate many assumptions regarding the security of the local LAN (the soft and chewy inside is now exposed)

Threats, cont.
- Routed connection over potentially hostile hops
  - Remote WTP scenarios
    - Employees take WTPs home
    - Branch office WTP, central office AC
    - Hotspots
  - Some hops may be over wireless
    - Mesh (e.g. metro wifi)

How do we address these threats?
- When physical security is the only concern, fairly simple
- When L3 within one admin domain, can mitigate various threats with switching, VLANs, admission control, etc.
  - But CAPWAP should not impose requirements here
- When routed over potentially hostile hops, all bets are off
- The CAPWAP protocol must be secure in any of these scenarios
- One common solution is preferable

DTLS vs. Native LWAPP Security
- This is the invent vs. reuse debate we've had before in the IETF
- Even really smart people make mistakes
  - PPP (PAP, CHAP, etc.)
  - RADIUS
  - WEP and other early WLAN security protocols
  - Several over-the-network password hashes
  - Finding more examples is left as an exercise to the reader
- Security and cryptography are very subtle
  - More than just combining primitives
- Ongoing broad technical review is critical
  - SSL/SSH improvements
  - MD5, SHA-1 cracks...
- Using a CAPWAP one-off will not invite this sort of attention
- Better to use something already reviewed which has broader deployment, and which will continue to attract attention
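The slide lists RADIUS as a protocol whose designers got the crypto wrong without saying which flaw it has in mind. The Python below is an added illustration, not part of the original presentation, of one well-known weakness in the RFC 2865 User-Password hiding scheme: the password is XORed with a keystream derived as MD5(shared secret || Request Authenticator), so the construction is only as strong as the uniqueness of the Request Authenticator. If a NAS ever repeats one, two hidden passwords from that NAS XOR to the XOR of the plaintexts, and an eavesdropper who knows one of them (their own account's password, say) recovers the first 16 bytes of the other without ever learning the shared secret. The secret, passwords and authenticator values used here are constructed for the demonstration.

```python
import hashlib

BLOCK = 16  # MD5 digest length; RFC 2865 hides the password 16 bytes at a time


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as performed by the NAS.

    The password is NUL-padded to a multiple of 16 bytes, then
    c1 = p1 XOR MD5(S + RA) and ci = pi XOR MD5(S + c(i-1)).
    """
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = b""
    prev = request_authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor(padded[i:i + BLOCK], keystream)
        hidden += block
        prev = block  # chaining: the next block is keyed by this ciphertext block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = b""
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def recover_first_block(known_password: bytes, known_hidden: bytes, target_hidden: bytes) -> bytes:
    """Eavesdropper's attack when a NAS reuses a Request Authenticator.

    Both Access-Requests came from the same NAS (same shared secret) with the
    same RA, so their first blocks share the keystream MD5(S + RA). Knowing one
    plaintext (e.g. the attacker's own password) yields that keystream and
    therefore the first 16 bytes of the other password; the secret is never needed.
    """
    known_padded = known_password[:BLOCK].ljust(BLOCK, b"\x00")
    keystream = _xor(known_hidden[:BLOCK], known_padded)
    return _xor(target_hidden[:BLOCK], keystream).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed values: a shared secret, a badly generated (repeated) Request Authenticator,
    # the attacker's own password and a victim's password seen in two Access-Requests.
    secret = b"radius-shared-secret"
    reused_ra = bytes(range(16))
    attacker_hidden = hide_password(b"attacker-own-pw", secret, reused_ra)
    victim_hidden = hide_password(b"victim-pw", secret, reused_ra)
    print(recover_first_block(b"attacker-own-pw", attacker_hidden, victim_hidden))
```

The primitive (MD5) is not what fails here; the way it is combined with a nonce that nothing forces to be unique is. That is the slide's point about combining primitives, and the eventual fix in practice was not a patched RADIUS construction but wrapping RADIUS in an already reviewed transport (IPsec, or TLS as in RFC 6614 RadSec), the same reuse argument the slide makes for DTLS in CAPWAP.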

Where are we now?
- DTLS has been added to the -00 draft
- The lwapp-dtls draft was in revision when -00 came due
  - DTLS insertion is rough
  - There are state machine issues
- Currently working to resolve various issues
  - Deletion of JOIN results in loss of important data
  - DTLS interaction with the CAPWAP state machine must be more fully specified
- At least two people are working on prototypes
  - Should rapidly uncover any integration issues
- We should consider a design team to speed the integration process
  - Goal should be to close all open integration issues ASAP
  - Interim meeting(s) if necessary

Questions?