802 Handoff: LinkSec Handoff Issues?
David Johnston, Intel
Doc.: 802_Handoff_Linksec_Presentation, Submission, May 2003

Slide 1: 802 Handoff: LinkSec Handoff Issues?
David Johnston
david.johnston@ieee.org
dj.johnston@intel.com

Slide 2: (very) Simplified Anatomy of a L3 Handoff
Down at the link layer, a link breaks
So, something somewhere up the stack agrees, in its own way, to handoff from one place to another
–E.g. Mobile IP
Consequently, down at the link layer, an attachment switches from one place to another
–Association-authentication-authorization in one of several possible orders and flavors
–Either by picking a new attachment point for an interface, or picking a new interface
Mobile IP reconnects via the net attachment

Slide 3: Pre-auth Requirements
Prior to attempting to authenticate, the mobile node may want to know whether it is worth the effort
–Does the AP support my L3 network needs?
–Do I have a payment method, auth protocol, subscription that will work on the candidate AP?
–Can my QoS needs be met?
It would be nice for the conduit for this information:
–To not be blocked prior to authentication
–To be applicable to diverse 802 network types (MSDU transport)

Slide 4: The blocking behavior of 802.1x
802.1x allows access to the MAC
Blocks access to all LSAPs above the LLC except for EAPoL until authentication has completed
–So only MAC signalling and EAP are available prior to authentication
–This takes advantage of the common MSDU transport capability of different 802 networks
–A mechanism applicable to diverse 802 network types could not be codified in existing MAC signaling or EAP
So current 802 authentication practice impacts the transfer of handoff-related information prior to authentication

Slide 5: EAP Extensions
Introduce new EAP methods to enable network detection
–Detection bound to some place in the EAP authentication sequence
–IETF Domain
[Diagram: protocol stacks (PHY, MAC, LLC, EAPoL, EAP, mIP) on each side of the medium, joined through the 802.1x/aa controlled/uncontrolled port; the new features sit at the EAP layer]

Slide 6: EAPoL Extensions
Amend 802.1aa to add attachment information service
–Tied to use of 802.1x in 802 case
–IEEE 802.1aa Domain
[Diagram: same protocol stacks and 802.1x/aa controlled/uncontrolled port as slide 5; the new features sit at the EAPoL layer]

Slide 7: Controlled/Uncontrolled Port Entity (CUPE)
Add new entity above LSAP
–Uncontrolled port for insecure data/signaling
–Controlled port otherwise
–Tied to use of 802.1x in 802 case
–IEEE 802 Domain
[Diagram: same protocol stacks as slide 5; the new entity sits above the LSAP as an unsecured Uncontrolled Port Entity (UPE) and a secured Controlled Port Entity (CPE), alongside the 802.1x/aa controlled/uncontrolled port]

Slide 8: Beacons
Add new management frames/frame content
–Uses native 802.[x] management frames for signaling
–No 802.1x/aa needed
[Diagram: the new thing sits at the MAC layer]

Slide 9: Scheduling
EAP: Attachment -> Attached -> EAPoL/EAP -> Attached & Connected
–Information transfer can only happen within a limited range of time during EAP
EAPoL: Attachment -> Attached -> EAPoL/EAP -> Attached & Connected
–Information transfer can only happen within a limited range of time during EAPoL operation
–Hypothetically, EAPoL could be invoked during the authenticated state for the purposes of information transfer

Slide 10: Scheduling
CUPE: Attachment -> Attached -> EAPoL/EAP -> Attached & Authorized
–Information transfer can happen anytime during a connection, with restrictions on what is transferred based on controlled port status
Beacons/Probes (B/P): Attachment -> Attached -> EAPoL/EAP -> Attached & Authorized
–Information transfer can happen anytime the transmitter chooses, assuming the L2 media supports it

Slide 11: Extending the auth model to support Handoff
Extend the set of pre-authentication unblocked things from:
–MAC signalling
–EAPoL
To:
–MAC signalling
–EAPoL
–Non-sensitive handoff-related data

Slide 12: So: One requirement
Don't make it impossible to define the distribution of media-independent handoff decision data prior to authentication
–Allows mobile nodes to handoff based on good information
–Enables mobile nodes to choose whom they should bother authenticating to

Slide 13: Port == AID?!
In 802.11 the port is defined to be attached to an association
Prevents authentication before association
Is a problem for 802.11 if you have handoff decision data on the uncontrolled port
–Increases time to access handoff data
–Leaves only the beacon for public data before auth: limited in size, unsafe to extend, not common across 802
Can the port not be per mobile MAC address or some such thing?
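The port-access behaviour of slides 4, 11 and 13, as an added example that is not part of the presentation: a toy Python model of an 802.1X authenticator's port filter. The only real constant is the EAPoL EtherType 0x888E; the Frame and Authenticator classes, the sample MAC address and payloads, and HANDOFF_INFO_ETHERTYPE (0x88B5, an IEEE 802 local-experimental EtherType used here only as a stand-in) are assumptions for illustration. CLASSIC_8021X passes only EAPoL on the uncontrolled port before authorization (slide 4); HANDOFF_EXTENDED also passes a non-sensitive handoff-data EtherType (slide 11); port_bound_to_association=True models the 802.11 case in which no port exists until the station has associated, so even EAPoL is dropped before association (slide 13).

```python
"""Toy model of 802.1X controlled/uncontrolled port blocking (slides 4, 11, 13).

Added example for this transcript, not code from the presentation or from any
IEEE 802 standard. Only EAPOL_ETHERTYPE is a real constant; everything else is
an assumption made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

EAPOL_ETHERTYPE = 0x888E   # IEEE 802.1X EAP over LAN: the one LSAP left open pre-auth
IPV4_ETHERTYPE = 0x0800    # e.g. Mobile IP registration traffic (blocked pre-auth)
# Hypothetical carrier for the "non-sensitive handoff-related data" of slide 11.
# 0x88B5 is an IEEE 802 local-experimental EtherType; a stand-in, not a proposal.
HANDOFF_INFO_ETHERTYPE = 0x88B5


@dataclass(frozen=True)
class Frame:
    src: str            # supplicant (mobile node) MAC address
    ethertype: int
    payload: bytes = b""


@dataclass(frozen=True)
class PortPolicy:
    """EtherTypes the uncontrolled port passes before the supplicant is authorized."""
    pre_auth_allowed: FrozenSet[int]


# Slide 4: only EAPoL gets through before authentication completes.
CLASSIC_8021X = PortPolicy(frozenset({EAPOL_ETHERTYPE}))
# Slide 11: additionally let non-sensitive handoff data through unauthenticated.
HANDOFF_EXTENDED = PortPolicy(frozenset({EAPOL_ETHERTYPE, HANDOFF_INFO_ETHERTYPE}))


@dataclass
class Authenticator:
    policy: PortPolicy
    # Slide 13: if True the port only exists once the station has associated
    # (the 802.11 "port == AID" binding); if False it is keyed on MAC alone.
    port_bound_to_association: bool = False
    associated: Set[str] = field(default_factory=set)
    authorized: Set[str] = field(default_factory=set)

    def associate(self, mac: str) -> None:
        self.associated.add(mac)

    def authorize(self, mac: str) -> None:
        # Real 802.1X authorizes only after a successful EAP exchange; here the
        # state is flipped directly to show the filter on either side of it.
        self.authorized.add(mac)

    def filter(self, frame: Frame) -> str:
        """Return where the frame is delivered: 'uncontrolled', 'controlled' or 'drop'."""
        if self.port_bound_to_association and frame.src not in self.associated:
            return "drop"          # no association, no port: not even EAPoL passes
        if frame.ethertype in self.policy.pre_auth_allowed:
            return "uncontrolled"  # always open: EAPoL (plus handoff data if allowed)
        if frame.src in self.authorized:
            return "controlled"    # post-auth: everything else flows
        return "drop"


def walk_through(policy: PortPolicy, bound_to_association: bool) -> Dict[str, str]:
    """Drive one mobile node through attach -> pre-auth -> authorized; record verdicts."""
    mn = "00:11:22:33:44:55"  # constructed sample MAC
    auth = Authenticator(policy, port_bound_to_association=bound_to_association)
    eapol = Frame(mn, EAPOL_ETHERTYPE, b"\x01\x01\x00\x00")   # EAPOL-Start, v1, len 0
    handoff = Frame(mn, HANDOFF_INFO_ETHERTYPE, b"l3=ipv4;qos=voice")  # constructed
    ip = Frame(mn, IPV4_ETHERTYPE, b"mobile-ip registration")          # constructed
    verdicts: Dict[str, str] = {}
    verdicts["eapol_before_assoc"] = auth.filter(eapol)
    auth.associate(mn)
    verdicts["eapol_pre_auth"] = auth.filter(eapol)
    verdicts["handoff_pre_auth"] = auth.filter(handoff)
    verdicts["ip_pre_auth"] = auth.filter(ip)
    auth.authorize(mn)
    verdicts["ip_post_auth"] = auth.filter(ip)
    verdicts["handoff_post_auth"] = auth.filter(handoff)
    return verdicts


if __name__ == "__main__":
    for name, pol in (("classic 802.1X", CLASSIC_8021X), ("handoff-extended", HANDOFF_EXTENDED)):
        for bound in (False, True):
            print(f"{name}, port bound to association={bound}: {walk_through(pol, bound)}")
```

The interesting rows are handoff_pre_auth, which is dropped under CLASSIC_8021X and delivered on the uncontrolled port under HANDOFF_EXTENDED, and eapol_before_assoc, which is dropped only when the port is bound to the association: that is the extra round trip slide 13 complains about, since the mobile node cannot even start EAP, let alone fetch handoff data, until it has associated.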