Presentation is loading. Please wait.

Presentation is loading. Please wait.

CAPWAP Threat Analysis

Published byHarvey Hardy Modified over 7 years ago

Similar presentations

Presentation on theme: "CAPWAP Threat Analysis"— Presentation transcript:

1 CAPWAP Threat Analysis
draft-ietf-capwap-threat-analysis-00 IETF 68, CAPWAP Working Group Charles Clancy & Scott Kelly

2 Document Status Adopted as a working group document Published as -00
Changes Filled in AAA security section Added discussion of channel binding

3 Quick Recap Document not designed to replace security considerations text Security considerations focuses more on low-level protocol details, things CAPWAP-specific Threat analysis looks more at the “big picture” Goal of the document: Provide a little history on 11i/AAA security, and how CAPWAP fits into the mix Document the many different use cases, and describe how such deployment scenarios affect the system security

4 Recent Changes New discussion on channel bindings
Just because STA trust AAA who trusts AC who trusts WTP, why should STA trust WTP? Is trust transitive? Nature of identity STA bootstrapped trust relationship WTP long-term trust relationship AC long-term trust relationship AAA long-term trust relationship

5 Example Attack “Lying NAS problem”: AP has one identity in its security association to the AAA server, but provides another identity to the STA in beacon messages CAPWAP only compounds the problem Problem is that the STA only trusts the AAA server, and not anything else Is this an actual problem? What does knowing all these identities buy us?

6 Fix the problem? Solution 1: 3-party key agreement protocols
Involve all parties in a cross-protocol key agreement In CAPWAP, would need 4-party protocol Infeasible, as CAPWAP can’t change 11i or AAA Solution 2: Channel Bindings After keys are all generated, AAA server encrypts everyone’s identities and sends it to the STA Could be implemented by CAPWAP-specific extensions to an EAP method, need AAA messages to carry CAPWAP WTP/AC info

7 Ideally, how would this work?
STA WTP AC AAA AAA authentication CAPWAP authentication beacons ID(WTP), ID(AC), ID(AAA) AAA(CAPWAP config, ID(WTP), ID(AC)) 802.1X / EAP authentication Channel binding phase — MIC(ID(WP), ID(AC), ID(AAA) ** STA verifies chbind info ** 802.11i 4-way handshake CAPWAP Add-Mobile

8 Implementation? Implementing channel bindings would require an additional RFC describing: Universal WTP / AC identities RADIUS and Diameter transport for identities CAPWAP-specific CHBIND blobs for EAP methods to securely transport Threat Analysis draft simply documents the problem Not a problem if you deployment believes in the transitivity of trust

9 Conclusion New WG document
Some changes since last version, including chbind discussion Would like WG input! Another revision, and then perhaps WGLC

Download ppt "CAPWAP Threat Analysis"

Similar presentations

EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.

EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.
August 2, 2005EAP WG, IETF 631 EAP-IKEv2 review Pasi Eronen.

August 2, 2005EAP WG, IETF 631 EAP-IKEv2 review Pasi Eronen.
Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.

Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.
NEA Working Group IETF meeting Nov 17, 2011 IETF 82 - NEA Meeting1.

NEA Working Group IETF meeting Nov 17, 2011 IETF 82 - NEA Meeting1.
CAPWAP related draft-shao-opsawg-capwap-hybridmac-00 draft-chen-opsawg-capwap-extension-00 draft-zhang-opsawg-capwap-eap-00.

CAPWAP related draft-shao-opsawg-capwap-hybridmac-00 draft-chen-opsawg-capwap-extension-00 draft-zhang-opsawg-capwap-eap-00.
Yang Shi, Chris Elliott, Yong Zhang IETF 73 rd 18 Nov 2008, Minneapolis CAPWAP WG MIB Drafts Report.

Yang Shi, Chris Elliott, Yong Zhang IETF 73 rd 18 Nov 2008, Minneapolis CAPWAP WG MIB Drafts Report.
1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV BOF IETF-67 San Diego November 2006 Andrea Doherty.

1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV BOF IETF-67 San Diego November 2006 Andrea Doherty.
6LoWPAN Security Analysis Soohong Daniel Park Ki-Hyung Kim Eunil Seo Samita Chakrabarti Julien Laganier.

6LoWPAN Security Analysis Soohong Daniel Park Ki-Hyung Kim Eunil Seo Samita Chakrabarti Julien Laganier.
Jun Li DHCP Option for Access Network Information draft-lijun-dhc-clf-nass-option-01.

Jun Li DHCP Option for Access Network Information draft-lijun-dhc-clf-nass-option-01.
EAP Key Framework Draft-ietf-eap-keying-01.txt IETF 58 Minneapolis, MN Bernard Aboba Microsoft.

EAP Key Framework Draft-ietf-eap-keying-01.txt IETF 58 Minneapolis, MN Bernard Aboba Microsoft.
CDB-040224-1 Chris Bonatti (IECA, Inc.) Tel: (+1) 301-548-9569 Proposed PKI4IPSEC Certificate Management Requirements Document IETF #59 – PKI4IPSEC Working.

CDB Chris Bonatti (IECA, Inc.) Tel: (+1) Proposed PKI4IPSEC Certificate Management Requirements Document IETF #59 – PKI4IPSEC Working.
1 RADIUS Mobile IPv6 Support draft-ietf-mip6-radius-01.txt Kuntal Chowdhury Avi Lior Hannes Tschofenig.

1 RADIUS Mobile IPv6 Support draft-ietf-mip6-radius-01.txt Kuntal Chowdhury Avi Lior Hannes Tschofenig.
EAP Extensions for EAP Re- authentication Protocol (ERP) draft-wu-hokey-rfc5296bis-01 Yang Shi Qin Wu Zhen Cao

EAP Extensions for EAP Re- authentication Protocol (ERP) draft-wu-hokey-rfc5296bis-01 Yang Shi Qin Wu Zhen Cao
6lowpan ND Optimization draft Update Samita Chakrabarti Erik Nordmark IETF 69, 2007 draft-chakrabarti-6lowpan-ipv6-nd-03.txt.

6lowpan ND Optimization draft Update Samita Chakrabarti Erik Nordmark IETF 69, 2007 draft-chakrabarti-6lowpan-ipv6-nd-03.txt.
March 2006 CAPWAP Protocol Specification Update March 2006

March 2006 CAPWAP Protocol Specification Update March 2006
1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV WG IETF-68 Prague March 2007 Andrea Doherty.

1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV WG IETF-68 Prague March 2007 Andrea Doherty.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
Emu wg, IETF 70 Steve Hanna, shanna@juniper.net EAP-TTLS draft-funk-eap-ttls-v0-02.txt draft-hanna-eap-ttls-agility-00.txt emu wg, IETF 70 Steve Hanna,

Emu wg, IETF 70 Steve Hanna, EAP-TTLS draft-funk-eap-ttls-v0-02.txt draft-hanna-eap-ttls-agility-00.txt emu wg, IETF 70 Steve Hanna,
1 Network Selection Problem Definition Draft-ietf-eap-netsel-problem-01.txt Jari Arkko Bernard Aboba.

1 Network Selection Problem Definition Draft-ietf-eap-netsel-problem-01.txt Jari Arkko Bernard Aboba.
Softwire Security Requirement Update draft-ietf-softwire-security-requirements-02.txt IETF Meeting, Prague March 19, 2007 Shu Yamamoto Carl Williams Florent.

Softwire Security Requirement Update draft-ietf-softwire-security-requirements-02.txt IETF Meeting, Prague March 19, 2007 Shu Yamamoto Carl Williams Florent.

Similar presentations

Ads by Google