Responses to Clause 5 Comments


1 Responses to Clause 5 Comments
Bob Beach, Symbol Technologies

2 Comment Summary
175+ comments
Mostly editorial
Nine areas of technical concern

3 Significant Technical Issues
State Diagram Concerns (15)
Authentication in IBSS (12)
Kerberos applicability (6)
Replay Protection for BC/MC (4)
AS/AP Trust Issue (3)
Legacy Compatibility (3)
Deauthentication Frame Usage in ULA (2)
What is ESN compliance (2)
Security Impact on QoS when roaming (1)
Mixed Encrypted/NonEncrypted Streams (1)
Disassociation Timeout (1)
Deauthentication Question (1)

4 State Diagram Concerns
Comments: 738, 584, 322, 583, 1360, 1151, 28, 711, 1433, 995, 1199, 1667, 1668, 1669, 1690
State diagram is incomplete and/or has formatting errors
Some of the problem is that the diagram is for MAC authentication, and with ULA there is none

5 Response -1
Purpose of the state diagram is only to define which frames are allowed at any given time
States 1, 2, 3 assume MAC authentication
State 4 is only ULS
Entry is via configuration variable
State 4 needs to be split into two states in order to indicate that data frames cannot be sent until associated

6 Response -2
Define State 4: ULS, not associated. Allowed frames are:
  All Class 1 frames except a-2-iii (authentication)
  All Class 2 frames
State 5: ULS, associated. Allowed frames are:
  All frames allowed in state 4
  All frames in Class 3
Entry to state 4 is via configuration variable

7 Response -3
Movement from 4 to 5 is Successful Association
Movement from 5 to 4 is Disassociation Notification
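The proposed states 4 and 5 from slides 5-7, together with the frame admissibility rules they list, as an added executable model that is not part of the presentation. The frame-to-class assignments are assumed from 802.11-1999 clause 5.5 (authentication being item a-2-iii of Class 1); the admission of deauthentication frames in both states reflects the later decision on slide 30.

```python
from enum import Enum

class State(Enum):  # proposed ULS states (slides 5-7); MAC-authentication states 1-3 omitted
    ULS_NOT_ASSOCIATED = 4  # entered via configuration variable
    ULS_ASSOCIATED = 5

# Frame-to-class assignments are ASSUMED from 802.11-1999 clause 5.5 (illustrative subset);
# authentication is item a-2-iii of Class 1, the one Class 1 frame slide 6 excludes.
FRAME_CLASS = {
    "probe_request": 1, "probe_response": 1, "beacon": 1,
    "authentication": 1, "deauthentication": 1,
    "association_request": 2, "association_response": 2, "disassociation": 2,
    "data": 3,
}

def frame_allowed(state, frame):
    """State 4: all Class 1 except authentication, plus all Class 2.
    State 5: everything allowed in state 4, plus all Class 3.
    Deauthentication (Class 1) is admitted in both, matching slide 30."""
    if frame == "authentication":
        return False  # ULS replaces MAC authentication, so never admitted here
    if FRAME_CLASS[frame] in (1, 2):
        return True
    return state is State.ULS_ASSOCIATED  # Class 3 (data) only once associated

def next_state(state, event):
    """Slide 7 transitions: successful association 4->5, disassociation notification 5->4."""
    if state is State.ULS_NOT_ASSOCIATED and event == "successful_association":
        return State.ULS_ASSOCIATED
    if state is State.ULS_ASSOCIATED and event == "disassociation_notification":
        return State.ULS_NOT_ASSOCIATED
    return state  # any other event leaves the state unchanged

def run(trace):
    """Drive the machine over ("event", name) / ("frame", name) pairs; log every frame decision."""
    state, log = State.ULS_NOT_ASSOCIATED, []
    for kind, name in trace:
        if kind == "event":
            state = next_state(state, name)
        else:
            log.append((state.value, name, frame_allowed(state, name)))
    return log

if __name__ == "__main__":
    # Constructed trace: data before association is refused, allowed after, refused again.
    trace = [("frame", "data"), ("frame", "association_request"), ("event", "successful_association"),
             ("frame", "data"), ("frame", "deauthentication"), ("event", "disassociation_notification"),
             ("frame", "data")]
    print(run(trace))
```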

8 Proposed Motion
That the Tgi editor prepare text and diagrams that reflect these changes into the working document.

9 Replay Protection
Comments: 990, 582, 321, 991
Replay protection using WEP2 (990)
Replay protection for BC/MC traffic (582, 321, 991)

10 Response
Comments are rejected
BC/MC replay protection is not possible in the current Tgi model

11 Authentication in IBSS
Comments: 1006, 1517, 1269, 1260, 1157, 1517, 1551, 1552, 1661, 1662, 1666, 1669, 1688, 1691
Various problems with the proposed mode when using IBSS
Essentially not covered
Text is very infrastructure oriented

12 Response
Contained in separate presentation

13 Kerberos applicability
Comments ( , 743, 1319)
Question whether Kerberos should be mandatory ( , 743)
Question applicability of Kerberos for SOHO (1319, 1550, 1665, 1687)

14 Response
Contained in separate presentation

15 AS/AP Trust Issues
Comments: 1549, 1664, 1686
Questions concerning whether trust between AS and AP is secure

16 Response
Comments are rejected.
The Tgi security model assumes that the Authentication Server is the most trusted entity in the system. All stations, including Access Points, must authenticate with it. It is not a matter of the AP trusting the AS, but rather of the AP being authenticated by the AS.

17 Legacy Compatibility
Comments: 1553, 1598, 1670, 1692
Concern about legacy system compatibility with ESN. Specifically, that legacy systems cannot just associate and operate with ESN.

18 Response -1
The comments are rejected.
Compatibility with legacy systems has been maintained as much as possible. No existing packet formats have been altered, and additions have been made in an accepted manner. No new packet types have been defined.

19 Response -2
Legacy stations can scan and probe ESN-capable access points. Whether they may associate with such an AP is a site configuration issue. An AP may be configured to support both legacy and ESN stations.
An ESN station can associate with a legacy AP. Such legacy APs can be easily determined by examining their beacons for the ESN bit. Whether the station selects to do so is a user decision.

20 What is ESN compliance?
Comments: 1258, 1607
Can one implement some elements of ESN, or is it an all-or-nothing choice?
Define required elements of Kerberos

21 Response
Contained in separate presentation

22 Security Impact on QoS
Comment: 316
Concerned about QoS jitter introduced by authentication delay on roam

23 Response
The comment is accepted.
The committee has spent considerable effort to minimize the impact of authentication on QoS devices. The Kerberos authentication sequence on a roam requires fewer packets (3) than does shared key authentication (4). Furthermore, the AP may not need to communicate with any other entity if suitably configured.

24 Mixed Encrypted/NonEncrypted Streams
Comment: 705
Is it possible for a STA to send both encrypted and nonencrypted streams concurrently?

25 Response
The comment is rejected.
Mixed encrypted/nonencrypted data streams are not allowed, since there is no way to authenticate the identity of the sender of the nonencrypted frames.

26 Disassociation Timeouts
Comment: 336
How long should an AP wait for the authentication sequence to complete or fail before it disassociates the STA?

27 Response
The comment is accepted.
When the Tgi MIB is defined, a variable will be added that defines this timeout value.

28 Deauthentication Frame Usage
Comments: 601, 602
One comment indicates that deauthentication frames should never be sent with ULA; the other says the AP should send them when in ULA.

29 Response -1
The comment is accepted.
Purpose of the text in section 11.3 is to define how a station that was previously MAC authenticated transitions to a ULS authentication. The model is that the AP sends a deauthentication frame to terminate the MAC authentication and then accepts the ULS association.

30 Response -2
This approach is reasonable, and so the text associated with the state diagram in section 5 will be changed to permit the use of deauthentication frames in states 4 and 5.

31 Deauthentication Frame Usage
Comment: 1598
Questions whether the lack of deauthentication frames at the MAC eliminates DoS attacks

32 Response
The comment is rejected.
DoS attacks may still be made at the upper layer. MAC deauthentication frames are now permitted in an ESN.
