
CAPWAP Overview SAAG Presentation 65 th IETF 23 March 2006 Scott G. Kelly T. Charles Clancy


Slide 1: CAPWAP Overview
SAAG Presentation, 65th IETF, 23 March 2006
Scott G. Kelly <scott@hyperthought.com>
T. Charles Clancy <clancy@cs.umd.edu>

Slide 2: Agenda
– Introduction
– Some background and current scope
– Security-related protocols, relationships, considerations, requirements
– Current state of things
– Conclusion

Slide 3: Introduction
The CAPWAP working group is defining a protocol to control and provision wireless access points.
Things carried over the protocol include:
– Access point configuration/control
– Network access control decisions
– Cryptographic session keys
– User data
Security is obviously a significant concern.
The working group wants to invite security area participation and is requesting appointment of a security advisor:
– Provide a designated point of contact with the security directorate
– Help avoid delays and surprises in the document advancement process due to unforeseen security concerns

Slide 4: Background – Early Architecture
[Diagram: early WLAN elements STA, AP, AS/AAA and Mgmt]
– AS: authentication server, typically RADIUS
– AP: wireless access point
– STA: wireless station (typically a laptop)

Slide 5: Background
Early WLAN deployments rely on "fat" access points:
– Standalone, individually managed network elements
– Management scaling issues
Limited RF range implies many APs are required for a significant coverage area:
– User roaming implies other infrastructure issues
Relatively simple trust chain:
– STA–AP: EAPoL, WEP
– AP–AS: EAP over RADIUS

Slide 6: Current Architecture (Security Protocol Hierarchy and Interactions)
[Diagram: STA–WTP: 802.1X, 802.11i, WPA; WTP–AC: CAPWAP; AC–AAA: RADIUS, optional IPsec; Mgmt–AC: SNMP, HTTP/TLS, SSH]
Each layer in the hierarchy depends on the layers above it for security.

Slide 7: Background, cont.
The current generation is moving to a centralized control model with "thin" access points:
– AC: access controller, centralized point of control
– WTP: wireless termination point (new name for access points)
Complex interactions:
– AC–AAA: EAP over RADIUS (optional IPsec)
– WTP–STA: WEP, WPA, WPA2, 802.11i
– AC–WTP: intermediate communications impacting all aspects of operations
This presents a number of challenges that merit IETF attention.

Slide 8: Complex Trust Relationships
[Diagram: trust relationships among STA, WTP, AC, AAA and Mgmt. Credentials and keys labelled in the figure: RADIUS PSK (AC–AAA), long-term EAP credential (STA–AAA), PSK/Cert (AC–WTP CAPWAP credential), PTK (WTP–STA), MSK/PMK, MK, admin credential (Mgmt–AC). Color coding distinguishes short-term keys from long-term keys.]

Slide 9: CAPWAP Interdependencies (protocols, trust relationships, etc.)
Many interdependent security protocols sit between the STA and the network. CAPWAP is used to bootstrap trust between the STA and WTP using a series of pre-established trust relationships:
– AAA credential between AC and AS
– CAPWAP credential between AC and WTP
– EAP credentials between STA and AS
– 802.11i security context (PTK) between WTP and STA
CAPWAP must not degrade the security of the surrounding components.
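Slides 8 and 9 name the "802.11i security context (PTK)" that ends up at the WTP, and slide 3 lists "cryptographic session keys" among the things CAPWAP carries. To make that concrete, the following added example (editor's code, not part of the presentation or of any CAPWAP draft) derives the pairwise key hierarchy as specified in IEEE 802.11i (IEEE 802.11-2007 clause 8.5.1): the PMK (delivered from the AAA server to the AC via the MSK) is expanded with both MAC addresses and both nonces into KCK, KEK and TK. All sample values are constructed.

```python
"""IEEE 802.11i pairwise key expansion, written out so the 'security context
(PTK)' on slides 8 and 9 is concrete. Editor's illustrative code, not from the
slides; the PRF and PTK layout follow IEEE 802.11-2007 clause 8.5.1 (CCMP,
384-bit PTK)."""
import hmac
import hashlib


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11 PRF-n: concatenate HMAC-SHA1(K, A || 0x00 || B || i) for
    i = 0, 1, ... and truncate the result to nbits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))
    CCMP split: KCK = EAPOL-Key MIC key, KEK = EAPOL-Key encryption key,
    TK = temporal key that protects data frames. Ordering by min/max makes the
    result identical whichever side computes it."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


# Constructed sample inputs (not real captured values).
PMK = hashlib.sha256(b"constructed PMK derived from MSK").digest()  # 32 bytes, AAA -> AC
AA = bytes.fromhex("001122334455")                                    # authenticator (WTP BSSID)
SPA = bytes.fromhex("66778899aabb")                                   # supplicant (STA MAC)
ANONCE = hashlib.sha256(b"constructed anonce").digest()               # 32 bytes
SNONCE = hashlib.sha256(b"constructed snonce").digest()               # 32 bytes

if __name__ == "__main__":
    for name, k in derive_ptk(PMK, AA, SPA, ANONCE, SNONCE).items():
        print(name, k.hex())
```

In a split-MAC deployment where the AC runs the 4-way handshake and the WTP encrypts and decrypts data frames, the TK is the part of this hierarchy that has to cross the AC–WTP link, which is why slide 12 insists that the security context "must arrive there securely"; the KCK and KEK only ever protect EAPOL-Key frames and can stay wherever the handshake runs.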

Slide 10: CAPWAP Threats
Multiple deployment models:
– Direct L2 connection
– Routed L3 connection, one administrative domain
– Routed L3 connection, over potentially hostile hops
Direct L2 connection:
– Largely a physical security problem
– Post a guard, lock the doors, etc.
Routed L3 connection, same administrative domain:
– Seems similar to L2 at first glance, but...
– Mobile systems invalidate many assumptions regarding the security of the local LAN (the "soft and chewy inside" is now exposed)
– Can mitigate with network admission control, VLANs, etc., but CAPWAP cannot assume or mandate these things

Slide 11: CAPWAP Threats, cont.
Routed L3 connection, over potentially hostile hops. Examples:
– Remote WTP scenarios: employees take WTPs home and connect back to a central AC; branch office WTP, central office AC
– Hotspots
– Some hops may be over wireless mesh (e.g. metro wifi)
Threat mitigation requires strong crypto:
– Mutual authentication
– Data integrity verification
– Confidentiality in many cases

Slide 12: Additional CAPWAP Security Considerations
"Splitting the MAC" introduces security complexity and subtleties: functionality previously handled by the AP is now divided between WTP and AC. Examples:
– If 802.11 crypto is terminated at the WTP, the security context must arrive there securely (via the AC), and the WTP must implement the 802.11 data security functions; otherwise the AC implements the 802.11 data security functions
– Since user/station authentication is mediated by the AC, it must securely interact with the AS; the WTP forwards 802.1X frames to the AC
AC–WTP communications must not be the weak link in the chain.

Slide 13: CAPWAP Protocol Security Requirements
Not currently in scope (but important to be aware of):
– AC ↔ AAA
– STA ↔ AAA
– STA ↔ WTP
– Management ↔ AC
In scope:
– AC ↔ WTP
  – Authentication is unique, strong, mutual, and explicit
  – Communications protected by a strong ciphersuite

Slide 14: Current State of CAPWAP
Four competing protocol proposals were evaluated:
– WG created an independent evaluation team
– Protocols: LWAPP, SLAPP, WiCoP, CTP
WG chose LWAPP as the basis for the new CAPWAP protocol.
LWAPP provides its own proprietary security mechanisms; the evaluation team (and others) recommended replacing this with DTLS.

Slide 15: LWAPP Security Protocol, cont.
– T. Charles Clancy (UMD) conducted a security review and proposed improvements
– Protocol subsequently modified to meet the WG objectives draft requirements and Clancy's suggestions
– LWAPP/DTLS draft submitted by Kelly & Rescorla
– DTLS added to the capwap-00 draft as the proposed security mechanism
– Numerous operational details yet to be specified, but no show-stoppers uncovered or anticipated
– WG still discussing, hopefully to reach closure soon

Slide 16: Compare/Contrast DTLS vs LWAPP
DTLS:
– Standards-based protocol
– TLS is well reviewed (DTLS is equivalent from a security perspective)
– Widely deployed on the Internet (TLS)
– Negotiation capability provides for algorithm agility
– Several freely available implementations
– Built-in DoS protection
– Employs security best practices: unidirectional crypto keys; each side contributes to IVs; security parameter verification via message hash
– Continued benefit from broad deployment and scrutiny
LWAPP:
– Home-grown protocol
– Latest incarnation has only one public review
– Little deployment experience
– No algorithm negotiation: a crypto change requires a protocol forklift
– No known open source implementations
– No DoS protection
– A few questionable security practices: same key used for transmit/receive; one side controls IV generation; no verification of negotiable parameters (PSK vs cert)
– One-off (CAPWAP-only) deployment severely limits exposure to scrutiny
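Three of the practices contrasted on slide 16 (one key for both directions, one side controlling IVs, no verification of the negotiated parameters) are easiest to appreciate with the attack each one permits. The following added example is the editor's toy model, not DTLS, TLS or LWAPP code: "shared" stands for a single key used for transmit and receive, "directional" for per-direction keys expanded from a secret plus both peers' randoms (structure modelled on TLS key expansion, not the exact TLS PRF), and `finished_mac` plays the role of a handshake-closing MAC over a hash of everything negotiated. Records here carry integrity only; all inputs are constructed.

```python
"""Toy model of the record-protection habits contrasted on slide 16.
Editor's illustrative code, not DTLS or LWAPP. Integrity only, no encryption."""
import hmac
import hashlib

SEQ_LEN, TAG_LEN = 8, 32


def derive_directional_keys(secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Per-direction keys and IV seeds. Both randoms feed every output, so
    neither side alone controls the IVs (slide 16: 'each side contributes to IVs')."""
    seed = client_random + server_random

    def expand(label: bytes) -> bytes:
        return hmac.new(secret, label + seed, hashlib.sha256).digest()

    return {
        "client_write": expand(b"client write key"),
        "server_write": expand(b"server write key"),
        "client_iv": expand(b"client write iv"),
        "server_iv": expand(b"server write iv"),
    }


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Record = seq || payload || HMAC(key, seq || payload)."""
    hdr = seq.to_bytes(SEQ_LEN, "big")
    return hdr + payload + hmac.new(key, hdr + payload, hashlib.sha256).digest()


def verify(key: bytes, record: bytes) -> bool:
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())


def reflection_accepted_shared_key(shared_key: bytes) -> bool:
    """Single key both ways: the AC sends a command, an on-path attacker reflects
    the record back, and the AC's verifier (same key) accepts it as the WTP's.
    Returns True, i.e. the reflection succeeds."""
    rec = protect(shared_key, 1, b"constructed: set-channel 6")
    return verify(shared_key, rec)


def reflection_accepted_directional(keys: dict) -> bool:
    """Same reflection against per-direction keys: the AC (server) protects with
    server_write but checks inbound records with client_write, so the reflected
    record fails. Returns False."""
    rec = protect(keys["server_write"], 1, b"constructed: set-channel 6")
    return verify(keys["client_write"], rec)


def finished_mac(secret: bytes, transcript: bytes) -> bytes:
    """Handshake-closing MAC over a hash of every negotiated parameter
    (slide 16: 'security parameter verification via message hash')."""
    return hmac.new(secret, b"finished" + hashlib.sha256(transcript).digest(), hashlib.sha256).digest()


def downgrade_detected(secret: bytes, offered: bytes, peer_saw: bytes) -> bool:
    """True when the two sides hold different views of what was negotiated,
    e.g. an attacker rewrote 'auth=cert' to 'auth=psk' in flight."""
    return not hmac.compare_digest(finished_mac(secret, offered), finished_mac(secret, peer_saw))


if __name__ == "__main__":
    secret = hashlib.sha256(b"constructed master secret").digest()
    keys = derive_directional_keys(secret, b"\x01" * 32, b"\x02" * 32)
    print("shared key, reflection accepted:", reflection_accepted_shared_key(secret))
    print("directional keys, reflection accepted:", reflection_accepted_directional(keys))
    print("downgrade detected:", downgrade_detected(secret, b"auth=cert", b"auth=psk"))
```

The reflection case is the one to take away: with a single transmit/receive key, any record a peer emits is also a record it will accept, so a "reflect the last command" attacker needs no key material at all. Without a transcript-bound finished MAC, the PSK-versus-certificate choice named on slide 16 is exactly the kind of parameter an on-path party can rewrite undetected.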

Slide 17: Summary
– Security is clearly an integral concern for CAPWAP
– IEEE efforts primarily focused on STA+WTP+AS; AC–WTP interactions introduce various subtleties
– It's easy to get security wrong, even when clueful people are involved; more skilled reviewers mitigate the risk
– CAPWAP would clearly benefit from additional security community participation
– Group is requesting a security advisor: a designated point of contact with the security directorate, to avoid delays in document advancement due to security concerns
Questions?

