Download presentation
Presentation is loading. Please wait.
Published byIra Conley Modified over 9 years ago
1
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: Moving KMP Forward Date Submitted: September 16, 2012 Source: Robert Moskowitz, Verizon Address 1000 Bent Creek Blvd, MechanicsBurg, PA, USA Voice:+1 (248) 968-9809, e-mail: rgm@labs.htt-consult.com Re: Key Managementn over 4e Multipurpose Frames Abstract:Discussion of KMP transport Purpose:To refine our understanding of the transport mechism Notice:This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. Release:The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.
2
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 2 Moving KMP Forward Robert Moskowitz Palm Springs, CA Sept 19, 2012
3
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 3 Abstract Agreements to date Open items Next steps
4
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 4 Agreements to date Data 'on the wire' format State Machines general content General statements on Security Associations KMP guidelines general format
5
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 5 KMP Transport Use a COMMAND Frame IE for KMP encapsulation – 802.15.4 IE with max size of 2047 – 802.15.7 IE max size of 255 Multiple IEs per frame an option Issue with COMMAND frame, need to file maintenance item
6
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 6 KMP Transport MAC details – Unauthenticated PDUs always use long addresses e.g. KMP rekeying within authenticated PDUs MAY use short addresses – KMP payload MAY be fragmented over multiple IEs/frames Use Forced ACK for fragmentation chaining support
7
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 7 KMP Information Element Frame format – MAC specific information ID/Length – 802.15.4 = 0xa/max2047 – 802.15.7 = 0x03/max255 – Content Control Field – 1 byte KMP fragment
8
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 8 KMP IE Content Octets: 1Octets: 1-2046 Bits: 17 Chaining flag 0 = last/only one 1 = yes, chaining First packet: Multipurpose ID Other packets: Chain count Multipurpose ID: 98-126 98 = KMP Chaining count: 2-96 2 = 2 nd fragment 3 = 3 rd fragment … 96 = 96 th fragment (last possible) KMP Fragment
9
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 9 KMP IE Content KMP fragment – KMP ID – 1 byte 802.1X = 1 HIP = 2 IKEv2 = 3 PANA = 4 SAE, etc. – KMP payload
10
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 10 KMP State Machines Two State Machines – KMP COMMAND Frame Processing Interface between COMMAND processing and KMP Transport Mechanism Basic function is IE processing and fragmentation support – KMP Transport Mechanism
11
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 11 KMP COMMAND frame processing Fragmentation support – Inbound Assemble payload from frame received and send ACK if indicated – Could be a duplicate fragment » ACK lost Deliver payload to KMP on completion
12
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 12 KMP COMMAND frame processing Fragmentation support – Outbound KMP payload divided to fit MPDU Fragment sent with Forced ACK Resend if no ACK returned – ACK may have been lost – MAX retries = ? Next fragment on ACK receipt
13
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 13 KMP Transport Mechanism State machine to handle triggers to/from KMP higher layer – Pass through for KMP payloads – Triggers from MAC events to KMP Security Enabled to start KMP Frame Counter watch to trigger rekey
14
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 14 KMP Transport Mechanism Security enabled trigger – macSecurityEnabled = True on device Start KMP as first transmission to controller – Before Associate? – macSecurityEnabled = True on controller Receipt of unsecured frame force start? Receipt of secure frame with unknown keys – Controller lost keys (eg reboot) force start?
15
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 15 KMP Transport Mechanism Frame counter trigger – macFrameCounter = 0xffffffff – n Where n allows rekeying before key exhaustion Start KMP rekeying With unicast keying either device MAY trigger rekeying? ASSUMPTION: Only coordinators send with group keys and rekey as needed
16
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 16 Security and PAN architecture Pairwise keying is used for unicast traffic – 2 sets of Security Associations (SAs) Peer-to-Peer communications will only be unicast traffic due to the hidden node challenge
17
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 17 Security and PAN architecture Two basic SA tables – Key Table – Device Table
18
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 18 KMP Security Associations Security Association content – What keys? PTK, GTK, etc. – Counters, lifetimes, etc.
19
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 19 KMP Security Associations Group SAs ASSUMPTIONS – There is no MAC Multicast, on Broadcast Question: Did 6lowpan allocate a Multicast MAC address for ND? – Non-coordinator nodes ignore broadcasts – Only Coordinators po
20
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 20 15.4 Specifics Pre 15.4e device support – For 6lowpan PANs Develop a submission to the IETF using the Dispatch Type in RFC 4944 PDUs with the KMP Dispatch Type a length field will be equivalent to the 15.4e KMP IE A 6lowpan device that supports 15.4e SHOULD also support this pre-15.4e mode of operation Who wants to author this?
21
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 21 KMP Guidelines KMP Sections – General KMP description Sub sections as needed, e.g. backend authentication mechanism – Use case(s) – 802.15 Profile References to defining documents Parameter specifics, e.g. in HIP, K=0 – SA definition E.G. Tie into security PID
22
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 22 KMP Guidelines Initial list of KMPs – 802.1X Needs to include an actual key exchange like the 802.11i 4-way handshake – HIP – R. Moskowitz/J. Haapola – IKEv2 – T. Kivinen – PANA – Yoshihiro Ohba – SAE
23
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 23 KMP Guidelines KMP Profiling for 15.9 usage – Change in encapsulation e.g. IKEv2 specified to run over UDP – Additions for SA management e.g. 802.1X does not supply link keys. In 802.11 usage, this is done via the 4- Way Handshake Special attention to broadcast keying management – Others?
24
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 24 KMP Guidelines KMP use cases – Why this KMP? Code size, CPU/battery demand Multi-layer code reuse – Practical examples – Deployment advice Identity installation and registration When performed – Life-cycle management Rekeying
25
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 25 Open Items
26
doc.: IEEE15-12-0458-00-0009-Moving-KMP-Forward Submission September 2012 Robert Moskowitz, Verizon Slide 26 Next Steps
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.