Presentation is loading. Please wait.

Presentation is loading. Please wait.

CAPWAP Security 65 th IETF 20 March 2006 Scott Kelly

Published byBrandon Wilkerson Modified over 9 years ago

Similar presentations

Presentation on theme: "CAPWAP Security 65 th IETF 20 March 2006 Scott Kelly"— Presentation transcript:

1 CAPWAP Security 65 th IETF 20 March 2006 Scott Kelly scott@hyperthought.com

2 20 March 2006CAPWAP Working Group2 Why is security important in CAPWAP? Many interdependent security protocols running between the station and the network CAPWAP exposes some of this by breaking the original AP model into two pieces (AC/WTP) This architectural change must not degrade existing security (can’t create a weak link)

3 20 March 2006CAPWAP Working Group3 Threats Multiple deployment models –Direct L2 connection –Routed connection, one administrative domain –Routed connection, potentially hostile hops Direct L2 connection –Largely a physical security problem Routed connection (L3), same administrative domain –Seems similar to L2 at first glance –But gets interesting due to what the CAT5 dragged home –Mobile systems invalidate many assumptions regarding security of local LAN (soft and chewy inside is now exposed)

4 20 March 2006CAPWAP Working Group4 Threats, cont. Routed connection over potentially hostile hops –Remote WTP scenarios Employees take WTPs home Branch office WTP, Central office AC Hotspots some hops may be over wireless –Mesh (e.g. metro wifi)

5 20 March 2006CAPWAP Working Group5 How do we address these threats? When physical security is only concern, fairly simple When L3 within one admin domain, can mitigate various threats with switching, vlans, admission control, etc –But capwap should not impose requirements here When routed over potentially hostile hops, all bets are off CAPWAP protocol must be secure in any of these scenarios One common solution is preferable

6 20 March 2006CAPWAP Working Group6 DTLS vs Native LWAPP Security This is the invent vs. reuse debate we’ve had before in the IETF Even really smart people make mistakes –PPP (PAP, CHAP, etc) –RADIUS –WEP and other early WLAN security protocols –Several over-the-network password hashes –Finding more examples is left as an exercise to the reader Security, cryptography are very subtle –More than just combining primitives Ongoing broad technical review is critical –SSL/SSH improvements –Md5, sha1 cracks… Using a CAPWAP one-off will not invite this sort of attention Better to use something already reviewed which has broader deployment, and which will continue to attract attention

7 20 March 2006CAPWAP Working Group7 Where are we now? DTLS has been added to 00 draft The lwapp-dtls draft was in revision when 00 came due –Dtls insertion is rough –There are state machine issues Currently working to resolve various issues –Deletion of JOIN results in loss of important data –DTLS interaction with capwap state machine must be more fully specified At least two people are working on prototypes –Should rapidly uncover any integration issues We should consider a design team to speed the integration process –Goal should be to close all open integration issues asap –Interim meeting(s) if necessary

8 Questions?

Download ppt "CAPWAP Security 65 th IETF 20 March 2006 Scott Kelly"

Similar presentations

Security Policy. TOPICS Objectives WLAN Security Policy General Security Policy Functional Security Policy Conclusion.

Security Policy. TOPICS Objectives WLAN Security Policy General Security Policy Functional Security Policy Conclusion.
PAWS: Use Cases I-D: draft-ietf-paws-problem-stmt-usecases-rqmts Basavaraj Patil, Scott Probasco (Nokia) Juan Carlos Zuniga (Interdigital) IETF 82.

PAWS: Use Cases I-D: draft-ietf-paws-problem-stmt-usecases-rqmts Basavaraj Patil, Scott Probasco (Nokia) Juan Carlos Zuniga (Interdigital) IETF 82.
Doc.: IEEE 802.11-04/250r2 Submission March 2004 Lily Yang, IETF CAPWAP Design Team EditorSlide 1 802.11 WLAN Architectural Considerations for IETF CAPWAP.

Doc.: IEEE /250r2 Submission March 2004 Lily Yang, IETF CAPWAP Design Team EditorSlide WLAN Architectural Considerations for IETF CAPWAP.
1 Data Link Protocols Relates to Lab 2. This module covers data link layer issues, such as local area networks (LANs) and point-to-point links, Ethernet,

1 Data Link Protocols Relates to Lab 2. This module covers data link layer issues, such as local area networks (LANs) and point-to-point links, Ethernet,
Presented by Serge Kpan LTEC 4550.020 Network Systems Administration 1.

Presented by Serge Kpan LTEC Network Systems Administration 1.
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, 2009 05/30/2009.

WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.

Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.
EAP Overview (Extensible Authentication Protocol) Team Golmaal: Vaibhav Sharma Vineet Banga Manender Verma Lovejit Sandhu Abizar Attar.

EAP Overview (Extensible Authentication Protocol) Team Golmaal: Vaibhav Sharma Vineet Banga Manender Verma Lovejit Sandhu Abizar Attar.
Virtual Private Networks (Tunnels). When Are VPN Tunnels Used? VPN with PPTP tunnel Used if: All routers support VPN tunnels You are using MS-CHAP or.

Virtual Private Networks (Tunnels). When Are VPN Tunnels Used? VPN with PPTP tunnel Used if: All routers support VPN tunnels You are using MS-CHAP or.
TRILL over IP draft-ietf-trill-over-ip-01.txt IETF 91, Honolulu Margaret Wasserman Donald Eastlake, Dacheng Zhang.

TRILL over IP draft-ietf-trill-over-ip-01.txt IETF 91, Honolulu Margaret Wasserman Donald Eastlake, Dacheng Zhang.
Telecommunication Networks Group Technical University Berlin Secure WLAN Operation and Deployment in Home and Small to Medium Size Office Environments.

Telecommunication Networks Group Technical University Berlin Secure WLAN Operation and Deployment in Home and Small to Medium Size Office Environments.
NETWORKS – NETWORK FUNDAMENTALS. How do computers connect to each other? Wired vs. Wireless Network cards Special device on computer that lets the computer.

NETWORKS – NETWORK FUNDAMENTALS. How do computers connect to each other? Wired vs. Wireless Network cards Special device on computer that lets the computer.
Configuring Routing and Remote Access(RRAS) and Wireless Networking

Configuring Routing and Remote Access(RRAS) and Wireless Networking
Module 9: Planning Network Access. Overview Introducing Network Access Selecting Network Access Connection Methods Selecting a Remote Access Policy Strategy.

Module 9: Planning Network Access. Overview Introducing Network Access Selecting Network Access Connection Methods Selecting a Remote Access Policy Strategy.
WIRELESS LAN SECURITY Using

WIRELESS LAN SECURITY Using
IPv6 Home Networking Architecture - update IETF homenet WG Interim meeting Philadelphia, 6 th Oct 2011 draft-chown-homenet-arch-00.

IPv6 Home Networking Architecture - update IETF homenet WG Interim meeting Philadelphia, 6 th Oct 2011 draft-chown-homenet-arch-00.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Submission doc.: IEEE 11-12/0589r2 July 2012 Donald Eastlake 3rd, Huawei R&D USASlide 1 General 802.11 Links Date: 2012-05-08 Authors:

Submission doc.: IEEE 11-12/0589r2 July 2012 Donald Eastlake 3rd, Huawei R&D USASlide 1 General Links Date: Authors:
CAPWAP Overview Saag Presentation 65 th IETF 23 March 2006 Scott G. Kelly T. Charles Clancy

CAPWAP Overview Saag Presentation 65 th IETF 23 March 2006 Scott G. Kelly T. Charles Clancy
Michal Procházka, Jan Oppolzer CESNET.

Michal Procházka, Jan Oppolzer CESNET.

Similar presentations

Ads by Google