Transcript of "Wireless LANs: The 802.1X Revolution"

Slide 1

Internet World Wireless West, December 2001

Wireless LANs: The 802.1X Revolution

Dr. Bernard Aboba
Network Architect, Windows
Microsoft
[email protected]
http://www.drizzle.com/~aboba/IEEE/

Slide 2

What We’ll Talk About
- Standards and resources
- Networking – the next decade
- Ethernet everywhere!
- Introduction to IEEE 802.1X
- Deploying IEEE 802.1X with 802.11
- IEEE 802.1X Applications
- What we won’t talk about
  - Details of WEP attacks and proposed fixes
  - Which 802.11, 802.1X or RADIUS vendors are the best

Slide 3

Standards Groups
- IEEE
  - 802.1X “Network Port Authentication”
  - 802.1w “Spanning tree rapid convergence”
  - 802.11e – Quality of Service
  - 802.11f – Inter-Access Point Protocol
  - 802.11i – Extended security
- IETF
  - RADIUS & AAA – authentication, authorization, accounting
  - PPPEXT – Extensible Authentication Protocol (EAP)
  - IPsec and IPSRA – IPsec and VPNs

Slide 4

How to Learn More
- The “Unofficial 802.11 Security” Web Site: http://www.drizzle.com/~aboba/IEEE/
- IEEE
  - IEEE 802 web page: http://grouper.ieee.org/groups/802/dots.html
  - Get IEEE 802 program provides free access to standards older than 6 months
  - Anyone can participate, don’t have to be an IEEE member
  - Don’t have to attend meetings to comment on drafts
  - Meeting attendance is required for voting rights
- IETF
  - IETF web page: http://www.ietf.org/
  - Relevant WGs: MANET, PPPEXT, AAA, MIP, IPsec, IPSRA
  - IETF draft archive: ftp.isi.edu, ftp.ietf.org

Slide 5

Networking – The Next Decade

Slide 6

The Internet Revolution Continues…
- Name a business that won’t be affected by the Internet
- Name an aspect of your life that won’t change because of the Internet
- Chances are that that business or aspect of life hasn’t changed much since 2000 BC either!

Slide 7

By 2009…
- Almost everything will be connected to the Internet
  - Appliances, automobiles, personal communicators, screens (large and small), even your watch.
  - 3 billion Internet-capable wireless devices
- The Internet will be:
  - Telephone, answering machine, television, radio, movie theatre, clock, store, cell phone, pager, post office, mailbox, library, security system, gaming platform, musical instrument, learning center, storage medium, and much, much more!

Slide 8

Some relationships…
- 1 Mbps of wired bandwidth requires approximately 1 MIP of CPU power to process it
  - 1 Gbps ~ 1000 MIPS ~ 1 GHz CPU
- Wireless LAN bandwidth is approximately 2 orders of magnitude behind wired LANs
  - But rate of growth is the same!
- 1 bit of bandwidth requires approximately 10 KB of storage per client
  - 300 bps (early modem) ~ 3 MB storage (PC XT)
  - 1 Mbps (ADSL) ~ 10 GB storage (typical PC storage)
  - As bandwidth increases, so does file size; today we have CD-quality Internet audio; tomorrow, broadcast quality video

Slide 9

Gilder’s Law vs. Moore’s Law: The Last Twenty Years

[Chart, 1982–1998, logarithmic scale 0.01 to 10000. Series: performance in Mflop/s (Micros, Supers), speed in Mbps (Ethernet, 802.11), storage in MB.]

Source: Gordon Bell, Microsoft Research

Slide 10

Local-Area Wireless

Local Area Network Technology:

Technology        Band     Rate         Description
802.11 (FHSS)     2.4 GHz  1 Mbps       Freq. Hopped Spread Spectrum
802.11 (DSSS)     2.4 GHz  1 or 2 Mbps  Direct Sequence Spread Spectrum
Hiperlan                   23.5 Mbps    High Performance Radio LAN
P802.11b (DSSS)   2.4 GHz  11 Mbps      Direct Sequence Spread Spectrum
P802.11a          5 GHz    54 Mbps      Direct Sequence Spread Spectrum

[Timeline by quarter, 1999–2003: Initial Shipments, Final Specification, Specifications Approved, Initial Mobile Shipments.]

Materials from Andrew Seybold - Microsoft Exchange Conference 1999

Slide 11

SAN/WAN/LAN Convergence

[Chart, 1965–2005, bandwidth from 1 Kb to 1 Gb on a logarithmic scale. Series: POTS (@17%/year), WAN, LAN, SAN/backpanels; ISDN and ADSL marked.]

Source: Gordon Bell, Microsoft Research

Slide 12

The Next Twenty Years

[Chart, 2000–2016, logarithmic scale 0.1 to 100000. Series: microprocessor performance in Gflop/s, speed in Gbps (Wired Ethernet, 802.11), storage in GB.]

Slide 13

In a decade we will have:
- Huge storage
  - 1 TB disks will be mass market (<$200)
- Very fast wired networking
  - 100 Gb Ethernet will be mass market (< $100)
- Ubiquitous wireless networking
  - 3 billion units worldwide!
  - 1 Gb wireless LANs: a viable replacement for wired NICs
  - 10 Mbps wireless WANs
- More powerful personal computers
  - 10+ GHz processors
  - 4x resolution (2K x 2K) displays competitive w/paper
  - Large, wall-sized and watch-sized displays
- A new generation of personal communicators
  - PDAs, PIMs, cell phones, watches, etc.
- Invisible computing
  - Networked appliances (washing machines, microwaves, etc.)
- Inevitable, continued cyberization… the challenge… interfacing platforms and people.

Source: Gordon Bell, Microsoft Research

Slide 14

By the End of the Decade, 802.11 will be….
- A viable desktop NIC replacement
- Ubiquitous
  - In 1994, there were less than 3K PPP dialup ports in the US… today there are millions
  - Wireless ISPs will happen
  - Community nets will happen
  - Adhoc networking will extend coverage dramatically
  - Dual 802.11/WAN NICs will be commonplace
- But you already know that!

Slide 15

2009: The Dichotomy

Bigger, Faster
- 200 million units/year: Laptop, Desktop, Server
- 10 GHz processor
- 100 GbE
- 1+ TB magnetic disk

Smaller, Cheaper
- 500 million units/year: PDA/Cell phone/sub-laptop
- 1 GHz processor
- 1 Gbps Wireless LAN
- 10 Mbps wireless WAN
- 1 GB flash disk

Slide 16

Implications
- IP and Ethernet will be the mainstream technology for SAN, MAN, WAN and LAN
  - Fiber the primary PHY for 10 GbE
  - Goodbye Fibre Channel and SONET!
  - Goodbye Home RF and Bluetooth!
- PC architecture will have to change dramatically to keep up with bandwidth increases
  - Hardware acceleration is required, even on desktops!
  - PC Bus replaced by cross-bar switch
  - Optical the ultimate interconnect?
- Managing vast storage will be challenging
  - Storage area networks take off
  - Remote backup and restore

Slide 17

Implications (cont’d)
- Latency as the scarcest commodity
  - Speed of light becomes the major limitation
  - Distribution of applications to the edge: Akamai/Digital Island
  - BW-Delay product will increase
  - Applications need to be tolerant of the high latency characteristic of wireless WAN
  - Need to minimize round-trips!
  - Efficient protocols and caching are critical
- Everything on IP
  - All PC components have an IP(v6) address (Infiniband)
  - SCSI over IP… what’s next?

Slide 18

Life In the 1 Gbps Lane
- Clock cycles are scarce
- Example: 1 Gbps wire speed
  - Packet length of 64 bytes ~ 600 bit times ~ 600 ns (512 bits + 96 bits inter-frame gap)
  - For clock rate of 1 GHz (1 ns), clocks per packet: 600 @ 1 Gbps, 60 @ 10 Gbps, 6 @ 100 Gbps
- Problem only gets worse with time!
- Need to carry out within clock budget:
  - Layer 2: Ethernet, 802.1p, encapsulation/decapsulation
  - Layer 3: IP, DiffServ, IPsec
  - Layer 4: TCP, NAT
  - Layer 5: SSL/TLS, iSCSI
  - Layer 7: XML

Slide 19

Ethernet Everywhere!

Slide 20

Ethernet Everywhere
- Ethernet is becoming the dominant LAN, SAN, MAN, WAN and WLAN medium
  - Ethernet for metropolitan area and longhaul networks
  - Ethernet in the First Mile
  - Ethernet in the Home
  - Ethernet in System Area Networks (SANs)
  - Authenticated LANs
  - Auto-provisioned LANs
  - Fault-tolerant Ethernet
  - Wireless Ethernet
  - Ethernet ISPs
  - Ethernet-based NASes and CPE

Slide 21

The Benefits of Ubiquitous Ethernet
- What would it mean if you could offer twice the bandwidth at half the cost?
- What would it mean if customers could get more bandwidth for their Internet connection in seconds, instead of months?
- What would it mean if you never needed to upgrade a customer’s premises equipment or WAN links?
- What would it mean if you could offer wireless connectivity in any hotel, airport, or public space?
- What would it mean if home users could get Internet access hundreds of times faster than is available today with DSL and Cable Internet?
- What would it mean if customers could back up mission critical data in multiple simultaneous locations in seconds at night, while only paying for the connectivity they need during the day?

This is what Gigabit Ethernet, Wireless LANs (802.11) and Network Port Authentication (IEEE 802.1X) deliver.

Slide 22

10 Gb Ethernet
- Standardized in IEEE 802.3az
- Goal is to maintain existing 802.3 frame format and size while supporting 10 Gbps full duplex operation
  - No support for CSMA/CD!
- Design point is LAN, MAN and WAN
  - LAN: 1310 nm band
  - MAN and WAN: 1550 nm band
- Completion likely 2Q 2002
- Dramatic cost advantages over SONET likely: $50K/port for OC-192 SONET vs. $200/port for 10 Gb Ethernet by 2004

Slide 23

Ethernet ISPs
- Wayport
- OnFibre
  - http://lw.pennwellnet.com/content/Articles/Article_Layout.cfm?ARTICLE_ID=66610&VERSION_NUM=1&PUBLICATION_ID=13&Section=CurrentIssue
- Telseon
  - http://www.cmetric.com/frames.html
  - http://www.zdnet.com/sr/stories/news/0,4538,2532509,00.html
  - http://www.internettelephony.com/asp/itemDisplay.asp?ItemID=8750
  - http://www.nwfusion.com/news/2000/0327sf.html
  - http://www.zdnet.com/intweek/stories/news/0,4164,2523589,00.html
- Yipes
  - http://www.yipes.com/
  - http://www.nwfusion.com/archive/2000/87509_02-14-2000.html
  - http://www.yipes.com/press_box/buzz/media_quotes.html#nwf

Slide 24

The Ethernet Network Access Server (NAS)
- To offer economical Ethernet-based access we need a new class of network access server – the EtherNAS.
- The EtherNAS is managed like a dialup NAS but offers thousands of times the bandwidth.
- IEEE 802.11 APs supporting 802.1X and RADIUS are the first (but not the last) EtherNASes
- Key standards include:
  - IEEE 802
  - RFC 2865 - 2869: RADIUS
  - IEEE 802.1X: Network Port Authentication

Slide 25

The Ethernet CPE
- To offer economical Ethernet-based access on customer premises we need a new class of Ethernet CPE device
- The EtherCPE is as easy to set up as a SOHO router, but offers many times the bandwidth
  - PHY: 802.11 or 1-10 Gbps Ethernet over Fiber interface
  - Low cost
    - Today: $500 for 1 GbE
    - 2002: $250
  - Built in mini-DHCP/DNS server
  - Support for bridging, routing
  - IEEE 802.1X authentication and auto-provisioning

Slide 26

Introduction to IEEE 802.1X

Slide 27

What is Network Access Authentication?
- A mechanism by which access to the network is restricted to authorized entities
  - Identities used are typically userIDs
  - NB: each user on a multi-user machine does not need to authenticate once the link is up, so this doesn’t guarantee that only the authenticated user is accessing the network
- Once authenticated, the session needs to be authorized
  - Authorization can include things like VLANID, rate limits, filters, tunneling, etc.
- To prevent hijacking, you need per-packet authentication as well
  - Encryption is orthogonal to authentication
  - Per-packet MIC based on a key derived during the authentication process, linking each packet to the identity claimed in the authentication
  - No MIC support in PPP and WEP!
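The per-packet MIC point above, as an added illustration that is not from the slides: the key-derivation step is a constructed stand-in for what an EAP method such as TLS or SRP would hand down, HMAC-SHA256 is used as the MIC (the slides name no particular algorithm), and the session, frames and identity "alice" are all constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Set


def derive_session_key(master_secret: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Constructed stand-in for the key the authentication method hands down:
    both sides hold master_secret after authenticating and mix in the nonces
    they exchanged, so the per-packet key is fresh for this session."""
    return hmac.new(master_secret, b"session-key" + client_nonce + server_nonce,
                    hashlib.sha256).digest()


@dataclass
class Frame:
    sender: str          # identity claimed in the frame header
    seq: int             # increases per sender; covered by the MIC to stop replays
    payload: bytes
    mic: bytes = b""     # empty when the link offers no per-packet authentication


def _mic_input(sender: str, seq: int, payload: bytes) -> bytes:
    # Bind everything the receiver relies on into the MIC, including the
    # claimed identity and the sequence number, not just the payload.
    return sender.encode("utf-8") + struct.pack(">Q", seq) + payload


def protect(key: bytes, sender: str, seq: int, payload: bytes) -> Frame:
    """Sender side: tag the frame with a MIC keyed from the authentication exchange."""
    mic = hmac.new(key, _mic_input(sender, seq, payload), hashlib.sha256).digest()[:16]
    return Frame(sender, seq, payload, mic)


class MicReceiver:
    """Receiver with per-packet authentication: a frame is accepted only if its MIC
    verifies under the session key and its sequence number has not been seen."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq: Dict[str, int] = {}

    def accept(self, frame: Frame) -> bool:
        expected = hmac.new(self.key, _mic_input(frame.sender, frame.seq, frame.payload),
                            hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, frame.mic):
            return False                       # forged or tampered: MIC does not verify
        if frame.seq <= self.last_seq.get(frame.sender, -1):
            return False                       # replayed: sequence number already used
        self.last_seq[frame.sender] = frame.seq
        return True


def accept_without_mic(frame: Frame, authenticated: Set[str]) -> bool:
    """Link that authenticates only at connect time (the PPP/WEP situation on the
    slide): once the session is up, the claimed sender identity is taken on trust."""
    return frame.sender in authenticated


def run_scenario() -> Dict[str, bool]:
    """Constructed session: 'alice' authenticates and sends one genuine frame; then
    a replay, a tampered copy, and a frame that merely claims alice's identity
    without the session key arrive. Each entry is True when the outcome is the
    one the slide argues for."""
    key = derive_session_key(b"constructed-master-secret", b"\x01" * 16, b"\x02" * 16)
    rx = MicReceiver(key)
    genuine = protect(key, "alice", 1, b"GET /index.html")
    replay = Frame(genuine.sender, genuine.seq, genuine.payload, genuine.mic)
    tampered = Frame(genuine.sender, 2, b"GET /admin", genuine.mic)
    claimed = Frame("alice", 3, b"GET /admin")   # no key, so no valid MIC
    return {
        "mic_accepts_genuine": rx.accept(genuine),
        "mic_rejects_replay": not rx.accept(replay),
        "mic_rejects_tampered": not rx.accept(tampered),
        "mic_rejects_claimed_identity": not rx.accept(claimed),
        # Without a MIC the check is by claimed name only, so the frame gets through.
        "no_mic_accepts_claimed_identity": accept_without_mic(claimed, {"alice"}),
    }


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```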

Slide 28

Network Access Alternatives
- Network access authentication has already been implemented at every layer.
- PHY
  - Example: 802.11b
  - Pros: no MAC or TCP/IP changes required (all support in firmware)
  - Cons: requires firmware changes in NICs and NASes to support new auth methods, requires NAS to understand new auth types, slows delivery of bug fixes (e.g. WEP v1.0), hard to integrate into AAA
- MAC
  - Examples: PPP, 802.1X
  - Pros: no firmware changes required for new auth methods, easier to fix bugs, easy to integrate into AAA, no network access needed prior to authentication, extensible (RFC 2284)
  - Cons: requires MAC layer changes unless implemented in driver

Slide 29

Network Access Alternatives (cont’d)
- IP
  - Examples: hotel access (based on ICMP re-direct to access web server)
  - Pros: no client MAC or TCP/IP changes required (for ICMP re-direct method)
  - Cons: Doesn’t work for all apps, no mutual authentication, partial network access required prior to auth, need to find access control server if not at first hop, typically not extensible, may not derive encryption keys, no accounting (no logoff)
- UDP/TCP
  - Examples: Proprietary token card protocols
  - Pros: No client MAC or TCP/IP changes required – can be implemented purely at the application layer
  - Cons: requires client software, partial network access required prior to auth, need to find access control server if not at first hop, typically not extensible, no accounting (no logoff)

Slide 30

Why Do Auth at the Link Layer?
- It’s fast, simple, and inexpensive
  - Most popular link layers support it: PPP, IEEE 802
  - Cost matters if you’re planning on deploying 1 million ports!
- Client doesn’t need network access to authenticate
  - No need to resolve names, obtain an IP address prior to auth
- NAS devices need minimal layer 3 functionality
  - 802.11 access points, 1 Gbps switch ports go for $300, support 802.1D, 802.1X, SNMP & RADIUS, may have no layer 3 filtering support
  - Authentication, AAA support typically a firmware upgrade
- In a multi-protocol world, doing auth at link layer enables authorizing all protocols at the same time
  - Doing it at the network layer would mean adding authentication within IPv4, IPv6, AppleTalk, IPX, SNA, NetBEUI
  - Would also mean authorizing within multiple layers
  - Result: more delay

Slide 31

What is IEEE 802.1X?
- The IEEE standard for authenticated and auto-provisioned LANs.
  - Ratified June 2001
  - Based on EAP, IETF RFC 2284
- A framework for authentication and key management
  - IEEE 802.1X derives keys which can be used to provide per-packet authentication, integrity and confidentiality
  - Typically used along with well-known key derivation algorithms (e.g. TLS, SRP, etc.)
  - IEEE 802.1X does not mandate security services – can do authentication, or authentication & encryption
  - Encryption alone not recommended (but that’s what WEP does)
- What 802.1X is not
  - Purely a wireless standard – it applies to all IEEE 802 technologies (e.g. Ethernet First Mile applications)
  - PPP over Ethernet (PPPOE) – only supports EAP authentication methods (no PAP or CHAP), packets are not encapsulated
  - A cipher – not a substitute for WEP, RC4, DES, 3DES, AES, etc.
    - But 802.1X can be used to derive keys for any cipher
  - A single authentication method
    - But 802.1X can support many authentication methods without changes to the AP or NIC firmware

Slide 32: A History of IEEE 802.1X

- The idea started with customers who wanted to control access to a public network
  - Universities, government agencies
- Existing approaches were inadequate
  - Customers wanted something that could be implemented inexpensively, on existing switches
  - Customers wanted to utilize existing network access infrastructure (RADIUS, LDAP, etc.)
  - PPPoE: too much overhead
  - VPN: too many interoperability issues
  - DHCP: designed for addressing and configuration, not access control
- Concept developed by 3Com, HP, and Microsoft
  - We examined alternatives, and settled on a Layer 2 approach
  - A small group wrote the spec and built prototypes
  - Consensus and running code! Not designed by committee!
- IEEE 802.1X PAR approved in January 1999
- Approved as an IEEE standard June 2001
- Specification available at: http://www.drizzle.com/~aboba/IEEE/

Slide 33: 802.1X Topologies

[Diagram] The supplicant (with its PAE) talks to the authenticator/EtherNAS (e.g. an access point or bridge, with its own PAE) at the semi-public network / enterprise edge, using EAP over LAN (EAPOL) or, on 802.11, EAP over Wireless (EAPOW). The authenticator relays EAP to the authentication server in the enterprise or ISP network using EAP over RADIUS. A second branch shows an EtherCPE device in the supplicant role in front of non-802.1X equipment.

Slide 34: 802.1X Security Philosophy

- Approach: a flexible security framework
  - Implement the security framework in upper layers
  - Enable plug-in of new authentication and key management methods without changing the NIC or access point
  - Leverage main CPU resources for cryptographic calculations
- How it works
  - The security conversation is carried out between the supplicant and the authentication server
  - The NIC and access point act as pass-through devices
- Advantages
  - Decreases hardware cost and complexity
  - Enables customers to choose their own security solution
  - Can implement the latest, most sophisticated authentication and key management techniques with modest hardware
  - Enables rapid response to security issues

Slide 35: What is EAP?

- The Extensible Authentication Protocol (RFC 2284)
- Provides a flexible link layer security framework
- Simple encapsulation protocol
  - No dependency on IP
  - ACK/NAK, no windowing
  - No fragmentation support
- Few link layer assumptions
  - Can run over any link layer (PPP, 802, etc.)
  - Does not assume a physically secure link; the methods provide the security services
  - Assumes no re-ordering
  - Can run over lossy or lossless media
  - Retransmission is the responsibility of the authenticator (not needed for 802.1X or 802.11)
- EAP methods based on IETF standards
  - Transport Layer Security (TLS) (supported in Windows 2000)
  - Secure Remote Password (SRP)
  - GSS_API (including Kerberos)

Slide 36: EAP Architecture

[Diagram] Three layers. Media layer: PPP, 802.3, 802.5 and 802.11, reached through NDIS APIs. EAP layer: the EAP encapsulation above the media, exposing EAP APIs upward. Method layer: TLS, SRP, AKA and SIM, plugged in above EAP through those APIs.

Slide 37: What is RADIUS?

- Remote Authentication Dial In User Service
- Supports authentication, authorization, and accounting for network access
  - Physical ports (analog, ISDN, IEEE 802)
  - Virtual ports (tunnels, wireless)
- Allows centralized administration and accounting
- IETF status
  - Proposed Standard: RFC 2865, RADIUS authentication/authorization; RFC 2618-2621, RADIUS MIBs; RFC 3162, RADIUS and IPv6
  - Informational: RFC 2866, RADIUS accounting; RFC 2867-2868, RADIUS tunneling support; RFC 2869, RADIUS extensions

Slide 38: IEEE 802.1X Conversation

[Diagram] Laptop computer (supplicant), Ethernet switch (authenticator) and RADIUS server. EAPOL runs between laptop and switch, RADIUS between switch and server. Message order:
1. Port connect; access blocked
2. Supplicant -> switch: EAPOL-Start
3. Switch -> supplicant: EAP-Request/Identity
4. Supplicant -> switch: EAP-Response/Identity
5. Switch -> RADIUS: Access-Request
6. RADIUS -> switch: Access-Challenge; switch -> supplicant: EAP-Request
7. Supplicant -> switch: EAP-Response (credentials)
8. Switch -> RADIUS: Access-Request
9. RADIUS -> switch: Access-Accept; switch -> supplicant: EAP-Success
10. Access allowed

Slide 39: 802.1X On 802.11

[Diagram] Laptop computer (supplicant), access point (authenticator) and RADIUS server. EAPOW (the slides' name for EAPOL carried over 802.11; the frame format is the same) runs between laptop and access point, RADIUS between access point and server. Message order:
1. Supplicant -> AP: 802.11 Associate-Request
2. AP -> supplicant: 802.11 Associate-Response; association done, access blocked
3. Supplicant -> AP: EAPOW-Start
4. AP -> supplicant: EAP-Request/Identity
5. Supplicant -> AP: EAP-Response/Identity
6. AP -> RADIUS: Access-Request
7. RADIUS -> AP: Access-Challenge; AP -> supplicant: EAP-Request
8. Supplicant -> AP: EAP-Response (credentials)
9. AP -> RADIUS: Access-Request
10. RADIUS -> AP: Access-Accept; AP -> supplicant: EAP-Success
11. AP -> supplicant: EAPOW-Key (WEP)
12. Access allowed

Slide 40: 802.1X authentication in 802.11

- IEEE 802.1X authentication occurs after 802.11 association or reassociation
  - Association/reassociation serves as "port up" within the 802.1X state machine
  - Prior to authentication, the access point filters all non-802.1X traffic from the client
  - If 802.1X authentication succeeds, the access point removes the filter
- 802.1X messages are sent to the destination MAC address
  - Client and access point MAC addresses are known after 802.11 association
  - No need to use the 802.1X multicast MAC address in EAPOL-Start and EAP-Request/Identity messages
  - Prior to 802.1X authentication, the access point only accepts packets with source = client and Ethertype = EAPOL (0x888E)
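The following is an added example, not code from the slides or from any vendor's implementation. It puts the EAP framing of slide 35, the slide 38 message flow and the pre-authentication filter of slide 40 into running code: EAPOL frames (IEEE 802.1X-2001 header, Ethertype 0x888E) carry RFC 2284 EAP packets, the authenticator's controlled port admits only EAPOL from the associated client until EAP-Success, and the exchange is run end to end with EAP-MD5 (the CHAP-style method Windows XP shipped alongside EAP-TLS). The RADIUS leg is replaced by an in-process user store and logged message names; the MAC addresses, identity and password are constructed test values.

```python
import hashlib
import os
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_VERSION = 1
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3   # 802.1X packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # RFC 2284 codes
EAP_IDENTITY, EAP_MD5 = 1, 4                                    # RFC 2284 types


def eap(code, ident, etype=None, data=b""):
    """RFC 2284 packet: Code, Identifier, Length, then Type and type data."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    body = pkt[4:length]
    return code, ident, (body[0] if body else None), body[1:]


def eapol(dst, src, ptype, body=b""):
    """Ethernet header followed by the EAPOL header (version, type, length)."""
    hdr = struct.pack("!HBBH", EAPOL_ETHERTYPE, EAPOL_VERSION, ptype, len(body))
    return dst + src + hdr + body


def parse_eapol(frame):
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        return dst, src, ethertype, None, None
    _ver, ptype, length = struct.unpack("!BBH", frame[14:18])
    return dst, src, ethertype, ptype, frame[18:18 + length]


class AuthenticatorPort:
    """Controlled port on an AP or switch. Until the port is authorized it
    admits only EAPOL frames whose source is the associated client (slide 40)."""

    def __init__(self, client_mac):
        self.client_mac = client_mac
        self.authorized = False

    def admit(self, frame):
        _, src, ethertype, _, _ = parse_eapol(frame)
        if self.authorized:
            return True
        return src == self.client_mac and ethertype == EAPOL_ETHERTYPE


def md5_response(ident, secret, challenge):
    """EAP-MD5 response value, as in CHAP: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def run_exchange(port, client, ap, identity, password, user_db):
    """Slide 38 flow with EAP-MD5 as the method. user_db stands in for the
    RADIUS server's user store; the RADIUS hops are logged, not sent."""
    log = []
    port.admit(eapol(ap, client, EAPOL_START))
    log.append("EAPOL-Start")
    ident = 1
    log.append("EAP-Request/Identity")            # authenticator -> supplicant
    frame = eapol(ap, client, EAPOL_EAP, eap(EAP_RESPONSE, ident, EAP_IDENTITY, identity))
    if not port.admit(frame):
        return log + ["dropped by port filter"]
    _, _, _, _, body = parse_eapol(frame)
    _, _, _, name = parse_eap(body)
    log.append("EAP-Response/Identity")
    log.append("RADIUS Access-Request")           # EAP-Message attribute inside
    challenge = os.urandom(16)
    ident += 1
    log.append("RADIUS Access-Challenge")
    req = eap(EAP_REQUEST, ident, EAP_MD5, bytes([16]) + challenge)
    log.append("EAP-Request/MD5-Challenge")
    # Supplicant side: parse the request and answer with its password.
    _, rid, _, rdata = parse_eap(req)
    value = md5_response(rid, password, rdata[1:1 + rdata[0]])
    resp = eap(EAP_RESPONSE, rid, EAP_MD5, bytes([16]) + value + name)
    port.admit(eapol(ap, client, EAPOL_EAP, resp))
    log.append("EAP-Response/MD5-Challenge")
    log.append("RADIUS Access-Request")
    # Server side: recompute from the stored password and compare.
    _, _, _, sdata = parse_eap(resp)
    expected = md5_response(rid, user_db.get(name, b""), challenge)
    if name in user_db and sdata[1:17] == expected:
        port.authorized = True                    # filter removed (slide 40)
        log += ["RADIUS Access-Accept", "EAP-Success"]
    else:
        log += ["RADIUS Access-Reject", "EAP-Failure"]
    return log


def demo():
    client = bytes.fromhex("020000000001")        # constructed MACs
    ap = bytes.fromhex("020000000002")
    port = AuthenticatorPort(client)
    ip_frame = ap + client + b"\x08\x00" + b"\x45\x00\x00\x14" + b"\x00" * 16
    before = port.admit(ip_frame)                 # False: IP blocked pre-auth
    log = run_exchange(port, client, ap, b"alice", b"s3cret", {b"alice": b"s3cret"})
    after = port.admit(ip_frame)                  # True once authorized
    return before, log, after
```

EAP-MD5 is used here only because it is the shortest method to show in full: it gives no mutual authentication and derives no keys, which is exactly why slide 53 recommends EAP-TLS or SRP for 802.11. The port filter is the part worth copying: nothing but EAPOL from the associated MAC crosses the port before EAP-Success.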

Slide 41: 802.1X and Per-STA Session Keys

- How does 802.1X derive per-station unicast session keys?
  - Can use any EAP method supporting secure dynamic key derivation: EAP-TLS (RFC 2716), EAP-SRP, EAP-AKA and EAP-SIM (for compatibility with cellular), Security Dynamics
  - Keys are derived on the client and the RADIUS server
  - The RADIUS server transmits the key to the access point in a RADIUS attribute, encrypted on a hop-by-hop basis using the shared secret between RADIUS client and server
  - Unicast keys can be used to encrypt subsequent traffic, including the EAPOW-Key packet (for carrying multicast/global keys)
- Per-station unicast session keys are not required
  - If only multicast/global keys are supported, then the session key is only used to encrypt the multicast/global key
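An added example (not from the slides, and not any RADIUS server's own code) of the "encrypted on a hop-by-hop basis" step above. The wrapping shown is the attribute encryption of RFC 2548 (MS-MPPE-Send-Key / MS-MPPE-Recv-Key), which is how Windows 2000 IAS and other EAP-capable RADIUS servers of the period handed the per-STA key to the access point; the shared secret, Request Authenticator and key are constructed test values. The Message-Authenticator helper is the RFC 2869 HMAC-MD5 that an EAP-carrying Access-Accept must also carry.

```python
import hashlib
import hmac
import os


def mppe_encrypt(secret, request_authenticator, key, salt=None):
    """Wrap key as RFC 2548 section 2.4.2 does for MS-MPPE-Send-Key:
    P = Key-Length || Key || zero pad to a 16-byte multiple
    b(1) = MD5(S || R || A), c(1) = p(1) xor b(1)
    b(i) = MD5(S || c(i-1)), c(i) = p(i) xor b(i)
    Attribute string = Salt || c(1) || ... || c(n)."""
    if salt is None:
        salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    if len(key) > 255:
        raise ValueError("key length must fit in one byte")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out = bytearray()
    prev = request_authenticator + salt
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(plain[i:i + 16], b))
        out += c
        prev = c
    return salt + bytes(out)


def mppe_decrypt(secret, request_authenticator, attr):
    """Inverse of mppe_encrypt, as the access point runs it. The attribute
    carries no integrity check of its own: a wrong secret yields garbage,
    caught here only when the length byte is impossible."""
    salt, cipher = attr[:2], attr[2:]
    if not cipher or len(cipher) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_authenticator + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(cipher[i:i + 16], b))
        prev = cipher[i:i + 16]
    klen = plain[0]
    if klen > len(plain) - 1:
        raise ValueError("implausible key length: wrong shared secret?")
    return bytes(plain[1:1 + klen])


def message_authenticator(secret, packet_with_zeroed_field):
    """RFC 2869 Message-Authenticator: HMAC-MD5 over the whole RADIUS packet
    with the attribute's 16 value bytes set to zero. This, not the key
    wrapping, is what protects an EAP-carrying Access-Accept from tampering."""
    return hmac.new(secret, packet_with_zeroed_field, hashlib.md5).digest()


def demo():
    secret = b"constructed-shared-secret"
    request_authenticator = os.urandom(16)    # from the AP's Access-Request
    session_key = os.urandom(32)              # per-STA key from the EAP method
    attr = mppe_encrypt(secret, request_authenticator, session_key)
    ok = mppe_decrypt(secret, request_authenticator, attr) == session_key
    try:
        wrong = mppe_decrypt(b"other-secret", request_authenticator, attr) == session_key
    except ValueError:
        wrong = False
    return ok, wrong, len(attr)
```

Two practical consequences follow from the construction. The key is only as secret as the RADIUS shared secret, since MD5 of the secret is the entire keystream, so a short or shared-across-sites secret exposes every session key an attacker can capture. And "hop by hop" means every RADIUS proxy between access point and home server decrypts and re-encrypts the key, and therefore sees it in the clear.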

Slide 42: 802.1X and Multicast/Global Keys

- How can 802.1X transfer multicast/global keys?
  - An EAPOL packet type is defined for transporting multicast/global keys: EAPOW-Key
  - The EAPOW-Key packet type is used to transmit one or more keys from the access point to the client (or vice versa)
  - EAPOW-Key packets are only sent after EAPOW authentication succeeds
  - EAPOW-Key packets are encrypted using the derived per-STA encryption key

Slide 43: 802.1X and Ad-Hoc Networking

- What is ad-hoc networking?
  - Stations communicating directly with other stations
- How does ad-hoc networking work with 802.1X?
  - Both stations initiate the EAPOL conversation
  - All stations authenticate with each other
  - Otherwise mutual authentication is required, plus an algorithm to select the authenticator
- RADIUS is not used in ad-hoc mode
  - Typically implies that user credentials are stored on the stations

Slide 44: Key Management for Ad-Hoc Networking

- Requirements
  - Password-based mutual authentication
  - Secure key generation
- Evaluation of existing EAP methods
  - EAP-TLS: supports mutual authentication and keying, but assumes both participants have a certificate
  - EAP-SRP: supports mutual authentication, but assumes distinct "client" and "server" roles
- 802.1X will work in ad-hoc mode if required
  - A shared key is the easiest mechanism in most cases

Slide 45: Other issues with Adhoc

- Interconnections not organized
  - Multiple interconnections to destinations
  - "Hidden" stations
  - Loops in the network
- L2 spanning tree required
  - Removes loops, organizes STAs to form a coherent LAN
  - Problem: convergence time of 802.1D too slow
- Not easy to connect both via ad-hoc and AP
  - Two interfaces need to be exposed
  - Requires STAs to act as a bridge
  - Creates potential security issues

Slide 46: Adhoc Networking Advances

- Goal: allow devices to talk to each other without a network administrator
  - Focus of IETF ZEROCONF WG
- Fast spanning tree convergence: IEEE 802.1w
- IPv4 link-local addressing: draft-ietf-zeroconf-ipv4-linklocal-0x.txt
- IPv4 automatic multicast addressing: draft-thaler-zeroconf-multicast-0x.txt
- Mini-DHCP server: draft-aboba-dhc-mini-0x.txt
- Multicast DNS: draft-ietf-dnsext-mdns-0x.txt
- UPnP: draft-cai-ssdp-v1-0x.txt

Slide 47: Extending Coverage with Adhoc

[Diagram] The slide 33 topology (supplicant; authenticator/EtherNAS such as an access point or bridge at the semi-public network / enterprise edge; authentication server in the enterprise or ISP network; EAPOL or EAPOW on the first hop and EAP over RADIUS on the second), with a chain of ad-hoc peers hanging off the supplicant to extend coverage.

Slide 48: Deploying IEEE 802.1X With 802.11

Slide 49: Deployment Issues with 802.11

- User-based authentication and accounting
  - 802.11-1997 only allows users to be identified by MAC address
  - How do I know who is on my network?
  - How can I do user-based access control, accounting and auditing?
  - What happens if a machine is stolen?
  - Proprietary key management solutions require separate user databases
- Secure roaming
  - Why can't you just "plug in and connect" anywhere in the world?
- Key management
  - 802.11-1997 supports per-user keys, but most implementations only support global keys
  - What if the global key(s) are compromised?
  - Static keys are difficult to manage on clients and access points

Slide 50: WEP Summary of Attacks

- Downloadable procedures
  - To crack the key: http://airsnort.sourceforge.net/ and http://sourceforge.net/projects/wepcrack/
  - To brute-force entry into a WLAN, select THC-RUT from http://www.thehackerschoice.com/releases.php
- Attacks based on [Walker], [Arbaugh], [Berkeley team], [Fluhrer/Shamir]
  - Lack of IV replay protection
  - Short IV sequence space
  - RC4 vulnerabilities due to WEP's implementation
  - Linear properties of CRC32 (allows bit flipping)
  - Lack of keyed MIC
  - Use of shared keys
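The bit-flipping item above, worked through as an added example (not from the slides, and on a toy frame rather than a real 802.11 capture). It builds a WEP-style body (payload || CRC-32 ICV, XORed with RC4(IV || key)), then modifies chosen plaintext bytes from the ciphertext alone, patching the encrypted ICV with nothing but the linearity of CRC-32, and shows the receiver accepting the forgery. The same flip against a variant that appends a keyed MIC is rejected, which is the point of "lack of keyed MIC". The keyed MIC used here (truncated HMAC-SHA1) is chosen for the demonstration only and is not the design 802.11i adopted; key, IV and payload are constructed.

```python
import hashlib
import hmac
import struct
import zlib


def rc4(key, n):
    """n bytes of RC4 keystream (KSA + PRGA); toy implementation for the demo."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, payload):
    """WEP: body = payload || ICV, ICV = CRC32(payload) little-endian,
    body XOR RC4(iv || key). Frame = iv || encrypted body."""
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    body = payload + icv
    ks = rc4(iv + key, len(body))
    return iv + bytes(b ^ k for b, k in zip(body, ks))


def wep_decrypt(key, frame):
    """Return the payload if the ICV verifies, else None."""
    iv, body = frame[:3], frame[3:]
    ks = rc4(iv + key, len(body))
    plain = bytes(b ^ k for b, k in zip(body, ks))
    payload, icv = plain[:-4], struct.unpack("<I", plain[-4:])[0]
    return payload if zlib.crc32(payload) & 0xFFFFFFFF == icv else None


def flip_bits(frame, delta):
    """Attacker, no key: XOR delta into the encrypted payload and patch the
    encrypted ICV. Uses only crc(P ^ D) = crc(P) ^ crc(D) ^ crc(0^len)."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole payload")
    zero = zlib.crc32(b"\x00" * n) & 0xFFFFFFFF
    icv_delta = (zlib.crc32(delta) ^ zero) & 0xFFFFFFFF
    mask = delta + struct.pack("<I", icv_delta)
    return iv + bytes(b ^ m for b, m in zip(body, mask))


def mic_encrypt(key, mic_key, iv, payload):
    """Same WEP encryption, but a keyed MIC over IV and payload is appended
    to the plaintext first (illustrative hardened variant)."""
    mic = hmac.new(mic_key, iv + payload, hashlib.sha1).digest()[:8]
    return wep_encrypt(key, iv, payload + mic)


def mic_decrypt(key, mic_key, frame):
    plain = wep_decrypt(key, frame)
    if plain is None:
        return None
    payload, mic = plain[:-8], plain[-8:]
    expected = hmac.new(mic_key, frame[:3] + payload, hashlib.sha1).digest()[:8]
    return payload if hmac.compare_digest(mic, expected) else None


def demo():
    key = b"\x01\x02\x03\x04\x05"                  # constructed 40-bit WEP key
    iv = b"\x10\x20\x30"
    payload = b"PAY TO: alice    AMOUNT: 0010"
    # Attacker knows the field layout, not the contents or the key, and
    # wants "0010" to read "9910": XOR '0'^'9' into two positions.
    delta = bytearray(len(payload))
    delta[-4] = delta[-3] = ord("0") ^ ord("9")
    forged = flip_bits(wep_encrypt(key, iv, payload), bytes(delta))
    tampered = wep_decrypt(key, forged)            # plain WEP accepts it
    mic_key = b"constructed-mic-key"
    mframe = mic_encrypt(key, mic_key, iv, payload)
    rejected = mic_decrypt(key, mic_key, flip_bits(mframe, bytes(delta) + b"\x00" * 8))
    return tampered, rejected
```

The ICV is patched without decrypting anything: the attacker XORs the CRC of the change (corrected by the CRC of an all-zero string of the same length) into the encrypted ICV, and RC4's XOR structure carries both changes straight through. Only a MAC keyed with something the attacker lacks breaks the trick, which is why the WEP fixes on slide 55 still list "no keyed MIC" as an open deficiency.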

Slide 51: Quest to Improve WEP

How can we improve WEP security and
- Retain (most) performance
  - Enhance without greatly reducing line rates
- Easily upgrade deployed systems
  - Avoid hardware upgrades
- Retain interoperability
  - Allow most deployed systems to upgrade
  - Allow for incremental deployment
  - Allow legacy systems to continue to work without improvements
- Provide better protection until AES is available

Slide 52: Improving WEP's Security

Recommended Practice includes:
1. Per-link keys: a unique key per STA
2. IV sequencing: check for monotonically increasing IVs; weak IV avoidance
3. 104-bit keys: 24-bit IV + 104-bit key = 128 bits
4. Rapid rekey: derive WEP keys from a master key; change the encryption key frequently
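Items 2 and 3 of that list as an added example (not from the slides, and not any vendor's filter). The sender keeps a per-link IV counter, skips the Fluhrer/Mantin/Shamir "resolved" IVs of the form (A+3, 0xFF, X) that the early weak-IV filters targeted, and refuses to wrap the 24-bit space; the receiver keeps the last IV seen per STA and accepts only strictly increasing values, which is what turns IV sequencing into replay rejection. The 13-byte (104-bit) key length and the counter layout are assumptions made for the demonstration.

```python
KEY_BYTES = 13   # 104-bit key; with the 24-bit IV that is the 128 bits of slide 52


def is_weak_iv(iv):
    """Fluhrer/Mantin/Shamir 'resolved' IVs of the form (A+3, 0xFF, X), the
    class early weak-IV avoidance filters skipped. iv is the 3 bytes that
    precede the secret key in the RC4 key setup."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + KEY_BYTES


class IvSource:
    """Sender side: a per-link counter (one per STA under per-link keys)
    that skips weak IVs and refuses to wrap, forcing a rekey instead."""

    def __init__(self, start=0):
        self.counter = start

    def next_iv(self):
        while True:
            if self.counter >= 1 << 24:
                raise OverflowError("24-bit IV space exhausted: rekey before continuing")
            iv = self.counter.to_bytes(3, "little")
            self.counter += 1
            if not is_weak_iv(iv):
                return iv


class IvReceiver:
    """Receiver side: per-STA 'last IV seen'; a frame is accepted only if
    its IV is strictly greater (monotonic check), which rejects replays."""

    def __init__(self):
        self.last = {}

    def accept(self, sta, iv):
        if is_weak_iv(iv):
            return False
        n = int.from_bytes(iv, "little")
        if n <= self.last.get(sta, -1):
            return False
        self.last[sta] = n
        return True


def demo():
    src = IvSource(start=0xFF00)          # counter just before a weak-IV run
    ivs = [src.next_iv() for _ in range(20)]
    skipped = sum(is_weak_iv(n.to_bytes(3, "little")) for n in range(0xFF00, src.counter))
    rx = IvReceiver()
    in_order = all(rx.accept("sta1", iv) for iv in ivs)
    replay = rx.accept("sta1", ivs[5])    # old IV replayed: rejected
    other = rx.accept("sta2", ivs[5])     # different STA, own window: accepted
    return skipped, in_order, replay, other
```

The monotonic check only works because the sender never reuses the space, hence the hard stop and rekey on exhaustion (item 4 of the list); with a shared global key and independent senders, as in plain WEP, no receiver-side rule can tell a replay from a collision.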

Slide 53: 802.1X Authentication

- 802.1X users are identified by usernames, not MAC addresses
  - Enables user-based authentication, authorization, accounting
- For use with 802.1X, EAP methods supporting mutual authentication are recommended
  - Need to mutually authenticate to guarantee the key is transferred to the right entity
  - Prevents man-in-the-middle and rogue server attacks
- Common EAP methods support mutual authentication
  - TLS: server and client must each supply a certificate and prove possession of the private key
  - SRP: permits mutual authentication via a weak shared secret without risk of dictionary attack on the wire
  - Tunneled TLS: enables any EAP method to run, protected by TLS

Slide 54: Advantages of IEEE 802.1X

- Open standards based
  - Leverages existing standards: EAP (RFC 2284), RADIUS (RFC 2865, 2866, 2867, 2868, 2869)
  - Enables interoperable user identification, centralized authentication, key management
- Enables automated provisioning of LAN connectivity
- User-based identification
  - Identification based on the Network Access Identifier (RFC 2486) enables support for roaming access in public spaces (RFC 2607)
  - Enables a new class of wireless Internet access
- Dynamic key management
  - Improved security for wireless (802.11) installations

Slide 55: WEPv1.0 with 802.1X

- Improved key derivation
  - Per-user unicast keys instead of a global unicast key
  - The unicast key may be changed periodically to avoid staleness
  - Support for standards-based key derivation techniques, e.g. TLS, SRP
  - Kerberos V without PKINIT is not recommended for use with 802.11
- Additional fixes still under discussion
  - Authentication for reassociate, disassociate
- WEP deficiencies still present
  - No keyed MIC
  - Improper usage of the RC4 stream cipher
  - No IV replay protection
- Long term solution: need a "real" cipher!
  - AES proposals under discussion
  - AES-OCB versus AES-CTR mode and CBC-MAC with XCBC extensions

Slide 56: 802.1X Implementations

- Implementations available now
  - IEEE 802.1X support included in Windows XP
  - Firmware upgrades available from AP and NIC vendors
  - Interoperability testing underway
- 802.1X OS support
  - Microsoft: Windows XP
  - Cisco: Windows 9x, NT4, 2000, Mac OS, Linux
- RADIUS servers supporting EAP
  - Microsoft Windows 2000 Server
  - Cisco ACS
  - Funk RADIUS
  - Interlink Networks (formerly MERIT) RADIUS server

Slide 57: Vendors Supporting 802.1X

- Microsoft, AirWave, Compaq, Dell, IBM, Intel, HP, Symbol, Toshiba, Telson, Wayport
  - http://www.microsoft.com/presspass/press/2001/Mar01/03-26XPWirelessPR.asp
- 3Com
  - http://emea.3com.com/news/news01/mar26.html
- Agere
  - http://www.networkmagazine.com/article/COM20010629S0009
  - http://www.lucent.com/micro/NEWS/PRESS2001/080801a.html
- Enterasys
  - http://www.dialelectronics.com.au/articles/c4/0c0023c4.asp
  - http://www.computingsa.co.za/2001/03/26/News/new07.htm
- Intersil
  - http://www.intersil.com/pressroom/20010403_802_1xWindows_XPFINAL_English.asp
- Cisco
  - Catalyst switches: http://www.redcorp.com/products/09084608.asp
  - 802.11 access points: http://www.security-informer.com/english/crd_security_495312.html and http://cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1281_pp.pdf

Slide 58: Windows Wireless Architecture

[Diagram] Block diagram of the Windows networking stack, with the components affected by wireless highlighted. NDIS 5.1 media layer: Ethernet, Token Ring, 802.11, Bluetooth, RNDIS, and NDIS WAN (PPTP, async). Protocol stacks: TCP/IP with IP packet filtering, IP forwarder, packet scheduler and packet classifier; 802.1D; NetBT. Networking services: 802.1X, DHCP, DNS, IGMP, IRDP, route table, network location, UPnP. Networking APIs: WinSock 2.0, RSVP, TAPI 3.0 dial-up networking APIs, routing APIs, network streaming (DirectX).

Slide 59: Windows XP Wireless Features

- Extensible security with 802.1X
  - Support for 802.1X built in (EAP-TLS, EAP-MD5)
- Wireless roaming
  - Automated configuration via SSID detection

Slide 60: Windows XP Wireless (cont'd)

- Improved driver support
- Internet Connection Firewall (ICF)

Slide 61: Microsoft's 802.1X Deployment

- Largest known 802.11b deployment
- Now running IEEE 802.1X exclusively
  - Clients running Windows XP
  - Authentication based on certificates (EAP-TLS)
  - Centralized management via the Windows 2000 RADIUS server (IAS) and Active Directory
- Deployment based on Cisco access points
- Multiple 802.11 NIC vendors supported

Slide 62
Deployment Issues
- Shared use APs
  - Driver should be prepared for multiple SSIDs included in Beacons and Probe Responses
- Drivers and laptops
  - Spurious media sense events on some NICs
  - Defective PCMCIA controllers on some laptops
  - Poor antenna design on some laptops with built-in wireless NICs
- Rogue APs
  - Problem is not just connecting to them (solved by SSID preference), but radio interference
  - Note: SSID preference only keeps clients off someone else's network; an attacker advertising your SSID is caught only by mutual authentication, i.e. the client validating the server certificate in EAP-TLS
- User versus machine certificates
  - Machine certs imply authentication at boot; user certs imply authentication on user login
  - Management (SMS, group policy, etc.) is easier if the machine is always on the network
- Certificate management
  - Need to get clients set up with proper machine and user certificates
  - Solution: deployment of enrollment scripts

Slide 63
Diagnosing 802.1X
- RADIUS accounting
  - Acct-Terminate-Cause attribute (RFC 2866) provides information on why a session ended
  - Connect-Info attribute (RFC 2869) provides information on link performance
- 802.1X MIB
  - Provides information on failures at each stage of the authentication process
  - "Failure fractions" derived from MIB variables are ideally suited for reporting and quality control charts
  - Provides the same accounting information as RADIUS accounting
  - SNMP supports "pull model" accounting
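The "failure fractions" idea above, worked through as an added example (this is not code from the talk). The counter names follow the Authenticator Diagnostics table (dot1xAuthDiagTable) of the IEEE 802.1X-2001 MIB; check them against your AP's MIB. The counter values are constructed, not a real SNMP poll, and fetching the table is left to whatever SNMP library you use. What the code shows is the arithmetic between two polls and a robust control limit that separates one misbehaving port from a fleet-wide problem.

```python
"""Failure fractions from 802.1X authenticator diagnostic counters."""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthDiag:
    """One authenticator port's counters as returned by a poll."""
    port: int
    enters_authenticating: int  # dot1xAuthEntersAuthenticating
    success: int                # dot1xAuthAuthSuccessWhileAuthenticating
    timeouts: int               # dot1xAuthAuthTimeoutsWhileAuthenticating
    fails: int                  # dot1xAuthAuthFailWhileAuthenticating
    backend_successes: int      # dot1xAuthBackendAuthSuccesses
    backend_fails: int          # dot1xAuthBackendAuthFails


def delta(now: AuthDiag, before: AuthDiag) -> AuthDiag:
    """MIB counters only ever grow; chart the change per polling interval."""
    assert now.port == before.port
    return AuthDiag(
        now.port,
        now.enters_authenticating - before.enters_authenticating,
        now.success - before.success,
        now.timeouts - before.timeouts,
        now.fails - before.fails,
        now.backend_successes - before.backend_successes,
        now.backend_fails - before.backend_fails,
    )


def failure_fractions(d: AuthDiag) -> dict:
    """Per-stage fractions of one interval's authentication attempts.

    timeout: the EAP exchange died without a verdict (supplicant stopped
             answering after maxReq retries, or the RADIUS server never did)
    fail:    an EAP-Failure reached the port (credential, certificate, policy)
    success: an EAP-Success reached the port
    backend_reject: share of RADIUS verdicts that were rejects
    """
    attempts = d.enters_authenticating
    verdicts = d.backend_successes + d.backend_fails
    frac = lambda n, m: n / m if m else 0.0
    return {
        "port": d.port,
        "attempts": attempts,
        "timeout": frac(d.timeouts, attempts),
        "fail": frac(d.fails, attempts),
        "success": frac(d.success, attempts),
        "backend_reject": frac(d.backend_fails, verdicts),
    }


def outliers(rows: list, metric: str, k: float = 3.0, floor: float = 0.01) -> list:
    """Ports whose `metric` sits above median + k*MAD (a robust control limit).

    `floor` keeps a fleet of identical ports from flagging on noise when the
    MAD is zero. A single port tripping this is a local problem (NIC driver,
    PCMCIA controller, RF); if the whole fleet moves, look at the RADIUS
    server or the certificates instead.
    """
    values = [r[metric] for r in rows]
    if len(values) < 3:
        return []
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    limit = med + max(k * mad, floor)
    return [r["port"] for r in rows if r[metric] > limit]


# Constructed counter deltas for one polling interval on four AP ports.
SAMPLE = [
    AuthDiag(1, 200, 190, 4, 6, 190, 6),
    AuthDiag(2, 150, 142, 3, 5, 142, 5),
    AuthDiag(3, 180, 171, 4, 5, 171, 5),
    AuthDiag(4, 120, 60, 55, 4, 60, 4),   # half the attempts time out
]


def report(sample=SAMPLE) -> dict:
    rows = [failure_fractions(d) for d in sample]
    return {
        "rows": rows,
        "timeout_outliers": outliers(rows, "timeout"),
        "fail_outliers": outliers(rows, "fail"),
    }


if __name__ == "__main__":
    result = report()
    for row in result["rows"]:
        print(row)
    print("timeout outliers:", result["timeout_outliers"])
```

Run it on deltas, never on raw cumulative counters, and keep the per-port history: the useful chart is each fraction over time per port, with the fleet median as the centre line.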

Slide 64
Evaluating Access Points
- "MUST haves"
  - 802.11
    - Support for multiple SSIDs in Beacon, Probe Response
    - 802.11 MIB
  - 802.1X
    - 802.1X MIB
  - SNMPv3
  - RADIUS
    - Authentication and accounting
    - Acct-Terminate-Cause & Connect-Info
    - Full support for draft-congdon-radius-8021x-16.txt
- "SHOULD haves"
  - IEEE 802.11f IAPP
  - VPN support (IETF standards!)
  - Dynamic VLAN support

Slide 65
802.1X Applications
- Shared use APs
  - Multiple ISPs sharing the same access point
- Wholesale wireless access
  - Wireless outsourcing for enterprise customers
- Global roaming
  - Public Ethernet taps
  - Roaming access to 802.11 in airports, malls, hotels, etc.
- Seamless mobility
  - Dynamic VLANs
  - Compulsory wireless or wired tunneling
  - Management of LAN-LAN tunnels
  - VPN management outsourcing
- Automated provisioning
  - Instant bandwidth upgrades

Slide 66
Summary
- The IEEE 802.1X standard enables a new class of Ethernet-based Internet access
- IEEE 802.1X also enables a new generation of applications, including ubiquitous wireless roaming, automated provisioning and fibre to the home
- Support for IEEE 802.1X is built into the Windows XP client
- The Windows 2000 RADIUS server (IAS) already supports IEEE 802.1X applications

Slide 67
For More Information
- Unofficial 802.11 security web page: http://www.drizzle.com/~aboba/IEEE/
- AES: http://www.nist.gov/aes
- IEEE 802.1X: http://grouper.ieee.org/groups/802/1/pages/802.1x.html
- Kerberos/GSS-API
  - http://www.ietf.org/rfc/rfc1510.txt (Kerberos V)
  - http://www.ietf.org/rfc/rfc2743.txt (GSS-API)
  - http://www.ietf.org/internet-drafts/draft-ietf-cat-iakerb-05.txt (IAKERB)
- RADIUS
  - http://www.ietf.org/rfc/rfc2138.txt
  - http://www.ietf.org/rfc/rfc2139.txt
  - http://www.ietf.org/rfc/rfc2548.txt
  - http://www.ietf.org/rfc/rfc2865.txt
  - http://www.ietf.org/rfc/rfc2866.txt
  - http://www.ietf.org/rfc/rfc2867.txt
  - http://www.ietf.org/rfc/rfc2868.txt
  - http://www.ietf.org/rfc/rfc2869.txt
  - http://www.ietf.org/rfc/rfc3162.txt
- EAP
  - http://www.ietf.org/rfc/rfc2284.txt
  - http://www.ietf.org/rfc/rfc2716.txt
  - http://www.ietf.org/internet-drafts/draft-ietf-pppext-rfc2284bis-00.txt

Slide 68
Feedback?

Slide 69
802.1X Applications

Slide 70
The Role of RADIUS
- RADIUS is the key to enabling 802.1X applications
- RADIUS enables per-user compulsory tunneling assignment
  - More flexible than static or realm-based tunneling
  - What if one bigco.com user is to be given Internet access, but another is to be tunneled to the marketing tunnel server?
- RADIUS enables per-user VLAN assignment
  - More flexible than static per-port or MAC-based VLAN assignment
- RADIUS enables accounting and auditing
  - Both switch/AP and tunnel server can use RADIUS
  - Allows the enterprise to audit usage and do alarming
  - BIGCO can match accounting records from the tunnel server with accounting records from the ISP for auditing purposes
- RADIUS enables use of a single userID/password pair
  - Both bridge/access point and tunnel server can authenticate against the same database
  - RADIUS server backend, LDAP backend

Slide 71
Why Are Shared Use APs Important?
- Multiple providers are becoming the norm within airports
  - Airlines are installing 802.11 networks for use in baggage reconciliation and roving ticket counters
  - Multiple wireless ISPs often also want to serve airport customers
- Radio interference is an issue
  - In the US and Europe 802.11b networks can support only 3 non-overlapping channels
  - In France and Japan only one non-overlapping channel is available
  - Once the channels are utilized by existing APs, additional APs will interfere and reduce performance
- 802.11 deployment in public spaces is expensive
  - In this economic environment, raising capital is difficult
  - The cost of providing wireless access is inversely proportional to infrastructure utilization
  - More economical to build infrastructure and share it among multiple providers than to build overlapping infrastructure

Slide 72
What Features Are Needed for Shared Use APs?
- Support for multiple SSIDs in a single AP
  - Multiple SSIDs in Beacon, Probe Response not prohibited by 802.11-1997
  - Only a single SSID needed in Association and Reassociation Request
- IEEE 802.1X
  - Users identified by userid rather than MAC address
- Network Access Identifier (NAI) support
  - Described in RFC 2486
  - Format is user@domain, where domain identifies the home server
- SNMPv3 support
  - Contexts used to support multiple virtual MIB instances
- RADIUS authentication and accounting
  - SSID included in Called-Station-Id attribute
- RADIUS proxies
  - RADIUS-based roaming described in RFC 2607
  - RADIUS authentication and accounting packets routed between AP and home server by RADIUS proxies

Slide 73
Shared Use APs
[Figure: a shared-use 802.11 AP advertises SSIDA, SSIDB and SSIDC; a remote user (user@bigco.com) associates; RADIUS from the AP goes to a RADIUS proxy, then through ISP A's proxy across the Internet to BIGCO's customer RADIUS server, backed by Active Directory]
- AP advertises multiple SSIDs in Beacon, Probe Response
- Multiple ISPs share the same AP
- STA associates with a single AP, SSID
- User authentication request routed to home server
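The routing step in the figure above (NAI realm to home server, SSID to the ISP that owns it), as an added example that is not code from the talk. parse_nai() applies the RFC 2486 grammar: the realm is dot-separated labels of letters, digits and '-', and an unquoted '@' cannot appear in the username, so the last '@' is the separator. parse_called_station() reads the "AP-MAC:SSID" form of Called-Station-Id that draft-congdon-radius-8021x (later RFC 3580) specifies for 802.1X. The routing and agreement tables, host names and SSIDs are constructed for the example.

```python
"""Realm-based routing at a RADIUS roaming proxy behind a shared-use AP."""
import re
from dataclasses import dataclass

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_REALM_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

# Constructed tables (not from the talk). Per RFC 2607 a proxy forwards only
# to realms it has a relationship with, and only from SSIDs it is paid to serve.
HOME_SERVERS = {"bigco.com": "radius.bigco.com", "isp-a.net": "aaa.isp-a.net"}
SSID_OPERATOR = {"SSIDA": "isp-a", "SSIDB": "isp-b"}
AGREEMENTS = {"isp-a": {"bigco.com", "isp-a.net"}, "isp-b": {"isp-b.net"}}


def parse_nai(user_name):
    """Split an RFC 2486 NAI into (username, realm); realm is None if absent."""
    user, at, realm = user_name.rpartition("@")
    if not at:
        return user_name, None          # bare username: a local, non-roaming user
    if not user or not _REALM_RE.match(realm):
        raise ValueError(f"malformed NAI: {user_name!r}")
    return user, realm.lower()          # realms are DNS names, so case-insensitive


def parse_called_station(value):
    """Called-Station-Id 'AP-MAC:SSID' -> (MAC, SSID). SSIDs may contain ':'."""
    mac, sep, ssid = value.partition(":")
    return mac.upper(), (ssid if sep else None)


@dataclass(frozen=True)
class Route:
    username: str
    realm: str
    ssid: str
    operator: str
    home_server: str


def route(user_name, called_station_id):
    """Decide where an Access-Request from a shared-use AP goes.

    Raises LookupError with the reason when the proxy must answer
    Access-Reject itself instead of forwarding (unknown SSID, no roaming
    agreement between the SSID's operator and the user's realm, or no
    configured home server).
    """
    user, realm = parse_nai(user_name)
    mac, ssid = parse_called_station(called_station_id)
    if realm is None:
        raise LookupError("no realm in User-Name: not a roaming user")
    operator = SSID_OPERATOR.get(ssid)
    if operator is None:
        raise LookupError(f"AP {mac} reported unknown SSID {ssid!r}")
    if realm not in AGREEMENTS[operator]:
        raise LookupError(f"{operator} has no roaming agreement with {realm}")
    home = HOME_SERVERS.get(realm)
    if home is None:
        raise LookupError(f"no home server configured for {realm}")
    return Route(user, realm, ssid, operator, home)


if __name__ == "__main__":
    print(route("fred@bigco.com", "00-10-A4-23-19-C0:SSIDA"))
```

A malformed NAI raises ValueError and should also be rejected locally; forwarding it just hands the home server a string it cannot route either. Accounting packets take the same decision, which is what lets the SSID's operator and the home realm reconcile their records later.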

Slide 74
What Is Wireless Roaming?
- Definition
  - The ability to use many wireless Internet Service Providers while maintaining a business relationship with only one
- Requirements
  - 802.1X-enabled client with 802.11 wireless card
  - Roaming-capable authentication proxy and server
- Roaming standards developed in the IETF ROAMOPS WG
  - RFC 2194, Roaming Implementations Review
  - RFC 2477, Roaming Evaluation Criteria
  - RFC 2486, Network Access Identifier
  - RFC 2607, Proxy Chaining and Policy Implementation in Roaming

Slide 75
Wireless Global Roaming via IEEE 802.11 and 802.1X
[Figure: a corporate RADIUS server; 802.11 and 802.1X enabled airports, hotels and malls; global access to 802.11 wireless connectivity]
- Simple, automatic detection of 802.11 connectivity
- Global login with corporate or ISP userIDs

Slide 76
Wireless Roaming
- In Windows 2000
  - Built-in IEEE 802.11 support
  - Built-in "media sense" capabilities
  - Built-in EAP support
  - Internet Authentication Service: roaming-enabled RADIUS server
- Coming in XP
  - 802.1X support
  - A complete solution to the global wireless roaming problem

Slide 77
Bilateral Roaming Support
[Figure: roaming client fred@bigco.com attaches through ISP A or ISP B; each ISP's RADIUS proxy (IAS proxy) forwards across the Internet cloud to the Bigco RADIUS server, which is backed by an NT domain controller and fronts a PPTP server]

Slide 78
Roaming Consortia
[Figure: roaming client fred@BigCo.com attaches through ISP A or ISP B; each ISP's RADIUS proxy (IAS proxy) forwards to a consortium RADIUS proxy, which forwards to the BigCo RADIUS server (IAS proxy), backed by an NT domain controller and fronting a PPTP server]

Slide 79
Certificate-Based Roaming
[Figure: roaming client fred@bigco.com authenticates with EAP-TLS to ISP A's RADIUS server (IAS proxy); Bigco runs a certificate server that publishes a certificate revocation list; the Bigco RADIUS server, PPTP server and NT domain controller are not on the authentication path]
- ISP A RADIUS server can authenticate fred@bigco.com from the client certificate
- No need to proxy authentication
- ISP A needs to check Bigco's certificate revocation list

Slide 80
Wholesale Wireless Access
[Figure: public 802.11 wireless networks with access points AP A, AP B and AP C serving a remote user (user@bigco.com); RADIUS from the APs crosses the carrier networks to ISP A's RADIUS proxy, then the Internet to BIGCO's customer RADIUS server, backed by Active Directory]
- User sends authentication request to ISP
- ISP delegates authentication to the corporation
- Single point of administration

Slide 81
Benefits of Wholesale Accounts: The ISP
- Increased sales
  - Attach rate of consumer services
  - Partner relations with enterprise
- Reduction in costs
  - Simple administration, server management tools
  - Improved collection and billing
  - Reduced size of client store
  - Compensation for client support burden
- Simplified account management
  - Improved collections and cash flow
  - Corporate clientele, automated payment

Slide 82
Benefits of Wholesale Accounts: The Enterprise
- Ubiquitous 802.11 wireless support
  - Enables rapid deployment of IEEE 802.11 technology in hotels, airports, malls
  - Users can obtain wireless access using their existing corpnet accounts
- Simplicity
  - Automatic detection of wireless connectivity via "media sense"
  - Auto-detection of 802.11 SSID
  - Pre-configure userID/password pairs if desired
  - Easier to provide a "backup" provider
- RADIUS accounting data for auditing and chargeback
- Reduced carrying costs
  - Leverage ISP capacity and aggregation
  - Shared support burden and ISP expertise
- Improved flexibility
  - ISP capacity
  - Validation off RADIUS, LDAP, or ODBC back ends

Slide 83
Security Issues in Wholesale Wireless Access
- RADIUS does not provide for inter-domain security
  - No support for end-to-end message integrity or attribute hiding
  - Proxy can add, delete, modify attributes in transit between client and server
  - Proxy will have access to tunnel passwords and WEP keys in clear text (Tunnel-Password and the MS-MPPE key attributes are hidden only with the shared secret of each hop, so every proxy on the path decrypts and re-encrypts them)
- Recommendation
  - Use strong mutual authentication when untrusted proxies are present
  - Check logs to detect unusual proxy activity
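The "clear text at the proxy" point above, made concrete as an added example (not code from the talk). The encoder and decoder follow RFC 2868 section 3.5 for Tunnel-Password, which is the same salted MD5 construction RFC 2548 uses for MS-MPPE-Send-Key and MS-MPPE-Recv-Key, the attributes that carry WEP keys to an AP. Secrets, Request Authenticators and the password are constructed values. Because the home server can only encrypt under the secret it shares with the next hop, a proxy between AP and home server has to recover the plaintext to re-encrypt it for the AP hop, and proxy_rehop() shows exactly what it learns while doing so.

```python
"""RFC 2868 Tunnel-Password hiding is hop by hop, so a proxy sees the secret."""
import hashlib
import os


def _xor_chain(blocks, secret, request_authenticator, salt, ciphertext_in):
    """RFC 2868 3.5 chaining: b(1) = MD5(S + R + A), b(i) = MD5(S + c(i-1)),
    output block = input block XOR b(i). For encryption c(i-1) is the block
    just produced; for decryption it is the ciphertext block just consumed."""
    out = []
    prev = request_authenticator + salt
    for blk in blocks:
        b = hashlib.md5(secret + prev).digest()
        o = bytes(x ^ y for x, y in zip(blk, b))
        out.append(o)
        prev = blk if ciphertext_in else o
    return b"".join(out)


def tunnel_password_encrypt(password, secret, request_authenticator, salt=None):
    """Return Salt || C(1)..C(n), the String field of a Tunnel-Password AVP."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    if salt is None:
        salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt is 2 octets with the high bit set")
    if len(password) > 255:
        raise ValueError("password too long for the Data-Length octet")
    p = bytes([len(password)]) + password          # Data-Length || Password
    p += b"\x00" * (-len(p) % 16)                  # zero padding to 16n
    chunks = [p[i:i + 16] for i in range(0, len(p), 16)]
    return salt + _xor_chain(chunks, secret, request_authenticator, salt, False)


def tunnel_password_decrypt(field, secret, request_authenticator):
    """Inverse of tunnel_password_encrypt; raises if the result is not well formed."""
    salt, c = field[:2], field[2:]
    if len(salt) != 2 or not c or len(c) % 16:
        raise ValueError("malformed Tunnel-Password")
    chunks = [c[i:i + 16] for i in range(0, len(c), 16)]
    p = _xor_chain(chunks, secret, request_authenticator, salt, True)
    n = p[0]
    if n > len(p) - 1 or any(p[1 + n:]):           # bad length or non-zero padding
        raise ValueError("decryption failed (wrong shared secret or Request Authenticator?)")
    return p[1:1 + n]


def proxy_rehop(field, home_hop_secret, home_hop_authenticator,
                ap_hop_secret, ap_hop_authenticator):
    """What a proxy between AP and home server must do with a Tunnel-Password
    it receives in an Access-Accept: decrypt under the secret and Request
    Authenticator of the request it forwarded to the home server, re-encrypt
    under those of the request the AP sent it. The first return value is the
    cleartext the proxy now holds."""
    cleartext = tunnel_password_decrypt(field, home_hop_secret, home_hop_authenticator)
    return cleartext, tunnel_password_encrypt(cleartext, ap_hop_secret, ap_hop_authenticator)


if __name__ == "__main__":
    # Constructed values: two hops, AP -> proxy -> home server.
    s_ap, s_home = b"ap-proxy-secret", b"proxy-home-secret"
    ra_ap, ra_home = os.urandom(16), os.urandom(16)
    from_home = tunnel_password_encrypt(b"marketing-tunnel-pw", s_home, ra_home)
    seen, to_ap = proxy_rehop(from_home, s_home, ra_home, s_ap, ra_ap)
    print("proxy saw:", seen)
    print("AP recovers:", tunnel_password_decrypt(to_ap, s_ap, ra_ap))
```

The slide's recommendation follows from this: with EAP-TLS the supplicant and home server authenticate each other end to end, but the resulting session keys still ride through every proxy in MS-MPPE attributes, so an untrusted proxy learns the WEP keys. Keep the proxy chain short and contractual, and watch for proxies that start answering for realms they should only forward.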

Slide 84
Seamless Mobility
- Many applications can live with a changing IP address as we move
  - Example: HTTP
- But others cannot
  - TCP-based protocols with long sessions: Telnet, FTP
  - VPNs: IKE, SSH
- Mobile IPv6 will eventually provide the solution
  - MIPv4 difficult to deploy
- But what can we do right now?
  - Dynamic VLANs
  - Tunneling

Slide 85
RADIUS Tunnel Attributes
- Used in authorization only:
  - Tunnel-Private-Group-ID
  - Tunnel-Assignment-ID
  - Tunnel-Preference
  - Tunnel-Password (not for use with proxies!)
- Used in authorization and accounting:
  - Tunnel-Type (PPTP, L2TP, VLAN, etc.)
  - Tunnel-Medium-Type (X.25, ATM, Frame Relay, IEEE 802, IP, etc.)
  - Tunnel-Client-Endpoint
  - Tunnel-Server-Endpoint
- Used for accounting only:
  - Acct-Tunnel-Connection
- Documents
  - RFC 2867
  - RFC 2868
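How the attributes listed above are used for the per-user VLAN assignment that the dynamic VLAN and ISP provisioning slides rely on, as an added example (not code from the talk). The attribute numbers and values are RFC 2868's (Tunnel-Type 64 with VLAN = 13, Tunnel-Medium-Type 65 with 802 = 6, Tunnel-Private-Group-ID 81), and the tag handling follows RFC 2868 section 3 (tags 0x01 to 0x1F group attributes; for string attributes a first octet above 0x1F is data, not a tag). The AP-side rule of refusing a VLAN that does not already exist is the slide's own "no need to create new VLANs on the fly"; ordering alternative tag groups by lowest tag is a choice made here, since RFC 2868 leaves preference to Tunnel-Preference, which this example does not handle.

```python
"""RFC 2868 tagged tunnel attributes for dynamic VLAN assignment."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # RFC 2868 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 Tunnel-Medium-Type value for 802 media


def tagged_int(attr_type, tag, value):
    """Type, Length=6, Tag, 3-octet value (RFC 2868 integer attribute layout)."""
    if not 0 <= tag <= 0x1F or not 0 <= value < 1 << 24:
        raise ValueError("tag is 0x00..0x1F, value is 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, tag, value):
    """Type, Length, Tag, string (RFC 2868 string attribute layout)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag is 0x00..0x1F")
    body = bytes([tag]) + value
    if len(body) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def vlan_assignment(vlan_id, tag=1):
    """The three attributes a RADIUS server puts in an Access-Accept
    (server side) to put this user's port into VLAN `vlan_id`."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode()))


def parse_attributes(data):
    """Yield (type, value) for each AVP in a RADIUS attribute area."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        yield t, data[i + 2:i + length]
        i += length


def _split_tag(value):
    """First octet is the tag when it is 0x00..0x1F; otherwise untagged (tag 0)
    and the octet belongs to the value (RFC 2868 string attributes)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(attr_data, known_vlans):
    """AP/switch side: return the VLAN ID authorized by an Access-Accept,
    None if it carries no VLAN assignment (use the port's default VLAN).
    Raises LookupError for a VLAN this device does not already carry and
    ValueError for an unusable Tunnel-Private-Group-ID."""
    groups = {}
    for t, v in parse_attributes(attr_data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, body = _split_tag(v)
            if len(body) != 3:
                raise ValueError("tunnel integer attribute is 3 octets")
            groups.setdefault(tag, {})[t] = int.from_bytes(body, "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            tag, body = _split_tag(v)
            groups.setdefault(tag, {})[t] = body
    for tag in sorted(groups):                       # lowest tag first (a choice)
        g = groups[tag]
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            name = g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "strict")
            if not name.isdigit() or not 1 <= int(name) <= 4094:
                raise ValueError(f"not an 802.1Q VLAN ID: {name!r}")
            vid = int(name)
            if vid not in known_vlans:
                raise LookupError(f"VLAN {vid} is not configured on this device")
            return vid
    return None


if __name__ == "__main__":
    accept = vlan_assignment(2)
    print(accept.hex())
    print("port goes to VLAN", assigned_vlan(accept, known_vlans={1, 2}))
```

The LookupError path matters operationally: a server authorizing a VLAN the AP does not carry should leave the port unauthorized (or on a quarantine VLAN), not silently on the default VLAN, or the per-user isolation the ISP provisioning example depends on is lost.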

Slide 86
Understanding Dynamic VLANs
- Alternative to Mobile IP: allow mobile nodes to maintain the same address as they move
- Prior to VLANs, the only way to do this was via host routes
  - For a large enterprise or ISP, a large number of host routes is infeasible
  - Issue is rate of change, not number of host routes, per se
- With VLANs, changes in topology are handled at layer 2, not layer 3
  - To a "one-armed router" all mobile nodes within a VLAN appear on a single interface
  - No need for host routes

Slide 87
Caveats with Dynamic VLANs
- Applicable only at enterprise scale
  - Not an Internet-scale solution
- Goal is to tag packets of mobile nodes with a pre-existing VLAN ID
  - No need to create new VLANs on the fly!
- Requires VLAN-enabled switches or APs, VLAN-enabled core
  - "One-armed router" configuration
  - Single interface, multiple VLANs per interface
  - May require substantial change to network architecture
- Single spanning tree used for all VLANs
  - Single spanning tree is most stable, because spanning tree recalculation is not required due to VLAN topology changes
  - Use of multiple spanning trees (802.1s) discouraged

Slide 88
Example: ISP Provisioning
[Figure: Customer A Branch Office 1 and Branch Office 2 (both assigned VLAN ID 1) and Customer B (assigned VLAN ID 2) connect over Ethernet WAN connections to the ISP's EtherNAS; a filter at the ISP separates VLAN 1 and VLAN 2; RADIUS and provisioning servers sit at the corporate office]
- 802.1Q VLAN ID can be authorized via RADIUS tunnel attributes
- Enables customer virtual LANs to span branch offices
- Enables isolation of customer traffic by assigning separate VLAN IDs to them
- Filters installed at ISP backend separating VLANs 1 & 2

Slide 89
Example: Seamless 802.11 Mobility
[Figure: an 802.1X supplicant moves between VLAN-aware switches or APs; the RADIUS authentication server assigns it to VLAN 1 at each attachment point; VLAN 1 and VLAN 2 are carried across a VLAN-enabled core to a "one-armed router"]

Slide 90
Tunneling
[Figure: Customer Branch Office 1 and Branch Office 2 connect over Ethernet WAN connections to the ISP's EtherNAS; traffic from each is tunneled to the ISP VPN server; RADIUS and provisioning servers sit at the corporate office]
- Compulsory tunnels can be authorized via RADIUS
- Enables isolation of customer traffic
- Can tunnel Ethernet via L2TP & BCP
- Can tunnel IP via IP-IP

Slide 91
VPNs and 802.11
- Next generation APs will have powerful crypto acceleration capabilities built in
  - If a general AES engine is used, can support IPsec with AES transform as easily as 802.11 with AES
  - Can be used to develop combined 802.11/VPN devices
- VPNs also useful as a layer of protection above IEEE 802
  - Want end-to-end security, not just link layer

Slide 92
VPNs for Access Control?
- Some 802.11 deployments implemented as DMZ(s)
  - Clients have to connect to a VPN gateway to get access to the intranet
- Issues
  - Gateway discovery
    - Multiple DMZs required for a global enterprise
    - Clients need to discover VPN gateways before gaining access
    - Implies need for services within the DMZ: DHCP, DNS
    - Without DNSSEC, easy to bring up rogue VPN servers
  - Security
    - DES still "mandatory to implement" within IPsec
    - IKE Main Mode requires a group pre-shared key when used with dynamically addressed clients; susceptible to man-in-the-middle attack
    - Rogue VPN servers can be set up in the DMZ, negotiate "CHAP" authentication, and crack many user passwords
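The last bullet, worked through as an added example (not code from the talk). chap_response() is RFC 1994 MD5-CHAP as written; rogue_server_crack() is what whoever stood up the rogue server in the DMZ does with the challenge it chose and the response the client handed back. The word list, identifier and secrets are constructed. MS-CHAP v1 and v2 use a different hash but share the property that matters here: any server the client is willing to answer can test password guesses offline.

```python
"""Why a rogue VPN server in the DMZ can crack passwords: CHAP is guessable offline."""
import hashlib
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge).

    This is what a PPP (PPTP, L2TP) client sends to whatever server
    challenged it. Nothing in the exchange lets the client check who that
    server is before it answers."""
    if not 0 <= identifier <= 255:
        raise ValueError("Identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def rogue_server_crack(identifier, challenge, response, wordlist):
    """Offline dictionary attack by the party that issued the challenge.

    The rogue server already holds the challenge and the response, so it can
    test guesses at its own pace; no account lockout or rate limit on the
    real gateway is involved, and the user only saw a failed VPN login."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


# Constructed word list for the example.
WORDLIST = [b"password", b"letmein", b"Summer2001", b"wireless", b"bigco1"]


def demo(challenge=None):
    """A client with a weak password answers a rogue server's challenge;
    returns the password the rogue server recovers, or None."""
    challenge = challenge or os.urandom(16)
    identifier = 7
    captured = chap_response(identifier, b"Summer2001", challenge)
    return rogue_server_crack(identifier, challenge, captured, WORDLIST)


if __name__ == "__main__":
    print("rogue server recovered:", demo())
```

The defence is not a stronger hash but a client that refuses to authenticate to a peer it has not verified first, which is what EAP-TLS server certificate validation in 802.1X or certificate-based IKE gives you and a group pre-shared key does not.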

Slide 93
VPNs for Access Control (cont'd)
- Mobility
  - Need MIP support for IPsec SAs to withstand care-of address (CoA) changes
  - VPN clients susceptible to dropped connections
- Interoperability
  - Addressing IKE Main Mode pre-shared key issues requires proprietary extensions (e.g. CRACK, Hybrid)
  - Few vendors support IETF VPN standards (IPsec/DHCP, PIC, L2TP/IPsec)
- Conclusions
  - VPN-based wireless access not ready for prime time
  - Want at least authentication (and possibly not more) in 802.11

Slide 94
Automated Provisioning
- The old way
  - ISP or customer installs 56 Kbps CSU/DSU, router as customer CPE
  - ISP orders 56 Kbps link for customer from LEC
  - Customer waits and waits and waits...
  - Customer outgrows 56 Kbps link
  - ISP or customer installs T-1 CSU/DSU, router as customer CPE... and the cycle starts again.
- The new way
  - ISP provides fibre or Cat-5 Ethernet connectivity to customer
  - ISP or customer installs Ethernet switch or AP as customer CPE
  - Customer provisions themselves via a web page
  - "Pay per packet" bandwidth authorized on demand

Slide 95
802.1X-based Provisioning
[Diagram: Customer LAN, Ethernet WAN connection, Ethernet ISP with 802.1p or DiffServ rate limiting, Provisioning Web server and RADIUS Server. Customer sets provisioning via web browser; instant upgrade from 1.0 Mbps to 10 Mbps!]
Ethernet connectivity provided to customer
Web server allows customers to self-provision
Rate limiting enforced at ISP backend
  Contract can include specifications for limits on different classes of traffic
  Limits can be expressed in terms of 802.1p or DiffServ markings

Slide 96
Step by Step
Customer provisions themselves on ISP Web server
  Customer indicates how much bandwidth is desired
  Average usage, peak utilization, burst levels, etc.
  Can specify utilization within various classes of traffic if desired
Provisioning server translates web form into RADIUS attributes
  Rate limiting filters
  Virtual LAN or Virtual Private Network provisioning
  Per-connection IP filters or static routes
New settings take effect after 802.1X re-authentication/re-authorization
  Re-authentication/re-authorization initiated after provisioning changes
  Instant provisioning!

Slide 97
Per-User Static Routes
[Diagram: Home Network or Branch Office subnet(s) behind an 802.1X enabled Bridge, Ethernet WAN connection to an 802.1X enabled Bridge at the Ethernet ISP, RADIUS (per-user static routes)]
Data extension to user object
Home addresses routable to ISP net
Static addresses valid during connection

Slide 98
Per-Connection IP Filters
[Diagram: Customer LAN, Ethernet WAN connection, Ethernet ISP, RADIUS (per-call IP filters)]
Filters associated with authenticated LAN policy
Policy selected at connection time

Slide 99
Windows RADIUS Support

Slide 100
Evolution of AAA Thinking
Early AAA efforts (non-standard)
  TACACS
  SNMP-based, syslog-based accounting
Standardization phase
  RADIUS authentication
  RADIUS accounting (informational, not advanced)
  RADIUS proxy extensions
  Shared use networks
  Roaming
Directory integration
  Unified user information store
Security infrastructure
  Widespread deployment of AAA technologies in authenticated LANs, firewalls, VPNs, IP Telephony, etc.
  Increased interest in auditing and intrusion detection
  Enhanced AAA security (RADIUS over IPSEC)
Futures
  Certificate based authentication and roaming
  Standard accounting session format
  Standards-track accounting protocol

Slide 101
Authenticated LANs and IAS
Internet Authentication Service (IAS) is a RADIUS server
  Originally shipped with NT 4.0 Option Pack
  Integrated with Windows 2000 Active Directory
  Integrated with User Object UI
Support for IEEE 802.1X built-in
  EAP over Wireless (EAPOW)
  EAP over LAN (EAPOL)
Support for sophisticated policies based on group, access medium, time of day, etc.

Slide 102
IAS Standards Support
Standards supported
  RFC 2619, 2621: RADIUS server MIBs
  RFC 2865: RADIUS authentication
  RFC 2865: RADIUS accounting
  RFC 2867-8: RADIUS tunneling
  RFC 2869: RADIUS extensions
Interoperability
  Bakeoffs completed
  Tested with other NAS RADIUS clients
APIs
  Advanced Authentication through EAP
  Extensible via “drop-in” third party EAP DLLs
  Enables third party support for Token Cards, Smart Cards, Certificates

Slide 103
Network Port Authentication
[Diagram: Client Components, Access Point or Bridge (Network Port Authentication: EAPOW, EAPOL), RADIUS Proxy, RADIUS Server with MBS, ODBC and NTS backends; RADIUS between Access Point or Bridge, RADIUS Proxy and RADIUS Server]

Slide 104
Extensible Authentication Protocol (EAP)
[Diagram: Network Port Authentication between the client and the Access Point or Bridge. Negotiate, then Challenge and Response messages relayed end-to-end through the Access Point or Bridge and the RADIUS Proxy to the RADIUS Server]

Slide 105
RADIUS Authorization
[Diagram: Client Components, Access Point or Bridge (IEEE 802.1X), RADIUS Proxy, RADIUS Server with MBS, ODBC and NTS backends. The Access Point or Bridge asks “Access?” over RADIUS; the authorization answer carries FilterID + VLANID + 802.1p …]

Slide 106
RADIUS Accounting
[Diagram: Client Components, Access Point or Bridge (IEEE 802.1X), RADIUS Proxy, RADIUS Server with MBS, ODBC and NTS backends. Accounting record User-Name = JohnDoe, Acct-Session-Time = 1273 carried over RADIUS from the Access Point or Bridge via the RADIUS Proxy to the RADIUS Server]

Slide 107
Accounting, Auditing, and Alarming
Issues
  Accounting for port usage by user
  Billback of port usage to departments
  Auditing of ISP bills
  Alarming on unusual conditions
Windows 2000 accounting support
  NT accounting (Eventlog)
  RADIUS accounting
  Accounting protocol choice independent of authentication choice
  Can use RADIUS accounting with NT authentication
Accounting, auditing, and alarming tools
  TRU RADIUS Accountant from Telco Research, included in Windows 2000 Resource Kit

Slide 108
Active Directory Integration
Per-user information in User Object in DS
Policies and Profiles
  Local policy stored on RAS/IAS server
Stand-alone Server
  Per-user information in Local User Object
  Policies and Profiles stored in local server DB
RAS & IAS share RADIUS Schema in Active Directory.
RAS & IAS support new features of Active Directory
  Universal Groups
  Nested Groups
  Universal Names, and other user naming conventions

Slide 109
RFCs Supported
RFC 1334, 1994 (PAP, CHAP)
RFC 1717, 2125 (MP, BACP)
RFC 1777, 1960, 2251 (LDAP)
RFC 2865 (RADIUS authentication)
RFC 2286 (RADIUS accounting)
RFC 2284 (EAP)
RFC 1035 (DNS)
RFC 2205, 2208 (RSVP)
RFC 2619, 2621 (RADIUS server MIBs)
RFC 2194, 2477, 2486, 2607 (Roaming)
RFC 2401-2409 (IPSEC)
RFC 2637 (PPTP)
RFC 2661 (L2TP)
RFC 2716 (EAP-TLS)
RFC 2809 (L2TP tunneling with RADIUS)
RFC 2867, 2868 (RADIUS tunneling extensions)
RFC 2869 (RADIUS extensions)
draft-congdon-radius-8021x-16.txt

Slide 110
LAN Access Policies
Rules-based administration for LANs
Examples:
  access by group membership
  unique rules for LAN access versus dial-in access
  rules for wireless vs. wired LAN access
  time of day access restrictions
  802.1p/Q policy implementation
Complementary to ZAW/GPE
  ZAW deals with user attributes or client settings
  LAN Policies and Profiles are for server treatment of clients

Slide 111
LAN Access Policies (cont’d)
Policy = {match rule, access control, profile}
  match rule: matches on set of connection properties (e.g. user group, media, time of day..)
  access control: allow or deny access
  profile: set of attributes assigned to the connection
    access constraints (macAddress, session length, time of day..)
    network controls (address policy, IP filters)
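The policy triple above, together with the web-form-to-RADIUS translation of slides 96 to 98 and the FilterID + VLANID authorization of slide 105, worked as an added example that is not code from the deck or from IAS. Policy names, groups, filter names and the route are constructed; attribute encodings follow RFC 2865 and RFC 2868, with the VLAN value of Tunnel-Type as used for 802.1X VLAN assignment (RFC 3580).

```python
"""Match a LAN access policy and encode its profile as RADIUS attributes."""
from __future__ import annotations
import struct
from dataclasses import dataclass, field

# Attribute types from RFC 2865 and RFC 2868; Tunnel-Type=VLAN (13) is the
# value RFC 3580 uses for 802.1X VLAN assignment.
FILTER_ID = 11
FRAMED_ROUTE = 22
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type, Length (header included), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_integer(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag octet then a 3-octet value."""
    return attribute(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    return attribute(attr_type, bytes([tag]) + value.encode("ascii"))


@dataclass
class Profile:
    """Attributes assigned to the connection once a policy matches."""
    filter_id: str | None = None      # per-connection IP filter set
    vlan_id: int | None = None        # VLAN the authenticated port joins
    static_routes: list[str] = field(default_factory=list)  # "dest gw metric"


@dataclass
class Policy:
    """Policy = {match rule, access control, profile}."""
    name: str
    group: str
    media: str                  # "wireless" or "wired"
    hours: tuple[int, int]      # allowed local hours [start, end)
    allow: bool
    profile: Profile = field(default_factory=Profile)

    def matches(self, groups: set[str], media: str, hour: int) -> bool:
        return (self.group in groups and self.media == media
                and self.hours[0] <= hour < self.hours[1])


def select_policy(policies, groups, media, hour):
    """First matching policy wins; None means no policy applies (deny)."""
    for policy in policies:
        if policy.matches(groups, media, hour):
            return policy
    return None


def encode_profile(profile: Profile, tag: int = 1) -> bytes:
    """Attributes for the Access-Accept that carries this profile."""
    out = b""
    if profile.filter_id:
        out += attribute(FILTER_ID, profile.filter_id.encode("ascii"))
    if profile.vlan_id is not None:
        out += tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        out += tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
        out += tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(profile.vlan_id))
    for route in profile.static_routes:
        out += attribute(FRAMED_ROUTE, route.encode("ascii"))
    return out


def decode_attributes(buf: bytes) -> list[tuple[int, bytes]]:
    """Walk the TLVs back out, refusing malformed lengths."""
    attrs, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = buf[pos], buf[pos + 1]
        if length < 3 or pos + length > len(buf):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, buf[pos + 2:pos + length]))
        pos += length
    return attrs


# Constructed policy set: staff get a filtered VLAN on wireless during the
# day, branch routers get a static route on wired, contractors are denied.
POLICIES = [
    Policy("staff-wireless", "Staff", "wireless", (7, 20), True,
           Profile(filter_id="staff-wlan", vlan_id=100)),
    Policy("branch-office", "BranchRouters", "wired", (0, 24), True,
           Profile(static_routes=["192.0.2.0/24 198.51.100.1 1"])),
    Policy("contractor-wireless", "Contractors", "wireless", (0, 24), False),
]
```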

Slide 112
Extended per-user Info
MAC address verification
LAN access control
Static IP address assignment
Static routes assignment

Slide 113
User Manager Snapin

Slide 114
LAN Access Policies

Slide 115
Work in Progress
Warning: The work described in the rest of this deck represents work in progress. It may or may not be reflected in final standards documents.

Slide 116
Improving WEP

Slide 117
Classes of Attacks Against WEP v1.0
IV (key) reuse [Walker, Berkeley team, Arbaugh]
  Made possible by small IV space in WEP v1.0, lack of IV replay protection
  Enables statistical attack against ciphertexts w/replayed IVs
Known plaintext attack [Walker, Berkeley team, Arbaugh]
  Lots of known plaintext in IP traffic: ICMP, ARP, TCP ACK, etc.
  Can send pings from Internet through AP to snooping attacker
  Enables recovery of key stream of length N for a given IV
  Can forge packets of size N by reusing IV in absence of a keyed MIC
Partial known plaintext [Berkeley team, Arbaugh]
  May only know a portion of the plaintext (e.g. IP header)
  Possible to recover M octets of the keystream, M < N
  Via repeated probing, can extend keystream from M to N [Arbaugh]
  Possible to flip bits in realtime, adjust CRC32, divert traffic to attacker
  Enabled by linearity of CRC32, absence of keyed MIC

Slide 118
Classes of Attacks (cont’d)
Authentication forging [Berkeley team]
  WEP v1.0 encrypts challenge using IV chosen by client
  Recovery of key stream for a given IV enables re-use of that IV for forging WEP v1.0 authentication
  Does not provide key, so can’t join LAN
Denial of service
  Disassociate, reassociate messages not authenticated
Dictionary attack
  Possible where WEP keys derived from passwords
Realtime decryption [Berkeley team, Arbaugh]
  Repeated IV reuse, probing enables building of a dictionary of IVs, key streams
  Enables decryption of traffic in realtime
  Possible to store dictionary due to small IV space
    Need 1500 octets of key stream for each IV
    2^24 * 1500 octets = 24 GB

Slide 119
Kerberos V Dictionary Attack Vulnerabilities
References
  Bellovin & Merritt, “Limitations of the Kerberos authentication system”, USENIX 1991
  Wu, T., “A Real-World Analysis of Kerberos Password Security”, 1998, http://theory.stanford.edu/~tjw/krbpass.html
Scenario
  Attacker snoops AS_REQ/AS_REP exchange, recovers passwords offline
  In popular 802.11 networks (“hot spots”), may be possible to collect many such exchanges in a single attempt
Vulnerabilities
  PADATA or TGT encrypted with client Key derived from password via STRING-TO-KEY(P)
Results [Wu, 1998]
  Password checkers not successful in significantly increasing password entropy
  Structure of TGT (service name = krbtgt) enables verification of key guess by decrypting only 14 octets; similar issues with PADATA
  Use of DES to encrypt TGT enables use of parallel DES cracking techniques
  Of 25,000 sample TGTs, 2045 could be decrypted in two weeks using a cluster of 3 UltraSPARC-2 (200 MHz) and 5 UltraSPARC-1 (167 MHz) machines
  Today, 15 off-the-shelf PCs could accomplish the same thing in 1 day at a cost of < $15K

Slide 120
Rapid Rekey Explained
MAC-Layer Authenticated Key Refresh
  3-way handshake between AP and STA
  Authenticates the refresh operation
  Ensures master keys are synchronized
  Key material is exchanged
  Increases master key entropy (lifetime)
  Uses HMAC-MD5 to authorize the exchange

Slide 121
Rekey every 10K frames (as recommended by Shamir)
Probability of key word recovery for WEP

IV Length   Probability     Expected IVs required
3 bytes     4.57 x 10^-5    1310K
8 bytes     2.8 x 10^-4     214K
12 bytes    5.04 x 10^-4    119K
16 bytes    7.18 x 10^-4    83.6K

Slide 122
Rekey impact

Bit Rate (Mbits/sec)   Time between key refreshes*
                       50k pkts (sec)   10k pkts (sec)
6                      30               6
11                     16.3             3.3
54                     3.3              .67

*Based on 450 byte packet size

Slide 123
MAC-Layer Authenticated Key Refresh
Rekey Time Requirements

Bit Rate (Mbits/sec)   Air + CPU   Air (1)     CPU (2)
6                      2762 usec   2562 usec   200 usec
11                     1598 usec   1398 usec   200 usec
54                     484 usec    284 usec    200 usec

(1) Time required to transfer exchange packets over the air
(2) Time required to perform Authenticated Key Refresh on a 333 MHz Pentium Pro, using HMAC-MD5 for authentication and AES-CBC-MAC for key derivation

Slide 124
Recommended Practice Improves WEP Security
IV Sequence check protects from both intentional and unintentional IV reuse
  Protection from IV reuse makes it harder to mount attacks [Arbaugh], [Berkeley team] and [Shamir]
Longer Key requires adversary to acquire more packets for key recovery (derived key, not master key)
Authenticated Key Refresh provides a secure and synchronized mechanism for rekeying
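The IV sequence check and the rekey-every-10K-frames rule from the preceding slides, as an added example that is not part of the deck: a receiver-side checker that drops replayed or already-consumed IVs under the current key and signals when the frame budget is spent, plus the arithmetic behind the rekey impact table. The frame stream and the thresholds are constructed.

```python
"""Receiver-side IV sequence check with a frame-count rekey trigger."""
from dataclasses import dataclass

IV_BITS = 24              # WEP v1.0 IV size, the reason the IV space is small
IV_SPACE = 1 << IV_BITS


def rekey_interval_seconds(frames: int, bitrate_mbps: float,
                           packet_bytes: int = 450) -> float:
    """Seconds between key refreshes when `frames` packets of `packet_bytes`
    are sent back-to-back at `bitrate_mbps`; the arithmetic behind the
    rekey impact table (50k packets at 6 Mbit/s gives 30 s)."""
    return frames * packet_bytes * 8 / (bitrate_mbps * 1_000_000)


@dataclass
class IvSequenceChecker:
    """Per-transmitter IV state under the current key.

    Within one key's lifetime the IV must strictly increase, so a replayed
    frame (same IV) and a frame whose IV was already consumed are both
    dropped: each would reuse a keystream the receiver has already seen.
    A sender that wraps its 24-bit counter is caught the same way, which is
    the unintentional-reuse case.  After `rekey_after` accepted frames the
    caller is told a refresh is due; `rekeyed()` restarts the sequence.
    """
    rekey_after: int = 10_000
    last_iv: int = -1
    frames_under_key: int = 0
    key_generation: int = 0
    rejected: int = 0

    def accept(self, iv: int) -> tuple[bool, str]:
        """Return (deliver?, reason) for a frame carrying `iv`."""
        if not 0 <= iv < IV_SPACE:
            self.rejected += 1
            return False, "iv-out-of-range"
        if iv <= self.last_iv:
            self.rejected += 1
            return False, "iv-reuse"
        self.last_iv = iv
        self.frames_under_key += 1
        if self.frames_under_key >= self.rekey_after:
            return True, "rekey-due"
        return True, "ok"

    def rekeyed(self) -> None:
        """Called once the authenticated key refresh has completed."""
        self.last_iv = -1
        self.frames_under_key = 0
        self.key_generation += 1


def replay_check_demo() -> dict:
    """Constructed frame stream: in-order frames, one replayed frame (IV 2
    twice), one stale IV (1 after 3), then the rekey budget is reached."""
    checker = IvSequenceChecker(rekey_after=5)
    stream = [0, 1, 2, 2, 3, 1, 4]
    verdicts = [checker.accept(iv)[1] for iv in stream]
    checker.rekeyed()
    # Under the new key IV 0 is fresh again: sequencing is per key.
    after_rekey = checker.accept(0)[1]
    return {
        "verdicts": verdicts,
        "rejected": checker.rejected,
        "key_generation": checker.key_generation,
        "after_rekey": after_rekey,
    }
```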

Slide 125
Improvements to WEP Security (cont’d)
Frequent rekeying makes it harder to recover (derived) encryption key. Even if key is cracked, it’s only the temporal encryption key vs. master
MAC-Layer Rekeying allows for faster refresh
Implementation is backward compatible. All improvements are additions on top of current WEP implementations.

Slide 126
On the Flip side…
Recommended Practice does not address
  Bit-flipping attacks: a keyed MIC is required
  Active attacks; but IV sequencing protects from
  Shared keys: provide more data for passive attacks; rekeying could be adapted for shared keys

Slide 127
Alternatives Considered
Removing first 256 bytes of RC4 key stream
  Not backward compatible
  Still requires IV Sequencing and Keyed MIC
  Must be treated as separate encryption to old RC4
Prepending N pseudorandom bytes to plaintext data
  Not backward compatible
  Unclear what a sufficient N should be
  Increases per packet overhead
  Still requires IV Sequencing and Keyed MIC
  Must be treated as separate encryption to old RC4

Slide 128
Alternatives Discussed (cont’d)
Using Beacon as a means to synchronize new key
  Only addresses shared key
  Rekeying is not authenticated (i.e. insecure)
  Constrained to rekey only on Beacon intervals
Using a Longer IV
  Worsens security: it reduces the number of frames required to recover key!

Slide 129
Security Analysis

Columns: Attack | WEPv1.0 | WEPv1.0 and AES | 802.1X w/EAP TLS
Unintentional IV reuse: X
Intentional IV reuse: X
Realtime decryption: X X
Known plaintext: X
Partial known plaintext: X
Authentication forging: X X
Denial of Service: w/fix w/fix
Dictionary attack: X X

Slide 130
Secure Remote Password Authentication for 802.11

Slide 131
What is Secure Remote Password?
An abstract protocol specification
  Creator: Thomas Wu, Stanford University
  RFC 2945 (Proposed Standard)
An EAP method
  draft-ietf-pppext-eap-srp-03.txt
  Standardized within PPPEXT
  Authors: James Carlson (Sun Microsystems), Henry Haverinen, Bernard Aboba
A GSS-API method
  draft-ietf-cat-srpgm-02.txt (expired)
A key derivation mechanism for TLS
  draft-ietf-tls-srp-01.txt
  Standardized within TLS WG
  Author: D. Taylor (Forge Research)
A set of SASL mechanisms
  draft-burdis-cat-srp-sasl-04.txt
  Individual submission
  Authors: K.R. Burdis (Rhodes University), R. Naffah (Forge Research)
A submission to IEEE P1363
  See http://grouper.ieee.org/groups/1363/

Slide 132
Pros and Cons of SRP
Pros
  Support for mutual authentication and key derivation
  No changes required to IEEE 802.1X, EAP (RFC 2284)
  Uses password-only credentials (no client or server certificates)
  Thought to be invulnerable to dictionary attack on the on-the-wire protocol
  Does not require password to be stored either in cleartext or reversibly encrypted
  Intellectual property statement filed by Stanford University
    http://www.ietf.org/ietf/IPR/WU-SRP
    ftp://ftp.merit.edu/mail.archives/ietf-ppp-archive/ietf-ppplog.2001.06
Cons
  Computationally intensive
    2 MODEXP calculations on each side (assuming verifier is cached)
    Only 1 exponentiation required for EKE
  Limited flexibility
    No support for ECC groups, only DH groups
  Requires storage of new per-user credentials
    Username, Salt, Password verifier, prime modulus/generator group
  Vulnerable to offline dictionary attack against credential store

Wireless LANs: The 802.1X Revolution Slide 133


How can SRP be used by 802.11?

As an EAP method: EAP SRP (draft-ietf-pppext-eap-srp-03.txt). Simplest way to obtain SRP functionality.

As a Kerberos extension or GSS-API mechanism: EAP GSS (draft-aboba-pppext-eapgss-04.txt)
Wu proposal for SRP integration within Kerberos: http://theory.stanford.edu/~tjw/krbpass.html
SRP GSS-API mechanism: Draft-ietf-cat-srpgm-02.txt
SRP negotiated via SPNEGO within EAP-GSS

As a TLS mechanism: SRP negotiated within TLS (draft-ietf-tls-srp-01.txt). Compatible with future upgrade to EAP-TLS with certificates (RFC 2716). Requires major change to TLS implementations.

Differences
Overhead: more overhead for layered negotiations
Protected authentication negotiation: supported within GSS-API (SPNEGO) and TLS; not supported within pure EAP approach (handled via policy)

Wireless LANs: The 802.1X Revolution Slide 134


How Does it Work? (From RFC 2945)

The server stores user credentials as 5-tuples of the form:
{<username>, <password verifier>, <salt>, g, N}
<salt> = random()
x = SHA(<salt> | SHA(<username> | ":" | <raw password>))
<password verifier> = v = g^x % N
N = prime modulus; g = generator

Prime modulus/generator/salt are constant each time a given user authenticates. If they could vary, the server would need to pre-calculate multiple verifiers, one for each salt/prime modulus/generator combination.

Client and server calculate and exchange public keys. Server public key derived from the password verifier. DH exchange used to derive a key.

Client and server exchange hashes based on the DH key, verifier, group, salt, username, etc. Authenticates the DH exchange.

Wireless LANs: The 802.1X Revolution Slide 135


Protocol Exchange

    Client                                        Server
    --------                                      ------
    U = <username>                 ->
                                   <-             s = <salt>
    a = random()
    A = g^a % N                    ->
                                                  v = <stored verifier>
                                                  b = random()
                                   <-             B = (v + g^b) % N
    p = <raw password>
    x = SHA(s | SHA(U | ":" | p))
    S = (B - g^x) ^ (a + u * x) % N               S = (A * v^u) ^ b % N
    K = SHA_Interleave(S)                         K = SHA_Interleave(S)
    M = H(H(N) XOR H(g) | H(U) | s | A | B | K) ->                        (CLIENT AUTH)
                                   <-             H(A | M | K)             (SERVER AUTH)
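The two slides above (credential storage and the protocol exchange) carried through as a runnable RFC 2945 walkthrough. This is an added example, not code from the presentation; it assumes SHA-1 for SHA/H, u taken as the first 32 bits of SHA(B) as RFC 2945 specifies, and a constructed toy group (N = 2027, g = 2) that is far too small for real use.

```python
import hashlib
import hmac
import os


def sha(data: bytes) -> bytes:
    """H / SHA in RFC 2945 is SHA-1."""
    return hashlib.sha1(data).digest()


def to_bytes(n: int) -> bytes:
    """Big-endian encoding of a non-negative integer (at least one byte)."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def sha_interleave(S: int) -> bytes:
    """SHA_Interleave from RFC 2945: 40-byte session key K from the shared S.
    Strip leading zero bytes, drop one byte if the length is odd, hash the
    even-indexed and odd-indexed bytes separately, then interleave the digests."""
    t = to_bytes(S).lstrip(b"\x00")
    if len(t) % 2:
        t = t[1:]
    even_hash, odd_hash = sha(t[0::2]), sha(t[1::2])
    return b"".join(bytes([even_hash[i], odd_hash[i]]) for i in range(20))


def private_x(s: bytes, U: str, p: str) -> int:
    """x = SHA(s | SHA(U | ":" | p)) as an integer."""
    return int.from_bytes(sha(s + sha(f"{U}:{p}".encode())), "big")


def enroll(U: str, p: str, N: int, g: int) -> dict:
    """Server-side enrolment: store the 5-tuple {U, v, s, g, N}, never p itself."""
    s = os.urandom(16)
    v = pow(g, private_x(s, U, p), N)
    return {"U": U, "v": v, "s": s, "g": g, "N": N}


def client_proof(N, g, U, s, A, B, K):
    """M = H(H(N) XOR H(g) | H(U) | s | A | B | K)."""
    hn, hg = sha(to_bytes(N)), sha(to_bytes(g))
    xor = bytes(x ^ y for x, y in zip(hn, hg))
    return sha(xor + sha(U.encode()) + s + to_bytes(A) + to_bytes(B) + K)


def run_exchange(record: dict, U: str, p: str) -> dict:
    """Run one RFC 2945 exchange and report the outcome of both proofs."""
    N, g, s, v = record["N"], record["g"], record["s"], record["v"]
    a = int.from_bytes(os.urandom(32), "big")      # client: a = random()
    A = pow(g, a, N)                               # client: A = g^a % N
    while True:                                    # server: B = (v + g^b) % N
        b = int.from_bytes(os.urandom(32), "big")
        B = (v + pow(g, b, N)) % N
        if B:                                      # never send a zero public value
            break
    u = int.from_bytes(sha(to_bytes(B))[:4], "big")   # first 32 bits of SHA(B)
    # Client derives S from the password; server derives S from the verifier only.
    x = private_x(s, U, p)
    S_client = pow(B - pow(g, x, N), a + u * x, N)
    S_server = pow(A * pow(v, u, N), b, N)
    K_client, K_server = sha_interleave(S_client), sha_interleave(S_server)
    # CLIENT AUTH: server recomputes M with its own K and compares.
    M_client = client_proof(N, g, U, s, A, B, K_client)
    M_server = client_proof(N, g, U, s, A, B, K_server)
    if not hmac.compare_digest(M_client, M_server):
        return {"client_auth": False, "server_auth": False, "K": None}
    # SERVER AUTH: H(A | M | K), checked by the client against its own K.
    proof = sha(to_bytes(A) + M_server + K_server)
    server_ok = hmac.compare_digest(proof, sha(to_bytes(A) + M_client + K_client))
    return {"client_auth": True, "server_auth": server_ok, "K": K_client}


# Constructed toy group: N = 2027 is a safe prime (2*1013 + 1) and g = 2 generates
# the whole group.  Demonstration only; real deployments need >= 1024-bit groups.
TOY_N, TOY_G = 2027, 2
```

Note that a wrong password only shows up as a mismatch of M on the server side: nothing the client sent is itself usable for an offline guess against the wire exchange, which is the property the Pros slide refers to.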

Wireless LANs: The 802.1X Revolution Slide 136


“Short Form” Exchange

    Client                                        Server
    --------                                      ------
    U, A                           ->
                                   <-             s, B
    H(H(N) XOR H(g) | H(U) | s | A | B | K) ->
                                   <-             H(A | M | K)

• Usable where client initiates (e.g. GSS-API, TLS)
• Not usable where server initiates (EAP)

Wireless LANs: The 802.1X Revolution Slide 137


What Does SRP Not Provide?

Specification of bits on the wire: RFC 2945 is an abstract protocol specification; it needs to be adapted for a particular use.

Specification for how additional keys are derived from the SRP key (K): bad idea to use K on the wire (master key would become stale). Need to describe how to derive IVs, authentication and encryption keys of appropriate lengths in each direction from the SRP master key (K).

Protected ciphersuite negotiation: needed to guard against “down negotiation” attacks.

Wireless LANs: The 802.1X Revolution Slide 138


How does EAP SRP Work?

EAP SRP is a reasonably faithful implementation of RFC 2945 as an EAP method.

Additional features
Server can provide its identity
Derived key can be used in ECP or not
Support for lightweight, periodic reauthentications
Support for hidden pseudonyms for identity protection

Bugs/gripes
Prime modulus/generator should be specified as groups, not numbers
Current spec analogous to IKE “new group mode”
Difficult for client to verify validity of the offered group; will probably just compare the offered group against a “known good” list
Best to just assign group numbers to “known good” groups
Example: groups listed in SRP-SASL draft with prime modulus >= 1024 bits

Wireless LANs: The 802.1X Revolution Slide 139


SRP References

T. Wu, "The SRP Authentication and Key Exchange System," RFC 2945, 09/2000
T. Wu, "The Secure Remote Password Protocol," in Proceedings of the 1998 Internet Society Symposium on Network and Distributed Systems Security, San Diego, CA, pp. 97-111
EAP SRP: http://www.ietf.org/internet-drafts/draft-ietf-pppext-eap-srp-03.txt

Wireless LANs: The 802.1X Revolution Slide 140


SRP Summary

SRP attractive for password-based authentication
Thought to be invulnerable to dictionary attack
Does not require storing password in clear or reversibly encrypted
Intellectual property filings available for inspection

IETF standardization process underway
RFC 2945 at Proposed Standard
SRP-TLS, EAP SRP drafts on Standards Track

Several ways to use SRP
Can be negotiated within TLS, EAP, GSS-API

Recommendation
SRP worthy of consideration as mandatory-to-implement method for 802.11 TGi
Simplest to use SRP as a straight EAP mechanism
Other secure password schemes may also be worth examining (EKE, etc.) if intellectual property issues can be resolved

Wireless LANs: The 802.1X Revolution Slide 141


Fast Handoff

Wireless LANs: The 802.1X Revolution Slide 142


802.11: Implications for Fast Handoff

Classic 802.11 authentication occurs before reassociation
Enables a STA to pre-authenticate with the new AP prior to reassociation

Management frames are not authenticated
Association-Request/Response, Reassociation-Request/Response, Disassociation notification are unauthenticated
Enables an attacker to forge these and other management frames and take over sessions

Inter-Access Point communication typically not necessary
If all APs use the same key, the new AP can validate the STA authentication without contacting the old AP.

Ability for STAs to quickly reassociate between access points
STA sends Disassociate to old AP after it receives Reassociation-Response from new AP
New AP installs STA state in the DS after receiving an ACK of the Reassociation-Response from the STA
No cryptographic operations in the critical path

Wireless LANs: The 802.1X Revolution Slide 143


Classic 802.11 State Machine (figure)

State 1: Unauthenticated, Unassociated (Class 1 frames)
State 2: Authenticated, Unassociated (Class 1 & 2 frames)
State 3: Authenticated, and Associated (Class 1, 2 & 3 frames)

Transitions: Successful MAC layer Authentication (State 1 to State 2); Successful Association or Reassociation (State 2 to State 3); Disassociation Notification (State 3 to State 2); Deauthentication Notification (State 2 or State 3 to State 1)

Wireless LANs: The 802.1X Revolution Slide 144


802.11 Fast Handoff (message sequence; figure)

Participants: STA, APold, APnew
STA -> APold: Associate-Request
APold -> STA: Associate-Response
STA -> APold: ACK (DS notified)
STA -> APnew: Reassociate-Request
APnew -> STA: Reassociate-Response
STA -> APnew: ACK (DS notified)
STA -> APold: Disassociate

Note: Authentication not on critical path, so not included
Transition Period ~ T_STA-AP

Wireless LANs: The 802.1X Revolution Slide 145


802.11i State Machine (figure)

State 1: Unauthenticated, Unassociated (Class 1 frames + ESN Class 2 frames)
State 2: Authenticated, Unassociated (Class 1 & 2 frames)
State 3: Authenticated, and Associated (Class 1, 2 & 3 frames)
State 4: ESN Associated (Class 1, 2 & 3 frames except Authentication & Deauthentication)

Transitions: Successful MAC layer Authentication; Successful Association or Reassociation; Disassociation Notification; Deauthentication Notification; ESN Association or Reassociation; Successful upper layer Authentication; ESN Disassociation Notification

Wireless LANs: The 802.1X Revolution Slide 146


802.11i: Implications for Fast Handoff

With 802.1X, upper layer authentication occurs after ESN association/reassociation
802.1X state machine is driven by association/reassociation events
A STA can only be associated with a single AP; since 802.1X authentication occurs after reassociation, an ESN STA can only authenticate to a single ESN AP

Full reauthentication to each AP a significant cost
802.1X authentication may involve multiple round-trips, public key operations
Environments with many mobile stations can heavily load the backend authentication server
Desirable to avoid a full reauthentication at every AP

Need to lock all doors left open by classic 802.11
802.11i adds dynamic keying (802.1X), credible ciphersuite (AES), but…
Need to address other 802.11 security holes such as unauthenticated management frames
Cryptographic operations now in the critical path for Fast Handoff
ESN reassociated STA cannot access the controlled port of the ESN AP until upper layer authentication completes
Authentication of Reassociation-Request/Response, Disassociation required to prevent hijacking

Wireless LANs: The 802.1X Revolution Slide 147


Questions

Should authentication occur before or after reassociation?
How do we authenticate management frames?
This presentation addresses Reassociation-Request/Response and Disassociation Notification frames
Future work will address authentication of other Management Frames: Association-Request/Response, Beacon, Probe-Request/Response, Deauthentication, ATIM

Wireless LANs: The 802.1X Revolution Slide 148


Alternatives

Authentication before reassociation
Pros
Enables pre-authentication
Authentication no longer in the critical path for reassociation
Cons
If you authenticate management frames, cryptographic operations remain in the critical path (since you need to authenticate the Reassociation Request/Response)
If you’re already authenticating reassociation request/response, why do more than “canned” authentication in addition?

Reassociation before Authentication
Pros
Simplicity: authenticate Reassociation-Request/Response, Disassociation; AP issues “canned success” in upper layer authentication if authentication is successful at MAC layer
Minimizes cryptographic operations in the critical path for reassociation
Cons
No pre-authentication

Wireless LANs: The 802.1X Revolution Slide 149


Proposed Approach

Authentication of Reassociate, Disassociate frames
Authenticator Information Element added to Reassociation-Request/Response, Disassociation notification frames
Authenticator Information Element enables STA and new AP to prove possession of the unicast authentication session key negotiated with the old access point.

Support within the Inter-Access Point Protocol (IAPP)
New AP passes the Authenticator IE to the old AP in the Inter-Access Point Protocol (IAPP) Move-Request
Old AP validates the Authenticator
If successfully validated, old AP sends IAPP Move-Response to new AP
Otherwise, old AP silently discards IAPP Move-Request
New AP will not send Reassociation-Response
STA Reassociation-Request will time out
STA, AP will re-authenticate
Appropriate 802.11f MIB variable is incremented

802.1X “canned success” sent from AP to STA if the Authenticator IE included within the Reassociation-Request is valid.
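The proposed flow above as a small simulation, added here and not part of the presentation or any 802.11f implementation. The slides do not define the Authenticator IE format, so this example assumes it is an HMAC-SHA1 over the frame type, STA address, both BSSIDs and a per-request nonce, keyed with the unicast session key the STA shares with the old AP; the nonce set for replay protection and the MIB counter placement are likewise assumptions.

```python
import hashlib
import hmac
import os


def authenticator_ie(key: bytes, frame_type: str, sta: str, old_bssid: str,
                     new_bssid: str, nonce: bytes) -> bytes:
    """Assumed Authenticator IE: HMAC-SHA1 over the frame fields with the session key."""
    msg = b"|".join([frame_type.encode(), sta.encode(), old_bssid.encode(),
                     new_bssid.encode(), nonce])
    return hmac.new(key, msg, hashlib.sha1).digest()


class OldAP:
    def __init__(self, bssid: str, session_keys: dict):
        self.bssid = bssid
        self.keys = session_keys          # STA MAC -> unicast session key
        self.seen_nonces = set()          # replay protection (assumption)

    def iapp_move_request(self, sta, new_bssid, nonce, ie):
        """Validate the Authenticator; return an IAPP Move-Response, or None
        to model the silent discard of an invalid Move-Request."""
        key = self.keys.get(sta)
        if key is None or nonce in self.seen_nonces:
            return None
        expected = authenticator_ie(key, "reassoc-req", sta, self.bssid, new_bssid, nonce)
        if not hmac.compare_digest(expected, ie):
            return None
        self.seen_nonces.add(nonce)
        return {"move_response": True, "sta": sta, "key": key}


class NewAP:
    def __init__(self, bssid: str, old_ap: OldAP):
        self.bssid = bssid
        self.old_ap = old_ap
        self.mib_auth_failures = 0        # stands in for the 802.11f MIB variable

    def reassociation_request(self, sta, old_bssid, nonce, ie):
        """Return the authenticated Reassociation-Response plus the canned
        802.1X success, or None when the STA's request is left to time out."""
        resp = self.old_ap.iapp_move_request(sta, self.bssid, nonce, ie)
        if resp is None:
            self.mib_auth_failures += 1
            return None               # no Reassociation-Response is sent
        key = resp["key"]
        return {
            "reassoc_response_ie": authenticator_ie(
                key, "reassoc-resp", sta, old_bssid, self.bssid, nonce),
            "eap": "EAP-Success (canned)",
        }


def handoff(sta, key, old_ap, new_ap, nonce=None, forged_key=None):
    """STA-side driver; forged_key models a sender without the session key."""
    nonce = nonce or os.urandom(8)
    ie = authenticator_ie(forged_key or key, "reassoc-req", sta,
                          old_ap.bssid, new_ap.bssid, nonce)
    reply = new_ap.reassociation_request(sta, old_ap.bssid, nonce, ie)
    if reply is None:
        return "timeout: full 802.1X reauthentication required"
    # The STA checks the Reassociation-Response with the same key before trusting it.
    expected = authenticator_ie(key, "reassoc-resp", sta, old_ap.bssid, new_ap.bssid, nonce)
    if not hmac.compare_digest(expected, reply["reassoc_response_ie"]):
        return "rejected: Reassociation-Response failed authentication"
    return "reassociated: " + reply["eap"]
```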

Wireless LANs: The 802.1X Revolution Slide 150


802.11i Fast Handoff (message sequence; figure)

Participants: STA, APold, APnew
STA -> APold: Associate-Request
APold -> STA: Associate-Response
STA -> APold: ACK (DS notified)
STA -> APnew: Reassociate-Request (Authenticated)
APnew -> STA: Reassociate-Response (Authenticated)
STA -> APnew: ACK (DS notified)
STA -> APold: Disassociate (Authenticated)
Transition Period ~ RTT_STA-AP

APnew -> STA: 802.1X/Identity Request
STA -> APnew: 802.1X/Identity Response
EAP-Request / EAP-Response exchanges
APnew -> STA: EAP-Success
Transition Period ~ n RTT_STA-AP, n = 3.5 (TLS), 2.5 (TLS continuation)

Wireless LANs: The 802.1X Revolution Slide 151
