May. 2003 doc.: 802_Handoff_Linksec_Presentation
Submission: David Johnston, Intel ([email protected])

Slide 1: 802 Handoff: LinkSec Handoff Issues?
David Johnston

Slide 2: (very) Simplified Anatomy of a L3 Handoff
• Down at the link layer, a link breaks
• So, something somewhere up the stack agrees, in its own way, to hand off from one place to another
  – E.g. Mobile IP
• Consequently, down at the link layer, an attachment switches from one place to another
  – Association-authentication-authorization in one of several possible orders and flavors
  – Either by picking a new attachment point for an interface, or picking a new interface
• Mobile IP reconnects via the net attachment

Slide 3: Pre-auth Requirements
• Prior to attempting to authenticate, the mobile node may want to know whether it is worth the effort
  – Does the AP support my L3 network needs?
  – Do I have a payment method, auth protocol, subscription that will work on the candidate AP?
  – Can my QoS needs be met?
• It would be nice for the conduit for this information:
  – To not be blocked prior to authentication
  – To be applicable to diverse 802 network types (MSDU transport)

Slide 4: The blocking behavior of 802.1x
• 802.1x allows access to the MAC
• Blocks access to all LSAPs above the LLC except for EAPoL until authentication has completed
  – So only MAC signalling and EAP are available prior to authentication
  – This takes advantage of the common MSDU transport capability of different 802 networks
  – A mechanism applicable to diverse 802 network types could not be codified in existing MAC signaling or EAP
• So current 802 authentication practice impacts the transfer of handoff-related information prior to authentication

Slide 5: EAP Extensions
• Introduce new EAP methods to enable network detection
  – Detection bound to some place in the EAP authentication sequence
  – IETF domain
[Diagram: protocol stack EAP / mIP / EAPoL / LLC / MAC / PHY / Medium on both sides of the link, with the 802.1x/aa controlled/uncontrolled port; the new features sit at the EAP layer]

Slide 6: EAPoL Extensions
• Amend 802.1aa to add an attachment information service
  – Tied to use of 802.1x in the 802 case
  – IEEE 802.1aa domain
[Diagram: same stack; the new features sit at the EAPoL layer]

Slide 7: Controlled/Uncontrolled Port Entity (CUPE)
• Add a new entity above the LSAP
  – Uncontrolled port (UPE) for insecure data/signaling
  – Controlled port (CPE) otherwise
  – Tied to use of 802.1x in the 802 case
  – IEEE 802 domain
[Diagram: EAP and mIP above a secured CPE and an unsecured UPE, above LLC / MAC / PHY / Medium, with the 802.1x/aa controlled/uncontrolled port; the new features sit at the CUPE]

Slide 8: Beacons
• Add new management frames/frame content
  – Uses native 802.[x] management frames for signaling
[Diagram: the new feature ("New Thing") sits in the MAC; no 802.1x/aa needed]

Slide 9: Scheduling
[Timeline, EAP: Attached, then EAP inside EAPoL, then Attached & Connected. Attachment information transfer can only happen within a limited range of time during EAP]
[Timeline, EAPoL: Attached, then EAPoL around EAP, then Attached & Connected. Attachment information transfer can only happen within a limited range of time during EAPoL operation]
Hypothetically, EAPoL could be invoked during the authenticated state for the purposes of information transfer

Slide 10: Scheduling
[Timeline, CUPE: Attached, attachment information, EAP inside EAPoL, then Attached & Authorized. Information transfer can happen anytime during a connection, with restrictions on what is transferred based on controlled port status]
[Timeline, Beacons/Probes (B/P): B/P frames before, during and after EAP/EAPoL, through Attached & Authorized. Information transfer can happen anytime the transmitter chooses, assuming the L2 media supports it]

Slide 11: Extending the auth model to support Handoff
• Extend the set of pre-authentication unblocked things from:
  – MAC signalling
  – EAPoL
• To:
  – MAC signalling
  – EAPoL
  – Non-sensitive handoff-related data

Slide 12: So: One requirement
• Don't make it impossible to define the distribution of media-independent handoff decision data prior to authentication
  – Allows mobile nodes to hand off based on good information
  – Enables mobile nodes to choose who they should bother authenticating to

Slide 13: Port == AID?!
• In 802.11 the port is defined to be attached to an association
• Prevents authentication before association
• Is a problem for 802.11 if you have handoff decision data on the uncontrolled port
  – Increases time to access handoff data
  – Leaves only the beacon for public data before auth
    • Limited in size
    • Unsafe to extend
    • Not common across 802
• Can the port not be per mobile-part MAC address or some such thing?
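The port allow-list argued across slides 4, 11 and 13, as an added model that is not part of the original presentation: it encodes today's 802.1x behaviour (only EAPoL crosses the uncontrolled port before authorization, and in 802.11 no port exists before association) beside the proposed extension that also unblocks non-sensitive handoff data. The stage names, frame-class labels and policy names are constructed for the model, not 802 field values.

```python
from enum import Enum

class Stage(Enum):
    UNATTACHED = "unattached"   # no association yet: only MAC management frames reachable
    ATTACHED = "attached"       # associated; 802.1x port still unauthorized
    AUTHORIZED = "authorized"   # 802.1x port authorized: controlled port open

# Frame classes used by the model (constructed labels, not 802 field values)
MGMT = "mac_mgmt"         # beacons / probes / association signalling
EAPOL = "eapol"           # 802.1x authentication exchange
HANDOFF = "handoff_info"  # non-sensitive attachment / handoff decision data
DATA = "user_data"        # everything above LLC once the controlled port is open

# Pre-authorization allow-lists for the uncontrolled port.
# "baseline" is the 802.1x blocking behaviour of slide 4;
# "extended" is the slide 11 proposal that also unblocks handoff data.
POLICIES = {
    "baseline": {EAPOL},
    "extended": {EAPOL, HANDOFF},
}

def port_accepts(frame_class, stage, policy="baseline"):
    """True if a frame of frame_class may cross the station's port at this stage."""
    if frame_class == MGMT:
        return True            # native MAC signalling is never blocked by 802.1x
    if stage is Stage.UNATTACHED:
        return False           # port == AID (slide 13): no port before association
    if stage is Stage.ATTACHED:
        return frame_class in POLICIES[policy]   # uncontrolled-port allow-list
    return True                # AUTHORIZED: the controlled port passes everything

def earliest_stage(frame_class, policy="baseline"):
    """First stage at which a frame class becomes deliverable (None if never)."""
    for stage in Stage:        # Enum iterates in definition order
        if port_accepts(frame_class, stage, policy):
            return stage
    return None

if __name__ == "__main__":
    for policy in POLICIES:
        for cls in (MGMT, EAPOL, HANDOFF, DATA):
            print(policy, cls, "->", earliest_stage(cls, policy).value)
```

Under the baseline policy handoff data is only deliverable once authorized, so a mobile node must finish authenticating before it learns whether the attachment was worth it; under the extended policy it arrives while merely attached, while user data stays blocked until authorization in both.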