
802 Handoff LinkSec Handoff Issues?


Presentation Transcript


  1. 802 Handoff: LinkSec Handoff Issues?
  David Johnston
  david.johnston@ieee.org
  dj.johnston@intel.com
  David Johnston, Intel

  2. (very) Simplified Anatomy of a L3 Handoff
  • Down at the link layer, a link breaks
  • So, something somewhere up the stack agrees, in its own way, to handoff from one place to another
    • E.g. Mobile IP
  • Consequently, down at the link layer, an attachment switches from one place to another
    • Association-authentication-authorization in one of several possible orders and flavors
    • Either by picking a new attachment point for an interface, or picking a new interface
  • Mobile IP reconnects via the net attachment

  3. Pre-auth Requirements
  • Prior to attempting to authenticate, the mobile node may want to know whether it is worth the effort
    • Does the AP support my L3 network needs?
    • Do I have a payment method, auth protocol, subscription that will work on the candidate AP?
    • Can my QoS needs be met?
  • It would be nice for the conduit for this information:
    • To not be blocked prior to authentication
    • To be applicable to diverse 802 network types (MSDU transport)

  4. The blocking behavior of 802.1x
  • 802.1x allows access to the MAC
  • Blocks access to all LSAPs above the LLC except for EAPoL until authentication has completed
  • So only MAC signalling and EAP are available prior to authentication
  • This takes advantage of the common MSDU transport capability of different 802 networks
  • A mechanism applicable to diverse 802 network types could not be codified in existing MAC signaling or EAP
  • So current 802 authentication practice impacts the transfer of handoff-related information prior to authentication

  5. EAP Extensions
  • Introduce new EAP methods to enable network detection
  • Detection bound to some place in the EAP authentication sequence
  • IETF domain
  [Stack diagram: new features sit in the EAP layer; mIP over EAPoL over LLC, MAC and PHY on each side, joined by the Medium; the 802.1x/aa controlled/uncontrolled port sits between EAPoL and the LLC]

  6. EAPoL Extensions
  • Amend 802.1aa to add attachment information service
  • Tied use of 802.1x in 802 case
  • IEEE 802.1aa domain
  [Stack diagram: new features sit in the EAPoL layer; mIP over EAPoL over LLC, MAC and PHY on each side, joined by the Medium; the 802.1x/aa controlled/uncontrolled port sits between EAPoL and the LLC]

  7. Controlled/Uncontrolled Port Entity (CUPE)
  • Add new entity above LSAP
    • Uncontrolled port for insecure data/signaling
    • Controlled port otherwise
  • Tied use of 802.1x in 802 case
  • IEEE 802 domain
  [Stack diagram: new features sit in a CUPE layer above the LSAP, with mIP above it; the CUPE splits into a (Secured) CPE and an (Unsecured) UPE; EAPoL over LLC, MAC and PHY on each side, joined by the Medium; the 802.1x/aa controlled/uncontrolled port sits between EAPoL and the LLC]

  8. Beacons
  • Add new management frames/frame content
  • Uses native 802.[x] management frames for signaling
  [Stack diagram: new features sit in the MAC layer as a "new thing"; no 802.1x/aa needed]

  9. Scheduling
  [Timeline, EAP case: Attachment → EAPoL/EAP exchange → Attached → Attached & Connected]
  • Information transfer can only happen within a limited range of time during EAP
  [Timeline, EAPoL case: Attachment → EAPoL/EAP exchange → Attached → Attached & Connected, with further EAPoL exchanges possible afterwards]
  • Hypothetically, EAPoL could be invoked during the authenticated state for the purposes of information transfer
  • Information transfer can only happen within a limited range of time during EAPoL operation

  10. Scheduling
  [Timeline, CUPE case: Attachment → EAPoL/EAP exchange → Attached → Attached & Authorized, with CUPE traffic throughout]
  • Information transfer can happen anytime during a connection, with restrictions on what is transferred based on controlled port status
  [Timeline, Beacons/Probes case: Attachment → EAPoL/EAP exchange → Attached → Attached & Authorized, with beacons/probes (B/P) throughout]
  • Information transfer can happen anytime the transmitter chooses, assuming the L2 media supports it

  11. Extending the auth model to support Handoff
  • Extend the set of pre-authentication unblocked things from:
    • MAC signalling
    • EAPoL
  • To:
    • MAC signalling
    • EAPoL
    • Non-sensitive handoff-related data
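To make the blocking behaviour of slide 4 and the extended pre-authentication allow-list of slides 7 and 11 concrete, here is a small Python model of an authenticator port. It is an added example, not code from the presentation and not an 802.1X implementation. The EAPoL EtherType 0x888E and the IPv4 EtherType 0x0800 are real; the "handoff information" EtherType 0xFFFF is a placeholder invented for the unsecured-channel idea and is not an assigned value; the MAC addresses and frame contents are constructed.

```python
"""Toy model of the IEEE 802.1X controlled/uncontrolled port filter.

Added example, not code from the presentation or from any 802.1X
implementation.  Before authentication only EtherTypes on the port's
pre-auth allow-list pass (the uncontrolled port); after EAP success the
controlled port is open and everything passes.  The strict policy is
today's 802.1X behaviour (only EAPoL); the extended policy is the
slide 7/11 proposal (EAPoL plus non-sensitive handoff data).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Tuple

ETHERTYPE_IPV4 = 0x0800          # real EtherType, stands in for ordinary data
ETHERTYPE_EAPOL = 0x888E         # real EtherType for IEEE 802.1X EAPoL
ETHERTYPE_HANDOFF_INFO = 0xFFFF  # HYPOTHETICAL placeholder, not an assigned EtherType


class PortState(Enum):
    UNAUTHENTICATED = "unauthenticated"  # controlled port closed
    AUTHENTICATED = "authenticated"      # controlled port open


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Serialise a minimal Ethernet II frame (no FCS, no VLAN tag)."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst + src + ethertype.to_bytes(2, "big") + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse the 14-byte Ethernet II header; rejects runt frames."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    return Frame(raw[0:6], raw[6:12], int.from_bytes(raw[12:14], "big"), raw[14:])


@dataclass
class PortFilter:
    """One authenticator port with its pre-authentication allow-list."""
    preauth_allowed: FrozenSet[int] = frozenset({ETHERTYPE_EAPOL})
    state: PortState = PortState.UNAUTHENTICATED

    def admit(self, raw: bytes) -> bool:
        frame = parse_frame(raw)
        if self.state is PortState.AUTHENTICATED:
            return True                      # controlled port open: all LSAPs reachable
        return frame.ethertype in self.preauth_allowed  # uncontrolled port only

    def on_eap_success(self) -> None:
        self.state = PortState.AUTHENTICATED


STRICT_POLICY = frozenset({ETHERTYPE_EAPOL})                           # slide 4
EXTENDED_POLICY = frozenset({ETHERTYPE_EAPOL, ETHERTYPE_HANDOFF_INFO})  # slides 7/11


def run_demo(policy: FrozenSet[int]) -> Dict[str, Tuple[bool, bool]]:
    """Push three constructed frames through a port before and after
    authentication; returns {frame_name: (admitted_before, admitted_after)}."""
    ap = bytes.fromhex("020000000001")      # constructed, locally administered MACs
    mobile = bytes.fromhex("020000000002")
    frames = {
        # EAPOL header: version 1, type 1 (EAPOL-Start), body length 0
        "eapol": build_frame(ap, mobile, ETHERTYPE_EAPOL, b"\x01\x01\x00\x00"),
        "ipv4": build_frame(ap, mobile, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
        "handoff": build_frame(ap, mobile, ETHERTYPE_HANDOFF_INFO, b"candidate-ap-list"),
    }
    port = PortFilter(preauth_allowed=policy)
    before = {name: port.admit(raw) for name, raw in frames.items()}
    port.on_eap_success()
    after = {name: port.admit(raw) for name, raw in frames.items()}
    return {name: (before[name], after[name]) for name in frames}


if __name__ == "__main__":
    for label, policy in (("strict 802.1X", STRICT_POLICY), ("extended", EXTENDED_POLICY)):
        print(label, run_demo(policy))
```

Under the strict policy the handoff frame is dropped until EAP succeeds, which is exactly the delay slide 4 complains about; under the extended policy it is admitted immediately. The cost is the one the slides already name: anything admitted on the uncontrolled port arrives unauthenticated, so the allow-list must carry only non-sensitive decision data, and the mobile node should treat it as a hint for choosing where to authenticate rather than as something to act on with any privilege.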

  12. So: One requirement
  • Don't make it impossible to define the distribution of media-independent handoff decision data prior to authentication
    • Allows mobile nodes to handoff based on good information
    • Enables mobile nodes to choose who they should bother authenticating to

  13. Port == AID?!
  • In 802.11 the port is defined to be attached to an association
    • Prevents authentication before association
  • Is a problem for 802.11 if you have handoff decision data on the uncontrolled port
    • Increases time to access handoff data
    • Leaves only the beacon for public data before auth
      • Limited in size
      • Unsafe to extend
      • Not common across 802
  • Can the port not be per mobile-part MAC address or some such thing?
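Slides 8 and 13 treat the beacon as the only pre-authentication channel 802.11 offers today, and call it limited in size and unsafe to extend. The added Python below (not code from the presentation) parses an 802.11 beacon frame body, the fixed fields followed by tagged information elements, and makes both constraints visible: each element's length field is one octet, so one element carries at most 255 bytes, and the parser must walk past element IDs it does not recognise. The element IDs 0, 1 and 221 are the real 802.11 values; the SSID, rates, vendor OUI and "handoff hint" contents are constructed.

```python
"""Beacon frame body parser: fixed fields plus tagged information elements.

Added example, not code from the presentation.  Demonstrates the two
beacon constraints from slides 8 and 13: a single element is capped at
255 bytes by its one-octet Length field, and new element types must be
skippable by existing parsers.  All beacon contents are constructed.
"""
import struct
from typing import Dict, List, Tuple

# Element IDs are the IEEE 802.11 values; the element *contents* used below are made up.
EID_SSID = 0
EID_SUPPORTED_RATES = 1
EID_VENDOR_SPECIFIC = 221
MAX_ELEMENT_LEN = 255  # the Length field is a single octet

# Fixed fields at the start of a beacon body: timestamp (8), beacon interval in TU (2),
# capability information (2); all little-endian.
FIXED_FIELDS = struct.Struct("<QHH")


def fits_in_element(data: bytes) -> bool:
    """True if ``data`` can be carried by one information element."""
    return len(data) <= MAX_ELEMENT_LEN


def encode_element(eid: int, data: bytes) -> bytes:
    """Encode one Element ID / Length / Data triple."""
    if not 0 <= eid <= 255:
        raise ValueError("element ID is one octet")
    if not fits_in_element(data):
        raise ValueError(f"element body is {len(data)} bytes; limit is {MAX_ELEMENT_LEN}")
    return bytes((eid, len(data))) + data


def parse_elements(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk the element TLVs.  Unknown IDs are kept, not rejected, so a
    receiver survives elements defined after it was written; truncation
    is rejected rather than silently padded."""
    elements: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated element header")
        eid, length = blob[i], blob[i + 1]
        body = blob[i + 2 : i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated element body")
        elements.append((eid, body))
        i += 2 + length
    return elements


def parse_beacon_body(body: bytes) -> Dict[str, object]:
    """Parse fixed fields, then the element list that follows them."""
    if len(body) < FIXED_FIELDS.size:
        raise ValueError("beacon body shorter than the fixed fields")
    timestamp, interval, capability = FIXED_FIELDS.unpack_from(body, 0)
    return {
        "timestamp": timestamp,
        "beacon_interval_tu": interval,
        "capability": capability,
        "elements": parse_elements(body[FIXED_FIELDS.size:]),
    }


def ssid_of(parsed: Dict[str, object]) -> str:
    """Return the SSID element as text, or '' if absent."""
    for eid, body in parsed["elements"]:  # type: ignore[union-attr]
        if eid == EID_SSID:
            return body.decode("utf-8", "replace")
    return ""


def build_sample_beacon() -> bytes:
    """Constructed beacon body: fixed fields plus SSID, rates and one
    vendor-specific element standing in for 'handoff decision data'."""
    fixed = FIXED_FIELDS.pack(0, 100, 0x0411)
    vendor_payload = bytes.fromhex("000000") + b"handoff-hint:v1"  # placeholder OUI + made-up data
    return (
        fixed
        + encode_element(EID_SSID, b"example-ap")
        + encode_element(EID_SUPPORTED_RATES, bytes.fromhex("82848b96"))
        + encode_element(EID_VENDOR_SPECIFIC, vendor_payload)
    )


if __name__ == "__main__":
    beacon = parse_beacon_body(build_sample_beacon())
    print(ssid_of(beacon), beacon["beacon_interval_tu"], [eid for eid, _ in beacon["elements"]])
    print("256-byte hint fits in one element:", fits_in_element(b"x" * 256))
```

The size cap is what "limited in size" means in practice: a handoff-data set larger than 255 bytes has to be fragmented across several elements or moved to a different frame type. The unknown-element handling is the safe direction for a receiver; the "unsafe to extend" concern on the slide is the sender side, since every extra element rides in an unauthenticated broadcast that any nearby station can read and, before authentication, no station can verify.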
