802.11: Ethernet Marches On


In-depth description and analysis of wireless LAN 802.11 technology and its impact on networking, given at Glocom in Japan in August 2002. Interesting to look back and see which predictions were right on and which were not so...

Notes for slides:
  • Key message: Changing the lifestyle – connected, always on Web lifestyle. The Internet is changing the way we work, we live and we play. The Internet is driving this change and changing our lifestyle to a lifestyle enabled by the Web, or the Web Lifestyle. It is connecting people from one corner of the globe to another. It is creating new markets. It is raising new paradigms in learning like online libraries and virtual campuses through interactive multimedia based systems.
  • Why indoors? All the spectrum considered for 3G frequencies in the US (in the 1.5 GHz to 3 GHz range, but more likely to be found closer in on both ends) and the spectrum allocated to IMT2000, the actual European roadmap for 3G, has a simple dilemma. It’s true for all forms of radio networking, but we’ve got clear examples for these ranges. If you want to stuff a lot of data into a band you either need a wide stretch of bandwidth, a lot of power, or a lot of closely spaced cells. You can have just one of those and get decent results, and any two are great. All three mean you’ve got it nailed. But in the world we live in, power means lower battery life; increased cell density vastly increases costs; bandwidth is scarce, and in the US, not available at all for reallocation. Thus we look to our real-world example: Wi-Fi and related 2.4 GHz wireless data technology. They have moderate swaths of bandwidth (22 MHz for a Wi-Fi channel or 1 to 5 MHz swaths for Bluetooth and HomeRF’s frequency hopping), low power (< 1W effective radiation under Part 15 rules, but most devices are 30 mW to 100 mW), and HIGH DENSITY. You have to put a lot of access points closely together with overlapping non-interfering frequencies to get constant coverage at Mbps speeds. Thus my conclusion, which is backed up in a few places I’ve found illustrations of deployment. To get 2 Mbps, you have to deploy cells more densely because you can’t increase power and you have a small pool of bandwidth. The reason the FCC uses the euphemism “indoors,” is because the CTIA would rather not say, “You’re going to have to lease lots of customer premises equipment from us to achieve a density of service and then port that equipment through gateways back into our packet network.” Indoors means dense, cell telco-owned points clearly. I can play devil’s advocate and ask, why do they have to be owned by the cellular companies? 
    Because the cell companies currently own everything in their networks and they wouldn’t allow edge equipment to be connected. That would be like a company hooking up their PBX directly to Ma Bell’s switch. Ma Bell (in any of her RBOC/LEC forms) may allow connections between corporate PBX’s and the phone network, but it’s not direct. There are intermediate levels that the phone company provisions and owns. That’s my argument at least.
    -- Glenn Fleishman, Unsolicited Pundit: read my work at http://glennf.com; freelance reporter for The New York Times, Wired, O'Reilly Net, et al.
  • Interesting to know if anyone else is considering this technology currently.
  • European and US requirements are drastically different. 2x Turbo mode is not a part of the standard.
  • Allows us to work in other regulatory domains
  • Important as we move between regulatory domains where some channels are unavailable. TPC: if you are 10 feet away from the AP, your power settings will downshift; only use the higher power when you need it. This saves power and minimizes interference from the client radio. (If the AP is set at 1 mW and the client is set at 30 mW, your cell size will still be based on 30 mW.)
  • Security is a major issue for IEEE; Task Group I covers this area. 802.1x is the authentication specification to be used for 802.11b. The task for this is to use a firmware upgrade to existing products to make them ‘security compatible’. The timetable for draft completion is likely the end of the year. AES requires a lot of processing power and will result in a performance hit until we can do it in firmware. WECA will require TKIP in the Wi-Fi revision later this year.
  • Port based network access control – It is the underlying authentication and messaging system included in 802.11i
  • There are three unlicensed bands, 900 MHz, 2.4 GHz, and 5.7 GHz, called the Industrial, Scientific, and Medical (ISM) bands. This presentation focuses on 2.4 GHz because our products use that band today and it adheres to the IEEE 802.11b standard. In order to use the unlicensed bands you have to use spread spectrum techniques. FH and DS are two ways of doing spread spectrum. These spread spectrum techniques spread the RF energy over the available band. The 5.7 GHz band is promising for future products and Cisco is actively pursuing projects in that area. Recently, the FCC also opened up the 5.2 GHz band for unlicensed use by high speed data communications devices. 5.2 GHz is the same band that is used for the ETSI HIPERLAN specification in Europe. A nearby neighbor of the 900 MHz band is the cellular phone system. This helped the early development of the WLAN industry in the 900 MHz band because of the availability of low cost, small RF components in that band. 2.4 GHz has a neighbor in the PCS system. That helps with component costs too. There are no such neighbors for the 5 GHz band; the WLAN industry will have to drive the development of low cost components for 5 GHz on its own. The other downside to 5 GHz is the poor range performance as compared to 2.4 GHz.
  • Assuming a 6 dB antenna, the radiated power is:
    • U-NII 1: 50 mW in the US/Japan, 200 mW in Europe; 4 channels (5.15-5.25 GHz); indoor access, fixed antenna
    • U-NII 2: 250 mW in the US; 4 channels (5.25-5.35 GHz); indoor/outdoor use, flexible antenna
    • U-NII 3: 1 W in the US; 4 channels (5.725-5.825 GHz); outdoor bridging only
    • HiperLAN: 200 mW in Europe; 8 channels (5.25-5.35 GHz); indoor use only
    • HiperLAN: 1 W in Europe; 11 channels (5.470-5.725 GHz); indoor/outdoor use, flexible antenna
  • Speed is determined by proximity (plus other factors)
  • Security tiers for 802.11b:
    • No security (802.11b configurable features). Security options: SSID (not a security handle, sent in the clear); public/private WLAN segregation. Drawbacks: “promiscuous mode” drivers; null association.
    • Basic security (802.11b configurable features). Security options: SSID; WEP encryption (H/W or S/W); public/private WLAN segregation. Drawbacks: static keys create security and management issues; easily hacked.
    • Enhanced security (enhanced features). Security options: 802.1x authentication framework (802.11 TGi baseline); mutual authentication; dynamic, per user, per session WEP key; automatic, frequent re-authentication. Advantages: multi-tiered security approach.
    • Maximum security (special applications requiring maximum security). Provides: tunneling, encryption, packet integrity, user and device authentication, policy management.
  • 802.1x uses a RADIUS proxy to authenticate clients on the network. This proxy device could be a device like a switch or an AP. This device operates on the “enterprise edge”, meaning that it is the interface between the Enterprise network and the Public or Semi-public network, where security is most needed. The supplicant takes the logon information and passes it to the authentication server, where the logon request is compared against a user database to determine if, and at what level, the user may be granted access to the network resources.
  • The AP, acting as the authenticator at the enterprise edge, will allow the client to associate using Open authentication. The AP will then encapsulate any 802.1x traffic bound for the authentication server and send it to the server. All other network traffic will be blocked, meaning that all other attempts to access network resources will be blocked. Upon receiving RADIUS traffic bound for the client, the AP will encapsulate it and send the information to the client. Beyond the server authenticating the client as a valid network user, this allows the client to validate the server as well, ensuring that the client is not logging into a “phony” server. This entire process occurs before starting to use EAP. Completion of the network logon triggers EAP.
  • After the client has associated to the AP, the supplicant starts the process for using EAPOL (EAP over LAN) by asking the user for their logon and password. The user responds with their username and password. Using 802.1x and EAP, the supplicant then sends the username and a one-way hash of the password to the AP. The AP encapsulates the request and sends it to the RADIUS server. The RADIUS server checks the username and password against the database to determine whether the client should be authenticated on the network. If the client is to be authenticated, the RADIUS server issues an access challenge, which is passed to the AP and then sent to the client. The client sends the EAP response to the access challenge to the RADIUS server via the AP. If the client sends the proper response, the RADIUS server sends an access success message and a session WEP key (EAP over Wireless) to the client via the AP. The same session WEP key is also sent to the AP in the success packet. The client and the AP then begin using the session WEP key. The WEP key used for multicasts is then sent from the AP to the client, encrypted using the session WEP key. Upon client log off, the AP returns to the initial state, allowing only 802.1x traffic to pass.
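The logon sequence described in the notes above, as an added example that is not part of the original presentation: a Python model of the supplicant, the AP as 802.1x authenticator (controlled port passes only EAPOL until success) and a RADIUS stand-in. The SHA-256 password hash, the HMAC challenge/response and the XOR wrap of the broadcast key are assumptions standing in for the real EAP method and WEP; the user database and client names are constructed.

```python
"""Model of the 802.1x/EAP logon from the notes: open association, EAPOL relayed
by the AP to a RADIUS server, challenge/response, session key handed to client
and AP, broadcast key sent to the client encrypted under the session key."""
import hashlib
import hmac
import os

KEY_LEN = 13  # 104-bit WEP key length (constructed choice for this model)


def pw_hash(password: str) -> bytes:
    """One-way hash of the password carried in the access request (stand-in)."""
    return hashlib.sha256(password.encode()).digest()


def wrap_key(session_key: bytes, key: bytes) -> bytes:
    """Toy XOR wrap standing in for encrypting the broadcast key under the session key."""
    return bytes(a ^ b for a, b in zip(session_key, key))


class RadiusServer:
    """Authentication server holding the (constructed) user database."""

    def __init__(self, users: dict):
        self.users = {u: pw_hash(p) for u, p in users.items()}
        self.pending = {}  # username -> outstanding challenge nonce

    def handle(self, msg: dict) -> dict:
        user = msg.get("user")
        if msg["kind"] == "access-request":
            if self.users.get(user) != msg["pw_hash"]:
                return {"kind": "access-reject"}
            self.pending[user] = os.urandom(16)
            return {"kind": "access-challenge", "challenge": self.pending[user]}
        if msg["kind"] == "challenge-response":
            nonce = self.pending.pop(user, None)
            if nonce is None:
                return {"kind": "access-reject"}
            expected = hmac.new(self.users[user], nonce, "sha256").digest()
            if not hmac.compare_digest(expected, msg["response"]):
                return {"kind": "access-reject"}
            # Success carries the per-session key for both the client and the AP.
            return {"kind": "access-success", "session_key": os.urandom(KEY_LEN)}
        return {"kind": "access-reject"}


class AccessPoint:
    """Authenticator at the enterprise edge: only EAPOL crosses an unauthorized port."""

    def __init__(self, server: RadiusServer):
        self.server = server
        self.associated = set()
        self.session_keys = {}  # client -> session key; presence means port authorized
        self.broadcast_key = os.urandom(KEY_LEN)

    def associate(self, client: str) -> None:
        self.associated.add(client)  # Open authentication: anyone may associate

    def port_allows(self, client: str, frame_type: str) -> bool:
        return frame_type == "EAPOL" or client in self.session_keys

    def relay(self, client: str, eap_msg: dict) -> dict:
        """Encapsulate the client's EAP message for the server and return its reply."""
        if client not in self.associated:
            return {"kind": "access-reject"}
        reply = self.server.handle(eap_msg)
        if reply["kind"] == "access-success":
            self.session_keys[client] = reply["session_key"]
            reply["wrapped_broadcast_key"] = wrap_key(reply["session_key"], self.broadcast_key)
        return reply

    def logoff(self, client: str) -> None:
        self.session_keys.pop(client, None)  # back to the initial, EAPOL-only state


def client_logon(ap: AccessPoint, client: str, user: str, password: str):
    """Supplicant side; returns (session_key, broadcast_key) or None on failure."""
    ap.associate(client)
    digest = pw_hash(password)
    reply = ap.relay(client, {"kind": "access-request", "user": user, "pw_hash": digest})
    if reply["kind"] != "access-challenge":
        return None
    response = hmac.new(digest, reply["challenge"], "sha256").digest()
    reply = ap.relay(client, {"kind": "challenge-response", "user": user, "response": response})
    if reply["kind"] != "access-success":
        return None
    sk = reply["session_key"]
    return sk, wrap_key(sk, reply["wrapped_broadcast_key"])
```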
  • 802.11: Ethernet Marches On

    1. 802.11: Ethernet Marches On
       Robert J. Berger, Internet Bandwidth Development, LLC
       8/29/02 Copyright 2002 Robert J. Berger
    2. The Internet Revolution Has Only Just Begun
       • Businesses continue to be transformed
       • People continue to adapt it to be part of their lives
       • It continues to worm its way into the fabric of everyday life
       • It’s just not the darling of Wall Street and VCs anymore
       • It is the foundation of a lot of our future
    3. By The End of this Decade
       • Almost everything will be connected to the Internet
         • Appliances, automobiles, personal communicators, screens (large and small), refrigerators, stereos, washing machines, copiers, traffic lights, even your watch.
         • 3 billion Internet-capable wireless devices
       • The Internet will be:
         • Telephone, answering machine, television, radio, movie theatre, clock, store, cell phone, pager, post office, mailbox, library, security system, gaming platform, musical instrument, learning center, storage medium, and much, much more!
       • 802.11 will extend Ethernet/Internet to almost everywhere
         • Allows everyone and everything to connect to each other
       • Moore’s, Gilder’s and Metcalfe’s “Laws” deliver information abundance
    4. In a decade we will have:
       • Huge storage
         • 1 TB disks will be mass market (<$200)
       • Very fast wired networking
         • 100 Gb Ethernet will be mass market (< $100)
       • Ubiquitous wireless networking
         • 3 billion units worldwide!
         • 1 Gb wireless LANs: a viable replacement for wired NICs
         • 10 Mbps wireless WANs
       • More powerful personal computers
         • 10+ GHz processors (and/or computer arrays)
         • 4x resolution (2K x 2K) displays competitive w/ paper
         • Large, wall-sized and watch-sized displays
       • A new generation of personal communicators
         • PDAs, PIMs, cell phones, watches, etc.
       • Invisible computing
         • Networked appliances (washing machines, microwaves, etc.)
       • The biggest problem will be software and interfaces with humans
    5. By the End of the Decade, 802.11 will be…
       • A viable desktop NIC replacement
       • Ubiquitous
         • In 1994, there were fewer than 3K PPP dialup ports in the US… today there are millions
       • Wireless ISPs will happen
       • Community nets will happen
       • Mesh networking will extend coverage dramatically
       • Dual 802.11/WAN NICs will be commonplace
       • Additional Physical Interfaces will be introduced
         • Take advantage of new RF tech like Ultrawide Band
         • Faster speeds
         • Longer distances / better penetration
    6. Simultaneous Trends by end of Decade
       • Bigger, Faster: 200 million units/year (laptop, desktop, server); 10 GHz processor; 100 GbE; 1+ TB magnetic disk
       • Smaller, Cheaper: 500 million units/year (PDA/cell phone/sub-laptop); 1 GHz processor; 1 Gbps wireless LAN; 10 Mbps wireless WAN; 1 GB flash disk
    7. “X-Internet” Beyond the PC (chart; Source: Forrester Research, May 2001)
       • Today’s Internet: Computers 93 Million; Internet Users 407 Million
       • X-Internet: Automobiles 663 Million; Telephones 1.5 Billion; Electronic Chips 30 Billion
    8. “X-Internet” Beyond the PC
       [Chart: millions of devices per year, 2001 to 2010, y-axis 0 to 15000 millions, PC Internet vs X Internet; Source: Forrester Research, May 2001]
    9. Implications
       • Distributed, “Grid” computing will be the norm
         • Your “PC”, PDA, etc will be a window into a media/communication/compute cloud
         • Data and Processing “locationless”
       • IP and Ethernet will be the mainstream technology for SAN, MAN, WAN and LAN
         • Fiber the primary PHY for 10 GbE
         • Goodbye Fiber Channel and SONET!
         • 802.11 with various PHYs for 1 - 100 Mbps
         • Goodbye HomeRF and Bluetooth!
       • Managing vast storage will be challenging
         • P2P Grid distributed storage
         • Authentication, Privacy big issues
    10. There is one thing in the way: The “Last Mile” Bottleneck
    11. Huge Capacity at Core & Edge, Nothing in between
       • Hi Capacity Long Haul Fiber is mostly there
         • Huge buildouts between cities
         • Easy to add capacity to this now existing dark fiber / conduit
       • Bandwidth for Buildings & Campus at Edge
         • Ethernet ultra fast and ultra cheap
         • 100Mbps, 1Gbps, 10Gbps wire/fiber
         • 11Mbps, 54Mbps wireless
       • Almost nothing inexpensive to connect them
         • Dialup 56kbps
         • Limited DSL/Cable Modem 128kbps - 6Mbps
    12. It’s a “Layer 8 & 9” Problem
       [Diagram: the OSI stack (Physical: 802.11; Data Link; Network: IP; Transport: TCP/UDP; Session; Presentation; Application) with Layer 8: Economics and Layer 9: Politics stacked above it]
       • Layer 8: Economics
         • The cost to build “the last mile” is huge
         • There is a lot of it
         • Rights of way, trenching, etc
         • Estimated to cost US$50B - US$150B (About what AT&T paid for TCI)
       • Layer 9: Politics
         • Incumbent Phone & Cable Company
         • Internet Bust reinforced their monopoly
         • They have over 100 years of lobbying experience
         • They have actively and passively maintained a choke hold on the last mile and keep it a bottleneck
    13. Wireless can help break the Last Mile Bottleneck
       • Wireless builds can be much less capital intensive
       • Minimal rights of way (rooftops)
       • Can be rolled out sparsely and then filled in
       • Build where there is immediate demand
    14. 802.11 Will be a major factor
       • It’s Wireless Ethernet
       • Wire/Fiber Ethernet metamorphosed from a “toy” technology to covering LANs, MANs and WANs from 10Mbps to 10Gbps
       • 802.11 is/will do the same
       • It’s a standard that is comfortable & can support new physical (PHY) layers
       • Not the optimal solution, but the most flexible, cost effective and rapidly evolving one
    15. Public Access Hotspots to Hotzones with 802.11++
       [Diagram: Central Office and Metro PoP; independent hotspots connected with DSL; a hotzone of 2 square miles with all-wireless connectivity]
    16. Public Wireless Ethernet Deployment
       [Diagram: data network and wireless network]
       • Use Moore’s Law to “route around” Laws of Physics
       • Key problems solved
         • Expanded network capacity
         • Reduced deployment cost
         • Avoid interference
    17. Can incrementally grow
       [Diagram: a standalone 802.11++ AP; a backhaul site with a point-to-point link; backhaul 802.11++ APs; sparsely deployed 802.11++ APs]
    18. Can mix Fixed & Public Access
       [Diagram: homes and businesses served by fiber, by wireless p-to-p / p-to-mp to the neighborhood and/or fiber to the neighborhood, with Public Access 802.11++ for the last few thousand feet]
    19. Who is going to build it?
    20. Who will be the players in the Public 802.11 opportunity?
       • Wireless ISPs
       • Mobile operators
       • Community networks
       • Fixed ISPs
       • Fixed operators
       • Backbone operators
       • Free access providers
       • Real estate owners
       • Manufacturers
    21. Ubiquity and reliability are the key factors for public WLAN access
       What end users demand, from most important to least important:
       • Business users: Wide availability; Reliability; Security; VPN access; Seamless connection; Cost; Single billing relationship; Data transfer speed
       • Consumer users: Cost; Wide availability; Data transfer speed; Reliability; Security; Single billing relationship; Seamless connection
    22. Community Networks
       • Cheap Hardware
         • Base stations (were $1000’s, now $135)
         • Card now $50
       • Free Software
         • Linux, NoCat Authentication
       • Organized in most major cities
         • SFNet, SeattleWireless, Guerrilla.net, NYC Wireless
       • Great for education, probably won’t scale
    23. Wireless ISPs (WISPs)?
       • There are over 1000 in the US
       • Mostly small and undercapitalized
       • Successful in less developed areas
         • Only broadband outside of major metros
         • Main Internet service in some developing countries
       • Limited growth due to limited capital
    24. Several independent 802.11 providers have appeared (and disappeared)
       • Wayport focuses on hotels and airports
       • Telerama is an ISP based in Pittsburgh
       • Community networks (e.g. NYCwireless, SeattleWireless, Elektrosmog) offer free access
       • MobileStar went bankrupt, assets picked up by T-Mobile
       • Wifi Metro / HereUare closed down
    25. Business case is risky for these independent providers
       • WISPs are still small and fragmented:
         • difficult to establish a long-term relation with users
         • they cannot provide the breadth of coverage
         • high investment is required to build a brand
         • there is strong pressure to consolidate before any start-up
       • Free access is becoming increasingly common, but it will remain limited to specific types of location and use
       • Community networks encourage use, but are not in direct competition with other service providers
    26. To succeed, WISPs need to face several challenges
       • Availability
       • Roaming
       • Billing and pricing
       • Security
       • Consolidation pressure
       • Branding
       • Customer service
       • Spectrum overcrowding
       • Real estate owners
       • Technology change
    27. Mobile Operators?
       • Conceptually they are well poised
       • Culturally they will need to go through major transformation
       • 802.11 can be seen to be both competitive and complementary
       • Operators have been fixated on 3G as THE way for mobile data
    28. Threat to 3G Mobile Operators?
       • Wi-Fi
         • Have it today
         • It’s faster
         • It’s decentralized
         • It doesn’t require new spectrum
         • It’s CHEAP
    29. 3G is Expensive (Source: Strategic News Services)
       • Voice Operators are in debt
         • $180 billion in the last 15 months for new spectrum
       • Last year AT&T Wireless spent 5 billion to upgrade their network from 9.6 Kbps (desktop speeds 20 years ago) to 56 Kbps (desktop speeds 10 years ago)
       • Will spend 5 billion more this year
    30. 3G is years away and slower (Sources: NY Times 2/14/02, www.fcc.gov/3G)
       • By 2004, US carrier networks will support speeds of 384 Kbps, and 2 Mbps a year later
         • But FCC says this is only for stationary use
         • Speed drops 80% when walking and 95% when driving
       • To get 2 Mbps or higher speeds businesses will have to individually negotiate and lease equipment from cell telcos
       • Wi-Fi supports 11 Mbps today and 54 Mbps soon
    31. Cheaper to Install (Source: Seattle Times)
       • Airport cell stations (UMTS Station)
         • Cost $50,000 for hardware and connections
         • Does not include spectrum licenses
       • Wi-Fi Base Station
         • Coverage is more limited (300 ft)
         • But: cost is closer to $1,000
         • No spectrum licensing fees
    32. Wi-Fi can do more than just data
       • Location Based Services
         • Tenaid technologies
       • Mobile Payment
       • Voice
         • Voice over IP
         • Peer-to-Peer or through PBX
         • multiple band IP/GPRS/etc. phones
    33. Public 802.11 delivers high-speed data access ahead of 3G
       [Chart: transmission rate (kbit/s, from 50 up to 100 000) against mobility (stationary, walking speed, driving speed), placing Fixed LAN, 802.11a and HiperLAN2, 802.11b/WiFi, HomeRF, Bluetooth, UMTS, GPRS, GSM and Blackberry (US); Source: Public Wireless LAN Access: A Threat to Mobile Operators, Analysys Research, 2001]
    34. …but it will be complementary to cellular networks
       • 802.11 public access
         • 11Mbit/s wireless connection
         • fixed LAN substitute
         • VPN, intranet, streaming possible
         • Concentrated in hotspots / hotzones
         • Multiple providers allowed
         • Limited to PCs and PDAs (so far)
       • Cellular access
         • 9.6kbit/s–500Mbit/s transfer speed
         • email, IM, information retrieval dominate
         • Easier to create wider coverage
         • Single billing relationship, roaming
         • Higher per-Mbyte charges
         • Limited to mostly Phone / PDAs
    35. Cellular Operators: Potential Candidate to Build Network
       [Diagram: Subscriber Directory and Mobile Switching Center connected to the IP Network and to Other Networks (GSM, PSTN, ISDN, etc.); Cellular User via Cellular Base Station; 802.11 User via 802.11a and 802.11 Mesh Base Stations]
       • Can leverage
         • Cell Towers
         • CLEC status
         • Customer Base
         • Billing Systems
         • RF Knowledge
         • Complements 2.5G/3G (could save their a**)
       • Will be a stretch
         • Need to think different
         • Currently paralyzed with fear
    36. 802.11 / VoIP & 2.5G/3G Cell
       • Integrated 802.11 / Cell phone in the works
       • PBX Adjunct Solution: adds wireless handsets to existing PBX
       • Single SIP identity can seamlessly follow a user between 802.11 handset and “cell phone”
       • Laptops & PDAs could roam from hotspots to cellular data when outside of hotspot
    37. Considerations for Mobile Operators
       • Advantages
         • WLANs will bring in additional revenues
         • The billing relationship with customers can be exploited
         • GPRS and 3G do not yet offer high bandwidth for data access
         • 802.11 base stations are cheap to install
         • WLAN may address a segment of demand that could otherwise be captured by WISP competitors
         • The complexity of the service escapes most of the emerging WISP providers
       • Challenges
         • Need to negotiate rental contracts with local real estate owners
         • WLAN data revenues will cannibalize, to some extent, GPRS/UMTS revenues
         • New pricing schemes may be necessary to spur demand
         • Initial investment required
         • Value chain not yet understood
         • Need to establish roaming agreements
         • Bellhead mentality: ATM vs Ethernet, Packet vs Circuit, price / byte / time vs. bandwidth
    38. Who will win?
       • It is still too early to tell, but regional differences have emerged
       • Mobile operators have an advantage, but they need to move fast and it’s counter to their culture
       • Independent WISPs have a clear focus and can move quickly, but are vastly undercapitalized
       • Roaming and wide availability are key to success
    39. Geography will have a strong impact on public WLAN access
       • Europe and Asia
         • Higher density of population
         • Higher cellular penetration
         • Market dominated by mobile operators
         • Bigger reliance on public transportation, smaller homes
         • Consumer-oriented wireless data market
         • Result: higher density of hotspots; WLAN access as an extension of cellular data access
       • US
         • Higher penetration of laptop computers and PDAs
         • Higher Internet penetration
         • Higher 802.11 penetration
         • Airports and hotels as major hotspot locations
         • More advanced wireless data applications for business users
         • Result: larger demand for wireless data applications from business users; WLAN access as a substitute for fixed LAN access
    40. In Europe, mobile operators have been leading the way
       • Telia HomeRun
       • Sonera
       • Telenor
       • Telefónica Moviles/Iobox
       • BTopenworld
    41. In Asia, independent providers have started to appear
       • MIS in Japan and Korea
       • Several mobile operators have started trials or operations (NTT East/West, Japan Telecom, Far EasTone)
       • Free access is available at several airports and other hotspot locations
    42. Regional differences are bound to remain
       • Mobile operators will have a larger role in Asia and Europe
       • Independent providers with roaming agreements will survive in the US
       • Billing traditions in Europe and Asia will result in a higher emphasis on metered access
       • Billing traditions in the US will lead to a predominance of flat-fee pricing
    43. 802.11 Needs to Evolve for Public & Fixed Access
       • Wireless bridging or meshing between Access Points
         • Allow for cost effective hotzones
         • 802.11 spec mentions but does not yet specify
         • Currently only limited proprietary implementations
         • 802.11a offers enough bandwidth to share
       • 802.11h extended to allow sophisticated power management
         • APs should use only enough power to reach adjacent nodes, minimize overlaps
       • New Physical Layers
         • Like Ethernet, different PHYs for speed / density
         • Other spectrum (700MHz, 24GHz, 60GHz)
         • Ultrawide Band
    44. 802.11 Basics
    45. 802.11 and the OSI reference model
       • OSI Layer 3 (Network): IETF Internet Protocol (IP)
       • OSI Layer 2: IEEE 802.2 Logical Link Control (LLC) over IEEE 802.11 Media Access Control (MAC)
       • OSI Layer 1 (PHY)
         • 802.11: Frequency Hopping Spread Spectrum, Direct Sequence Spread Spectrum, IrDA
         • 802.11b: Direct Sequence
         • 802.11a: OFDM at 5GHz
         • 802.11g: OFDM at 2.4GHz
         • Future?: UWB, 24GHz, 60GHz
    46. IEEE 802.11 Standards
       • 802.11a - 5GHz - ratified in 1999
       • 802.11b - 11 Mbps, 2.4 GHz, ratified in 1999
       • 802.11d - World Mode and additional regulatory domains - ratified
       • 802.11e - Quality of Service
       • 802.11f - Inter-Access Point Protocol (IAPP)
       • 802.11g - Higher Data rate (>20 Mbps) 2.4GHz
       • 802.11h - Dynamic Frequency Selection and Transmit Power Control mechanisms
       • 802.11i - Authentication and security
    47. Original 802.11
       • Original 802.11, circa 1999
       • Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) with ACK
       • FHSS, DSSS, IR
       • 1 & 2 Mbps
       • Wired Equivalent Privacy (WEP)
       • SNMP v2 for remote management
    48. 802.11a
       • Ratified as Standard in Sept, 1999
       • First products available in 2002
       • Utilizes U-NII and ISM spectrum in the 5.25 - 5.85 GHz range (Country Specific)
       • Data rates to 54 Mbps defined
         • 6, 9, 12, 18, 24, 36, 48, 54 Mbps
       • 4 Indoor only, 4 indoor/outdoor, 4 outdoor only (Country Specific)
       • Regulations differ extensively across countries
    49. 802.11b
       • Ratified as Standard in Sept, 1999
       • Emerged as product way before 802.11a
       • 2.4 GHz, Direct Sequence
       • 1, 2, 5.5 & 11 Mbps
       • Complementary Code Keying (CCK)
       • 11 US channels
       • 13 ETSI channels
       • 14 Japan channels
       • Power levels
         • 36 dBm EIRP-FCC, 20 dBm EIRP-ETSI
       • ISM - Virtually approved world wide
    50. 802.11d: Extensions to Operate in Additional Regulatory Domains
       • 802.11c was subsumed into 802.11d
         • Bridge operation
       • Ratified in June, 2001
       • Defines frequency and power limitation for different regulatory domains
       • ‘World Mode’
         • APs set to appropriate Regulatory domain
         • Clients, upon association to AP, inherit the power and frequency requirements of regulatory domain
         • Permits roaming across different regulatory domains with the same client
    51. 802.11e: MAC Enhancements for Quality of Service
       • Ongoing, Draft 3.0, resolving comments
       • Provides quality-of-service (QoS) features
         • to support the existing 802.11b and 802.11a
       • QoS and multimedia support are critical to wireless
         • Required for Networks with voice, video and audio
         • Desired by most Broadband service providers
    52. 802.11f: Recommended Practice for Inter Access Point Protocol
       • Draft 2
       • Inter Access Point Protocol (IAPP)
         • Multivendor Infrastructure
         • Improved Roaming
       • Support for 802.11 authentication and privacy, including preauthentication
       • Operation in a reasonably secure fashion
       • Remote configuration, including AP attributes
    53. IEEE 802.11g: Standard for Higher Rate (20+ Mbps) Extensions in the 2.4 GHz Band
       • Still in Draft, but silicon in the works
       • Provides higher data rates @ 2.4 GHz
       • Similar speeds as 802.11a
       • Backward compatible with 11 Mbps (802.11b)
       • Same modulation as 802.11a: OFDM
       • Still has to compete with all other users of 2.4GHz Spectrum
       • Still only 3 non-overlapping channels
       [Diagram: 802.11g 6–54 Mbps alongside 802.11b 1–11 Mbps]
    54. 802.11h: Spectrum Managed 802.11a
       • Still in Draft mode
       • Dynamic Frequency Selection (DFS)
         • Enables transmitter to move to another channel when it encounters other RF on its channel
       • Transmit Power Control (TPC)
         • Provides minimum required transmitter power for EACH user
         • Provides minimal interference to any other users or system
       • ETSI Requirement for 5 GHz
    55. IEEE 802.11i Security
       • Draft currently at version 3.0
       • Fixes to WEP (Software)
       • AES instead of DES Encryption
         • Much more robust and modern encryption
       • TKIP (Temporal Key Integrity Protocol)
         • Eliminates the major weakness of WEP Key
    56. 802.1x / EAP: Port based network access control
       • Falls under 802.1 NOT 802.11
       • Access Control (EAP) an IETF Standard
       • This is a NETWORK standard, not a wireless standard
       • Is PART of the 802.11i draft
       • Provides Network Authentication, NOT encryption
         • But can be used to supply keys
    57. ISM Unlicensed Frequency Bands
       [Diagram: the spectrum from Extremely Low through Very Low, Low, Medium, High, Very High, Ultra High and Super High frequencies to Infrared, Visible Light, Ultraviolet and X-Rays, marking Audio, AM Broadcast, Short Wave Radio, FM Broadcast, Television, Cellular (840MHz), NPCS (1.9GHz) and Infrared wireless LAN]
       • 902-928 MHz
       • 2.4 – 2.4835 GHz: 802.11b (11 Mbps), 802.11g (54 Mbps)
       • 5 GHz: 802.11a (54 Mbps)
    58. 802.11b/g 2.4GHz Channels
       • 14 channels, 22 MHz wide (11 under FCC/ISTC)
       • 3 non-overlapping channels (1, 6, 11)
       • 11 Mbps data rate
       • 3 access points or bridges can be co-located in the same location for a total of 33 Mbps aggregate throughput
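The channel arithmetic behind slide 58 (22 MHz channels, 1/6/11 non-overlapping, 33 Mbps aggregate), as an added example that is not from the presentation; it also extends the check to the ETSI and Japan channel counts from slide 49. The channel centre frequencies (2412 MHz plus 5 MHz per channel, channel 14 at 2484 MHz) are standard values assumed here, not figures taken from the slides.

```python
"""Which 2.4 GHz 802.11b/g channels can be co-located without overlap, using the
slide's figures: 14 channels, 22 MHz wide, 11 Mbps per channel."""

CHANNEL_WIDTH_MHZ = 22   # DSSS channel width quoted on the slide
DATA_RATE_MBPS = 11      # per-channel 802.11b rate quoted on the slide
REGULATORY_CHANNELS = {"FCC": 11, "ETSI": 13, "Japan": 14}  # channel counts from slide 49


def center_freq_mhz(channel: int) -> int:
    """Centre frequency (assumed standard values): 5 MHz spacing from 2412 MHz,
    with channel 14 set apart at 2484 MHz."""
    if not 1 <= channel <= 14:
        raise ValueError("802.11b/g channels run 1..14")
    return 2484 if channel == 14 else 2412 + 5 * (channel - 1)


def overlaps(a: int, b: int) -> bool:
    """Two 22 MHz-wide channels overlap when their centres are closer than 22 MHz."""
    return abs(center_freq_mhz(a) - center_freq_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_set(domain: str) -> list:
    """Largest set of mutually non-overlapping channels allowed in a regulatory domain.
    Channels are intervals of equal width sorted by centre, so taking the lowest
    channel that clears everything already chosen (earliest-finish scheduling) is optimal."""
    chosen = []
    for ch in range(1, REGULATORY_CHANNELS[domain] + 1):
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def aggregate_throughput_mbps(domain: str) -> int:
    """One AP per non-overlapping channel multiplies the raw per-channel rate."""
    return DATA_RATE_MBPS * len(non_overlapping_set(domain))


def channel_plan(domain: str) -> str:
    """Human-readable summary of the co-location plan for a domain."""
    chans = non_overlapping_set(domain)
    centres = ", ".join(f"{c} ({center_freq_mhz(c)} MHz)" for c in chans)
    return f"{domain}: {len(chans)} co-located APs on channels {centres}; " \
           f"aggregate {aggregate_throughput_mbps(domain)} Mbps"


if __name__ == "__main__":
    for d in REGULATORY_CHANNELS:
        print(channel_plan(d))
```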
59. 802.11a 5 GHz Channels
- UNII-1 (5.15–5.25 GHz): 4 channels, up to 40 mW; indoor use, antenna must be fixed to the radio
- UNII-2 (5.25–5.35 GHz): 4 channels, up to 250 mW; indoor/outdoor use, fixed or remote antenna
- 5.470–5.725 GHz: 11 channels (Europe)
- UNII-3 (5.725–5.825 GHz): 4 channels, up to 1 W; outdoor bridging only
- US (FCC): 12 channels (* power limits can use up to a 6 dBi gain antenna)
- Europe: 19 channels, 200 mW and 1 W limits (* assumes no antenna gain)
- * If you use a higher gain antenna, you must reduce the transmit power accordingly
60. 802.11a/b Power and Range
- Under 75 feet radius: 36 Mbps 802.11a / 11 Mbps 802.11b
- Under 130 feet radius: 18 Mbps 802.11a / 11 Mbps 802.11b
- 130–165 feet: 12 Mbps 802.11a / 5.5 Mbps 802.11b
- 165–250 feet radius: 6 Mbps 802.11a / 2 Mbps 802.11b
61. Terminology: Station (STA) Architecture
- Device that contains an IEEE 802.11 conformant MAC and PHY interface to the wireless medium, but does not provide access to a distribution system
- Most often end-stations available in terminals (workstations, laptops etc.)
- Implemented in a wireless IEEE 802.11 PC-Card
(figure: station stack, bottom to top: Radio Hardware; PC-Card Hardware with WMAC controller and Station Firmware (WNIC-STA), 802.11 frame format; Driver Software (STADr), 802.3 frame format; Platform Computer Protocol Stack, Ethernet V2.0 / 802.3 frame format)
62. Terminology: Station Architecture (cont'd)
- Ethernet-like driver interface
  - Supports virtually all protocol stacks
- Frame translation according to IEEE Std 802.1H
  - Maximum data limited to 1500 octets
- Transparent bridging to Ethernet
(figure: same station stack as the previous slide, showing the 802.11, 802.3 and Ethernet V2.0 / 802.3 frame formats at each layer)
63. Terminology: Access-Point (AP) Architecture
- Device that contains an IEEE 802.11 conformant MAC and PHY interface to the wireless medium, and provides access to a distribution system for associated stations
- Most often infrastructure products that connect to wired backbones
- Usually implemented as a stand-alone box connected to an Ethernet backbone
(figure: access point stack: Radio Hardware; PC-Card Hardware with WMAC controller and Access Point Firmware (WNIC-AP), 802.11 frame format; Driver Software (APDr), 802.3 frame format; Bridge Software and Kernel Software (APK), Ethernet V2.0 / 802.3 frame format; Ethernet Bridge Interface Hardware)
64. Terminology: Access-Point (AP) (cont'd)
- Stations select an Access-Point and "associate" with it
- Access-Points:
  - Support roaming
  - Provide time synchronization functions (beaconing)
  - Provide power management support
- Traffic typically flows through the Access-Point
(figure: same access point stack as the previous slide)
65. Terminology: Basic Service Set (BSS)
- A set of stations controlled by a single "Coordination Function"
  - The logical function that determines when a station can transmit or receive
- A BSS can have an Access-Point, known as "infrastructure" mode (both in standalone networks and in building-wide configurations), or can run without an Access-Point (in standalone ad-hoc networks)
- Diameter of the cell is about twice the coverage distance between two wireless stations
66. Basic Service Set (BSS)
(figure: a single BSS)
67. Terminology: Independent Basic Service Set (IBSS)
- A Basic Service Set (BSS) which forms a self-contained network in which no access to a Distribution System is available
- Also known as "Ad-Hoc" mode
- A BSS without an Access-Point
- One of the stations in the IBSS can be configured to "initiate" the network and assume the Coordination Function
- Diameter of the cell is determined by the coverage distance between two wireless stations
68. Independent Basic Service Set (IBSS)
(figure: a single IBSS)
69. Terminology: Extended Service Set (ESS)
- A set of one or more Basic Service Sets interconnected by a Distribution System (DS)
- Traffic always flows via the Access-Point (infrastructure mode)
- Extends coverage by adding access points / roaming
- Diameter of the cell is double the coverage distance between two wireless stations
Distribution System (DS): a system to interconnect a set of Access Points
- Wired: using cable to interconnect the Access-Points
- Wireless: using wireless to interconnect the Access-Points
70. Extended Service Set (ESS)
(figure: BSSs with a wired Distribution System (DS))
71. Extended Service Set (ESS)
(figure: BSSs with a wireless Distribution System (DS))
72. Terminology: Service Set Identifier (SSID)
- "Network name"
- Identifies the wireless network
- Usually exposed and set by the user
- 32 octets long
- Each network (ESS or IBSS) has one SSID
- Most primitive form of access control
73. Terminology: Basic Service Set Identifier (BSSID)
- "Cell identifier"
- Generated automatically
- Not visible to the user
- 6 octets long (MAC address format)
- Each BSS has one BSSID
- Value of the BSSID is the same as the MAC address of the radio in the Access-Point
74. Operational processes: Association
- To establish a relationship with an Access-Point
- Stations scan the frequency band and select the Access-Point with the best communications quality
  - Active scan (send a "Probe request" on specific channels and assess the response)
  - Passive scan (assess communications quality from beacon messages)
- Access-Point maintains a list of associated stations in MAC firmware
  - Records station capability (data rate)
  - To allow inter-BSS relay
- Station's MAC address is also maintained in the bridge learn table, associated with the port it is located on
75. Operational processes: Authentication
- To control access to the infrastructure via an authentication
- Stations identify themselves to other stations (or Access-Points) prior to data traffic or association
- Open System Authentication
  - Uses a null authentication algorithm
  - Default, totally insecure
- Shared Key Authentication
  - Uses the WEP privacy algorithm
- 802.1x / EAP
  - Secure authentication of each user
76. Operational processes: Starting an ESS
- The infrastructure network is identified by its ESSID
- All Access-Points will have been set according to this ESSID
- On power up, stations issue Probe Requests and locate the Access-Point they will associate with:
  - "best" Access-Point with matching ESSID
  - "best" Access-Point if the "desired SSID" has been set to "ANY"
77. Operational processes: Starting an IBSS
- A station configured for IBSS operation will:
  - "Look" for Beacons that contain a network name (SSID) matching the one configured
  - When Beacons with a matching network name are received and were issued by an AP, the station will associate to the AP
  - When Beacons with a matching network name are received and were issued by another station in IBSS mode, the station will join this IBSS
  - When no Beacons with a matching network name are received, the station will issue Beacons itself
- All stations in an IBSS network participate in sending Beacons
  - All stations start a random timer prior to the point in time when the next Beacon is to be sent
  - The first station whose random timer expires sends the next Beacon
78. Security
79. Range of Possible Security Solutions
- No Security: no WEP and broadcast mode (public access)
- Basic Security: Wi-Fi 40-bit / 128-bit static WEP (telecommuter and small business)
- Enhanced Security: dynamic key management system, mutual authentication, 802.1x via EAP (mid-market and enterprise)
- VPN Security: end-to-end security using a VPN (special applications / business traveler)
80. Process Defense - Higher Level
(figure: protection at each layer of the stack between a wireless client and a server: secure protocols such as SSL at the application layer, IPsec at the network (IP) layer, WEP at the 802.11 data-link layer; the router in between buffers and forwards packets based on IP address and sees only the network layer and below)
81. Original 802.11 Security
- Authentication
  - Open System authentication
  - Shared Key authentication
- Data confidentiality
  - Wired Equivalent Privacy (WEP)
  - Designed to be as secure as a wired network
- No encryption key management
82. Poor Encryption with WEP
- Encryption for wireless is required
  - Goal is to eliminate sniffing "over the air" between clients and AP
  - Does not deal with end-to-end encryption
- Two shared keys:
  - A multicast/global key and a unicast session key
- Barely useful for home and corporate LANs
- Uses the RC4 symmetric stream cipher with 40-bit and 104-bit encryption keys
- Bad encryption design: they forgot to consult with cryptographers
- Determination and distribution of WEP keys are not defined by IEEE 802.11
83. "Network Stumbler" shows 802.11 networks
(screenshot from a laptop with a wireless LAN card: the list of detected networks, with the WEP column showing "On" or "No" for each)
84. "AiroPeek" maps out who's talking to whom
(screenshot)
85. Data sniffed off the air from a non-WEP session
(screenshot)
86. AirSnort: Cracks WEP Messages
- Operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered
- Based on "Weaknesses in the Key Scheduling Algorithm of RC4" by Scott Fluhrer, Itsik Mantin and Adi Shamir
- AirSnort, along with WEPCrack, are the first public implementations of this attack
- Once ~5–10 million encrypted packets are gathered, AirSnort can guess the encryption password in under a second
- http://airsnort.sourceforge.net
87. Original Security Issues
- No per-user identification and authentication
- No central authentication, authorization, and accounting
- No support for extended authentication: token cards, certificates, smart cards
- No support for unicast session key management
88. Security Solutions in the Pipe
- No per-user identification and authentication
  - Solution: IEEE 802.1X and EAP
- No central authentication, authorization, and accounting
  - Solution: RADIUS
- No support for extended authentication: token cards, certificates, smart cards
  - Solution: IEEE 802.1X and EAP
- No support for per-session encryption key management
  - Solution: IEEE 802.1X and EAP/TLS
89. Is it hopeless until 802.1x?
- What can I do without completely blowing my budget and redesigning my network?
  - Enable WEP (it's better than nothing...)
  - Disable DHCP
  - Don't buy cheap APs
  - Limit the MAC addresses that can connect to the network
  - Separate the WLAN from the LAN and require a VPN
90. IEEE 802.1x - Definitions
- Port-based network access control
- Used for Ethernet switches
- Adapted for IEEE 802.11
- Enforces authentication before frame exchange with the wired network is allowed
- Uses the Extensible Authentication Protocol (EAP)
- Defines EAP over LAN (EAPOL)
91. EAP – An Overview
- Extension to PPP and Ethernet for arbitrary network access authentication mechanisms
- Authentication plug-in modules at both the wireless client and the authenticating server (RADIUS server)
(figure: wireless client <-- EAP messages --> wireless AP <-- RADIUS messages --> RADIUS server; the EAP conversation runs end to end between client and RADIUS server)
92. EAP Types
- EAP-MD5 CHAP
  - Required EAP type that uses MD5 CHAP
  - NOT appropriate for wireless access
- EAP-TLS
  - For certificate-based security environments (registry-based certificates)
  - Generates high-entropy unicast session keys
  - Appropriate for wireless access
93. RADIUS – An Overview
- Remote Authentication Dial-In User Service (RADIUS)
- RFCs 2865 and 2866
- Centralized authentication, authorization, and accounting (AAA) for:
  - Wireless APs
  - Authenticating Ethernet switches
  - Virtual private network (VPN) servers
  - Digital Subscriber Line (DSL) and other network access servers
94. RADIUS Infrastructure
(figure: access clients connect to access servers (dial-up server, VPN server, wireless AP); the access servers speak the RADIUS protocol to a RADIUS proxy, which forwards to the RADIUS server backed by the user account database)
95. How it works: Authentication process
(figure: three roles across three network zones)
- Supplicant: operates on client devices in the public/semi-public network
- Authenticator: operates at the enterprise/ISP edge on devices such as APs and switches
- Authentication Server: the EAP plug-in goes in the RADIUS server inside the enterprise/ISP network
96. How it works on the WLAN
(figure: same three roles; the AP acts as Authenticator, only 802.1x traffic passes between Supplicant and AP before authentication, and the EAP plug-in goes in the RADIUS server)
97. Steps to EAP authentication
1. EAPOL Start: starts the process
2. Identity Request: the AP asks the client for its ID
3. Identity Response: the client provides its ID; the AP passes the request to the server in an Access Request
4. Access Challenge / EAP Request, then EAP Response / Access Request: perform the sequence defined by the EAP authentication method (EAP-TLS, LEAP)
5. Access Success: the session key goes to the AP
6. EAP Success: the client starts using WEP
7. EAPOW Key: deliver the broadcast key, encrypted with the session key
98. Lessons
- Data encryption by itself offers no protection from attack
- There is no meaningful privacy if the data authenticity problem is not solved
- It is profoundly easy to misuse a cipher
- Get any cryptographic scheme reviewed by professionals
- You must be concerned about security at all layers as well as from end to end
  - 802.1x / EAP is only link layer security
  - Does not solve layer 2 shared medium issues
99. In depth 802.1X / EAP
100. What is Network Access Authentication?
- A mechanism by which access to the network is restricted to authorized entities
- Identities used are typically userIDs
  - NB: each user on a multi-user machine does not need to authenticate once the link is up, so this doesn't guarantee that only the authenticated user is accessing the network
- Once authenticated, the session needs to be authorized
  - Authorization can include things like session keys, VLAN ID, rate limits, filters, tunneling, etc.
- To prevent hijacking, you need per-packet authentication as well
  - Encryption is orthogonal to authentication
  - Per-packet Message Integrity Check (MIC) based on a key derived during the authentication process, linking each packet to the identity claimed in the authentication
  - No MIC support in PPP or WEP!
101. Network Access Control Alternatives
Network access authentication can be implemented at any layer.
- PHY
  - Example: 802.11b WEP
  - Pros: no MAC or TCP/IP changes required (all support in firmware)
  - Cons: requires firmware changes in NICs and NASes to support new auth methods, requires the NAS to understand new auth types, slows delivery of bug fixes (e.g. WEP v1.0), hard to integrate into AAA
- MAC
  - Examples: PPP, 802.1X
  - Pros: no firmware changes required for new auth methods, easier to fix bugs, easy to integrate into AAA, no network access needed prior to authentication, extensible (RFC 2284)
  - Cons: requires MAC layer changes unless implemented in the driver
102. Network Access Control Alternatives (cont'd)
- IP
  - Examples: hotel access (based on ICMP redirect to an access web server)
  - Pros: no client MAC or TCP/IP changes required (for the ICMP redirect method)
  - Cons: doesn't work for all apps, no mutual authentication, partial network access required prior to auth, need to find the access control server if not at the first hop, typically not extensible, may not derive encryption keys, no accounting (no logoff)
- UDP/TCP
  - Examples: proprietary token card protocols
  - Pros: no client MAC or TCP/IP changes required; can be implemented purely at the application layer
  - Cons: requires client software, partial network access required prior to auth, need to find the access control server if not at the first hop, typically not extensible, no accounting (no logoff)
103. Why Do Auth at the Link Layer?
- It's fast, simple, and inexpensive
  - Most popular link layers support it: PPP, IEEE 802
  - Cost matters if you're planning on deploying 1 million ports!
- Client doesn't need network access to authenticate
  - No need to resolve names or obtain an IP address prior to auth
- NAS devices need minimal layer 3 functionality
  - 802.11 access points and 1 Gbps switch ports go for $300, support 802.1D, 802.1X, SNMP and RADIUS, and may have no layer 3 filtering support
  - Authentication and AAA support is typically a firmware upgrade
- In a multi-protocol world, doing auth at the link layer enables authorizing all protocols at the same time
  - Doing it at the network layer would mean adding authentication within IPv4, IPv6, AppleTalk, IPX, SNA, NetBEUI
  - Would also mean authorizing within multiple layers
  - Result: more delay
104. What is IEEE 802.1X?
- The IEEE standard for authenticated and auto-provisioned LANs
  - Ratified June 2001
  - Based on EAP, IETF RFC 2284
- A framework for authentication and key management
  - IEEE 802.1X derives keys which can be used to provide per-packet authentication, integrity and confidentiality
  - Typically used along with well-known key derivation algorithms (e.g. TLS, SRP, etc.)
- IEEE 802.1X does not mandate security services: can do authentication, or authentication and encryption
  - Encryption alone is not recommended (but that's what WEP does)
105. What 802.1X is not
- Not purely a wireless standard: it applies to all IEEE 802 technologies (e.g. Ethernet First Mile applications)
- Not PPP over Ethernet (PPPoE): only supports EAP authentication methods (no PAP or CHAP), packets are not encapsulated
- Not a cipher: not a substitute for WEP, RC4, DES, 3DES, AES, etc.
  - But 802.1X can be used to derive keys for any cipher
- Not a single authentication method
  - But 802.1X can support many authentication methods without changes to the AP or NIC firmware
106. A History of IEEE 802.1X
- The idea started with customers who wanted to control access to a public network
  - Universities, government agencies
- Existing approaches were inadequate
  - Customers wanted something that could be implemented inexpensively, on existing switches
  - Customers wanted to utilize existing network access infrastructure (RADIUS, LDAP, etc.)
  - PPPoE: too much overhead
  - VPN: too many interoperability issues
  - DHCP: designed for addressing and configuration, not access control
- Concept developed by 3Com, HP, Cisco, Microsoft and others
  - Examined alternatives, and settled on a Layer 2 approach
  - A small group wrote the spec and built prototypes
  - Consensus and running code! Not designed by committee!
- IEEE 802.1X PAR approved in January 1999
- Approved as an IEEE standard June 2001
- Specification available at: http://www.drizzle.com/~aboba/IEEE/
  - A great site for info on 802.1x / EAP and wireless in general
107. 802.1X Topologies
(figure: a Supplicant PAE in the semi-public network / enterprise edge talks EAP over Wireless (EAPOW) or EAP over LAN (EAPOL) to the Authenticator / EtherNAS PAE (e.g. an Access Point or Bridge), which talks EAP over RADIUS to the Authentication Server in the enterprise or ISP network; a non-802.1X EtherCPE supplicant is also shown)
108. 802.1X Security Philosophy
- Approach: a flexible security framework
  - Implement the security framework in upper layers
  - Enable plug-in of new authentication and key management methods without changing the NIC or Access Point
  - Leverage main CPU resources for cryptographic calculations
- How it works
  - Security conversation carried out between supplicant and authentication server
  - NIC and Access Point act as pass-through devices
- Advantages
  - Decreases hardware cost and complexity
  - Enables customers to choose their own security solution
  - Can implement the latest, most sophisticated authentication and key management techniques with modest hardware
  - Enables rapid response to security issues
109. What is EAP?
- The Extensible Authentication Protocol (RFC 2284)
- Provides a flexible link layer security framework
  - Simple encapsulation protocol
    - No dependency on IP
    - ACK/NAK, no windowing
    - No fragmentation support
  - Few link layer assumptions
    - Can run over any link layer (PPP, 802, etc.)
    - Does not assume a physically secure link; methods provide security services
    - Assumes no re-ordering
    - Can run over lossy or lossless media; retransmission is the responsibility of the authenticator (not needed for 802.1X or 802.11)
- EAP methods based on IETF standards
  - Transport Level Security (TLS)
  - Secure Remote Password (SRP)
  - GSS_API (including Kerberos)
110. EAP Architecture
(figure: three layers; Method layer: TLS, SRP, AKA, SIM; EAP layer: EAP, reached through EAP APIs; Media layer, reached through NDIS APIs: 802.3 CSMA/CD (Ethernet), 802.5 Token Ring, 802.11 Wireless LAN, PPP)
111. What is RADIUS?
- Remote Access Dial In User Service
- Supports authentication, authorization, and accounting for network access
  - Physical ports (analog, ISDN, IEEE 802)
  - Virtual ports (tunnels, wireless)
- Allows centralized administration and accounting
- IETF status
  - Proposed standard
    - RFC 2865, RADIUS authentication/authorization
    - RFC 2618-2621, RADIUS MIBs
  - Informational
    - RFC 2866, RADIUS accounting
    - RFC 2867-8, RADIUS tunneling support
    - RFC 2869, RADIUS extensions
    - RFC 3162, RADIUS for IPv6
112. IEEE 802.1X Conversation (laptop computer, Ethernet switch, RADIUS server)
Laptop <-- EAPOL --> Switch <-- RADIUS --> RADIUS server
1. Port connect; access blocked
2. Laptop -> Switch: EAPOL-Start
3. Switch -> Laptop: EAP-Request/Identity
4. Laptop -> Switch: EAP-Response/Identity; Switch -> Server: Radius-Access-Request
5. Server -> Switch: Radius-Access-Challenge; Switch -> Laptop: EAP-Request
6. Laptop -> Switch: EAP-Response (credentials); Switch -> Server: Radius-Access-Request
7. Server -> Switch: Radius-Access-Accept; Switch -> Laptop: EAP-Success
8. Access allowed
113. 802.1X On 802.11 (laptop computer, wireless Access Point, RADIUS server)
Laptop <-- 802.11 / EAPOW --> Access Point <-- RADIUS --> RADIUS server
1. Laptop -> AP: 802.11 Associate-Request; AP -> Laptop: 802.11 Associate-Response (association; access blocked)
2. Laptop -> AP: EAPOW-Start
3. AP -> Laptop: EAP-Request/Identity
4. Laptop -> AP: EAP-Response/Identity; AP -> Server: Radius-Access-Request
5. Server -> AP: Radius-Access-Challenge; AP -> Laptop: EAP-Request
6. Laptop -> AP: EAP-Response (credentials); AP -> Server: Radius-Access-Request
7. Server -> AP: Radius-Access-Accept; AP -> Laptop: EAP-Success
8. AP -> Laptop: EAPOW-Key (WEP)
9. Access allowed
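The RADIUS leg of the exchange above, as an added example that is not part of the slides: the AP wraps the supplicant's EAP-Response in an Access-Request (EAP-Message attribute, RFC 2869) and, before acting on the Access-Accept, checks both the RFC 2865 Response Authenticator and the HMAC-MD5 Message-Authenticator that RFC 2869 requires whenever EAP-Message is present. The shared secret, identifier and user name are constructed values; key-delivery attributes (the "session key to AP" step) are left out.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2869
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE = 1, 61
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
EAP_RESPONSE, EAP_SUCCESS, EAP_TYPE_IDENTITY = 2, 3, 1


def eap_packet(code, ident, type_and_data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    return struct.pack("!BBH", code, ident, 4 + len(type_and_data)) + type_and_data


def attr(atype, value):
    """RADIUS attribute: Type(1) Length(1, counts these two bytes too) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data):
    """Walk the attribute area; reject malformed lengths rather than guessing."""
    out = []
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def with_zeroed_message_authenticator(attr_area):
    """Re-serialise the attribute area with Message-Authenticator's value set to 16 zero bytes."""
    return b"".join(attr(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                    for t, v in parse_attrs(attr_area))


def build_packet(code, ident, authenticator, attrs, secret):
    """Assemble a packet whose last attribute is a valid Message-Authenticator (RFC 2869 5.14):
    HMAC-MD5 keyed with the shared secret over the whole packet with the attribute zeroed.
    For responses, `authenticator` must be the Request Authenticator of the matching request."""
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def access_request(ident, secret, username, eap_msg):
    """AP (RADIUS client) relays the supplicant's EAP-Response inside an Access-Request."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = [attr(ATTR_USER_NAME, username),
             attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
             attr(ATTR_EAP_MESSAGE, eap_msg)]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs, secret), req_auth


def access_accept(ident, req_auth, secret, eap_msg):
    """Server side: Message-Authenticator first (computed with the Request Authenticator in the
    header), then Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    pkt = build_packet(ACCESS_ACCEPT, ident, req_auth, [attr(ATTR_EAP_MESSAGE, eap_msg)], secret)
    resp_auth = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def verify_response(pkt, req_auth, secret, expected_ident):
    """AP-side checks that must pass before an Access-Accept is allowed to open the port."""
    if len(pkt) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or ident != expected_ident or length != len(pkt):
        return False
    # 1. Response Authenticator binds the reply to our request and to the shared secret
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(pkt[4:20], expected):
        return False
    # 2. Message-Authenticator is mandatory whenever EAP-Message is carried (RFC 2869 5.14)
    try:
        attrs = parse_attrs(pkt[20:])
    except ValueError:
        return False
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0]) != 16:
        return False
    calc = hmac.new(secret, pkt[:4] + req_auth + with_zeroed_message_authenticator(pkt[20:]),
                    hashlib.md5).digest()
    return hmac.compare_digest(mas[0], calc)


def demo(secret=b"constructed-shared-secret"):
    """Constructed exchange: Identity response in, EAP-Success back; then a tampered copy
    and a reply checked against the wrong secret. Returns the three verification results."""
    ident = 0x2A
    identity = bytes([EAP_TYPE_IDENTITY]) + b"janet@bigco.com"
    req, req_auth = access_request(ident, secret, b"janet@bigco.com",
                                   eap_packet(EAP_RESPONSE, 1, identity))
    acc = access_accept(ident, req_auth, secret, eap_packet(EAP_SUCCESS, 2))
    tampered = acc[:-1] + bytes([acc[-1] ^ 0x01])  # flip one bit of the last attribute byte
    return (verify_response(acc, req_auth, secret, ident),
            verify_response(tampered, req_auth, secret, ident),
            verify_response(acc, req_auth, b"wrong-secret", ident))
```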
114. 802.1X authentication in 802.11
- IEEE 802.1X authentication occurs after 802.11 association or reassociation
  - Association/reassociation serves as "port up" within the 802.1X state machine
  - Prior to authentication, the access point filters all non-802.1X traffic from the client
  - If 802.1X authentication succeeds, the access point removes the filter
- 802.1X messages are sent to the destination MAC address
  - Client and Access Point MAC addresses are known after 802.11 association
  - No need to use the 802.1X multicast MAC address in EAP-Start and EAP-Request/Identity messages
- Prior to 802.1X authentication, the access point only accepts packets with source = Client and Ethertype = EAPOL
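The per-station filter described on this slide, as an added example rather than anything from the slides or a vendor's firmware: an EAPOL/EAP parser and the authenticator's controlled-port state at the AP, which drops everything except EAPOL from the associated client's MAC until the server side returns EAP-Success. Frames are assumed to have already been translated to Ethernet form; the MAC addresses and identity are constructed.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                       # EAP over LAN; "EAPOW" on the wireless slides
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4


def parse_ethernet(frame):
    """Ethernet II header: dst(6) src(6) ethertype(2). The AP has already translated the
    802.11 frame to this form (802.1H, as on the station-architecture slides)."""
    if len(frame) < 14:
        raise ValueError("short frame")
    return frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0], frame[14:]


def parse_eapol(payload):
    """EAPOL header: Version(1) Type(1) Body-Length(2), then the body (an EAP packet for type 0)."""
    if len(payload) < 4:
        raise ValueError("short EAPOL header")
    version, ptype, blen = struct.unpack("!BBH", payload[:4])
    if len(payload) < 4 + blen:
        raise ValueError("truncated EAPOL body")
    return ptype, payload[4:4 + blen]


class ControlledPort:
    """Authenticator-side state for one associated station. Until the server returns
    EAP-Success the port is blocked: only EAPOL frames from the associated client's MAC
    are processed and everything else is dropped."""

    def __init__(self, client_mac):
        self.client_mac = client_mac
        self.authorized = False

    def on_frame_from_station(self, frame):
        """What the AP does with a frame from the radio side: 'drop', 'forward',
        'identity-request' (AP replies with EAP-Request/Identity) or 'relay-to-server'
        (EAP-Response carried to RADIUS in an EAP-Message attribute)."""
        dst, src, ethertype, payload = parse_ethernet(frame)
        if ethertype != ETHERTYPE_EAPOL:
            return "forward" if self.authorized else "drop"
        if src != self.client_mac:
            return "drop"                        # EAPOL must come from the associated STA
        ptype, body = parse_eapol(payload)
        if ptype == EAPOL_START:
            return "identity-request"
        if ptype == EAPOL_LOGOFF:
            self.authorized = False              # supplicant closes its own session
            return "drop"
        if ptype == EAPOL_EAP_PACKET and body and body[0] == EAP_RESPONSE:
            return "relay-to-server"
        return "drop"                            # Requests/Success only come from the server side

    def on_eap_from_server(self, eap_pkt):
        """EAP packet extracted from the RADIUS reply; only EAP-Success opens the port."""
        if eap_pkt[:1] == bytes([EAP_SUCCESS]):
            self.authorized = True
        elif eap_pkt[:1] == bytes([EAP_FAILURE]):
            self.authorized = False
        return self.authorized


def eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def eapol(ptype, body=b""):
    return struct.pack("!BBH", 1, ptype, len(body)) + body


def walk_through():
    """Constructed sequence mirroring the '802.1X on 802.11' slide; returns the AP's decisions."""
    client = bytes.fromhex("02aabbccddee")       # constructed MACs, not real devices
    ap = bytes.fromhex("021122334455")
    other = bytes.fromhex("02deadbeef01")
    port = ControlledPort(client)
    ip_frame = eth(ap, client, 0x0800, b"\x45" + b"\x00" * 19)
    identity_response = struct.pack("!BBH", EAP_RESPONSE, 1, 10) + b"\x01janet"
    decisions = [
        port.on_frame_from_station(ip_frame),                                   # blocked
        port.on_frame_from_station(eth(ap, other, ETHERTYPE_EAPOL, eapol(EAPOL_START))),
        port.on_frame_from_station(eth(ap, client, ETHERTYPE_EAPOL, eapol(EAPOL_START))),
        port.on_frame_from_station(eth(ap, client, ETHERTYPE_EAPOL,
                                       eapol(EAPOL_EAP_PACKET, identity_response))),
    ]
    port.on_eap_from_server(struct.pack("!BBH", EAP_SUCCESS, 2, 4))   # Access-Accept arrived
    decisions.append(port.on_frame_from_station(ip_frame))                      # now forwarded
    return decisions
```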
115. 802.1X and Per-Client Session Keys
- How does 802.1X derive per-station unicast session keys?
  - Can use any EAP method supporting secure dynamic key derivation
    - EAP-TLS (RFC 2716)
    - EAP-SRP
    - EAP-AKA, EAP-SIM (for compatibility with cellular)
    - Security Dynamics
  - Keys are derived on the client and the RADIUS server
  - RADIUS server transmits the key to the access point
    - RADIUS attribute encrypted on a hop-by-hop basis using the shared secret held by RADIUS client and server
  - Unicast keys can be used to encrypt subsequent traffic, including the EAPOW-Key packet (for carrying multicast/global keys)
- Per-station unicast session keys are not required
  - If only multicast/global keys are supported, then the session key is only used to encrypt the multicast/global key
116. 802.1X and Multicast/Global Keys
- How can 802.1X transfer multicast/global keys?
  - An EAPOL packet type is defined for use in transporting multicast/global keys: EAPOW-Key
  - The EAPOW-Key packet type is used to transmit one or more keys from access point to client (or vice versa)
  - EAPOW-Key packets are only sent after EAPOW authentication succeeds
  - EAPOW-Key packets are encrypted using the derived per-STA encryption key
117. Deploying IEEE 802.1X With 802.11
118. Deployment Issues with 802.11
- User-based authentication and accounting
  - 802.11-1997 only allows users to be identified by MAC address
  - How do I know who is on my network?
  - How can I do user-based access control, accounting and auditing?
  - What happens if a machine is stolen?
  - Proprietary key management solutions require separate user databases
- Secure roaming
  - Why can't you just "plug in and connect" anywhere in the world?
- Key management
  - 802.11-1997 supports per-user keys, but most implementations only support global keys
  - What if the global key(s) are compromised?
  - Static keys are difficult to manage on clients and access points
119. WEP Summary of Attacks
- Downloadable procedures
  - To crack the key:
    - http://airsnort.sourceforge.net/
    - http://sourceforge.net/projects/wepcrack/
  - To brute force entry into a WLAN, select THC-RUT from
    - http://www.thehackerschoice.com/releases.php
- Attacks based on [Walker], [Arbaugh], [Berkeley team], [Fluhrer/Shamir]
  - Lack of IV replay protection
  - Short IV sequence space
  - RC4 vulnerabilities due to WEP's implementation
  - Linear properties of CRC32 (allows bit flipping)
  - Lack of keyed MIC
  - Use of shared keys
120. Quest to Improve WEP
- How can we improve WEP security and
  - Retain (most) performance
    - Enhance without greatly reducing line rates
  - Easily upgrade deployed systems
    - Avoid hardware upgrades
  - Retain interoperability
    - Allow most deployed systems to upgrade
    - Allow for incremental deployment
    - Allow legacy systems to continue to work without improvements
  - Provide better protection until AES is available
121. Improving WEP's Security
- Recommended practice includes
  - Per-link keys
    - Unique key per STA
  - IV sequencing
    - Check for monotonically increasing IVs
  - Weak IV avoidance
  - 104-bit keys
    - IV + key = 128 bits
  - Rapid rekey
    - Derive WEP keys from a master key
    - Change the encryption key frequently
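The IV-related items of the recommended practice above, as an added example (not from the slides or from any vendor's implementation): a transmitter-side IV counter that skips the Fluhrer/Mantin/Shamir weak IV class and refuses to wrap the 24-bit space, a receiver-side monotonic IV check per sender and key ID, and a per-link key derived from a master key for rapid rekey. The little-endian IV byte order and HMAC-SHA256 as the key derivation function are assumptions; the WEP frame bodies are constructed.

```python
import hashlib
import hmac

IV_SPACE = 1 << 24                     # WEP IV is 24 bits: a tiny sequence space


def is_fms_weak_iv(iv, key_len=13):
    """Weak IV class from Fluhrer/Mantin/Shamir that transmitters are told to skip:
    first IV byte = A + 3 for some key byte index A, second byte = 0xFF.
    key_len is 5 for 40-bit keys and 13 for 104-bit keys."""
    return 3 <= iv[0] < 3 + key_len and iv[1] == 0xFF


def iv_bytes(n):
    """Assumption: the IV counter is transmitted low byte first (byte 0 feeds RC4 key byte 0)."""
    return n.to_bytes(3, "little")


class RekeyRequired(Exception):
    """Raised when the 24-bit IV space is about to wrap: a fresh WEP key is needed."""


def next_iv(counter, key_len=13):
    """Transmitter: advance the IV, skipping FMS-weak values; never reuse an IV under one key."""
    n = counter + 1
    while n < IV_SPACE and is_fms_weak_iv(iv_bytes(n), key_len):
        n += 1
    if n >= IV_SPACE:
        raise RekeyRequired("IV space exhausted; rekey before sending more frames")
    return n


class WepReceiverState:
    """Receiver: IV sequencing check per (sender, key id), plus weak-IV reporting."""

    def __init__(self):
        self.last_iv = {}

    def check(self, sender, wep_body):
        """wep_body is the encrypted MPDU body: IV(3) KeyID byte(1, key id in the top 2 bits)
        followed by ciphertext and ICV. Returns 'ok', 'replay' or 'weak-iv'."""
        iv, key_id = wep_body[:3], wep_body[3] >> 6
        n = int.from_bytes(iv, "little")
        last = self.last_iv.get((sender, key_id))
        if last is not None and n <= last:
            return "replay"                  # IVs must be monotonically increasing
        self.last_iv[(sender, key_id)] = n
        return "weak-iv" if is_fms_weak_iv(iv) else "ok"


def derive_link_key(master_key, sta_mac, epoch, key_len=13):
    """Per-link, per-epoch WEP key from a master key (rapid rekey). Assumption: HMAC-SHA256
    as the PRF; the slides only say that WEP keys are derived from a master key."""
    label = b"wep-link-key" + sta_mac + epoch.to_bytes(4, "big")
    return hmac.new(master_key, label, hashlib.sha256).digest()[:key_len]
```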
122. 802.1X Authentication
- 802.1X users are identified by usernames, not MAC addresses
  - Enables user-based authentication, authorization, accounting
- For use with 802.1X, EAP methods supporting mutual authentication are recommended
  - Need to mutually authenticate to guarantee the key is transferred to the right entity
  - Prevents man-in-the-middle and rogue server attacks
- Common EAP methods support mutual authentication
  - TLS: server and client must supply a certificate and prove possession of the private key
  - SRP: permits mutual authentication via a weak shared secret without risk of dictionary attack on the wire
  - Tunneled TLS: enables any EAP method to run, protected by TLS
123. Advantages of IEEE 802.1X
- Open standards based
  - Leverages existing standards: EAP (RFC 2284), RADIUS (RFC 2865, 2866, 2867, 2868, 2869)
  - Enables interoperable user identification, centralized authentication, key management
  - Enables automated provisioning of LAN connectivity
- User-based identification
  - Identification based on the Network Access Identifier (RFC 2486) enables support for roaming access in public spaces (RFC 2607)
  - Enables a new class of wireless Internet access
- Dynamic key management
  - Improved security for wireless (802.11) installations
124. WEPv1.0 with 802.1X
- Improved key derivation
  - Per-user unicast keys instead of a global unicast key
  - Unicast key may be changed periodically to avoid staleness
  - Support for standards-based key derivation techniques
    - Examples: TLS, SRP
    - Kerberos V without PKINIT not recommended for use with 802.11
- Additional fixes still under discussion
  - Authentication for reassociate, disassociate
- WEP deficiencies still present
  - No keyed MIC
  - Improper usage of the RC4 stream cipher
  - No IV replay protection
- Long term solution: need a "real" cipher!
  - AES proposals under discussion
  - AES-OCB versus AES-CTR mode and CBC-MAC with XCBC extensions
125. 802.1X Implementations
- Implementations available now
  - IEEE 802.1X support included in Windows XP
  - Firmware upgrades available from AP and NIC vendors
  - Interoperability testing underway
- 802.1X OS support
  - Microsoft: Windows XP
  - Cisco: Windows 9x, NT4, 2000, Mac OS, Linux
- RADIUS servers supporting EAP
  - Microsoft Windows 2000 Server
  - Cisco ACS
  - Funk RADIUS
  - Interlink Networks (formerly MERIT) RADIUS server
126. Vendors Supporting 802.1X
- Microsoft, AirWave, Compaq, Dell, IBM, Intel, HP, Symbol, Toshiba, Telson, Wayport
  - http://www.microsoft.com/presspass/press/2001/Mar01/03-26XPWirelessPR.asp
- 3Com
  - http://emea.3com.com/news/news01/mar26.html
- Agere
  - http://www.networkmagazine.com/article/COM20010629S0009
  - http://www.lucent.com/micro/NEWS/PRESS2001/080801a.html
- Enterasys
  - http://www.dialelectronics.com.au/articles/c4/0c0023c4.asp
  - http://www.computingsa.co.za/2001/03/26/News/new07.htm
- Intersil
  - http://www.intersil.com/pressroom/20010403_802_1xWindows_XPFINAL_English.asp
- Cisco
  - Catalyst switches: http://www.redcorp.com/products/09084608.asp
  - 802.11 access points: http://www.security-informer.com/english/crd_security_495312.html and http://cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1281_pp.pdf
    127. 802.1X Applications
    128. The Role of RADIUS
        • RADIUS is the key to enabling 802.1X applications
        • RADIUS enables per-user compulsory tunneling assignment
            - More flexible than static or realm-based tunneling
            - What if janet@bigco.com is to be given Internet access, but fred@bigco.com should be tunneled to the marketing tunnel server?
        • RADIUS enables per-user VLAN assignment
            - More flexible than static per-port or MAC-based VLAN assignment
        • RADIUS enables accounting and auditing
            - Both switch/AP and tunnel server can use RADIUS
            - Allows enterprise to audit usage, do alarming
            - BIGCO can match accounting records from tunnel server with accounting records from ISP for auditing purposes
        • RADIUS enables use of a single userID/password pair
            - Both bridge/access point and tunnel server can authenticate against the same database
                · RADIUS server backend
                · LDAP backend
    129. Why Are Shared Use APs Important?
        • Multiple providers are becoming the norm within airports
            - Airlines are installing 802.11 networks for use in baggage reconciliation and roving ticket counters
            - Multiple wireless ISPs often also want to serve airport customers
        • Radio interference is an issue
            - In the US and Europe 802.11b networks can support only 3 non-overlapping channels
            - In France and Japan only one channel is available
            - Once the channels are utilized by existing APs, additional APs will interfere and reduce performance
        • 802.11 deployment in public spaces is expensive
            - In this economic environment, raising capital is difficult
            - The cost of providing wireless access is inversely proportional to infrastructure utilization
            - More economical to build infrastructure and share it among multiple providers than to build overlapping infrastructure
    130. What Features Are Needed for Shared Use APs?
        • Support for multiple SSIDs in a single AP
            - Multiple SSIDs in Beacon, Probe Response not prohibited by 802.11-1997
            - Only single SSID needed in Association and Reassociation Request
        • IEEE 802.1X
            - Users identified by userid rather than MAC address
        • Network Access Identifier (NAI) support
            - Described in RFC 2486
            - Format is user@domain, where domain identifies the home server
        • SNMPv3 support
            - Contexts used to support multiple virtual MIB instances
        • RADIUS authentication and accounting
            - SSID included in Called-Station-Id attribute
        • RADIUS proxies
            - RADIUS-based roaming described in RFC 2607
            - RADIUS authentication and accounting packets routed between AP and Home Server by RADIUS proxies
    131. Shared Use APs
        [Diagram: a shared-use 802.11 AP advertising SSIDA, SSIDB and SSIDC; RADIUS traffic from the AP goes to an AP-side RADIUS proxy and across the Internet to ISP A's RADIUS proxy and to the customer RADIUS server at BIGCO]
        • AP advertises multiple SSIDs in Beacon, Probe Response
        • Multiple ISPs share the same AP
        • STA associates with a single AP, SSID
        • User authentication request routed to home server (remote user fred@bigco.com)
    132. What Is Wireless Roaming?
        • Definition
            - The ability to use many wireless Internet Service Providers while maintaining a business relationship with only one
        • Requirements
            - 802.1X-enabled client with 802.11 wireless card
            - Roaming-capable authentication proxy and server
        • Roaming standards developed in IETF ROAMOPS WG
            - RFC 2194, Roaming Implementations Review
            - RFC 2477, Roaming Evaluation Criteria
            - RFC 2486, Network Access Identifier
            - RFC 2607, Proxies and Policy Implementation
    133. Wireless Global Roaming via IEEE 802.11 and 802.1X
        [Diagram: a corporate RADIUS server giving global access to 802.11 wireless connectivity at 802.11- and 802.1X-enabled airports, hotels and malls]
        • Simple, automatic detection of 802.11 connectivity
        • Global login with corporate or ISP userIDs
    134. Bilateral Roaming Support
        [Diagram: ISP A (RADIUS Proxy, IAS Proxy) and ISP B (RADIUS Proxy, IAS Proxy) connected through clouds to Bigco (RADIUS Server, IAS, NT DC, PPTP Server); roaming client fred@bigco.com]
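Slides 128, 130, 131, 132 and 134 describe two RADIUS decisions that together make shared-use APs and roaming work: the proxy next to the AP picks a home server from the realm of the NAI (RFC 2486, RFC 2607) and checks it against the SSID carried in Called-Station-Id, and the home server returns per-user attributes so that janet@bigco.com gets plain Internet access while fred@bigco.com is tunneled to the marketing PPTP server. The following Python is an added example of that logic, not code from the presentation or from any vendor's product; the attribute names and numeric values are the RFC 2868 tunnel and RFC 3580 VLAN attributes, while every host name, realm, SSID, roaming agreement and user policy is a constructed placeholder.

```python
"""Attribute-level RADIUS decisions for a shared-use 802.1X AP (added, constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed tables: every host name, realm and SSID is a placeholder, not a real deployment.
HOME_SERVERS = {                        # realm -> home RADIUS server (RFC 2607 proxy routing)
    "bigco.com": "radius.bigco.example",
    "ispa.net": "radius.ispa.example",
    "ispb.net": "radius.ispb.example",
}
SSID_PROVIDERS = {                      # SSID advertised by the shared AP -> realms admitted on it
    "SSIDA": {"ispa.net", "bigco.com"},  # ISP A has a bilateral roaming agreement with BIGCO
    "SSIDB": {"ispb.net"},
}
# Access-Accept attributes from RFC 2868 (compulsory tunnels) and RFC 3580 (VLAN assignment)
TUNNEL_TYPE_PPTP, TUNNEL_TYPE_VLAN = 1, 13
MEDIUM_IPV4, MEDIUM_802 = 1, 6
USER_POLICY = {                         # (realm, user) -> attributes the home server returns
    ("bigco.com", "janet"): {"Tunnel-Type": TUNNEL_TYPE_VLAN, "Tunnel-Medium-Type": MEDIUM_802,
                             "Tunnel-Private-Group-ID": "20"},           # plain Internet VLAN
    ("bigco.com", "fred"): {"Tunnel-Type": TUNNEL_TYPE_PPTP, "Tunnel-Medium-Type": MEDIUM_IPV4,
                            "Tunnel-Server-Endpoint": "vpn-marketing.bigco.example"},
}


def parse_nai(nai: str) -> tuple[str, str]:
    """Split an RFC 2486 NAI 'user@realm' into (user, realm); the realm is case-insensitive."""
    if nai.count("@") != 1:
        raise ValueError("NAI must contain exactly one '@'")
    user, realm = nai.split("@")
    if not user or not realm:
        raise ValueError("NAI has an empty user or realm")
    return user, realm.lower()


def parse_called_station_id(value: str) -> tuple[str, str]:
    """Called-Station-Id for 802.11 carries 'AP-MAC:SSID'; the MAC uses '-' so ':' is unambiguous."""
    mac, sep, ssid = value.partition(":")
    if not sep or not ssid:
        raise ValueError("Called-Station-Id carries no SSID")
    return mac.upper(), ssid


@dataclass
class Decision:
    action: str                          # "proxy" or "reject"
    home_server: Optional[str] = None
    realm: Optional[str] = None
    ssid: Optional[str] = None
    reason: str = ""


def route_access_request(user_name: str, called_station_id: str) -> Decision:
    """The proxy beside the shared AP: forward to the realm's home server, but only
    when the provider running that SSID actually admits the realm (its own users or
    a roaming partner's); anything malformed or unknown is rejected locally."""
    try:
        _user, realm = parse_nai(user_name)
        _mac, ssid = parse_called_station_id(called_station_id)
    except ValueError as exc:
        return Decision("reject", reason=str(exc))
    if realm not in SSID_PROVIDERS.get(ssid, set()):
        return Decision("reject", realm=realm, ssid=ssid, reason="realm not served on this SSID")
    home = HOME_SERVERS.get(realm)
    if home is None:
        return Decision("reject", realm=realm, ssid=ssid, reason="no home server for realm")
    return Decision("proxy", home_server=home, realm=realm, ssid=ssid)


def home_server_authorize(user_name: str) -> tuple[str, dict]:
    """BIGCO's home server after the EAP method succeeds: per-user VLAN or tunnel
    attributes, independent of which AP, port or MAC address the user came in on."""
    user, realm = parse_nai(user_name)
    attrs = USER_POLICY.get((realm, user))
    if attrs is None:
        return "Access-Reject", {}
    return "Access-Accept", dict(attrs)


if __name__ == "__main__":
    for nai, csid in (("fred@bigco.com", "00-10-A4-23-19-C0:SSIDA"),
                      ("fred@bigco.com", "00-10-A4-23-19-C0:SSIDB"),
                      ("fred", "00-10-A4-23-19-C0:SSIDA")):
        print(nai, csid, "->", route_access_request(nai, csid))
    for nai in ("janet@bigco.com", "fred@bigco.com", "nobody@bigco.com"):
        print(nai, "->", home_server_authorize(nai))
```

Only the decisions are shown, not the RADIUS wire format; in a real proxy the same Called-Station-Id and User-Name also travel in the Accounting-Request, which is what lets BIGCO match the ISP's accounting records against its own tunnel server's records as slide 128 suggests.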