802.11: ethernet marches on
DESCRIPTION
In-depth description and analysis of wireless LAN 802.11 technology and its impact on networking, given at Glocom in Japan, August 2002. Interesting to look back and see which predictions were right on and which were not so...
TRANSCRIPT
8/29/02 Copyright 2002 Robert J. Berger 1
802.11: Ethernet Marches On
Robert J. Berger
Internet Bandwidth Development, LLC
The Internet Revolution Has Only Just Begun
• Businesses continue to be transformed
• People continue to adapt it to be part of their lives
• It continues to worm its way into the fabric of everyday life
• It's just not the darling of Wall Street and VCs anymore
• It is the foundation of a lot of our future
By The End of this Decade
• Almost everything will be connected to the Internet
  • Appliances, automobiles, personal communicators, screens (large and small), refrigerators, stereos, washing machines, copiers, traffic lights, even your watch.
• 3 billion Internet-capable wireless devices
• The Internet will be:
  • Telephone, answering machine, television, radio, movie theatre, clock, store, cell phone, pager, post office, mailbox, library, security system, gaming platform, musical instrument, learning center, storage medium, and much, much more!
• 802.11 will extend Ethernet/Internet to almost everywhere
• Allows everyone and everything to connect to each other
• Moore's, Gilder's and Metcalfe's "Laws" deliver information abundance
In a decade we will have:
• Huge storage
  • 1 TB disks will be mass market (<$200)
• Very fast wired networking
  • 100 Gb Ethernet will be mass market (< $100)
• Ubiquitous wireless networking
  • 3 billion units worldwide!
  • 1 Gb wireless LANs: a viable replacement for wired NICs
  • 10 Mbps wireless WANs
• More powerful personal computers
  • 10+ GHz processors (and/or computer arrays)
  • 4x resolution (2K x 2K) displays competitive with paper
  • Large, wall-sized and watch-sized displays
• A new generation of personal communicators
  • PDAs, PIMs, cell phones, watches, etc.
• Invisible computing
  • Networked appliances (washing machines, microwaves, etc.)
• The biggest problem will be software and interfaces with humans
By the End of the Decade, 802.11 will be….
• A viable desktop NIC replacement
• Ubiquitous
  • In 1994, there were less than 3K PPP dialup ports in the US… today there are millions
• Wireless ISPs will happen
• Community nets will happen
• Mesh networking will extend coverage dramatically
• Dual 802.11/WAN NICs will be commonplace
• Additional physical interfaces will be introduced
  • Take advantage of new RF tech like Ultrawide Band
  • Faster speeds
  • Longer distances / better penetration
Simultaneous Trends by end of Decade
• Bigger, faster: 200 million units/year (laptop, desktop, server)
  • 10 GHz processor, 100 GbE, 1+ TB magnetic disk
• Smaller, cheaper: 500 million units/year (PDA / cell phone / sub-laptop)
  • 1 GHz processor, 1 Gbps wireless LAN, 10 Mbps wireless WAN, 1 GB flash disk
"X-Internet" Beyond the PC (Forrester Research, May 2001)
[Chart: Today's Internet: 93 million Internet computers, 407 million Internet users. X-Internet: 663 million automobiles, 1.5 billion telephones, 30 billion electronic chips.]
"X-Internet" Beyond the PC (Forrester Research, May 2001)
[Chart: millions of connected devices per year, 2001 through 2010 (y-axis 0 to 15,000 millions), X-Internet versus PC Internet.]
Implications
• Distributed, "Grid" computing will be the norm
  • Your "PC", PDA, etc. will be a window into a media/communication/compute cloud
  • Data and processing "locationless"
• IP and Ethernet will be the mainstream technology for SAN, MAN, WAN and LAN
  • Fiber the primary PHY for 10 GbE
  • Goodbye Fiber Channel and SONET!
  • 802.11 with various PHYs for 1 - 100 Mbps
  • Goodbye HomeRF and Bluetooth!
• Managing vast storage will be challenging
  • P2P Grid distributed storage
  • Authentication, privacy big issues
There is one thing in the way
• The "Last Mile" Bottleneck
Huge Capacity at Core & Edge, Nothing in between
• High capacity long haul fiber is mostly there
  • Huge buildouts between cities
  • Easy to add capacity to this now existing dark fiber / conduit
• Bandwidth for buildings & campus at edge
  • Ethernet ultra fast and ultra cheap: 100 Mbps, 1 Gbps, 10 Gbps wire/fiber; 11 Mbps, 54 Mbps wireless
• Almost nothing inexpensive to connect them
  • Dialup 56 kbps
  • Limited DSL / cable modem 128 kbps - 6 Mbps
It's a "Layer 8 & 9" Problem
• Layer 8: Economics
  • The cost to build "the last mile" is huge
  • There is a lot of it
  • Rights of way, trenching, etc.
  • Estimated to cost US$50B - US$150B (about what AT&T paid for TCI)
• Layer 9: Politics
  • Incumbent phone & cable company
  • Internet bust reinforced their monopoly
  • They have over 100 years of lobbying experience
  • They have actively and passively maintained a choke hold on the last mile and keep it a bottleneck
[Diagram: the OSI stack (Physical, Data Link, Network, Transport, Session, Presentation, Application) with two extra layers on top, Economics and Politics; 802.11 sits at Data Link, IP at Network, TCP/UDP at Transport.]
Wireless can help break the Last Mile Bottleneck
• Wireless builds can be much less capital intensive
• Minimal rights of way (rooftops)
• Can be rolled out sparsely and then filled in
• Build where there is immediate demand
802.11 Will be a major factor
• It's Wireless Ethernet
• Wire/fiber Ethernet metamorphosed from a "toy" technology to covering LANs, MANs and WANs from 10 Mbps to 10 Gbps
• 802.11 is doing / will do the same
• It's a standard that is comfortable & can support new physical (PHY) layers
• Not the optimal solution, but the most flexible, cost effective and rapidly evolving one
Public Access Hotspots to Hotzones with 802.11++
[Diagram: independent hotspots each connected by DSL to a central office, contrasted with a hotzone of 2 square miles with all-wireless connectivity to a metro POP.]
Public Wireless Ethernet Deployment
• Use Moore's Law to "route around" laws of physics
• Key problems solved: expanded network capacity, reduced deployment cost, avoid interference
[Diagram: public wireless Ethernet deployment connected to the data network.]
Can incrementally grow
[Diagram: sparsely deployed 802.11++ APs; a backhaul site, a standalone 802.11++ AP and a backhaul 802.11++ AP joined by a point-to-point link.]
Can mix Fixed & Public Access
• Wireless p-to-p, p-to-mp to the neighborhood
• And/or fiber to the neighborhood
• 802.11++ for the last few thousand feet
[Diagram: fiber feeds into the neighborhood; 802.11++ serves businesses, homes and public access.]
Who is going to build it?
Who will be the players in the Public 802.11 opportunity?
• Wireless ISPs
• Fixed ISPs
• Free access providers
• Fixed operators
• Mobile operators
• Real estate owners
• Community networks
• Backbone operators
• Manufacturers
Ubiquity and reliability are the key factors for public WLAN access
What end users demand, from most important to least important:
• Consumer users: cost, wide availability, seamless connection, reliability, security, single billing relationship, data transfer speed
• Business users: wide availability, reliability, security, VPN access, seamless connection, single billing relationship, data transfer speed, cost
Community Networks
• Cheap hardware
  • Base stations (were $1000's, now $135)
  • Card now $50
• Free software
  • Linux, NoCat authentication
• Organized in most major cities
  • SFNet, SeattleWireless, Guerrilla.net, NYC Wireless
• Great for education, probably won't scale
Wireless ISPs (WISPs)?
• There are over 1000 in the US
• Mostly small and undercapitalized
• Successful in less developed areas
  • Only broadband outside of major metros
  • Main Internet service in some developing countries
• Limited growth due to limited capital
Several independent 802.11 providers have appeared (and disappeared)
• Wayport focuses on hotels and airports
• Telerama is an ISP based in Pittsburgh
• Community networks (e.g. NYCwireless, SeattleWireless, Elektrosmog) offer free access
• MobileStar went bankrupt, assets picked up by T-Mobile
• Wifi Metro / HereUare closed down
Business case is risky for these independent providers
• WISPs are still small and fragmented:
  • difficult to establish a long-term relation with users
  • they cannot provide the breadth of coverage
  • high investment is required to build a brand
  • there is strong pressure to consolidate before any start-up
• Free access is becoming increasingly common, but it will remain limited to specific types of location and use
• Community networks encourage use, but are not in direct competition with other service providers
To succeed, WISPs need to face several challenges
• Availability
• Roaming
• Billing and pricing
• Security
• Consolidation pressure
• Branding
• Customer service
• Spectrum overcrowding
• Real estate owners
• Technology change
Mobile Operators?
• Conceptually they are well poised
• Culturally they will need to go through major transformation
• 802.11 can be seen to be both competitive and complementary
• Operators have been fixated on 3G as THE way for mobile data
Threat to 3G Mobile Operators?
• Wi-Fi
  • Have it today
  • It's faster
  • It's decentralized
  • It doesn't require new spectrum
  • It's CHEAP
3G is Expensive
• Voice operators are in debt: $180 billion in the last 15 months for new spectrum
• Last year AT&T Wireless spent 5 billion to upgrade their network from 9.6 Kbps (desktop speeds 20 years ago) to 56 Kbps (desktop speeds 10 years ago)
• Will spend 5 billion more this year
Source: Strategic News Services
3G is years away and slower
• By 2004, US carrier networks will support speeds of 384 Kbps, and 2 Mbps a year later
• But FCC says this is only for stationary use
  • Speed drops 80% when walking and 95% when driving
• To get 2 Mbps or higher speeds businesses will have to individually negotiate and lease equipment from cell telcos
• Wi-Fi supports 11 Mbps today and 54 Mbps soon
Source: NY Times 2/14/02, www.fcc.gov/3G
Cheaper to Install
• UMTS station
  • Airport cell stations cost $50,000 for hardware and connections
  • Does not include spectrum licenses
• Wi-Fi base station
  • Coverage is more limited (300 ft)
  • But: cost is closer to $1,000, no spectrum licensing fees
Source: Seattle Times
Wi-Fi can do more than just data
• Location based services
  • Tenaid technologies
• Mobile payment
• Voice
  • Voice over IP, peer-to-peer or through PBX
  • Multiple band IP/GPRS/etc. phones
Public 802.11 delivers high-speed data access ahead of 3G
Source: Public Wireless LAN Access: A Threat to Mobile Operators, Analysys Research, 2001
[Chart: transmission rate (kbit/s, logarithmic scale from 50 to 100 000) against mobility (stationary, walking speed, driving speed), placing 802.11b/WiFi, 802.11a and HiperLAN2, fixed LAN, HomeRF, Bluetooth, Blackberry (US), UMTS, GPRS and GSM.]
…but it will be complementary to cellular networks
802.11 public access:
• 11 Mbit/s wireless connection
• fixed LAN substitute
• VPN, intranet, streaming possible
• Concentrated in hotspots / hotzones
• Multiple providers
• Limited to PCs and PDAs (so far)
Cellular access:
• 9.6 kbit/s – 500 Mbit/s transfer speed
• email, IM, information retrieval dominate
• Easier to create wider coverage
• Single billing relationship, roaming allowed
• Higher per-Mbyte charges
• Limited to mostly phones / PDAs
Cellular Operators: Potential Candidate to Build Network
[Diagram: a cellular base station serving a cellular user and 802.11 mesh base stations (802.11a backhaul) serving an 802.11 user, both tied through the mobile switching center and subscriber directory to the IP network and to other networks (GSM, PSTN, ISDN, etc.).]
• Can leverage cell towers, CLEC status, customer base, billing systems, RF knowledge
• Complements 2.5G/3G (could save their a**)
• Will be a stretch
  • Need to think different
  • Currently paralyzed with fear
802.11 / VoIP & 2.5G/3G Cell
• Integrated 802.11 / cell phone in the works
• PBX adjunct solution: adds wireless handsets to existing PBX
• Single SIP identity can seamlessly follow a user between 802.11 handset and "cell phone"
• Laptops & PDAs could roam from hotspots to cellular data when outside of hotspot
Considerations for Mobile Operators
Advantages:
• WLANs will bring in additional revenues
• The billing relationship with customers can be exploited
• GPRS and 3G do not yet offer high bandwidth for data access
• 802.11 base stations are cheap to install
• WLAN may address a segment of demand that could otherwise be captured by WISP competitors
• The complexity of the service escapes most of the emerging WISP providers
Challenges:
• Need to negotiate rental contracts with local real estate owners
• WLAN data revenues will cannibalize, to some extent, GPRS/UMTS revenues
• New pricing schemes may be necessary to spur demand
• Initial investment required
• Value chain not yet understood
• Need to establish roaming agreements
• Bellhead mentality
  • ATM vs Ethernet, packet vs circuit, price / byte / time vs. bandwidth
Who will win?
• It is still too early to tell, but regional differences have emerged
• Mobile operators have an advantage, but they need to move fast and it's counter to their culture
• Independent WISPs have a clear focus and can move quickly, but are vastly undercapitalized
• Roaming and wide availability are key to success
Geography will have a strong impact on public WLAN access
Europe and Asia:
• Higher density of population
• Higher cellular penetration
• Market dominated by mobile operators
• Bigger reliance on public transportation, smaller homes
• Consumer-oriented wireless data market
• Result: higher density of hotspots; WLAN access as an extension of cellular data access
US:
• Higher penetration of laptop computers and PDAs
• Higher Internet penetration
• Higher 802.11 penetration
• Airports and hotels as major hotspot locations
• More advanced wireless data applications for business users
• Result: larger demand for wireless data applications from business users; WLAN access as a substitute for fixed LAN access
In Europe, mobile operators have been leading the way
• Telia HomeRun
• Sonera
• Telenor
• Telefónica Moviles/Iobox
• BTopenworld
In Asia, independent providers have started to appear
• MIS in Japan and Korea
• Several mobile operators have started trials or operations (NTT East/West, Japan Telecom, Far EasTone)
• Free access is available at several airports and other hotspot locations
Regional differences are bound to remain
• Mobile operators will have a larger role in Asia and Europe
• Independent providers with roaming agreements will survive in the US
• Billing traditions in Europe and Asia will result in a higher emphasis on metered access
• Billing traditions in the US will lead to a predominance of flat-fee pricing
802.11 Needs to Evolve for Public & Fixed Access
• Wireless bridging or meshing between access points
  • Allow for cost effective hotzones
  • 802.11 spec mentions but does not yet specify
  • Currently only limited proprietary implementations
  • 802.11a offers enough bandwidth to share
• 802.11h extended to allow sophisticated power management
  • APs should use only enough power to reach adjacent nodes, minimize overlaps
• New physical layers
  • Like Ethernet, different PHYs for speed / density
  • Other spectrum (700 MHz, 24 GHz, 60 GHz, Ultrawide Band)
802.11 Basics
802.11 and the OSI reference model
[Diagram: OSI Layer 1 (PHY): 802.11 Frequency Hopping, 802.11 IrDA, 802.11b Direct Sequence Spread Spectrum, 802.11a OFDM at 5 GHz, 802.11g OFDM at 2.4 GHz, and future? UWB, 24 GHz, 60 GHz. OSI Layer 2 (MAC): IEEE 802.11 Media Access Control (MAC) below IEEE 802.2 Logical Link Control (LLC). OSI Layer 3 (Network): IETF Internet Protocol (IP).]
IEEE 802.11 Standards
• 802.11a - 5 GHz - ratified in 1999
• 802.11b - 11 Mbps, 2.4 GHz, ratified in 1999
• 802.11d - World Mode and additional regulatory domains - ratified
• 802.11e - Quality of Service
• 802.11f - Inter-Access Point Protocol (IAPP)
• 802.11g - Higher data rate (>20 Mbps) 2.4 GHz
• 802.11h - Dynamic Frequency Selection and Transmit Power Control mechanisms
• 802.11i - Authentication and security
Original 802.11
• Original 802.11, circa 1999
• Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) with ACK
• FHSS, DSSS, IR
• 1 & 2 Mbps
• Wired Equivalent Privacy (WEP)
• SNMP v2 for remote management
802.11a
• Ratified as standard in Sept, 1999
• First products available in 2002
• Utilizes U-NII and ISM spectrum in the 5.25 - 5.85 GHz range (country specific)
• Data rates to 54 Mbps defined
  • 6, 9, 12, 18, 24, 36, 48, 54 Mbps
  • 4 indoor only, 4 indoor/outdoor, 4 outdoor only (country specific)
• Regulations differ extensively across countries
802.11b
• Ratified as standard in Sept, 1999
• Emerged as product way before 802.11a
• 2.4 GHz, Direct Sequence
• 1, 2, 5.5 & 11 Mbps
• Complementary Code Keying (CCK)
• 11 US channels, 13 ETSI channels, 14 Japan channels
• Power levels: 36 dBm EIRP (FCC), 20 dBm EIRP (ETSI)
• ISM - virtually approved world wide
802.11d: Extensions to Operate in Additional Regulatory Domains
• 802.11c (bridge operation) was subsumed into 802.11d
• Ratified in June, 2001
• Defines frequency and power limitation for different regulatory domains: 'World Mode'
  • APs set to appropriate regulatory domain
  • Clients, upon association to AP, inherit the power and frequency requirements of the regulatory domain
  • Permits roaming across different regulatory domains with the same client
802.11e: MAC Enhancements for Quality of Service
• Ongoing, Draft 3.0, resolving comments
• Provides quality-of-service (QoS) features to support the existing 802.11b and 802.11a
• QoS and multimedia support are critical to wireless
  • Required for networks with voice, video and audio
  • Desired by most broadband service providers
802.11f: Recommended Practice for Inter Access Point Protocol
• Draft 2
• Inter Access Point Protocol (IAPP)
• Multivendor infrastructure
• Improved roaming
• Support for 802.11 authentication and privacy, including preauthentication
• Operation in a reasonably secure fashion
• Remote configuration, including AP attributes
IEEE 802.11g: Standard for Higher Rate (20+ Mbps) Extensions in the 2.4 GHz Band
• Still in draft, but silicon in the works
• Provides higher data rates @ 2.4 GHz
• Similar speeds as 802.11a
• Backward compatible with 11 Mbps (802.11b)
• Same modulation as 802.11a: OFDM
• Still has to compete with all other users of 2.4 GHz spectrum
• Still only 3 non-overlapping channels
[Diagram: 802.11g at 6–54 Mbps alongside 802.11b at 1–11 Mbps in the same band.]
802.11h: Spectrum Managed 802.11a
• Still in draft mode
• Dynamic Frequency Selection (DFS)
  • Enables transmitter to move to another channel when it encounters other RF on its channel
• Transmit Power Control (TPC)
  • Provides minimum required transmitter power for EACH user
  • Provides minimal interference to any other users or system
• ETSI requirement for 5 GHz
IEEE 802.11i Security
• Draft currently at version 3.0
• Fixes to WEP (software)
• AES instead of DES encryption
  • Much more robust and modern encryption
• TKIP (Temporal Key Integrity Protocol)
  • Eliminates the major weakness of the WEP key
802.1x / EAP: Port based network access control
• Falls under 802.1, NOT 802.11
• Access control (EAP) an IETF standard
• This is a NETWORK standard, not a wireless standard
• Is PART of the 802.11i draft
• Provides network authentication, NOT encryption
  • But can be used to supply keys
ISM Unlicensed Frequency Bands
[Diagram: the spectrum from extremely low, very low, low, medium, high, very high, ultra high and super high frequencies through infrared, visible light and ultraviolet to X-rays; labelled uses include audio, AM broadcast, short wave radio, FM broadcast, television, cellular (840 MHz), NPCS (1.9 GHz) and infrared wireless LAN. Unlicensed ISM bands: 902-928 MHz; 2.4 – 2.4835 GHz (802.11b at 11 Mbps, 802.11g at 54 Mbps); 5 GHz (802.11a at 54 Mbps).]
802.11b/g 2.4 GHz Channels
• (14) 22 MHz wide channels (11 under FCC/ISTC)
• 3 non-overlapping channels (1, 6, 11)
• 11 Mbps data rate
• 3 access points or bridges can be co-located in the same location for a total of 33 Mbps aggregate throughput
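The arithmetic behind the "3 non-overlapping channels" bullet, as an added example that is not part of the original slides: centre frequencies follow the 802.11 2.4 GHz channel plan (channel 1 at 2412 MHz, 5 MHz steps, channel 14 at 2484 MHz) and the 22 MHz width the slide quotes; it also shows why the 14-channel Japanese plan yields a fourth clear channel.

```python
# Added example, not code from the presentation.
# Channel plan: 2407 + 5*n MHz for channels 1..13, 2484 MHz for channel 14.
CHANNEL_WIDTH_MHZ = 22   # the width quoted on the slide


def center_frequency(channel):
    """Centre frequency in MHz of a 2.4 GHz 802.11b/g channel (1..14)."""
    if not 1 <= channel <= 14:
        raise ValueError("2.4 GHz channels run from 1 to 14")
    return 2484 if channel == 14 else 2407 + 5 * channel


def overlap_mhz(a, b):
    """Spectrum shared by two 22 MHz channels, in MHz (0 when disjoint)."""
    spacing = abs(center_frequency(a) - center_frequency(b))
    return max(0, CHANNEL_WIDTH_MHZ - spacing)


def non_overlapping(channels):
    """Greedy walk from the lowest channel up, keeping each channel that
    shares no spectrum with those already kept."""
    chosen = []
    for ch in sorted(channels):
        if all(overlap_mhz(ch, kept) == 0 for kept in chosen):
            chosen.append(ch)
    return chosen


def co_located_aps(regulatory_channels, per_ap_mbps=11):
    """Number of APs that can share one site without mutual interference and
    their aggregate air rate, the slide's '3 APs = 33 Mbps' arithmetic."""
    clear = non_overlapping(regulatory_channels)
    return len(clear), len(clear) * per_ap_mbps


if __name__ == "__main__":
    print("FCC (1-11):", non_overlapping(range(1, 12)), co_located_aps(range(1, 12)))
    print("ETSI (1-13):", non_overlapping(range(1, 14)))
    print("Japan (1-14):", non_overlapping(range(1, 15)))
```

Adjacent channels (1 and 2, for instance) share 17 MHz of their 22 MHz, which is why co-locating APs on neighbouring channels costs rather than adds throughput.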
802.11a 5 GHz Channels
[Diagram: the 5 GHz band from 5.15 to 5.825 GHz. US (FCC): 12 channels, 4 each in UNII-1 (5.15-5.25 GHz, 40 mW, indoor use, antenna must be fixed to the radio), UNII-2 (5.25-5.35 GHz, 250 mW, indoor/outdoor use, fixed or remote antenna) and UNII-3 (5.725-5.825 GHz, 1 W, outdoor bridging only); *can use up to a 6 dBi gain antenna. Europe: 19 channels, including 11 channels in 5.470-5.725 GHz, at 200 mW / 1 W; *assumes no antenna gain.]
*if you use a higher gain antenna, you must reduce the transmit power accordingly
802.11a/b Power and Range
• 36 Mbps 802.11a / 11 Mbps 802.11b: < 75 feet radius
• 18 Mbps 802.11a / 11 Mbps 802.11b: < 130 feet radius
• 12 Mbps 802.11a / 5.5 Mbps 802.11b: 130 - 165 feet radius
• 6 Mbps 802.11a / 2 Mbps 802.11b: 165 - 250 feet radius
Terminology: Station (STA) Architecture
• Device that contains IEEE 802.11 conformant MAC and PHY interface to the wireless medium, but does not provide access to a distribution system
• Most often end-stations available in terminals (work-stations, laptops etc.)
• Implemented in wireless IEEE 802.11 PC-Card
[Diagram: the platform computer runs the protocol stack (Ethernet V2.0 / 802.3 frame format) over the driver software (STADr, 802.3 frame format); the PC-Card hardware holds the WMAC controller with station firmware (WNIC-STA, 802.11 frame format) and the radio hardware.]
Terminology: Station Architecture (cont'd)
• Ethernet-like driver interface supports virtually all protocol stacks
• Frame translation according to IEEE Std 802.1H
• Maximum data limited to 1500 octets
• Transparent bridging to Ethernet
[Diagram: the same station architecture as on the previous slide: protocol stack and driver software (STADr) on the platform computer, WMAC controller with station firmware (WNIC-STA) and radio hardware on the PC-Card.]
Terminology: Access-Point (AP) Architecture
• Device that contains IEEE 802.11 conformant MAC and PHY interface to the wireless medium, and provides access to a distribution system for associated stations
• Most often infrastructure products that connect to wired backbones
• Usually implemented as a stand-alone box connected to an Ethernet backbone
[Diagram: the bridge hardware runs kernel software (APK), bridge software (Ethernet V2.0 / 802.3 frame format) and driver software (APDr, 802.3 frame format), with an Ethernet interface on one side and, on the other, PC-Card hardware holding the WMAC controller with access point firmware (WNIC-AP, 802.11 frame format) and the radio hardware.]
Terminology: Access-Point (AP) (cont'd)
• Stations select an Access-Point and "associate" with it
• Access-Points:
  • Support roaming
  • Provide time synchronization functions (beaconing)
  • Provide power management support
• Traffic typically flows through the Access-Point
[Diagram: the same access point architecture as on the previous slide: kernel software (APK), bridge software, driver software (APDr) and Ethernet interface on the bridge hardware; WMAC controller with access point firmware (WNIC-AP) and radio hardware on the PC-Card.]
Terminology: Basic Service Set (BSS)
• A set of stations controlled by a single "Coordination Function"
  • The logical function that determines when a station can transmit or receive
• A BSS can have an Access-Point, known as "infrastructure" mode (both in standalone networks and in building-wide configurations), or can run without an Access-Point (in standalone Ad-Hoc networks)
• Diameter of the cell is about twice the coverage distance between two wireless stations
Basic Service Set (BSS)
[Diagram: a single BSS.]
Terminology: Independent Basic Service Set (IBSS)
• A Basic Service Set (BSS) which forms a self-contained network in which no access to a Distribution System is available
• Also known as "Ad-Hoc" mode
• A BSS without an Access-Point
• One of the stations in the IBSS can be configured to "initiate" the network and assume the Coordination Function
• Diameter of the cell determined by coverage distance between two wireless stations
Independent Basic Service Set (IBSS)
[Diagram: a single IBSS.]
Terminology: Extended Service Set (ESS)
• A set of one or more Basic Service Sets interconnected by a Distribution System (DS)
• Traffic always flows via the Access-Point (infrastructure mode)
• Extends coverage by adding access points / roaming
• Diameter of the cell is double the coverage distance between two wireless stations
Distribution System (DS):
• A system to interconnect a set of Access Points
  • Wired: using cable to interconnect the Access-Points
  • Wireless: using wireless to interconnect the Access-Points
Extended Service Set (ESS): BSSs with wired Distribution System (DS)
[Diagram: two BSSs joined by a wired Distribution System.]
Extended Service Set (ESS): BSSs and wireless Distribution System (DS)
[Diagram: two BSSs joined by a wireless Distribution System.]
Terminology: Service Set Identifier (SSID)
• "Network name"
• Identifies the wireless network
• Usually exposed and set by the user
• 32 octets long
• Each network (ESS or IBSS) has one SSID
• Most primitive of access control
Terminology: Basic Service Set Identifier (BSSID)
• "Cell identifier"
• Generated automatically
• Not visible to user
• 6 octets long (MAC address format)
• Each BSS has one BSSID
• Value of BSSID is the same as the MAC address of the radio in the Access-Point
Operational processes: Association
• To establish relationship with Access-Point
• Stations scan the frequency band and select the Access-Point with best communications quality
  • Active scan (sending a "Probe request" on specific channels and assessing the response)
  • Passive scan (assessing communications quality from beacon messages)
• Access-Point maintains list of associated stations in MAC FW
  • Record station capability (data-rate)
  • To allow inter-BSS relay
• Station's MAC address is also maintained in bridge learn table associated with the port it is located on
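A passive scan over beacon frames, as an added example rather than code from the presentation: it parses the 802.11 management header (BSSID in the third address field, 6 octets), the capability bits and the SSID element (at most 32 octets), then picks the strongest AP whose SSID matches, or any ESS when the desired SSID is "ANY". The beacons and signal levels are constructed here; the frame layout is the standard one.

```python
import struct

# Added example, not from the slides. Layout follows IEEE 802.11: a 24-byte
# management header, then timestamp(8) | beacon interval(2) | capability(2)
# | information elements, each as tag(1) | length(1) | value.
BEACON_SUBTYPE = 8                                  # management subtype 8 = Beacon
IE_SSID, IE_DS_PARAM = 0, 3                         # SSID element, DS Parameter Set (channel)
CAP_ESS, CAP_IBSS, CAP_PRIVACY = 0x0001, 0x0002, 0x0010


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame):
    """Return BSSID, SSID, channel and capability flags from a raw beacon."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc, _dur, _a1, a2, a3, _seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != BEACON_SUBTYPE:
        raise ValueError("not a beacon frame")
    _ts, _interval, cap = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": mac_str(a3), "sa": mac_str(a2), "ssid": None, "channel": None,
            "ess": bool(cap & CAP_ESS), "ibss": bool(cap & CAP_IBSS),
            "privacy": bool(cap & CAP_PRIVACY)}     # privacy bit set = WEP on
    pos = 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if tag == IE_SSID:
            if length > 32:
                raise ValueError("SSID longer than 32 octets")
            info["ssid"] = value.decode("utf-8", "replace")   # "" for a hidden SSID
        elif tag == IE_DS_PARAM and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info


def build_beacon(bssid, ssid, channel, privacy, ibss=False):
    """Constructed beacon for testing: address 1 broadcast, 2 and 3 the AP radio."""
    fc = BEACON_SUBTYPE << 4                        # type 0 (management), version 0
    header = struct.pack("<HH6s6s6sH", fc, 0, b"\xff" * 6, bssid, bssid, 0)
    cap = (CAP_IBSS if ibss else CAP_ESS) | (CAP_PRIVACY if privacy else 0)
    body = struct.pack("<QHH", 0, 100, cap)         # beacon interval 100 TU
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAM, 1, channel])
    return header + body + ies


def passive_scan_select(observations, desired_ssid="ANY"):
    """Pick the strongest AP (IBSS beacons skipped) with a matching SSID, the
    'best Access-Point with matching ESSID / ANY' rule from the slides.
    observations: list of (raw beacon, received signal level in dBm)."""
    best = None
    for frame, rssi in observations:
        b = parse_beacon(frame)
        if not b["ess"]:
            continue
        if desired_ssid != "ANY" and b["ssid"] != desired_ssid:
            continue
        if best is None or rssi > best[1]:
            best = (b, rssi)
    return best[0] if best else None
```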
Operational processes: Authentication
• To control access to the infrastructure via an authentication
• Stations identify themselves to other stations (or Access-Points) prior to data traffic or association
• Open System Authentication
  • Uses null authentication algorithm
  • Default, totally insecure
• Shared Key Authentication
  • Uses WEP privacy algorithm
• 802.1x / EAP
  • Secure authentication of each user
Operational processes: Starting an ESS
• The infrastructure network is identified by its ESSID
• All Access-Points will have been set according to this ESSID
• On power up stations will issue Probe Requests and will locate the Access-Point that they will associate with:
  • "best" Access-Point with matching ESSID
  • "best" Access-Point if the "desired SSID" has been set to "ANY"
Operational processes: Starting an IBSS
• Station configured for IBSS operation will:
  • "look" for Beacons that contain a network name (SSID) that matches the one that is configured
  • When Beacons with matching network name are received and are issued by an AP, the station will associate to the AP
  • When Beacons with matching network name are received and are issued by another station in IBSS mode, the station will join this IBSS
  • When no beacons are received with matching network name, the station will issue beacons itself.
• All stations in an IBSS network will participate in sending beacons. All stations start a random timer prior to the point in time when the next Beacon is to be sent. The first station whose random timer expires will send the next beacon.
Security
Range of Possible Security Solutions
• No security: no WEP and broadcast mode (public access)
• Basic security: Wi-Fi 40-bit, 128-bit static WEP (telecommuter and small business)
• Enhanced security: dynamic key management system, mutual authentication, and 802.1x via EAP (mid-market and enterprise)
• VPN security: end-to-end security using VPN (special apps. / business traveler)
Defense - Higher Level Secure Protocols
[Diagram: two end hosts' stacks (application, transport layer (TCP, UDP), network layer (IP), 802.11 or Ethernet data-link layer, physical layer) joined through a router that buffers packets that need to be forwarded (based on IP address). WEP covers only the 802.11 link; IPsec at the network layer and SSL above the transport layer protect the process-to-process session end to end across the 802.11 and Ethernet hops.]
Original 802.11 Security
• Authentication
  • Open System authentication
  • Shared Key authentication
• Data confidentiality
  • Wired Equivalent Privacy (WEP)
  • Designed to be as secure as a wired network
  • No encryption key management
Poor Encryption with WEP
• Encryption for wireless is required
  • Goal to eliminate sniffing "over the air" between clients & AP
  • Does not deal with end-to-end encryption
• Two shared keys: a multicast/global key & a unicast session key
• Barely useful for home and corporate LANs
• Uses RC4 symmetric stream cipher with 40-bit and 104-bit encryption keys
• Bad encryption design. They forgot to consult with cryptographers
• Determination and distribution of WEP keys are not defined by IEEE 802.11
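What a WEP frame body actually looks like, as an added example (not the presentation's code): the 24-bit IV is sent in the clear and RC4 is keyed with IV||shared key over the payload plus a CRC-32 ICV. The IV-reuse monitor is the defender's check that follows: with only 2^24 IVs and no key management, a busy AP repeats IVs within hours, and a repeated IV under one key reuses the whole keystream. Keys, IVs and frames below are constructed test values.

```python
import struct
import zlib

# Added example, not code from the slides. WEP body = IV(3) | RC4(IV||key)(data | ICV).
IV_LEN = 3
IV_SPACE = 1 << 24            # 24-bit IV: this many distinct keystreams per key, total
KEY_SIZES = (5, 13)           # 40-bit and 104-bit shared keys


def rc4(key, data):
    """RC4: key scheduling (KSA) then keystream generation (PRGA) XORed over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(plaintext):
    """WEP integrity check value: CRC-32, little-endian (a linear, keyless check)."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """Build a WEP frame body from a shared key, a 3-byte IV and the payload."""
    if len(key) not in KEY_SIZES:
        raise ValueError("WEP keys are 5 or 13 bytes")
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 3 bytes")
    # The per-frame RC4 key is the public IV prepended to the static secret.
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key, body):
    """Strip the IV, undo RC4 and verify the ICV; raises on mismatch."""
    iv, ciphertext = body[:IV_LEN], body[IV_LEN:]
    clear = rc4(iv + key, ciphertext)
    plaintext, tag = clear[:-4], clear[-4:]
    if tag != icv(plaintext):
        raise ValueError("ICV mismatch")
    return plaintext


def iv_reuse_report(frames):
    """Monitor side: frames is an iterable of (bssid, wep body) as captured by a
    passive sensor. Returns {bssid: count of IVs seen more than once}. Every hit
    is a frame pair encrypted with an identical keystream under the same key."""
    seen, repeats = {}, {}
    for bssid, body in frames:
        iv = body[:IV_LEN]
        ivs = seen.setdefault(bssid, set())
        if iv in ivs:
            repeats[bssid] = repeats.get(bssid, 0) + 1
        ivs.add(iv)
    return repeats


def hours_to_iv_exhaustion(frames_per_second):
    """How long a sequential-IV AP takes to cycle through all 2^24 IVs."""
    return IV_SPACE / frames_per_second / 3600.0
```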
"Network Stumbler" - shows 802.11 networks
[Screenshot: laptop with wireless LAN card listing nearby networks and whether WEP is on ("No" for most).]
"AiroPeek" maps out who's talking to whom
[Screenshot: AiroPeek peer map.]
Data sniffed off the air from a non-WEP session.
[Screenshot: captured plaintext frames.]
AirSnort: Cracks WEP Messages (http://airsnort.sourceforge.net)
• Operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.
• "Weaknesses in the Key Scheduling Algorithm of RC4" by Scott Fluhrer, Itsik Mantin and Adi Shamir.
• AirSnort, along with WEPCrack, are the first public implementations of this attack.
• Once ~5-10 million encrypted packets are gathered, AirSnort can guess the encryption password in under a second.

Original Security Issues
• No per-user identification and authentication
• No central authentication, authorization, and accounting
• No support for extended authentication: token cards, certificates, smart cards
• No support for unicast session key management

Security Solutions in the pipe
• No per-user identification and authentication
  Solution: IEEE 802.1X and EAP
• No central authentication, authorization, and accounting
  Solution: RADIUS
• No support for extended authentication: token cards, certificates, smart cards
  Solution: IEEE 802.1X and EAP
• No support for per-session encryption key management
  Solution: IEEE 802.1X and EAP/TLS

Is it hopeless until 802.1x?
• What can I do without completely blowing my budget and redesigning my network?
  Enable WEP (it’s better than nothing…)
  Disable DHCP
  Don’t buy cheap APs
  Limit the MAC addresses that can connect to the network
  Separate the WLAN from the LAN and require VPN

IEEE 802.1x - Definitions
• Port-based network access control
  Used for Ethernet switches; adapted for IEEE 802.11
• Enforces authentication before frame exchange with the wired network is allowed
• Uses Extensible Authentication Protocol (EAP)
• Defines EAP over LAN (EAPOL)

EAP – An Overview
• Extension to PPP & Ethernet for arbitrary network access authentication mechanisms
• Authentication plug-in modules at both the wireless client and authenticating server (RADIUS server)
[Figure: EAP messages pass between the wireless client and the wireless AP, RADIUS messages between the AP and the RADIUS server; the EAP conversation itself runs end to end between the wireless client and the RADIUS server.]

EAP Types
• EAP-MD5 CHAP
  Required EAP type that uses MD5 CHAP
  NOT appropriate for wireless access
• EAP-TLS
  For certificate-based security environments (registry-based certificates)
  Generates high-entropy unicast session keys
  Appropriate for wireless access

RADIUS – An Overview
• Remote Authentication Dial-In User Service (RADIUS), RFCs 2865 and 2866
• Centralized authentication, authorization, and accounting (AAA) for:
  Wireless APs
  Authenticating Ethernet switches
  Virtual private network (VPN) servers
  Digital Subscriber Line (DSL) and other network access servers

RADIUS Infrastructure
[Figure: access clients connect to access servers (wireless AP, VPN server, dial-up server); the access servers speak the RADIUS protocol to a RADIUS proxy, which forwards to the RADIUS server backed by the user account database.]

How it works: Authentication process
• Supplicant: operates on the client (public/semi-public network)
• Authenticator: operates on devices at the network edge, like APs and switches (enterprise / ISP edge)
• Authentication Server: the EAP plug-in goes in the RADIUS server (enterprise / ISP network)

How it works on the WLAN
• Supplicant: operates on the client (public/semi-public network); only 802.1x traffic passes between client and AP until authentication completes
• Authenticator: AP acting as Authenticator (enterprise / ISP edge)
• Authentication Server: the EAP plug-in goes in the RADIUS server (enterprise / ISP network)

Steps to EAP - authentication
• EAPOL Start: start the process
• Identity Request: ask client for ID
• Identity Response: client provides ID
• Access Request: pass the request to the server
• Access Challenge / EAP Request / EAP Response / Access Request: perform the sequence defined by the authentication method (EAP-TLS, LEAP)
• Access Success: session key to AP
• EAP Success: start using WEP
• EAPOW Key: deliver broadcast key, encrypted with the session key

Lessons
• Data encryption by itself offers no protection from attack
• There is no meaningful privacy if the data authenticity problem is not solved
• It is profoundly easy to mis-use a cipher
  Get any cryptographic scheme reviewed by professionals
• You must be concerned about security at all layers as well as from end to end
• 802.1x / EAP is only link layer security
  Does not solve layer 2 shared medium issues

In depth 802.1X / EAP

What is Network Access Authentication?
• A mechanism by which access to the network is restricted to authorized entities
• Identities used are typically userIDs
  NB: each user on a multi-user machine does not need to authenticate once the link is up, so this doesn’t guarantee that only the authenticated user is accessing the network
• Once authenticated, the session needs to be authorized
  Authorization can include things like session keys, VLAN ID, rate limits, filters, tunneling, etc.
• To prevent hijacking, you need per-packet authentication as well
  Encryption is orthogonal to authentication
  Per-packet Message Integrity Check (MIC) based on a key derived during the authentication process, linking each packet to the identity claimed in the authentication
  No MIC support in PPP or WEP!

Network Access Control Alternatives
Network access authentication can be implemented at any layer.
• PHY
  Example: 802.11b WEP
  Pros: no MAC or TCP/IP changes required (all support in firmware)
  Cons: requires firmware changes in NICs and NASes to support new auth methods, requires NAS to understand new auth types, slows delivery of bug fixes (e.g. WEP v1.0), hard to integrate into AAA
• MAC
  Examples: PPP, 802.1X
  Pros: no firmware changes required for new auth methods, easier to fix bugs, easy to integrate into AAA, no network access needed prior to authentication, extensible (RFC 2284)
  Cons: requires MAC layer changes unless implemented in driver

Network Access Control Alternatives (cont’d)
• IP
  Examples: hotel access (based on ICMP re-direct to access web server)
  Pros: no client MAC or TCP/IP changes required (for ICMP re-direct method)
  Cons: doesn’t work for all apps, no mutual authentication, partial network access required prior to auth, need to find access control server if not at first hop, typically not extensible, may not derive encryption keys, no accounting (no logoff)
• UDP/TCP
  Examples: proprietary token card protocols
  Pros: no client MAC or TCP/IP changes required; can be implemented purely at the application layer
  Cons: requires client software, partial network access required prior to auth, need to find access control server if not at first hop, typically not extensible, no accounting (no logoff)

Why Do Auth at the Link Layer?
• It’s fast, simple, and inexpensive
  Most popular link layers support it: PPP, IEEE 802
  Cost matters if you’re planning on deploying 1 million ports!
• Client doesn’t need network access to authenticate
  No need to resolve names or obtain an IP address prior to auth
• NAS devices need minimal layer 3 functionality
  802.11 access points and 1 Gbps switch ports go for $300, support 802.1D, 802.1X, SNMP & RADIUS, and may have no layer 3 filtering support
  Authentication, AAA support typically a firmware upgrade
• In a multi-protocol world, doing auth at the link layer enables authorizing all protocols at the same time
  Doing it at the network layer would mean adding authentication within IPv4, IPv6, AppleTalk, IPX, SNA, NetBEUI
  Would also mean authorizing within multiple layers; result: more delay

What is IEEE 802.1X?
• The IEEE standard for authenticated and auto-provisioned LANs. Ratified June 2001
• Based on EAP, IETF RFC 2284
• A framework for authentication and key management
  IEEE 802.1X derives keys which can be used to provide per-packet authentication, integrity and confidentiality
  Typically used along with well-known key derivation algorithms (e.g. TLS, SRP, etc.)
• IEEE 802.1X does not mandate security services: can do authentication, or authentication & encryption
  Encryption alone not recommended (but that’s what WEP does)

What 802.1X is not
• Not purely a wireless standard: it applies to all IEEE 802 technologies (e.g. Ethernet First Mile applications)
• Not PPP over Ethernet (PPPOE): only supports EAP authentication methods (no PAP or CHAP), packets are not encapsulated
• Not a cipher: not a substitute for WEP, RC4, DES, 3DES, AES, etc.
  But 802.1X can be used to derive keys for any cipher
• Not a single authentication method
  But 802.1X can support many authentication methods without changes to the AP or NIC firmware

A History of IEEE 802.1X
• The idea started with customers who wanted to control access to a public network
  Universities, government agencies
• Existing approaches were inadequate
  Customers wanted something that could be implemented inexpensively, on existing switches
  Customers wanted to utilize existing network access infrastructure (RADIUS, LDAP, etc.)
  PPPOE: too much overhead
  VPN: too many interoperability issues
  DHCP: designed for addressing and configuration, not access control
• Concept developed by 3Com, HP, Cisco, Microsoft and others
  Examined alternatives, and settled on a Layer 2 approach
  A small group wrote the spec and built prototypes
  Consensus and running code! Not designed by committee!
• IEEE 802.1X PAR approved in January 1999; approved as an IEEE standard June 2001
• Specification available at: http://www.drizzle.com/~aboba/IEEE/
  A great site for info on 802.1x /EAP and wireless in general

802.1X Topologies
[Figure: the Supplicant, in the semi-public network / enterprise edge, speaks EAP over wireless (EAPOW) or EAP over LAN (EAPOL) to the Authenticator/EtherNAS (e.g. access point or bridge); the Port Access Entities (PAE) at each end carry the exchange, and the authenticator relays it as EAP over RADIUS to the Authentication Server in the enterprise or ISP network. The diagram also shows an EtherCPE and a non-802.1X supplicant case.]

802.1X Security Philosophy
• Approach: a flexible security framework
  Implement security framework in upper layers
  Enable plug-in of new authentication, key management methods without changing NIC or Access Point
  Leverage main CPU resources for cryptographic calculations
• How it works
  Security conversation carried out between supplicant and authentication server
  NIC, Access Point acts as a pass through device
• Advantages
  Decreases hardware cost and complexity
  Enables customers to choose their own security solution
  Can implement the latest, most sophisticated authentication and key management techniques with modest hardware
  Enables rapid response to security issues

What is EAP?
• The Extensible Authentication Protocol (RFC 2284)
• Provides a flexible link layer security framework
• Simple encapsulation protocol
  No dependency on IP
  ACK/NAK, no windowing
  No fragmentation support
• Few link layer assumptions
  Can run over any link layer (PPP, 802, etc.)
  Does not assume physically secure link; methods provide security services
  Assumes no re-ordering
  Can run over lossy or lossless media; retransmission responsibility of authenticator (not needed for 802.1X or 802.11)
• EAP methods based on IETF standards
  Transport Level Security (TLS)
  Secure Remote Password (SRP)
  GSS_API (including Kerberos)

EAP Architecture
[Figure: layered diagram: the method layer (TLS, SRP, AKA, SIM) sits on the EAP layer via EAP APIs; the EAP layer sits on the media layer via NDIS APIs; the media shown are PPP, 802.3 CSMA/CD (Ethernet), 802.5 Token Ring and 802.11 Wireless LAN.]

What is RADIUS?
• Remote Access Dial In User Service
• Supports authentication, authorization, and accounting for network access
  Physical ports (analog, ISDN, IEEE 802)
  Virtual ports (tunnels, wireless)
• Allows centralized administration and accounting
• IETF status
  Proposed standard: RFC 2865, RADIUS authentication/authorization; RFC 2618-2621, RADIUS MIBs
  Informational: RFC 2866, RADIUS accounting; RFC 2867-8, RADIUS tunneling support; RFC 2869, RADIUS extensions; RFC 3162, RADIUS for IPv6

IEEE 802.1X Conversation
[Figure: laptop computer, Ethernet switch and RADIUS server; EAPOL runs between laptop and switch, RADIUS between switch and server.]
• Port connect: access blocked
• Laptop → Switch: EAPOL-Start
• Switch → Laptop: EAP-Request/Identity
• Laptop → Switch: EAP-Response/Identity; Switch → Server: Radius-Access-Request
• Server → Switch: Radius-Access-Challenge; Switch → Laptop: EAP-Request
• Laptop → Switch: EAP-Response (credentials); Switch → Server: Radius-Access-Request
• Server → Switch: Radius-Access-Accept; Switch → Laptop: EAP-Success
• Access allowed

802.1X On 802.11
[Figure: laptop computer, wireless access point and RADIUS server; EAPOW runs over the 802.11 link, RADIUS between the AP and the server.]
• Laptop → AP: 802.11 Associate-Request; AP → Laptop: 802.11 Associate-Response (association: access blocked)
• Laptop → AP: EAPOW-Start
• AP → Laptop: EAP-Request/Identity
• Laptop → AP: EAP-Response/Identity; AP → Server: Radius-Access-Request
• Server → AP: Radius-Access-Challenge; AP → Laptop: EAP-Request
• Laptop → AP: EAP-Response (credentials); AP → Server: Radius-Access-Request
• Server → AP: Radius-Access-Accept; AP → Laptop: EAP-Success
• AP → Laptop: EAPOW-Key (WEP)
• Access allowed

802.1X authentication in 802.11
• IEEE 802.1X authentication occurs after 802.11 association or reassociation
  Association/Reassociation serves as “port up” within the 802.1X state machine
  Prior to authentication, the access point filters all non-802.1X traffic from the client
  If 802.1X authentication succeeds, the access point removes the filter
• 802.1X messages sent to destination MAC address
  Client, Access Point MAC addresses known after 802.11 association
  No need to use the 802.1X multicast MAC address in EAP-Start, EAP-Request/Identity messages
  Prior to 802.1X authentication, the access point only accepts packets with source = Client and Ethertype = EAPOL
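
The pre-authentication filter on this slide, and the EAPOL/EAP exchange of the conversation slides before it, as an added Python example (not code from the original presentation): an authenticator-side controlled port that accepts only EAPOL frames from the associated station’s MAC until EAP-Success, relays EAP-Responses toward the RADIUS server, and passes EAPOL-Key only once authorized. Ethertype 0x888E, the EAPOL packet types and the EAP codes are the standard values; the frame builders, MAC addresses and result strings are constructed for the example.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                     # EAP over LAN (IEEE 802.1X)
EAPOL_VERSION = 1                            # 802.1X-2001 protocol version
# EAPOL packet types
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
# EAP codes (RFC 2284) and the Identity type
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: Code, Identifier, Length (whole packet), [Type], Data."""
    body = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_frame(dst, src, ethertype, payload):
    """Ethernet II frame as used in this example (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def build_eapol(dst, src, ptype, body=b""):
    """EAPOL frame: Ethernet header, then Version, Type, Body Length, Body."""
    header = struct.pack("!BBH", EAPOL_VERSION, ptype, len(body))
    return build_frame(dst, src, ETHERTYPE_EAPOL, header + body)


def parse_ethernet(frame):
    if len(frame) < 14:
        raise ValueError("short frame")
    return frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0], frame[14:]


def parse_eapol(payload):
    """Return (version, packet type, body); the body is bounded by the EAPOL length."""
    if len(payload) < 4:
        raise ValueError("short EAPOL header")
    version, ptype, length = struct.unpack("!BBH", payload[:4])
    if len(payload) < 4 + length:
        raise ValueError("truncated EAPOL body")
    return version, ptype, payload[4:4 + length]


def parse_eap(body):
    """Return (code, identifier, type or None, data) from an EAP packet."""
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or len(body) < length:
        raise ValueError("bad EAP length")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        return code, ident, body[4], body[5:length]
    return code, ident, None, body[4:length]


class ControlledPort:
    """Authenticator port for one associated station; closed until EAP-Success."""

    def __init__(self, station_mac):
        self.station = station_mac
        self.authorized = False

    def handle(self, frame):
        """Classify a frame received from the air: 'forward', 'drop',
        'eapol-start' (answer with EAP-Request/Identity), 'eap-to-server'
        (relay inside a RADIUS Access-Request), 'eapol-key' or 'logoff'."""
        _, src, ethertype, payload = parse_ethernet(frame)
        if src != self.station:
            return "drop"                      # only the associated station is heard
        if ethertype != ETHERTYPE_EAPOL:
            return "forward" if self.authorized else "drop"
        _, ptype, body = parse_eapol(payload)
        if ptype == EAPOL_START:
            return "eapol-start"
        if ptype == EAPOL_LOGOFF:
            self.authorized = False            # port returns to the filtered state
            return "logoff"
        if ptype == EAPOL_KEY:
            return "eapol-key" if self.authorized else "drop"
        if ptype == EAPOL_EAP_PACKET:
            code = parse_eap(body)[0]
            return "eap-to-server" if code == EAP_RESPONSE else "drop"
        return "drop"

    def server_result(self, eap_code):
        """Apply the outcome relayed from RADIUS as EAP-Success / EAP-Failure."""
        self.authorized = eap_code == EAP_SUCCESS
        return self.authorized
```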

802.1X and Per-Client Session Keys
• How does 802.1X derive per-Station unicast session keys?
  Can use any EAP method supporting secure dynamic key derivation: EAP-TLS (RFC 2716), EAP-SRP, EAP-AKA, EAP-SIM (for compatibility with cellular), Security Dynamics
  Keys derived on client and the RADIUS server
  RADIUS server transmits key to access point; RADIUS attribute encrypted on a hop-by-hop basis using the shared secret shared by RADIUS client and server
  Unicast keys can be used to encrypt subsequent traffic, including the EAPOW-Key packet (for carrying multicast/global keys)
• Per-Station unicast session keys not required
  If only multicast/global keys are supported, then the session key is only used to encrypt the multicast/global key

802.1X and Multicast/Global Keys
• How can 802.1X transfer multicast/global keys?
  An EAPOL packet type is defined for use in transporting multicast/global keys: EAPOW-Key
  EAPOW-Key packet type used to transmit one or more keys from access point to client (or vice versa)
  EAPOW-Key packets only sent after EAPOW authentication succeeds
  EAPOW-Key packets are encrypted using the derived per-STA encryption key

Deploying IEEE 802.1X With 802.11

Deployment Issues with 802.11
• User-based authentication and accounting
  802.11-1997 only allows users to be identified by MAC address
  How do I know who is on my network? How can I do user-based access control, accounting and auditing? What happens if a machine is stolen?
  Proprietary key management solutions require separate user databases
• Secure roaming
  Why can’t you just “plug in and connect” anywhere in the world?
• Key management
  802.11-1997 supports per-user keys, but most implementations only support global keys
  What if the global key(s) are compromised?
  Static keys difficult to manage on clients, access points

WEP Summary of Attacks
• Downloadable procedures
  To crack the key: http://airsnort.sourceforge.net/ http://sourceforge.net/projects/wepcrack/
  To brute-force entry into a WLAN, select THC-RUT from http://www.thehackerschoice.com/releases.php
• Attacks based on [Walker], [Arbaugh], [Berkeley team], [Fluhrer/Shamir]
  Lack of IV replay protection
  Short IV sequence space
  RC4 vulnerabilities due to WEP’s implementation
  Linear properties of CRC32 (allows bit flipping)
  Lack of keyed MIC
  Use of shared keys

Quest to Improve WEP
• How can we improve WEP security and
  Retain (most) performance: enhance without greatly reducing line rates
  Easily upgrade deployed systems: avoid hardware upgrades
  Retain interoperability: allow most deployed systems to upgrade; allow for incremental deployment; allow legacy systems to continue to work without improvements
  Provide better protection until AES is available

Improving WEP’s Security
• Recommended Practice includes
  Per-link keys: unique key per STA
  IV sequencing: check for monotonically increasing IVs; weak IV avoidance
  104-bit keys: IV + key = 128 bits
  Rapid rekey: derive WEP keys from master key; change encryption key frequently
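
The IV sequencing, weak IV avoidance and rapid rekey items above, as an added Python example (not code from the original presentation): a transmitter-side IV counter that never repeats an IV under one key, skips the Fluhrer/Mantin/Shamir weak IV class (A+3, 255, X) and signals a rekey before the 24-bit space wraps; a receiver-side monotonic IV check per sender; and a per-link key derived from a master key for a rekey epoch. The weak IV test covers only the basic FMS class (deployed filters were often broader), and the HMAC-based key derivation is an assumed construction, not one the slides specify.

```python
import hashlib
import hmac

IV_SPACE = 1 << 24                    # WEP IVs are 24 bits, so the space is short


def is_fms_weak_iv(iv, key_len):
    """True for the basic Fluhrer/Mantin/Shamir weak class (A + 3, 255, X),
    where A is the index of the key byte that such an IV exposes."""
    key_index = iv[0] - 3
    return iv[1] == 0xFF and 0 <= key_index < key_len


class IvGenerator:
    """Counter-based IV source: no IV reuse under one key, weak IVs skipped,
    and a rekey flag raised before the counter wraps."""

    def __init__(self, key_len=13, rekey_margin=1 << 16):
        self.key_len = key_len
        self.rekey_margin = rekey_margin
        self.counter = 0
        self.skipped = 0

    def next_iv(self):
        """Return (iv_bytes, rekey_needed); raises once the IV space is used up."""
        while True:
            if self.counter >= IV_SPACE:
                raise RuntimeError("IV space exhausted: rekey before sending")
            iv = self.counter.to_bytes(3, "big")
            self.counter += 1
            if is_fms_weak_iv(iv, self.key_len):
                self.skipped += 1
                continue
            return iv, self.counter >= IV_SPACE - self.rekey_margin


class IvReceiver:
    """Receiver-side IV sequencing: per sender, each IV must strictly increase,
    so a replayed or reordered frame is rejected."""

    def __init__(self):
        self.last_iv = {}

    def check(self, sender, iv):
        value = int.from_bytes(iv, "big")
        if value <= self.last_iv.get(sender, -1):
            return False
        self.last_iv[sender] = value
        return True

    def reset(self, sender):
        """A rekey legitimately restarts the sender's IV counter."""
        self.last_iv.pop(sender, None)


def derive_link_key(master_key, station_mac, epoch, key_len=13):
    """Per-link WEP key for one station and rekey epoch (assumed HMAC construction)."""
    label = b"wep-link-key" + station_mac + epoch.to_bytes(4, "big")
    return hmac.new(master_key, label, hashlib.sha256).digest()[:key_len]
```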

802.1X Authentication
• 802.1X users identified by usernames, not MAC addresses
  Enables user-based authentication, authorization, accounting
• For use with 802.1X, EAP methods supporting mutual authentication are recommended
  Need to mutually authenticate to guarantee the key is transferred to the right entity
  Prevents man-in-the-middle and rogue server attacks
• Common EAP methods support mutual authentication
  TLS: server and client must supply a certificate, prove possession of private key
  SRP: permits mutual authentication via weak shared secret without risk of dictionary attack on the wire
  Tunneled TLS: enables any EAP method to run, protected by TLS

Advantages of IEEE 802.1X
• Open standards based
  Leverages existing standards: EAP (RFC 2284), RADIUS (RFC 2865, 2866, 2867, 2868, 2869)
  Enables interoperable user identification, centralized authentication, key management
• Enables automated provisioning of LAN connectivity
• User-based identification
  Identification based on Network Access Identifier (RFC 2486) enables support for roaming access in public spaces (RFC 2607).
  Enables a new class of wireless Internet Access
• Dynamic key management
  Improved security for wireless (802.11) installations

WEPv1.0 w/802.1X
• Improved key derivation
  Per-user unicast keys instead of global unicast key
  Unicast key may be changed periodically to avoid staleness
  Support for standards-based key derivation techniques; examples: TLS, SRP
  Kerberos V without PKINIT not recommended for use with 802.11
• Additional fixes still under discussion
  Authentication for reassociate, disassociate
• WEP deficiencies still present
  No keyed MIC
  Improper usage of RC4 stream cipher
  No IV replay protection
• Long term solution: need a “real” cipher!
  AES proposals under discussion: AES-OCB versus AES-CTR mode and CBC-MAC with XCBC extensions

802.1X Implementations
• Implementations available now
  IEEE 802.1X support included in Windows XP
  Firmware upgrades available from AP and NIC vendors
  Interoperability testing underway
• 802.1X OS support
  Microsoft: Windows XP
  Cisco: Windows 9x, NT4, 2000, Mac OS, Linux
• RADIUS servers supporting EAP
  Microsoft Windows 2000 Server
  Cisco ACS
  Funk RADIUS
  Interlink Networks (formerly MERIT) RADIUS server

Vendors Supporting 802.1X
• Microsoft, AirWave, Compaq, Dell, IBM, Intel, HP, Symbol, Toshiba, Telson, Wayport
  http://www.microsoft.com/presspass/press/2001/Mar01/03-26XPWirelessPR.asp
• 3Com
  http://emea.3com.com/news/news01/mar26.html
• Agere
  http://www.networkmagazine.com/article/COM20010629S0009
  http://www.lucent.com/micro/NEWS/PRESS2001/080801a.html
• Enterasys
  http://www.dialelectronics.com.au/articles/c4/0c0023c4.asp
  http://www.computingsa.co.za/2001/03/26/News/new07.htm
• Intersil
  http://www.intersil.com/pressroom/20010403_802_1xWindows_XPFINAL_English.asp
• Cisco
  Catalyst switches: http://www.redcorp.com/products/09084608.asp
  802.11 access points: http://www.security-informer.com/english/crd_security_495312.html http://cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1281_pp.pdf

802.1X Applications

The Role of RADIUS
• RADIUS is the key to enabling 802.1X applications
• RADIUS enables per-user compulsory tunneling assignment
  More flexible than static or realm-based tunneling
  What if [email protected] is to be given Internet access, but [email protected] should be tunneled to the marketing tunnel server?
• RADIUS enables per-user VLAN assignment
  More flexible than static per-port or MAC-based VLAN assignment
• RADIUS enables accounting and auditing
  Both switch/AP and tunnel server can use RADIUS
  Allows enterprise to audit usage, do alarming
  BIGCO can match accounting records from tunnel server with accounting records from ISP for auditing purposes
• RADIUS enables use of a single userID/password pair
  Both bridge/access point and tunnel server can authenticate against the same database
  RADIUS server backend, LDAP backend

Why Are Shared Use APs Important?
• Multiple providers are becoming the norm within airports
  Airlines are installing 802.11 networks for use in baggage reconciliation and roving ticket counters
  Multiple wireless ISPs often also want to serve airport customers
• Radio interference is an issue
  In the US and Europe 802.11b networks can support only 3 non-overlapping channels
  In France and Japan only one channel is available
  Once the channels are utilized by existing APs, additional APs will interfere and reduce performance
• 802.11 deployment in public spaces is expensive
  In this economic environment, raising capital is difficult
  The cost of providing wireless access is inversely proportional to infrastructure utilization
  More economical to build infrastructure and share it among multiple providers than to build overlapping infrastructure

What Features Are Needed for Shared Use APs?
• Support for multiple SSIDs in a single AP
  Multiple SSIDs in Beacon, Probe Response not prohibited by 802.11-1997
  Only a single SSID needed in Association and Reassociation Request
• IEEE 802.1X: users identified by userid rather than MAC address
• Network Access Identifier (NAI) support: described in RFC 2486; format is user@domain, where domain identifies the home server
• SNMPv3 support: contexts used to support multiple virtual MIB instances
• RADIUS authentication and accounting: SSID included in Called-Station-Id attribute
• RADIUS proxies: RADIUS-based roaming described in RFC 2607; RADIUS authentication and accounting packets routed between AP and home server by RADIUS proxies

Shared Use APs
[Figure: a shared use 802.11 AP advertises SSID A, SSID B and SSID C; a remote user ([email protected]) associates, and the RADIUS authentication request is routed through the AP’s RADIUS proxy and ISP A’s proxy across the Internet to BIGCO’s customer RADIUS server.]
• AP advertises multiple SSIDs in Beacon, Probe Response
• Multiple ISPs share the same AP
• STA associates with a single AP, SSID
• User authentication request routed to home server

What Is Wireless Roaming?
• Definition: the ability to use many wireless Internet Service Providers while maintaining a business relationship with only one
• Requirements: 802.1X-enabled client with 802.11 wireless card; roaming-capable authentication proxy and server
• Roaming standards developed in IETF ROAMOPS WG
  RFC 2194, Roaming Implementations Review
  RFC 2477, Roaming Evaluation Criteria
  RFC 2486, Network Access Identifier
  RFC 2607, Proxies and Policy Implementation

Wireless Global Roaming via IEEE 802.11 and 802.1X
[Figure: a corporate RADIUS server reached from 802.11 and 802.1X enabled airports, hotels and malls, giving global access to 802.11 wireless connectivity.]
• Simple, automatic detection of 802.11 connectivity
• Global login with corporate or ISP userIDs

Bilateral Roaming support
[Figure: a roaming client connects through ISP A’s or ISP B’s cloud, each with an IAS proxy as its RADIUS proxy; both proxies forward directly to Bigco’s RADIUS server, which fronts a PPTP server and an NT domain controller.]

Roaming Consortia
[Figure: as in the bilateral case, a roaming client connects through ISP A’s or ISP B’s IAS proxy, but both forward to a consortium RADIUS proxy (IAS proxy), which in turn reaches BigCo’s RADIUS server, PPTP server and NT domain controller.]

Certificate-Based Roaming
[Figure: a roaming client authenticates with EAP-TLS to ISP A’s RADIUS server (an IAS proxy in ISP A’s cloud); Bigco runs its own RADIUS server, PPTP server, NT domain controller, certificate server and certificate revocation list.]
• ISP A RADIUS server can authenticate [email protected] from the client certificate
• No need to proxy authentication
• ISP A needs to check Bigco’s certificate revocation list

Wholesale Wireless Access
[Figure: a remote user ([email protected]) on public 802.11 wireless networks (access points A, B and C) reaches ISP A’s RADIUS proxy over the carrier networks and the Internet; the proxy forwards over RADIUS to BIGCO’s customer RADIUS server.]
• User sends authentication request to ISP
• ISP delegates authentication to Corporation
• Single point of administration

Benefits of Wholesale accounts: The ISP
• Increased sales: attach rate of consumer services; partner relations with enterprise
• Reduction in costs: simple administration, server mgmt. tools; improved collection and billing; reduced size of client store; compensation for client support burden
• Simplified account management: improved collections and cash flow; corporate clientele, automated pmt

Benefits of Wholesale accounts: The Enterprise
• Ubiquitous 802.11 wireless support: enables rapid deployment of IEEE 802.11 technology in hotels, airports, malls; users can obtain wireless access using their existing corpnet accounts
• Simplicity: automatic detection of wireless connectivity via “media sense”; auto-detection of 802.11 SSID; pre-configure userID/password pairs if desired; easier to provide a “backup” provider
• RADIUS accounting data for auditing and chargeback
• Reduced carrying costs: leverage ISP capacity and aggregation; shared support burden and ISP expertise
• Improved flexibility: ISP capacity; validation against RADIUS, LDAP, or ODBC back ends

Security Issues in Wholesale Wireless Access
• RADIUS does not provide for inter-domain security
  No support for end-to-end message integrity or attribute hiding
  Proxy can add, delete, modify attributes in transit between client and server
  Proxy will have access to tunnel passwords and WEP keys in clear text
• Recommendation
  Use strong mutual authentication when untrusted proxies are present
  Check logs to detect unusual proxy activity
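
The hop-by-hop nature of RADIUS protection, stated on this slide and on the per-client session key slide earlier (“RADIUS attribute encrypted on a hop-by-hop basis using shared secret”), as an added Python example (not code from the original presentation): RFC 2865 User-Password hiding and the Response Authenticator, walked through a NAS → proxy → home server exchange. Each hop verifies only its own peer, so the proxy necessarily sees the hidden attribute in clear and can rewrite the reply without the N AS being able to tell. The user, passwords, secrets and the Filter-Id values are constructed for the example.

```python
import hashlib
import os
import struct

# RADIUS codes (RFC 2865) and the attribute types used in this example
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11


def attr(atype, value):
    """One attribute: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(raw):
    """Walk attributes by their Length byte into a {type: value} dict."""
    out, i = {}, 0
    while i < len(raw):
        atype, alen = raw[i], raw[i + 1]
        out[atype] = raw[i + 2:i + alen]
        i += alen
    return out


def build(code, ident, authenticator, attrs):
    """Header is Code, Identifier, Length, 16-byte Authenticator, then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    return code, ident, packet[4:20], packet[20:length]


def hide_password(password, secret, req_auth):
    """User-Password hiding (RFC 2865 section 5.2): pad to 16-byte blocks and XOR each
    block with MD5(secret + previous block), seeded by the Request Authenticator.
    Only the two ends of one hop know 'secret', so hiding is per hop, not end to end."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ h for p, h in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; chaining uses the received (hidden) block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ h for c, h in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Proves the reply came from the peer on this hop and nothing further upstream."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def wholesale_exchange(nas_secret, proxy_secret, user, password, home_db, proxy_tampers=False):
    """One Access-Request from the NAS through a proxy to the home server and back.
    Returns what the proxy could see and what the NAS ends up trusting."""
    # Hop 1 (NAS -> proxy): password hidden under the NAS/proxy shared secret
    ra1 = os.urandom(16)
    req1 = build(ACCESS_REQUEST, 1, ra1, attr(USER_NAME, user)
                 + attr(USER_PASSWORD, hide_password(password, nas_secret, ra1)))
    # Proxy: must recover the password to re-hide it for hop 2 (proxy -> home server)
    _, _, ra1_rx, a1 = parse(req1)
    seen = reveal_password(parse_attrs(a1)[USER_PASSWORD], nas_secret, ra1_rx)
    ra2 = os.urandom(16)
    req2 = build(ACCESS_REQUEST, 7, ra2, attr(USER_NAME, user)
                 + attr(USER_PASSWORD, hide_password(seen, proxy_secret, ra2)))
    # Home server: check the credential, answer with an authorization attribute
    _, ident2, ra2_rx, a2 = parse(req2)
    got = parse_attrs(a2)
    if home_db.get(got[USER_NAME]) == reveal_password(got[USER_PASSWORD], proxy_secret, ra2_rx):
        code, resp_attrs = ACCESS_ACCEPT, attr(FILTER_ID, b"employee-acl")
    else:
        code, resp_attrs = ACCESS_REJECT, b""
    auth2 = response_authenticator(code, ident2, resp_attrs, ra2_rx, proxy_secret)
    resp2 = build(code, ident2, auth2, resp_attrs)
    # Proxy: verifies hop 2, then writes a brand-new reply for hop 1 (any attribute may change)
    code, ident, auth, attrs2 = parse(resp2)
    hop2_ok = auth == response_authenticator(code, ident, attrs2, ra2, proxy_secret)
    fwd = attr(FILTER_ID, b"guest-acl") if proxy_tampers and code == ACCESS_ACCEPT else attrs2
    resp1 = build(code, 1, response_authenticator(code, 1, fwd, ra1, nas_secret), fwd)
    # NAS: can verify hop 1 only; it cannot tell what the home server actually sent
    code, ident, auth, attrs1 = parse(resp1)
    hop1_ok = auth == response_authenticator(code, ident, attrs1, ra1, nas_secret)
    return {"proxy_saw_password": seen == password, "hop2_verified": hop2_ok,
            "hop1_verified": hop1_ok, "code_at_nas": code,
            "filter_id_at_nas": parse_attrs(attrs1).get(FILTER_ID)}
```

With an EAP method such as EAP-TLS the credential never travels in User-Password, which is one reason the slide recommends strong mutual authentication when untrusted proxies are present; the session key attributes the home server returns are still protected only hop by hop.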

Seamless Mobility
• Many applications can live with a changing IP address as we move; example: HTTP
• But others cannot: TCP-based protocols with long sessions (Telnet, FTP); VPNs (IKE, SSH)
• Mobile IPv6 will eventually provide the solution; MIPv4 difficult to deploy
• But what can we do right now? Dynamic VLANs; tunneling

802.11: Ethernet Marches On
Robert J. Berger
Internet Bandwidth Development, LLC
Thanks to: Cisco, Orinoco, Avaya, Sonic Mobility, Dr. Bernard Aboba of Microsoft for some of the graphics and content (links at end of presentation)