November 2007
Kapil Sood, Intel Corporation
Slide 1
doc.: IEEE 802.11-07/2913r0
Submission
Protecting Associations Attacks – Some Considerations
Date: 2007-11-15
Authors:
Name: Kapil Sood
Company: Intel Corporation
Address: 2111 N.E. 25th Ave, Hillsboro, OR USA
Phone: +1-503-264-3759
Slide 2
Abstract
Analysis and considerations for the design proposed in 11-07-2441-02-000w-sa-teardown-protection.ppt and 11-07-2461-06-000w-sa-teardown-protection-text:
• Security
• Design/Implementation
• Deployment
And some plausible alternatives
Slide 3
802.11w D3.0
11w protects deauths/disassoc, which
• Eliminates a sub-class of DoS attacks
• Removes the mechanism for clients to recover from inadvertent disconnects
• Still leaves the window open for masqueraded Association DoS attacks
– Problem is that the protection of deauth/disassoc does not allow clients to recover
Slide 4
Proposal from 11-07-2441-02: Legitimate Case
• Non-AP STA sends (Re)association
• AP rejects association, but starts ping
• AP pings the STA
• Only failure drops the SA and disables encryption
• STA tries again
[Figure: message sequence between Non-AP STA and AP: Association Request; Association Response (Reject: Try Again Later); Ping Request x3 (pings ignored, response timeout); SA terminated; Association Request; Association Response; EAPOL]
Slide 5
Proposal from 11-07-2441-02: Attacker Case
• Attacker sends (Re)association
• AP pings the STA
• AP stops processing the Association
• AP and STA continue using old association and SA
[Figure: message sequence among Attacker, Non-AP STA and AP: Association Request (from Attacker); Association Response (Reject: Try Again Later); Ping Request; Ping Response (before response timeout)]
Slide 6
Security Considerations
• Cascade “Ping” floods
– Each message by the attacker causes at least 3 messages in the WLAN
– Even legitimate Associations cause multiple messages in the WLAN
• Changes the effects of the Association attack
– From client lockout to a flooding attack
• A new, more lethal attack
– Attacker just needs to modify his script to masquerade all valid STAs on the WLAN and create unstoppable “ping” floods
– What does it do to the (Enterprise) WLAN radio environment?
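As an added illustration (not part of this submission), the toy model below reproduces the ping-based procedure from the Legitimate and Attacker cases and counts the frames one (Re)Association Request triggers, which is the amplification this slide describes; PING_ATTEMPTS, the frame names and the Station/AccessPoint classes are assumptions.

```python
# Added example (not from the submission): toy model of the "ping" SA-teardown
# protection proposal. PING_ATTEMPTS and frame names are assumptions; frames are
# strings appended to ap.log, not real 802.11 frames.
from dataclasses import dataclass, field

PING_ATTEMPTS = 3  # assumed: AP pings three times before treating the SA as dead

@dataclass
class Station:
    mac: str
    has_sa: bool = False  # without the SA the STA cannot answer protected pings

    def answer_ping(self) -> bool:
        return self.has_sa

@dataclass
class AccessPoint:
    associated: dict = field(default_factory=dict)  # mac -> Station holding its SA
    log: list = field(default_factory=list)         # frames AP/STA put on the air

    def on_association_request(self, src_mac: str, owner: Station) -> str:
        # owner = device really holding src_mac's SA; only it can answer pings
        existing = self.associated.get(src_mac)
        if existing is None:  # no SA yet: ordinary association
            self.associated[src_mac] = owner
            owner.has_sa = True
            self.log.append(f"assoc_resp {src_mac} success")
            return "associated"
        self.log.append(f"assoc_resp {src_mac} reject try-again-later")  # SA exists
        for _ in range(PING_ATTEMPTS):  # reject sent, now ping the current SA holder
            self.log.append(f"ping_req {src_mac}")
            if existing.answer_ping():
                self.log.append(f"ping_resp {src_mac}")
                return "sa_kept"  # old association continues, request ignored
        del self.associated[src_mac]  # every ping timed out: drop SA so STA can retry
        existing.has_sa = False
        return "sa_terminated"

def legitimate_reconnect() -> tuple:
    """STA lost its SA (e.g. reboot): pings ignored, SA dropped, retry succeeds."""
    ap, sta = AccessPoint(), Station("sta-1")
    ap.on_association_request("sta-1", sta)
    sta.has_sa = False
    first = ap.on_association_request("sta-1", sta)
    return first, ap.on_association_request("sta-1", sta), len(ap.log)

def spoofed_request() -> tuple:
    """Forged request for a live STA: it answers the ping and keeps its SA."""
    ap, sta = AccessPoint(), Station("sta-1")
    ap.on_association_request("sta-1", sta)
    before = len(ap.log)
    return ap.on_association_request("sta-1", sta), len(ap.log) - before
```

spoofed_request() returns the three frames (reject, ping request, ping response) that every forged request costs the WLAN, while legitimate_reconnect() shows the retry only succeeding after all pings time out.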
Slide 7
Security Considerations
• “Power Drain” Attacks
– On STAs in Power Save Mode
– STAs in Power-Save mode now need to be awoken to respond to these “pings”
• Attacker not only creates floods, but also drains battery
Slide 8
Design/Implementation Considerations
• How will the “Comeback Later” value be set?
– Too long => Legitimate users suffer
– Too short => Serves no useful purpose, as the ping will immediately follow
• Design Complexity
– Association state machine changes lead to a multitude of new client behaviors:
  • STA may start a re-Scan
  • AP Selection: Drop AP in “prohibited” AP-list
  • Power Save algorithms
• Complexity increases implementation costs
Slide 9
Deployment Considerations
• Enterprises need a stable client environment
– Introduction of 11w will immediately cause unknown and different client behaviors
– Serious problem for large enterprises with
  • Multiple vendor products
  • Co-existing voice/video/data WLANs
• “Can I turn off the Association Mitigation feature?”
– Not without turning off the entire 11w!
Slide 10
Deployment Considerations
• What is the operational impact?
– Enterprise study or simulations of the proposal are needed
– How do extra high-priority messages (“ping floods”) impact voice and data WLANs?
• What is the user experience due to association delays?
• Immediate Enterprise problem:
– Control erratic client behavior – Client manageability
– This proposal causes immediate churn
• Where attacks happen – Home/Operator
– Is 11w a home/operator feature?
– Are some parts of 11w more pertinent to home?
Slide 11
Suggestions
• Add Capability Bit to allow 11w deployment flexibility
– Bit 0: TGw mandatory; protects Unicast Action Frames and BIP
– Bit 1: Protects unicast disassociate/deauthenticate/associate
– Capability bit allows enterprises to roll out 11w without drastic changes in client association behavior
• Allow basic client recovery procedures using “ping”
– No enforcement of the “Ping Procedure”
Slide 12
Other Alternatives
An adequate solution for containing such attacks is a difficult proposition. Here are some other preliminary ideas:
• AP to support multiple simultaneous EAP Authentications
• Change the 11i Association handshake procedure
– Authenticate before Associate
Slide 13
Summary
• The current proposal (11-07-2441-02/11-07-2461-06) has significant unmeasured impact
– Security, Design, Deployment, User
• Complexity and costs may deter implementation and deployments
• Mandatory proposed solution may outweigh the perceived benefits of 11w
– For broad adoption: 11w should be incremental, not radical