00-03-0019-00-0000Linksec_Handoff_Issues_r3



May. 2003
doc.: 802_Handoff_Linksec_Presentation
802 Handoff
LinkSec Handoff Issues?
David Johnston
Submission
Slide 1
David Johnston, Intel
(very) Simplified Anatomy of an L3 Handoff
• Down at the link layer, a link breaks
• So, something somewhere up the stack agrees, in its own way, to hand off from one place to another
  – e.g. Mobile IP
• Consequently, down at the link layer, an attachment switches from one place to another
  – Association-authentication-authorization, in one of several possible orders and flavors
  – Either by picking a new attachment point for an interface, or by picking a new interface
• Mobile IP reconnects via the new network attachment
Slide 2
Pre-auth Requirements
• Prior to attempting to authenticate, the mobile node may want to know whether it is worth the effort
  – Does the AP support my L3 network needs?
  – Do I have a payment method, auth protocol or subscription that will work on the candidate AP?
  – Can my QoS needs be met?
• It would be nice for the conduit for this information:
  – To not be blocked prior to authentication
  – To be applicable to diverse 802 network types (MSDU transport)
Slide 3
The blocking behavior of 802.1X
• 802.1X allows access to the MAC
• Blocks access to all LSAPs above the LLC, except for EAPoL, until authentication has completed
  – So only MAC signalling and EAP are available prior to authentication
  – This takes advantage of the common MSDU transport capability of different 802 networks
  – A mechanism applicable to diverse 802 network types could not be codified in existing MAC signaling or EAP
• So current 802 authentication practice constrains the transfer of handoff-related information prior to authentication
Slide 4
EAP Extensions
• Introduce new EAP methods to enable network detection
  – Detection bound to some place in the EAP authentication sequence
  – IETF domain
[Figure: protocol stack EAP / mIP over EAPoL / LLC / MAC / PHY / Medium, with the 802.1X/aa controlled/uncontrolled port; the new features sit in the EAP layer]
Slide 5
EAPoL Extensions
• Amend 802.1aa to add an attachment information service
  – Tied to use of 802.1X in the 802 case
  – IEEE 802.1aa domain
[Figure: protocol stack EAP / mIP over EAPoL / LLC / MAC / PHY / Medium, with the 802.1X/aa controlled/uncontrolled port; the new features sit in the EAPoL layer]
Slide 6
Controlled/Uncontrolled Port Entity (CUPE)
• Add a new entity above the LSAP
  – Uncontrolled port for insecure data/signaling
  – Controlled port otherwise
  – Tied to use of 802.1X in the 802 case
  – IEEE 802 domain
[Figure: protocol stack with a secured controlled port entity (CPE) and an unsecured uncontrolled port entity (UPE) above LLC / MAC / PHY / Medium, 802.1X/aa alongside; EAP, mIP and EAPoL sit above the port entities; the new features sit in the CUPE]
Slide 7
Beacons
• Add new management frames/frame content
  – Uses native 802.[x] management frames for signaling
[Figure: the new thing sits in the MAC; no 802.1X/aa needed]
Slide 8
Scheduling
[Figure: timelines for the EAP-extension and EAPoL-extension options: Attached → EAPoL/EAP exchange → Attached & Connected]
• Attachment information transfer can only happen within a limited range of time during EAPoL operation
• Hypothetically, EAPoL could be invoked during the authenticated state for the purposes of information transfer
Slide 9
Scheduling
[Figure: timelines for the CUPE and Beacons/Probes options: Attached → EAPoL/EAP exchange → Attached & Authorized, with beacons/probes (B/P) available throughout]
• CUPE: information transfer can happen anytime during a connection, with restrictions on what is transferred based on controlled port status
• Beacons/Probes: information transfer can happen anytime the transmitter chooses, assuming the L2 media supports it
Slide 10
Extending the auth model to support handoff
• Extend the set of things unblocked prior to authentication from:
  – MAC signalling
  – EAPoL
• To:
  – MAC signalling
  – EAPoL
  – Non-sensitive handoff-related data
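The following is an added example, not part of the original presentation: a small Python model of the authenticator-side 802.1X port filter described on the blocking-behavior slide, with a switch that adds the "non-sensitive handoff-related data" of this slide to the pre-authentication allow list. It assumes Ethernet II frames, using the EtherType as a stand-in for the LSAP demultiplexing point; the handoff-data EtherType 0x88B5 (one of the IEEE 802 local experimental values) is a hypothetical choice for this example, the MAC addresses and frames are constructed, and the model is deliberately simplified (one supplicant, no key handshake, no EAPOL-Logoff).

```python
"""Added example: 802.1X controlled/uncontrolled port filter, simplified."""
import struct

# Real IEEE 802.1X / EAP constants
ETHERTYPE_EAPOL = 0x888E      # EAPOL frames (IEEE 802.1X)
ETHERTYPE_IPV4 = 0x0800
EAPOL_TYPE_EAP_PACKET = 0     # EAPOL packet type carrying an EAP packet
EAPOL_TYPE_START = 1          # EAPOL-Start
EAP_CODE_SUCCESS = 3          # EAP Success (RFC 3748)
EAP_CODE_FAILURE = 4          # EAP Failure (RFC 3748)

# ASSUMPTION: hypothetical EtherType for non-sensitive handoff data.
# 0x88B5 is an IEEE 802 local-experimental EtherType, used here only so
# the example does not borrow a real protocol's value.
ETHERTYPE_HANDOFF_INFO = 0x88B5

ETH_HDR = struct.Struct("!6s6sH")   # dst, src, EtherType


def parse_ethernet(frame: bytes):
    """Split an Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    return dst, src, ethertype, frame[ETH_HDR.size:]


def eapol_outcome(payload: bytes):
    """Return 'success', 'failure' or None for an EAPOL payload.

    EAPOL header: version(1) type(1) body_length(2); an EAP packet then
    starts with code(1) identifier(1) length(2).
    """
    if len(payload) < 4:
        return None
    _version, eapol_type, body_len = struct.unpack_from("!BBH", payload)
    if eapol_type != EAPOL_TYPE_EAP_PACKET or body_len < 4 or len(payload) < 5:
        return None
    return {EAP_CODE_SUCCESS: "success", EAP_CODE_FAILURE: "failure"}.get(payload[4])


class PortAccessEntity:
    """Authenticator-side model of the controlled/uncontrolled port pair.

    Before authentication only EAPOL (and, if enabled, the hypothetical
    handoff-info EtherType) passes, via the uncontrolled port; everything
    else is dropped. After EAP Success the controlled port is unblocked.
    """

    def __init__(self, allow_handoff_info_preauth: bool = False):
        self.authenticated = False
        self.preauth_allowed = {ETHERTYPE_EAPOL}
        if allow_handoff_info_preauth:
            self.preauth_allowed.add(ETHERTYPE_HANDOFF_INFO)

    def handle(self, frame: bytes) -> str:
        """Classify one frame as 'uncontrolled', 'controlled' or 'dropped'."""
        _dst, _src, ethertype, payload = parse_ethernet(frame)
        if ethertype == ETHERTYPE_EAPOL:
            outcome = eapol_outcome(payload)
            if outcome == "success":
                self.authenticated = True
            elif outcome == "failure":
                self.authenticated = False
            return "uncontrolled"
        if ethertype in self.preauth_allowed:
            return "uncontrolled"
        return "controlled" if self.authenticated else "dropped"


def build_frame(ethertype: int, payload: bytes) -> bytes:
    """Constructed sample frame with placeholder MAC addresses."""
    dst, src = b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee"
    return ETH_HDR.pack(dst, src, ethertype) + payload


def eapol_eap_frame(eap_code: int, identifier: int = 1) -> bytes:
    """Constructed EAPOL frame carrying a minimal 4-octet EAP packet."""
    eap = struct.pack("!BBH", eap_code, identifier, 4)
    eapol = struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    return build_frame(ETHERTYPE_EAPOL, eapol)


def run_scenario(allow_handoff_info_preauth: bool):
    """Replay a constructed pre-auth / handoff / post-auth sequence; return decisions."""
    pae = PortAccessEntity(allow_handoff_info_preauth)
    sequence = [
        ("ip-before-auth", build_frame(ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)),
        ("handoff-info-before-auth", build_frame(ETHERTYPE_HANDOFF_INFO, b"l3=ok;qos=ok")),
        ("eapol-start", build_frame(ETHERTYPE_EAPOL, struct.pack("!BBH", 1, EAPOL_TYPE_START, 0))),
        ("eap-success", eapol_eap_frame(EAP_CODE_SUCCESS)),
        ("ip-after-auth", build_frame(ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)),
    ]
    return [(name, pae.handle(frame)) for name, frame in sequence]


if __name__ == "__main__":
    for allow in (False, True):
        print(f"handoff info allowed before auth = {allow}")
        for name, decision in run_scenario(allow):
            print(f"  {name:26s} -> {decision}")
```

With the switch off, the handoff-information frame is dropped along with the IP frame until EAP Success arrives, which is the blocking behavior the deck complains about; with the switch on, it rides the uncontrolled port before authentication while IP traffic stays blocked, which is the extended set proposed here. Because the uncontrolled port carries unauthenticated traffic, anything admitted this way has to be treated as advisory (a handoff hint, not a trusted assertion), which is why the slide limits it to non-sensitive data.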
Slide 11
So: One requirement
• Don't make it impossible to define the distribution of media-independent handoff decision data prior to authentication
  – Allows mobile nodes to hand off based on good information
  – Enables mobile nodes to choose who they should bother authenticating to
Slide 12
Port == AID?!
• In 802.11 the port is defined to be attached to an association
• Prevents authentication before association
• Is a problem for 802.11 if you have handoff decision data on the uncontrolled port
  – Increases time to access handoff data
  – Leaves only the beacon for public data before auth
    • Limited in size
    • Unsafe to extend
    • Not common across 802
• Can the port not be per mobile MAC address, or some such thing?
Slide 13