Slide 1: Segregated Data Services
Author: D. Eastlake (Motorola)
Date: 2008-01-14
Slide 2: Abstract

802.11 networks frequently handle different communities that need to be provided separate services. In wired networks this is typically done with VLANs. The need varies from distinguishing between “visitors” and “residents” in a home network to much stronger and more complex requirements in enterprise, municipal, and other systems. This presentation provides scenarios and requirement areas for adding segregated data services to IEEE 802.11.
Example Scenario Ia (unified infrastructure, single-interface end stations)

[Diagram: Internet, Firewall and Protected Services behind MAP 1, MAP 2 and AP 2, with a Wired Connection; Local Stations on a Local VLAN and Guest Stations on a Guest VLAN.]
Example Scenario Ib (unified infrastructure, single-interface end stations)

[Diagram: Other Services and an End Point Assessment and Remediation service behind MAP 1, MAP 2 and AP 2, with a Wired Connection; Healthy Stations on a Normal VLAN, and an Infected Station and a New Station on an Assessment and Remediation VLAN.]
Example Scenario II (diverse mesh, multi-interface mesh points)

[Diagram: Internet, Organization 1 Infrastructure and Organization 2 Infrastructure; a mesh of Org 1, Org 2 and Org 3 mesh points (MPs) with Org 1 and Org 2 mesh portals (MPPs); Local Mesh Service, Organization 1 Service and Organization 2 Service carried over the shared mesh.]
Scenario II without segregated data services

[Diagram: the same Org 1, Org 2 and Org 3 mesh points and Org 1 and Org 2 mesh portals, Internet, Organization 1 Infrastructure and Organization 2 Infrastructure; Organization 1 Service and Organization 2 Service can no longer share the mesh.]
Slide 7: Areas

• Work Done or in Process?
  • Advertising Availability of Services
    • In 802.11, “service” = SSID
    • TGu is adding facilities to advertise multiple SSIDs
  • Transit Frame Labelling
    • Just use VLAN ID in an 802.1 C-tag (formerly called Q-tag)?
• New Work?
  • Portal/Link Mapping of Services/VLANs & Priority
    • Must be configurable but should have reasonable defaults
  • Service Location & Multi-Service Connections
    • Primarily relates to mesh and mesh peer links
  • Security
    • Tunnelling a frame through nodes not fully trusted by the end points.
Slide 8: Advertising Availability of Services

• Work in progress: General Advertisement Service (GAS) mechanisms in 802.11 TGu (Interworking with External Networks).
• Includes SSIDC (SSID Container IE) for transmission of multiple SSIDs (with or without multiple BSSIDs) in a single beacon.
Slide 9: Transit Frame Labelling

• Current Practice:
  • The base 802.11 standard explicitly permits an 802.1 C-Tag (formerly Q-Tag) in the payload (802.11-2007 Annex M), but the C-Tag’s priority and VLAN ID fields are currently ignored.
  • VLAN ID seems reasonable for distinguishing frames belonging to different services.
Slide 10: Portal/Link Mapping of Services/VLANs & Priority

• Possible new work:
  • VLAN IDs can probably be coordinated in a BSS or across an ESS. But in a mesh this would be very difficult. So maybe in a mesh the VLAN ID is just a local abbreviation mapped on each peer link hop?
  • Should portals have a configurable mapping, with reasonable defaults, between external priority and 802.11 TID?
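As an added illustration of slides 9 and 10 (example code, not from the presentation or any 802.11 draft): a portal that reads the C-Tag’s VLAN ID to pick the service and maps the tag’s priority (PCP) to an 802.11 TID and access category through a table that is configurable but ships with the 802.11e default. The VLAN-to-service table, the sample frames and the frame builder are constructed here; frames carrying a VID that is reserved or not configured for any service are dropped rather than guessed at.

```python
import struct

TPID_CTAG = 0x8100  # Ethertype of an IEEE 802.1Q C-tag (formerly "Q-tag")

# Default mapping from 802.1D user priority (the tag's PCP) to the 802.11 access
# category, as used by 802.11e/WMM; a portal should let an operator override it.
DEFAULT_UP_TO_AC = {0: "AC_BE", 1: "AC_BK", 2: "AC_BK", 3: "AC_BE",
                    4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}

# Constructed VLAN-to-service table for the Scenario Ia picture (not from the deck).
SERVICE_VLANS = {100: "Local", 200: "Guest"}


def build_tagged_frame(dst, src, pcp, dei, vid, ethertype, payload):
    """Build an 802.1Q-tagged Ethernet frame (used here to construct sample input)."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_CTAG, tci, ethertype) + payload


def parse_ctag(frame):
    """Return (vid, pcp, dei, ethertype, payload) for a tagged frame, None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_CTAG:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, ethertype, frame[18:]


def classify(frame, service_vlans=SERVICE_VLANS, up_to_ac=DEFAULT_UP_TO_AC):
    """Map a frame to (service, 802.11 TID, access category); None means drop it."""
    tag = parse_ctag(frame)
    if tag is None:
        return ("default", 0, up_to_ac[0])  # untagged: best effort on the default service
    vid, pcp, dei, ethertype, payload = tag
    if vid == 0:  # priority-tagged only: carries a priority but no VLAN membership
        return ("default", pcp, up_to_ac[pcp])
    if vid == 0xFFF or vid not in service_vlans:
        return None  # reserved or unconfigured VID: drop, never guess a service
    # The TID (0..7) carries the user priority unchanged; the AC is the configurable part.
    return (service_vlans[vid], pcp, up_to_ac[pcp])
```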
Slide 11: Service Location & Multi-Service Connections

• Possible new work:
  • A legacy station-to-AP link is almost by definition limited to carrying one service. But mesh peer links might carry any service that is transiting the mesh…
  • How does a mesh station (which might have just joined the mesh) find a new service that was not previously transiting the mesh but is offered by some other station/portal?
Slide 12: Security

• Current Practice: Use IPsec or some similar application-level mechanism to protect data end-to-end.
• Possible new work: Optional edge-to-edge security between the original source 802.11 station and the final destination 802.11 station.
Slide 13: Results in Waikoloa

• 11-07/2941r1 presented in the WNG Standing Committee.
• Vote in WNG: Moved, To request the IEEE 802.11 Working Group to approve and forward to the IEEE 802 Executive Committee the creation of a “WLAN Segregated Data Services” Study Group to consider how best to meet requirements as follows and how best to coordinate such activities with 802.1: labeling frames per service; security of data within a service; and the configuration and management of such services.
  • Moved: Donald Eastlake 3rd; Seconded: Guido Hiertz
  • Yes: 22, No: 0, Abstain: 4 (100% approval)
• Vote in the 802.11 Working Group at the Closing Plenary:
  • Yes: 19, No: 9, Abstain: 24 (67.85% approval)
Slide 14: Results in Atlanta

• 11-07/2491r2 presented in the Mid-Week Plenary.
• Motion in the 802.11 Closing Plenary: Moved, To approve and forward to the IEEE 802 Executive Committee for their approval the creation of a “WLAN Segregated Data Services” Study Group to consider how best to meet requirements as follows in 802.11 and how best to coordinate such activities with 802.1: labeling 802.11 frames per service; security of data within such services; and the configuration and management of such services.
  • Moved: Donald Eastlake 3rd; Seconded: Stephen McCann
  • Withdrawn due to several objections that the scope was too broad and unspecific, that the proposed Study Group needs to be rethought, etc.
• This presentation, 11-08/114 in Taipei, tries to be narrower and more specific.
Slide 15: References

• IEEE Standard 802.11-2007 – WLANs
• IEEE Standard 802.1Q-2005 – VLANs
• Draft 802.11s D1.07 – ESS Mesh Networking
• Draft 802.11u D1.02 – Interworking with External Networks