140 likes | 276 Views
Proposed solutions to comments on section 7. Minor comments. Doc 294 Minor comments and resolutions Bad use of “shall” Incorrect cut and paste Not always saying only use ESN functionality if ESN capable Define ID numbers Better diagrams Not clear encrypting only data frames
E N D
Minor comments • Doc 294 • Minor comments and resolutions • Bad use of “shall” • Incorrect cut and paste • Not always saying only use ESN functionality if ESN capable • Define ID numbers • Better diagrams • Not clear encrypting only data frames • Description of usage of elements should be in section 5 not 7 • NULL security to 0.0.0.0 and move rest down • We do not mandate all ESN – make recommended not mandatory
Major comments • Unspecified authentication • Kerberos Optimization • Which elements are in which messages • How Multicast Ciphers are negotiated • ESN without ULA
Unspecified authentication • Use of unspecified authentication to allow 802.1X to decide • WG discussed this before and there were deployments that it was useful for – reject
Kerberos optimization • Information elements are optional, all authentication methods must run without the information elements. • The elements defined are optimized for Kerberos
Beacon • Client may optimize if supplied but if not can find out either via probe or associate/re-associate • ASE optional • UCSE optional • MCSE optional • Realm Name optional • Principal Name optional
Probe Request • Client asks for what it wants to optimize, a STA that is not ESN capable does not supply the elements in the response • 802.11d Request Element containing • ASE, UCSE, MCSE, Realm Name or Principal Name element IDs
Probe Response • If ESN capable must supply whatever elements were asked for in Probe Req Request Element • ASE optional • UCSE optional • MCSE optional • Realm Name optional • Principle Name optional
Associate Request • ASE optional • Left to other STA if not supplied • UCSE optional • Left to other STA if not supplied • MCSE optional • Left to other STA if not supplied • Nonce optional • Authentication methods must be able to handle not having them, but optimize the auth protocol
Associate Response • ASE optional • Must be supplied if defaults not correct and must be within request scope • UCSE optional • Must be supplied if defaults not correct and must be within request scope • MCSE optional • Must be supplied if defaults not correct and must be within request scope • Realm Name optional • Authentication methods must be able to handle not having them, but can be used to optimize the auth protocol • Principle Name optional • Authentication methods must be able to handle not having them, but can be used to optimize the auth protocol • Nonce optional • Authentication methods must be able to handle not having them, but can be used to optimize the auth protocol
Re-associate Request • ASE optional • Left to other STA if not supplied • UCSE optional • Left to other STA if not supplied • MCSE optional • Left to other STA if not supplied
Re-associate Response • ASE optional • Must be supplied if not defaults not correct and must be within request scope • UCSE optional • Must be supplied if not defaults not correct and must be within request scope • MCSE optional • Must be supplied if not defaults not correct and must be within request scope • Realm Name optional • Authentication methods must be able to handle not having them, but optimize the auth protocol • Principle Name optional • Authentication methods must be able to handle not having them, but optimize the auth protocol
UCSE/MCSE • Each STA/STA pair can negotiate a different UCS • The AP decides the MCS and forces all STAs to it (may be based on the first STA) • If MCSE is not specified in response defaults to AES not to UCSE
ESN without ULA • Should AES without ULA is allowed in ESN? • E.g. For IBSS • No allowed, need to support ULA within IBSS