1 / 13

Security Considerations for Protecting Associations from Attacks

This paper analyzes design considerations proposed in the 11-07-2441-02 - 11-07-2461-06 documents for teardown protection. It addresses security implications, deployment challenges, and alternative solutions for safeguarding associations in wireless networks.

hhuffman
Download Presentation

Security Considerations for Protecting Associations from Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Protecting Associations Attacks – Some Considerations Date: 2007-11-15 Authors: Kapil Sood, Intel Corporation

  2. Abstract Analysis and considerations for design proposed in 11-07-2441-02-000w-sa-teardown-protection.ppt and 11-07-2461-06-000w-sa-teardown-protection-text • Security • Design/Implementation • Deployment And, some plausible alternatives Kapil Sood, Intel Corporation

  3. 802.11w D3.0 11w protects deauths/disassoc which • Eliminates a sub-class of DoS attacks • Removes mechanism for clients to recover from inadvertent disconnects • Still leaves the window open for masqueraded Association DoS attacks • Problem is that the protection of deauth/disassoc does not allow clients to recover Kapil Sood, Intel Corporation

  4. Proposal from 11-07-2441-02Legitimate Case • Non-AP STA sends (Re)association • AP rejects association, but starts ping • AP pings the STA • Only failure drops the SA and disables encryption • STA tries again Non-AP STA AP Association Request Association Response Reject: Try Again Later Ping Request ResponseTimeout Ping Request SA Terminated Ping Request Pings Ignored Association Request Association Response EAPOL EAPOL Kapil Sood, Intel Corporation

  5. Proposal from 11-07-2441-02 Attacker Case • Attacker sends (Re)association • AP pings the STA • AP stops processing the Association • AP and STA continue using old association and SA Attacker Non-AP STA AP Association Request Association Response Reject: Try Again Later Ping Request Ping Response ResponseTimeout Kapil Sood, Intel Corporation

  6. Security Considerations • Cascade “Ping” floods • Each message by the attacker causes at least 3 messages in the WLAN • Even legitimate Associations cause multiple messages in the WLAN • Changes the effects of the Association attack • From Client lockout to a flooding attack • A new, more lethal attack • Attacker just needs to modify his script to masquerade all valid STAs on WLAN and send create unstoppable “ping” floods • What does it do to (Enterprise) WLAN radio environment? Kapil Sood, Intel Corporation

  7. Security Considerations • “Power Drain” Attacks • On STAs in Power Save Mode • STAs in Power-Save mode now need to be awoken to respond to these “pings” • Attacker not only creates floods, but also drains battery Kapil Sood, Intel Corporation

  8. Design/Implementation Considerations • How will “Comeback Later” value be set? • Too long => Legitimate users suffer • Too short => Serves no useful purpose, as ping will immediately follow • Design Complexity • Association state machine changes leads to multitude of new client behaviors • STA may start a re-Scan • AP Selection: Drop AP in “prohibited” AP-list • Power Save algorithms • Complexity increases implementation costs Kapil Sood, Intel Corporation

  9. Deployment Considerations • Enterprises need Stable Client environment • Introduction of 11w will immediately cause unknown and different client behaviors • Serious problem for large enterprises with • Multiple vendor products • Co-existing voice/video/data WLANs • “Can I turn-off Association Mitigation feature?” • Not without turning off entire 11w! Kapil Sood, Intel Corporation

  10. Deployment Considerations • What is the operational impact • Enterprise Study or Simulations of the proposal is needed • How do extra high priority messages (“ping floods”) impact voice and data WLANs? • What is User experience due to association delays • Immediate Enterprise problem: • Control erratic client behavior – Client Manageability • This proposal causes immediate churn • Where attacks happen – Home/Operator • Is 11w a home/operator feature? • Are some parts of 11w more pertinent to home? Kapil Sood, Intel Corporation

  11. Suggestions • This proposal not be accepted owing to the above considerations • More work needed • Add Capability Bit to allow 11w deployment flexibility • Bit 0: TGw mandatory protects Unicast Action Frames and BIP • Bit 1: Protects unicast disassociate/deauthenticate/associate • Capability bit allows enterprises to roll-out 11w without drastic client association behavior • Allow basic Client recovery procedures using “ping” • No enforcement of the “Ping Procedure” Kapil Sood, Intel Corporation

  12. Other Alternatives An adequate solution for containing such attacks is a difficult proposition. Here are preliminary other ideas: • AP to support multiple simultaneous EAP Authentications • Change the 11i Association handshake procedure • Authenticate before Associate Kapil Sood, Intel Corporation

  13. Summary • The current proposal (11-07-2441-02/11-07-2461-06) has significant unmeasured impact • Security, Design, Deployment, User • Complexity and Costs may deter implementation and deployments • Mandatory proposed solution may out-weigh the perceived benefits of 11w • For broad adoption: 11w should be incremental, not radical Kapil Sood, Intel Corporation

More Related