This presentation analyzes the design proposed in the 11-07-2441-02 and 11-07-2461-06 documents for security association (SA) teardown protection. It addresses the security implications, deployment challenges, and alternative solutions for safeguarding associations in 802.11 wireless networks.
Protecting Associations Attacks – Some Considerations
Date: 2007-11-15
Authors: Kapil Sood, Intel Corporation
Abstract
Analysis and considerations for the design proposed in 11-07-2441-02-000w-sa-teardown-protection.ppt and 11-07-2461-06-000w-sa-teardown-protection-text:
• Security
• Design/Implementation
• Deployment
And some plausible alternatives.
802.11w D3.0
11w protects deauthentication/disassociation frames, which:
• Eliminates a sub-class of DoS attacks
• Removes the mechanism clients use to recover from inadvertent disconnects
• Still leaves the window open for masqueraded Association DoS attacks
• The problem: protecting deauth/disassoc does not by itself give clients a way to recover
Proposal from 11-07-2441-02: Legitimate Case
• Non-AP STA sends (Re)association
• AP rejects the association, but starts a "ping"
• AP pings the STA
• Only a failed ping drops the SA and disables encryption
• STA tries again

Message flow (Non-AP STA, AP):
  STA -> AP: Association Request
  AP -> STA: Association Response (Reject: Try Again Later)
  AP -> STA: Ping Request
  (Response Timeout)
  AP -> STA: Ping Request
  (SA Terminated)
  AP -> STA: Ping Request (pings ignored by the STA, which holds no SA)
  STA -> AP: Association Request
  AP -> STA: Association Response
  STA <-> AP: EAPOL, EAPOL
Proposal from 11-07-2441-02: Attacker Case
• Attacker sends (Re)association (masquerading as the STA)
• AP pings the STA
• AP stops processing the Association
• AP and STA continue using the old association and SA

Message flow (Attacker, Non-AP STA, AP):
  Attacker -> AP: Association Request (spoofed STA address)
  AP -> STA: Association Response (Reject: Try Again Later)
  AP -> STA: Ping Request
  STA -> AP: Ping Response (within the Response Timeout; SA retained)
Security Considerations
• Cascading "ping" floods
  • Each message by the attacker causes at least 3 messages in the WLAN
  • Even legitimate Associations cause multiple messages in the WLAN
• Changes the effect of the Association attack
  • From client lockout to a flooding attack
  • A new, more lethal attack
  • The attacker only needs to modify his script to masquerade all valid STAs on the WLAN and create unstoppable "ping" floods
• What does this do to the (enterprise) WLAN radio environment?
Security Considerations
• "Power Drain" attacks
  • On STAs in Power Save mode
  • STAs in Power Save mode now need to be awoken to respond to these "pings"
  • The attacker not only creates floods, but also drains batteries
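The following simulation is an added illustration for the two message-flow slides and the flood/power-drain considerations above; it is not code from the presentation or from any 802.11 implementation. It models the AP-side "ping" procedure (temporary reject, ping the SA holder, drop the SA only on a missed response) and counts the frames the WLAN emits per spoofed Association Request. Frame names, timer values and station addresses are assumptions chosen for the model.

```python
"""Toy model of the AP-side "ping" procedure from 11-07-2441-02 and of the
message amplification and power-drain it causes. Added illustration; timers,
frame names and addresses are assumptions, not values from the proposal."""
from dataclasses import dataclass, field

COMEBACK_TIME = 1.0   # seconds the AP asks the STA to wait ("Try Again Later"); assumed
PING_TIMEOUT = 0.5    # seconds the AP waits for a Ping Response; assumed


@dataclass
class Frame:
    kind: str        # "AssocResp", "PingReq", "PingResp" or "EAPOL"
    src: str
    dst: str
    note: str = ""


@dataclass
class AP:
    sa: dict = field(default_factory=dict)       # STA address -> True while an SA exists
    pending: dict = field(default_factory=dict)  # STA address -> Ping Response deadline
    air: list = field(default_factory=list)      # every frame the WLAN put on the medium

    def handle_assoc_request(self, sta, now):
        """(Re)association Request whose source address is `sta` (possibly spoofed)."""
        if sta in self.sa:
            # Existing SA: do not tear it down; reject temporarily and ping the SA holder.
            self.air.append(Frame("AssocResp", "AP", sta, f"Reject: try again in {COMEBACK_TIME}s"))
            self.air.append(Frame("PingReq", "AP", sta))
            self.pending[sta] = now + PING_TIMEOUT
            return "rejected_pinging"
        # No SA: normal association followed by the key handshake.
        self.air.append(Frame("AssocResp", "AP", sta, "Success"))
        self.air.append(Frame("EAPOL", "AP", sta))
        self.sa[sta] = True
        return "associated"

    def handle_ping_response(self, sta, now):
        """A protected Ping Response proves the SA holder is alive: keep the SA."""
        if sta in self.pending and now <= self.pending[sta]:
            del self.pending[sta]
            return True
        return False

    def tick(self, now):
        """Only a missed Ping Response drops the SA and disables encryption."""
        for sta, deadline in list(self.pending.items()):
            if now > deadline:
                del self.pending[sta]
                del self.sa[sta]


@dataclass
class STA:
    addr: str
    has_sa: bool              # False once the STA lost its state (inadvertent disconnect)
    power_save: bool = False
    wakeups: int = 0          # times the STA had to leave Power Save to handle a ping

    def on_frame(self, frame, ap, now):
        if frame.dst != self.addr or frame.kind != "PingReq":
            return
        if self.power_save:
            self.wakeups += 1
        if self.has_sa:       # without an SA no valid protected response exists: ping ignored
            ap.air.append(Frame("PingResp", self.addr, "AP"))
            ap.handle_ping_response(self.addr, now)


def deliver(ap, stas, now, start):
    """Hand every frame queued since index `start` to the stations."""
    for frame in ap.air[start:]:
        for sta in stas:
            sta.on_frame(frame, ap, now)


def legitimate_case():
    """STA lost its SA (e.g. reboot) while the AP still holds one."""
    ap = AP()
    ap.sa["sta1"] = True
    sta = STA("sta1", has_sa=False)
    first = ap.handle_assoc_request("sta1", now=0.0)
    deliver(ap, [sta], now=0.0, start=0)
    ap.tick(now=PING_TIMEOUT + 0.1)          # no Ping Response: SA terminated
    second = ap.handle_assoc_request("sta1", now=COMEBACK_TIME)
    return first, second, "sta1" in ap.sa


def attacker_case(victim_in_power_save=False):
    """Attacker sends one Association Request carrying the victim's address."""
    ap = AP()
    ap.sa["sta1"] = True
    victim = STA("sta1", has_sa=True, power_save=victim_in_power_save)
    result = ap.handle_assoc_request("sta1", now=0.0)
    deliver(ap, [victim], now=0.0, start=0)
    ap.tick(now=PING_TIMEOUT + 0.1)          # response arrived in time: nothing expires
    # Every frame on the air was caused by that single spoofed request.
    return result, "sta1" in ap.sa, len(ap.air), victim.wakeups


def flood_amplification(n_victims, rounds):
    """Attacker masquerades every associated STA `rounds` times; WLAN frames per attacker frame."""
    ap = AP()
    victims = [STA(f"sta{i}", has_sa=True) for i in range(n_victims)]
    for v in victims:
        ap.sa[v.addr] = True
    attacker_frames = 0
    for _ in range(rounds):
        for v in victims:
            start = len(ap.air)
            ap.handle_assoc_request(v.addr, now=0.0)
            attacker_frames += 1
            deliver(ap, victims, now=0.0, start=start)
    return len(ap.air) / attacker_frames


if __name__ == "__main__":
    print("legitimate:", legitimate_case())
    print("attacker:", attacker_case(victim_in_power_save=True))
    print("WLAN frames per attacker frame:", flood_amplification(n_victims=10, rounds=3))
```

In the attacker case the SA survives and the victim is never disconnected, which is the proposal's goal, but the single spoofed request has already produced three frames on the medium (Association Response, Ping Request, Ping Response) and, for a victim in Power Save, one forced wake-up; repeating the request against every associated station keeps that 3:1 ratio regardless of the comeback timer.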
Design/Implementation Considerations
• How will the "Comeback Later" value be set?
  • Too long => legitimate users suffer
  • Too short => serves no useful purpose, as the ping will immediately follow
• Design complexity
  • Association state machine changes lead to a multitude of new client behaviors
    • STA may start a re-scan
    • AP selection: drop the AP into a "prohibited" AP list
    • Power Save algorithms
  • Complexity increases implementation costs
Deployment Considerations
• Enterprises need a stable client environment
• Introduction of 11w will immediately cause unknown and different client behaviors
• Serious problem for large enterprises with
  • Multiple vendor products
  • Co-existing voice/video/data WLANs
• "Can I turn off the Association Mitigation feature?"
  • Not without turning off all of 11w!
Deployment Considerations
• What is the operational impact?
  • An enterprise study or simulation of the proposal is needed
  • How do extra high-priority messages ("ping floods") impact voice and data WLANs?
  • What is the user experience due to association delays?
• Immediate enterprise problem:
  • Controlling erratic client behavior (client manageability)
  • This proposal causes immediate churn
• Where attacks happen: home/operator
  • Is 11w a home/operator feature?
  • Are some parts of 11w more pertinent to the home?
Suggestions
• This proposal should not be accepted, owing to the above considerations
• More work is needed
• Add a capability bit to allow 11w deployment flexibility
  • Bit 0: TGw mandatory; protects unicast Action frames and BIP
  • Bit 1: protects unicast disassociate/deauthenticate/associate
  • The capability bit allows enterprises to roll out 11w without drastic changes to client association behavior
• Allow basic client recovery procedures using the "ping"
  • No enforcement of the "Ping Procedure"
Other Alternatives
An adequate solution for containing such attacks is a difficult proposition. Here are some preliminary other ideas:
• AP to support multiple simultaneous EAP authentications
• Change the 11i Association handshake procedure
• Authenticate before Associate
Summary
• The current proposal (11-07-2441-02/11-07-2461-06) has significant unmeasured impact
  • Security, design, deployment, user
• Complexity and costs may deter implementation and deployment
• A mandatory proposed solution may outweigh the perceived benefits of 11w
• For broad adoption: 11w should be incremental, not radical