This motion proposes editorial changes and addresses comments on the IEEE 802.11i document to improve key management services and authentication methods in wireless LANs.
Some LB 62 Motions
January 13, 2003
Jesse Walker, Intel Corporation
Motion 1
• Motion: IEEE 802.11 Task Group I adopts 802_11i-D7.1.doc as the basis for further work
• Note: Adoption of this motion would accept the following editorial changes: 4-22, 25, 27, 29-52, 54-57, 59-74, 76-122, 124-153, 155-161, 163, 165-167, 171-180, 184, 188, 192, 195, 197, 204-206, 210, 214, 215, 225, 226, 238, 241, 257, 300, 316, 330, 333, 340-342, 348, 390, 394, 395, 408, 409, 411-413, 422, 423, 432-453, 455-457, 460-472, 479, 481-484, 491, 492, 494, 497, 501, 503, 504, 508, 514, 516-519, 531-537, 541, 542, 544-553, 556, 559-574, 576, 578, 579, 585, 588, 590, 593, 594, 609, 610, 614, 631-633, 636-638, 640-643, 645, 647, 648, 650, 652, 654, 656, 658-663, 672, 679-682, 688, 689, 691, 693-700, 702, 703, 705, 707, 712.
Motion 2: Comment 298
• Comment 298 observes that 802.1X does not provide key management services.
• Motion: Address Comment 298 on 5.1.1.4 by adopting the text: In an RSNA, IEEE 802.11 provides functions to protect Data frames, IEEE 802.1X provides authentication and frame filtering, and IEEE 802.11 and IEEE 802.1X collaborate to provide key management.
Motion 3: Comment 292
• Comment 295 asks that we bring 802.11i’s usage of 802.1X into line with 802.1X.
• Motion: Address Comment 292 on 5.2.2.2 by adopting the text it suggests: The first component is an IEEE 802.1X Port Access Entity (PAE). PAEs are present on all STAs in an RSNA and control the forwarding of data to and from the MAC. The PAE in an AP adopts the Authenticator role, while the PAEs in other STAs in the BSS adopt the Supplicant role. In an IBSS, the PAE in each STA adopts both roles simultaneously.
Motion 4: Comments 284, 285
• Motion: Address Comments 284, 285 by replacing the text from 5.4.2.2: Once the IEEE 802.1X AKM completes successfully, the IEEE 802.1X Controlled Port unblocks to allow data traffic
• with the text: Once the AKM completes successfully, data protection is enabled to prevent unauthorized access, and the IEEE 802.1X Controlled Port unblocks to allow protected Data traffic.
Motion 5: Comment 295
• Motion: Address Comment 295 by replacing the text from 5.4.3.2 with: No facilities are provided to move an RSNA during Reassociation, so the old RSNA will be deleted, and a new RSNA will need to be constructed.
Motion 6: Comment 296
• Comment 296 observes that the 1st paragraph we are adding to 5.4.3 does not make sense.
• Motion: Address Comment 296 by replacing the 1st paragraph we are adding with: In a WLAN that does not support the establishment of RSNAs, Authentication and Confidentiality services were defined with the intention of providing similar security characteristics to those achieved by restricting physical access to a wired LAN. A wired LAN provides a level of Authentication, as only users with physical access to the LAN can connect, and a level of Confidentiality, as only users with physical access can monitor data flows.
Motion 7: Comments on 5.4.3.2
• Motion: Address Comments 221-223, 299, and 548 by replacing the body of 5.4.3.2 with the text:
IEEE 802.11 attempts to control LAN access via the authentication service. IEEE 802.11 authentication is an SS. This service may be used by all STAs to establish their identity to STAs with which they communicate, in both ESS and IBSS networks. If a mutually acceptable level of authentication has not been established between two STAs, an association shall not be established.
IEEE 802.11 authentication operates at the link level between IEEE 802.11 STAs. IEEE 802.11 does not provide either end-to-end (message origin to message destination) or user-to-user authentication.
IEEE 802.11 defines two authentication methods, Open System Authentication and Shared Key Authentication. Open System Authentication admits any STA to the LAN. Shared Key Authentication relies on WEP to demonstrate knowledge of a WEP encryption key. The IEEE 802.11 authentication mechanism also allows definition of new authentication methods.
An RSNA also supports authentication based on IEEE 802.1X, or Pre-Shared Keys (PSKs). IEEE 802.1X authentication utilizes the Extensible Authentication Protocol (EAP, RFC 2284) to authenticate STAs and the AS with one another. This standard does not specify a mandatory-to-implement EAP method. Clause 8.4.4 describes the IEEE 802.1X Authentication and PSK within IEEE 802.11 IBSS.
In an RSNA, IEEE 802.1X Supplicants and Authenticators exchange protocol information via the IEEE 802.1X Uncontrolled Port. The IEEE 802.1X Controlled Port is blocked from passing general data traffic between the STA and the AP until an IEEE 802.1X authentication procedure completes successfully over the IEEE 802.1X Uncontrolled Port.
The Open System Authentication algorithm is used in both BSS and IBSS RSNA, though Open System Authentication is optional in an RSNA IBSS. RSNA disallows the use of Shared Key Authentication.
Management information base (MIB) functions are provided to support the standardized authentication schemes. A STA may be authenticated with many other STAs at any given instant.
Comments 302, 574, 672
• Motion: Make 5.4.3.2 read: The deauthentication service is invoked when an existing authentication is to be terminated. Deauthentication is an SS. In an ESS, because IEEE 802.11 authentication is a prerequisite for Association, the act of deauthentication shall cause the STA to be disassociated. The deauthentication service may be invoked by either authenticated party (non-AP STA or AP). Deauthentication is not a request; it is a notification. Deauthentication shall not be refused by either party. When an AP sends a deauthentication notice to an associated STA, the association shall also be terminated. In an RSNA, Deauthentication also destroys any related PTKSAs and GTKSAs that exist in the STA and closes the associated IEEE 802.1X Controlled Port. If PMK caching is not enabled, Deauthentication also destroys the PMKSA from which the deleted PTKSA was derived. Note that the existence of IEEE 802.11 Authentication is not a prerequisite for invoking the Deauthentication service in the IBSS case.
Comment 225
• Motion: In 5.4.3.3, replace: If this default is not acceptable to one party or the other, data frames shall not be successfully communicated between the LLC entities.
• with: If this policy is unacceptable to the sender, it shall not send Data frames, and if unacceptable to the receiver, it shall discard received Data frames.
Comment 303
• “Automatic and manual” key management methods discussed in 5.4.3.4 are not defined
• Motion: Reword 5.4.3.4 as: The enhanced confidentiality, data authentication, and replay protection mechanisms require fresh cryptographic keys. The procedures described in this document provide fresh keys by means of the 4-Way and Group Key Handshakes.
Comment 304
• Motion: In 5.4.3.5, replace: The data origin authenticity mechanism defines a means by which a STA that receives a Data frame from another STA can determine that the MSDU actually originated from that STA
• with: The data origin authenticity mechanism defines a means by which a STA that receives a Data frame can determine which STA actually transmitted the MPDU.
Comment 305
• Motion: Replace current text of 802.11i D7.1 Clause 5.6 with: In an IBSS, each STA must enforce its own security policy. In an ESS, the AP can enforce a uniform security policy across all STAs.
Comments 308, 309
• Motion: replace Figure 11 with the Figure on this slide
[Figure on slide, reconstructed from its labels: Data Link Layer: Station Management Entity; MAC Layer Management Entity (MLME_SAP, MLME-PLME_SAP); 802.1X PAE in Authenticator/Supplicant Role with the 802.1X Controlled Port and 802.1X Uncontrolled Port; RSNA Key Management; MAC (MAC_SAP). Physical Layer: PLCP and PMD (PHY_SAP, PMD_SAP); Phy Layer Management Entity (PLME_SAP).]
Comment 310
• Motion: Revise 5.9 as follows: An RSNA relies on IEEE 802.1X to provide AKM services. The IEEE 802.1X access control mechanisms apply to the association between a STA and an AP, and the IBSS STA to STA peer relationship. The AP performs the Authenticator and, optionally, the Supplicant (for a WDS) and Authentication Server roles. In an ESS, a non-AP STA performs the Supplicant role. In an IBSS, a STA takes on both the Supplicant and Authenticator roles, and may take on the Authentication Server role.
Comments 228, 311, 312
• Motion: Delete the sentence: IEEE 802.1X Supplicants and Authenticators exchange protocol information via the IEEE 802.1X Uncontrolled Port. from the 1st paragraph of 5.9.1
Comment 314
• Motion: Delete the clause: and optionally to transmit and receive unicast packets from the following paragraph of 5.9.2: If the Authenticator later changes the GTK, it sends the new GTK and GTK sequence number to the Supplicant using the Group Key Handshake, to allow the Supplicant to continue to receive broadcast messages, and optionally to transmit and receive unicast frames. EAPOL-Key frames are used to carry out this exchange. See Figure 4.
Comment 226
• Motion: delete the parenthetical clause “(for a WDS)” from clause 5.9.
Comment 286
• Motion: In clause 5.9 replace the text: An RSNA relies on IEEE 802.1X to provide AKM services.
• with: An RSNA relies on IEEE 802.1X to provide authentication services, and uses the IEEE 802.11 AKM defined in clause 8.5 to provide key management services.
Comment 310
• Motion: Replace the sentence: In an IBSS, a STA can take on the Supplicant, Authenticator and Authentication Server roles.
• at the end of the 1st paragraph in 5.9.3 with: In an IBSS, a STA takes on both the Supplicant and Authenticator roles, and may take on the Authentication Server role.
Comment 316
• Motion: Replace the 2nd paragraph of 5.9.3.1 with: In an IBSS, every STA generates its own GTK which it uses for encrypting the group addressed frames it sends. This GTK is given to the other STAs in the IBSS during the 4-Way Handshake so that they can decrypt the frames.
Comment 551
• Motion: add the blue asterisks and the line in blue to Figure 1
[Figure 1 as shown on the slide, exchange between STA and AP:
STA → AP: IEEE 802.11 Probe Request*
AP → STA: IEEE 802.11 Probe Response (Security Parameters)*
STA → AP: IEEE 802.11 Open System authentication Request
AP → STA: IEEE 802.11 Open System authentication Response
STA → AP: IEEE 802.11 Association Request (Security Parameters)
AP → STA: IEEE 802.11 Association Response
IEEE 802.1X Controlled Port Blocked.
* A Beacon can report the Security Parameters instead of a Probe Request/Response pair]
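The sequence in Figure 1, the Controlled Port rule of Motion 4, the sender/receiver policy of Comment 225, the Reassociation rule of Motion 5 and the Deauthentication clean-up of Comments 302/574/672 together describe one state machine on the non-AP STA side. The toy model below is an added example, not text from 802.11i D7.1 and not code from any supplicant implementation; it assumes a constructed AP name "ap-1", a constructed PMK, and a stand-in key derivation (HMAC-SHA256 over random nonces) in place of the 802.11i PRF. It shows where data is gated and what survives a deauthentication with and without PMK caching.

```python
# Added toy model of the non-AP STA side of an ESS RSNA lifecycle (not 802.11i text,
# not vendor code). Key derivation, AP names and the PMK are constructed stand-ins.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class State(Enum):
    IDLE = auto()           # no IEEE 802.11 authentication with any AP
    AUTHENTICATED = auto()  # Open System Authentication done (admits any STA)
    ASSOCIATED = auto()     # associated; AKM pending, Controlled Port blocked
    RSNA = auto()           # AKM complete; Controlled Port unblocked, data protected


@dataclass
class NonApSta:
    pmk_caching: bool = False
    state: State = State.IDLE
    ap: Optional[str] = None
    controlled_port_open: bool = False
    pmksa: Optional[bytes] = None   # PMK for the current AP (from 802.1X/EAP or the cache)
    ptksa: Optional[bytes] = None   # pairwise key from the 4-Way Handshake
    gtksa: Optional[bytes] = None   # group key delivered by the Authenticator
    pmk_cache: dict = field(default_factory=dict)  # AP name -> cached PMK

    def open_system_authenticate(self, ap: str) -> None:
        self.ap = ap
        self.state = State.AUTHENTICATED

    def associate(self) -> None:
        # No mutually acceptable authentication, no association.
        if self.state is not State.AUTHENTICATED:
            raise RuntimeError("association requires prior IEEE 802.11 authentication")
        self.state = State.ASSOCIATED
        self.controlled_port_open = False  # blocked until the AKM completes

    def complete_akm(self, pmk: Optional[bytes] = None) -> None:
        # PMKSA comes from a fresh 802.1X run or, if caching kept one, from the cache.
        if self.state is not State.ASSOCIATED:
            raise RuntimeError("the AKM runs over the Uncontrolled Port after association")
        if pmk is None:
            pmk = self.pmk_cache.get(self.ap)
        if pmk is None:
            raise RuntimeError("no PMK: a full IEEE 802.1X authentication is needed")
        self.pmksa = pmk
        nonces = os.urandom(32)  # stands in for ANonce || SNonce of the 4-Way Handshake
        self.ptksa = hmac.new(pmk, b"pairwise" + nonces, hashlib.sha256).digest()
        self.gtksa = os.urandom(16)  # the Authenticator's GTK, delivered to us, not derived
        self.controlled_port_open = True
        self.state = State.RSNA

    def can_send_data(self) -> bool:
        # Sender side of Comment 225: without an open port and a PTKSA, send nothing.
        return self.controlled_port_open and self.ptksa is not None

    def _delete_rsna(self) -> None:
        # Destroy PTKSA and GTKSA, close the Controlled Port, and drop the PMKSA
        # unless PMK caching keeps it for a later reconnection to the same AP.
        if self.pmk_caching and self.pmksa is not None and self.ap is not None:
            self.pmk_cache[self.ap] = self.pmksa
        self.ptksa = self.gtksa = self.pmksa = None
        self.controlled_port_open = False

    def deauthenticate(self) -> None:
        self._delete_rsna()  # in an ESS, deauthentication also disassociates
        self.state, self.ap = State.IDLE, None

    def reassociate(self, new_ap: str) -> None:
        # Motion 5: the RSNA is not moved; the old one is deleted and a new one built.
        self._delete_rsna()
        self.open_system_authenticate(new_ap)
        self.associate()


def walkthrough(pmk_caching: bool) -> dict:
    # Connect, deauthenticate, then reconnect without a new EAP run; report what was gated.
    sta = NonApSta(pmk_caching=pmk_caching)
    sta.open_system_authenticate("ap-1")   # constructed AP name
    sta.associate()
    before_akm = sta.can_send_data()
    sta.complete_akm(pmk=b"\x11" * 32)     # constructed PMK standing in for an EAP result
    after_akm = sta.can_send_data()
    sta.deauthenticate()
    after_deauth = (sta.state, sta.controlled_port_open, sta.ptksa, sta.gtksa, sta.pmksa)
    sta.open_system_authenticate("ap-1")
    sta.associate()
    try:
        sta.complete_akm()                  # only the PMK cache can supply a PMK here
        reconnected = True
    except RuntimeError:
        reconnected = False
    return {"before_akm": before_akm, "after_akm": after_akm,
            "after_deauth": after_deauth, "reconnected_from_cache": reconnected}


def association_without_authentication_is_refused() -> bool:
    try:
        NonApSta().associate()
    except RuntimeError:
        return True
    return False
```

Running `walkthrough(False)` shows the port blocked after association and open only after the AKM, and that a deauthentication leaves no PTKSA, GTKSA or PMKSA behind, so the reconnection fails until 802.1X runs again; with `walkthrough(True)` the cached PMKSA lets the second AKM complete without a fresh EAP exchange, which is exactly the distinction the Comment 302/574/672 text draws.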
Comment 673
• Motion: Remove the “extra” vertical line from Figure 2, to bring it into conformity with the other figures
Comment 608
• Motion: label the arrows in Figure 5 to indicate who initiates
Comments 674, 675
• Motion: Make the dashed vertical lines in Figures 5 and 6 solid, to bring them into conformity with the other figures