IEEE 802.11/JTC1 Engagement
Jesse Walker, IEEE 802 Liaison to JTC1/SC6

Jesse Walker, Liaison to JTC1/SC6
Agenda
• Goals
• Status
• Discussion of Backup material
• Next Steps
• Backup
  • Liaison Presentation to JTC1/SC6 in October
  • Strawman response to JTC1/SC6 Input
  • Strawman response to China’s submission
  • Strawman response to China’s 802.11i comments
Goals
• Develop response to input from JTC1/SC6
• Develop separate response to China
  • To their submission
  • To their 802.11i comments
• Develop position for Frankfurt meeting
• Authorize responses and position at January 2005 IEEE 802.11 Meeting
Status (1)
• China has submitted WAPI to ISO/IEC JTC1/SC6 for consideration as an international standard
  • China’s right as a National Body
  • Under its rules, JTC1/SC6 must vote on whether to accept such a work item from National Bodies
• At the October JTC1/SC6 meeting IEEE 802 welcomed China’s contribution as an optional standard complementing 802.11i
  • WAPI implementation is still optional under China’s policy
  • IEEE 802 feels the market can decide when to use which security standard
  • Compatibility with the rest of 802.11 is the most important issue
• JTC1/SC6 has not removed 802.11i from fast track adoption
• JTC1/SC6 has forwarded China’s text to IEEE 802 for processing
  • Through an administrative error, the JTC1/SC6 Secretariat (Ms. Jooran Lee, Korea) removed China’s submission
  • The JTC1/SC6/WG1 Project Editor (Mr. Robin Tasker, U.K.) has invited China to resubmit its proposal
Status (2)
• JTC1/SC6 resolution on WAPI:
  • “SC6 instructs its Secretariat to forward the Chinese NB contribution (National Standard of China, GB15629.11) found in 6N12687 to the IEEE 802 (and specifically IEEE 802.11) for information.”
• Documents forwarded:
  • 6N12687: doc 11/04 1535 r0 (WAPI)
  • ChinaCommentB: doc 11/04 1537 r0 (Spectrum rules)
  • 6N12732: doc 11/04 1536 (China’s comments on 802.11i)
• JTC1/SC6 authorized a meeting of WG1 in Frankfurt
  • February 21-25, 2005
  • Purpose: Discuss China’s submission and China’s comments on 802.11i
Discussion
• See backup material
  • 802 Liaison presentation to October JTC1/SC6 meeting
  • Strawman response to JTC1/SC6 input
  • Strawman response to China’s submission
  • Strawman response to China’s 802.11i comments
Next Steps
• Create ad hoc Task Group to draft response to JTC1/SC6
  • Chair:
• Create ad hoc Task Group to draft response to China’s submission
  • Chair:
• Create ad hoc Task Group to draft response to China’s 802.11i comments
  • Chair:
• Next meeting: 12 PM EST, January 13, 2005
  • Agenda: take reports on progress in ad hoc Task Groups
Backup
802 Liaison Presentation at October JTC1/SC6 Meeting
IEEE Preliminary Liaison Response to China Position Statement and Work Item Proposal 6 N 12687
Bruce Kraemer, IEEE 802.11 Task Group n Chair
Al Petrick, IEEE 802.11 Working Group Vice Chair
Jesse Walker, IEEE Standard 802.11i Editor
Preliminary Response
• IEEE fully supports China’s desire to improve WLAN security beyond what was originally provided by Wired Equivalent Privacy (WEP) in 1999
• IEEE 802 members recently invested >3 years in the development of the 802.11i extensions to dramatically improve security (N7537)
  • WEP was not removed; 802.11i features were added
  • Security development is not complete and continues to evolve within the 802.11 Advanced Security study group
• N7506 and N7537 are not mutually exclusive. Both can reside within 8802-11 as security mechanisms and be invoked when and where needed.
Preliminary Response
• The IEEE 802 WG offers its full range of expertise to assist in the development of additional security systems that are both robust and well integrated into the IEEE Std 802.11 environment
• The IEEE 802 WG wishes to ensure the broadest worldwide participation of all interested technical experts
• The IEEE 802 WG is very receptive to holding meetings in Asia and has already done so for groups such as 802.16, to better enable Chinese experts to engage in IEEE 802 standards work
  • 802.11 is making arrangements for a meeting in Beijing in May 2005
• The IEEE 802.11 WG will be discussing the details of the Chinese comments (N12732) and a more formal IEEE Liaison Response in San Antonio the week of November 15.
  • Request the email addresses of those who prepared N12732 to continue the discussion
  • Liaison responses will be provided to SC6 soon thereafter
Preliminary Response
WAPI’s success will require technical review by or collaboration with the IEEE 802.11 WG
• The IEEE 802.11 standards process requires:
  • Extensions be forward compatible with all on-going and planned amendments to IEEE Std 802.11
  • No single amendment can break any other amendment
Technical review inevitably leads to changes
• The IEEE 802.11 WG needs ongoing participation by China’s experts to guarantee it does not break any critical WAPI feature
Preliminary Response
Not all meetings can be held in Beijing
• The IEEE 802 WG will continue to issue letters of invitation as requested
• The IEEE 802 WG will investigate methods to expedite the issuance of visas
• All technical documents are available via the internet
• If requested, ISO participants can be added to the 802.11 reflectors
Preliminary Response
The core technical expertise for WLAN currently resides within the membership of the IEEE 802.11 WG
• 6 times per year 500 people from around the world convene for this purpose.
• Email and teleconferences enable development to continue between meetings.
• SC6 has recognized that this scale of effort cannot be replicated
The IEEE 802 WG wishes China’s delegates to note that security is not the only topic of development. 15 projects are currently underway to improve and extend the capabilities of WLANs. Most of those will be brought to ISO for incorporation into 8802-11. China is not contributing to those developments.
• The IEEE 802 WG wishes to better understand under what conditions China would consider contributing to and participating in all aspects of WLAN development
Strawman Response to JTC1/SC6
Response to JTC1/SC6
• IEEE 802 thanks JTC1/SC6 for its inputs
• IEEE 802 offers to initiate the process leading to the creation of an IEEE 802.11 Task Group to process China’s submission in 6N12687 and ChinaCommentB as an amendment to IEEE 802.11
  • The amendment would add China’s National Standard as an alternative security method to IEEE 802.11i, not replace IEEE 802.11i
  • On completion, IEEE 802 would forward the amendment to JTC1/SC6 for ratification
  • Based on similar work (incorporation of Japan’s regulatory requirements in IEEE 802.11), this is estimated to require 2 years
• IEEE 802 does not believe other approaches would result in an amendment compatible with IEEE Std 802.11
Strawman Response to China’s Submission
Response to China’s Submission (1)
• IEEE 802 thanks China for their contribution
• IEEE 802 desires China’s citizens to participate in the IEEE 802.11 WG, and in particular in a Task Group to incorporate China’s National Standard as an amendment
  • Under the IEEE 802 IPR policy, submissions by China’s citizens will be treated equally with all other submissions
• The IEEE 802.11 WG welcomes the formation of a TG to integrate China’s submission as an amendment to IEEE Std 802.11
  • Consensus that the Task Group should hold interim meetings dealing with China’s submission in China
  • IEEE 802 is dedicated to working to minimize visa problems for IEEE 802 Plenary meetings in the U.S.
Response to China’s Submission (2)
• The interest of the IEEE 802.11 TG is to integrate China’s submission into the 802.11 Standard, not to alter its design
  • This will likely require some small changes to make it forward compatible with IEEE 802.11 amendments under development
  • But all changes must meet the approval of China’s experts
• Intent is to make this an alternative to 802.11i, not to replace 802.11i
  • Let the market decide when to use each
• Under U.S. law, discussion of classified algorithms is prohibited
  • Either China must publicly disclose its block cipher algorithm, or else its experts must not discuss China’s block cipher algorithm at IEEE 802 meetings
Response to China’s Submission (3)
• Project success requires participation by China’s citizens
Strawman Response to China’s 802.11i Comments
China’s 802.11i Comments
In JTC1/SC6 doc 6N12732 China makes the following claims about IEEE Std 802.11i:
• No mutual authentication is specified in the standard
• A shared key must be set up manually for each AP and the authentication server
• The authentication protocol is complex
• There is a problem with the security of the master key
No Mutual Authentication Specified
• Issue: IEEE Std 802.11i specifies no mutual authentication algorithm
• Response: This is by design and intent
  • 802.11i deals with the MAC layer, not application or system level functions
  • Authentication is a system level function
  • Authentication is out of scope, so 802.11i explicitly declares that it assumes mutual authentication
  • The market requires different authentication mechanisms for different market segments
No Mutual Authentication Specified
• The market has said it must have different authentication mechanisms for different market segments
• Examples
  • Enterprises want EAP-TLS, PEAP + MSCHAPv2, and PEAP + OTP
  • 3G operators want EAP-SIM
  • China Mobile wants to use EAP-CAVE
  • Home users want to use pre-shared keys (no authentication)
• Reuse of investment in VPN and remote access authentication technology is essential to make deployment economically feasible
• Operators and Enterprises want to issue their own credentials
  • Unwilling to expose customers’ real identities to competitors
  • Unwilling to expose employees’ real identities to outsiders
• Leaving authentication for the market to specify is no different than China’s submission leaving the block cipher to individual nations to specify
Authentication Protocol Complex
• Issue: Concern that IEEE Std 802.1X authentication does not scale
• Response: Categorically false. IEEE 802.11 TGi adopted the IEEE Std 802.1X framework precisely to address scaling issues
  • The authentication server centralizes the authentication and access control decision
  • This approach is well-tuned to 802.11 economics
  • Operational experience shows it does indeed scale very well
  • Example: networks with ~10000 APs have been deployed without problems
AP-AS Key Setup Manual
• Issue: the AP-AS channel requires manual key setup
• Response: Categorically false. IEEE Std 802.11i does not specify the relationship between AS and AP
  • Outside IEEE 802’s scope
  • Instead within the scope of the IETF AAA WG
• IETF AAA defines multiple mechanisms for AP-AS key setup
  • Manual configuration
  • IKE (IPsec key agreement) – used with RADIUS
  • TLS key agreement – used with Diameter
  • Other automated keying mechanisms exist for other transports (e.g., LDAP)
Security of the Master Key (1)
• Issue: The session key is negotiated between the AS and the client, not between the AP and the client
  • The AS can compromise the session key
  • The session key can be compromised when transported to the AP
• Response: The difference between the security of the on-line trusted third party (TTP) model and the off-line TTP model that China’s submission uses is a matter of taste, not a security issue
  • The TTP is subject to compromise in both models:
  • The on-line model is also compromised by attacking the key transfer
  • The off-line model is also compromised by blocking access to the revocation list
Security of the Master Key (2)
• Response: Operational experience shows the on-line model performs better than the off-line model
  • Off-line model operations are three orders of magnitude more expensive than on-line model operations
  • The on-line model is better suited to WLAN economics