1 / 17

Tx & Rx Pseudo Code

Tx & Rx Pseudo Code. David Johnston david.johnston@ieee.org. Problems. Section 8.7.1 Tx PseudoCode & 8.7.2 Rx PseudoCode “attempt to decrypt with that key, incrementing dot11WEPICVErrorCount if the ICV check fails”

paula-carr
Download Presentation

Tx & Rx Pseudo Code

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Tx & Rx Pseudo Code David Johnston david.johnston@ieee.org David Johnston.

  2. Problems • Section 8.7.1 Tx PseudoCode & 8.7.2 Rx PseudoCode • “attempt to decrypt with that key, incrementingdot11WEPICVErrorCount if the ICV check fails” • This mandates an ICV check for M[PS]DUs, regardless of whether they have an ICV, MPDU level MIC, MSDU level MIC or OCB authentication. David Johnston.

  3. Identifying 802.1x Packets within the MAC Need to identify 802.1X packets here David Johnston.

  4. The Cases • Intra BSS Relay • Not 802.1x • Use aExcludeUnencrypted • To LLC • May be relayed 802.1x for Pre authentication • May be data • We know it has an LCC header. Use LLC header to distinguish 802.1x from data • To DS/.1d bridging • May be relayed 802.1x for Pre authentication • May be data • Magically distinguish between 802.1x and data so plaintext 802.1x can pass through • To Portal (via DS) • Might be 802.1x • Magically distinguish between 802.1x and data so plaintext 802.1x can pass through David Johnston.

  5. Support of Cipher Suites is not Taken into Account • Thus if we can’t find a key, we report a WEP error and increment a WEP mib variable, even if we have no WEP. • Otherwise, checking is not generally required since keys should not get into the mapping table that are not of a supported cipher suit. The issue is an error reporting issue. David Johnston.

  6. Minor Problems • Title “Temporal Key Processing” is inappropriate • Maybe “Tx and Rx Packet Processing” • MDPU & MDSU • .,$s/MDPU/MPDU/g • .,$s/MDSU/MSDU/g David Johnston.

  7. MPDU vs MSDU differentiation is not clear • “if (MSDU has an individual RA anddot11WEPKeyMappings has an entry for that RA anddot11WEPKeyMappingsKeyBroadcast is false) or (the MDPU has a multicast RA and the network type is IBSS and the network is RSN and there is an entry in dot11KeyMapppings for the TA anddot11WEPKeyMappingsKeyBroadcast is true) then” • Operations simultaneously described over MSDU & MPDUs! • So the semantics are not clear • So defeats the intent of pseudocode (Clarity) David Johnston.

  8. Solution • Rewrite as 4 pseudo code behaviours • Per MSDU Tx Behaviour • Per MPDU Tx Behaviour • Per MPDU Rx Behaviour • Per MSDU Rx Behaviour • 802.1x signals packet filtering state to MAC • aHavePTK • set by MLME.SETKEYS.request for PTKs • Unset by (re)authenticate & (re)associate • aHaveGTK • set by MLME.SETKEYS.request for GTKs • Unset by reauth & reassociate • Note MPDU Rx before MSDU Rx and MPDU Tx after MPDU Rx to match natural processing order David Johnston.

  9. 802.1x id Mechanism • Layer Violations • “if aExcludeUnencrypted = “false” or there is no entry in dot11WEPKeyMappings matching the MPDU’s TA and Ethertype is 802.1X then receive the frame without applying protections ” • The MAC should not be looking outside its layer • The MAC cannot look outside its layer on MPDUs (might not have encapsulation header in fragment) • Instead • Change “Ethertype is 802.1X” to • LLC case “((Ethertype is 802.1X and DA is to this STA) or ” • To DS and Portal case “(Ethertype is 802.1X and DA is outside this BSS)) or ” • Do it at the Per MSDU stage. David Johnston.

  10. Per MSDU Tx Behaviour • Check aDot11PrivacyInvoked • Find an entry in dot11WEPKeyMappings • Have different behaviour for CCMP, WRAP, TKIP and WEP • CCMP and WEP are null at MSDU level • Handle null key case (report null key) • Report if unsupported cipher suite • Handle case of BSS broadcast with mix of protected and non protected STAs • Handle Default key case • If null default key, report WEP error when WEP supported David Johnston.

  11. Per MPDU Tx Behaviour • Transmit MPDU based upon the cipher suite selected for the MSDU that the MPDU is a fragment of • WRAP is a NOP at MPDU level David Johnston.

  12. Per MPDU Rx Behaviour • Handle unprotected Rx MPDU • Throw away if aExcludeUnencrypted set • Otherwise receive it • Find an entry in dot11WEPKeyMappings • Handle protected Rx MPDU • Handle Default Key Case when no key found • Handle null Default key case • Report WEP error if WEP supported • When entry found • If cipher suite unsupported, discard MPDU and report • Otherwise receive packet using cipher of entry in mapping table providing cipher • WRAP is NOP at MPDU level David Johnston.

  13. Per MSDU Rx Behaviour • Handle unprotected Rx MSDU • Throw away if aExcludeUnencrypted set • Otherwise receive it • Find an entry in dot11WEPKeyMappings • Handle protected Rx MSDU • Handle null key case • Handle null WEP Default key case when WEP Supported • When entry found • If cipher suite unsupported, discard MPDU and report • Otherwise receive packet using cipher of entry in mapping table providing cipher • WEP and CCMP are NOPs at MSDU level David Johnston.

  14. Packet Filtering • MAC is asked to filter based on following MPDU state • Is MPDU a member of an 802.1x MSDU • Is 802.1x MSDU from associated STA? (and we are an AP) • Is MPDU protected? • Is MPDU unicast or broadcast/multicast? • MAC has only visibility of protected and group state, not 802.1x content • The MAC gets the following clues to dictate filtering behaviour of received MPDUs: • MLME-SETKEYS.request for PTKs • MLME-SETKEYS.request for GTKs • dot11PrivacyInvoked • aExcludeUnencrypted • TA David Johnston.

  15. Packet Filtering • Since MAC should not examine the 802.1x content of payloads, MAC must pass unencrypted MSDUs up to 802.1x layer and permit 802.1x to discard MPDUs based on its own port admission policy, in case the MSDU carries an 802.1x payload, during the period which the MAC is currently asked to pass 802.1x traffic but filter all other unprotected traffic. • The MAC is required to filter out unprotected unicast MPDUs once PTKs have been installed for that association • The MAC is required to filter out unprotected group MPDUs once GTKs have been installed for that association David Johnston.

  16. MAC Level MPDU Filtering • Add aHavePTK • Add aHaveGTK • Initialize both to FALSE • Set aHavePTK following MLME-SETKEYs for PTK • Set aHaveGTK following MLME-SETKEYs for GTK • Set both aHavePTK and aHaveGTK to FALSE on disassociate or de-authenticate • Use aExcludeUnencrypted for non RSN situations David Johnston.

  17. Motion • Move that the editor incorporate into the draft the changes described in document 11-02-643r2-TxRxPseudoCode David Johnston.

More Related