Jan 2008
Richard Paine, Boeing, Slide 1
doc.: IEEE 802.11-08/0120r1
Submission
Next Generation Security for 802.11
• What is 21st Century Security?
• 802.11 Responsibilities
• VOIP/VoWLAN Reality
• Identity Solutions
• 802.11 Architecture
What is Security?
Security comes from certainty about "Who, What, Where, When, How and Why". Whatever adds to that certainty increases security, and whatever obscures that certainty decreases security.
Certainty is about knowing the neighborhood, including identity, the regulatory domains, location, and surrounding equipment.
[Figure: three charts, "Today's 802.11 Wireless Security", "Near Future 802.11 Wireless Security (with 11k, 11n, 11r, 11s, 11u, 11w, 11y, 11z)" and "Tomorrow's Security (for P2P VOIP)". Each is plotted on the same axes: Fear vs. Knowledge; Low Quality / Insecure on WLAN vs. High Quality / Secure on WLAN; Insecure on non-802.11 vs. Secure on non-802.11. X marks show where each era sits.]
21st Century Security
• Shared medium (all wireless in regulatory domains)
• Identity Assurance
• Location Privacy
• Transition from Fear to Safety Assurance
• From Spoofing to Identity Protection
• Uncertainty Protection and Minor Risk Acceptance
• Weapons of Internet Offense and Defense
• Reliability Assurance (protection from DOS attacks)
How 802.11 Fits in 21st Century Security
• Leading network standard (11ma, 11k, 11n, 11r, 11s, 11T, 11u, 11v, 11w, 11y, and 11z)
• Should be primary to deliver mobility/identity/location privacy/identity protection/uncertainty protection/independent from 802.3 and the Internet
• Reliability assurance during handoffs (11k and 11r)
802.11 Responsibilities
• 802.11 leadership in an unwired world
• Independence from previous wired thought
• VoWLAN – 802.11 issues (QoS, DOS, etc.)
• Transition from ESS to P2P
• Enabling seamless secure wireless to wired (P2P as in VoWLAN)
• Enabling identity-based security wireless to wired (P2P as in VoWLAN)
802.11 Leadership
• 802.11 secure wireless (WPA and RSN)
• Transition to the wired network insecure
• AP is the source of the transition to the wired
Previous Thought
• Security for wireless enough
• Applications must handle their own security
• Not the responsibility of the wireless realm
• 802.11 in prime position to solve the problem
Future Thinking
• Security end-to-end will require IEEE 802.11 protocols (mobility and identity)
• VoWLAN will change the world
• IETF security not enough (HIP part of SMA)
• Transition to new thinking about Internet security (P2P)
• 802.11 should step up to new thinking
VoWLAN - 802.11 Issues
• 11u VoWLAN projects
  – ENUM
  – ECRIT
• 11e/WMM discrepancies
  – Not adequate for widespread VoWLAN
  – Failure of the QSE proposed 802.11 work
• 802.11 security only addresses ESS
• Must address wireless to wired security
VOIP Reality
• VOIP will operate over both wired and wireless
• SIP reality is over both wired and wireless
• Secure communications are BSS/ESS and VPN (not secure past the VPN server)
• VOIP to demand secure voice comm
• IETF working on securing P2P (P2PSIP)
VoWLAN Reality
• VoWLAN entering the BSS and ESS via wire
• VOIP requiring peer-to-peer or end-to-end secure voice communications
• 802.11 must have an end-to-end and peer-to-peer transition and handoff solution
End-to-End/Peer-to-Peer
• Tunnels
• SSL
• SIP/HIP (Host Identity Protocol)
Transition from ESS to P2P
• Naming and Addressing
  – IP Addresses vulnerable
  – MAC addresses vulnerable
  – PKI Identity-based security associations OK
• IETF Middlebox Capabilities
• Potential Solution: AP must have middlebox features
  – HIP Middlebox possibilities or SSL Tunnel Handoffs
Enabling Secure P2P – Wired and Wireless
• Possible Solutions
  – HIP
  – Secure Tunnels
• Security Solutions
  – IPv6/MIPv6
  – Identity Based
    • HIP
    • 802.1x
Identity-Based P2P
• HIP
  – Cryptographic Names/Identifiers
  – Security Associations
  – HIP-enabled communications
• Parity
  – Need ongoing parity
  – Overlap in BSS
  – Changing keys by symbol
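The identity-based binding that the "Transition from ESS to P2P" and "Identity-Based P2P" slides call for (cryptographic names instead of spoofable IP or MAC addresses, with security associations tied to those names), as a constructed Go example. This is added here and is not code from the presentation or from the Boeing SMA/HIP implementation; its 16-byte tag is a simplified stand-in for a HIP Host Identity Tag, not the RFC 5201 encoding.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
)

// Tag derives a 16-byte identifier from a host's public key (truncated SHA-256).
// Constructed stand-in for a HIP Host Identity Tag: the name is a function of the key.
func Tag(pub ed25519.PublicKey) []byte {
	sum := sha256.Sum256(pub)
	return sum[:16]
}

// Packet is what a peer receives: claimed identifier, sender public key,
// payload and a signature over tag||payload. No IP or MAC address takes
// part in the check, so rewriting either one changes nothing.
type Packet struct {
	Tag, Payload, Sig []byte
	Pub               ed25519.PublicKey
}

// Sign builds a packet whose identifier is bound to the signing key.
func Sign(priv ed25519.PrivateKey, payload []byte) Packet {
	pub := priv.Public().(ed25519.PublicKey)
	tag := Tag(pub)
	msg := append(append([]byte{}, tag...), payload...)
	return Packet{Tag: tag, Payload: payload, Sig: ed25519.Sign(priv, msg), Pub: pub}
}

// Verify accepts a packet only if the claimed tag matches the presented key
// and the signature checks: a peer cannot claim another host's tag with its
// own key, nor alter the payload after signing.
func Verify(p Packet) bool {
	if !bytes.Equal(Tag(p.Pub), p.Tag) {
		return false
	}
	msg := append(append([]byte{}, p.Tag...), p.Payload...)
	return ed25519.Verify(p.Pub, msg, p.Sig)
}

func main() {
	_, alice, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	_, mallory, _ := ed25519.GenerateKey(nil)
	good := Sign(alice, []byte("INVITE sip:bob@example.com")) // constructed payload
	spoof := Sign(mallory, good.Payload)
	spoof.Tag = good.Tag // claim Alice's identifier with Mallory's key
	println(Verify(good), Verify(spoof)) // true false
}
```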
SMA Big Picture
[Figure: SMA big-picture diagram. Three planes: Intranet Plane, SCADAnet Plane (Overlay Network) and Internet Plane. Components shown: VPN, WiMAX and Cellular access (Cell Subnet, WiMAX Subnet), HTTP Proxy, Subnet A and Subnet B, a HIP middlebox (HIP MB), and AP Middleboxes.]
Boeing 2007 SMA/HIP Implementation
[Figure: deployment diagram. Boeing Intranet with an AAA Server, DNS namespace mobile.tl.boeing.com, Router, APs and a WiFi Switch. Per-site SMA components: Message Broker, Directory, DNS, TempCert RA, Location Server, LPDD. SMA mobiles (including VOIP and cellular SMA mobiles) hold HIP security associations (HIP SA) with Boeing PKI, across the Internet, and with a Robot Controller and its robots.]
AP Middlebox
• AP Middlebox
  – HIP
    • Names/Identifiers
    • Security Associations
    • HIP-enabled communications
    • Rendezvous Server
  – Tunnels +
802.11 Possibilities
• Do Nothing
• Concede an 802.1 P2P enhancement
• 802.11 SG on P2P 802.11 enhancements
• 802.11 SG on NG security
• 11u address P2P in amendment
• 11u address VoWLAN in E911
• Combination of 802.1 and 802.11