Jari Jokela
Outline
Standardization status generally
New standards and usage scenarios
802.11r 802.11s 802.11u 802.11v 802.11w 802.11y
Future challenges
2007 Nokia
Responsible for protocol test requirements, test plan creation and the actual certification: http://www.wi-fi.org/
Nowadays the border between IEEE 802.11 and the WiFi Alliance is not always clear
WPA/WPA2 - IEEE 802.11i
WMM - 802.11e
WiFi Protected Setup
802.11u - Wireless interworking with external networks
802.11w - Protected Management Frames
802.11mb - Standard maintenance
802.11r
[Figure: Mobility Domain #1 containing BSS #11, BSS #12 and BSS #13, and Mobility Domain #2 containing BSS #21, BSS #22 and BSS #23; TGr roaming takes place between the BSSs of a mobility domain]
The performance benefit is to complete authentication and key derivation before re-association to the target AP
FT signaling protocol supports the over-the-air (OTA) and over-the-DS (OTD) cases
FT provides two mechanisms:
Base mechanism
Reservation, which allows QoS resources to be set up before re-association
FT Usage Classification
Non-RSN / Robust Secure Network (RSN)
Over-the-Air
Over-the-DS
Resource Reservation (RR)
[Figure: BSS #1 on channel 1 and BSS #2 on channel 6, illustrating over-the-air FT and over-the-DS FT]
Resource Reservation (RR) sets up QoS resources in one or more target APs during the FT transition
RR is based on a one round-trip negotiation
Why RR?
RR setup only follows successful PTK derivation
STA requests certain QoS and the t-AP provides as much QoS or less
STA has prior knowledge of which target supports its services without degradation
No delay during re-association for RR (RIC) processing
Better application service quality during FT roaming
Without RR, the STA may realize at the time of reassociation that the target AP does not have enough resources => quality suffers due to lower QoS resources
Resource Reservation
STA may reserve at multiple APs but use only one => cost
Increased AP complexity
Offline load information (QBSSLoad IE in beacon) may be sufficient to measure load
AP advertises the capability in the Beacon frame
STA has the choice to initiate the RR procedure
Pre-Shared-Key (PSK)
Network nodes are mutually authenticated, with secure communication channels
[Figure: key hierarchy at the R0-Key Holder in the network: PMK* is used to derive PMK-R0, from which PMK-R1-A and PMK-R1-B are derived; EAP distribution]
2007 Nokia TUT_8_3_2007.ppt / 2007-03-08 / JJo
FT Initial Association (STA, AP)
Beacon (FT Capability[MDIE])
Authentication Request (Open)
Authentication Response (Open)
(Re)association Request (MDIE, RSNIE)
(Re)association Response (MDIE, FTIE[R0KH-ID, R1-KH-ID], RSNIE)
802.1X EAP Authentication (bypassed if PSK is used)
EAPOL-Key (0, 0, 1, 0, P, 0, Anonce, 0)
EAPOL-Key (0, 1, 0, 0, P, 0, Snonce, MIC, RSNIE[PMKR1Name], MDIE, FTIE)
EAPOL-Key (1, 1, 1, 1, P, 0, Anonce, MIC, RSNIE[PMKR1Name], MDIE, GTK[N], FTIE, TIE[reas], TIE[key])
EAPOL-Key (1, 1, 0, 0, P, 0, 0, MIC)
802.1X Controlled Port Unblocked
FT transition (STA, s-AP, t-AP)
FT Action Request (STA, t-AP, MDIE, FTIE[Snonce, R0-KH-ID], RSNIE[PMKR0Name])
FT Action Response (STA, t-AP, MDIE, RSNIE, FTIE[Anonce, Snonce, R0-KH-ID, R1-KH-ID], RSNIE[PMKR0Name])
Reassociation Request (MDIE, FTIE[MIC, Anonce, Snonce], RSNIE[PMKR1Name], RIC-Request)
Reassociation only if QoS RR is acceptable
Reassociation Request (MDIE, FTIE[MIC, Anonce, Snonce], RSNIE[PMKR1Name])
Reassociation Response (MDIE, FTIE[MIC, Anonce, Snonce, GTK[N]], RSNIE[PMKR1Name])
802.1X Controlled Port Unblocked
Session Data through new AP
FT transition with resource reservation (STA, s-AP, t-AP)
FT Action Request (STA, t-AP, MDIE, FTIE[Snonce, R0-KH-ID], RSNIE[PMKR0Name])
FT Action Response (STA, t-AP, MDIE, RSNIE, FTIE[Anonce, Snonce, R0-KH-ID, R1-KH-ID], RSNIE[PMKR0Name])
RR Exchange:
FT Action Confirm (STA, t-AP, MDIE, FTIE[Snonce, R0-KH-ID], RSNIE[PMKR1Name], RIC-Request)
FT Action ACK (STA, t-AP, MDIE, RSNIE, FTIE[Anonce, Snonce, R0-KH-ID, R1-KH-ID], RSNIE[PMKR1Name], RIC-Response)
Reassociation Request (MDIE, FTIE[MIC, Anonce, Snonce], RSNIE[PMKR1Name])
Reassociation Response (MDIE, FTIE[MIC, Anonce, Snonce, GTK[N]], RSNIE[PMKR1Name])
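The key hierarchy and the reassociation exchange of the preceding slides, as an added example that is not code from the slides, from Nokia or from the IEEE: the R0 key holder derives PMK-R0 and one PMK-R1 per AP, the STA derives the same keys on its own, and the target AP checks the FTIE MIC of the Reassociation Request before it unblocks the controlled port. The derivation structure follows the slides, but the KDF is a plain HMAC-SHA256 with descriptive labels, not the standard's KDF-SHA256 with its exact inputs, key lengths and PMKR0Name/PMKR1Name values; all keys, addresses and nonces are constructed sample values.

```python
"""Simplified model of the 802.11r FT key hierarchy and the reassociation MIC check.
Added example: the KDF, labels and field layout are stand-ins, not the standard's."""
import hashlib
import hmac
import os


def kdf(key, label, context, length=32):
    """Toy KDF standing in for 802.11r KDF-SHA256: HMAC-SHA256(key, label || context)."""
    return hmac.new(key, label + context, hashlib.sha256).digest()[:length]


def derive_pmk_r0(pmk, ssid, mdid, r0kh_id, sta_addr):
    """PMK-R0: computed by both the STA and the R0 key holder from the PMK
    (PSK, or the MSK of the EAP exchange) and bound to the mobility domain."""
    return kdf(pmk, b"FT-R0", ssid + mdid + r0kh_id + sta_addr)


def derive_pmk_r1(pmk_r0, r1kh_id, sta_addr):
    """PMK-R1: one per AP (R1 key holder). The R0KH pushes it to that AP over the
    secure channel between network nodes; the STA derives the same value itself,
    so the target AP never needs PMK-R0."""
    return kdf(pmk_r0, b"FT-R1", r1kh_id + sta_addr)


def derive_ptk(pmk_r1, snonce, anonce, bssid, sta_addr):
    """PTK: fresh per (re)association thanks to the nonces, which in the over-the-DS
    case travel in the FT Action Request/Response through the current AP."""
    return kdf(pmk_r1, b"FT-PTK", snonce + anonce + bssid + sta_addr)


def ft_mic(ptk, fields):
    """MIC carried in the FTIE of the Reassociation Request/Response (truncated HMAC here)."""
    return hmac.new(ptk, fields, hashlib.sha256).digest()[:16]


def setup_mobility_domain(pmk, ssid, mdid, r0kh_id, sta_addr, bssids):
    """R0KH side: derive PMK-R0 once and a distinct PMK-R1 for every AP."""
    pmk_r0 = derive_pmk_r0(pmk, ssid, mdid, r0kh_id, sta_addr)
    aps = {b: {"bssid": b, "pmk_r1": derive_pmk_r1(pmk_r0, b, sta_addr)} for b in bssids}
    return pmk_r0, aps


def ap_verify_reassociation(ap, sta_addr, req):
    """Target AP: recompute the PTK from the PMK-R1 it holds and check the MIC.
    A STA without the matching PMK-R1 yields a different PTK, so the MIC fails
    and the reassociation is rejected before the controlled port is unblocked."""
    if "pmk_r1" not in ap:
        return False
    ptk = derive_ptk(ap["pmk_r1"], req["snonce"], req["anonce"], ap["bssid"], sta_addr)
    return hmac.compare_digest(ft_mic(ptk, req["fields"]), req["mic"])


def sta_reassociate(sta_pmk_r0, sta_addr, target):
    """STA side: derive PMK-R1 for the target, run the nonce exchange, and send a
    Reassociation Request carrying the FTIE MIC. Returns the AP's decision."""
    snonce = os.urandom(32)
    anonce = os.urandom(32)  # in reality received from the target AP (FT Action Response)
    pmk_r1 = derive_pmk_r1(sta_pmk_r0, target["bssid"], sta_addr)
    ptk = derive_ptk(pmk_r1, snonce, anonce, target["bssid"], sta_addr)
    fields = b"MDIE|RSNIE[PMKR1Name]|" + snonce + anonce  # stand-in for the protected IEs
    req = {"snonce": snonce, "anonce": anonce, "fields": fields, "mic": ft_mic(ptk, fields)}
    return ap_verify_reassociation(target, sta_addr, req)


# Constructed sample values for a hypothetical mobility domain.
PSK = hashlib.sha256(b"constructed-sample-psk").digest()
SSID, MDID, R0KH_ID = b"example-md", b"\x00\x01", b"r0kh.example"
STA = bytes.fromhex("02aabbccdd01")
AP_A, AP_B = bytes.fromhex("02aabbccdd10"), bytes.fromhex("02aabbccdd20")


def demo():
    pmk_r0, aps = setup_mobility_domain(PSK, SSID, MDID, R0KH_ID, STA, [AP_A, AP_B])
    sta_pmk_r0 = derive_pmk_r0(PSK, SSID, MDID, R0KH_ID, STA)  # STA computes it independently
    # A STA holding PMK-R0 for another mobility domain cannot produce a valid MIC here.
    other_domain_r0 = derive_pmk_r0(PSK, SSID, b"\x00\x02", R0KH_ID, STA)
    return {
        "sta_and_r0kh_agree": sta_pmk_r0 == pmk_r0,
        "per_ap_keys_differ": aps[AP_A]["pmk_r1"] != aps[AP_B]["pmk_r1"],
        "transition_to_ap_b_accepted": sta_reassociate(sta_pmk_r0, STA, aps[AP_B]),
        "other_domain_rejected": not sta_reassociate(other_domain_r0, STA, aps[AP_B]),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the per-AP PMK-R1 layer is visible in the output: both sides agree on PMK-R0 without it ever leaving the STA and the R0KH, every AP holds a different PMK-R1, and a station carrying keys from another mobility domain is refused at the MIC check rather than after a full 802.1X exchange.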
802.11r Performance
Source: Sangeetha Bangolae, Carol Bell, Emily Qi, "Performance study of fast BSS transition using IEEE 802.11r", International Conference on Communications and Mobile Computing, 2006
IETF Role
Most of the 802.11 security related work is done in CAPWAP
Mailing list discussion indicates that some rule it out as out of scope for the current charter, while others indicate that there is immediate support for 802.11r in CAPWAP, at least in split MAC scenarios
Authenticator and key hierarchy reside in the AC
AC pushes the PTK to the WTP with an Add-Mobile message, triggered by the 802.11r messages
Relevant Drafts
802.11s
802.11s scope
The 802.11s standard defines MAC enhancements, routing, security and interworking principles for WLAN MESH networking.
MAC enhancements concentrate on the forwarded frame format, beaconing, EDCA use and power save.
Routing defines one default routing protocol and enables the use of other routing protocols in MESH networking; routing is done in the MAC layer.
Security: network authentication and security of forwarded traffic.
802.11s defines new device classes (supported functionality for each device on the next slide):
MESH Point (MP) is a device capable of operating in the MESH backbone.
MESH AP (MAP) is a device capable of operating as an AP and as a MESH Point (MP).
Non-Forwarding MP is a device participating in the MESH network but not forwarding any traffic (for instance operating in stand-by power save).
LW-MP is a 1-hop range entity: a WLAN terminal in enhanced ad hoc operation mode.
MESH Portal is a device which connects the MESH network to the IP backbone or to another MESH network. One network may have zero or more portals.
WLAN MESH devices are required to be cheap and simple in order to compete against fixed, wired WLAN networks and cellular networks.
Mesh Options
Each node has a single radio
Access and backhaul share the radio
All nodes tune to the same frequency
Mesh nodes use omni-directional antennas
Access and backhaul are in separate bands: 2.4 GHz client access, 5 GHz backhaul
In the ad hoc use scenario, devices want to exchange data with each other. In the home network use scenario:
Ad hoc (IBSS) (original IBSS network defined in base 802.11, enhanced in 802.11s):
The communicating terminals create a 1-hop network
Link specific authentication
If the terminal is operating only in ad hoc mode, the infrastructure network with Internet connectivity is lost
MESH:
Multihop network with routing protocols and data forwarding capability
Infrastructure network connectivity may be obtained through MESH forwarding
Different device roles enable some devices to operate in power save and others in full power
MESH wide authentication
IBSS Beaconing (joint ATIM period for all devices in the network)
Beaconing affects network connectivity and stand-by power consumption. New concepts:
Beacon broadcaster -> one terminal transmits all beacons; reduced random delay before the beacon is transmitted
More reliable beaconing -> the beacon transmission opportunity is not randomly selected among all nodes
The beacon broadcaster may select a new beacon broadcaster, and the role may be rotated in the network
Enables maintaining more state information (i.e. power save mode info) and a special operation mode for the beacon broadcaster
Simultaneous use of ad hoc and infrastructure networks creates new requirements for the WLAN implementation:
Encryption needs to be changed fast
Data may be received from multiple networks
Networks may be operating on different channels
Beacons may be transmitted with different periodicity -> challenges in receiver scheduling
Status of 802.11s
Draft was not approved
~5000 comments received
802.11u
But could the home SSPN be located far away? What are the query semantics used?
Network Selection
Solution
External query services are named Generic Advertisement Services (GAS). The solution is to:
Broadcast the interworking service capability over beacons/probe responses
Provide a general MAC management facility in state-1 for various advertisement services:
GAS Initial Request/Response
GAS Comeback Request/Response
GAS type identifies the particular service query used => query protocol types are extensible
One of the GAS types is the IEEE 802.21 MIS query
AP maintains state for a brief time until the response is delivered
[Figure: AP in the local network, with a MAC facility encapsulating the 802.21 GAS type, reaching a GAS Server in the SSPN over IP]
Network Selection (STA, AP, Advertisement Server)
GAS Initial Request (Req)
GAS Initial Response (GAS Query ID, GAS time delay)
Retrieve info for Req (time delay)
Resp
GAS Comeback Request (GAS Query ID)
GAS Comeback Response (GAS Query Req, GAS Query ID, Resp)
Network Selection, multicast delivery (STA, AP, Advertisement Server)
GAS Initial Request (Req)
GAS Initial Response (GAS Query ID, Multicast Address)
Retrieve info for Req
Resp
When the GASTIM count reaches 0:
GAS Comeback Response (GAS Query Req, GAS Query ID, Resp)
GAS Comeback Response (GAS Query Req, GAS Query ID, Resp)
GAS Comeback Response (GAS Query Req, GAS Query ID, Resp)
STA already associated will have means to indicate e911 call setup to the AP. Why?
AP can prioritize the traffic from that STA to improve the call success rate
Ensure adequate QoS as per configured AP policies
Configure traffic handling in the DS (backend)
Possible for the STA to use the AP location, if provisioned, or other sources: TGv, DHCP server (ECRIT)
Option 1: allow a WPA capable SSID to support e911 calls
A well known public user id (NAI) is used for dummy authentication
AAA server downloads a restricted e911 policy to the AP to restrict traffic
Draft standard does not discuss security keys for encryption
EBR in QoS Setup
Option 2: a special SSID without any security support is configured for emergency
Simple MAC level solution with no AAA involvement => applicable for certain situations
Open auth association, but the AP may configure this SSID to only use a certain VLAN destined for emergency use only
EBR in QoS Setup
Provides a MAC management facility for the STA to request the QoS map set from the AP in state-3
Requirement is to have completed a successful EAP exchange => AP will have filtering info for that STA
A QoS map set is a map of User Priority (UP, QoS levels in 802.11) to DSCP range values
Exceptions are also provided for specific DSCP value matches within a range, with the corresponding UP
STA shall use the corresponding UP on the WLAN for the DSCP code values used in the IP header
QoS map updates (if changed) are provided unsolicited
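The QoS map set described above, as an added example (not from the slides and not any 802.11u implementation): one DSCP range per User Priority plus exception entries, with the lookup a STA would apply to the DSCP of each outgoing IP packet and the validation that keeps overlapping ranges out of the map. The sample map, the None marker for an unused UP and the fall-back to UP 0 for a DSCP that no range or exception covers are assumptions of this model.

```python
"""DSCP -> User Priority lookup over a QoS Map Set of the shape 802.11u describes.
Added example; map values, the None marker and the UP 0 fall-back are assumptions."""


class QosMapSet:
    def __init__(self, ranges, exceptions=()):
        """ranges: list of 8 entries indexed by UP 0..7, each (low, high) inclusive
        DSCP bounds or None when that UP is not used.
        exceptions: iterable of (dscp, up) pairs that override the range lookup."""
        if len(ranges) != 8:
            raise ValueError("one DSCP range (or None) per UP 0..7 is required")
        self.ranges = list(ranges)
        self.exceptions = {}
        for dscp, up in exceptions:
            self._check_dscp(dscp)
            self._check_up(up)
            self.exceptions[dscp] = up
        self._check_ranges()

    @staticmethod
    def _check_dscp(dscp):
        if not 0 <= dscp <= 63:
            raise ValueError("DSCP must be 0..63, got %r" % (dscp,))

    @staticmethod
    def _check_up(up):
        if not 0 <= up <= 7:
            raise ValueError("UP must be 0..7, got %r" % (up,))

    def _check_ranges(self):
        """Reject malformed or overlapping ranges: an overlap would make the UP of
        a DSCP depend on list order, which is exactly the ambiguity to avoid."""
        owner = {}
        for up, rng in enumerate(self.ranges):
            if rng is None:
                continue
            low, high = rng
            self._check_dscp(low)
            self._check_dscp(high)
            if low > high:
                raise ValueError("UP %d has low > high" % up)
            for dscp in range(low, high + 1):
                if dscp in owner:
                    raise ValueError("DSCP %d is in the ranges of UP %d and UP %d" % (dscp, owner[dscp], up))
                owner[dscp] = up

    def up_for_dscp(self, dscp):
        """Exception entries win over ranges; an uncovered DSCP falls back to UP 0
        (best effort) in this model."""
        self._check_dscp(dscp)
        if dscp in self.exceptions:
            return self.exceptions[dscp]
        for up, rng in enumerate(self.ranges):
            if rng is not None and rng[0] <= dscp <= rng[1]:
                return up
        return 0

    def update(self, new_map):
        """Apply an unsolicited QoS Map update from the AP by replacing the whole set."""
        self.ranges = list(new_map.ranges)
        self.exceptions = dict(new_map.exceptions)


# Constructed sample map: DSCP blocks of 8 per UP, UP 1 unused, and DSCP 46 (EF)
# pulled out of the UP 5 block into UP 6 by an exception entry.
SAMPLE_MAP = QosMapSet(
    ranges=[(0, 7), None, (16, 23), (24, 31), (32, 39), (40, 47), (48, 55), (56, 63)],
    exceptions=[(46, 6)],
)


def classify(dscps, qos_map=SAMPLE_MAP):
    """Return the UP a STA would mark on the WLAN for each DSCP value in `dscps`."""
    return [qos_map.up_for_dscp(d) for d in dscps]


def overlap_rejected():
    """True if a map whose ranges overlap is refused at construction time."""
    try:
        QosMapSet(ranges=[(0, 10), (8, 15), None, None, None, None, None, None])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(classify([0, 7, 10, 40, 46, 47, 56]))  # -> [0, 0, 0, 5, 6, 5, 7]
```

Validating the map when it arrives matters because the AP pushes updates unsolicited: a STA that silently accepted an inconsistent map would mark traffic with whichever UP its loop happened to find first.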
Status of 802.11u
One group internal review held
No letter ballot yet
Expected ratification Q1/09
802.11v
General
Started Q3/04
Purpose of the project (as stated in PAR):
The purpose of this document is to provide amendments to the IEEE 802.11 PHY/MAC layers that enable management of attached stations in a centralized or in a distributed fashion (e.g. monitoring, configuring, and updating) through a layer 2 mechanism. While the 802.11k Task Group is defining messages to retrieve information from the station, the ability to configure the station is not in its scope. The proposed Task Group will also create an Access Port Management Information Base (AP MIB). The current IEEE 802.11 specification implies that stations may be managed via a Simple Network Management Protocol (SNMP). The use of SNMP introduces the following problems:
1. Very few stations in the market include SNMP capabilities.
2. The use of secure SNMP protocol (e.g. SNMPv3) requires significant pre-configuration of the station.
3. Management of a station may be required prior to the establishment of an IP connection. There are cases where a device must be managed because it cannot get IP connectivity.
Therefore, a standardized approach to manage stations is required. 802.11 APs have significantly increased in complexity and features, which cannot be controlled via the current MIB. The Task Group needs to expand on the existing MIB (or create a MIB) to support these new devices.
Flexible broadcast/multicast
Transition events
RSNA events
Peer-to-peer link events
Syslog events
Multicast Diagnostics
The idea is to enable very simple monitoring of broadcast/multicast receptions
In the base specification there are no means to detect whether bc/mc frames are lost
Report is triggered if the STA does not receive any bc/mc traffic during a specific time interval
Procedures also include a mechanism to indicate the STA's maximum bc/mc reception rate
Usage of Multicast Diagnostics: AP can get a rough feeling for how reliable bc/mc transmissions are and what maximum bc/mc data rate can be used
With FBMS it is possible to create longer sleep intervals, and the terminal can specify exactly which bc/mc services it is interested in
Furthermore, the AP can indicate exactly which bc/mc services the buffered frames belong to
Terminal can enter sleep mode very quickly if no frames targeted to it are buffered
If supported, then missing DTIM beacons is not so crucial anymore
[Figure: legend: broadcast data, multicast stream 1 (for STA1), multicast stream 2 (for STA2); a) STA1 and STA2 are both awake at each of the three delivery intervals; b) only the STA whose stream is buffered is awake at each interval (STA2 once, STA1 four times)]
Event procedures
Event procedures are meant to enable real-time diagnostics of the WLAN network
AP can request event reports from the STAs
AP can set up event report conditions so that if problems occur the STA sends a report
Event types and purpose:
Transition: used to collect information about transition events (i.e. roaming events). Can be conditional => if there are too many transitions during a given time => a report is generated
RSNA: used to collect information about performed authentications
Peer-to-peer link events
Syslog: used to collect Syslog (IETF RFC 3164) info from the terminals
Diagnostics procedures
Provides means to diagnose and debug WLAN network problems
Four types of diagnostics procedures:
STA report: used to collect information (capabilities, manufacturer info, operational info) about the terminal
802.11 authentication: used to verify whether the STA is able to perform 802.11 authentication with given parameters
Association: used to verify whether the STA is able to perform association with given parameters
802.1X authentication: used to verify whether the STA is able to perform 802.1X authentication with given parameters
Presence procedures
AP and/or terminal can configure the presence service
AP can configure how often and on which channels the terminal(s) send presence indications
Terminal can configure how often it wants to receive location information
AP can configure all the terminals or it can configure each terminal separately
It is also possible to use one-time requests
May include radio related parameters => signal strength based location estimate
May include motion related info (i.e., is the terminal static or in motion)
Requested location data (local = terminal, remote = AP or peer terminal)
Indicates the required location data format, resolution and accuracy
Location data format: Civic, GEO (RFC 4119, RFC 3693)
Resolution, encoding (RFC 3825, RFC 4119, X.694) and accuracy
Actual location data (either local or remote)
Location source identifier (RFC 3693)
Radio information
Timing information (TOA support)
Responses to presence indications may include actual location data and/or additional info that can be used to determine the location
Load balancing
AP has the possibility to command terminals to roam for load balancing reasons
AP gives a prioritized list of target AP candidates
Specification does not specify when the AP should/shall/should-not/shall-not use the load balancing feature
AP can indicate that some APs are excluded, i.e., the terminal should not try to roam to that AP if roaming to a non-excluded AP is possible
Not binding: the target AP decision is still on the terminal side
Cellular-WLAN
BT-WLAN (coexistence) is a big problem as there is no way to control WLAN DL transmissions
With this reporting mechanism the AP can:
1. Schedule WLAN DL transmissions so that degradation is minimised
2. Adjust its rate adaptation logic so that the problem is not made worse
Status of 802.11v
One internal review held
First letter ballot assumed to start after May 2007 meeting
802.11w
General
Started Q1/05
Purpose of the project (as stated in PAR):
The proposed project seeks to create enhancements to the IEEE 802.11 Medium Access Control layer to provide, as appropriate, mechanisms that enable data integrity, data origin authenticity, replay protection, and data confidentiality for selected IEEE 802.11 management frames including but not limited to: action management frames, deauthentication and disassociation frames. The current IEEE 802.11 standard including amendment 'i' (security) addresses security of data frames but systems are still vulnerable to malicious attack because management frames are unprotected. For example, network disruption can be caused by malicious systems generating false information and impersonating valid equipment. The work envisioned in this PAR will reduce the susceptibility of systems to such attack and is of importance to all the current applications of IEEE 802.11 and both existing and anticipated amendments. While all 802.11 users will benefit from the proposed amendment, the stakeholders are the Access Point and Network Interface Card vendors.
General
Basic idea of 802.11w is to extend 802.11i to provide protection for selected management frames
Disassociation and Deauthentication frames are considered to be especially important:
If not protected, then it is easy to perform a DoS attack
On the other hand, even protection of these frames does not guarantee that DoS attacks cannot happen (there are simple ways to implement attacks)
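The receiver-side checks that protected management frames add for group-addressed Deauthentication and Disassociation, as an added example that is not code from the slides or from the standard: integrity and origin via a MIC keyed with the group integrity key, replay protection via a packet number that must increase, and rejection of any unprotected robust frame once PMF is in use. The MIC is a truncated HMAC-SHA256 in place of the AES-CMAC used by BIP, the frame is a dict rather than the real MMIE encoding, and the key, addresses and frames are constructed samples.

```python
"""STA-side acceptance logic for group-addressed robust management frames under PMF.
Added example: simplified frame model and MIC, not the 802.11w encoding."""
import hashlib
import hmac

ROBUST_SUBTYPES = ("deauth", "disassoc", "action")
MIC_LEN = 8


def _mic(igtk, frame):
    """MIC over the fields a forged frame would have to change: subtype,
    addresses, key id, packet number and body."""
    data = (frame["subtype"].encode() + frame["sa"] + frame["da"]
            + bytes([frame["key_id"]]) + frame["ipn"].to_bytes(6, "big") + frame["body"])
    return hmac.new(igtk, data, hashlib.sha256).digest()[:MIC_LEN]


def protect(igtk, key_id, ipn, subtype, sa, da, body):
    """AP side: build a group-addressed robust management frame with its MIC."""
    frame = {"subtype": subtype, "sa": sa, "da": da, "key_id": key_id, "ipn": ipn, "body": body}
    frame["mic"] = _mic(igtk, frame)
    return frame


class PmfGroupReceiver:
    """STA state for one BSS: the IGTK delivered in the 4-way handshake and the
    highest packet number accepted so far."""

    def __init__(self, igtk, key_id):
        self.igtk = igtk
        self.key_id = key_id
        self.last_ipn = 0

    def accept(self, frame):
        """Return (accepted, reason). Only a frame that passes every check may
        cause the STA to tear down its association."""
        if frame["subtype"] not in ROBUST_SUBTYPES:
            return True, "not a robust management frame"
        if "mic" not in frame:
            return False, "unprotected robust frame while PMF is negotiated"
        if frame["key_id"] != self.key_id:
            return False, "unknown IGTK key id"
        if frame["ipn"] <= self.last_ipn:
            return False, "replayed or out-of-order packet number"
        if not hmac.compare_digest(_mic(self.igtk, frame), frame["mic"]):
            return False, "MIC mismatch"
        self.last_ipn = frame["ipn"]
        return True, "accepted"


def demo():
    """Constructed scenario: a genuine protected deauth, the same frame replayed,
    an unprotected deauth, and a protected frame whose body was altered."""
    igtk = hashlib.sha256(b"constructed-sample-igtk").digest()[:16]
    ap, bcast = bytes.fromhex("02aabbccdd10"), b"\xff" * 6
    sta = PmfGroupReceiver(igtk, key_id=4)
    genuine = protect(igtk, 4, 1, "deauth", ap, bcast, b"\x00\x03")  # reason code 3
    unprotected = {"subtype": "deauth", "sa": ap, "da": bcast, "key_id": 4, "ipn": 2, "body": b"\x00\x03"}
    altered = dict(protect(igtk, 4, 2, "deauth", ap, bcast, b"\x00\x03"))
    altered["body"] = b"\x00\x07"  # body changed after the MIC was computed
    return [sta.accept(genuine), sta.accept(genuine), sta.accept(unprotected), sta.accept(altered)]


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The order of the checks is deliberate: the cheap packet-number comparison runs before the MIC so a flood of replays costs no MAC computation, and state (`last_ipn`) is only advanced after the MIC verifies. As the slides note, this closes the unprotected-deauthentication path but does not make the link immune to every denial of service.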
802.11y
Types of equipment/STAs
Channel spacing and number of channels (5 MHz from the lower band edge 3.65 GHz and the upper band edge 3.7 GHz)
Number of channels: 2, 4, 8
Challenges
Amount of standardized features is increasing:
Interoperability issues
Variation between the deployments
IEEE standards are becoming toolboxes, and the final decision on whether the features are really implemented is made in the WiFi Alliance or somewhere else
How to keep WLAN simple and cheap?
Terminal may include multiple radios that may be used simultaneously; a good example is a VoIP call over WLAN to a Bluetooth headset
Power consumption:
Active mode power consumption is tolerable
Standby mode power consumption could be better
Future topics
WLAN evolution
ITU IMT-Advanced
Local area bit rate target: 1 Gbit/s
Not clear whether WLAN will have any role
[Figure: illustration of capabilities of IMT-2000 and systems beyond IMT-2000 (mobility versus data rate, axis up to 1 000): enhanced IMT-2000, new capabilities of systems beyond IMT-2000 (which encompass the capabilities of previous systems), nomadic/local area access systems, digital broadcast systems; the dashed line indicates that the exact data rates associated with systems beyond IMT-2000 are not yet determined; interconnection between systems via networks allows flexible use in any environment without making users aware of the constituent systems]
Summary
Many ongoing standard activities
IEEE 802.11 is in charge of functional specifications
WiFi Alliance is in charge of interoperability testing
Interoperability will be a challenge
Different deployments will likely vary a lot from the supported features perspective