802.11: Ethernet Marches On
Robert J. Berger
Internet Bandwidth Development, LLC
8/29/02 Copyright 2002 Robert J. Berger

DESCRIPTION

In-depth description and analysis of wireless LAN 802.11 technology and its impact on networking, given at Glocom in Japan, August 2002. Interesting to look back and see which predictions were right on and others not so...

Page 1: 802.11: Ethernet Marches On

Robert J. Berger, Internet Bandwidth Development, LLC

Page 2: 802.11: Ethernet Marches On

The Internet Revolution Has Only Just Begun

• Businesses continue to be transformed
• People continue to adapt it to be part of their lives
• It continues to worm its way into the fabric of everyday life
• It's just not the darling of Wall Street and VCs anymore
• It is the foundation of a lot of our future

Page 3: 802.11: Ethernet Marches On

By The End of this Decade

• Almost everything will be connected to the Internet
  Appliances, automobiles, personal communicators, screens (large and small), refrigerators, stereos, washing machines, copiers, traffic lights, even your watch.
• 3 billion Internet-capable wireless devices
• The Internet will be:
  Telephone, answering machine, television, radio, movie theatre, clock, store, cell phone, pager, post office, mailbox, library, security system, gaming platform, musical instrument, learning center, storage medium, and much, much more!
• 802.11 will extend Ethernet/Internet to almost everywhere
• Allows everyone and everything to connect to each other
• Moore’s, Gilder’s and Metcalfe’s “Laws” deliver information abundance

Page 4: 802.11: Ethernet Marches On

In a decade we will have:

• Huge storage: 1 TB disks will be mass market (<$200)
• Very fast wired networking: 100 Gb Ethernet will be mass market (< $100)
• Ubiquitous wireless networking: 3 billion units worldwide! 1 Gb wireless LANs a viable replacement for wired NICs; 10 Mbps wireless WANs
• More powerful personal computers: 10+ GHz processors (and/or computer arrays); 4x resolution (2K x 2K) displays competitive w/ paper; large, wall-sized and watch-sized displays
• A new generation of personal communicators: PDAs, PIMs, cell phones, watches, etc.
• Invisible computing: networked appliances (washing machines, microwaves, etc.)
• The biggest problem will be software and interfaces with humans

Page 5: 802.11: Ethernet Marches On

By the End of the Decade, 802.11 will be….

• A viable desktop NIC replacement
• Ubiquitous
  In 1994, there were less than 3K PPP dialup ports in the US… today there are millions
• Wireless ISPs will happen
• Community nets will happen
• Mesh networking will extend coverage dramatically
• Dual 802.11/WAN NICs will be commonplace
• Additional physical interfaces will be introduced
  Take advantage of new RF tech like Ultrawide Band; faster speeds; longer distances / better penetration

Page 6: 802.11: Ethernet Marches On

Simultaneous Trends by end of Decade

Bigger, Faster: 200 million units/year (laptop, desktop, server)
• 10 GHz processor
• 100 GbE
• 1+ TB magnetic disk

Smaller, Cheaper: 500 million units/year (PDA / cell phone / sub-laptop)
• 1 GHz processor
• 1 Gbps wireless LAN
• 10 Mbps wireless WAN
• 1 GB flash disk

Page 7: 802.11: Ethernet Marches On

“X-Internet” Beyond the PC (Forrester Research, May 2001)

Today’s Internet: 93 million Internet computers, 407 million Internet users
X-Internet: 663 million automobiles, 1.5 billion telephones, 30 billion electronic chips

Page 8: 802.11: Ethernet Marches On

“X-Internet” Beyond the PC (Forrester Research, May 2001)

[Chart: X-Internet versus PC-Internet devices, in millions (0 to 15000), by year from 2001 to 2010]

Page 9: 802.11: Ethernet Marches On

Implications

• Distributed, “Grid” computing will be the norm
  Your “PC”, PDA, etc. will be a window into a media/communication/compute cloud; data and processing “locationless”
• IP and Ethernet will be the mainstream technology for SAN, MAN, WAN and LAN
  Fiber the primary PHY for 10 GbE; goodbye Fiber Channel and SONET!
• 802.11 with various PHYs for 1 - 100 Mbps
  Goodbye Home RF and Bluetooth!
• Managing vast storage will be challenging
  P2P Grid distributed storage; authentication and privacy are big issues

Page 10: 802.11: Ethernet Marches On


There is one thing in the way

The “Last Mile” Bottleneck

Page 11: 802.11: Ethernet Marches On

Huge Capacity at Core & Edge, Nothing in between

• Hi capacity long haul fiber is mostly there
  Huge buildouts between cities; easy to add capacity to this now existing dark fiber / conduit
• Bandwidth for buildings & campus at edge
  Ethernet ultra fast and ultra cheap: 100 Mbps, 1 Gbps, 10 Gbps wire/fiber; 11 Mbps, 54 Mbps wireless
• Almost nothing inexpensive to connect them
  Dialup 56 kbps; limited DSL/cable modem 128 kbps - 6 Mbps

Page 12: 802.11: Ethernet Marches On

It’s a “Layer 8 & 9” Problem

Layer 8: Economics
• The cost to build “the last mile” is huge: there is a lot of it; rights of way, trenching, etc.
• Estimated to cost US$50B - US$150B (about what AT&T paid for TCI)

Layer 9: Politics
• Incumbent phone & cable company
• Internet bust reinforced their monopoly
• They have over 100 years of lobbying experience
• They have actively and passively maintained a choke hold on the last mile and keep it a bottleneck

[Figure: OSI stack (Physical / 802.11, Data Link, Network / IP, Transport / TCP-UDP, Session, Presentation, Application) topped by Layer 8 Economics and Layer 9 Politics]

Page 13: 802.11: Ethernet Marches On

Wireless can help break the Last Mile Bottleneck

• Wireless builds can be much less capital intensive
• Minimal rights of way (rooftops)
• Can be rolled out sparsely and then filled in
• Build where there is immediate demand

Page 14: 802.11: Ethernet Marches On

802.11 Will be a major factor

• It's wireless Ethernet
• Wire/fiber Ethernet metamorphosed from a “toy” technology to covering LANs, MANs and WANs from 10 Mbps to 10 Gbps
• 802.11 is/will do the same
• It’s a standard that is comfortable & can support new physical (PHY) layers
• Not the optimal solution, but the most flexible, cost effective and rapidly evolving one

Page 15: 802.11: Ethernet Marches On

Public Access Hotspots to Hotzones with 802.11++

[Figure: independent hotspots each connected with DSL to a central office, versus a hotzone of 2 square miles with all-wireless connectivity to a metro POP]

Page 16: 802.11: Ethernet Marches On

Public Wireless Ethernet Deployment

• Use Moore’s Law to “route around” laws of physics
• Key problems solved: expanded network capacity, reduced deployment cost, avoid interference

[Figure: data network diagram]

Page 17: 802.11: Ethernet Marches On

Can incrementally grow

[Figure: sparsely deployed 802.11++ APs, a standalone 802.11++ AP, a backhaul 802.11++ AP, a backhaul site and a point-to-point link]

Page 18: 802.11: Ethernet Marches On

Can mix Fixed & Public Access

• Wireless p-to-p, p-to-mp to the neighborhood
• And/or fiber to the neighborhood
• 802.11++ for the last few thousand feet

[Figure: fiber to the neighborhood, then 802.11++ to businesses, homes and public access]

Page 19: 802.11: Ethernet Marches On


Who is going to build it?

Page 20: 802.11: Ethernet Marches On

Who will be the players in the Public 802.11 opportunity?

• Wireless ISPs
• Fixed ISPs
• Free access providers
• Fixed operators
• Mobile operators
• Real estate owners
• Community networks
• Backbone operators
• Manufacturers

Page 21: 802.11: Ethernet Marches On

Ubiquity and reliability are the key factors for public WLAN access

What end users demand (most important first, least important last):

Consumer users: Cost; Wide availability; Seamless connection; Reliability; Security; Single billing relationship; Data transfer speed

Business users: Wide availability; Reliability; Security; VPN access; Seamless connection; Single billing relationship; Data transfer speed; Cost

Page 22: 802.11: Ethernet Marches On

Community Networks

• Cheap hardware: base stations (were $1000’s, now $135); card now $50
• Free software: Linux, NoCat authentication
• Organized in most major cities: SFNet, SeattleWireless, Guerrilla.net, NYC Wireless
• Great for education, probably won’t scale

Page 23: 802.11: Ethernet Marches On

Wireless ISPs (WISPs)?

• There are over 1000 in the US
• Mostly small and undercapitalized
• Successful in less developed areas: only broadband outside of major metros; main Internet service in some developing countries
• Limited growth due to limited capital

Page 24: 802.11: Ethernet Marches On

Several independent 802.11 providers have appeared (and disappeared)

• Wayport focuses on hotels and airports
• Telerama is an ISP based in Pittsburgh
• Community networks (e.g. NYCwireless, SeattleWireless, Elektrosmog) offer free access
• MobileStar went bankrupt, assets picked up by T-Mobile
• Wifi Metro / HereUare closed down

Page 25: 802.11: Ethernet Marches On

Business case is risky for these independent providers

• WISPs are still small and fragmented: difficult to establish a long-term relation with users; they cannot provide the breadth of coverage; high investment is required to build a brand; there is strong pressure to consolidate before any start-up
• Free access is becoming increasingly common, but it will remain limited to specific types of location and use
• Community networks encourage use, but are not in direct competition with other service providers

Page 26: 802.11: Ethernet Marches On

To succeed, WISPs need to face several challenges

• Availability
• Roaming
• Billing and pricing
• Security
• Consolidation pressure
• Branding
• Customer service
• Spectrum overcrowding
• Real estate owners
• Technology change

Page 27: 802.11: Ethernet Marches On

Mobile Operators?

• Conceptually they are well poised
• Culturally they will need to go through major transformation
• 802.11 can be seen to be both competitive and complementary
• Operators have been fixated on 3G as THE way for mobile data

Page 28: 802.11: Ethernet Marches On

Threat to 3G Mobile Operators? Wi-Fi

• Have it today
• It's faster
• It's decentralized
• It doesn’t require new spectrum
• It's CHEAP

Page 29: 802.11: Ethernet Marches On

3G is Expensive

• Voice operators are in debt: $180 billion in the last 15 months for new spectrum
• Last year AT&T Wireless spent 5 billion to upgrade their network from 9.6 Kbps (desktop speeds 20 years ago) to 56 Kbps (desktop speeds 10 years ago)
• Will spend 5 billion more this year

Source: Strategic News Services

Page 30: 802.11: Ethernet Marches On

3G is years away and slower

• By 2004, US carrier networks will support speeds of 384 Kbps, and 2 Mbps a year later
• But FCC says this is only for stationary use: speed drops 80% when walking and 95% when driving
• To get 2 Mbps or higher speeds businesses will have to individually negotiate and lease equipment from cell telcos
• Wi-Fi supports 11 Mbps today and 54 Mbps soon

Sources: NY Times 2/14/02, www.fcc.gov/3G

Page 31: 802.11: Ethernet Marches On

Cheaper to Install

• UMTS station (airport cell stations): cost $50,000 for hardware and connections; does not include spectrum licenses
• Wi-Fi base station: coverage is more limited (300 ft), but cost is closer to $1,000 and there are no spectrum licensing fees

Source: Seattle Times

Page 32: 802.11: Ethernet Marches On

Wi-Fi can do more than just data

• Location based services (Tenaid technologies)
• Mobile payment
• Voice: Voice over IP, peer-to-peer or through PBX; multiple band IP/GPRS/etc. phones

Page 33: 802.11: Ethernet Marches On

Public 802.11 delivers highspeed data access ahead of 3G

[Chart: transmission rate (kbit/s, from 50 up to 100 000) versus mobility (stationary, walking speed, driving speed) for 802.11b/WiFi, 802.11a and HiperLAN2, fixed LAN, HomeRF/Bluetooth, Blackberry (US), UMTS, GPRS and GSM]

Source: Public Wireless LAN Access: A Threat to Mobile Operators, Analysys Research, 2001

Page 34: 802.11: Ethernet Marches On

…but it will be complementary to cellular networks

802.11 public access:
• 11 Mbit/s wireless connection
• fixed LAN substitute
• VPN, intranet, streaming possible
• Concentrated in hotspots / hotzones
• Multiple providers
• Limited to PCs and PDAs (so far)

Cellular access:
• 9.6 kbit/s–500 Mbit/s transfer speed
• email, IM, information retrieval dominate
• Easier to create wider coverage
• Single billing relationship, roaming allowed
• Higher per-Mbyte charges
• Limited to mostly phone / PDAs

Page 35: 802.11: Ethernet Marches On

Cellular Operators: Potential Candidate to Build Network

[Figure: a cellular user and an 802.11 user reaching other networks (GSM, PSTN, ISDN, etc.) through a cellular base station, 802.11a mesh base stations, an IP network, a mobile switching center and a subscriber directory]

• Can leverage cell towers, CLEC status, customer base, billing systems, RF knowledge
• Complements 2.5G/3G (could save their a**)
• Will be a stretch: need to think different; currently paralyzed with fear

Page 36: 802.11: Ethernet Marches On

802.11 / VoIP & 2.5G/3G Cell

• Integrated 802.11 / cell phone in the works
• PBX adjunct solution: adds wireless handsets to existing PBX
• Single SIP identity can seamlessly follow a user between 802.11 handset and “cell phone”
• Laptops & PDAs could roam from hotspots to cellular data when outside of hotspot

Page 37: 802.11: Ethernet Marches On

Considerations for Mobile Operators

Advantages:
• WLANs will bring in additional revenues
• The billing relationship with customers can be exploited
• GPRS and 3G do not yet offer high bandwidth for data access
• 802.11 base stations are cheap to install
• WLAN may address a segment of demand that could otherwise be captured by WISP competitors
• The complexity of the service escapes most of the emerging WISP providers

Challenges:
• Need to negotiate rental contracts with local real estate owners
• WLAN data revenues will cannibalize, to some extent, GPRS/UMTS revenues
• New pricing schemes may be necessary to spur demand
• Initial investment required
• Value chain not yet understood
• Need to establish roaming agreements
• Bellhead mentality: ATM vs Ethernet, packet vs circuit, price / byte / time vs. bandwidth

Page 38: 802.11: Ethernet Marches On

Who will win?

• It is still too early to tell, but regional differences have emerged
• Mobile operators have an advantage, but they need to move fast and it's counter to their culture
• Independent WISPs have a clear focus and can move quickly, but are vastly undercapitalized
• Roaming and wide availability are key to success

Page 39: 802.11: Ethernet Marches On

Geography will have a strong impact on public WLAN access

Europe and Asia:
• Higher density of population
• Higher cellular penetration
• Market dominated by mobile operators
• Bigger reliance on public transportation, smaller homes
• Consumer-oriented wireless data market
Result: higher density of hotspots; WLAN access as an extension of cellular data access

US:
• Higher penetration of laptop computers and PDAs
• Higher Internet penetration
• Higher 802.11 penetration
• Airports and hotels as major hotspot locations
• More advanced wireless data applications for business users
Result: larger demand for wireless data applications from business users; WLAN access as a substitute for fixed LAN access

Page 40: 802.11: Ethernet Marches On

In Europe, mobile operators have been leading the way

• Telia HomeRun
• Sonera
• Telenor
• Telefónica Moviles/Iobox
• BTopenworld

Page 41: 802.11: Ethernet Marches On

In Asia, independent providers have started to appear

• MIS in Japan and Korea
• Several mobile operators have started trials or operations (NTT East/West, Japan Telecom, Far EasTone)
• Free access is available at several airports and other hotspot locations

Page 42: 802.11: Ethernet Marches On

Regional differences are bound to remain

• Mobile operators will have a larger role in Asia and Europe
• Independent providers with roaming agreements will survive in the US
• Billing traditions in Europe and Asia will result in a higher emphasis on metered access
• Billing traditions in the US will lead to a predominance of flat-fee pricing

Page 43: 802.11: Ethernet Marches On

802.11 Needs to Evolve for Public & Fixed Access

• Wireless bridging or meshing between access points
  Allow for cost effective hotzones; the 802.11 spec mentions but does not yet specify it; currently only limited proprietary implementations; 802.11a offers enough bandwidth to share
• 802.11h extended to allow sophisticated power management
  APs should use only enough power to reach adjacent nodes, minimize overlaps
• New physical layers
  Like Ethernet, different PHYs for speed / density; other spectrum (700 MHz, 24 GHz, 60 GHz, Ultrawide Band)

Page 44: 802.11: Ethernet Marches On


802.11 Basics

Page 45: 802.11: Ethernet Marches On

802.11 and the OSI reference model

OSI Layer 3 (Network): IETF Internet Protocol (IP)
OSI Layer 2 (Data Link): IEEE 802.2 Logical Link Control (LLC) over IEEE 802.11 Media Access Control (MAC)
OSI Layer 1 (PHY): 802.11 Frequency Hopping; 802.11 IrDA; 802.11b Direct Sequence Spread Spectrum; 802.11a OFDM at 5 GHz; 802.11g OFDM at 2.4 GHz; Future? UWB, 24 GHz, 60 GHz

Page 46: 802.11: Ethernet Marches On

IEEE 802.11 Standards

• 802.11a - 5 GHz - ratified in 1999
• 802.11b - 11 Mbps, 2.4 GHz, ratified in 1999
• 802.11d - World Mode and additional regulatory domains - ratified
• 802.11e - Quality of Service
• 802.11f - Inter-Access Point Protocol (IAPP)
• 802.11g - Higher data rate (>20 Mbps) 2.4 GHz
• 802.11h - Dynamic Frequency Selection and Transmit Power Control mechanisms
• 802.11i - Authentication and security

Page 47: 802.11: Ethernet Marches On

Original 802.11, circa 1999

• Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) with ACK
• FHSS, DSSS, IR
• 1 & 2 Mbps
• Wired Equivalent Privacy (WEP)
• SNMP v2 for remote management

Page 48: 802.11: Ethernet Marches On

802.11a

• Ratified as standard in Sept, 1999
• First products available in 2002
• Utilizes U-NII and ISM spectrum in the 5.25 - 5.85 GHz range (country specific)
• Data rates to 54 Mbps defined: 6, 9, 12, 18, 24, 36, 48, 54 Mbps
• 4 indoor only, 4 indoor/outdoor, 4 outdoor only (country specific)
• Regulations differ extensively across countries

Page 49: 802.11: Ethernet Marches On

802.11b

• Ratified as standard in Sept, 1999
• Emerged as product way before 802.11a
• 2.4 GHz, Direct Sequence
• 1, 2, 5.5 & 11 Mbps; Complementary Code Keying (CCK)
• 11 US channels, 13 ETSI channels, 14 Japan channels
• Power levels: 36 dBm EIRP (FCC), 20 dBm EIRP (ETSI)
• ISM - virtually approved world wide

Page 50: 802.11: Ethernet Marches On

802.11d: Extensions to Operate in Additional Regulatory Domains

• 802.11c (bridge operation) was subsumed into 802.11d
• Ratified in June, 2001
• Defines frequency and power limitation for different regulatory domains
• ‘World Mode’: APs set to appropriate regulatory domain; clients, upon association to AP, inherit the power and frequency requirements of the regulatory domain
• Permits roaming across different regulatory domains with the same client.

Page 51: 802.11: Ethernet Marches On

802.11e: MAC Enhancements for Quality of Service

• Ongoing, Draft 3.0, resolving comments
• Provides quality-of-service (QoS) features to support the existing 802.11b and 802.11a
• QoS and multimedia support are critical to wireless
• Required for networks with voice, video and audio
• Desired by most broadband service providers

Page 52: 802.11: Ethernet Marches On

802.11f: Recommended Practice for Inter Access Point Protocol

• Draft 2
• Inter Access Point Protocol (IAPP)
• Multivendor infrastructure
• Improved roaming
• Support for 802.11 authentication and privacy, including preauthentication
• Operation in a reasonably secure fashion
• Remote configuration, including AP attributes

Page 53: 802.11: Ethernet Marches On

IEEE 802.11g: Standard for Higher Rate (20+ Mbps) Extensions in the 2.4 GHz Band

• Still in draft, but silicon in the works
• Provides higher data rates @ 2.4 GHz; similar speeds as 802.11a
• Backward compatible with 11 Mbps (802.11b)
• Same modulation as 802.11a: OFDM
• Still has to compete with all other users of 2.4 GHz spectrum
• Still only 3 non-overlapping channels

[Figure: 802.11g at 6–54 Mb alongside 802.11b at 1–11 Mb]

Page 54: 802.11: Ethernet Marches On

802.11h: Spectrum Managed 802.11a

• Still in draft mode
• Dynamic Frequency Selection (DFS): enables a transmitter to move to another channel when it encounters other RF on its channel
• Transmit Power Control (TPC): provides minimum required transmitter power for EACH user; provides minimal interference to any other users or system
• ETSI requirement for 5 GHz

Page 55: 802.11: Ethernet Marches On

IEEE 802.11i Security

• Draft currently at version 3.0
• Fixes to WEP (software)
• AES instead of DES encryption: much more robust and modern encryption
• TKIP (Temporal Key Integrity Protocol): eliminates the major weakness of WEP key

Page 56: 802.11: Ethernet Marches On

802.1x / EAP: Port based network access control

• Falls under 802.1, NOT 802.11
• Extensible Authentication Protocol (EAP) is an IETF standard
• This is a NETWORK standard, not a wireless standard
• Is PART of the 802.11i draft
• Provides network authentication, NOT encryption, but can be used to supply keys

Page 57: 802.11: Ethernet Marches On

ISM Unlicensed Frequency Bands

[Figure: spectrum chart from extremely low frequency up through audio, AM broadcast, short wave radio, FM broadcast, television, cellular (840 MHz), NPCS (1.9 GHz), infrared, visible light, ultraviolet and X-rays, marking the unlicensed bands: 902-928 MHz; 2.4 – 2.4835 GHz (802.11b 11 Mbps, 802.11g 54 Mbps); 5 GHz (802.11a 54 Mbps); infrared wireless LAN]

Page 58: 802.11: Ethernet Marches On

802.11b/g 2.4 GHz Channels

• (14) 22 MHz wide channels (11 under FCC/ISTC)
• 3 non-overlapping channels (1, 6, 11)
• 11 Mbps data rate
• 3 access points or bridges can be co-located in the same location for a total of 33 Mbps aggregate throughput
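As an added example (not part of the slides), the following Python works out the channel overlap the slide describes: it takes the 22 MHz channel width from the slide and the 2.4 GHz channel centre frequencies from the 802.11 standard (channel 1 at 2412 MHz, 5 MHz spacing up to channel 13, channel 14 at 2484 MHz), then finds the largest set of mutually non-overlapping channels for each regulatory domain and the aggregate throughput of co-located APs on those channels.

```python
# Added example, not from the original slides.
# Channel width (22 MHz) and per-channel rate (11 Mbps) are the slide's figures;
# centre frequencies follow the 802.11 2.4 GHz channel plan.
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22

# Channel counts per regulatory domain, as given on the 802.11b slide.
FCC_CHANNELS = range(1, 12)     # 11 channels (US)
ETSI_CHANNELS = range(1, 14)    # 13 channels (Europe)
JAPAN_CHANNELS = range(1, 15)   # 14 channels (Japan)


def center_frequency(channel):
    """Centre frequency in MHz of a 2.4 GHz 802.11b/g channel (1-14)."""
    if channel == 14:
        return 2484                 # channel 14 sits apart from the 5 MHz grid
    if 1 <= channel <= 13:
        return 2407 + 5 * channel   # 2412, 2417, ... 2472
    raise ValueError("invalid 2.4 GHz channel %r" % channel)


def channels_overlap(a, b):
    """Two 22 MHz wide channels overlap when their centres are closer than 22 MHz."""
    return abs(center_frequency(a) - center_frequency(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping(channels):
    """True when no pair in the set overlaps (i.e. the set can share one site)."""
    return not any(channels_overlap(a, b) for a, b in combinations(channels, 2))


def overlapping_channels(channel, allowed):
    """All channels in `allowed` that would interfere with `channel`."""
    return [c for c in allowed if c != channel and channels_overlap(channel, c)]


def max_non_overlapping(allowed):
    """Largest set of mutually non-overlapping channels from `allowed`.

    Greedy by ascending centre frequency; because every channel has the same
    width this is the classic interval-scheduling greedy and is optimal.
    """
    chosen = []
    for ch in sorted(allowed, key=center_frequency):
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def aggregate_throughput_mbps(channels, per_channel_mbps=11):
    """Co-located APs only add up their rates when their channels do not overlap."""
    if not non_overlapping(channels):
        raise ValueError("channels overlap; throughput would not aggregate")
    return per_channel_mbps * len(channels)


if __name__ == "__main__":
    for name, allowed in (("FCC", FCC_CHANNELS), ("ETSI", ETSI_CHANNELS),
                          ("Japan", JAPAN_CHANNELS)):
        best = max_non_overlapping(allowed)
        print(name, "non-overlapping:", best,
              "aggregate:", aggregate_throughput_mbps(best), "Mbps")
    print("channels interfering with 6 under FCC:",
          overlapping_channels(6, FCC_CHANNELS))
```

Under the FCC plan the greedy picks exactly the slide's 1, 6, 11 for 33 Mbps aggregate; with Japan's channel 14 a fourth non-overlapping channel appears, since 2484 minus 2462 is exactly 22 MHz.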

Page 59: 802.11: Ethernet Marches On

802.11a 5 GHz Channels

[Figure: the 5 GHz band from 5.15 to 5.825 GHz showing UNII-1 (5.15 - 5.25 GHz), UNII-2 (5.25 - 5.35 GHz), the 5.470 GHz band and UNII-3 (5.725 - 5.825 GHz), with channel counts of 4, 4, 11 and 4]

• UNII-1: indoor use, antenna must be fixed to the radio; 40 mW
• UNII-2: indoor/outdoor use, fixed or remote antenna; 250 mW
• UNII-3: outdoor bridging only; 1 W
• US (FCC): 12 channels (*can use up to 6 dBi gain antenna)
• Europe: 19 channels (*assumes no antenna gain); 200 mW and 1 W power limits

*if you use a higher gain antenna, you must reduce the transmit power accordingly

Page 60: 802.11: Ethernet Marches On

802.11a/b Power and Range

802.11a rate   802.11b rate   Range
6 Mbps         2 Mbps         165 - 250 feet radius
12 Mbps        5.5 Mbps       130 - 165 feet
18 Mbps        11 Mbps        < 130 feet radius
36 Mbps        11 Mbps        < 75 feet radius

Page 61: 802.11: Ethernet Marches On

Terminology: Station (STA) Architecture

• Device that contains IEEE 802.11 conformant MAC and PHY interface to the wireless medium, but does not provide access to a distribution system
• Most often end-stations available in terminals (workstations, laptops etc.)
• Implemented in wireless IEEE 802.11 PC-Card

[Figure: platform computer running the protocol stack and driver software (STADr), passing Ethernet V2.0 / 802.3 format frames to the PC-Card hardware, whose WMAC controller with station firmware (WNIC-STA) and radio hardware use the 802.11 frame format]

Page 62: 802.11: Ethernet Marches On

Terminology: Station Architecture (cont’d)

• Ethernet-like driver interface supports virtually all protocol stacks
• Frame translation according to IEEE Std 802.1H
• Maximum data limited to 1500 octets
• Transparent bridging to Ethernet

[Figure: the same station architecture diagram as on the previous page]

Page 63: 802.11: Ethernet Marches On

Terminology: Access-Point (AP) Architecture

• Device that contains IEEE 802.11 conformant MAC and PHY interface to the wireless medium, and provides access to a distribution system for associated stations
• Most often infrastructure products that connect to wired backbones
• Usually implemented as a stand-alone box connected to an Ethernet backbone

[Figure: access point built from bridge hardware and bridge software, kernel software (APK), driver software (APDr), PC-Card hardware with a WMAC controller running access point firmware (WNIC-AP) and radio hardware using the 802.11 frame format, and an Ethernet interface using the Ethernet V2.0 / 802.3 frame format]

Page 64: 802.11: Ethernet Marches On

Terminology: Access-Point (AP) (cont’d)

• Stations select an Access-Point and “associate” with it
• Access-Points: support roaming; provide time synchronization functions (beaconing); provide power management support
• Traffic typically flows through the Access-Point

[Figure: the same access point architecture diagram as on the previous page]

Page 65: 802.11: Ethernet Marches On

Terminology: Basic Service Set (BSS)

• A set of stations controlled by a single “Coordination Function”: the logical function that determines when a station can transmit or receive
• A BSS can have an Access-Point, known as “infrastructure” mode (both in standalone networks and in building-wide configurations), or can run without an Access-Point (in standalone Ad-Hoc networks)
• Diameter of the cell is about twice the coverage-distance between two wireless stations

Page 66: 802.11: Ethernet Marches On

Basic Service Set (BSS)

[Figure: a single BSS]

Page 67: 802.11: Ethernet Marches On

Terminology: Independent Basic Service Set (IBSS)

• A Basic Service Set (BSS) which forms a self-contained network in which no access to a Distribution System is available
• Also known as “Ad-Hoc” mode: a BSS without an Access-Point
• One of the stations in the IBSS can be configured to “initiate” the network and assume the Coordination Function
• Diameter of the cell determined by coverage distance between two wireless stations

Page 68: 802.11: Ethernet Marches On

Independent Basic Service Set (IBSS)

[Figure: a single IBSS]

Page 69: 802.11: Ethernet Marches On

Terminology: Extended Service Set (ESS)

• A set of one or more Basic Service Sets interconnected by a Distribution System (DS)
• Traffic always flows via Access-Point (infrastructure mode)
• Extends coverage by adding access points / roaming
• Diameter of the cell is double the coverage distance between two wireless stations

Distribution System (DS):
• A system to interconnect a set of Access Points
• Wired: using cable to interconnect the Access-Points
• Wireless: using wireless to interconnect the Access-Points

Page 70: 802.11: Ethernet Marches On

Extended Service Set (ESS): BSS’s with wired Distribution System (DS)

[Figure: two BSSs joined by a wired Distribution System]

Page 71: 802.11: Ethernet Marches On

Extended Service Set (ESS): BSS’s and wireless Distribution System (DS)

[Figure: two BSSs joined by a wireless Distribution System]

Page 72: 802.11: Ethernet Marches On

Terminology: Service Set Identifier (SSID)

• “Network name”: identifies the wireless network
• Usually exposed and set by the user
• 32 octets long
• Each network (ESS or IBSS) has one SSID
• Most primitive of access control

Page 73: 802.11: Ethernet Marches On

Terminology: Basic Service Set Identifier (BSSID)

• “Cell Identifier”: generated automatically, not visible to user
• 6 octets long (MAC address format)
• Each BSS has one SSID
• Value of BSSID is the same as the MAC address of the radio in the Access-Point

Page 74: 802.11: Ethernet Marches On

Operational processes: Association

• To establish a relationship with an Access-Point
• Stations scan the frequency band and select the Access-Point with the best communications quality
  Active scan: sending a “Probe request” on specific channels and assessing the response
  Passive scan: assessing communications quality from beacon messages
• Access-Point maintains a list of associated stations in MAC FW: records station capability (data-rate); allows inter-BSS relay
• Station’s MAC address is also maintained in the bridge learn table associated with the port it is located on

Page 75: 802.11: Ethernet Marches On

Operational processes: Authentication

• To control access to the infrastructure via an authentication
• Stations identify themselves to other stations (or Access-Points) prior to data traffic or association
• Open System Authentication: uses null authentication algorithm; default, totally insecure
• Shared Key Authentication: uses WEP privacy algorithm
• 802.1x / EAP: secure authentication of each user

Page 76: Operational processes: Starting an ESS
• The infrastructure network is identified by its ESSID
• All Access-Points will have been set according to this ESSID
• On power-up, stations issue Probe Requests and locate the Access-Point they will associate with:
  • the “best” Access-Point with a matching ESSID, or
  • the “best” Access-Point of any network if the “desired SSID” has been set to “ANY”

Page 77: Operational processes: Starting an IBSS
A station configured for IBSS operation will:
• “Look” for Beacons that contain a network name (SSID) matching the one that is configured
• When Beacons with the matching network name are received and are issued by an AP, the station will associate to the AP
• When Beacons with the matching network name are received and are issued by another station in IBSS mode, the station will join this IBSS
• When no Beacons with the matching network name are received, the station will issue Beacons itself
All stations in an IBSS participate in sending Beacons: every station starts a random timer before the point in time when the next Beacon is due, and the first station whose timer expires sends the next Beacon.

Page 78: Security

Page 79: Range of Possible Security Solutions
[diagram: security options arranged from least to most protection]
• Public Access: No Security (no WEP, broadcast mode)
• Telecommuter and Small Business: Basic Security (static WEP; Wi-Fi 40-bit, 128-bit)
• Special Apps. / Business Traveler: VPN Security (end-to-end security using VPN)
• Mid-Market and Enterprise: Enhanced Security (802.1x via EAP, Dynamic Key Management System, and Mutual Authentication)

Page 80: Defense: Higher-Level Secure Protocols
[diagram: protocol stacks of a wireless client, a router, and a wired host (Application, Transport Layer (TCP, UDP), Network Layer (IP), Data-Link Layer, Phys. Layer). The router buffers packets that need to be forwarded, based on IP address. WEP sits only in the 802.11 link layer of the wireless hop; IPsec at the network layer and SSL above the transport layer run end-to-end across the 802.11 and Ethernet segments]

Page 81: Original 802.11 Security
• Authentication: Open System authentication, Shared Key authentication
• Data confidentiality: Wired Equivalent Privacy (WEP)
  • Designed to be as secure as a wired network
  • No encryption key management

Page 82: Poor Encryption with WEP
• Encryption for wireless is required
• Goal: to eliminate sniffing “over the air” between clients and the AP; does not deal with end-to-end encryption
• Two shared keys: a multicast/global key and a unicast session key; barely useful for home and corporate LANs
• Uses the RC4 symmetric stream cipher with 40-bit and 104-bit encryption keys
• Bad encryption design: they forgot to consult with cryptographers
• Determination and distribution of WEP keys are not defined by IEEE 802.11

Page 83: “Network Stumbler” shows 802.11 networks
[screenshot: screen of a laptop with a Wireless LAN card listing the networks found; the WEP column reads “No” for the networks shown]

Page 84: “AiroPeek” maps out who’s talking to whom
[screenshot]

Page 85: Data sniffed off the air from a non-WEP session
[screenshot]

Page 86: AirSnort: Cracks WEP Messages
http://airsnort.sourceforge.net
• Operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered
• Based on “Weaknesses in the Key Scheduling Algorithm of RC4” by Scott Fluhrer, Itsik Mantin and Adi Shamir
• AirSnort, along with WEPCrack, are the first public implementations of this attack
• Once ~5-10 million encrypted packets are gathered, AirSnort can guess the encryption password in under a second

Page 87: Original Security Issues
• No per-user identification and authentication
• No central authentication, authorization, and accounting
• No support for extended authentication: token cards, certificates, smart cards
• No support for unicast session key management

Page 88: Security Solutions in the pipe
• No per-user identification and authentication. Solution: IEEE 802.1X and EAP
• No central authentication, authorization, and accounting. Solution: RADIUS
• No support for extended authentication (token cards, certificates, smart cards). Solution: IEEE 802.1X and EAP
• No support for per-session encryption key management. Solution: IEEE 802.1X and EAP/TLS

Page 89: Is it hopeless until 802.1x?
What can I do without completely blowing my budget and redesigning my network?
• Enable WEP (it’s better than nothing…)
• Disable DHCP
• Don’t buy cheap APs
• Limit the MAC addresses that can connect to the network
• Separate the WLAN from the LAN and require a VPN

Page 90: IEEE 802.1x: Definitions
• Port-based network access control
  • Used for Ethernet switches
  • Adapted for IEEE 802.11
• Enforces authentication before frame exchange with the wired network is allowed
• Uses the Extensible Authentication Protocol (EAP)
• Defines EAP over LAN (EAPOL)

Page 91: EAP: An Overview
• Extension to PPP & Ethernet for arbitrary network access authentication mechanisms
• Authentication plug-in modules at both the wireless client and the authenticating server (RADIUS server)
[diagram: the wireless client exchanges EAP messages with the wireless AP, the AP exchanges RADIUS messages with the RADIUS server, and the EAP conversation runs end-to-end between the wireless client and the RADIUS server]

Page 92: EAP Types
• EAP-MD5 CHAP: the required EAP type, uses MD5 CHAP; NOT appropriate for wireless access
• EAP-TLS: for certificate-based security environments (registry-based certificates); generates high-entropy unicast session keys; appropriate for wireless access

Page 93: RADIUS: An Overview
• Remote Authentication Dial-In User Service (RADIUS): RFCs 2865 and 2866
• Centralized authentication, authorization, and accounting (AAA) for:
  • Wireless APs
  • Authenticating Ethernet switches
  • Virtual private network (VPN) servers
  • Digital Subscriber Line (DSL) and other network access servers

Page 94: RADIUS Infrastructure
[diagram: access clients connect to access servers (wireless AP, VPN server, dial-up server); the access servers speak the RADIUS protocol, through a RADIUS proxy where present, to a RADIUS server backed by a user account database]

Page 95: How it works: Authentication process
[diagram: three roles spanning the public/semi-public network, the enterprise / ISP edge, and the enterprise / ISP network]
• Supplicant: operates on the client
• Authenticator: operates on devices at the network edge, like APs and switches
• Authentication Server: the EAP plug-in goes in the RADIUS server

Page 96: How it works on the WLAN
[diagram: the same three roles across the public/semi-public network, the enterprise / ISP edge, and the enterprise / ISP network; only 802.1x traffic passes the edge before authentication]
• Supplicant: operates on the client
• Authenticator: the AP acting as Authenticator
• Authentication Server: the EAP plug-in goes in the RADIUS server

Page 97: Steps to EAP authentication
[diagram: message sequence between client, AP and RADIUS server]
• EAPOL Start (client to AP): start the process
• Identity Request (AP to client): ask the client for its ID
• Identity Response (client to AP): client provides its ID
• Access Request (AP to server): pass the request to the server
• Access Challenge / EAP Request / EAP Response / Access Request: perform the sequence defined by the authentication method (EAP-TLS, LEAP)
• Access Success (server to AP) / EAP Success (AP to client): session key delivered to the AP; start using WEP
• EAPOW Key (AP to client): deliver the broadcast key, encrypted with the session key

Page 98: Lessons
• Data encryption by itself offers no protection from attack
• There is no meaningful privacy if the data authenticity problem is not solved
• It is profoundly easy to mis-use a cipher: get any cryptographic scheme reviewed by professionals
• You must be concerned about security at all layers as well as from end-to-end
• 802.1x / EAP is only link layer security; it does not solve layer 2 shared medium issues

Page 99: In depth 802.1X / EAP

Page 100: What is Network Access Authentication?
• A mechanism by which access to the network is restricted to authorized entities
• Identities used are typically userIDs
  • NB: each user on a multi-user machine does not need to authenticate once the link is up, so this doesn’t guarantee that only the authenticated user is accessing the network
• Once authenticated, the session needs to be authorized
  • Authorization can include things like session keys, VLANID, rate limits, filters, tunneling, etc.
• To prevent hijacking, you need per-packet authentication as well
  • Encryption is orthogonal to authentication
  • Per-packet Message Integrity Check (MIC) based on a key derived during the authentication process, linking each packet to the identity claimed in the authentication
  • No MIC support in PPP or WEP!

Page 101: Network Access Control Alternatives
Network access authentication can be implemented at any layer.
• PHY
  • Example: 802.11b WEP
  • Pros: no MAC or TCP/IP changes required (all support in firmware)
  • Cons: requires firmware changes in NICs and NASes to support new auth methods, requires the NAS to understand new auth types, slows delivery of bug fixes (e.g. WEP v1.0), hard to integrate into AAA
• MAC
  • Examples: PPP, 802.1X
  • Pros: no firmware changes required for new auth methods, easier to fix bugs, easy to integrate into AAA, no network access needed prior to authentication, extensible (RFC 2284)
  • Cons: requires MAC layer changes unless implemented in the driver

Page 102: Network Access Control Alternatives (cont’d)
• IP
  • Examples: hotel access (based on ICMP re-direct to an access web server)
  • Pros: no client MAC or TCP/IP changes required (for the ICMP re-direct method)
  • Cons: doesn’t work for all apps, no mutual authentication, partial network access required prior to auth, need to find the access control server if not at the first hop, typically not extensible, may not derive encryption keys, no accounting (no logoff)
• UDP/TCP
  • Examples: proprietary token card protocols
  • Pros: no client MAC or TCP/IP changes required; can be implemented purely at the application layer
  • Cons: requires client software, partial network access required prior to auth, need to find the access control server if not at the first hop, typically not extensible, no accounting (no logoff)

Page 103: Why Do Auth at the Link Layer?
• It’s fast, simple, and inexpensive
  • Most popular link layers support it: PPP, IEEE 802
  • Cost matters if you’re planning on deploying 1 million ports!
• The client doesn’t need network access to authenticate
  • No need to resolve names or obtain an IP address prior to auth
• NAS devices need minimal layer 3 functionality
  • 802.11 access points and 1 Gbps switch ports go for $300, support 802.1D, 802.1X, SNMP & RADIUS, and may have no layer 3 filtering support
  • Authentication and AAA support is typically a firmware upgrade
• In a multi-protocol world, doing auth at the link layer enables authorizing all protocols at the same time
  • Doing it at the network layer would mean adding authentication within IPv4, IPv6, AppleTalk, IPX, SNA, NetBEUI
  • Would also mean authorizing within multiple layers; result: more delay

Page 104: What is IEEE 802.1X?
• The IEEE standard for authenticated and auto-provisioned LANs; ratified June 2001
• Based on EAP, IETF RFC 2284
• A framework for authentication and key management
  • IEEE 802.1X derives keys which can be used to provide per-packet authentication, integrity and confidentiality
  • Typically used along with well-known key derivation algorithms (e.g. TLS, SRP, etc.)
• IEEE 802.1X does not mandate security services: can do authentication, or authentication & encryption
  • Encryption alone is not recommended (but that’s what WEP does)

Page 105: What 802.1X is not
• Not purely a wireless standard: it applies to all IEEE 802 technologies (e.g. Ethernet First Mile applications)
• Not PPP over Ethernet (PPPOE): only supports EAP authentication methods (no PAP or CHAP); packets are not encapsulated
• Not a cipher: not a substitute for WEP, RC4, DES, 3DES, AES, etc.; but 802.1X can be used to derive keys for any cipher
• Not a single authentication method; but 802.1X can support many authentication methods without changes to the AP or NIC firmware

Page 106: A History of IEEE 802.1X
• The idea started with customers who wanted to control access to a public network
  • Universities, government agencies
  • Existing approaches were inadequate
  • Customers wanted something that could be implemented inexpensively, on existing switches
  • Customers wanted to utilize existing network access infrastructure (RADIUS, LDAP, etc.)
  • PPPOE: too much overhead. VPN: too many interoperability issues. DHCP: designed for addressing and configuration, not access control
• Concept developed by 3Com, HP, Cisco, Microsoft and others
  • Examined alternatives, and settled on a Layer 2 approach
  • A small group wrote the spec and built prototypes: consensus and running code! Not designed by committee!
• IEEE 802.1X PAR approved in January 1999; approved as an IEEE standard June 2001
• Specification available at http://www.drizzle.com/~aboba/IEEE/ (a great site for info on 802.1x / EAP and wireless in general)

Page 107: 802.1X Topologies
[diagram: a Supplicant on the semi-public network / enterprise edge talks to an Authenticator/EtherNAS (e.g. Access Point or Bridge) over EAP Over Wireless (EAPOW) or EAP over LAN (EAPOL); the Authenticator relays EAP Over RADIUS to the Authentication Server in the enterprise or ISP network; the Supplicant and Authenticator each terminate a PAE. A non-802.1X EtherCPE with its own Supplicant is shown as an alternative attachment]

Page 108: 802.1X Security Philosophy
• Approach: a flexible security framework
  • Implement the security framework in upper layers
  • Enable plug-in of new authentication and key management methods without changing the NIC or Access Point
  • Leverage main CPU resources for cryptographic calculations
• How it works
  • The security conversation is carried out between the supplicant and the authentication server
  • The NIC and Access Point act as pass-through devices
• Advantages
  • Decreases hardware cost and complexity
  • Enables customers to choose their own security solution
  • Can implement the latest, most sophisticated authentication and key management techniques with modest hardware
  • Enables rapid response to security issues

Page 109: What is EAP?
• The Extensible Authentication Protocol (RFC 2284)
• Provides a flexible link layer security framework
• Simple encapsulation protocol
  • No dependency on IP
  • ACK/NAK, no windowing
  • No fragmentation support
• Few link layer assumptions
  • Can run over any link layer (PPP, 802, etc.)
  • Does not assume a physically secure link; methods provide security services
  • Assumes no re-ordering
  • Can run over lossy or lossless media; retransmission is the responsibility of the authenticator (not needed for 802.1X or 802.11)
• EAP methods based on IETF standards: Transport Level Security (TLS), Secure Remote Password (SRP), GSS_API (including Kerberos)

Page 110: EAP Architecture
[diagram: three layers. Method layer: TLS, SRP, AKA, SIM. EAP layer: EAP, reached through EAP APIs. Media layer, reached through NDIS APIs: PPP, 802.3 CSMA/CD (Ethernet), 802.5 Token Ring, 802.11 Wireless LAN]

Page 111: What is RADIUS?
• Remote Access Dial In User Service
• Supports authentication, authorization, and accounting for network access
  • Physical ports (analog, ISDN, IEEE 802)
  • Virtual ports (tunnels, wireless)
• Allows centralized administration and accounting
• IETF status
  • Proposed standard: RFC 2865, RADIUS authentication/authorization; RFC 2618-2621, RADIUS MIBs
  • Informational: RFC 2866, RADIUS accounting; RFC 2867-8, RADIUS tunneling support; RFC 2869, RADIUS extensions; RFC 3162, RADIUS for IPv6

Page 112: IEEE 802.1X Conversation
[diagram: laptop computer, Ethernet switch and RADIUS server; EAPOL between laptop and switch, RADIUS between switch and server]
• Port connect: access blocked
• EAPOL-Start (laptop to switch)
• EAP-Request/Identity (switch to laptop)
• EAP-Response/Identity (laptop to switch)
• Radius-Access-Request (switch to server)
• Radius-Access-Challenge (server to switch)
• EAP-Request (switch to laptop)
• EAP-Response (credentials) (laptop to switch)
• Radius-Access-Request (switch to server)
• Radius-Access-Accept (server to switch)
• EAP-Success (switch to laptop): access allowed

Page 113: 802.1X On 802.11
[diagram: laptop computer, Access Point and RADIUS server; EAPOW over the 802.11 wireless link, RADIUS between AP and server]
• 802.11 Associate-Request (laptop to AP) / 802.11 Associate-Response (AP to laptop): association; access blocked
• EAPOW-Start (laptop to AP)
• EAP-Request/Identity (AP to laptop)
• EAP-Response/Identity (laptop to AP)
• Radius-Access-Request (AP to server)
• Radius-Access-Challenge (server to AP)
• EAP-Request (AP to laptop)
• EAP-Response (credentials) (laptop to AP)
• Radius-Access-Request (AP to server)
• Radius-Access-Accept (server to AP)
• EAP-Success (AP to laptop): access allowed
• EAPOW-Key (WEP) (AP to laptop)

Page 114: 802.1X authentication in 802.11
• IEEE 802.1X authentication occurs after 802.11 association or reassociation
  • Association/Reassociation serves as “port up” within the 802.1X state machine
  • Prior to authentication, the access point filters all non-802.1X traffic from the client
  • If 802.1X authentication succeeds, the access point removes the filter
• 802.1X messages are sent to the destination MAC address
  • Client and Access Point MAC addresses are known after 802.11 association
  • No need to use the 802.1X multicast MAC address in EAP-Start and EAP-Request/Identity messages
  • Prior to 802.1X authentication, the access point only accepts packets with source = Client and Ethertype = EAPOL
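The filter described on this slide and the exchange on the two preceding conversation slides, modelled as an added example (my code, not the deck’s or any vendor’s): an access point that treats association as “port up”, drops everything but EAPOL frames from an unauthenticated station, passes EAP responses through to a stand-in RADIUS function, and opens the controlled port only on EAP-Success. The frame layout, the demo_radius stand-in and the station and identity values are constructed assumptions.

```python
"""Model of the 802.1X controlled port on an 802.11 access point.

Added example, not from the original slides: association is "port up", the AP
then drops every frame from the station except EAPOL frames sourced by that
station, and only an EAP-Success from the authentication server opens the port.
The frame layout and the RADIUS stand-in are simplified assumptions.
"""
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E          # EAP over LAN (802.1X)
ETHERTYPE_IPV4 = 0x0800

# EAPOL packet types carried inside an EAPOL frame (assumed subset)
EAPOL_START, EAPOL_EAP_PACKET, EAPOL_KEY = "Start", "EAP-Packet", "Key"
# EAP codes (RFC 2284)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4


@dataclass
class Frame:
    src: str                # station MAC address
    ethertype: int
    payload: dict = field(default_factory=dict)


@dataclass
class PortState:
    associated: bool = False
    authorized: bool = False   # is the controlled port open?
    identity: str = ""


class AuthenticatorAP:
    """AP acting as 802.1X authenticator; the RADIUS server is a callable."""

    def __init__(self, radius):
        self.radius = radius            # radius(identity, credentials) -> EAP code
        self.ports = {}                 # station MAC -> PortState
        self.log = []

    def associate(self, sta: str) -> None:
        # Association (or reassociation) is "port up" in the 802.1X state machine
        self.ports[sta] = PortState(associated=True)
        self.log.append(f"{sta}: associated, controlled port blocked")

    def receive(self, frame: Frame) -> str:
        port = self.ports.get(frame.src)
        if port is None:
            return "drop: not associated"
        if port.authorized:
            return "forward"            # filter removed after EAP-Success
        # Before authentication only EAPOL frames from the station are accepted
        if frame.ethertype != ETHERTYPE_EAPOL:
            self.log.append(f"{frame.src}: dropped non-EAPOL frame 0x{frame.ethertype:04x}")
            return "drop: port unauthorized"
        return self._handle_eapol(port, frame)

    def _handle_eapol(self, port: PortState, frame: Frame) -> str:
        kind = frame.payload.get("type")
        if kind == EAPOL_START:
            # Unicast EAP-Request/Identity: both MACs are known after association,
            # so the 802.1X multicast address is not needed
            return "EAP-Request/Identity"
        if kind == EAPOL_EAP_PACKET and frame.payload.get("code") == EAP_RESPONSE:
            if "identity" in frame.payload:
                port.identity = frame.payload["identity"]
                return "Access-Request to RADIUS (EAP-Response/Identity)"
            # Credentials are passed through to the authentication server untouched
            code = self.radius(port.identity, frame.payload.get("credentials"))
            if code == EAP_SUCCESS:
                port.authorized = True
                self.log.append(f"{frame.src}: EAP-Success, controlled port opened")
                return "EAP-Success; EAPOW-Key follows"
            return "EAP-Failure"
        return "drop: unexpected EAPOL"


def demo_radius(identity: str, credentials) -> int:
    """Constructed stand-in for the RADIUS server and EAP method; not a real EAP method."""
    valid = {"alice@bigco.example": "correct-horse"}     # constructed sample user
    return EAP_SUCCESS if valid.get(identity) == credentials else EAP_FAILURE


def run_exchange(sta="00:11:22:33:44:55", identity="alice@bigco.example", creds="correct-horse"):
    """Walk one station through association and 802.1X; returns the AP's decisions."""
    ap = AuthenticatorAP(demo_radius)
    ap.associate(sta)
    decisions = [
        ap.receive(Frame(sta, ETHERTYPE_IPV4)),                       # dropped: not yet authenticated
        ap.receive(Frame(sta, ETHERTYPE_EAPOL, {"type": EAPOL_START})),
        ap.receive(Frame(sta, ETHERTYPE_EAPOL, {"type": EAPOL_EAP_PACKET, "code": EAP_RESPONSE,
                                                "identity": identity})),
        ap.receive(Frame(sta, ETHERTYPE_EAPOL, {"type": EAPOL_EAP_PACKET, "code": EAP_RESPONSE,
                                                "credentials": creds})),
        ap.receive(Frame(sta, ETHERTYPE_IPV4)),                       # forwarded once authorized
    ]
    return decisions, ap


if __name__ == "__main__":
    decisions, ap = run_exchange()
    print("\n".join(decisions))
    print("\n".join(ap.log))
```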

Page 115: 802.1X and Per-Client Session Keys
• How does 802.1X derive per-Station unicast session keys?
  • Can use any EAP method supporting secure dynamic key derivation: EAP-TLS (RFC 2716), EAP-SRP, EAP-AKA, EAP-SIM (for compatibility with cellular), Security Dynamics
  • Keys are derived on the client and the RADIUS server
  • The RADIUS server transmits the key to the access point; the RADIUS attribute is encrypted on a hop-by-hop basis using the shared secret shared by RADIUS client and server
  • Unicast keys can be used to encrypt subsequent traffic, including the EAPOW-Key packet (for carrying multicast/global keys)
• Per-Station unicast session keys are not required
  • If only multicast/global keys are supported, then the session key is only used to encrypt the multicast/global key

Page 116: 802.1X and Multicast/Global Keys
• How can 802.1X transfer multicast/global keys?
• An EAPOL packet type is defined for use in transporting multicast/global keys: EAPOW-Key
  • The EAPOW-Key packet type is used to transmit one or more keys from the access point to the client (or vice versa)
  • EAPOW-Key packets are only sent after EAPOW authentication succeeds
  • EAPOW-Key packets are encrypted using the derived per-STA encryption key

Page 117: Deploying IEEE 802.1X With 802.11

Page 118: Deployment Issues with 802.11
• User-based authentication and accounting
  • 802.11-1997 only allows users to be identified by MAC address
  • How do I know who is on my network? How can I do user-based access control, accounting and auditing? What happens if a machine is stolen?
  • Proprietary key management solutions require separate user databases
• Secure roaming
  • Why can’t you just “plug in and connect” anywhere in the world?
• Key management
  • 802.11-1997 supports per-user keys, but most implementations only support global keys
  • What if the global key(s) are compromised?
  • Static keys are difficult to manage on clients and access points

Page 119: WEP Summary of Attacks
• Downloadable procedures
  • To crack the key: http://airsnort.sourceforge.net/ and http://sourceforge.net/projects/wepcrack/
  • To brute force entry into a WLAN, select THC-RUT from http://www.thehackerschoice.com/releases.php
• Attacks based on [Walker], [Arbaugh], [Berkeley team], [Fluhrer/Shamir]
  • Lack of IV replay protection
  • Short IV sequence space
  • RC4 vulnerabilities due to WEP’s implementation
  • Linear properties of CRC32 (allows bit flipping)
  • Lack of keyed MIC
  • Use of shared keys

Page 120: Quest to Improve WEP
How can we improve WEP security and:
• Retain (most) performance: enhance without greatly reducing line rates
• Easily upgrade deployed systems: avoid hardware upgrades
• Retain interoperability: allow most deployed systems to upgrade; allow for incremental deployment; allow legacy systems to continue to work without improvements
• Provide better protection until AES is available

Page 121: Improving WEP’s Security
Recommended Practice includes:
• Per-link keys: a unique key per STA
• IV sequencing: check for monotonically increasing IVs; weak IV avoidance
• 104-bit keys: IV + key = 128 bits
• Rapid rekey: derive WEP keys from a master key; change the encryption key frequently
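A receiver that applies the recommended practice above, and addresses the “lack of IV replay protection” and “lack of keyed MIC” items from the attack summary, written as an added example that is not from the slides: per-link keys derived from a master key with a rekey counter, a monotonic IV check per link over the 24-bit IV space implied by IV + key = 128 bits, and a keyed MIC in place of the ICV. HMAC-SHA256 for the derivation and the truncated-HMAC MIC are my assumptions for illustration, not the WEP algorithm or any 802.11 standard derivation.

```python
"""Receiver-side checks from the "Improving WEP's Security" recommended practice.

Added example, not from the slides: per-link keys derived from a master key with
a rekey counter, monotonically increasing 24-bit IVs per link, and a keyed MIC so
a replayed or modified frame is rejected.  The derivation (HMAC-SHA256) and the
MIC are illustrative assumptions, not the WEP or 802.11i algorithms.
"""
import hashlib
import hmac

IV_BITS = 24                        # 128-bit "key" = 24-bit IV + 104-bit key
IV_SPACE = 1 << IV_BITS             # 16,777,216 IVs before the sequence must wrap
KEY_BYTES = 13                      # 104-bit WEP key


def derive_link_key(master: bytes, sta_mac: str, rekey_counter: int) -> bytes:
    """Unique 104-bit key per station; bumping rekey_counter gives rapid rekey."""
    info = b"wep-link-key|" + sta_mac.encode() + b"|" + rekey_counter.to_bytes(4, "big")
    return hmac.new(master, info, hashlib.sha256).digest()[:KEY_BYTES]


def keyed_mic(key: bytes, iv: int, body: bytes) -> bytes:
    """Truncated HMAC over IV and body; unlike CRC-32 it cannot be recomputed without the key."""
    return hmac.new(key, iv.to_bytes(3, "big") + body, hashlib.sha256).digest()[:8]


def seconds_until_iv_wrap(frames_per_second: float) -> float:
    """How long a link can transmit before the short IV space repeats at a given frame rate."""
    return IV_SPACE / frames_per_second


class LinkReceiver:
    """Tracks the highest IV accepted per station and rejects replays and forgeries."""

    def __init__(self, master: bytes):
        self.master = master
        self.last_iv = {}       # sta_mac -> highest IV accepted on this link
        self.rekey = {}         # sta_mac -> current rekey counter

    def rekey_station(self, sta_mac: str) -> None:
        self.rekey[sta_mac] = self.rekey.get(sta_mac, 0) + 1
        self.last_iv[sta_mac] = -1          # a fresh key starts a fresh IV sequence

    def accept(self, sta_mac: str, iv: int, body: bytes, mic: bytes) -> str:
        if not 0 <= iv < IV_SPACE:
            return "reject: IV out of range"
        # IV sequencing: every accepted IV must exceed the last one seen on this link
        if iv <= self.last_iv.get(sta_mac, -1):
            return "reject: IV not increasing (replay)"
        key = derive_link_key(self.master, sta_mac, self.rekey.get(sta_mac, 0))
        if not hmac.compare_digest(keyed_mic(key, iv, body), mic):
            return "reject: MIC mismatch (modified or wrong key)"
        self.last_iv[sta_mac] = iv
        return "accept"


def demo():
    """Constructed traffic from one station: normal frames, a replay, a tampered frame, a rekey."""
    master = b"\x01" * 32                       # constructed master key
    sta = "00:11:22:33:44:55"                   # constructed station address
    rx = LinkReceiver(master)
    key = derive_link_key(master, sta, 0)
    frames = [(1, b"hello"), (2, b"world"), (2, b"world"), (3, b"again")]
    results = [rx.accept(sta, iv, body, keyed_mic(key, iv, body)) for iv, body in frames]
    # One flipped bit in the body: the keyed MIC no longer verifies
    tampered = bytes([b"again"[0] ^ 0x01]) + b"again"[1:]
    results.append(rx.accept(sta, 4, tampered, keyed_mic(key, 4, b"again")))
    rx.rekey_station(sta)                        # rapid rekey: the old key stops verifying
    results.append(rx.accept(sta, 5, b"after rekey", keyed_mic(key, 5, b"after rekey")))
    new_key = derive_link_key(master, sta, 1)
    results.append(rx.accept(sta, 1, b"after rekey", keyed_mic(new_key, 1, b"after rekey")))
    return results


if __name__ == "__main__":
    print("\n".join(demo()))
    print(f"24-bit IV space wraps after {seconds_until_iv_wrap(1000):.0f} s at 1000 frames/s")
```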

Page 122: 802.1X Authentication
• 802.1X users are identified by usernames, not MAC addresses
  • Enables user-based authentication, authorization, accounting
• For use with 802.1X, EAP methods supporting mutual authentication are recommended
  • Need to mutually authenticate to guarantee the key is transferred to the right entity
  • Prevents man-in-the-middle and rogue server attacks
• Common EAP methods support mutual authentication
  • TLS: server and client must supply a certificate and prove possession of the private key
  • SRP: permits mutual authentication via a weak shared secret without risk of a dictionary attack on the wire
  • Tunneled TLS: enables any EAP method to run, protected by TLS

Page 123: Advantages of IEEE 802.1X
• Open standards based
  • Leverages existing standards: EAP (RFC 2284), RADIUS (RFC 2865, 2866, 2867, 2868, 2869)
  • Enables interoperable user identification, centralized authentication, key management
  • Enables automated provisioning of LAN connectivity
• User-based identification
  • Identification based on the Network Access Identifier (RFC 2486) enables support for roaming access in public spaces (RFC 2607)
  • Enables a new class of wireless Internet access
• Dynamic key management
  • Improved security for wireless (802.11) installations

Page 124: WEPv1.0 w/802.1X
• Improved key derivation
  • Per-user unicast keys instead of a global unicast key
  • Unicast key may be changed periodically to avoid staleness
  • Support for standards-based key derivation techniques; examples: TLS, SRP
  • Kerberos V without PKINIT not recommended for use with 802.11
• Additional fixes still under discussion: authentication for reassociate, disassociate
• WEP deficiencies still present: no keyed MIC, improper usage of the RC4 stream cipher, no IV replay protection
• Long term solution: need a “real” cipher! AES proposals under discussion: AES-OCB versus AES-CTR mode and CBC-MAC with XCBC extensions

Page 125: 802.1X Implementations
• Implementations available now
  • IEEE 802.1X support included in Windows XP
  • Firmware upgrades available from AP and NIC vendors
  • Interoperability testing underway
• 802.1X OS support
  • Microsoft: Windows XP
  • Cisco: Windows 9x, NT4, 2000, Mac OS, Linux
• RADIUS servers supporting EAP: Microsoft Windows 2000 Server, Cisco ACS, Funk RADIUS, Interlink Networks (formerly MERIT) RADIUS server

Page 126: Vendors Supporting 802.1X
• Microsoft, AirWave, Compaq, Dell, IBM, Intel, HP, Symbol, Toshiba, Telson, Wayport: http://www.microsoft.com/presspass/press/2001/Mar01/03-26XPWirelessPR.asp
• 3Com: http://emea.3com.com/news/news01/mar26.html
• Agere: http://www.networkmagazine.com/article/COM20010629S0009 and http://www.lucent.com/micro/NEWS/PRESS2001/080801a.html
• Enterasys: http://www.dialelectronics.com.au/articles/c4/0c0023c4.asp and http://www.computingsa.co.za/2001/03/26/News/new07.htm
• Intersil: http://www.intersil.com/pressroom/20010403_802_1xWindows_XPFINAL_English.asp
• Cisco Catalyst switches: http://www.redcorp.com/products/09084608.asp
• Cisco 802.11 access points: http://www.security-informer.com/english/crd_security_495312.html and http://cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1281_pp.pdf

Page 127: 802.1X Applications

Page 128: The Role of RADIUS
RADIUS is the key to enabling 802.1X applications.
• RADIUS enables per-user compulsory tunneling assignment
  • More flexible than static or realm-based tunneling
  • What if [email protected] is to be given Internet access, but [email protected] should be tunneled to the marketing tunnel server?
• RADIUS enables per-user VLAN assignment
  • More flexible than static per-port or MAC-based VLAN assignment
• RADIUS enables accounting and auditing
  • Both switch/AP and tunnel server can use RADIUS
  • Allows the enterprise to audit usage and do alarming
  • BIGCO can match accounting records from the tunnel server with accounting records from the ISP for auditing purposes
• RADIUS enables use of a single userID/password pair
  • Both bridge/access point and tunnel server can authenticate against the same database
  • RADIUS server backend, LDAP backend

Page 129: Why Are Shared Use APs Important?
• Multiple providers are becoming the norm within airports
  • Airlines are installing 802.11 networks for use in baggage reconciliation and roving ticket counters
  • Multiple wireless ISPs often also want to serve airport customers
• Radio interference is an issue
  • In the US and Europe 802.11b networks can support only 3 non-overlapping channels
  • In France and Japan only one channel is available
  • Once the channels are utilized by existing APs, additional APs will interfere and reduce performance
• 802.11 deployment in public spaces is expensive
  • In this economic environment, raising capital is difficult
  • The cost of providing wireless access is inversely proportional to infrastructure utilization
  • More economical to build infrastructure and share it among multiple providers than to build overlapping infrastructure

Page 130: What Features Are Needed for Shared Use APs?
• Support for multiple SSIDs in a single AP
  • Multiple SSIDs in Beacon and Probe Response are not prohibited by 802.11-1997
  • Only a single SSID is needed in Association and Reassociation Requests
• IEEE 802.1X: users identified by userid rather than MAC address
• Network Access Identifier (NAI) support: described in RFC 2486; the format is user@domain, where domain identifies the home server
• SNMPv3 support: contexts used to support multiple virtual MIB instances
• RADIUS authentication and accounting: SSID included in the Called-Station-Id attribute
• RADIUS proxies: RADIUS-based roaming described in RFC 2607; RADIUS authentication and accounting packets are routed between the AP and the home server by RADIUS proxies

Page 131: Shared Use APs
[diagram: a shared-use 802.11 AP advertising SSIDA, SSIDB and SSIDC; a remote user ([email protected]) associates, and the RADIUS request travels through a RADIUS proxy and the ISP A proxy across the Internet to the BIGCO customer RADIUS server]
• AP advertises multiple SSIDs in Beacon, Probe Response
• Multiple ISPs share the same AP
• STA associates with a single AP, SSID
• User authentication request routed to the home server

Page 132: What Is Wireless Roaming?
• Definition: the ability to use many wireless Internet Service Providers while maintaining a business relationship with only one
• Requirements: an 802.1X-enabled client with an 802.11 wireless card; a roaming-capable authentication proxy and server
• Roaming standards developed in the IETF ROAMOPS WG
  • RFC 2194, Roaming Implementations Review
  • RFC 2477, Roaming Evaluation Criteria
  • RFC 2486, Network Access Identifier
  • RFC 2607, Proxies and Policy Implementation

Page 133: Wireless Global Roaming via IEEE 802.11 and 802.1X
[diagram: a corporate RADIUS server gives global access to 802.11 wireless connectivity at 802.11 and 802.1X enabled airports, hotels and malls]
• Simple, automatic detection of 802.11 connectivity
• Global login with corporate or ISP userIDs

Page 134: Bilateral Roaming support
[diagram: a roaming client ([email protected]) attaches through the ISP A RADIUS proxy or the ISP B RADIUS proxy, each fronted by an IAS proxy in the cloud; requests reach the Bigco RADIUS server, which sits alongside a PPTP server and an NT DC]

Page 135: Roaming Consortia
[diagram: as in the bilateral case, but the ISP A and ISP B RADIUS proxies forward through an IAS proxy to a consortium RADIUS proxy, which forwards to the BigCo RADIUS server (alongside the PPTP server and NT DC)]

Page 136: Certificate-Based Roaming
[diagram: a roaming client ([email protected]) authenticates with EAP-TLS through an IAS proxy in the cloud to the ISP A RADIUS server; the Bigco certificate server publishes a Certificate Revocation List; Bigco’s RADIUS server, PPTP server and NT DC are also shown]
• The ISP A RADIUS server can authenticate [email protected] from the client certificate
• No need to proxy authentication
• ISP A needs to check Bigco’s certificate revocation list

Page 137: Wholesale Wireless Access
[diagram: 802.11 wireless access points AP A, AP B and AP C on public 802.11 wireless networks and carrier networks; a remote user ([email protected]) sends RADIUS through the ISP A RADIUS proxy over the Internet to the BIGCO customer RADIUS server]
• User sends the authentication request to the ISP
• ISP delegates authentication to the corporation
• Single point of administration

Page 138: 802.11: Ethernet Marches On


Benefits of Wholesale accounts: The ISP
• Increased sales
  Attach rate of consumer services
  Partner relations with enterprise
• Reduction in costs
  Simple administration, server mgmt. tools
  Improved collection and billing
  Reduced size of client store
  Compensation for client support burden
• Simplified account management
  Improved collections and cash flow
  Corporate clientele, automated pmt

Page 139: 802.11: Ethernet Marches On


Benefits of Wholesale accounts: The Enterprise
• Ubiquitous 802.11 wireless support
  Enables rapid deployment of IEEE 802.11 technology in hotels, airports, malls
  Users can obtain wireless access using their existing corpnet accounts
• Simplicity
  Automatic detection of wireless connectivity via "media sense"
  Auto-detection of 802.11 SSID
  Pre-configure userID/password pairs if desired
  Easier to provide "backup" provider
  RADIUS accounting data for auditing and chargeback
• Reduced carrying costs
  Leverage ISP capacity and aggregation
  Shared support burden and ISP expertise
• Improved flexibility
  ISP capacity
  Validation off RADIUS, LDAP, or ODBC back ends

Page 140: 802.11: Ethernet Marches On


Security Issues in Wholesale Wireless Access
• RADIUS does not provide for inter-domain security
  No support for end-to-end message integrity or attribute hiding
  Proxy can add, delete, modify attributes in transit between client and server
  Proxy will have access to Tunnel passwords and WEP keys in clear text
• Recommendation
  Use strong mutual authentication when untrusted proxies are present
  Check logs to detect unusual proxy activity
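As an added illustration of the hop-by-hop problem on this slide (example code written for this page, not from the presentation or from any IAS or RADIUS product): RFC 2868 Tunnel-Password hiding is keyed by the shared secret and Request Authenticator of one hop, so a proxy between the access point and the home RADIUS server has to decrypt the key and re-encrypt it for the next hop, and the RFC 2865 Response Authenticator it recomputes only covers that next hop. The secrets, authenticators, salts and the single-attribute packet body below are constructed values.

```python
"""Added example: RFC 2868 Tunnel-Password hiding is only hop-by-hop, so a
RADIUS proxy sees the key in clear and can rewrite attributes while still
producing a valid RFC 2865 Response Authenticator for the downstream hop."""
import hashlib
import struct

TUNNEL_PASSWORD = 69  # RFC 2868 attribute type; value = Tag | Salt(2) | String


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def tunnel_password_encrypt(secret, req_auth, salt, password):
    """RFC 2868 s3.5: plaintext = len || password, NUL-padded to 16-byte blocks;
    b1 = MD5(S+R+A), bn = MD5(S+c(n-1)), cn = pn XOR bn; output = salt || c1 || c2..."""
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", b""
    for i in range(0, len(plain), 16):
        b = _md5(secret, req_auth, salt) if i == 0 else _md5(secret, prev)
        prev = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out += prev
    return salt + out


def tunnel_password_decrypt(secret, req_auth, data):
    """Inverse of the above; only works with the secret shared on this hop."""
    salt, cipher, plain, prev = data[:2], data[2:], b"", b""
    for i in range(0, len(cipher), 16):
        b = _md5(secret, req_auth, salt) if i == 0 else _md5(secret, prev)
        prev = cipher[i:i + 16]
        plain += bytes(x ^ y for x, y in zip(prev, b))
    return plain[1:1 + plain[0]]


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret); Length counts the 20-byte header."""
    return _md5(struct.pack("!BBH", code, ident, 20 + len(attrs)), req_auth, attrs, secret)


def proxy_relay(home_secret, home_req_auth, nas_secret, nas_req_auth, ident,
                attrs, resp_auth, new_salt):
    """Proxy forwarding an Access-Accept (code 2) from the home server to the NAS; attrs is
    assumed (constructed) to hold one Tunnel-Password TLV. Returns (cleartext seen, attrs out, new RA)."""
    if response_authenticator(2, ident, home_req_auth, attrs, home_secret) != resp_auth:
        raise ValueError("Response Authenticator mismatch on the upstream hop")
    tag, hidden = attrs[2], attrs[3:attrs[1]]
    clear = tunnel_password_decrypt(home_secret, home_req_auth, hidden)  # exposure point
    rehidden = tunnel_password_encrypt(nas_secret, nas_req_auth, new_salt, clear)
    out = bytes([TUNNEL_PASSWORD, 3 + len(rehidden), tag]) + rehidden  # proxy could alter this freely
    return clear, out, response_authenticator(2, ident, nas_req_auth, out, nas_secret)
```

The NAS can only verify the Response Authenticator and unhide the key with its own shared secret, so it has no way to tell whether the proxy changed anything on the way; the logging check on this slide is what remains.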

Page 141: 802.11: Ethernet Marches On


Seamless Mobility
• Many applications can live with a changing IP address as we move
  Example: HTTP
• But others cannot
  TCP-based protocols with long sessions: Telnet, FTP
  VPNs: IKE, SSH
• Mobile IPv6 will eventually provide the solution
  MIPv4 difficult to deploy
• But what can we do right now?
  Dynamic VLANs
  Tunneling

Page 142: 802.11: Ethernet Marches On


802.11: Ethernet Marches On

Robert J. Berger

Internet Bandwidth Development, LLC

Thanks to: Cisco, Orinoco, Avaya, Sonic Mobility, Dr. Bernard Aboba of Microsoft for some of the graphics and content (links at end of presentation)