
Key Management over 4e Multipurpose Frames

This submission discusses the use of 4e Multipurpose Frames for key management in wireless personal area networks (WPANs). It provides recommendations for functionality, authentication, and duplicate transmission management.

Presentation Transcript


  1. Robert Moskowitz, Verizon
     Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)
     Submission Title: Key Management over 4e Multipurpose Frames
     Date Submitted: September 19, 2011
     Source: Robert Moskowitz, Verizon
     Address: 1000 Bent Creek Blvd, Mechanicsburg, PA, USA
     Voice: +1 (248) 968-9809, e-mail: rgm@labs.htt-consult.com
     Re: Key Management over 4e Multipurpose Frames
     Abstract: Using 4e Multipurpose Frames to provide for Key Management
     Purpose: To add Key Management capabilities to 15.4
     Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
     Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.

  2. Key Management over 15.4e Multipurpose Frames
     Robert Moskowitz, Verizon
     Okinawa, September 21, 2011

  3. Abstract
     • To provide for a Key Management Protocol (KMP) for 802.15.4
     • KMP agnostic
       • Support: HIP, IKEv2, 802.1X, ...
     • Provide recommended functionality for KMPs
     • Use Information Elements in the new Multipurpose and existing Command Frames added via 15.4e for the transport of the KMP frames

  4. Discussion
     • Functionality needed
       • Manage keying variables in 802.15.4 security
         • Security mode, key value, key rollover, ...
       • Manage long-lived PMK and key-lifetime PTK (including key refresh)
       • Distribute GTK for broadcast/multicast

  5. Discussion
     • Functionality needed
       • Provide authentication
       • Manage
         • Short addresses
         • Collisions
         • Duplicate transmissions

  6. Discussion
     • 4e Multipurpose Frame
       • Adds flexibility to 15.4
       • New functions without major standards revisions
     • Pre-4e usage
       • Recommendation on equivalent method
       • Should be 'easy' for 6lowpan

  7. Discussion
     • 4e Information Elements
       • Available in Multipurpose and Command frames
       • Basic TLV: Type/Length/Value

  8. Discussion
     • KMP Information Element
       • Type value assigned from 802.15.4 reserved range
       • 2-byte KMP info field
         • KMP type: 5 bits (HIP, IKEv2, 802.1X, SAE, 4-Way-Handshake, vendor)
         • Chaining flag: 1 bit (yes, last)
           • Chaining REQUIRES frame ack
         • Chain count: 8 bits (multiple frames per KMP packet)

  9. Discussion
     • Duplicate transmission management
       • Keep last frame received to determine if a new frame is a duplicate
       • Duplicates are the result of lost ACKs. Other reasons?
     • KMP Information Element
       • KMP payload
       • Guidelines provided for 15.4-specific use
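Slides 8 and 9 describe the KMP Information Element (a TLV carrying a 2-byte info field with KMP type, chaining flag and chain count, followed by the KMP payload) and the duplicate-suppression rule for chained frames. The following is an added example, not code from the slides or from any IEEE 802.15.4 draft. It assumes a 1-byte type and 1-byte length TLV header, a placeholder IE type value, an assumed bit layout of the info field, an assumed numbering of the 5-bit KMP type codes, and duplicate detection keyed on the MAC frame sequence number that a retransmission reuses when its ACK was lost.

```python
"""KMP IE encode/decode plus chained-frame reassembly with duplicate suppression.

Added example; field layout, TLV header size, type numbering and the
placeholder IE type value are assumptions, not the 802.15.4 encoding.
"""
from dataclasses import dataclass

KMP_IE_TYPE = 0x7F  # placeholder; a real value would be assigned from the 15.4 reserved range

# 5-bit KMP type codes; this numbering is assumed for the example.
KMP_TYPES = {0: "HIP", 1: "IKEv2", 2: "802.1X", 3: "SAE", 4: "4-Way-Handshake", 31: "vendor"}


@dataclass(frozen=True)
class KmpIe:
    kmp_type: int     # 5 bits
    last: bool        # chaining flag: True means last frame of the KMP packet
    chain_count: int  # 8 bits: position of this frame within the KMP packet
    payload: bytes    # slice of the KMP packet carried by this frame


def encode_ie(ie: KmpIe) -> bytes:
    """Serialise as Type | Length | Value, where Value = 2-byte info field + payload."""
    if not 0 <= ie.kmp_type < 32 or not 0 <= ie.chain_count < 256:
        raise ValueError("field out of range")
    # Assumed info-field layout (big-endian): bits 15..11 KMP type,
    # bit 10 chaining flag, bits 9..8 reserved (zero), bits 7..0 chain count.
    info = (ie.kmp_type << 11) | (int(ie.last) << 10) | ie.chain_count
    value = info.to_bytes(2, "big") + ie.payload
    if len(value) > 255:
        raise ValueError("IE value too long for a 1-byte length")
    return bytes([KMP_IE_TYPE, len(value)]) + value


def decode_ie(buf: bytes) -> KmpIe:
    """Parse one KMP IE; reject truncated or malformed input instead of guessing."""
    if len(buf) < 4 or buf[0] != KMP_IE_TYPE:
        raise ValueError("not a KMP IE")
    length = buf[1]
    if length < 2 or len(buf) != 2 + length:
        raise ValueError("IE length does not match buffer")
    info = int.from_bytes(buf[2:4], "big")
    if info & 0x0300:
        raise ValueError("reserved bits set")
    kmp_type = info >> 11
    if kmp_type not in KMP_TYPES:
        raise ValueError(f"unknown KMP type {kmp_type}")
    return KmpIe(kmp_type, bool(info & 0x0400), info & 0xFF, buf[4:])


def is_valid_ie(buf: bytes) -> bool:
    """True when decode_ie accepts the buffer."""
    try:
        decode_ie(buf)
        return True
    except ValueError:
        return False


def fragment(kmp_type: int, packet: bytes, max_payload: int) -> list:
    """Split a KMP packet into a chain of IEs: chain count 0..n-1, last flag on the final one."""
    chunks = [packet[i:i + max_payload] for i in range(0, len(packet), max_payload)] or [b""]
    if len(chunks) > 256:
        raise ValueError("packet needs more than 256 chained frames")
    return [KmpIe(kmp_type, i == len(chunks) - 1, i, c) for i, c in enumerate(chunks)]


class ChainReassembler:
    """Per-peer reassembly. Remembers the sequence number of the last accepted
    frame (slide 9) so a retransmission after a lost ACK is dropped, not appended."""

    def __init__(self):
        self.last_seq = None   # MAC sequence number of the last accepted frame
        self.kmp_type = None   # KMP type of the chain in progress
        self.fragments = []
        self.duplicates = 0

    def accept(self, seq: int, ie: KmpIe):
        """Return the complete KMP packet when its last chained frame arrives, else None."""
        if seq == self.last_seq:
            self.duplicates += 1   # retransmit: the MAC re-ACKs, we do not append
            return None
        if ie.chain_count != len(self.fragments) or (self.fragments and ie.kmp_type != self.kmp_type):
            self.fragments = []    # gap or mixed chain: discard partial state
            raise ValueError(f"chain count {ie.chain_count} out of order")
        if not self.fragments:
            self.kmp_type = ie.kmp_type
        self.last_seq = seq
        self.fragments.append(ie.payload)
        if not ie.last:
            return None
        packet = b"".join(self.fragments)
        self.fragments = []
        return packet


def run_demo():
    """Constructed scenario: a 3-frame chain whose middle frame is retransmitted
    (its ACK was lost), followed by a single-frame packet from the same peer."""
    r = ChainReassembler()
    first = b"constructed KMP pkt"  # 19 constructed bytes -> 3 frames of up to 8 bytes
    frames = [(10 + i, ie) for i, ie in enumerate(fragment(0, first, 8))]
    frames.insert(2, frames[1])     # frame with seq 11 arrives twice
    results = [r.accept(seq, decode_ie(encode_ie(ie))) for seq, ie in frames]
    second = r.accept(14, decode_ie(encode_ie(fragment(3, b"SAE", 8)[0])))
    return results, second, r.duplicates
```

The reassembler deliberately keys duplicate detection on the frame sequence number rather than on the chain count alone: a one-frame KMP packet and its retransmission both carry chain count 0 with the last flag set, so the chain count by itself cannot tell them apart.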

  10. Discussion
      • Short address for KMP frames
        • Need general collision handling
        • Or NO short address support?
        • What if multiple KMPs in a PAN?
      • When HIP is the KMP
        • I1 always uses long addresses
        • HITs used to derive short addresses
          • Low-order 16 bits?
        • Include short addresses in R1 over long addresses, THEN I2 over short addresses to handle collisions?

  11. Discussion
      • If no short address for initial KMP frames
        • KMP update frames MAY use short addresses established by other higher layers
          • E.g. 6lowpan

  12. Discussion
      • BEACONLESS PANs are commonly deployed and thus the first step in participation would be to run the KMP over Multipurpose frames.
      • BEACON PANs use ASSOCIATE Command Frames to start participation.
        • These frames can contain IEs so they would be used for KMP transport.

  13. Discussion
      • What options for TX-only devices?
        • BLINK frames
      • Open for presentations

  14. HIP KMP Discussion
      • HIT discovery and defense from Diffie-Hellman MITM attacks
        • Assume the Initiator has no knowledge of the Responder's HIT for I1, so use I1 opportunistic mode (no Responder HIT)
        • Responder authenticates the Initiator HIT
          • Pre-configured ACL
          • Restricted time window

  15. Moving Forward
      • Create 802.15.4 Recommended Practice document for KMP support as outlined
        • Include HIP DEX, IKEv2, 802.1X, SAE, and 4-Way-Handshake guidelines
        • Allow for other KMPs defined elsewhere

  16. Moving Forward
      • Address issues raised for 15.4f support
        • KMP REQUIRES bi-directional data flows
        • Research Blink frames

  17. Moving Forward
      • Use by other 802.15 MACs (e.g. .3, .6, .7)
        • They will need Information Element support and Multipurpose frame
        • Common Type value for IE?
      • Short address collision detection
        • Need general solution or KMP will be forced to long addresses only

  18. Moving Forward
      • Work with IETF on 'mesh under' to support KMP within a 15.4 mesh?
        • E.g. to protect IPv6 Neighbor Discovery