
Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)

Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the 802.15.4 Network Access -- 802.1x over 802.15.4] Date Submitted: [11 May 2011] Source: [Jonathan Hui and Wei Hong] Company [Cisco Systems, Inc.]





Presentation Transcript


  1. Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)
     Submission Title: [Securing the 802.15.4 Network Access -- 802.1x over 802.15.4]
     Date Submitted: [11 May 2011]
     Source: [Jonathan Hui and Wei Hong] Company: [Cisco Systems, Inc.] Address: [170 West Tasman Drive, San Jose, CA 95134 USA] Voice: [408-424-1537], E-Mail: [wei.hong@cisco.com]
     Re: [WNG]
     Abstract: [Problem statement and call to action for supporting 802.1x over 802.15.4]
     Purpose: [Presentation to WNG]
     Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
     Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.
     <Wei Hong, Jonathan Hui>, <Cisco>

  2. Securing the 802.15.4 Network Access -- 802.1x over 802.15.4
     Jonathan Hui, Wei Hong
     Cisco Systems, Inc.

  3. IEEE 802.15.4 Security: what is specified today?
     Frame Security
     • Data confidentiality, data authenticity, replay protection
     Network Access Control
     • Deferred to an upper layer, based on MAC address
     Security Suites
     • CCM* mode encryption and authentication transformation
     • AES block cipher

  4. IEEE 802.15.4 Security: what is not specified today?
     Secure Network Access Control
     Architecture
     • Supplicant, Authenticator, and Authentication Server
     Protocols
     • Security capabilities discovery
     • Authentication
     • Secure association / key management
     Existing deployments either use no secure network access control at all or rely on a proprietary scheme

  5. IEEE Knows Network Access Control: leverage IEEE 802.1x and IEEE 802.11i
     Well-defined architecture
     • Supplicant, Authenticator, and Authentication Server
     Security capabilities discovery
     • RSN Information Element
     Authentication
     • Carry the Extensible Authentication Protocol (EAP) in EAP over LAN (EAPoL) frames
     Secure association / key management
     • EAP-derived PMK → PTK
     • Use the PTK to communicate the GTK

  6. Typical 802.1x Architecture
     Supplicant: a device that wishes to gain access to the network
     Access Point (Authenticator): the device that performs the authentication negotiation and also acts as the Enforcement Point
     Authentication Server: handles access requests from Authenticators
     [Figure: Supplicant <-- EAPoL --> Authenticator / Enforcement Point <-- e.g. RADIUS --> Authentication Server]

  7. What Needs to be Done
     • Map EAPoL onto IEEE 802.15.4 frames
     • Define operation for the case where the Supplicant and the Authenticator are not within direct communication range of each other

  8. Extended for Multihop Networks
     Supplicant: a device that wishes to gain access to the network
     Enforcement Point: a device that has already been admitted into the network by the Authenticator, and through which the Supplicant reaches it
     Authenticator: the device that performs the authentication negotiations
     Authentication Server: handles access requests from Authenticators
     [Figure: Supplicant <-- EAPoL over 15.4 --> Enforcement Point <-- EAPoL tunnel over IP --> Authenticator <-- e.g. RADIUS --> Authentication Server]
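The Enforcement Point of slide 8, together with the EAPoL-to-802.15.4 mapping of slide 7, as an added example that is not part of the submission: a Python sketch in which an already-admitted node relays EAPoL for an unauthenticated neighbour through its uncontrolled port, reassembling EAPoL PDUs that had to be split to fit 802.15.4's 127-byte frames, tunnels them to the Authenticator, and opens the controlled port for that neighbour only after EAP-Success comes back. The 3-byte fragment header, the tunnel header and the 100-byte per-frame payload budget are assumptions of this example, not anything the slides or a standard define; the EAPoL and EAP header layouts are the real ones from IEEE 802.1X and RFC 3748, and all addresses and payloads are constructed.

```python
"""Enforcement Point (EP) sketch for the multihop architecture of slides 7 and 8. Added
example, not from the slides or any standard: the 3-byte fragment header, the tunnel header
and the per-frame payload budget are assumptions; EAPoL/EAP headers follow 802.1X and RFC 3748."""
import struct

EAPOL_HDR = struct.Struct("!BBH")   # protocol version, packet type, body length
EAP_HDR = struct.Struct("!BBH")     # code, identifier, length
EAPOL_TYPE_EAP = 0
EAP_SUCCESS, EAP_FAILURE = 3, 4
FRAG_HDR = struct.Struct("!BBB")    # assumption: message id, fragment index, fragment count
MTU = 100                           # assumption: payload bytes left in a 127-byte 802.15.4 frame
TUNNEL_HDR = struct.Struct("!8sH")  # assumption: supplicant EUI-64, EAPoL length


def fragment(pdu, msg_id, mtu=MTU):
    """Split one EAPoL PDU into frame-sized pieces (an EAP-TLS certificate exceeds one frame)."""
    room = mtu - FRAG_HDR.size
    pieces = [pdu[i:i + room] for i in range(0, len(pdu), room)] or [b""]
    if len(pieces) > 255:
        raise ValueError("PDU needs more than 255 fragments")
    return [FRAG_HDR.pack(msg_id, i, len(pieces)) + p for i, p in enumerate(pieces)]


class Reassembler:
    """Per-(source, message id) reassembly: tolerates reordering and duplicates, drops
    inconsistent or oversized buffers so an unauthenticated neighbour cannot pin memory."""
    def __init__(self, max_pdu=1500):
        self.pending, self.max_pdu = {}, max_pdu

    def feed(self, src, frame):
        if len(frame) < FRAG_HDR.size:
            return None
        msg_id, idx, count = FRAG_HDR.unpack_from(frame)
        known, parts = self.pending.setdefault((src, msg_id), (count, {}))
        parts[idx] = frame[FRAG_HDR.size:]
        if (count == 0 or idx >= count or known != count
                or sum(map(len, parts.values())) > self.max_pdu):
            del self.pending[(src, msg_id)]
            return None
        if len(parts) < count:
            return None
        del self.pending[(src, msg_id)]
        return b"".join(parts[i] for i in range(count))


def eap_code(eapol):
    """EAP code inside an EAPoL-EAP frame, or None unless both length fields are consistent."""
    if len(eapol) < EAPOL_HDR.size + EAP_HDR.size:
        return None
    _, ptype, body_len = EAPOL_HDR.unpack_from(eapol)
    code, _, eap_len = EAP_HDR.unpack_from(eapol, EAPOL_HDR.size)
    ok = ptype == EAPOL_TYPE_EAP and body_len == len(eapol) - EAPOL_HDR.size and eap_len == body_len
    return code if ok else None


def eapol_eap(code, ident, data=b""):
    """Build an EAPoL (version 2) frame carrying one EAP packet."""
    body = EAP_HDR.pack(code, ident, EAP_HDR.size + len(data)) + data
    return EAPOL_HDR.pack(2, EAPOL_TYPE_EAP, len(body)) + body


def encapsulate(supplicant, eapol):
    return TUNNEL_HDR.pack(supplicant, len(eapol)) + eapol


class EnforcementPoint:
    """An admitted node: relays EAPoL for unauthenticated neighbours and gates everything else."""
    def __init__(self):
        self.authorized = set()      # supplicants whose controlled port is open
        self.reasm = Reassembler()
        self.to_authenticator = []   # tunnel packets (UDP/IP in a real deployment)
        self.forwarded = []          # data frames admitted into the network

    def on_radio_frame(self, src, is_eapol, frame):
        if is_eapol:                 # uncontrolled port: only well-formed EAPoL passes
            pdu = self.reasm.feed(src, frame)
            if pdu is None:
                return "buffered"    # waiting for fragments, or a bad fragment was discarded
            if eap_code(pdu) is None:
                return "dropped-malformed"
            self.to_authenticator.append(encapsulate(src, pdu))
            return "relayed"
        if src in self.authorized:   # controlled port
            self.forwarded.append((src, frame))
            return "forwarded"
        return "dropped-unauthorized"

    def on_tunnel_packet(self, pkt):
        """Authenticator -> supplicant. Assumption: the tunnel is itself authenticated, so the EP
        may act on EAP-Success/Failure; the supplicant still needs the key handshake to trust it."""
        src, n = TUNNEL_HDR.unpack_from(pkt)
        eapol = pkt[TUNNEL_HDR.size:TUNNEL_HDR.size + n]
        code = eap_code(eapol)
        if code == EAP_SUCCESS:
            self.authorized.add(src)
        elif code == EAP_FAILURE:
            self.authorized.discard(src)
        return fragment(eapol, msg_id=n & 0xFF)   # frames to send back over 802.15.4


def demo():
    """Constructed run: data before auth is dropped; a 908-byte EAP-Response arrives out of
    order in 10 frames and is relayed; EAP-Success from the tunnel opens the port."""
    ep, supplicant = EnforcementPoint(), bytes.fromhex("00124b0001020304")
    results = [ep.on_radio_frame(supplicant, False, b"sensor data")]
    response = eapol_eap(2, 7, b"\x16" * 900)            # EAP-Response, identifier 7
    for f in reversed(fragment(response, msg_id=1)):
        results.append(ep.on_radio_frame(supplicant, True, f))
    ep.on_tunnel_packet(encapsulate(supplicant, eapol_eap(EAP_SUCCESS, 7)))
    results.append(ep.on_radio_frame(supplicant, False, b"sensor data"))
    return results, ep
```

Two things a practitioner would want beyond this sketch: the tunnel between Enforcement Point and Authenticator carries unauthenticated traffic from the radio side, so it has to be authenticated and encrypted itself (otherwise anyone on the IP path can inject an EAP-Success); and the EAP-Success frame carries no integrity protection the Supplicant can check, which is exactly why the key handshake on slide 9 follows before any data is trusted.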

  9. Why Not PANA (Protocol for carrying Authentication for Network Access, RFC 5191)?
     Architectural issues
     • Enables (restricted) network-layer communication before link-layer access has been granted
     Still need key management (e.g. as in 802.11i)
     • 4-way handshake for PMK → PTK derivation
     • 2-way handshake for GTK distribution
     No widespread deployments
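The key management that slides 5 and 9 propose to carry over from 802.11i, as an added example, not code from the submission: a Python model of both sides of the 4-way handshake that turns the EAP-derived PMK into a PTK (KCK, KEK and TK), followed by the 2-way group key handshake that delivers a new GTK under the KEK. The PRF, the PTK layout and the HMAC-SHA1-128 MIC are the IEEE 802.11-2007 constructions; the GTK wrapping is a labelled stand-in for AES Key Wrap (the Python standard library has no AES), the EAPOL-Key framing is reduced to replay counter, nonce and key data, and the addresses and keys are constructed.

```python
"""Pairwise and group key handshakes in the 802.11i pattern that slides 5 and 9 propose to
reuse over 802.15.4: the EAP-derived PMK feeds a 4-way handshake that yields the PTK
(KCK || KEK || TK), then the KEK protects GTK delivery in a 2-way group key handshake.
Added example, not from the slides. PRF, PTK layout and MIC follow IEEE 802.11-2007; GTK
wrapping is a labelled stand-in for AES Key Wrap; framing is simplified; keys are constructed."""
import hashlib, hmac, os, struct


def prf(key, label, data, nbits):
    """802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i), truncated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbits + 159) // 160))
    return out[:nbits // 8]


def derive_ptk(pmk, addr1, addr2, nonce1, nonce2):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max addresses || min/max nonces)."""
    data = min(addr1, addr2) + max(addr1, addr2) + min(nonce1, nonce2) + max(nonce1, nonce2)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return ptk[:16], ptk[16:32], ptk[32:48]          # KCK, KEK, TK


def key_mic(kck, body):
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]   # HMAC-SHA1-128


def wrap(kek, replay_counter, data):
    """STAND-IN for AES Key Wrap: XOR with an HMAC-SHA256 keystream bound to the replay
    counter, so no keystream repeats under one PTK; integrity comes from the frame MIC."""
    stream = b"".join(hmac.new(kek, struct.pack("!QI", replay_counter, i), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))   # the same call unwraps


class KeyMsg:
    """EAPOL-Key-like message; the MIC is computed over the body with the MIC field zeroed."""
    def __init__(self, rc, nonce=bytes(32), key_data=b""):
        self.rc, self.nonce, self.key_data, self.mic = rc, nonce, key_data, bytes(16)
    def body(self):
        return struct.pack("!Q32sH", self.rc, self.nonce, len(self.key_data)) + self.key_data
    def sign(self, kck):
        self.mic = key_mic(kck, self.body())
        return self
    def verify(self, kck):
        return hmac.compare_digest(self.mic, key_mic(kck, self.body()))


class Authenticator:
    def __init__(self, pmk, aa, spa, gtk):
        self.pmk, self.aa, self.spa, self.gtk = pmk, aa, spa, gtk
        self.anonce, self.rc, self.ptk, self.authorized = os.urandom(32), 0, None, False
    def msg1(self):
        self.rc += 1
        return KeyMsg(self.rc, self.anonce)                 # ANonce, unprotected
    def msg3(self, m2):
        kck, kek, tk = derive_ptk(self.pmk, self.aa, self.spa, self.anonce, m2.nonce)
        if m2.rc != self.rc or not m2.verify(kck):          # peer lacks the PMK: stop here
            return None
        self.ptk, self.rc = (kck, kek, tk), self.rc + 1
        return KeyMsg(self.rc, self.anonce, wrap(kek, self.rc, self.gtk)).sign(kck)
    def finish(self, m4):
        self.authorized = m4 is not None and m4.rc == self.rc and m4.verify(self.ptk[0])
        return self.authorized
    def group_msg1(self, new_gtk):
        self.gtk, self.rc = new_gtk, self.rc + 1
        return KeyMsg(self.rc, key_data=wrap(self.ptk[1], self.rc, new_gtk)).sign(self.ptk[0])
    def group_finish(self, m2):
        return m2 is not None and m2.rc == self.rc and m2.verify(self.ptk[0])


class Supplicant:
    def __init__(self, pmk, spa, aa):
        self.pmk, self.spa, self.aa = pmk, spa, aa
        self.snonce, self.last_rc, self.anonce, self.ptk, self.gtk = os.urandom(32), 0, None, None, None
    def msg2(self, m1):
        if m1.rc <= self.last_rc:
            return None
        self.last_rc, self.anonce = m1.rc, m1.nonce
        self.ptk = derive_ptk(self.pmk, self.aa, self.spa, m1.nonce, self.snonce)
        return KeyMsg(m1.rc, self.snonce).sign(self.ptk[0])
    def accept_key(self, msg):
        """Message 3 and the group key message: fresh replay counter, valid MIC, then unwrap GTK."""
        kck, kek, _ = self.ptk
        if msg.rc <= self.last_rc or not msg.verify(kck):
            return None
        self.last_rc, self.gtk = msg.rc, wrap(kek, msg.rc, msg.key_data)
        return KeyMsg(msg.rc).sign(kck)
    def msg4(self, m3):
        return self.accept_key(m3) if m3.nonce == self.anonce else None


def run_handshakes(pmk_auth, pmk_supp, gtk=b"G" * 16, new_gtk=b"N" * 16):
    """Constructed EUI-64 addresses; runs the 4-way then the group handshake and reports."""
    aa, spa = bytes.fromhex("02124b0000000001"), bytes.fromhex("02124b0000000002")
    a, s = Authenticator(pmk_auth, aa, spa, gtk), Supplicant(pmk_supp, spa, aa)
    m3 = a.msg3(s.msg2(a.msg1()))
    pairwise = m3 is not None and a.finish(s.msg4(m3))
    group = pairwise and a.group_finish(s.accept_key(a.group_msg1(new_gtk)))
    return {"pairwise": pairwise, "tk_match": pairwise and a.ptk[2] == s.ptk[2],
            "group": group, "gtk_match": group and s.gtk == new_gtk,
            "replayed_msg3_rejected": pairwise and s.msg4(m3) is None}
```

The replay-counter check in `accept_key` is the part worth keeping in mind when porting this to 802.15.4: a retransmitted message 3 must not reinstall the PTK or the GTK, and the Supplicant must refuse any key message whose counter is not strictly newer than the last one it accepted. A real implementation replaces `wrap` with AES Key Wrap (RFC 3394) under the KEK and carries the full EAPOL-Key descriptor (key info, key length, RSC), none of which the slides go into.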

  10. Summary
     Problem
     • Need secure Network Access Control for IEEE 802.15.4
     Approach
     • Apply proven IEEE 802.1x and 802.11i techniques for:
       • Security capabilities discovery
       • Authentication using EAP
       • Secure association / key management

  11. Call to Action
     Specify EAPoL for 802.15.4
     • Within IEEE 802.15?
     • Leverage the PHY adaptation layer in 15.4k for fragmentation?
     Specify link operation of the Enforcement Point and Authenticator
     • Within IEEE 802.1?
     Specify the EAPoL tunnel over IP
     • Within the IETF?

  12. End
