CAPWAP Overview
Saag Presentation, 65th IETF, 23 March 2006
T. Charles Clancy, clancy@cs.umd.edu
Scott G. Kelly, scott@hyperthought.com
Agenda
• Introduction
• Some background and current scope
• Security-related protocols, relationships, considerations, requirements
• Current state of things
• Conclusion
Introduction
• Defining a protocol to control and provision wireless access points
• Things carried over protocol include
  • Access Point configuration/control
  • Network access control decisions
  • Cryptographic session keys
• Security is obviously a significant concern
• Compromised communications may result in infrastructure take-over
• Working group wants to invite security area participation
• Requesting appointment of a security advisor
• Formal liaison with security area
• Avoid delays in document advancement due to security concerns
• Provide security community connection for security reviews, advice
Background: Early Architecture
WLAN elements
• AS: Authentication Server, typically RADIUS
• AP: wireless access point
• STA: wireless station (typically a laptop)
[Diagram labels: Mgmt, AS/AAA, AP, STA]
Current Architecture (Security Protocol Hierarchy and Interactions)
[Diagram labels: Mgmt, AAA; SNMP, HTTP, TLS, SSH, RADIUS, IPsec; AC; CAPWAP; WTP; 802.1X, 802.11i, WPA; STA]
Each layer in hierarchy depends on layers above for security
Complex Trust Relationships
Color coding: short-term keys, long-term keys
[Diagram labels: Mgmt, AAA, RADIUS PSK, Admin Credential, MK, Long-Term EAP Credential, AC, MSK/PMK, PSK/Cert, WTP, PTK, STA]
Why is security important in CAPWAP?
• Many interdependent security protocols between station and network
• CAPWAP must not degrade existing security (can’t become weak link)
• Multiple deployment models
  • Direct L2 connection
  • Physical security solves most problems
  • Routed connection, one administrative domain
  • Mobile network elements introduce infrastructure risks
  • Routed connection, potentially hostile hops
  • Remote WTP scenarios
  • Employees take WTPs home
  • Branch office WTP, Central office AC
  • Hotspots
  • some hops may be over wireless
  • Mesh (e.g. metro wifi)
Additional CAPWAP Security Considerations
• “Splitting the MAC” introduces security complexity
  • If 802.11 crypto is terminated at the WTP, security context must arrive there securely (via AC), and WTP must implement 802.11 data security functions
  • Otherwise, AC implements 802.11 data security functions
• Since user/station authentication is mediated by the AC, it must securely interact with AS
  • WTP forwards 802.1x frames to AC
• AC-WTP communications must not be a weak link; they require
  • Strong mutual authentication
  • Data integrity verification
  • Confidentiality (depends on deployment nuances, threats)
CAPWAP Protocol Security Requirements
IN SCOPE
• AC ↔ WTP
  • Authentication is unique, strong, mutual, and explicit
  • Communications protected by strong ciphersuite
NOT CURRENTLY IN SCOPE (but requirements nonetheless)
• AC ↔ AAA
• STA ↔ AAA
• STA ↔ WTP
• Management ↔ AC
Current State of CAPWAP
• 4 competing protocol proposals were evaluated
• WG created independent eval team
• Protocols: LWAPP, SLAPP, WiCoP, CTP
• WG chose LWAPP as basis for new CAPWAP protocol
• LWAPP provides its own proprietary security mechanisms
• Eval team (and others) recommended replacing this with DTLS
LWAPP Security Protocol, cont.
• T. Charles Clancy (UMD) conducted security review, proposed improvements
• Protocol subsequently modified to meet wg objectives draft requirements and Clancy suggestions
• LWAPP/DTLS draft submitted by Kelly & Rescorla
• DTLS added to capwap-00 draft as proposed security mechanism
• Numerous operational details yet to be specified, but no show-stoppers uncovered or anticipated
• WG still discussing, hopefully to reach closure soon
Compare/Contrast DTLS vs LWAPP
DTLS
• Standards-based protocol
• TLS is well reviewed (DTLS is equivalent from security perspective)
• Widely deployed on the Internet (TLS)
• Negotiation capability provides for algorithm agility
• Several freely available implementations
• Built-in DoS protection
• Employs security best practices
  • Unidirectional crypto keys
  • Each side contributes to IVs
  • Security parameter verification via message hash
• Continued benefit from broad deployment and scrutiny
LWAPP
• Home-grown protocol
• Latest incarnation has only one public review
• Little deployment experience
• No algorithm negotiation – crypto change requires protocol forklift
• No known open source implementations
• No DoS protection
• A few questionable security practices
  • Same key used for transmit/receive
  • One side controls IV generation
  • No verification of negotiable parameters (psk vs cert)
• One-off (capwap-only) deployment severely limits exposure to scrutiny
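The three DTLS practices named in the comparison (unidirectional keys, IVs that both sides contribute to, parameter verification via a message hash), as an added Python sketch that is not part of the original slides and is neither DTLS nor LWAPP code. The HMAC-SHA256 expansion stands in for the TLS PRF, and the message formats, labels, and function names are assumptions made for illustration.

```python
import hashlib
import hmac

def expand(secret: bytes, label: bytes, seed: bytes, n: int) -> bytes:
    """HMAC-SHA256 counter-mode expansion (stand-in for the TLS PRF)."""
    out, counter = b"", 1
    while len(out) < n:
        out += hmac.new(secret, label + seed + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def derive_keys(master: bytes, wtp_random: bytes, ac_random: bytes) -> dict:
    """Split one key block into per-direction keys and IVs.
    Both randoms feed the derivation, so neither side alone fixes the IVs."""
    block = expand(master, b"key expansion", ac_random + wtp_random, 2 * 16 + 2 * 4)
    return {
        "wtp_write_key": block[0:16],
        "ac_write_key": block[16:32],
        "wtp_write_iv": block[32:36],
        "ac_write_iv": block[36:40],
    }

def finished_mac(master: bytes, role: bytes, transcript: list) -> bytes:
    """MAC over the hash of every handshake message as this side saw it."""
    h = hashlib.sha256()
    for msg in transcript:
        h.update(len(msg).to_bytes(2, "big") + msg)
    return hmac.new(master, role + h.digest(), hashlib.sha256).digest()

def handshake_ok(master: bytes, sent_by_wtp: list, seen_by_ac: list) -> bool:
    """AC accepts only if the WTP's MAC matches the AC's own view of the messages."""
    wtp_mac = finished_mac(master, b"wtp finished", sent_by_wtp)
    ac_view = finished_mac(master, b"wtp finished", seen_by_ac)
    return hmac.compare_digest(wtp_mac, ac_view)

# Constructed sample handshake: the WTP offers certificate and PSK authentication.
MASTER = bytes(range(32))  # constructed shared secret, for illustration only
WTP_RANDOM, AC_RANDOM = b"\x01" * 32, b"\x02" * 32
HELLO = b"wtp_hello auth=cert,psk" + WTP_RANDOM
REPLY = b"ac_hello auth=cert" + AC_RANDOM
# The same hello as the AC would see it if the offer were rewritten in transit.
TAMPERED_HELLO = b"wtp_hello auth=psk" + WTP_RANDOM
```

A rewritten offer changes the AC's transcript hash, so the MAC check fails and the negotiated parameters (psk vs cert) cannot be altered silently, which is the verification the LWAPP column lists as missing.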
SUMMARY
• Security is clearly an integral concern for CAPWAP
• IEEE efforts primarily focused on STA+WTP+AS
• AC↔WTP interactions introduce various subtleties
• It’s easy to get security wrong, even when clueful people are involved – more eyes on the problem mitigates the risk
• CAPWAP would clearly benefit from additional security community participation
• Group needs formal security advisor
• Formal liaison with security area
• Avoid delays in document advancement due to security concerns
• Provide security community connection for security reviews, advice
• Questions?
Background
• Early WLAN deployments rely on “fat” access points
• Standalone, individually managed network elements
• Limited range implies mgmt scaling issues
• User roaming implies other infrastructure issues
• Current generation moving to centralized control model, “thin” access points
• This presents a number of challenges that merit IETF attention
Background, cont.: Next Generation WLAN Architecture
New terms
• AC: Access Controller
• WTP: Wireless Termination Point
[Diagram labels: AAA, Mgmt, AC, CAPWAP Domain, WTP, STA]
Current CAPWAP Scope
• There are many security-related interactions among wlan elements
  • Management Plane
  • AAA/AS
  • AC
  • WTP
  • Arguably, should be managed entirely by AC
  • AC-WTP communications
  • WTP-STA communications
• Much of the related security is out of scope (provided by various IEEE protocols, RADIUS/EAP extensions)
• Current CAPWAP scope covers only AC-WTP communications
• Obviously don’t want to introduce weak link
Preaching to the choir
• CAPWAP group has familiar question
• Homegrown vs standards-based security?
• This is a debate we’ve had before in IETF
• Roll your own security protocol?
• Or use a standard, well-scrutinized one instead?
• Getting to closure on this ASAP is a priority for capwap wg
LWAPP Security Overview
• Initial protocol was certificate-based
  • WTP generates random session ID, forwards this with cert to AC
  • AC validates cert, generates crypto keys, encrypts with WTP public key, signs encrypted keys + session ID, returns these to WTP (RSA key wrap)
  • WTP unwraps keys, uses AES-CCM for subsequent control channel communications
• This protocol had a number of shortcomings
CAPWAP Attack Containment
[Diagram labels: AAA, AC, WTP, STA; WTP Compromise; Affected Nodes; Unaffected Nodes]