ORiNOCO AS-2000 Networks Technology
Module contents
• System Overview
• Client architecture
• AS-2000 architecture
• Boot loader issues
• Authentication
• Security
• Roaming
ORiNOCO AS-2000 System overview
[Diagram: Laptop + AS Client + ORiNOCO PC Card; encrypted radio link @ 11 Mbps (shared) to the ORiNOCO AS-2000; 10/100base-T Ethernet to a router; backhaul (Ethernet, leased line, DSL, cable, wireless ...) to the Internet / Intranet IP networks; Network Operations Center with AS Manager server and RADIUS server.]
AS-2000 Network Protocol Architecture
[Diagram: end-to-end protocol stacks. AS Client: User App / TCP/UDP / IP / PPP / 802.11. AS-2000: 802.11 and PPP towards the client, 802.3 towards the wire. IP routers: 802.3 and HDLC. Far-end host: User App / TCP/UDP / IP / 802.3.]
The AS-2000 network supports the following protocols:
* TCP/IP on Ethernet and Radio
* DHCP
* TFTP
* PPP
* RADIUS
* Proxy ARP
* SNMP V1 MIB-II
* Scan and Change (for setting the AS-2000 IP address)
ORiNOCO AS-2000 System overview
[Diagram: user interactions (display, user input) with the AS Client; the AS Client exchanges DataRequest/DataResponse with the AS-2000 over wireless 802.11; the AS-2000 forwards NetworkData to the wireline network; PC applications exchange UserData with the AS Client; ISP management uses the AS Manager, which sends SNMPGet/SNMPSet to the AS-2000 and receives SNMPData and SNMP traps.]
• User interaction with the AS Client occurs via the GUI:
  • Netlist update
  • Login name and password
• Applications interact with the AS Client using the TCP/IP stack
• AS Client interacts with the AS-2000 using IEEE 802.11b traffic
• AS Manager communicates with the AS-2000 using SNMP protocols
• Network manager communicates with the AS Manager using JAVA GUIs
AS Client Architecture for Windows
[Diagram: user mode: ORiNOCO AS Client GUI, RAS, TCP/IP, TAPI; kernel mode: AS Client VXD (NDISTAPI, NDIS miniport interface), AS Client driver and ORiNOCO utility driver on the NDIS protocol interface, NDIS ORiNOCO client driver, ORiNOCO NIC.]
• The AS Client uses the regular ORiNOCO PC Card driver to access the PC Card
• Encryption executed by the PC Card is switched off; instead, encryption is implemented in software
• The AS Client protocol driver accesses the PC Card driver using the NDIS interface
• On top of the AS Client protocol driver resides the AS Client VXD, which interfaces with the TCP/IP stack via PPP protocols
AS2000 Image file
[Diagram: AS-2000 software stack on the VxWorks OS: serial, 802.3, 802.11 and other device drivers; SHIM driver and encryption; Ethernet II SNAP & RFC 1042; ARP, IP, ICMP; UDP carrying TFTP, IAPP, the SNMP V1 agent and the RADIUS client; TCP carrying the Telnet daemon; PPP server; up/download.]
• The AS2000 software image includes:
  • The VxWorks operating system, which controls the operation and manages the resources
  • The device drivers, such as the ORiNOCO PC Card driver and the Ethernet driver
  • The IP stack, to allow the devices to be managed from other network locations
  • The UDP protocol, to support among others IAPP and SNMP
  • The TCP protocol, to support Telnet
  • The RADIUS client, to allow RADIUS MAC-based authentication
  • The IAPP protocol, to support roaming
  • The SNMP agent, for configuration & management
  • The PPP server, which maintains the PPP protocol with the AS Client
  • The SHIM driver, which handles among other things the encryption between AS Client and AS-2000
AS-2000 Functional diagram
[Diagram: a TFTP server holding the AS2000 image file (kernel, AP firmware, configuration data, BSP/boot loader) transfers it over TFTP to the AS-2000. The AS-2000 Flash ROM holds the original BSP/boot loader, the upgrade BSP/boot loader, the kernel, the AP firmware and the configuration data; RAM holds the kernel, AP firmware, configuration data, buffers and filter & bridge tables; two ORiNOCO PC Cards each receive the AP firmware; ports 1, 2 and 3, an RS232 port and an Ethernet interface.]
• The AS-2000 operates its software from an embedded image (kept in Flash ROM, but executed from RAM):
  • Uploading of the image is executed with the help of a TFTP server.
  • Users can initiate transfer of:
    • Image (kernel and AP firmware)
    • BSP/Bootloader upgrades
    • Configuration data (MIB-II)
• The system leaves the factory with only the “Original BSP/Bootloader” on board. It cannot be overwritten by users.
• A new bootloader version can be inserted in a different area, the “Upgrade BSP/Bootloader”.
• When both bootloaders are present, the Upgrade bootloader is active (not the original bootloader).
• On start of operation, the AP Firmware is placed in the PC Cards.
TFTP Server: its role
[Diagram: the AS-2000 sends a TFTP (BOOTP) request to the TFTP server, which answers with a sequence of image file packets.]
• The AS2000 image is stored on a TFTP server
• AS2000s retrieve the image from the server using the TFTP protocol
• The AS2000 needs to know:
  • The IP address of the TFTP server
  • The name of the image file to be downloaded
• The TFTP server needs to know:
  • The location of the image (i.e. the directory)
• Servers used during the course:
  • “pumpkin” from Klever
  • TFTP server from SolarWinds
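The image download described above is a plain RFC 1350 TFTP read: the AS-2000 sends a read request naming the image file, and the server answers with 512-byte DATA blocks that the client ACKs one by one, the transfer ending on the first block shorter than 512 bytes. The following Python is an added example written for this page, not code from the slides or from the ORiNOCO/AS-2000 product; it encodes and parses the request, drives a block-by-block transfer of a constructed sample image, and includes the file-name check a server with no authentication (which is what TFTP is) has to apply before serving anything. The file name `as2000.img` and the sample image bytes are constructed.

```python
import struct

# TFTP opcodes from RFC 1350, the protocol the AS-2000 uses to fetch its image
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512          # fixed by RFC 1350; a shorter DATA block ends the transfer
VALID_MODES = ("netascii", "octet", "mail")


def build_rrq(filename, mode="octet"):
    """Encode a Read Request: opcode 1, filename, NUL, mode, NUL (what the AS-2000 sends)."""
    if "\x00" in filename:
        raise ValueError("filename must not contain NUL")
    return struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\x00" + mode.encode("ascii") + b"\x00"


def parse_request(packet):
    """Decode an RRQ/WRQ into (opcode, filename, mode); raise ValueError on malformed input."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("not a request packet")
    fields = packet[2:].split(b"\x00")
    # a well-formed body splits into [filename, mode, b""] because of the trailing NUL
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise ValueError("malformed request body")
    filename = fields[0].decode("ascii")
    mode = fields[1].decode("ascii").lower()
    if mode not in VALID_MODES:
        raise ValueError("unknown transfer mode")
    return opcode, filename, mode


def request_is_valid(packet):
    try:
        parse_request(packet)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def is_path_safe(filename):
    """Server-side check. TFTP has no authentication, so the server must only hand out
    plain file names inside its image directory (no separators, no dot-segments)."""
    return bool(filename) and not any(s in filename for s in ("/", "\\", "..")) and not filename.startswith(".")


def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def parse_data(packet):
    """Return (block, payload, is_last) for a DATA packet."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    opcode, block = struct.unpack("!HH", packet[:4])
    if opcode != OP_DATA:
        raise ValueError("not a DATA packet")
    payload = packet[4:]
    if len(payload) > BLOCK_SIZE:
        raise ValueError("oversized DATA block")
    return block, payload, len(payload) < BLOCK_SIZE


def split_image(image):
    """Server side: split an image into numbered DATA packets. When the image is an exact
    multiple of 512 bytes a final empty block is sent, so the client knows it has ended."""
    packets, block, offset = [], 1, 0
    while True:
        chunk = image[offset:offset + BLOCK_SIZE]
        packets.append(build_data(block, chunk))
        if len(chunk) < BLOCK_SIZE:
            return packets
        block += 1
        offset += BLOCK_SIZE


def receive_image(packets):
    """Client side (the AS-2000): accept DATA blocks strictly in order, ACK each one and
    return (image, acks). An out-of-order block is rejected rather than silently appended."""
    image, acks, expected = b"", [], 1
    for pkt in packets:
        block, payload, last = parse_data(pkt)
        if block != expected:
            raise ValueError("unexpected block %d, wanted %d" % (block, expected))
        image += payload
        acks.append(build_ack(block))
        expected += 1
        if last:
            break
    return image, acks


if __name__ == "__main__":
    # constructed sample image, not a real AS-2000 image file
    sample = bytes(range(256)) * 4 + b"tail"
    print(parse_request(build_rrq("as2000.img")))
    out, acks = receive_image(split_image(sample))
    print(len(split_image(sample)), "blocks, intact:", out == sample)
```

Because nothing in the protocol identifies the requester, `is_path_safe` and a dedicated, read-only image directory are the only controls the server side has; on the network side, keeping the TFTP server reachable only from the management segment that the AS-2000s boot on is the corresponding mitigation.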
Security
• Authentication
  • Authentication is the positive identification of a registered person or device; it usually takes place prior to accessing the service
  • Using RADIUS profiles (user name and password)
• Encryption
  • Software encryption (automatic key management)
  • Uses standard WLAN cards and the ORiNOCO Access Server infrastructure
  • Per-user, per-session encryption: Diffie-Hellman algorithm for automatic key negotiation (56-bit RC4 key, optionally longer) between client and AS-2000
Security: Authentication using RADIUS
• RADIUS (Remote Authentication Dial-In User Service) is an industry-standard client/server-based system (RFC 2138)
• RADIUS provides “AAA”: Authentication, Authorization & Accounting (RFC 2139)
• Authentication allows positive identification of the user against the access provider’s secure database
• Authorization allows different services and connection parameters to be used depending on user profile and policies (bandwidth, access priority, protocol filtering, ...)
• Accounting/billing capability is built in; it allows charging users for the service and is needed for the clearing-house mechanism (roaming scenario with GRIC or IPASS)
Security: Authentication using RADIUS
[Diagram: AS Client (RADIUS user), AS-2000 (RADIUS client), RADIUS server.]
• RADIUS supports:
  • Clients (i.e. the AS2000 systems)
  • Users (i.e. the AS Clients)
• RADIUS clients are recorded in the clients database:
  • Name
  • IP address
  • Shared secret
• RADIUS users are recorded in the user database:
  • Name
  • Password
  • Profile information (e.g. to issue IP addresses)
Security: Authentication using RADIUS
[Diagram: the AS Client logs in to the AS-2000; the AS-2000 sends an Authentication request to RADIUS and receives an Authentication response, then sends an Accounting request and receives an Accounting response; the AS Client is connected.]
• The AS2000 uses a RADIUS server to control the access of AS Clients to the network
• Interaction between the AS2000 and RADIUS conforms to the Internet standard:
  • RFC xxxx
• RADIUS systems interpret protocol messages using a so-called “Dictionary”:
  • Mapping of data elements to defined fields
  • Standard fields (attributes)
  • Vendor-specific elements (VSAs)
Security: Authentication using RADIUS
[Diagram: Login from the AS Client to the AS-2000; Authentication request/response and Accounting request/response between the AS-2000 and RADIUS; AS Client connected.]
• Two main processes are executed by the RADIUS server:
  • Authentication (validating the user as being a valid user in the database, by name and password)
  • Accounting (creating a record to log the user's time on the system)
• Authentication and Accounting can be performed by two different RADIUS servers
• Multiple RADIUS servers can exist for backup purposes
Security: Authentication using RADIUS, Attributes
• Some RADIUS servers need dictionary updates according to the AS2000 dictionary
• Most RADIUS servers work with the standard AS2000 dictionary
• The AS2000 has no non-standard VSAs (Vendor Specific Attributes)
• The RADIUS dictionary is available as a separate document
• Common RADIUS implementations used:
  • Steelbelted RADIUS
  • Navis RADIUS (Lucent)
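The Authentication request/response exchange of the preceding slides, with the clients database (NAS IP address and shared secret) and user database (name and password) they describe, worked through in Python as an added example for this page. This is not code from the slides, from ORiNOCO or from any RADIUS product; it follows the RFC 2138 wire format for Access-Request/Accept/Reject with the standard User-Name, User-Password and NAS-IP-Address attributes, hides the password with the RFC 2138 MD5 scheme, and checks the Response Authenticator on the client side so that a reply not produced with the shared secret is discarded. The secret, user, password and addresses are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2138)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows


def hide_password(password, secret, request_authenticator):
    """RFC 2138 User-Password hiding: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), the first block using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password, run by the server that holds the shared secret."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def response_authenticator(code, ident, body, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the reply
    was produced by a party holding the shared secret for this request."""
    header = HEADER.pack(code, ident, 20 + len(body))
    return hashlib.md5(header + request_authenticator + body + secret).digest()


def build_access_request(user, password, secret, nas_ip, ident):
    """AS-2000 (RADIUS client) side. The Request Authenticator must be fresh random bytes."""
    request_auth = os.urandom(16)
    body = encode_attrs([
        (ATTR_USER_NAME, user.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def server_handle(packet, clients, users):
    """RADIUS server side. clients maps NAS IP -> shared secret (clients database),
    users maps user name -> password (user database). Returns the reply packet, or
    None when the request must be silently discarded (unknown client)."""
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("bad request")
    request_auth = packet[4:20]
    attrs = decode_attrs(packet[20:])
    nas_ip = ".".join(str(o) for o in attrs.get(ATTR_NAS_IP_ADDRESS, b""))
    secret = clients.get(nas_ip)
    if secret is None:
        return None
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user], password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = b""   # no attributes in this minimal reply
    return HEADER.pack(reply_code, ident, 20) + response_authenticator(reply_code, ident, body, request_auth, secret) + body


def client_verify_response(request, response, secret):
    """AS-2000 side: accept a reply only if its identifier matches the request and the
    Response Authenticator checks out; return the code, or None for a bad or forged reply."""
    if len(response) < 20:
        return None
    code, ident, length = HEADER.unpack(response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = response_authenticator(code, ident, response[20:length], request[4:20], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code
```

The client-side check is the part worth keeping in mind when reading the slides: an Access-Accept is only as trustworthy as the Response Authenticator behind it, so the AS-2000 must verify it rather than act on the code byte alone, and the shared secret in the clients database is what makes that verification meaningful.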
Security: Encryption (Over The Air)
• DSSS offers some inherent security
• Per-user, per-session RC4-based encryption over the air
• Together, RC4 and Diffie-Hellman are excellent; their objective is to prevent “casual eavesdropping” and to simplify key management
Diffie-Hellman Encryption Key Exchange
[Sequence diagram between AS Client SHIM and AS-2000 SHIM, part 1: the client generates its DH parameters and key and sends Configure_Request (subtype 1: prime, generator, AS Client public key); the AS-2000 inserts the DH parameters and generates its key, then answers either Configure_NAK (error condition at the AS station, back to Init) or Configure_ACK (subtype 2: AS-2000 public key, key generation OK); both sides run DH_compute_key() and RC4_set_key for Recv and Txmt; the client computes Challenge = DH_generate_random() and Encrypted Challenge = RC4(Challenge).]
1. Each side selects (or has) a secret number, let's say 16 bytes long. This is referred to as the private key.
2. Side A starts by selecting a large prime number (let's say 1024 bits long).
3. Side A calculates its public key using the prime number and the secret key as follows:
   • Public key = 2 ^ private key MOD prime number; the number 2 is referred to as the generator.
4. Side A sends its 1024-bit public key, the 1024-bit prime number and the generator (2) to side B.
5. Side B performs a similar calculation with its secret key and the prime and generator to get its public key.
6. Side B sends its public key to side A.
Diffie-Hellman Encryption Key Exchange
[Sequence diagram, part 2: the client sends Configure_Request (subtype 3, encrypted challenge); the AS-2000 computes Challenge = RC4(encrypted challenge) and answers Configure_ACK (subtype 4, cleartext challenge); if the challenge is successful the client sends Configure_Request (subtype 5, challenge succeeded) and the DH key exchange is complete; if it is unsuccessful the client sends Configure_Request (subtype 6, challenge failed) and returns to Init.]
7. Now side A can calculate the 1024-bit shared key as follows:
   • Shared key = B's public key ^ A's secret key MOD prime number
8. Side B can calculate the same 1024-bit shared key as follows:
   • Shared key = A's public key ^ B's secret key MOD prime number
• The two shared key calculations produce the same 1024-bit value (magic of modulus arithmetic).
• This 1024-bit string is used as a basis to select keys of any length for RC4, DES or any other type of encryption.
Diffie-Hellman Encryption Key Exchange
• Specifics of the AS-2000 network implementation:
  • The prime is fixed at 768 bits and not sent over the air.
  • The Access Server selects a secret key for the duration of its uptime and pre-calculates its public key to save computation.
  • The AS Client generates a random secret key every time it wants to connect to the AS-2000. This results in a per-user, per-session key.
  • Calculation time for the modulus operation in the AS-1000 (486-66) is roughly 250 ms; less with the AS-2000 StrongARM.
  • The Send and Receive RC4 keys are different.
  • Unlike WEP, the entire RC4 key stays the same during the session (no IV).
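Steps 1 to 8 of the key exchange and the challenge round trip from the two sequence diagrams, carried through in Python as an added example for this page (not code from the slides or from the ORiNOCO SHIM drivers). It keeps the implementation specifics stated above: a fixed prime that is not transmitted, a server secret chosen once and its public key pre-computed, a fresh client secret per connection, and distinct Send and Receive RC4 keys whose keystream runs on for the whole session. Two things are assumptions, marked in the code: the prime used is the 768-bit MODP group of RFC 2409 standing in for the AS-2000's own undocumented fixed prime, and the rule for cutting the two 56-bit RC4 keys out of the shared value, which the slides do not specify.

```python
import hmac
import secrets

# ASSUMPTION: the 768-bit MODP prime from RFC 2409 (Oakley group 1) with generator 2,
# used as a stand-in for the AS-2000's fixed 768-bit prime, which the page does not give.
PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2
PRIME_BYTES = (PRIME.bit_length() + 7) // 8
RC4_KEY_LEN = 7      # 56-bit RC4 keys, as on the page ("optionally longer")


class RC4:
    """Textbook RC4 whose keystream position persists across calls: one session-long
    key gives one continuous keystream, with no per-packet IV (as the slides state)."""
    def __init__(self, key):
        s, j = list(range(256)), 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data):
        s, out = self.s, bytearray()
        for byte in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + s[self.i]) & 0xFF
            s[self.i], s[self.j] = s[self.j], s[self.i]
            out.append(byte ^ s[(s[self.i] + s[self.j]) & 0xFF])
        return bytes(out)


def generate_private_key():
    return int.from_bytes(secrets.token_bytes(16), "big")   # step 1: a 16-byte secret


def public_key(private):
    return pow(GENERATOR, private, PRIME)                   # steps 3 and 5


def shared_key(peer_public, private):
    return pow(peer_public, private, PRIME)                 # steps 7 and 8


def derive_rc4_keys(shared, role):
    """ASSUMPTION (the page only says the shared value is 'a basis to select keys'):
    the client's Txmt key is the first 7 bytes of the shared value and its Recv key the
    next 7; the access server takes the mirror image, so Send and Receive keys differ."""
    raw = shared.to_bytes(PRIME_BYTES, "big")
    first, second = raw[:RC4_KEY_LEN], raw[RC4_KEY_LEN:2 * RC4_KEY_LEN]
    return (first, second) if role == "client" else (second, first)   # (txmt, recv)


class AccessServer:
    """AS-2000 SHIM: one private key for its whole uptime, public key pre-computed."""
    def __init__(self):
        self.private = generate_private_key()
        self.public = public_key(self.private)
        self.sessions = {}          # client public key -> (rc4_txmt, rc4_recv)

    def configure_request_1(self, client_public):
        """Subtype 1 carries prime, generator and client public key; with the prime fixed
        only the client's public key matters. Returns the subtype 2 reply (our public key)
        or None for Configure_NAK."""
        if not 1 < client_public < PRIME - 1:
            return None             # reject degenerate public values
        txmt, recv = derive_rc4_keys(shared_key(client_public, self.private), "server")
        self.sessions[client_public] = (RC4(txmt), RC4(recv))
        return self.public

    def configure_request_3(self, client_public, encrypted_challenge):
        """Subtype 3: decrypt with the Recv key and return the cleartext challenge (subtype 4)."""
        _, recv = self.sessions[client_public]
        return recv.crypt(encrypted_challenge)


class ASClient:
    """AS Client SHIM: a fresh private key per connection, hence a per-user, per-session key."""
    def connect(self, server):
        private = generate_private_key()
        mine = public_key(private)
        server_public = server.configure_request_1(mine)
        if server_public is None:
            return False                                      # Configure_NAK, back to Init
        self.txmt_key, self.recv_key = derive_rc4_keys(shared_key(server_public, private), "client")
        self.rc4_txmt, self.rc4_recv = RC4(self.txmt_key), RC4(self.recv_key)
        challenge = secrets.token_bytes(16)                   # DH_generate_random()
        answer = server.configure_request_3(mine, self.rc4_txmt.crypt(challenge))
        # subtype 5 (challenge succeeded) or subtype 6 (challenge failed, back to Init)
        return hmac.compare_digest(answer, challenge)
```

Two consecutive connections to the same `AccessServer` yield different `txmt_key` values even though the server's public key never changes, which is exactly the per-user, per-session property the slides claim; the challenge only confirms that both ends derived the same keys, it does not authenticate the user, which is what the RADIUS step that follows in the start-up flow is for.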
Roaming - IAPP Announce Protocol
[Diagram: a new AS-2000 (AS-2000-1, AP-1) multicasts an Announce Request to all AS-2000s (1); each operational AS-2000 replies with an Announce Response (2); after collecting the responses (3) the new AS-2000 issues its own Announce Response (4).]
1. At startup the AS-2000 transmits a so-called "Announce request" (IP multicast destination address) using defined UDP/IP group addressing.
2. AS-2000s that are part of the same network and are already operational will respond with a so-called "Announce response", containing:
   • IP address of the replying AS-2000
   • BSSID of the replying AS-2000
Roaming - IAPP Announce Protocol (cont’d)
[Diagram: the same announce exchange (Announce Request, Announce Responses, own Announce Response).]
3. The new AS-2000 uses the data in the replies to build a BSSID-to-IP conversion table that relates the BSSID (used by the roaming station to identify its "old" AS-2000) to the IP address of the "old" AS-2000.
4. After an appropriate time interval, when all responses have been received, the "new" AS-2000 will issue an "Announce response" to indicate its operational status.
• The "new" AS-2000 will (as will all AS-2000s) re-issue the "Announce response" to keep informing all participating AS-2000s about any changes in status.
Roaming - IAPP Hand-over Protocol
[Diagram: mobile station, old AS-2000 and new AS-2000; IEEE 802.11 Re-association Request (1) and Re-association Response (2) between the station and the new AS-2000; IAPP Handover Request (3) and Handover Response (4) between the new and the old AS-2000.]
1. When the mobile station moves away from its "old" AS-2000, it issues a Re-association Request to a "new" AS-2000.
2. The "new" AS-2000 will return a Re-association Response when it accepts the roaming station. The AS-2000 service for the mobile station starts at this point in time.
3. The "new" AS-2000 sends a Hand-over Request to the old AS-2000 (via the backbone). The IP address of the old AS-2000 is determined from the BSSID carried in the Re-association Request.
4. The “old” AS-2000 will reply with a Hand-over Response sent to the “new” AS-2000.
Roaming - IAPP Hand-over Protocol
[Diagram: the same hand-over exchange (Re-association Request/Response over IEEE 802.11, Handover Request/Response over IAPP).]
Data included in the hand-over response:
• AS Client IP address
  • To inform the PPP protocol in the “new” AS-2000 which IP address to use
• Old AS-2000 IP address
• AS Client PPP session-state structure
  • This contains the PPP session variables and their current values
• Receive RC4 structure
  • This contains the RC4 key used and the receive sequence number
• Transmit RC4 structure
  • This contains the RC4 key used and the transmit sequence number
Traffic flows: AS Client start up
[Diagram: messages 1 to 8 between AS Client, AS-2000 and RADIUS.]
1. AS Client program started; Association request issued.
2. AS-2000 responds positively if the Network name provided by the AS Client matches. Station “associated”, but not “connected” to the “network”.
3. AS Client user logs in (connects), providing user name and password.
4. Diffie-Hellman Automatic Key Exchange.
5. PPP session starts.
6. AS-2000 consults the RADIUS server to authenticate the AS Client.
7. RADIUS server responds.
8. If positive, the AS Client gets IP, DNS, Gateway etc.: Station “connected” to the “network”.
Traffic flows: AS Client connected
[Diagram: messages 1 to 4 between AS Client, AS-2000 and the network resource.]
Station “connected” to the “network”. AS Client program operational in the background.
1. Client application accesses a network resource (server, printer, email server, Internet gateway). Data is encrypted using its own unique key.
2. AS-2000 passes the traffic to the proper network resource (non-encrypted).
3. Network resource will return traffic to the AS-2000 (non-encrypted).
4. AS-2000 will encrypt the data and pass it to the AS Client.
Summary
• System Overview
• Client architecture
• AS-2000 architecture
• Boot loader issues
• Authentication
• Security
• Roaming