
doc.: IEEE 802.11-07/2161r1
Submission, July 2007
Donald Eastlake 3rd, Motorola

Slide 1

Segregated Data Services in 802.11
Date: 2007-07-17

Authors:

Name | Affiliations | Address | Phone | email
Donald Eastlake 3rd | Motorola | 111 Locke Drive, Marlboro, MA 01757 USA | +1-508-786-7554 | [email protected]
Guido R. Hiertz | Philips; ComNets, RWTH Aachen University | Kopernikusstr. 16, 52074 Aachen, Federal Republic of Germany | +49-241-802-5829 | [email protected]
Dee Denteneer | Philips | Philips Research, HTC 27 (WL 1.132), 5656 AE Eindhoven, The Netherlands | +31-402-746-937 | [email protected]
Nancy Cam-Winget | Cisco Systems | 190 W Tasman, San Jose, CA 95134 USA | +1-408-853-0532 | ncamwing@cisco.com
Stephen Rayment | BelAir Networks | 603 March Road, Ottawa, ON, Canada K2K 2M5 | +1 613 254 7070 x112 | srayment@belairnetworks.com
Tony Metke | Motorola | 1301 E. Algonquin Road, Mail Stop: 1232, Schaumberg, IL 60196 USA | +1-847-576-0092 | Tony.Metke@motorola.com

Slide 2

Abstract

Essentially all 802.11 networks need VLANs or a similar mechanism for segregated data services. The need varies from a mild requirement to distinguish “visitors” from “residents” in a one AP home network to much stronger and more complex requirements in enterprise, municipal, and other systems. Scenarios and requirements for adding segregated services / VLANs to IEEE 802.11 are presented along with some comments on existing or prospective mechanisms.

Slide 3

Motivation

• Segregating traffic for “visitors”, who should only have access to the Internet and limited facilities, from “insider” traffic.

• Provision of different services for free and subscription services in Hot Zone or Municipal systems. (May also segregate subscription service through different carriers.)

• In mesh environments, ability to safely forward data through nodes with limited trust.

• To enable aggregation of traffic over a single infrastructure for efficient deployment.

• Dedicated traffic segregation by type, such as VoIP

Slide 4

Example Scenario I (unified infrastructure, single-interface end stations)

[Figure: MAP 1, MAP 2 and AP 2 serve Guest Stations and Local Stations over a single infrastructure; a Guest VLAN and a Local VLAN share the Wired Connection, with a Firewall separating the Internet from the Protected Services.]

Slide 5

Example Scenario II (diverse mesh, multi-interface mesh points)

[Figure: mesh points (MP) belonging to Org 1, Org 2 and Org 3 form one shared mesh; Org 1 MPP and Org 2 MPP connect the mesh to Organization 1 Infrastructure and Organization 2 Infrastructure respectively, and on to the Internet. Three services are carried over the same mesh: Local Mesh Service, Organization 1 Service and Organization 2 Service.]

Slide 6

Tentative Requirements

1. Advertising Availability of Services
2. Associating/Authenticating/Authorizing for One or more Specific Services
3. Multiple Service Security Channels Between Two Stations
4. Transit Frame Labelling
5. Protection of Segregated Data from Unauthorized Access
6. Configuration and Management

Slide 7

1. Advertising Availability of Services

• Current practice: Transmit multiple Beacons, as is done at IEEE 802 meetings.

• Work in progress: General Advertisement Service (GAS) mechanisms in 802.11 TGu (Interworking with External Networks).
– Includes SSIDC (SSID Container IE) for transmission of multiple SSIDs (with or without multiple BSSIDs) in a single beacon.

• Possible new work:
– Extensions to TGu GAS.
– Other mechanisms.

Slide 8

2. Associating/Authenticating/Authorizing for a Specific Service

• Current practice: Only one association, 802.11i security.

• Work in progress:
– TGw (Protected Management Frames) extends security to some control messages.
– TGs (Mesh Networking), with authentication to the mesh distinguished from authentication to an AP.
– TGu (Interworking with External Networks), with different credentials/authentication for different back-end carriers.

• Possible new work: Different credentials/authentication for different Services/VLANs.

Slide 9

3. Multiple Service Security Channels Between Two Stations

• Current Practice:
– An AP can have multiple security associations, but each with a different end station.
– Two stations can have multiple IPsec security associations, or the like, at the application level.

• Work in Progress: TGs (Mesh Networking) permits multiple associations but each with a different mesh point.

• Possible new work:
– Different security associations for different services/VLANs.
– Development of a new Authenticator PAE function that can manage multiple SAs with a given neighbor.

Slide 10

4. Transit Frame Labelling

• Current Practice:
– The current standard explicitly permits an 802.1Q-Tag in the payload (802.11-2007 Annex M), but the Q-Tag’s priority and VLAN ID fields are otherwise ignored.
– The only obvious way is to use different MAC addresses.

• Work in Progress: none...(?)

• Possible new work:
– Header addition to distinguish Service/VLAN.
– Other mechanisms.
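As an added illustration of the gap noted above (this is not code from the submission or from any 802.11 task group): a small Python model of what a forwarding node would have to do to honour, rather than ignore, an 802.1Q tag carried in an MSDU, combined with the per-station service authorizations of requirements 2 and 3 so that a frame is only forwarded on a VLAN its sender has been authorized for. The LLC/SNAP-plus-Q-tag byte layout, the station MAC addresses, the VLAN numbers and the `SegregationPolicy` table are constructed assumptions for the example.

```python
"""Model of VLAN-aware forwarding for 802.11 segregated data services (example only)."""
import struct
from typing import Dict, NamedTuple, Optional, Tuple

# RFC 1042 LLC/SNAP header that precedes the EtherType in an 802.11 MSDU.
LLC_SNAP = bytes.fromhex("aaaa03000000")
ETHERTYPE_QTAG = 0x8100  # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
VID_RESERVED = 0x0FFF    # 802.1Q reserves VLAN ID 4095


class QTag(NamedTuple):
    pcp: int  # priority code point, 3 bits
    dei: int  # drop eligible indicator, 1 bit
    vid: int  # VLAN identifier, 12 bits (0 = priority-only tag, no VLAN)


class ParsedMsdu(NamedTuple):
    qtag: Optional[QTag]
    ethertype: int
    payload: bytes


def parse_msdu(msdu: bytes) -> ParsedMsdu:
    """Split an MSDU into its optional 802.1Q tag, EtherType and payload.

    Assumed layout (ordinary 802.1Q tagging placed after LLC/SNAP; the slide
    only says 802.11-2007 Annex M permits the tag in the payload):
      LLC/SNAP (6) | EtherType (2) [| TCI (2) | EtherType (2)] | payload
    """
    if len(msdu) < 8 or msdu[:6] != LLC_SNAP:
        raise ValueError("not an LLC/SNAP encapsulated MSDU")
    (ethertype,) = struct.unpack_from("!H", msdu, 6)
    if ethertype != ETHERTYPE_QTAG:
        return ParsedMsdu(None, ethertype, msdu[8:])
    if len(msdu) < 12:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack_from("!HH", msdu, 8)
    tag = QTag(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
    if tag.vid == VID_RESERVED:
        raise ValueError("reserved VLAN ID 4095")
    return ParsedMsdu(tag, inner_type, msdu[12:])


def build_msdu(vid: Optional[int], pcp: int = 0,
               payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Construct a sample MSDU (untagged when vid is None). Constructed test data."""
    if vid is None:
        return LLC_SNAP + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return LLC_SNAP + struct.pack("!HHH", ETHERTYPE_QTAG, tci, ETHERTYPE_IPV4) + payload


class SegregationPolicy:
    """Per-station record of which services (VLAN IDs) it has been authorized for.

    One station may hold several entries, which is the 'multiple service security
    channels between two stations' case of requirement 3. Hypothetical model.
    """

    def __init__(self) -> None:
        self._auth: Dict[str, Dict[int, str]] = {}

    def authorize(self, station: str, vid: int, service: str) -> None:
        self._auth.setdefault(station, {})[vid] = service

    def classify(self, station: str, msdu: bytes) -> Tuple[str, str]:
        """Return ("forward", service) or ("drop", reason) for a received MSDU."""
        try:
            parsed = parse_msdu(msdu)
        except ValueError as exc:
            return ("drop", f"malformed: {exc}")
        if parsed.qtag is None or parsed.qtag.vid == 0:
            # Without a VLAN ID there is nothing to segregate on: fail closed.
            return ("drop", "no VLAN ID on a segregated link")
        service = self._auth.get(station, {}).get(parsed.qtag.vid)
        if service is None:
            return ("drop", f"{station} not authorized for VLAN {parsed.qtag.vid}")
        return ("forward", service)


if __name__ == "__main__":
    policy = SegregationPolicy()
    guest, local = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed MACs
    policy.authorize(guest, 10, "guest")
    policy.authorize(local, 10, "guest")
    policy.authorize(local, 20, "local")
    for who, frame in [(guest, build_msdu(10)), (guest, build_msdu(20)),
                       (local, build_msdu(20, pcp=6)), (local, build_msdu(None))]:
        print(who, policy.classify(who, frame))
```

The design point is that the forwarding decision is keyed on the pair (sending station, VLAN ID), not on the VLAN ID alone: a guest station that tags its own frames with the local VLAN is dropped, which is exactly the check a node cannot make today while the Q-Tag fields are ignored. Untagged and malformed frames fail closed on a segregated link.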

Slide 11

5. Protection of Segregated Data from Unauthorized Access

• Current Practice: Have to use IPsec or some similar application level mechanism to protect data at intermediate hops.

• Work in Progress: none...

• Possible new work:
– Optional edge-to-edge security between the original source station and the final destination station. But not all services would require this. (If VLAN mapping is possible, authentication should be keyed to SSID, not VLAN ID.)

Slide 12

6. Configuration and Management

• Current Practice:
– SNMP (Simple Network Management Protocol)
– GVRP (GARP VLAN Registration Protocol)
– Proprietary command line interfaces and protocols

• Work in Progress: SNMP MIB (Management Information Base) additions by TGu (Interworking with External Networks)

• Possible new work:
– MIB additions or other mechanisms for configuration and management, including setting up and deleting VLANs.

Slide 13

Straw Polls

• Results in WNG SC during the morning session on 17 July:
– Should the 802.11 WNG SC proceed at this time to vote on a motion to set up a Study Group?
  Yes: 6  No: 27  Abstain: 18
– Should 802.11 receive further presentations on the topic of segregated data services?
  Yes: 46  No: 0  Abstain: 1

Slide 14

Motion (not voted on in WNG)

• Moved, To request the IEEE 802.11 Working Group to approve and forward to the IEEE 802 Executive Committee the creation of a “WLAN Multiple Segregated Data Services” Study Group to draft a PAR and 5 Criteria for the provision of secure segregated data services in 802.11, such services to include some or all of the following:
– advertising and associating with such services; labeling frames per service; security of data within a service; and the configuration and management of such services.

Moved: Seconded:

Yes: No: Abstain:

Slide 15

References

• Standard 802.11-2007 – WLANs

• Standard 802.1Q-2005 – VLANs, GVRP

• Draft 802.11s D1.05 – ESS Mesh Networking

• Draft 802.11u D1.0 – Interworking with External Networks

• Draft 802.11w D2.0 – Protected Management Frames

• IETF STD 62 (IETF RFCs 3411 through 3418) – SNMP