
Re: [STDS-802-11-TGBH] Minimum length (and optionality) of Device ID



Thanks Mark, see inline ... FWIW hope it helps.
Tnx
Ben


From: Mark Hamilton <mark.hamilton2152@xxxxxxxxx>
Sent: Wednesday, August 2, 2023 9:52 AM
To: STDS-802-11-TGBH@xxxxxxxxxxxxxxxxx <STDS-802-11-TGBH@xxxxxxxxxxxxxxxxx>
Subject: Re: [STDS-802-11-TGBH] Minimum length (and optionality) of Device ID
 

A couple of counter arguments (I think, if I’m understanding the points made):

  • I am concerned that with no minimum length requirement for a Device ID, we will get comments that there is a “security hole” in that an attacker could easily brute force try a lot/every possible short Device ID string until one works.  We’ve had discussions in the past that we don’t want to introduce a mechanism that allows trivial spoofing of a “known” device, by either a rogue STA or AP.  As long as we have agreement that we don’t care about this problem, and/or it is out of our scope to worry about perhaps (in which case maybe we at least want a NOTE?), then I can see arguments for allowing (or at least not disallowing) very short Device IDs.

  • Ben’s takeaway (just below) seems to have been that the Device ID comes from a “higher layer protocol”.  That has not been my assumption.  I could imagine that this is possible, but I can also imagine that it is generated (in an implementation-dependent manner) within the 802 layer.  Do we need to get agreement/add clarification on this (again, maybe just a NOTE)?
    [BAR]  I based this on Dan's explanation. Should have prefaced with "if Dan's explanation is correct..." I guess 🙂.  The current draft does not contain any technical specification of the Device ID. So the two positions are (1) that's fine, it shouldn't, or (2) some minimum requirements are needed to prevent poor use.  (2) is definitely out of scope of my expertise 😉. A more general version of "out of scope of the standard" clarification might be:
    • The Device ID field is an octet string the content of which is implementation dependent. Some suggestions for Device ID implementations are given in Annex AD.1.
    which would fit either Dan's or Mark's layering.  If it's not defined in the standard then either layering view seems valid to me.
    I suppose there's an in-between version, which is we use a "should" to recommend using a method such as given in AD.1 or equivalent in performance (which is valid if we think it's implementation-specific MAC layer, but not if we think it's network layer, in which case don't use "should").




 

Mark

 

From: Benjamin Rolfe <ben@xxxxxxxxxxxxxx>
Sent: Wednesday, August 2, 2023 8:49 AM
To: STDS-802-11-TGBH@xxxxxxxxxxxxxxxxx
Subject: Re: [STDS-802-11-TGBH] Minimum length (and optionality) of Device ID

 

Thanks Dan, that explanation is very helpful.

An alternative to rejecting the comment would be "revised" and clarify the field definition consistent with Dan's explanation. As is, it says that it contains something that is undefined (refers only to an informative annex), which a voter might suggest makes the spec not technically complete.

A change such as:  

 


(borrowing language from 802.11-2020 for similar situations where the content is defined at the network layer). 

 

FWIW it would seem from the discussion that clarification will help.  It helped me!

 

Ben

 


From: Harkins, Dan <daniel.harkins@xxxxxxx>
Sent: Tuesday, August 1, 2023 5:50 PM
To: STDS-802-11-TGBH@xxxxxxxxxxxxxxxxx <STDS-802-11-TGBH@xxxxxxxxxxxxxxxxx>
Subject: Re: [STDS-802-11-TGBH] Minimum length (and optionality) of Device ID

 

 

  Hello,

 

  I missed the TGbh call this morning but I understand there was a discussion about min/max device ID lengths. It is my opinion that the contents of a device ID and its subsequent length are entirely outside the scope of the standard. The only requirement is it has to fit in an IE and if you do the Annex encryption stuff you will need to take into account the overhead it imposes (17 octets plus tweak plus padding if used) and make sure your device IDs will still fit after being encrypted. There is no need to specify a min. STAs don't care what their device ID is (remember, these use cases are entirely to help the network side of the conversation) and the network owns the device ID space so it can do anything it wants.

 

  I would support rejection of the comments that ask for min/max limits on device IDs.

 

  regards,

 

  Dan.

 

--

"the object of life is not to be on the side of the majority, but to

escape finding oneself in the ranks of the insane." – Marcus Aurelius

 

On 8/1/23, 9:18 AM, "Mark Hamilton" <mark.hamilton2152@xxxxxxxxx> wrote:

 

All,

 

I just wanted to point out a couple examples from the baseline (REVme, that is), for fields which are not always present, and/or have variable length or some restrictions on their length (when they are present).

 

Supported Operating Classes element:

Note the “(optional)” inside the field’s box, and the “variable” below the box.  Also, note that the text then describes when the field is present or not, and minimal information about what it carries when it is present:

 

Time Advertisement element:

 

 

Again “(optional)” inside the box, and this time a fixed choice of length below the box (0 or a fixed length).  And, again, minimal description in the text about when the field is present, and what it means when it is present:

 

 

 

Multi-band element:

 

 

Of interest here, is the use of “4 x m” for the length of the last field.  So, there are examples of a simple “formula” type of length, even with an optional field – which can presumably be 0 if m is 0.

 

QMF Policy frame:

 

 

This is one with the possibility of “not present” (0 length), or a specific range of lengths allowed when it is present.  And, here the text describes when it is present, and points elsewhere (although still in clause 9 ?! 😊) for its structure and definition when it is present:

 

 

 

Personally, I think that last example might be the most relevant one for us to mirror, if we decide the Device ID length can be a range (when present), or ours could be like Time Advertisement element if we decide the Device ID is fixed length (when present).

 

Other thoughts/flames?

 

Mark


To unsubscribe from the STDS-802-11-TGBH list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1

