Thread Links Date Links
Thread Prev Thread Next Thread Index Date Prev Date Next Date Index

Re: [STDS-802-11-TGBH] Minimum length (and optionality) of Device ID



Title: Standard

 

  Hi Bob,

 

  The STA doesn't choose its device ID. The device ID space is owned by the network and the network assigns a STA a unique device ID out of it. Think of an IPsec SPI. If you let the other guy choose your SPI it would wreck havoc.

 

  regards,

 

  Dan.

 

--

"the object of life is not to be on the side of the majority, but to

escape finding oneself in the ranks of the insane." – Marcus Aurelius

 

On 8/2/23, 11:12 AM, "Robert Moskowitz" <rgm@xxxxxxxxxxxxxxxxxxxx> wrote:

 

Mark,

WRT to minimum length.  If your concern is collision probability on the part of the STA randomly creating its Device ID, see rfc9374, Appendix D.  I provide the formula you can use (and you can look it up in wikipedia) to calculate for any length ID.

8 bytes would be a reasonable maximum minimum (hey what?  :) ).

6 bytes is totally reasonable within the small domain of use here.

But wrt to brute forcing, see the discussion in sec 9. Security Considerations.

Of course 9374 creates an "Entity Tag" (ID) via hashing the public key of a EC keypair (sec 3.5), but the collision math still applies.

What is LowRa Wan's ID?  2 bytes?  I know it is really small, but don't have it in front of me.  That may be a minimum to use and then look up their arguments for their ID length.  It is probably the smallest ID out there.

Or SigFox?

There is really no current Best Practice for this sort of animal.  Been involved in too many discussions on this subject over the decades.

And a higher layer could easily be the ID source.  But then it would probably NOT be the minimum length.

On 8/2/23 12:52, Mark Hamilton wrote:

A couple of counter arguments (I think, if I’m understanding the points made):

1.       I am concerned that with no minimum length requirement for a Device ID, we will get comments that there is a “security hole” in that an attacker could easily brute force try a lot/every possible short Device ID string until one works.  We’ve had discussions in the past that we don’t want to introduce a mechanism that allows trivial spoofing of a “known” device, by either a rogue STA or AP.  As long as we have agreement that we don’t care about this problem, and/or it is out of our scope to worry about perhaps (in which case maybe we at least want a NOTE?), then I can see arguments for allowing (or at least not disallowing) very short Device IDs.

2.       Ben’s takeaway (just below) seems to have been that the Device ID comes from a “higher layer protocol”.  That has not been my assumption.  I could imagine that this is possible, but I can also imagine that it is generate (in an implementation-dependent manner) within the 802 layer.  Do we need to get agreement/add clarification on this (again, maybe just a NOTE)?

 

Mark

 

From: Benjamin Rolfe <ben@xxxxxxxxxxxxxx>
Sent: Wednesday, August 2, 2023 8:49 AM
To: STDS-802-11-TGBH@xxxxxxxxxxxxxxxxx
Subject: Re: [STDS-802-11-TGBH] Minimum length (and optionality) of Device ID

 

Thanks Dan, that explanation is very helpful.

An alternative to rejecting the comment would be "revised" and clarify the field definition consistent with Dan's explanation. As is it says that it contains something that is undefined (refers only to an informative annex) which a voter might suggest makes the spec not technically complete.

A change such as:  

 

The Device ID field is an octet string and is defined by the higher layer protocol.  See also  Annex AD.1.

 

(borrowing language from 802.11-2020 for similar situations where the content is defined at the network layer). 

 

FWIW it would seem from the discussion that clarification will help.  It helped me!

 

Ben

 


From: Harkins, Dan <daniel.harkins@xxxxxxx>
Sent: Tuesday, August 1, 2023 5:50 PM
To: STDS-802-11-TGBH@xxxxxxxxxxxxxxxxx <STDS-802-11-TGBH@xxxxxxxxxxxxxxxxx>
Subject: Re: [STDS-802-11-TGBH] Minimum length (and optionality) of Device ID

 

 

  Hello,

 

  I missed the TGbh call this morning but I understand there was a discussion about min/max device ID lengths. It is my opinion that the contents of a device ID and its subsequent length are entirely outside the scope of the standard. The only requirement is it has to fit in an IE and if you do the Annex encryption stuff you will need to take into account the overhead it imposes (17 octets plus tweak plus padding if used) and make sure your device IDs will still fit after being encrypted. There is no need to specify a min. STAs don't care what their device ID is (remember, these use cases are entirely to help the network side of the conversation) and the network owns the device ID space so it can do anything it wants.

 

  I would support rejection of the comments that ask for min/max limits on device IDs.

 

  regards,

 

  Dan.

 

--

"the object of life is not to be on the side of the majority, but to

escape finding oneself in the ranks of the insane." – Marcus Aurelius

 

On 8/1/23, 9:18 AM, "Mark Hamilton" <mark.hamilton2152@xxxxxxxxx> wrote:

 

All,

 

I just wanted to point out a couple examples from the baseline (REVme, that is), for fields which are not always present, and/or have variable length or some restrictions on their length (when they are present).

 

Supported Operating Classes element:

cid:part1.KQv3Etdi.DJcGqw9J@labs.htt-consult.com

Note the “(optional)” inside the field’s box, and the “variable” below the box.  Also, note that the text then describes when the field is present or not, and minimal information about what it carries when it is present:

cid:part2.Nw6lv1DT.FBLlaeYN@labs.htt-consult.com

 

Time Advertisement element:

 

cid:part3.qaPEjBwj.vZNfS39J@labs.htt-consult.com

 

Again “(optional)” inside the box, and this time a fixed choice of length below the box (0 or a fixed length).  And, again, minimal description in the text about when the field is present, and what it means when it is present:

 

cid:part4.WkHhXtO0.oNpknF3E@labs.htt-consult.com

 

 

Multi-band element:

 

cid:part5.Bg2Qumoh.2nFM0gHx@labs.htt-consult.com

 

Of interest here, is the use of “4 x m” for the length of the last field.  So, there are examples of a simple “formula” type of length, even with an optional field – which can presumably be 0 if m is 0.

 

QMF Policy frame:

 

cid:part6.9dSHI0M7.nG9zfik1@labs.htt-consult.com

 

This is one with the possibility of “not present” (0 length), or a specific range of lengths allowed when it is present.  And, here the text describes when it is present, and points elsewhere (although still in clause 9 ?! 😊) for its structure and definition when it is present:

 

cid:part7.RiY9x0sE.toBojpR3@labs.htt-consult.com

 

 

Personally, I think that last example might be the most relevant one for us to mirror, if we decide the Device ID length can be a range (when present), or ours could be like Time Advertisement element if we decide the Device ID is fixed length (when present).

 

Other thoughts/flames?

 

Mark


To unsubscribe from the STDS-802-11-TGBH list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1


To unsubscribe from the STDS-802-11-TGBH list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1


To unsubscribe from the STDS-802-11-TGBH list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1


To unsubscribe from the STDS-802-11-TGBH list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1

 

--
Robert Moskowitz
Owner
HTT Consulting

C:      248-219-2059
F:
      248-968-2824
E:
      rgm@xxxxxxxxxxxxxxxxxxxx

There's no limit to what can be accomplished if it doesn't matter who gets the credit


To unsubscribe from the STDS-802-11-TGBH list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1


To unsubscribe from the STDS-802-11-TGBH list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1