Thread Links Date Links
Thread Prev Thread Next Thread Index Date Prev Date Next Date Index

[STDS-802-11-TGM] 11me/D2.0 CID 3573/3574 (replay counters)

--- This message came from the IEEE 802.11 Task Group M Technical Reflector ---

There was no objection yesterday to the direction proposed in 22/2069r6

for CIDs 3573 and 3574 about replay counters.  I have now made the additional

changes discussed.  For reference, here is the outcome, to be in 22/2069r7

for motion:

 

Proposed changes:

 

In 11.24.1.1 add a bullet “— The frame is not a PV1 Management frame.” at 2652.5/14/23.

 

Change 12.5.2.4.4 PN and replay detection as follows:

 

b) For each PTKSA, (#166)TPKSA, GTKSA, (#1627)mesh PTKSA, and mesh GTKSA(#239), the recipient shall maintain a separate replay counter for each TID, subject to the limitation of the number of supported replay counters indicated in the RSN Capabilities field (see 9.4.2.24 (RSNE)), and shall use the PN from a received frame to detect replayed frames. A replayed frame occurs when the PN from a received frame is less than or equal to the current replay counter value for the frame’s MSDU or A-MSDU priority and frame type.

 

(#171)NOTE 2—For the purpose of replay detection, non-QoS Data frames are treated as having TID 0, and use the reply counter corresponding to MSDU priority 0.

 

c) If the recipient set the MFPC bit on a given link to 1, it(#199) shall maintain a single replay counter for received individually addressed robust PV0 Management frames that are received with the To DS subfield equal to 0, and (S1G STA only) a single replay counter for received individually addressed robust PV1 Management frames and shall use the PN from the received frame to detect replays. If dot11QMFActivated is also true, the recipient shall maintain an additional replay counter for each ACI for received individually addressed robust PV0 Management frames and robust PV1 Management frames(#1681), where these framesthat are received with the To DS subfield equal to 1. The QMF receiver shall use the ACI encoded in the Sequence Number field of the received frame to select the replay counter to use for the received frame, and shall use the PN from the received frame to detect replays. A replayed frame occurs when the PN from the frame is less than or equal to the current value of the management frame replay counter that corresponds to the ACI of the frame.

NOTE—QMF is not supported for PV1 Management frames (see 11.24.1.1).

 

d) The receiver shall discard any Data frame that is received with its PN less than or equal to the value of the replay counter that is associated with the TA, RA (individual or group address; not if TDLS) and priority value of the received MPDU. The receiver shall discard fragmented MSDUs, A-MSDUs and MMPDUs whose constituent MPDU PN values are not incrementing in steps of 1. (#199)If the receiver set the MFPC bit on a given link to 1, it shall discard any individually addressed robust Management frame that is received with its PN less than or equal to the value of the replay counter associated with the TA, (QMF receiver of an individually addressed robust PV0 Management frame with the To DS subfield equal to 1 only) ACI, and (S1G STA only) Protocol Version subfield of that individually addressed Management frame.

 

Change 12.5.2.3.1 General (under CCMP cryptographic encapsulation) as follows:

 

b) For secure PV1 MPDUs, CCMP encrypts the Frame Body field of a plaintext MPDU and encapsulates the resulting cipher text using the following steps:

1) When the sequence number of the MPDU is less than the previous sequence number and satisfies the BPN update conditions in 12.5.2.3.6 (Construct CCMP header for PV1 MPDUs), for that (#37)(#193)PTID, (for Data frames) or ACI (for QMFs), increment the base PN so that the PN never repeats for the same temporal key and (#37)PTID/ACI.

NOTE 2—Retransmitted MPDUs are not modified on retransmission.

NOTE 3—QMF is not supported for PV1 Management frames (see 11.24.1.1).

2) Use the fields in the MPDU header to construct the AAD for CCM. The CCM algorithm provides integrity protection for the fields included in the AAD. MPDU header fields that might change when retransmitted are muted by being (#1951)masked out when calculating the AAD.

3) Construct the (#209)CCM nonce as defined in 12.5.2.3.4 (Construct CCM nonce) from the PN, A2, and the priority value of the MPDU, where A2 is the STA MAC address identified by the A2 field of the MPDU. If the MPDU is a QoS Data MPDU, the priority value of the MPDU is equal to the value of the PTID subfield of the Frame Control field. If the Type field of the Frame Control field is 001 (Management frame) and the frame is a QMF, the priority value of the MPDU is equal to the value in the ACI subfield of the Sequence Number field. Otherwise, the priority value of the MPDU is equal to the fixed value 0.

 

Change 12.5.2.3.2 PN processing as follows:

 

The PN is incremented by a positive number for each MPDU. The PN shall be incremented in steps of 1 for constituent MPDUs of fragmented MSDUs, (11ax)A-MSDUs, and MMPDUs. For PV0 MPDUs, the PN shall never repeat for a series of encrypted MPDUs using the same temporal key. For PV1 MPDUs, the PN shall never repeat for a series of encrypted MPDUs using the same temporal key and (for Data frames) (#37)(#193)PTID (for Data frames) or ACI (for QMFs).

 

Change 12.5.3.4 BIP replay protection as follows:

 

12.5.3.4 BIP replay protectioncounters and packet numbers

 

[…]

 

See 12.5.3.5 (BIP transmission) and 12.5.3.6 (BIP reception) for per frame BIP processing, including detection of replayed frames.

 

[…]

 

When dot11QMFActivated is true, the receiver shall maintain an additional replay counter for each ACI for received group addressed robust Management frames that use QMF. The receiver shall use the ACI encoded in the Sequence Number field of received GQMFs protected by BIP to select the replay counter to use for the received frame, and shall use the IPN from the received frame to detect replays.

NOTE—QMF is not supported for PV1 Management frames (see 11.24.1.1).

 

If dot11RSNAProtectedManagementFramesActivated is trueWhen management frame protection is negotiated and dot11MeshSecurityActivated is true, the recipient shall maintain a single replay counter for received group addressed robust Management frames that do not use the QMF service and shall use the PN from the received frame to detect replays. If dot11QMFActivated is also true, the recipient shall maintain an additional replay counter for each ACI for received group addressed robust Management frames that use the QMF service. The QMF receiver shall use the ACI encoded in the Sequence Number field of the received frame to select the replay counter to use for the received frame, and shall use the PN from the received frame to detect replays. A replayed frame occurs when the PN from the frame is less than or equal to the value of the management frame replay counter that corresponds to the ACI of the frame. When the QMF service is not used, tThe transmitter shall preserve the order of protected group addressed robust Management frames that are transmitted to the same DRA without the QMF service. When the QMF service is used, the transmitter shall not reorder preserve the order of protected robust GQMFs within an AC when the framesthat are transmitted to the same RA.

 

Change 12.5.2.3.7 CCM originator processing as follows:

 

When the QMF service is not used, tThe transmitter shall preserve the order of protected individually addressed robust Management frames that are transmitted to the same DRA without the QMF service. When the QMF service is used, the transmitter shall not reorder preserve the order of protected robust IQMFs within an AC when the framesthat are transmitted to the same RA.

 

In 12.5.3.5 BIP transmission after a) and in 12.5.3.6 BIP reception after b)1) add:

 

NOTE—QMF is not supported for PV1 Management frames (see 11.24.1.1).

 

Change 12.5.4.4.4 PN and replay detection as follows:

 

b) For each PTKSA, (#166)TPKSA, GTKSA, mesh PTKSA, and mesh GTKSA(#239), the recipient shall maintain a separate replay counter for each TID, subject to the limitation of the number of supported replay counters indicated in the RSN Capabilities field (see 9.4.2.24 (RSNE)), and shall use the PN from a received frame to detect replayed frames. A replayed frame occurs when the PN from a received frame is less than or equal to the current replay counter value for the frame’s MSDU or A-MSDU priority and frame type.

 

(#171)NOTE—For the purpose of replay detection, non-QoS Data frames are treated as having TID 0, and use the reply counter corresponding to MSDU priority 0.

 

c) (#199)If the recipient set the MFPC bit on a given link to 1, it shall maintain a single replay counter for received individually addressed robust Management frames that are received with the To DS subfield equal to 0 and shall use the PN from the received frame to detect replays. If dot11QMFActivated is also true, the recipient shall maintain an additional replay counter for each ACI for received individually addressed robust Management frames that are received with the To DS subfield equal to 1. The QMF receiver shall use the ACI encoded in the Sequence Number field of the received frame to select the replay counter to use for the received frame, and shall use the PN from the received frame to detect replays. A replayed frame occurs when the PN from the frame is less than or equal to the current value of the management frame replay counter that corresponds to the ACI of the frame.

NOTE—PV1 frames are not supported with GCMP (see 12.5.4.1).

 

d) The receiver shall discard any Data frame that is received with its PN less than or equal to the value of the replay counter that is associated with the TA, RA (individual or group address; not if TDLS) and priority value of the received MPDU. The receiver shall discard fragmented MSDUs, A-MSDUs and MMPDUs whose constituent MPDU PN values are not incrementing in steps of 1. If the receiver set the MFPC bit on a given link to 1, it(#199) shall discard any individually addressed robust Management frame that is received with its PN less than or equal to the value of the replay counter associated with the TA and (QMF receiver of an individually addressed robust Management frame with the To DS subfield equal to 1 only) ACI of that individually addressed Management frame.

 

Change 12.5.4.3.6 GCM originator processing as follows:

 

When the QMF service is not used, tThe transmitter shall preserve the order of protected individually addressed robust Management frames that are transmitted to the same DRA without the QMF service. When the QMF service is used, the transmitter shall not reorder preserve the order of protected robust IQMFs within an AC when the framesthat are transmitted to the same RA.

 

Proposed resolution:

 

REVISED

 

Make the changes shown under “Proposed changes” for CID 3573, 3574 in <this document>, which clarify the set of replay counters in the possible contexts.  They also disallow QMF with PV1 Management frames and allow BIP to be used in non-mesh BSSes, and allow for fragmentation of A-MSDUs (dynamic, per 11ax).

 

Thanks,

 

Mark

 

--

Mark RISON, Standards Architect, WLAN   English/Esperanto/Français

Samsung Cambridge Solution Centre       Tel: +44 1223  434600

Innovation Park, Cambridge CB4 0DS      Fax: +44 1223  434601

ROYAUME UNI                             WWW: http://www.samsung.com/uk

 

To unsubscribe from the STDS-802-11-TGM list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGM&A=1