
RE: [LinkSec] 802.11 architecture and pre-auth paper

Hi Bernard,
   This document is helpful.  It definitely gets the ball rolling
on defining pre-authentication for Link Security (or .1aa).  I have
a few questions, some of which may be more for .1aa to answer rather
than .11i, but they will hopefully generate some discussion and keep
this issue active here.

1.  I have created a table which I believe summarizes the transfer of
packets between the wireless medium (WM) and distribution system (DS).
Is this accurate?
    Port                           Ether- ToDS   FromDS 802.11
    Received   To MAC        From  type   Field  Field  State   Result
    --------  -------------- ----- -----  ------ ------ ------- ----------------
--> WM port   WM MAC         <any> <any>  <any>  <any>  <any>   Processed by
                                                                WM port
--> WM port   <any>          <any> <any>  FALSE  FALSE  <any>   Processed by
                                                                WM port
--> WM port   <any>          <any> <any>  FALSE  <any>  <any>   NOT sent to
                                                                relay agent.
--> WM port   not WM         <any> <any>  TRUE   <any>  not 3   Discard frame
--> WM port   non-fwd mcast  <any> <any>  TRUE   <any>  3       Processed by
                                                                WM port
--> WM port   unicast on     <any> <any>  TRUE   <any>  3       Processed by
              wireless                                          Relay Agent,
                                                                sent to WM port,
                                                                sent to
                                                                wireless STA
--> WM port   unicast not    <any> <any>  TRUE   <any>  3       Processed by
              on wireless                                       Relay Agent,
                                                                sent to DS port,
                                                                sent to DS.
--> DS port   DS MAC         <any> <any>  <any>  <any>  na      Processed by
                                                                DS port
--> DS port   broadcast      <any> <any>  <any>  <any>  na      Implementation
                                                                dependent. May
                                                                forward to WM,
                                                                may not.
--> DS port   unicast on     <any> <any>  <any>  <any>  na      Processed by
              wireless                                          relay agent,
                                                                sent to WM port,
                                                                sent to wireless
                                                                with FromDS=TRUE,
                                                                ToDS=FALSE.
--> DS port   WM MAC         <any> <any>  <any>  <any>  na      Processed by
                                                                relay agent,
                                                                sent to WM port.


2.  Under section 1.3 there is a sentence:
  "An Access Point supporting 802.1X shall have a WM port supporting an
  Authenticator Port Access Entity (PAE), and may have a WM port supporting
  a Supplicant PAE"
    I believe it would be more accurate if it read:
  "An Access Point supporting 802.1X shall have a WM port that can create
  logical (virtual) ports which support an Authenticator Port Access Entity
  (PAE), and may also support a Supplicant PAE"

3.  In section 1.1 there is a sentence:
  "Depending on the AP implementation, the WM port and DS port may or may
   not have distinct MAC addresses."
  It is not made clear in the document how an AP that has a single MAC
  entity for both the WM and DS will operate.  If a frame is delivered to
  the single MAC entity, how is it processed?  Where is the relay agent (or
  is there none)?  Logical ports are normally created atop the MAC entity,
  so in the case of a single WM/DS MAC entity that is running .1X on the WM,
  how are frames from the DS differentiated from frames from the WM?

4. How do PAE logical ports created via preauthentication get removed if the
   station never roams to the access point?  A station preauthenticates to
   the target AP, and a logical PAE port is created (resources are used on
   the AP).  The station then fails to roam to the target AP.  Will there be
   a lifetime associated with a logical PAE port?

5. Is there a contingency if a station roams too quickly?  It begins the
   preauthentication process through the current AP but arrives at the
   target AP before the preauthentication completes.  Should the target AP
   try to pick up the preauthentication it began on its DS port over the WM
   port?  Or should it just do a full reauthentication of the station?

6.  In section 2, second paragraph, last sentence:
   "Since the STA is in State 3 (authenticated and associated) with respect
   to the current AP, and since the frame has the 'From DS' FC bit set to
   FALSE and the 'To DS' FC bit set to TRUE, and the destination unicast
   address does not correspond to a STA associated with the WM port of the
   current AP, the frame is forwarded by the Relay Entity to the DS port of
   the current AP and transmitted on the DS."
    The statement 'the destination unicast address does not correspond to a
   STA associated with the WM port of the current AP' opens a potential
   security risk.  Namely, what if 'the destination unicast address *does*
   correspond to a STA' because a rogue has altered their station so that it
   is spoofing the MAC of the 'target AP'?  Won't the current AP deliver all
   roaming stations' EAPOL packets to this rogue station?

Thanks,
Jim B.

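As an added example (my own code, not from Jim's message or Bernard's white paper), the relay decision table from question 1 written as a Python function, with a helper that traces the pre-authentication frame path discussed in question 6. The class and function names, the sample MAC addresses, and the handling of a DS unicast for an unknown destination (a case the table does not list) are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Frame:
    port: str                    # "WM" or "DS": the AP port the frame arrived on
    dst: str                     # destination MAC address
    to_ds: bool = False          # 802.11 ToDS Frame Control bit (WM frames only)
    from_ds: bool = False        # 802.11 FromDS Frame Control bit (WM frames only)
    multicast: bool = False
    fwd_multicast: bool = False  # multicast the AP is configured to forward


@dataclass
class AccessPoint:
    wm_mac: str
    ds_mac: str
    stations: dict = field(default_factory=dict)  # WM STA MAC -> 802.11 state (1-3)
    forward_ds_broadcast: bool = False  # the "implementation dependent" row


def ap_relay(ap: AccessPoint, frame: Frame, sender: str = "") -> str:
    """Where the AP delivers a frame, following the table in question 1 row by row."""
    dst = frame.dst.lower()
    if frame.port == "WM":
        if dst == ap.wm_mac.lower():
            return "WM port"                   # addressed to the WM MAC itself
        if not frame.to_ds:
            return "WM port"                   # ToDS=FALSE: never reaches the relay agent
        if ap.stations.get(sender.lower()) != 3:
            return "discard"                   # sender is not in State 3
        if frame.multicast and not frame.fwd_multicast:
            return "WM port"                   # non-forwarded multicast
        if ap.stations.get(dst) == 3:
            return "relay -> WM port"          # unicast to a STA associated on the WM
        return "relay -> DS port"              # unicast not on the wireless side
    # frame arrived on the DS port
    if dst == ap.ds_mac.lower():
        return "DS port"
    if frame.multicast:
        return "relay -> WM port" if ap.forward_ds_broadcast else "DS port"
    if ap.stations.get(dst) == 3:
        return "relay -> WM port (FromDS=TRUE, ToDS=FALSE)"
    if dst == ap.wm_mac.lower():
        return "relay -> WM port"
    return "DS port"  # assumption: unicast for an unknown destination is not relayed


def preauth_path(ap: AccessPoint, roaming_sta: str, target_ap_mac: str) -> str:
    """Question 6: an EAPOL pre-auth frame from an associated STA addressed to the target AP."""
    return ap_relay(ap, Frame("WM", dst=target_ap_mac, to_ds=True), sender=roaming_sta)
```

Once a WM station holds the target AP's MAC in the `stations` table, the same pre-auth frame is relayed back out the WM port instead of onto the DS, which is exactly the path question 6 points at.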

-----Original Message-----
From: owner-stds-802-linksec@majordomo.ieee.org
[mailto:owner-stds-802-linksec@majordomo.ieee.org] On Behalf Of Bernard Aboba
Sent: Thursday, July 24, 2003 6:21 PM
To: stds-802-1@ieee.org; stds-802-linksec@ieee.org
Subject: [LinkSec] 802.11 architecture and pre-auth paper

Here is the white paper requested by IEEE 802.1 in order to clarify the
802.11 architecture so as to allow a more detailed understanding
of pre-auth (and VLANs).  Comments welcome.

http://www.drizzle.com/~aboba/IEEE/preauth.doc
