September 2007
D. Eastlake (Motorola), G. Hiertz (Philips)
Slide 1
doc.: IEEE 802.11-07/2491r00
Submission Slide 1
WLAN Segregated Data Services
Date: 2007-09-17
Authors:
- Donald Eastlake 3rd, Motorola, 111 Locke Drive, Marlboro, MA 01757 USA, +1-508-786-7554, [email protected]
- Guido R. Hiertz, Philips, ComNets, RWTH Aachen University, Kopernikusstr. 16, 52074 Aachen, Federal Republic of Germany, +49-241-802-5829, [email protected]
- Stephen McCann, Nokia Siemens Networks, Roke Manor Research Ltd, Old Salisbury Lane, Romsey, Hampshire SO51 0ZN, United Kingdom, +44 1794 833341, [email protected]
- Dee Denteneer, Philips, Philips Research, HTC 27 (WL 1.132), 5656 AE Eindhoven, The Netherlands, +31-402-746-937, [email protected]
- Nancy Cam-Winget, Cisco Systems, 190 W Tasman, San Jose CA 95134 USA, +1-408-853-0532, [email protected]
- Stephen Rayment, BelAir Networks, 603 March Road, Ottawa, ON, Canada K2K 2M5, +1 613 254 7070 x112, [email protected]
- Tony Metke, Motorola, 1301 E. Algonquin Road, Mail Stop: 1232, Schaumberg, IL 60196 USA, +1-847-576-0092, [email protected]
Slide 2
Abstract
802.11 networks, particularly meshes, need VLANs or a similar mechanism for segregated data services. The need varies from a mild requirement to distinguish “visitors” from “residents” in a one-AP home network to much stronger and more complex requirements in enterprise, municipal, and other systems. The requirements are particularly important in WLAN meshes. Scenarios and requirements for adding segregated services to IEEE 802.11 are presented, along with some comments on existing, under-development, or prospective mechanisms to meet those requirements.
Slide 3
Motivation
• Segregating traffic for “visitors” who should only have access to the Internet and limited facilities, from “insider” traffic.
• Provision of different services for free and subscriptions services in Hot Zone or Municipal systems. (May also segregate subscription service through different carriers.)
• In mesh environments, ability to safely forward data through nodes with limited trust.
• To enable aggregation of traffic over a single infrastructure for efficient deployment.
• Dedicated traffic segregation by type, such as VoIP
Slide 4
Example Scenario I (unified infrastructure, single interface end stations)
[Figure: nodes MAP 1, MAP 2 and AP 2; Guest Stations and Local Stations; Internet; Protected Services; Firewall. Legend: Local VLAN, Guest VLAN, Wired Connection.]
Slide 5
Example Scenario II (diverse mesh, multi-interface mesh points)
[Figure: Org 1 MPs, Org 2 MPs and an Org 3 MP forming the mesh; Org 1 MPP with Organization 1 Infrastructure; Org 2 MPP with Organization 2 Infrastructure; Internet. Legend: Local Mesh Service, Organization 1 Service, Organization 2 Service.]
Slide 6
Scenario II without segregated data services
[Figure: same mesh as Scenario II (Org 1 MPs, Org 2 MPs, Org 3 MP, Org 1 MPP with Organization 1 Infrastructure, Org 2 MPP with Organization 2 Infrastructure, Internet). Legend: Organization 1 Service, Organization 2 Service; no Local Mesh Service.]
Slide 7
Requirements
1. Advertising Availability of Services
2. Associating/Authenticating/Authorizing for One or More Specific Services
3. Multiple Service Security Channels Between Two Stations
4. Transit Frame Labelling
5. Protection of Segregated Data from Unauthorized Access
6. Configuration and Management
Slide 8
1. Advertising Availability of Services
• Current practice: Transmit multiple Beacons, as is done at IEEE 802 meetings.
• Work in progress: General Advertisement Service (GAS) mechanisms in 802.11 TGu (Interworking with External Networks).
– Includes SSIDC (SSID Container IE) for transmission of multiple SSIDs (with or without multiple BSSIDs) in a single beacon.
• No additional chartered work appears necessary for this requirement. The TGu mechanisms are adequate.
Slide 9
2. Associating/Authenticating/Authorizing for a Specific Service
• Current practice: Only one association, 802.11i security.
• Work in progress:
– TGw (Protected Management Frames) to extend security to some control messages
– TGs (Mesh Networking) with authentication to mesh distinguished from authentication to an AP
– TGu (Interworking with External Networks) different credentials/authentication for different back end carriers
• Possible new work: Ability to have different credentials / authentication for different Services/VLANs.
Slide 10
3. Multiple Service Security Channels Between Stations
• Current Practice:
– AP can have multiple security associations, but each with a different end station.
– Two stations can have multiple IPsec security associations or the like at the application level.
• Work in Progress: TGs (Mesh Networking) permits multiple associations but each with a different mesh point.
• Possible new work:
– Different security associations for different services/VLANs
– Need to handle unicast, multicast, and broadcast
– Development of a new Authenticator PAE function that can manage multiple SAs with a given neighbor
Slide 11
4. Transit Frame Labelling
• Current Practice:
– Current standard explicitly permits an 802.1Q-Tag in the payload (802.11-2007 Annex M), but the Q-Tag’s priority and VLAN ID fields are otherwise ignored.
– Only obvious way is to use different MAC addresses.
• Work in Progress: none...
• Possible new work:
– Header addition to distinguish Service/VLAN
– Other mechanisms?
Slide 12
5. Protection of Segregated Data from Unauthorized Access
• Current Practice: Have to use IPsec or some similar application level mechanism to protect data at intermediate hops.
• Work in Progress: none...
• Possible new work:
– Optional edge-to-edge security between original source station and final destination station. But not all services would require this. (If VLAN mapping is possible, authentication should be keyed to SSID, not VLAN ID.)
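Slides 11 and 12 note that an 802.1Q tag may travel inside an 802.11 payload while its priority and VLAN ID are ignored, and that service policy should be keyed to SSID rather than VLAN ID. The following Python is an added example, not part of this submission: it parses the Q-Tag out of an LLC/SNAP-encapsulated MSDU and applies a hypothetical SSID-to-VID table at a transit node so that a frame labelled for one service is never forwarded into another. The LLC/SNAP layout, the SSID_VLANS table and the build_msdu helper are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Assumed: LLC/SNAP header used for Ethernet-style MSDUs in 802.11 (RFC 1042 style).
SNAP_HEADER = bytes.fromhex("aaaa03000000")
ETHERTYPE_VLAN = 0x8100  # 802.1Q tag protocol identifier


@dataclass
class QTag:
    priority: int   # PCP, upper 3 bits of the TCI
    dei: int        # drop-eligible indicator, 1 bit
    vlan_id: int    # VID, lower 12 bits of the TCI
    ethertype: int  # EtherType of the encapsulated payload
    payload: bytes


def parse_qtag(msdu: bytes) -> Optional[QTag]:
    """Return the 802.1Q tag carried in an LLC/SNAP MSDU, or None if the frame is untagged."""
    if len(msdu) < 8 or msdu[:6] != SNAP_HEADER:
        return None
    (ethertype,) = struct.unpack("!H", msdu[6:8])
    if ethertype != ETHERTYPE_VLAN:
        return None
    if len(msdu) < 12:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", msdu[8:12])
    return QTag(tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, inner, msdu[12:])


def build_msdu(vlan_id: int, ethertype: int, payload: bytes, priority: int = 0) -> bytes:
    """Constructed sample: tag a payload the way an integration function would (priority, VID)."""
    tci = ((priority & 0x7) << 13) | (vlan_id & 0x0FFF)
    return SNAP_HEADER + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype) + payload


# Hypothetical policy table: the SSID a station associated to decides which VIDs it may use.
SSID_VLANS: Dict[str, Set[int]] = {"Local": {10}, "Guest": {100}}


def should_forward(sta_ssid: str, msdu: bytes) -> bool:
    """Transit check at an AP/MAP: forward only if the frame's VID is mapped to the sender's SSID."""
    tag = parse_qtag(msdu)
    if tag is None:
        return False  # untagged: a real integration function would assign the SSID's default VID
    return tag.vlan_id in SSID_VLANS.get(sta_ssid, set())
```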
Slide 13
6. Configuration and Management
• Current Practice:
– SNMP (Simple Network Management Protocol)
– GVRP (GARP VLAN Registration Protocol)
– Proprietary command line interfaces and protocols
• Work in Progress: SNMP MIB (Management Information Base) additions by TGu (Interworking with External Networks)
• Possible new work:
– MIB additions or other mechanisms for configuration and management, including setting up and deleting VLANs
Slide 14
Straw Polls in San Francisco
• Results in WNG SC during morning session on 17 July 2007:
– Should the 802.11 WNG SC proceed at this time to vote on a motion to set up a Study Group? Yes: 6, No: 27, Abstain: 18
– Should 802.11 receive further presentations on the topic of segregated data services? Yes: 46, No: 0, Abstain: 1
Slide 15
Motion
• Changes from previous draft motion:
– Remove Requirement 1, which is covered by TGu, from the purview of the proposed Study Group.
– The Study Group would not be directed to produce a PAR and 5 Criteria to amend 802.11, but can consider whatever is the best course within the 802.11 rules.
Slide 16
Motion (cont.)
• Moved, To request the IEEE 802.11 Working Group to approve and forward to the IEEE 802 Executive Committee the creation of a “WLAN Segregated Data Services” Study Group to consider how best to meet requirements as follows:
– labeling frames per service; security of data within a service; and the configuration and management of such services.
Moved: Seconded:
Yes: No: Abstain:
Slide 17
References
• Draft 802.11s D1.06 – ESS Mesh Networking
• Draft 802.11u D1.0 – Interworking with External Networks
• Draft 802.11w D2.1 – Protected Management Frames
• IEEE Standard 802.11-2007 – WLANs
• IEEE Standard 802.1Q-2005 – VLANs, GVRP
• IETF STD 62 (IETF RFCs 3411 through 3418) – SNMP