1. doc.: Submission, Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the 802.15.4 Network Access -- 802.1x over 802.15.4] Date Submitted: [11 May 2011] Source: [Jonathan Hui and Wei Hong] Company [Cisco Systems, Inc.] Address [170 West Tasman Drive, San Jose, CA 95134 USA] Voice:[408-424-1537], E-Mail:[wei.hong@cisco.com] Re: [WNG] Abstract:[Problem statement and Call to action for supporting 802.1x over 802.15.4] Purpose:[Presentation to WNG] Notice:This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. Release:The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.

2. doc.: Submission Securing the 802.15.4 Network Access – 802.1x Over 802.15.4 Jonathan Hui Wei Hong Cisco Systems, Inc., Slide 2

3. doc.: Submission IEEE 802.15.4 Security Frame Security –Data confidentiality, Data authenticity, Replay protection Network Access Control –Defer to upper layer based on MAC address Security Suites –CCM* mode encryption and authentication transformation –AES block cipher What is specified today?

4. doc.: Submission IEEE 802.15.4 Security Secure Network Access Control Architecture –Supplicant, Authenticator, and Authentication Server Protocols –Security Capabilities Discovery –Authentication –Secure Association/Key management Existing deployments use no or proprietary secure network access What is not specified today?

5. doc.: Submission IEEE Knows Network Access Control Well-defined Architecture –Supplicant, Authenticator, and Authentication Server Security Capabilities Discovery –RSN Information Element Authentication –Carry Extensible Authentication Protocol (EAP) in EAP over LAN (EAPoL) frames Secure Association/Key Management –EAP-derived PMK  PTK –Use PTK to communicate GTK Leverage IEEE 802.1x and IEEE 802.11i

6. doc.: Submission Typical 802.1x Architecture Authentication Server Authenticator Enforcement Point e.g. RADIUSEAPoL Auth Server: handles access requests from authenticators Access Point: device that performs authentication negotiations and acts as an Enforcement Point Supplicant: a device that wishes gain access to the network Supplicant

7. doc.: Submission What Needs to be Done Map EAPoL to IEEE 802.15.4 frames Define operation where Supplicant and Authenticator are not within direct communication

8. doc.: Submission Extended for Multihop Networks Authentication Server Authenticator e.g. RADIUSEAPoL over 15.4 EAPoL Tunnel over IP Auth Server: handles access requests from authenticators Authenticator: device that performs authentication negotiations Enforcement Point: a device that has already been admitted into the network by the authenticator Supplicant: a device that wishes gain access to the network Supplicant Enforcement Point

9. doc.: Submission Why Not PANA? Architectural Issues –Enable (restricted) network-layer communication before allowing link-layer access Still need key management (e.g. 802.11i) –4-way handshake for PMK  PTK derivation –2-way handshake for GTK distribution No wide-spread deployments

10. doc.: Submission Summary Problem –Need secure Network Access Control for IEEE 802.15.4 Approach –Apply proven IEEE 802.1x and 802.11i techniques for: Security Capabilities Discovery Authentication Using EAP Secure Association/Key Management

11. doc.: Submission Call to Action Specify EAPoL for 802.15.4 –Within IEEE 802.15? –Leverage PHY adaptation layer in 15.4k for fragmentation? Specify link operation of Enforcement Point and Authenticator –Within IEEE 802.1? Specify EAPoL Tunnel over IP –Within IETF?

12. doc.: Submission End