Presentation on theme: "Doc.: IEEE 802.11-09/0114r1 Submission January 2009 Tony Braskich, MotorolaSlide 1 A vendor specific plan for centralized security Date: 2009-01-19 Authors:"— Presentation transcript:
doc.: IEEE /0114r1 Submission January 2009 Tony Braskich, MotorolaSlide 1 A vendor specific plan for centralized security Date: Authors:
doc.: IEEE /0114r1 Submission January 2009 Tony Braskich, MotorolaSlide 2 Abstract The complexity of the centralized security architecture defined in s is considered in the context of the pace of the task group. A proposal is introduced that could greatly simplify the s draft, permitting rapid progress toward sponsor ballot and task group completion. The proposal provides a framework for vendor-specific centralized security architectures in place of a standards-specified architecture (MSA).
doc.: IEEE /0114r1 Submission January 2009 Tony Braskich, MotorolaSlide 3 Security and the Pace of TGs Progress The lack of progress in TGs is drawing attention The most contentious element within s today is centralized security Attempts to manage complexity in the security architecture have not achieved technical consensus. TotalOpenClosedPercent Closed General % MAC % Security % RFI %
doc.: IEEE /0114r1 Submission January 2009 Tony Braskich, MotorolaSlide 4 Security Complexity Centralized security adds complexity regardless of the architecture chosen –MSA introduces new components to , namely a mesh key distributor (MKD) that creates keys for nodes in the mesh. –Mesh STAs must maintain a path to the MKD –New protocols are needed for transporting the keys between the MKD and mesh STAs. –Additional complexity is introduced due to: The interaction of link security with these key transport protocols The use of 802.1X (client-server) authentication with peer-to-peer link security The security architecture is also topology-dependent, which is a challenge for standardization –There were several comments on multiple MKDs during the previous LB, perhaps due to conflicting requirements –Questions about deploying MKDs may remain after MSA is upgraded Consensus resolution of issues will cause s to miss market window
doc.: IEEE /0114r1 Submission January 2009 Tony Braskich, MotorolaSlide 5 Overview of Proposal A proposal modifying the TGs draft is available in 11-09/0112r /0112r0 It makes centralized security a vendor-specific option. An identifier of the authentication protocol is defined as part of the mesh profile. –It allows SAE or a vendor-specific protocol to be chosen. –Carried within the mesh configuration element The mesh key hierarchy is removed (§8). –Security association definitions are updated to reflect the keys that are created via the selected authentication protocol & via Abbreviated HS MSA establishment procedure & MSA key holder communication protocols are removed (§11B.5) –New overview section is provided (§11B.5.1) –Abbreviated HS & Mesh Group Key HS sections remain
doc.: IEEE /0114r1 Submission January 2009 Tony Braskich, MotorolaSlide 6 Decision Procedure for Link Setup Abbrev HS Succeeds? Session Do I share PMK with Peer? Did SAE succeed? Yes Peer Discovery Yes Null No SAE No Active Authentication Protocol PLM succeeds? No Yes A vendor-specific authentication protocol may also be selected.
doc.: IEEE /0114r1 Submission January 2009 Tony Braskich, MotorolaSlide 7 Comments resolved & Draft complexity The proposal, if adopted, would resolve at least 75 comments (63% of open security comments). –Security subgroup progress would move to 90% (381/425). It would likely simplify the resolution of many of the remaining 44 comments, such as those commenting on Abbreviated HS. TGs Draft: Security clauses are reduced from occupying ~89 pages to ~40 pages, eliminating nearly 50 pages from the TGs draft.
doc.: IEEE /0114r1 Submission January 2009 Tony Braskich, MotorolaSlide 8 Summary With this proposal, TGs can focus on continuing to improve protocols that have undergone a letter ballot (SAE, Abbr. HS). Further, it will allow TGs to pass letter ballot more quickly, shorten the cycle between letter ballots, and allow us to reach our goal of producing a quality, relevant standard.
doc.: IEEE /0114r1 Submission January 2009 Tony Braskich, MotorolaSlide 9 References T. Braskich et al, 11-09/0112r0, A vendor specific framework for centralized security, Jan /0112r0 T. Braskich, 11-09/0113r0, Comment Resolution for vendor specific centralized security, Jan /0113r0 D. Harkins and M. Audeh, 11-08/1263r0, A Modest Proposal…, Nov /1263r0 J. Walker et al, 11-08/1296r0, Key Distribution for Mesh Link Security, Nov /1296r0 S. Emeott and T. Braskich, 11-08/1361r0, Upgrades to MSA to support multiple MKD, Nov (Also /1364.)11-08/1361r /1364