BA Reordering for A-MPDU

Doc.: IEEE 802.11-08/0026r0, Submission, Dec. 2007. Luke Qian, Doug Smith, Cisco Systems, Inc.


Slide 1: BA Reordering for A-MPDU

Notice: This document has been prepared to assist IEEE. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE's name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE's sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE.

Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE Working Group. If you have questions, contact the IEEE Patent Committee Administrator at.

Slide 2: The Issue

The clause on Rx reordering buffer control specifies how received packets are buffered to maintain their order under Block ACK, using a sliding window of the expected sequence numbers.

The window could be moved forward by a hacker's packet, and legitimate packets received thereafter will be discarded unexpectedly.

CID 5899 in LB 115

Slide 3: More Descriptions

The sliding window of expected sequence numbers (SN) is determined by:
WinStart_B (the next expected sequence number that has not yet been received)
WinEnd_B (the end of the window)

Packets are classified into 3 categories based on their SNs and the current window:
1) WinStart_B <= SN <= WinEnd_B -- within the expected window
2) WinEnd_B < SN < (WinStart_B + 2^11) -- after the expected window
3) (WinStart_B + 2^11) <= SN < WinStart_B -- before the expected window

Under normal operating conditions all of the received packets should be type 1 -- within the expected window. Packets that are before the window (type 3) are discarded.

If a hacker moves the expected window forward by sending a type (2) frame with a SN greater than WinEnd_B, legitimate packets received after the hacker's packet will be treated as type (3) and discarded.

Slide 4: Proposed Change

Reverse the order of "Block ACK Reordering" and "MPDU decryption and Integrity (Optional)" on the Rx side of Figure 6-1.

Slide 5: Two Types of Attacks

Two possible types of data packet SN attack:
(a) The hacker generates a data packet with a modified SN.
(b) The hacker captures a data packet and then retransmits it with a modified SN.

Reversing the order can stop the type (a) attack. Now that the decryption occurs before the reordering, type (a) packets will fail the decryption and won't be passed up further for BA reordering.

Reversing the order can't fix the type (b) attack; it just makes the attack more difficult, as a capture-modify-replay type.

Because the hacker is intentionally sending *later* sequence numbers that are not duplicates, the "duplicate removal" layer won't help.
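A small receive-side model of the three SN categories and the proposed change, as an added example that is not part of the original submission: it counts how many legitimate frames survive an out-of-window SN when the integrity check runs after or before Block ACK reordering. Assumptions: 12-bit sequence numbers compared modulo 2^12, a type (2) frame sets WinEnd_B to its SN, in-window frames do not advance the window, the integrity check is a boolean stand-in for MPDU decryption, and all names and traffic are constructed for illustration.

```python
SN_MOD, HALF = 1 << 12, 1 << 11   # assumed 12-bit SN space; 2^11 as on the slide

def classify(sn, win_start, win_size):
    """Return 1 (within), 2 (after) or 3 (before) the expected window."""
    offset = (sn - win_start) % SN_MOD   # distance ahead of WinStart_B, with wraparound
    if offset < win_size:
        return 1
    return 2 if offset < HALF else 3

def receive(frames, decrypt_first, win_start=100, win_size=64):
    """Return the (sn, label) pairs passed up the stack.

    frames: iterable of (sn, integrity_ok, label); hypothetical model, not spec text.
    """
    delivered = []
    for sn, integrity_ok, label in frames:
        if decrypt_first and not integrity_ok:
            continue                     # dropped before it can touch the window
        cat = classify(sn, win_start, win_size)
        if cat == 3:
            continue                     # before the window: discarded
        if cat == 2:                     # after the window: slide so SN == WinEnd_B
            win_start = (sn - win_size + 1) % SN_MOD
        if integrity_ok:                 # reorder-first: the check only happens here
            delivered.append((sn, label))
    return delivered

# Constructed traffic: six legitimate frames, with one out-of-window SN after the third.
LEGIT = [(sn, True, "legit") for sn in range(100, 106)]
TYPE_A = LEGIT[:3] + [(1000, False, "type-a")] + LEGIT[3:]   # fails the integrity check
TYPE_B = LEGIT[:3] + [(1000, True, "type-b")] + LEGIT[3:]    # passes it, per slide 5

def legit_count(frames, decrypt_first):
    """Number of legitimate frames that reach the upper layer."""
    return sum(1 for _, label in receive(frames, decrypt_first) if label == "legit")

if __name__ == "__main__":
    for name, frames in (("type (a)", TYPE_A), ("type (b)", TYPE_B)):
        for decrypt_first in (False, True):
            order = "decrypt-then-reorder" if decrypt_first else "reorder-then-decrypt"
            print(f"{name:9} {order:21} legit delivered: "
                  f"{legit_count(frames, decrypt_first)}/6")
```
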

Slide 6: Available Choices

(a) To leave the spec as is.
A-MPDU is exposed to both type (a) and (b).

(b) To change the order in the spec as proposed.
Type (a) attack is stopped; still exposed to the more difficult type (b) attack.

(c) To change the order in the implementation, but leave the spec intact.
Type (a) attack is stopped; still exposed to the more difficult type (b) attack. However, does such an implementation comply with the spec? If no, then this is not an option. If yes, then we have a figure in the spec that is not required to be complied with and should be indicated as informational or simply removed altogether.

(d) To find a complete fix that addresses both types of attack.
We don't have such a fix in place yet.

Slide 7: Straw Poll

Which of the four choices do you prefer?

Slide 8: Comments?