Doc.: IEEE 802.11-07/2491r00 Submission September 2007 D. Eastlake (Motorola), G. Hiertz (Philips)Slide 1 WLAN Segregated Data Services Date: 2007-09-17.

Presentation transcript:


Slide 2: Abstract

networks, particularly meshes, need VLANs or a similar mechanism for segregated data services. The need varies from a mild requirement to distinguish “visitors” from “residents” in a one-AP home network to much stronger and more complex requirements in enterprise, municipal, and other systems. The requirements are particularly important in WLAN meshes. Scenarios and requirements for adding segregated services to IEEE are presented, along with some comments on existing, under-development, or prospective mechanisms to meet those requirements.

Slide 3: Motivation

- Segregating traffic for “visitors”, who should only have access to the Internet and limited facilities, from “insider” traffic.
- Provision of different services for free and subscription services in Hot Zone or Municipal systems. (May also segregate subscription service through different carriers.)
- In mesh environments, ability to safely forward data through nodes with limited trust.
- To enable aggregation of traffic over a single infrastructure for efficient deployment.
- Dedicated traffic segregation by type, such as VoIP.

Slide 4: Example Scenario I (unified infrastructure, single interface end stations)

[Figure: network diagram. Labels: MAP 1, MAP 2, AP 2, Guest Stations, Local Stations, Internet, Protected Services, Firewall. Legend: Local VLAN, Guest VLAN, Wired Connection.]

Slide 5: Example Scenario II (diverse mesh, multi-interface mesh points)

[Figure: mesh diagram. Labels: Org 1 MPs, Org 2 MP, Org 3 MP, Org 1 MPP, Org 2 MPP, Organization 1 Infrastructure, Organization 2 Infrastructure, Internet. Legend: Local Mesh Service, Organization 1 Service, Organization 2 Service.]

Slide 6: Scenario II without segregated data services

[Figure: mesh diagram. Labels: Org 1 MPs, Org 2 MP, Org 3 MP, Org 1 MPP, Org 2 MPP, Organization 1 Infrastructure, Organization 2 Infrastructure, Internet. Legend: Organization 1 Service, Organization 2 Service.]

Slide 7: Requirements

1. Advertising Availability of Services
2. Associating/Authenticating/Authorizing for One or more Specific Services
3. Multiple Service Security Channels Between Two Stations
4. Transit Frame Labelling
5. Protection of Segregated Data from Unauthorized Access
6. Configuration and Management

Slide 8: 1. Advertising Availability of Services

- Current practice: Transmit multiple Beacons, as is done at IEEE 802 meetings.
- Work in progress: General Advertisement Service (GAS) mechanisms in TGu (Interworking with External Networks).
  - Includes SSIDC (SSID Container IE) for transmission of multiple SSIDs (with or without multiple BSSIDs) in a single beacon.
- No additional chartered work appears necessary for this requirement. The TGu mechanisms are adequate.

Slide 9: 2. Associating/Authenticating/Authorizing for a Specific Service

- Current practice: Only one association, i security.
- Work in progress:
  - TGw (Protected Management Frames) to extend security to some control messages
  - TGs (Mesh Networking) with authentication to mesh distinguished from authentication to an AP
  - TGu (Interworking with External Networks) different credentials/authentication for different back end carriers
- Possible new work: Ability to have different credentials/authentication for different Services/VLANs.

Slide 10: 3. Multiple Service Security Channels Between Stations

- Current practice:
  - AP can have multiple security associations, but each with a different end station.
  - Two stations can have multiple IPsec security associations or the like at the application level.
- Work in progress: TGs (Mesh Networking) permits multiple associations, but each with a different mesh point.
- Possible new work:
  - Different security associations for different services/VLANs
  - Need to handle unicast, multicast, and broadcast
  - Development of a new Authenticator PAE function that can manage multiple SAs with a given neighbor

Slide 11: 4. Transit Frame Labelling

- Current practice:
  - Current standard explicitly permits 802.1Q-Tag in payload ( Annex M) but Q-Tag’s priority and VLAN ID fields are otherwise ignored.
  - Only obvious way is to use different MAC addresses.
- Work in progress: none...
- Possible new work:
  - Header addition to distinguish Service/VLAN
  - Other mechanisms?
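Added example, not part of the presentation: a sketch of a forwarding station that reads the Q-Tag instead of ignoring it, and refuses to forward a frame whose VLAN ID is not authorised for the service it arrived on. The frame-body layout (SNAP-encoded TPID 0x8100 followed by the 2-octet TCI), the service names, and the VID policy are assumptions made for illustration.

```python
import struct

# Assumed layout: SNAP-encoded TPID 0x8100, then the 2-octet TCI, then the payload.
SNAP_QTAG = bytes.fromhex("aaaa030000008100")

# Hypothetical policy: VLAN IDs that each service (keyed by SSID) may carry.
ALLOWED_VIDS = {"guest": {20}, "local": {10, 30}}

def make_body(pcp: int, vid: int, payload: bytes) -> bytes:
    """Build a constructed, tagged frame body for the samples below."""
    return SNAP_QTAG + struct.pack("!H", (pcp << 13) | (vid & 0x0FFF)) + payload

def parse_qtag(body: bytes):
    """Return (pcp, dei, vid, rest), or None when the body carries no Q-Tag."""
    if len(body) < 10 or body[:8] != SNAP_QTAG:
        return None
    (tci,) = struct.unpack("!H", body[8:10])
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, body[10:]

def transit_decision(service: str, body: bytes) -> str:
    """Decide what a forwarding node does with a frame received on `service`."""
    tag = parse_qtag(body)
    if tag is None:
        return "drop: untagged"              # fail closed: no label, no transit
    pcp, _dei, vid, _rest = tag
    if vid in (0x000, 0xFFF):                # 0 = priority tag only, 0xFFF reserved
        return "drop: no usable VLAN ID"
    if vid not in ALLOWED_VIDS.get(service, set()):
        return f"drop: VID {vid} not authorised for {service}"
    return f"forward: VID {vid} PCP {pcp}"

# Constructed sample frame bodies (not captured traffic).
SAMPLES = [
    ("guest", make_body(0, 20, b"guest data")),
    ("guest", make_body(5, 10, b"guest frame labelled with the local VID")),
    ("local", bytes.fromhex("aaaa030000000800") + b"untagged IPv4"),
]

if __name__ == "__main__":
    for service, body in SAMPLES:
        print(service, "->", transit_decision(service, body))
```

The label alone gives no cryptographic assurance; a check like this only helps when the ingress service is established by authentication, which is what requirements 2, 3 and 5 address.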

Slide 12: 5. Protection of Segregated Data from Unauthorized Access

- Current practice: Have to use IPsec or some similar application level mechanism to protect data at intermediate hops.
- Work in progress: none...
- Possible new work:
  - Optional edge-to-edge security between original source station and final destination station. But not all services would require this.

(If VLAN mapping is possible, authentication should be keyed to SSID, not VLAN ID.)

Slide 13: 6. Configuration and Management

- Current practice:
  - SNMP (Simple Network Management Protocol)
  - GVRP (GARP VLAN Registration Protocol)
  - Proprietary command line interfaces and protocols
- Work in progress: SNMP MIB (Management Information Base) additions by TGu (Interworking with External Networks)
- Possible new work:
  - MIB additions or other mechanisms for configuration and management, including setting up and deleting VLANs

Slide 14: Straw Polls in San Francisco

Results in WNG SC during morning session on 17 July 2007:

- Should the WNG SC proceed at this time to vote on a motion to set up a Study Group? Yes: 6, No: 27, Abstain: 18
- Should receive further presentations on the topic of segregated data services? Yes: 46, No: 0, Abstain: 1

Slide 15: Motion

Changes from previous draft motion:

- Remove Requirement 1, which is covered by TGu, from the purview of the proposed Study Group.
- The Study Group would not be directed to produce a PAR and 5 Criteria to amend but can consider whatever is the best course within the rules.

Slide 16: Motion (cont.)

Moved, To request the IEEE Working Group to approve and forward to the IEEE 802 Executive Committee the creation of a “WLAN Segregated Data Services” Study Group to consider how best to meet requirements as follows:

- labeling frames per service; security of data within a service; and the configuration and management of such services.

Moved: Seconded: Yes: No: Abstain:

Slide 17: References

- Draft s D1.06 – ESS Mesh Networking
- Draft u D1.0 – Interworking with External Networks
- Draft w D2.1 – Protected Management Frames
- IEEE Standard – WLANs
- IEEE Standard 802.1Q-2005 – VLANs, GVRP
- IETF STD 62 (IETF RFCs 3411 through 3418) – SNMP