R. Mar - PowerPoint PPT Presentation

Description:

PANA over IEEE 802.1X Uncontrolled Port. PANA over non-RSN (open) Access Points. IETF65 PANA WG ... Uncontrolled Port (Case 1) ... – PowerPoint PPT presentation

Slides: 9
Provided by: Yoshihi2
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes


1
PANA bootstrapping IEEE 802.11 security
(draft-marin-pana-ieee80211doti-00.txt)
  • R. Marín-López
  • Y. Ohba
  • J. Bournelle

2
Objective of the work
  • The purpose of this I-D is to complement the PANA
    framework in terms of 802.11i bootstrapping (PSK
    mode) by adding more details.
  • Two cases are considered:
    • PANA over IEEE 802.1X Uncontrolled Port
    • PANA over non-RSN (open) Access Points

3
PANA over 802.1X Uncontrolled Port (Case 1)
  • IEEE 802.11i does not preclude processing
    restricted IP traffic over the Uncontrolled Port:
    ARP, DHCP, IPv6 Neighbour Discovery and PANA.
  • This solution implies driver-level modification:
    an IP filter needs to be implemented in the
    Uncontrolled Port.
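
An added example, not taken from the slides or the I-D: a default-deny classifier for the Uncontrolled Port IP filter described above, passing only ARP, DHCP, IPv6 Neighbour Discovery and PANA. The function names, PANA UDP port 716 (the RFC 5191 assignment), the DHCPv4-only port check and untagged Ethernet framing are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PANA_UDP_PORT 716 /* assumption: RFC 5191 port, not given on the slides */
enum { ETH_HLEN = 14, ETH_ARP = 0x0806, ETH_IPV4 = 0x0800, ETH_IPV6 = 0x86DD };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* UDP header at u: PANA on either port; DHCPv4 client/server pair only if dhcp4 is set. */
static int udp_allowed(const uint8_t *u, size_t len, int dhcp4)
{
    if (len < 8) return 0;
    uint16_t sp = be16(u), dp = be16(u + 2);
    if (dhcp4 && ((sp == 68 && dp == 67) || (sp == 67 && dp == 68))) return 1;
    return sp == PANA_UDP_PORT || dp == PANA_UDP_PORT;
}

/* 1 if an untagged Ethernet frame may cross the Uncontrolled Port, 0 otherwise. */
int uncontrolled_port_allows(const uint8_t *f, size_t len)
{
    if (len < ETH_HLEN) return 0;
    const uint8_t *p = f + ETH_HLEN;
    size_t n = len - ETH_HLEN;
    switch (be16(f + 12)) {
    case ETH_ARP: return 1;
    case ETH_IPV4: {
        if (n < 20 || (p[0] >> 4) != 4) return 0;
        size_t ihl = (size_t)(p[0] & 0x0F) * 4;
        if (ihl < 20 || n < ihl) return 0;
        if (be16(p + 6) & 0x3FFF) return 0; /* fragment: ports not reliable, drop */
        return p[9] == 17 && udp_allowed(p + ihl, n - ihl, 1);
    }
    case ETH_IPV6:
        if (n < 40 || (p[0] >> 4) != 6) return 0;
        if (p[6] == 17) return udp_allowed(p + 40, n - 40, 0);
        /* Neighbour Discovery: ICMPv6 types 133..137, hop limit 255 */
        return p[6] == 58 && n >= 44 && p[7] == 255 && p[40] >= 133 && p[40] <= 137;
    }
    return 0; /* any other EtherType: drop */
}

int main(void)
{
    uint8_t arp[42] = {0}, tcp[54] = {0}; /* constructed sample frames */
    arp[12] = 0x08; arp[13] = 0x06;
    tcp[12] = 0x08; tcp[14] = 0x45; tcp[23] = 6; /* IPv4, protocol TCP */
    printf("ARP %d, TCP %d\n", uncontrolled_port_allows(arp, 42), uncontrolled_port_allows(tcp, 54));
    return 0;
}
```

IPv6 packets with extension headers before UDP or ICMPv6 are dropped by this filter, as is anything the slide does not list.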

4
PANA over non-RSN (open) AP (Case 2)

5
PSK derivation and 4-way handshake
  • PSK = the first 32 bytes of PaC-EP-Master-Key
  • The PSK's lifetime is bound to that of the
    PaC-EP-Master-Key
  • When a new PSK is installed in the AP, the 4-way
    handshake is run immediately. (?)

6
Capability Discovery
  • The PANA Framework classifies access points into
    four types (a, b, c, d):
    • a) AP without IEEE 802.11i
    • b) AP with IEEE 802.11i using PSK mode
      bootstrapped from PANA
      • b1) PANA over Uncontrolled Port (Case 1)
      • b2) PANA over non-RSN AP (Case 2)
    • c) AP with IEEE 802.11i using native PSK mode
    • d) AP with IEEE 802.11i using 802.1X/EAP mode
  • Types b1 and b2 are newly added by this I-D to
    complement the classification in the PANA framework
    I-D.
  • Types b1), b2) and c) are not distinguishable from
    the Beacon/Probe Response (PSK mode is announced in
    the RSN IE). This leads the PaC to associate and, in
    some cases, to configure an IP address and run PANA
    to discover them.

7
802.11i bootstrapping from PANA pre-authentication
[Figure labels: PAA; PaC; AP, AP1, AP2; PANA preauth; IEEE 802.11i pre-authentication; PSK-1, PSK-2, PSK-1/PSK-2]

8
Questions?
  • Should this I-D be a WG item? Informational?
  • ??