Unified MAPC Security Framework for IEEE 802.11-24/1693r0

oct 2024 n.w
1 / 14
Embed
Share

Explore the unified MAPC security framework proposed in IEEE 802.11-24/1693r0 for M-AP coordination schemes. The document outlines security requirements and procedures for MAP negotiation, emphasizing authentication and trust modes across different network configurations. Key topics include common coordination frameworks, security considerations within the same and across different ESS, and open questions on neighbor AP credential sharing and group key exchange. Join the discussion on enhancing security in wireless networks.

  • IEEE 802.11
  • Security Framework
  • MAPC
  • Authentication
  • Trust Mode
rayaanacharya
jeanpie Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Oct. 2024 Doc.: IEEE 802.11-24/1693r0 The MAP security framework Name Jay Yang Affiliations Address Phone email Yang.zhijie@zte.com.cn ZTE YanLi ZTE Yun Li ZTE Bo Sun Sanechips Submission Jay Yang al. (ZTE)

  2. Oct. 2024 Doc.: IEEE 802.11-24/1693r0 Introduction 11bn group reached consensus on the unified MAPC framework 11bn defines a common framework of a M-AP Coordination for various coordination schemes. Note - Coordination schemes such as (but not limited to): Co-SR (TXOP-based with power control), Co-BF, TBD Co- TDMA , TBD C-RTWT, etc. 11bn defines a common framework of a M-AP Coordination that can enable the following procedures: M-AP Coordination Discovery procedure M-AP Coordination agreement negotiation procedure Note: Details of the procedures and whether the above procedures are mandatory/optional - TBD In this contribution, we would like to discuss a unified MAPC security framework. Submission Slide 2 Jay Yang, et al. (ZTE)

  3. Oct. 2024 Doc.: IEEE 802.11-24/1693r0 Use case 1: the MAPC in the same ESS Security requirement The trust mode relies on the wireless/wired backhaul connection No authentication requirement between the two APs PTK is generated via the authentication frame exchanges(like PASN procedure) MAP negotiation via protected management frame exchanges MAPC AP2 AP1 STA2 STA1 Submission Slide 3 Jay Yang, et al. (ZTE)

  4. Oct. 2024 Doc.: IEEE 802.11-24/1693r0 Use case 2: the MAPC across ESS Security requirement The new trust mode need to be defined. Authentication is required between the two APs(e.g, AP1 and AP2 in the figure) Generate PTK via the authentication frame exchanges(e.g. PASN with SAE/FILS procedure) MAP negotiation via the protected management frames ESS1 ESS2 MAPC Cable Cable AP2 AP1 APy APx STA2 STA1 Submission Slide 4 Jay Yang, et al. (ZTE)

  5. Oct. 2024 Doc.: IEEE 802.11-24/1693r0 Some open questions Q1: Do you think your neighbour will share their AP s credential information(like SSID, password) to you? Pros: The two APs can authentication each other via SAE procedure using the same credential information. Cons: Knock on the neighbor's door to ask for the SSID and PWD? It brings some potential society problem if the end user never know who is the neighbour or the end user has some social anxiety disorder(SAD) issue. Cons: Once the SSID and password are shared, the whole neighbor's network become fragile. e.g. Mimics the neighbour AP and guide all neighbor's STA associated with this fake AP. Q2: Do you want to share your AP s group key to your neighbour AP? Some contribution proposes to add MAP signaling(e.g., C-rTWT) via Beacon frame. The receiver AP need to obtain BIGTK to verify the received Beacon frame. The receiver also can mimics a legitimate AP once BIGTK is obtained, that s, PMF functionality (mandatory feature for 11be device) is broken. Submission Slide 5 Jay Yang, et al. (ZTE)

  6. Oct. 2024 Doc.: IEEE 802.11-24/1693r0 Some security consideration The new MAP trust mode shall be able to identify the legitimate AP Without Authentication, MAPC is easier to suffer from fake AP attacking. The two APs may be deployed in two families, one of them will be out of sight of the end user. The AP Peer key can t address the AP authentication problem(quoting the baseline text as bellow) The AP PeerKey protocol is unauthenticated (neither peer has a verified identity of the other peer) but an AP knows that only the peer AP that completed the AP PeerKey protocol is able to send protected HCCA TXOP Advertisement frames protected by the resulting AP PeerKey association The new MAP trust mode should be isolated from current infrastructure network. The agreement from the end user to enjoy the benefit of MAPC don t mean the agreement to invade their infrastructure network. The new MAP trust mode should allow the end user agree on enabling MAPC functionality with a stranger, but never share their credential information like password, (BI)GTK used for AP-STA communication to the stranger. Minimize the effect on current infrastructure network to avoid the potential backward compatible issue. Slide 6 Submission Jay Yang, et al. (ZTE)

  7. Oct. 2024 Propose a dedicated AP(backhaul AP interface,b-AP) for MAPC authentication Doc.: IEEE 802.11-24/1693r0 BSSID/SSID level isolation is already widely used in the Wi-Fi industry. Allow the end user to enable MAPC feature via sharing the credential information of b-AP . Allow the end user pick up some of the SSIDs to enable MAPC feature, some of them are not. Leverage the co-hosted BSSID or MBSSID set functionality with less change on current design. B-AP doesn t allow STAs to associate with it. e.g. only included MAPC IE as well as other basic IE(like SSID,operating channel, RSNE,RSNXE,etc.) in the Beacon frame, the Beacon bloating concern is also moot. IGTK of B-APs can be shared with each other after authentication. Additional job: need to define a transitive trust mode between 11bn AP and b-AP -- 11bn AP performs MAPC transmission, but not between b-AP(s). a transitive trust mode allows two 11bn AP trust each other via b-AP s assistance. What s the transitive trust mode? E.g., Alice trusts Charlie,Bob proves to Alice that Charlie trusts Bob, then Alice trusts Bob Submission Slide 7 Jay Yang, et al. (ZTE)

  8. Oct. 2024 Doc.: IEEE 802.11-24/1693r0 The proposed MAP security framework MAP provision(on-boarding) Opt1: Exchange credential information MAP provision(on-boarding) Opt2: (preferred)configure the two APs with the same credential information and cipher suite. MAP discovery MAP preassociation security negotiation(PASN) Allow the two APs generating PTK to protect the MGMT. frame in MAP agreement negotiation procedure. Additionally, the two APs may authenticate each other in MAP PASN procedure. MAP PASN MAP agreement negotiation Submission Slide 8 Jay Yang, et al. (ZTE)

  9. Oct. 2024 Doc.: IEEE 802.11-24/1693r0 The following figure depicts an example of the MAP security framework ESS1 ESS2 Co-hosted BSSID set Co-hosted BSSID set b-AP2 AP2 AP1 b-AP1 Transitive trust mode: S_AP1 trust S_AP2 after MAP authentication S_AP1 proves to S_AP2 that S_AP1 trusts AP1. S_AP2 proves to S_AP1 that S_AP2 trusts AP2. AP1 trusts AP2 MAP provision MAP discovery MAP PASN ssid= wireless pwd= 8021180211 ssid= wireless pwd= 8021180211 AP1, AP2 generate PTK Trust link MAP negotiation Submission Slide 9 Jay Yang, et al. (ZTE)

  10. Oct. 2024 Doc.: IEEE 802.11-24/1693r0 Summary Analyse the security requirement of MAPC in same or different ESS Provides some security consideration and propose to isolate MAPC from infrastructure network in certain level Propose to define MAP provision and MAP PASN procedure in MAPC framework. Submission Slide 10 Jay Yang, et al. (ZTE)

  11. Oct. 2024 Doc.: IEEE 802.11-24/1693r0 THANK YOU Submission

  12. Oct. 2024 Doc.: IEEE 802.11-24/1693r0 Reference 1. 24/209r5 Specification Framework for TGbn Submission Slide 12 Jay Yang, et al. (ZTE)

  13. Oct. 2024 Doc.: IEEE 802.11-24/1693r0 SP1 Do you agree to define MAPC Preassociation security negotiation(PASN) as an additional procedure in MAPC framework? Note:extend the PASN or define a new mechanism is TBD. Submission Slide 13 Jay Yang, et al. (ZTE)

  14. Oct. 2024 Doc.: IEEE 802.11-24/1693r0 SP2 Do you agree to define MAPC provision procedure as an optional procedure in MAPC framework? Note: the details of MAPC provision is TBD Submission Slide 14 Jay Yang, et al. (ZTE)

Related


Airport Security Market to be Worth $25.27 Billion by 2031

Airport Security Market to be Worth $25.27 Billion by 2031

Kavya
KEERTHI SECURITY - Best Security Agencies In Bangalore

KEERTHI SECURITY - Best Security Agencies In Bangalore

KeerthiSecurity
Sens Security Your Premier Personal Security Firm

Sens Security Your Premier Personal Security Firm

Shivneil
Sens Security Your Premier Personal Security Firm

Sens Security Your Premier Personal Security Firm

Shivneil
Sens Security Your Premier Personal Security Firm

Sens Security Your Premier Personal Security Firm

Shivneil
Role of Security Champions in Organizations

Role of Security Champions in Organizations

irvin
Roles of a Security Partner

Roles of a Security Partner

zaara
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication

Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication

joso_597
Enhancing SWIFT Security Measures for ReBIT: March 2018 Update

Enhancing SWIFT Security Measures for ReBIT: March 2018 Update

grajales_i
Insights into the Salem Witch Trials

Insights into the Salem Witch Trials

faci177
Insights into the Salem Witch Trials

Insights into the Salem Witch Trials

kamr_80
Security in World Politics

Security in World Politics

eisenberg_k
Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University

Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University

kol_lov
UIC Security Division Overview and International Activities

UIC Security Division Overview and International Activities

hadri
Automating Security Operations Using Phantom

Automating Security Operations Using Phantom

gwe_sad
HTTP Security Headers for Web Apps

HTTP Security Headers for Web Apps

pembroke_l
Modular Security Analysis for Key Exchange and Authentication Protocols

Modular Security Analysis for Key Exchange and Authentication Protocols

area290
Universally Composable Security: A Tutorial by Ran Canetti

Universally Composable Security: A Tutorial by Ran Canetti

kama_574
Revolutionizing Security Testing with BDD-Security

Revolutionizing Security Testing with BDD-Security

sbre
Comprehensive DevOps Security Training Overview

Comprehensive DevOps Security Training Overview

jahv_808
Security Testing and Architecture

Security Testing and Architecture

nataleaei
New Crypto Offload Framework in DPDK - Security Acceleration Overview

New Crypto Offload Framework in DPDK - Security Acceleration Overview

juanm

More Related Content