版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
WirelessLANIEEE802.11林文彥qqnice@.twIEEE802.11WirelessLAN802.11CharacteristicsDesigngoalsCharacteristics
IEEE802.11WirelessLANArchitectureProtocolPHYMACRoamingNetworkImplement
AntennaSecurityWEPIEEE802.1X802.11Future802.11a,b,g802.11vsBluetoothIEEE802.11WirelessLANIEEE802.11CharacteristicsIEEE802.11WirelessLANNetworkImplementSecurityWEPIEEE802.1X802.11Future802.11a,b,g802.11vsbluetoothWirelessLANDesigngoalsCharacteristicsMarketingChipsetIntersil,Lucent(Agere)TaiwanNo.1DesigngoalsGlobal,seamlessoperationLowpowerconsumptionforbatteryuseNospecialpermissionsorlicensesrequiredRobusttransmissiontechnologySimplifiedspontaneouscooperationatmeetingsEasytouseforeveryone,simplemanagementInteroperablewithwirednetworksSecurity(nooneshouldbeabletoreadmydata),privacy(nooneshouldbeabletocollectuserprofiles),safety(lowradiation)Transparencyconcerningapplicationsandhigherlayerprotocols,butalsolocationawarenessifnecessaryCharacteristicsIVeryflexible(economicaltoscale)Ad-hocnetworkswithoutplanningpossible(Almost)nowiringdifficulties(e.g.historicbuildings,firewalls)MorerobustagainstdisastersoruserspullingaplugCharacteristicsIILowbandwidthcomparedtowirednetworks(10vs.100[0]Mbit/s)Manyproprietarysolutions,especiallyforhigherbit-rates,standardstaketheirtimeProductshavetofollowmanynationalrestrictionsifworkingwireless,ittakesalongtimetoestablishglobalsolutions(IMT-2000)SecurityEconomyInfraredvs.RadiotransmissionInfraredusesIRdiodes,diffuselight,multiplereflections(walls,furnitureetc.)simple,cheap,availableinmanymobiledevicesnolicensesneededsimpleshieldingpossibleinterferencebysunlight,heatsourcesetc.manythingsshieldorabsorbIRlightlowbandwidthExample:IrDA(InfraredDataAssociation)interface availableeverywhereRadiotypicallyusingthelicensefree
ISMbandat2.4GHzexperiencefromwirelessWANandmobilephonescanbeusedcoverageoflargerareaspossible(radiocanpenetratewalls,furnitureetc.)verylimitedlicensefreefrequencybandsshieldingmoredifficult,interferencewithotherelectricaldevices•Examples:HIPERLAN,BluetoothMarketingDell''OroGroup
2001--15BillionDollar2004--31BillionDollar2003~200640%測
全球無線區域網路市場銷售值、量預估。
資料來源:CahnersIn-Stat;工研院經資中心ITIS計劃整理Wi-FiShipmentForecastfor2001Financial
15%Other
14%Hospitality
12%Healthcare
15%Education35%KeyMarketsAdoptingWirelessRetail
9%Source:Cahner’sIn-StatGroup2001IEEE802.11WirelessLANArchitectureProtocolPHYMACRoamingArchitectureInfrastructureExtendedServiceSetESSAd-hocnetworksIndependentBasicServiceSetNetwork(IBSSNetwork)
Infrastructurevs.ad-hocnetworks802.11–ArchitectureofaninfrastructurenetworkStation(STA)–terminalwithaccessmechanismstothewirelessmediumandradiocontacttotheaccesspoint•BasicServiceSet(BSS)–groupofstationsusingthesameradiofrequency•AccessPoint–stationintegratedintothewirelessLANandthedistributionsystem•Portal–bridgetoother(wired)networks•DistributionSystem–interconnectionnetworktoformonelogicalnetwork(EES:ExtendedServiceSet)basedonseveralBSS802.11–Architectureof
anad-hocnetwork•Directcommunicationwithinalimitedrange–Station(STA):terminalwithaccessmechanismstothewirelessmedium–BasicServiceSet(BSS):groupofstationsusingthesameradiofrequency•YoumayuseSDMorFDMtoestablishseveralBSS.802.11–Protocolarchitecture802.11-ThelowerlayersindetailPMD(PhysicalMediumDependent)modulation,coding•PLCP(PhysicalLayerConvergence Protocol)clearchannelassessmentsignal (carriersense)•PHYManagementchannelselection,PHY-MIB•StationManagementcoordinationofallmanagement functionsMACaccessmechanismsfragmentationencryptionMACManagementSynchronizationroamingpowermanagementMIB(managementinformation base)802.11-Physicallayer3versions:2radio(2.4GHz),1IR:FHSS(FrequencyHoppingSpreadSpectrum)spreading,despreading,signalstrength,1Mbit/satleast2.5frequencyhops/s,two-levelGFSKmodulation
DSSS(DirectSequenceSpreadSpectrum)DBPSKmodulationfor1Mbit/s(DifferentialBinaryPhaseShiftKeying),DQPSKfor2Mbit/s(DifferentialQuadraturePSK)preambleandheaderofaframeisalwaystransmittedwith1Mbit/s,restoftransmission2(oroptionally1)Mbit/schippingsequence:Barkercode(+–++–+++–––)max.radiatedpower1W(USA),100mW(EU),min.1mW
Infrared850-950nm,diffuselight,10mrangecarrierdetection,energydetection,synchronizationIEEE802.11StandardFamily
SingleMAC,MultiplePHYsFrequencyHopping79Channels,1MHzEachChangesfrequency(Hops)atleastevery0.4secondsSynchronizedhoppingrequiredFrequency2.400GHz2.483GHz123456789FrequencyHoppingSpreadSpectrum
SpreadSpectrumTechniques
DirectSequence2Mbpsdataratewithoutcomplexmodulationscheme3AccessPointscanoccupysameareaDirectSequenceSpreadSpectrum。
SpreadSpectrumTechniquesDirectSequenceSpreadingsignalDatasignalSpreadingsignalFilterRecoveredDatasignalnoiseFHSSPHYpacketformatSynchronizationsynchwith010101...pattern•SFD(StartFrameDelimiter)0000110010111101startpattern•PLW(PLCP_PDULengthWord)lengthofpayloadincl.32bitCRCofpayload,PLW<4096•PSF(PLCPSignalingField)datarateofpayload(1or2Mbit/s)•HEC(HeaderErrorCheck)CRCwithx16+x12+x5+1DSSSPHYpacketformatSynchronizationsynch.,gainsetting,energydetection,frequencyoffsetcompensationSFD(StartFrameDelimiter)1111001110100000Signaldatarateofthepayload(0x0A:1Mbit/sDBPSK;0x14:2Mbit/sDQPSK)Service(futureuse,00:802.11compliant)Length(lengthofthepayload)HEC(HeaderErrorCheck)protectionofsignal,serviceandlength,x16+x12+x5+1CyclicRedundancyCode(CRC):DivisioninHardwareUsecyclicshiftregisterrregisters,whereristheorderofG(x)•ExampleFinallytheremainderofthedivisionisintheregistersMAClayerDefinedthroughdifferentinterframespaces•noguaranteed,hardpriorities•SIFS(ShortInterFrameSpacing)highestpriority,forACK,CTS,pollingresponse•PIFS(PCFIFS)mediumpriority,fortime-boundedserviceusingPCF•DIFS(DCF,DistributedCoordinationFunctionIFS)lowestpriority,forasynchronousdataserviceCSMA/CACSMA/CA2SendingunicastpacketsstationhastowaitforDIFSbeforesendingdatareceiversacknowledgeatonce(afterwaitingforSIFS)ifthepacketwasreceivedcorrectly(CRC)automaticretransmissionofdatapacketsincaseoftransmissionerrorsSTA“B”
STA“A”RTS-RangeAccessPointCTS-RangeDFWMACDistributedFoundationWirelessMACstationcansendRTSwithreservationparameterafterwaitingforDIFS(reservationdeterminesamountoftimethedatapacketneedsthemedium)•acknowledgementviaCTSafterSIFSbyreceiver(ifreadytoreceive)•sendercannowsenddataatonce,acknowledgementviaACK•otherstationsstoremediumreservationsdistributedviaRTSandCTSFragmentationIfpacketgetstoolongtransmissionerrorprobabilitygrows•AsimplebackoftheenvelopecalculationdeterminestheoptimalfragmentsizeDFWMAC-PCFAnaccesspointcanpollstationsDFWMAC-PCF2FrameformatMACFrameFormatFrameControlDurationIDAddr1Addr2Addr3Addr4SequenceControlCRCFrameBody22666620-23124802.11MACHeaderProtocolVersionTypeSubTypeToDSRetryPwrMgtMoreDataWEPRsvdFrameControlFieldBits:22411111111DSFromMoreFragAddressFieldDescriptionAddr1=Allstationsfilteronthisaddress.Addr2=TransmitterAddressIdentifiestransmittertoaddresstheACKframetoAddr3=DependentonToandFromDSbits.Addr4=OnlyneededtoidentifytheoriginalsourceofWDS(WirelessDistributionSystem)frames.MACaddressformatDS:DistributionSystemAP:AccessPointDA:DestinationAddressSA:SourceAddressBSSID:BasicServiceSetIdentifierRA:ReceiverAddressTA:TransmitterAddressMACmanagementSynchronizationtrytofindaLAN,trytostaywithinaLANtimeretc.•Powermanagementsleep-modewithoutmissingamessageperiodicsleep,framebuffering,trafficmeasurements•Association/ReassociationintegrationintoaLANroaming,i.e.changenetworksbychangingaccesspointsscanning,i.e.activesearchforanetwork•MIB-ManagementInformationBasemanaging,read,writeSynchronizationInaninfrastructurenetwork,theaccesspointcansendabeaconSynchronizationInanad-hocnetwork,thebeaconhastobesentbyanystationPowermanagementIdea:ifnotneededturnoffthetransceiverStatesofastation:sleepandawakeTimingSynchronizationFunction(TSF)stationswakeupatthesametimeInfrastructureTrafficIndicationMap(TIM)listofunicastreceiverstransmittedbyAPDeliveryTrafficIndicationMap(DTIM)listofbroadcast/multicastreceiverstransmittedbyAPAd-hocAd-hocTrafficIndicationMap(ATIM)announcementofreceiversbystationsbufferingframesmorecomplicated-nocentralAPcollisionofATIMspossible(scalability?)PowerManagementThreeClientAdapterModesCAM=ConstantAwakeModePowernotanissueHighAvailablityPSP=PowerSaveModePowerisanissueAPbuffersmessagesWakesupperiodicallytoretrievedataFastPSP=FastPowerSaveModeSwitchbetweenCAMandPSPUserswhoswitchbetweenACandDCDefaultisCAMAvailableonlyonPCMCIAOnlyonecanbeselectedWindowsNetworkPropertiesCAMPSPFastPSPConstantFlowOccasionalFlowBufferedwhenasleepConstantFlowOccasionalFlowBufferedwhenasleepPowersavingwithwake-uppatterns(infrastructure)Powersavingwithwake-uppatterns(ad-hoc)
Modulation
TypeUsesComplimentaryCodeKeying(CCK)at5.5and11Mbps.CCKusesadvancedcodingtechniques.CCKconsistsofasetof64eight-bitcodewords.Asaset,thesecodewordshaveuniquemathematicalpropertiesthatallowthemtobecorrectlydistinguishedfromoneanotherbyareceivereveninthepresenceofsubstantialnoiseandmultipathinterference.TableofModulationRoamingNoorbadconnection?Thenperform:Scanningscantheenvironment,i.e.,listenintothemediumforbeaconsignalsor sendprobesintothemediumandwaitforananswerAssociationRequeststationsendsarequesttooneorseveralAP(s)AssociationResponsesuccess:APhasanswered,stationcannowparticipatefailure:continuescanningAPacceptsassociationrequestsignalthenewstationtothedistributionsystemthedistributionsystemupdatesitsdatabase(i.e.,locationinformation)typically,thedistributionsystemnowinformstheoldAPsoitcanreleaseresourcesRoamingInternetEx.RoamingProblemESSID,IP(x,y)(0,0)SameESSID;SameIP(0,1)SameESSID;DiffIP(1,0)DiffESSID;SameIP(1,1)DiffESSID;DiffIPSubnetVPN
NetworkImplementAntennaAdhocmode
InfrastructureWLANTopologiesWirelessRepeaterTopologySystemRedundancyTopologyPoint-to-PointConfigurationPoint-to-MultipointConfigurationOmniAntennas2.2dBiAIR-ANT3194OmniCeilingmount5.2dBiAIR-ANT1728OmniCeilingmount5.2dBiAIR-ANT2506OmniMastmount12dBiAIR-ANT4121OmniMastmount2.0dBiAIR-ANT5959DiversityOmniCeilingMount5.2dBiAIR-ANT3213DiversityOmniPillarmount2.2dBiAIR-ANT3342DiversityOmniDiversitydipole2.2dBiAIR-ANT3342DiversityOmniDiversitydipole(forusewithLMC)AreaofpoorcoveragedirectlyundertheantennaBeamwidthDirectionalAntennas8.5dBiAIR-ANT3549Patch6dBiAIR-ANT2012DiversityPatch21dBiAIR-ANT3338Dish13.5dbiAIR-ANT1949YagiYagiAntennasYagiantennasareusedprimarilyforfocusedpoint-to-pointlinks.TheyareconsideredmoreattractivethanParabolicantennas,andhavemuchlesswindloadingthanPanels.Theirprimarytechnicaldisadvantageisthatsnowandicecanbuilduponthelongtubeanddistortthesignalandreducetheirgain,andtendtobemoreexpensive.•6-21dBi($40-$160)EquipmentAntennas(Mostimportantpieceofgear)Gainvs.Freqvs.Beamwidth(biggerisbetter)Polarization(horizontalvs.vertical)EquipmentAntennas(Mostimportantpieceofgear)Gainvs.Freqvs.Beamwidth(biggerisbetter)Polarization(horizontalvs.vertical)LightningArrestorDesignedtoprotectLANdevicesfromstaticelectricityandlightningsurgesthattraveloncoaxtransmissionlines.Goodforboth900MHzand2.4GHzsystems.RP-TNCconnectorsusedonallAironetAntennasDirectStrikeProtectionBridgeToNetworkCopper–Fibertransceivers1meterfiberopticcableProtectionfromadirectstrike1meterfiberopticcablingElectricitywillnottraveloverfiberTransceiversrequirepowerHubEquipmentCoax(Secondmostimportant)Biggerisbetter,butmoreexpensiveTimesMicrowaveLMR400,LMR600UseNconnectorsandheatshrinkEquipmentAmplifiersAmpasalastresortMastmountampclosetoantennaTransverters802.11bto5.7GHzusingYDIunitDualbandantennasMastmountampclosetoantennaWANDesignDiversityandMultipathInamultipathenvironment,signalnullpointsarelocatedthroughoutthearea.Movingtheantennaslightlywillallowyoutomoveoutofanullpointandreceivethesignalcorrectly.DualDiversityantennastypicallymeanifoneantennaisinanull,theotheronewillnotbe,thereforeprovidingbetterperformanceinmultipathenvironments.Interference&ObstructionsMulti-path(DiversityAntennas)Antenna101下表為天線增益值(dBi)與距離關係(km):增益值
(接收端)
增益值(發送端)
18dBi14dBi8dBi6dBi5dBi18dBi5.541.510.614dBi2.52.51.50.80.68dBi1110.80.66dBi0.80.80.80.80.65dBi0.80.60.60.60.5Peer-to-PeerConfiguration(adhocmode)WirelessClientsWireless“Cell”ModemPeer-to-PeerTopologyAccessPointWireless“Cell”Channel6WirelessClientsLANBackboneChannel1AccessPointWireless“Cell”WirelessClientsInfrastructureWLANTopologiesWirelessRepeaterTopologyChannel1AccessPointWirelessClientsChannel1AccessPointWirelessRepeater“Cell”LANBackboneSystemRedundancyTopologyWirelessClientsLANBackboneChannel1Channel60to25miles(lineofsight)EthernetBridgeOptionalAntennaBuildingABuildingBOptionalAntennaPoint-to-PointConfigurationEthernetBridgeBuildingBBuildingCBuildingADirectionalAntennaOmni-directionalAntennaPoint-to-MultipointConfigurationAccessPointPositionCampusWLANBldg2Bldg3Omni-DirectionalAntennaChannel1Channel1MainOfficeBldg1Channel1LocalAreaNetwork11MbpsDataRateupTo7or8Miles信義樓育才樓仁愛樓活動中心萬全大樓育英樓覺民館工管館行政大樓萬卷樓有線網路圖書館
Vit
無線網路骨幹圖規劃圖書館經國樓工教大樓存盧紀念館忠孝樓教職員宿舍弘道館職訓中心育英樓Vit
無線網路骨幹圖(續)SignalStrengthStrongMedWeakLowMedHighNoiseLevelMorenoise,LessBandwidthUpto33MbpsFECFECDistanceorBandwidthDistanceorBandwidthGreaterdistancespossibleatslowerspeedAggregationusingFECorMultiLink“bond”uptothreebridgelinksWirelessLANSecuritySecurityTodayWEPVPNIPSecDigitalsignatureFirewall802.1xEWAPSecurity-The#1ConcernforEnterpriseaboutWirelessSource:WSJ,2/5/01802.11SecurityTodayBasicSSIDMACAccessControlExistingsecurityconsistsoftwosubsystems:WiredEquivalentPrivacy(WEP):Adataencapsulationtechnique.SharedKeyAuthentication:Anauthenticationalgorithm•Goals:CreatetheprivacyachievedbyawirednetworkSimulatephysicalaccesscontrolbydenyingaccesstounauthenticatedstationsBasicsecurityconcernsSSIDisnotasecurityfeaturetransmittedintheclearinbeaconframesspecssaysthatclientscansetasnullstring(doesnotworkforCiscoproductthough)APAccessControlListcanbeeasilybypassedMACaddressescanbesniffedfromtheairclient’sMACaddresscanbeeasilyspoofedSharedKeyAuthenticationSharedKeyAuthenticationStepstoAuthenticateUsingtheSharedKeyAPdecryptstheencrypted
challengetextAuthenticationsuccessfuliftextmatchesoriginalStationencryptschallengetext
andsendsittotheAPAccessPointStationsendsauthenticationrequestAPsendschallengetextgenerated
withtheWEPalgorithmSecretKeyLoadedLocallySecretKeyLoadedLocallyStationWEPSecurityEncryptionmechanismcalledWEPorWiredEquivalentPrivacyOptionalEncryptionAlgorithmBasedonRC4PRNGdevelopedbyRSADataSecurityInc.A40bitSecretKeyA24bitIVorInitializationVectorsendwiththedataIncludesanICVtoallowintegritycheckIVCiphertextKeysequenceICVSeedIVSecretkeyPlaintextIntegrityAlgorithmWEPPRNGmessageWLANSecurity:DataEncryptionMuxMuxIntegrity
AlgorithmPRNGWEPPRNGIntegrityAlgorithmICV'=ICVMuxIVIVSeedKey+CiphertextICVIV+SecretKeyCiphertextICVPlaintextPlaintextTXWEPICV'EncryptsthedataportionofthepacketsWEPselfsynchronizingsoftwarealgorithm
RC4PRNGeneratoralgorithmwitha40bitsecretkeyand24bitInitializationVector(IV)MaximizedatasecuritybychangingtheIVoneachpacketAdditional2%overheadtodatapacketIVandseedareincludedinMPDUIntegrityCheckValue(ICV)mustmatchICV’onreceivesideICVWEPEncapsulationWEPprotocolThesenderandreceivershareasecretkeykSender,inordertotransmitamessage:ComputeaCRC-32checksumICV,andattachittothemessagePickaper-packetkeyIVv,andgenerateakeystreamRC4(v,k)Attention:WEPAllowsvtobere-usedwithanypacketEncryptdataandattachedICVbyXORitwithRC4(v,k)Transmitheader,IVv,andencrypteddata/ICVReceiver:UsereceivedIVvandsharedktocalculatekeystreamRC4(v,k)DecryptdataandICVbyXORitwithRC4(v,k)CheckwhetherICVisavalidCRC-32checksumVernamCiphersPRNGPropertiesofVernamCiphersThoughtexperiment:whathappenswhenp1andp2areencryptedunderthesame“random”byteb?c1=p1⊕bc2=p2⊕bThen:c1⊕c2=(p1⊕b)⊕(p2⊕b)=p1⊕p2Conclusion:itisabadideatoencryptanytwobytesofdatausingthesamebyteoutputbyaVernamCipherPRNG.Attacks-KeystreamReuseAttacks-MessageAuthenticationAttacks-MessageModificationAttacks-MessageModificationWEPlessonsWhatcouldonedotoimproveWEP:UselongIV’sthatareusedonlyonceinthelifetimeofasharedkeykUseastrongmessageauthenticationcode(insteadofaCRCcode), thatdoesdependonthekeyandtheIV.Whatyoushoulddo:Don’ttrustWEP.Don’ttrustitmorethansendingplainmessagesoveranEthernet.However,WEPisusuallyseenasagoodfirst deterrentagainstso-called“wardrivers.”PutthewirelessnetworkoutsideyourfirewallTherearenewproprietarysecuritysolutionssuchasLEAP.DynamicWEPusing802.1xPer-packetInitializationVector(IV)UseothersecuritymechanismssuchasVPN,IPSec,sshRADIUSAuthenticationInternetVPNVirtualPrivateNetworkW2K
DCROUTERActiveDirectory資料傳輸安全性W2K
DCROUTERInternal
NetworkSiteTPInternal
NetworkSiteKHVPNSecurityCrackerSecurity-ThreatsThreats:Packetsniffingtointercept“clear-text”trafficCompromisedstaticWEPKeysPacketsniffing/CryptanalysisLaptoploss/theftPacketintegritycompromiseRogueaccess-pointsWirelessLANsraisesecurityimplicationsnotfoundwithtraditionalwiredLANs…CrackingTools:NetworkAssociatesInc.-WirelessSnifferPro4.6WildPacketsInc.–AiroPeek1.1NetStumblerAirSnortSecurity-LEAPClientOtherclientOSs:CisconetworklogonapplicationInstalledwithclientadapterFront-endsstandardnetworklogonUsesLightEAP(LEAP)inclientadapterfirmwaretointeractwithRADIUSserverandusernetworklogoninfoWindowsWhistlerrelease:Operatingsystem(OS)incorporatesEAPEthernetsupplicant:toworkonMS-XP,Win2K,CE4.0natively;nolegacysupportSecurity-CentralizedUser-BasedAuthenticationAuthenticator(e.g.AccessPoint,CatalystSwitch)SupplicantSemi-PublicNetwork/EnterpriseEdgeAuthenticationServersuchasACS2000v2.6RADIUSEAPOverWireless/LAN(EAPOW/EAPOL)EAPOverRADIUSExtendedEnterprise(BranchOffice,Home,etc.)Enterprise
IntranetCentralizedManagement–
WLANAdoptionProblemsLargenumberofAccessPointsaredifficulttomanageImpracticaltoconfigureeachoneindividuallyNeedaggregatedstatusandexceptionnotificationUserscanbeanywhere!NeedtoknowwhichAPtheuserisassociatedwithDifficulttotroubleshootassociationproblemsWirelesssolutionismorethanjusttheAPsLEAPserverforauthenticationConnectedswitchmustbeconfiguredcorrectlyCentralizedManagement-WirelessLANManagementProductConceptAccessPointsClientsLEAPServerCiscoSecureACSAttachedSwitch/RouterMonitoringClientAssociationMonitoring&ReportingSwitch/RouterMonitoring&ConfigurationAPMonitoring&ConfigurationProductConceptWLANNetworkManagementInitiatives:WaveLink:CentralizedmanagementofClients,AP’s,andBridges(MobileManager5.0)CiscoEMBU:WLANManagementapplicationforCiscoWorks2000(targetCQ202)CentralizedManagement-FeaturesAutomaticdiscoveryofAccessPointsandBridges,withanoptiontoautomaticallyconfigurenewAPsandBridgesUser-defined“Groups”ofAPsandBridges.GroupscanincludeGroupstocreateahierarchalrepresentation.TemplatebasedconfigurationofGroupsSummarystatusofindividualorGroupsConfigurablethresholdsforfaultsAPUtilizationreportsCurrentClienttoAPassociationreportsLastfewassociationsperClientreportMonitoringandperformancemeasurementofLEAPserverCustomizableadministratorviewsandrolesCentralizedManagement–Features(Cont.)VPNFirewallExistingconcept,technologyavailable,independentofhardwareArguablythemostcosteffectiveWeaknessesprotectsIPtraffic,notlowerlevele.g.ARPclientscanstillbeattackabletargetsDevelopmentsinstandard802.1xprovidessupportforPort-basedNetworkAccessControlatMACBridgesuseridentification,centralizedauthentication,e.g.RADIUSdynamic&per-sessionkeymanagementWindowsXPbuilt-insupport802.11iprovidesnewencryption128-bitAES?butcurrentequipmentwillnotbenefitOthersecurityconsiderationsOverallsecuritypictureWLANisonly1physicalpartofyournetworkjusttreatitasunsecuredConfidentialityofusername/passwordClient-sidesecuritye.g.IDS,Firewall,AV,cardtheftMobilitydisciplinee.g.HomeandcybercafeWLANenvironmentsIEEE802.11i-SecurityExtensions802.11iwillsupportAframeworkfornegotiationofauthenticationalgorithms(EAP-802.1Xbased)Aframeworkfornegotiationofencryptionalgorithms(TKIPoptionalandAESmandatory)SecuritysolutionsforAPandpeer-peerapplications802.1X(PortBasedNetworkAccessControl)aloneisnotsufficientWirelessLANsrequireasecurecommunicationchannelbetweensupplicantandauthenticatorsystemsIEEE802.11iEnhancedSecurityDescriptionEnhancementstothe802.11MACstandardtoincreasethesecurity;addressesnewencryptionmethodsandupperlayerauthenticationImportanceHigh:weaknessofWEPencryptionisdamagingthe802.11standardperceptioninthemarketRelatedstandardsThisappliesto802.11b,802.11aand802.11gsystems.
802.1xiskeyreferenceforupperlayerauthenticationStatus+
RoadmapEnhancedencryptionsoftwarewillreplaceWEPsoftware;Thisisonarecommendedbestpractice/voluntarybasis;developmentinTgI:firstdraftMar2001;nextdraftdueMar2002;stabledraft:July2002;finalstandard:Jan2003ProductsaffectedClientandAPcards(Controllerchip,Firmware,Driver)
APkernel,RGkernel,BGkernelAgere’sactivityActivelyproposingWEPimprovementmethods,participatinginallofficial/interimmeetingsKeyplayersAgere/Microsoft/Agere/Cisco/Atheros/Intel/3Com/Intersil/Symbol/Certicom/RSA/FunkKeyissuesModeofAEStouseforencryption(CTR/CBC[CBCMIC]orOCB[MICandEncryptionfunction])IEEE802.1X-PortBasedControlDescriptionAframeworkforregulatingaccesscontrolofclientstationstoanetworkviatheuseofextensibleauthenticationmethodsImportanceHigh:formsakeypartoftheimportant802.11iproposalsforenhancedsecurityRelatedstandardsThisappliesto802.11b,802.11aand802.11gsystemsStatus+
RoadmapStandardavailable–Spring2001ProductsaffectedSupportedinAP-2000,AP-1000/500,Clients(MSdriversforXP/2000beta)Agere’sactivityAddingEAPauthtypestoproductsKeyplayersMicrosoft/Cisco/Certicom/RSA/FunkKeyissuesHomeinIETFforEAPmethoddiscussions802.1X•802.1XintroducedtheRobustSecurityNetwork(RSN)–controlaccess–provideauthentication–keymanagement802.1X
•RSNprovidesmechanismstorestrictconnectivitytoauthorizedentities–connectivityisthrough“networkport”orassociationSecurityframeworkcreatedthroughthreeentities:–supplicant–authenticator–authenticationserverIEEE802.1XTerminologyControlledportUncontrolledportSupplicantAuthenticationServerAuthenticator802.1Xcreatedtocontrolaccesstoany802LANusedasatransportforExtensibleAuthenticationProtocol(EAP,RFC2284)EAPFrameworkEAPprovidesaflexiblelinklayersecurityframeworkSimpleencapsulationprotocolNodependencyonIPACK/NAK,nowindowingNofragmentationsupportFewlinklayerassumptionsCanrunoveranylinklayer(PPP,802,etc.)Assumesnore-orderingCanrunoverlossyorlosslessmediaRetransmissionresponsibilityofauthenticator(notneededfor802.1Xor802.11)EAPmethodsbasedonIETFstandardsTransportLevelSecurity(TLS)(supportedin
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 2025年北师大版高三历史上册阶段测试试卷含答案
- 2025年沪教新版选修3物理上册阶段测试试卷含答案
- 2025年粤人版高一数学下册阶段测试试卷
- 2025年北师大版九年级地理下册月考试卷含答案
- 2025年湘教版选择性必修1历史下册月考试卷含答案
- 2025年浙教新版必修三英语上册阶段测试试卷
- 公共文化服务理论与实务知到智慧树章节测试课后答案2024年秋四川艺术职业学院
- 2025年度美容院美容产品包装设计与生产合同4篇
- 二零二五年度农业休闲观光园开发合同4篇
- 二零二五年度绿色生态农用地流转合同4篇
- 2024年苏州工业园区服务外包职业学院高职单招职业适应性测试历年参考题库含答案解析
- 人教版初中语文2022-2024年三年中考真题汇编-学生版-专题08 古诗词名篇名句默写
- 2024-2025学年人教版(2024)七年级(上)数学寒假作业(十二)
- 山西粤电能源有限公司招聘笔试冲刺题2025
- 2024年高考全国甲卷英语试卷(含答案)
- 2024光伏发电工程交流汇流箱技术规范
- 旅游活动碳排放管理评价指标体系构建及实证研究
- 2022年全国职业院校技能大赛-电气安装与维修赛项规程
- 小学德育养成教育工作分层实施方案
- 2024年湖南高速铁路职业技术学院单招职业技能测试题库附答案
- 黑枸杞生物原液应用及产业化项目可行性研究报告
评论
0/150
提交评论