

  • Number of slides: 24

doc.: IEEE 802.11-05/0395-01-000s    May 2005    802.11 TGs

ESS Mesh Networking Proposal
Preliminary Overview of Secure NOmadic Wireless MESH (SNOWMESH)
Date: 2005-05-10

Authors:
Name | Address | Company | Phone | Email
Jonathan R. Agre | 8400 Baltimore Ave., #302, College Park, MD 20740 USA | Fujitsu Laboratories of America | 301 486 0978 | jonathan.[email protected]fujitsu.com
Wei-Peng Chen | 1240 E. Arques Ave., Sunnyvale, CA 00180 USA | Fujitsu Laboratories of America | 408 530 4622 | wei-peng.[email protected]fujitsu.com
Mohamed Refaei | 8400 Baltimore Ave., #302, College Park, MD 20740 USA | Fujitsu Laboratories of America | 301 486 0978 | mohamed.[email protected]fujitsu.com
Anuja Sonalker | 8400 Baltimore Ave., #302, College Park, MD 20740 USA | Fujitsu Laboratories of America | 301 486 0978 | anuja.[email protected]fujitsu.com

Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11.

Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at .

Submission 1, Jonathan Agre et al., Fujitsu Labs of America

Additional Authors (slide 2)

Name | Address | Company | Phone | Email
Xun Yuan | 8400 Baltimore Ave., #302, College Park, MD 20740 USA | University of Maryland | 301 486 1749 | [email protected]umd.edu
Chenxi Zhu | 8400 Baltimore Ave., #302, College Park, MD 20740 USA | Fujitsu Laboratories of America | 301 486 0671 | Chenxi.[email protected]fujitsu.com
Harshal Dharia | 8400 Baltimore Ave., #302, College Park, MD 20740 USA | Fujitsu Laboratories of America | 301 486 0489 | harshal.[email protected]fujitsu.com

Contents (slide 3)

  • Architecture
  • Usage Scenarios
  • Autoconfiguration/Initialization/Discovery
  • Routing
    – Topology Maintenance
    – Mobility
  • Security
  • QoS
  • Performance Evaluation
  • Conclusion

Architecture (slide 4)

[Figure: mesh of MPAP and MPAP(PL) nodes joined by WDS links, each with associated client STAs on normal links.]

Legend:
  • MPAP = Mesh Point with AP functions
  • MPAP(PL) = Mesh Point with active Portal
  • STA = Client Station
  • Link types: WDS Link (MP to MP), Normal Link (STA to MPAP)

Architecture (slide 5)

[Figure: the same mesh, with the mesh points labelled MP(AP), MP(AP, GW) and MPAP(PL), client STAs attached, and an Authentication Server (A.S.) reachable through the mesh.]

Legend:
  • MPAP = Mesh Point with AP functions
  • MPAP(PL) = Mesh Point with active Portal
  • STA = Client Station
  • A.S. = Authentication Server
  • Link types: WDS Link (MP to MP), Normal Link (STA to MPAP)

Usage Scenarios (slide 6)

  • Community Networks
    – Ubiquitous network access
    – Alternative broadband service to residential users
    – Static MPs, mobile STAs
    – Simple deployment, simple operation, low mobility, moderate security
  • Emergency Response Networks
    – Environments with limited infrastructure (on-site networks)
    – Rapid deployment, low mobility, high security, high reliability, continual operation/fault tolerant
  • Enterprise Networks
    – Extensions to primary LANs
    – Interoperability, simple operation, low mobility, high security
  • SoHo Networks
  • Hotspots
    – Extensions of coverage areas

Key Points (slide 7)

  • Network is sized for approximately 32 mesh points
  • Each Mesh Point contains AP and Portal functions
  • Single or multiple radios supported
    – An MP may contain multiple 802.11 PHY radios operating on different channels.
  • The inter-MP communication is via authenticated WDS links
  • The mesh supports routing to multiple entry/exit points (Portals).
    – Portals connect to other 802.1 networks (including other mesh networks)
  • STAs are unaware of the mesh and their operation is unaffected by connection to the mesh
  • Self-configuring, self-healing, automatic formation/maintenance of the mesh network
  • Two security modes
    – Authentication-server mode and Standalone mode
    – Require a modification to 802.11i that will support WDS authentication
  • QoS adapted for multi-hop mesh is supported

MPAP Architecture (slide 8)

[Figure: layered MPAP stack. Top: Portal, Security, WDS, Routing. Middle: Mesh MAC Layer over MAC Ports. Bottom: one MAC per PHY, Phy1 ... Phyn.]

  • Mesh identified by a single SSID
  • One MAC address for the MP (feasibility under study)
  • Phyi: an 802.11 PHY; each Phyi is on a separate channel, designated by port
  • Mesh MAC Layer handles routing, QoS and security across Ports
  • The MAC for each Phy handles lower-level security, association, sequencing, etc.
  • Portal attaches to other 802.1 network(s)

Network Initialization and Discovery (slide 9)

Mesh Initialization and Network Discovery (MIND)
  • When an MP is powered on, it enters discovery mode
    – Based on an active scan of all channels by each port
      • Send probe messages
      • Probe responses from MPs include some additional information
        – e.g., routing protocol option, security option, parameters, etc.
    – Mesh identified by matching mesh SSID (preconfigured parameter)
    – MP receives probe responses from all neighbors on each channel
  • If not a secure mesh and no mesh is found after several attempts, the MP becomes the Mesh Initial MP
    – Potential problem with merging independently formed subnets
    – Resolution methods under study (e.g., lowest MAC address, most nodes, etc.)
  • If a secure mesh, there are some requirements for pre-configuration of the 1st node (discussed in the security section)
    – A simple solution is to require that the designated node be powered on first

Network Discovery (cont.) (slide 10)

  – If a mesh is found (i.e., matching SSID),
    • MP “selects” the best channels for its own radios to connect to the mesh, thus determining its 1-hop neighbors in the mesh
    • MP initiates WDS link establishment for each neighbor MP
    • If a secure mesh, then the WDS link is blocked until authenticated
      – MP initiates authentication with each WDS neighbor
      – Authentication certificate identifies the MP as MP-capable
      – An authenticated MP either requests or waits for the next Network Advertisement message
    • If open security, then the MP simply waits for a Network Advertisement

Mesh Network Maintenance (MNM) (slide 11)

  • Handles addition and deletion of MPs, and mobility
  • Maintenance scheme is a function of the routing protocol option in effect
    – Format of net advertisement data is also defined by the routing protocol option
  • In the Basic Scheme: each associated MP periodically issues network advertisement messages to propagate topology information
    – The Basic Routing Protocol option includes a simple Mesh Network Maintenance scheme, Simple-MNM, as follows:
      • Flat Topology Table of all MAC addresses
      • Two types of Network Advertisement messages are used in the basic scheme
        – Full update (NA message): network topology table of all MAC addresses of MPs and STAs, channels, link metrics, portals, authentication server
        – Change update (δ-NA message): includes only changes since the last full update (or indicates no change)
      • Each MP broadcasts a network advertisement message to its one-hop neighbors
        – Periods for Full update and Change update are parameters
        – Sent using group keys in secure modes
      • Ageing and replacement scheme based on sequence numbers
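The Simple-MNM table maintenance described on this slide (full NA, δ-NA, sequence-number replacement, ageing), as an added example that is not code from the SNOWMESH proposal. The message field names, the "newer sequence number wins" rule and the time-based ageing rule are assumptions; the proposal only states that ageing and replacement are sequence-number based.

```python
"""Simple-MNM topology maintenance: full (NA) and change (delta-NA) updates,
sequence-number replacement and ageing.  Added example, not code from the
SNOWMESH proposal; field names and the ageing rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class LinkEntry:
    channel: int
    metric: float    # link-quality metric (the proposal leaves the formula TBD)
    seq: int         # sequence number of the advertisement that set this entry


class TopologyTable:
    """Flat table: originator MAC -> {neighbor MAC (MP or STA) -> LinkEntry}."""

    def __init__(self, max_age: float):
        self.max_age = max_age
        self.links: Dict[str, Dict[str, LinkEntry]] = {}
        self.portals: set = set()
        self.last_seq: Dict[str, int] = {}     # originator -> newest seq applied
        self.refreshed: Dict[str, float] = {}  # originator -> time of last update

    def _accept(self, origin: str, seq: int) -> bool:
        # Replacement rule: only an advertisement newer than the last one seen
        # from this originator is applied; older or replayed copies are ignored.
        if seq <= self.last_seq.get(origin, -1):
            return False
        self.last_seq[origin] = seq
        return True

    def apply_full(self, origin: str, seq: int, links: Dict[str, Tuple[int, float]],
                   is_portal: bool, now: float) -> bool:
        """NA message: replaces everything previously learned from `origin`."""
        if not self._accept(origin, seq):
            return False
        self.links[origin] = {nb: LinkEntry(ch, m, seq) for nb, (ch, m) in links.items()}
        (self.portals.add if is_portal else self.portals.discard)(origin)
        self.refreshed[origin] = now
        return True

    def apply_delta(self, origin: str, seq: int, added: Dict[str, Tuple[int, float]],
                    removed: List[str], now: float) -> bool:
        """delta-NA message: only changes since the last full update; an empty
        delta means 'no change' but still counts as a refresh for ageing."""
        if origin not in self.links:
            return False   # no base state to patch: a full NA is needed first
        if not self._accept(origin, seq):
            return False
        for nb, (ch, m) in added.items():
            self.links[origin][nb] = LinkEntry(ch, m, seq)
        for nb in removed:
            self.links[origin].pop(nb, None)
        self.refreshed[origin] = now
        return True

    def age_out(self, now: float) -> List[str]:
        """Drops originators not refreshed within max_age (e.g. a departed MP).
        last_seq is kept so a replayed old NA cannot resurrect the entry."""
        stale = [o for o, t in self.refreshed.items() if now - t > self.max_age]
        for o in stale:
            del self.links[o], self.refreshed[o]
            self.portals.discard(o)
        return stale
```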

Routing (slide 12)

  • The mesh will support multiple routing protocols, specified through mesh configuration options.
  • Recommend that all MPs implement at least a Basic Mesh Routing Protocol
  • We propose a Simple Link-state Routing Protocol (SLRP)
    – Weighted shortest path, computed by Dijkstra’s Algorithm from the Topology Table
    – Weighted by link quality (RSSI, load, other factors; formula TBD)
    – Operates on the Flat Topology Table
      • MAC addresses of all MPs, MAC addresses of associated STAs
      • MAC addresses of Portals
      • For each MAC address in the mesh, for each directly connected neighbor of that address: store the channel, link quality metrics and sequence number
    – Basic topology maintenance using Simple-MNM

Basic Routing Protocol Features (slide 13)

  – The Routing Table contains an entry for each possible destination MAC in the mesh (MPs, STAs, Portals)
    – (Destination MAC, Next Hop MAC address, Outgoing Port/Channel)
  – Mobility of MPs and STAs is handled by Network Advertisements (break-before-make scheme)
  – Packet format for MP-MP messages is WDS, using 4 MAC address fields
    – (Next-hop receiver address, current transmitter address, original destination address, original source address)
  – An additional Hop Count field is added to the packet for loop detection
    • Considering a TTL field
    – Maximum values for Hop Count or TTL are parameters
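SLRP route computation (slide 12) and the routing-table and 4-address WDS forwarding features of this slide, as one added example that is not code from the SNOWMESH proposal. The link-cost formula (inverse of a link-quality value) and the frame field names are assumptions; the proposal leaves the weighting formula TBD.

```python
"""SLRP route computation and 4-address WDS forwarding with a hop-count
loop check.  Added example, not code from the SNOWMESH proposal; the
link-cost formula and the frame field names are assumptions."""
import heapq
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Flat topology table: node MAC -> {neighbor MAC: (channel, link quality in (0, 1])}
Topology = Dict[str, Dict[str, Tuple[int, float]]]
# Routing table: destination MAC -> (next-hop MAC, outgoing channel)
Routes = Dict[str, Tuple[str, int]]


def link_cost(quality: float) -> float:
    # Assumed weighting: cost rises as link quality falls (formula TBD in the proposal).
    return 1.0 / quality


def compute_routes(topo: Topology, me: str) -> Routes:
    """Dijkstra from `me` over the topology table; records the first hop and the
    channel used to reach it for every destination (MPs, STAs and Portals alike)."""
    dist: Dict[str, float] = {me: 0.0}
    routes: Routes = {}
    heap = [(0.0, me)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                     # stale heap entry
        for v, (ch, q) in topo.get(u, {}).items():
            nd = d + link_cost(q)
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                # first hop is v itself for a direct neighbor, else inherited from u
                routes[v] = (v, ch) if u == me else routes[u]
                heapq.heappush(heap, (nd, v))
    return routes


@dataclass
class WdsFrame:
    receiver: str      # next-hop receiver address
    transmitter: str   # current transmitter address
    destination: str   # original destination address
    source: str        # original source address
    hop_count: int     # incremented per hop; used for loop detection


def forward(frame: WdsFrame, me: str, routes: Routes, max_hops: int
            ) -> Tuple[str, Optional[WdsFrame], Optional[int]]:
    """Returns (action, frame to send, outgoing channel); action is one of
    ignore, deliver, drop, forward."""
    if frame.receiver != me:
        return ("ignore", None, None)          # overheard, not addressed to us
    if frame.destination == me:
        return ("deliver", frame, None)
    if frame.hop_count >= max_hops:
        return ("drop", None, None)            # hop budget exhausted: assume a loop
    nxt = routes.get(frame.destination)
    if nxt is None:
        return ("drop", None, None)            # no routing entry for this destination
    nh, ch = nxt
    out = WdsFrame(nh, me, frame.destination, frame.source, frame.hop_count + 1)
    return ("forward", out, ch)
```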

Routing Issues (slide 14)

  • Routing will consider QoS
    – Priority queues and link metrics are under study
  • Support for broadcast and multicast groups
    – Secure keys for broadcast and multicast
    – Needs further study
  • Routing to external networks
    – How to choose the best portal: shortest path, learned routes, flooding?
  • High mobility will hurt the basic scheme
  • Scalability questions
  • A future system could allow dynamic choice of routing scheme

Optional Routing Scheme: Hybrid Mesh Routing Protocol (HMRP) (slide 15)

  • Suitable for community networks with static MPs and mobile STAs
  • Use proactive routing to maintain the topology of the static MPs
    – Topology propagation in the basic mode only contains the links between MPs
  • Use on-demand routing for discovery of mobile STAs
    – AODV-like (REQ/REP) mechanism
  • Learn/maintain topology from various sources
    – Data packets: effective for long-lived connections
    – Authentication / Association packets

Security Issues (slide 16)

  • Two security modes will be supported
    – Authentication Server Mode: based on normal 802.11i and 802.1X. An authentication server (e.g., RADIUS) is assumed to be reachable within the mesh or externally via a portal
    – Standalone Mode: an authentication server is not available and an internal trust model is developed.
  • Basic Security Architecture
    – Security can be enabled or disabled
    – A single administrative domain is assumed
      • Valid STAs and MPs have certificates recognized by the admin domain
    – Each STA will authenticate with its associated MPAP using 802.11i
    – Each MP will authenticate with each of its WDS link neighbors
      • Extension to 802.1X and 802.11i needed for WDS authentication
    – Once authenticated as an MP, an MP can participate in mesh routing and will become an authenticator for other MPs

Security (slide 17)

  • Authentication Server Mode
    – A proper certificate is assumed to be installed on the MP, indicating that this is a valid MP for this mesh SSID
    – Each STA will authenticate with its associated MPAP using 802.11i
    – A new MP joining the mesh will independently authenticate with each of its (1-hop) WDS neighbors as a supplicant using augmented 802.11i
    – Once authenticated as an MP, an MP can participate in mesh routing and will become an authenticator for other MPs and STAs
    – An authentication server (e.g., RADIUS) may be hosted on an MP, or a route to an external authentication server is known to the mesh
      • Requirement of initial mesh node
    – MPAP maintains a Security table entry for each authenticated MPAP neighbor, any multicast groups and broadcast
  • Encryption
    – Along with authentication, encryption keys are defined per communicating pair, i.e.,
      • 802.11i pair-wise encryption is used for STA to MPAP and for MPAP to MPAP
        – e.g., full WPA2
      • Support both dynamic key distribution and pre-shared keys
      • Group keys are also established at the time of authentication

Security (cont’d) (slide 18)

  • Standalone Mode (Authentication Server not available)
    – Each MP has a proper attribute certificate indicating that this is a valid MP for this mesh SSID and defining the capability of the MP
    – A new MP joining the mesh will authenticate with each of its (1-hop) WDS neighbors as a supplicant using the attribute certificate assigned to it.
      • Local, 2-party authentication (e.g., challenge-handshake)
    – Once authenticated as an MP, an MP can participate in mesh routing and will become an authenticator for other MPs and STAs
    – MPAP maintains a table entry for each authenticated MPAP neighbor, multicast groups and broadcast
    – Revocation of issued certificates and renewal of expiring certificates is required.
    – MPs exchange periodic information on authenticated/revoked supplicants
    – Threat model and security attributes are currently under research

Roaming/Mobility (slide 19)

  • STAs and MPs can be mobile
    – The basic routing protocol is designed for low mobility and infrequent changes
  • In the basic scheme, a STA that moves between MPAPs will re-associate and re-authenticate
  • An MPAP that moves will re-associate and re-authenticate with all new 1-hop neighbors
  • The mesh will attempt to support 802.11r Fast Roaming when defined
    – Method TBD

Quality-of-Service (slide 20)

  • 802.11e QoS will be supported (many details still TBD)
    – For STAs, the MPAP will appear as a normal 11e AP
      • The admission control scheme at the MPAP needs to be modified to account for end-to-end delay over multiple hops
    – Each MPAP will support up to eight priority queues as in 11e
  • Admission control for admitting new MPAPs is still under consideration
  • MPs will negotiate between themselves to set up end-to-end QoS support
  • Mesh management messages need priority (i.e., network advertisements)
  • Should forwarded traffic get priority?
    – Extensions to TSPEC are being considered, and integration with network advertisement metrics
    – Algorithm/performance under investigation via simulation

Ongoing Issues (slide 21)

  • Desire a simple, but expandable, framework
  • Connection to IP networks needs further refinement
    – General philosophy is that basic functions are independent of IP, but recognize that IP is the most common application
      • ARP needed; Proxy ARP may be a significant improvement
      • Others: DHCP, NAT, … should work smoothly
      • VLAN support (?)
      • VPN support (?)
    – E.g., clients should be able to send/receive Internet messages and browse the web, if paths exist
  • Additional mesh management messages may still be required
  • Power efficiency not considered (as yet)

Prototyping Efforts (slide 22)

  • Working on single- and multi-radio prototypes that follow the proposal
  • Consideration of the existing architecture has guided many decisions
    – Reuse as much of the existing MAC as possible, but we need a new view of what an AP can do, e.g.,
      • The MPAP should be able to initiate an active scan (currently not typical)
      • The MPAP should be able to associate (establish a WDS link) and authenticate to another MPAP to use the WDS link under 802.1X procedures (e.g., as a supplicant)
      • The MPAP should be able to perform as an authenticator after becoming authenticated (as a supplicant)

Performance Simulation (slide 23)

  • 8*4 MPs in a grid structure, 100 static STAs
  • Each STA starts one CBR (4 kbps) flow. 50% of the destinations are located outside the mesh
  • Evaluation of full topology update in basic mode
  • BW = 11 Mbps, 12 MPs interfere with the central portal

[Figure: simulation results for four configurations, labelled 1 Ch 1 PL, 2 Ch 1 PL, 2 Ch 2 PL and 2 Ch 4 PL (number of channels and number of portals).]

Summary/Conclusions (slide 24)

  • Basic extensible mesh framework defined
    – Simple base components defined
      • routing, QoS, autoconfiguration
    – Two modes of security
      • Infrastructure and infrastructureless
    – Options to extend components
  • Work is continuing on several open issues
    – Interface with external networks, QoS
  • Performance simulations of base components underway
  • Prototyping effort using COTS radios

We are looking to harmonize/partner with other proposals. Please contact us!