EBUG @ 2002/10/05
IP Mobility / 802.11 Wireless Network / 802.1x
2002/11/18
Copyright 2002 Tomoharu SATO / Internet Research Institute Inc.

EBUG, ftp.jp.freebsd.org, netbsd
Agenda
1. IP Mobility and wireless LAN
2.
3. IEEE 802.11 Wireless Network
4. IEEE 802.11
5. IEEE 802.1x / I-D, RADIUS, EAP types
6.
7.

IP Mobility and wireless LAN
- Wireless LAN: PC, PDA; Hot Spot, Hot Zone
- IMT-2000: NTT FOMA
- ALL IP, 4G, IP Mobility, Vertical Handover
- Mobile IPv6 (IETF, 2002/7)
- Internet ITS, DSRC
Wireless LAN (Local Area Network)
- Hand off

Wireless LAN:
- IEEE 802.11
- Apple iMac (AirPort) wireless LAN (1999)
- Lucent, Intersil
- 2.4GHz, 5GHz, 25GHz: SpeedNet, WIS
- NTT, Y!BB Mobile
- MIS, Yahoo! BB
Why 802.11b?
- Office: Apple
- Home Networking: HomeRF (FHSS) vs 802.11b
- Wireless LAN vs Bluetooth
- Embedded

Wireless LAN: NTT Com
- IP Mobility Network
- Mobile Ad-hoc Network
Hot spot services (as of 2002/9)
- M (NTT), Mzone (NTT), NTT-ME, NTT-BP
- NTT, NTT-BP, NTT-ME, am/pm, JR, MIS, Yahoo! BB Mobile, Yahoo! Café

Hot Spot / Mobile Internet Service
- 802.11b
- ASTEL PHS, PHS IP
- MIS: Mobile IP, LIN6, Packet Air
- Air Broadband Communications
FWA: xDSL, FTTH
- SpeedNet (IEEE 802.11 FH)
- Wireless Internet Service (IEEE 802.11b)
- NTT-ME
- SOMA Networks (2.6GHz OFDM, 12Mbps)
- NTT Communications B FWA, NTT

Wireless LAN: Non-PC, Ultra Wide Band, Software Defined Radio, Cognitive Radio
Ubiquitous Networking, IPv6, Perimeter Model
Perimeter Security
- Perimeter Model
- CodeRed, Nimda
- Host Security

Host-to-Host Security Model
- CodeRed
- IPv6, Ubiquitous Networking
1.
2.
3.
4.
5.
6. Wireless LAN
7. IPv6
Wireless LAN: War Driving; HotSpot

Wireless LAN, Internet, IP; TCP/IP
802.11 Wireless Network

802.11 Wireless Networks
- IEEE 802.11
- Wi-Fi (Wireless Fidelity): 802.11b
- Ethernet, ether
802.11 Wireless Networks: L2 GW, V-LAN, L3

CSMA/CA
- CSMA (Carrier Sense Multiple Access): a STA listens to the medium before sending
- CA (Collision Avoidance) rather than CD (Collision Detection): collisions are avoided, not detected
- RTS / CTS / DATA / ACK exchange between a STA and its peer; other STAs defer
802.11, WECA: STA, AP, Client

Security by TCP/IP layer
  L5,6,7 Application : SSL/TLS
  L4     TCP/UDP     :
  L3     IP          : IPsec
  L1,2   802.11      : 802.11 security, 802.1x, MAC address
Wireless LAN security: L1,2
IEEE 802 family (IEEE Std 802.11, 1999 Edition)
- 802.10
- 802.1 (d, e, f, h, q, x)
- 802.2
- 802.1 (c, g, w)
- 802.3 CSMA/CD
- 802.4 Token Bus
- 802.5 Token Ring
- 802.6 Distributed Queue Dual Bus
- 802.11 Wireless LAN
- 802.12 Demand Priority

IEEE 802.11 family
PHY
- IEEE 802.11b: 2.4GHz wireless LAN (11Mbps)
- IEEE 802.11g: 2.4GHz wireless LAN (54Mbps)
- IEEE 802.11a: 5GHz wireless LAN (54Mbps)
- IEEE 802.11h, IEEE 802.11d, IEEE 802.11c
MAC
- IEEE 802.11e: QoS
- IEEE 802.11f
- IEEE 802.11i: security
IEEE 802.11b
- 11Mbps (2~3Mbps)
- 14 channels (11), 22MHz, 5
- 2.4~2.497GHz, shared with Bluetooth
- CCK; DSSS (Direct Sequence Spread Spectrum) 5.5/11Mbps

IEEE 802.11a
- 54Mbps (24~30Mbps)
- 5.15~5.25GHz; 4.9~5.1GHz
- OFDM
802.11a/11b NIC: built-in security
- Service Set Identifier (SSID)
- Open or Shared Key Authentication
- MAC Address Authentication
- Wired Equivalent Privacy (WEP)
- PDA: PIN

Wireless LAN: WEP; wireless LAN PC; 802.1x
Service Set Identifier (SSID)

SSID (ESS-ID)
- ESS-ID
- trivial default ESS-IDs
802.11 Association negotiation
Two authentication methods:
- Shared Key Authentication: challenge/response using the WEP key
- Open Authentication (AP)

802.11 Association negotiation (continued)
- Man-in-the-middle attack
- Shared Key Authentication leaks WEP keystream: the plaintext challenge XOR the WEP-encrypted response is the RC4 keystream for that IV
802.11 MAC address filtering
- The AP keeps a MAC address list (IEEE 802.1): 00094000000B, 00094000000C
- STA1, STA2, STA3 carry 00094000000B, 00094000000C, 00094000000D; only the listed STAs reach the DS

802.11 MAC: Open Authentication / Shared Key Authentication, WEP, MAC
Wired Equivalent Privacy (WEP)

WEP
- 24-bit IV || 40/104-bit key -> PRNG (RC4) -> keystream
- 802.11 frame payload || CRC32 ICV, XOR keystream -> ciphertext
PRNG: Pseudo Random Number Generator; IV: Initialization Vector; ICV: Integrity Check Value; FCS: Frame Check Sequence; XOR: exclusive OR; CRC: Cyclic Redundancy Checksum; MAC: Media Access Control
WEP procedure
1. Enable WEP on the AP
2. WEP key: 40 or 104 bit
3. IV: 24 bit, giving the 64-bit/128-bit WEP key (IV || key)
4. RC4 seeded with the 64-bit/128-bit key
5. CRC32 ICV over the payload
6. RC4 keystream XOR (payload || ICV)
7. IV sent in the clear with the frame
IV: Initialization Vector. RC4: Ron's Code 4 (Ron Rivest, RSA Security), also used in SSL.

WEP weaknesses
- UCB: RC4 is a stream cipher, key XOR (keystream reuse); the ICV is a CRC32 checksum
- Maryland: network name (SSID), MAC address
- Unauthenticated DH key agreement: man-in-the-middle attack
- WEP key scalability -> 802.1x, EAP-TLS
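A worked version of the procedure above, added here as an example (not the slides' own code). The key, IVs and payloads are constructed for illustration. It encrypts and decrypts a frame as in steps 3-7, then demonstrates the two UCB findings: keystream recovery when an IV repeats, and fixing up the CRC32 ICV after flipping ciphertext bits without knowing the key.

```python
"""WEP as on the slides: RC4 seeded with IV || key, CRC-32 ICV, XOR with the
keystream. Added example, not the slides' code; key, IVs and payloads below
are constructed for illustration."""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 KSA + PRGA. The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """WEP ICV: CRC-32 of the plaintext, little-endian on the wire."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Steps 3-7: seed = IV || key (64 or 128 bit), body = RC4(payload || ICV),
    and the 24-bit IV travels in the clear in front of the body."""
    if len(key) not in (5, 13) or len(iv) != 3:
        raise ValueError("WEP key must be 40 or 104 bits, IV 24 bits")
    return iv + rc4(iv + key, payload + icv(payload))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (payload, icv_ok). A good ICV proves nothing against someone
    who edits the ciphertext: see forge_frame()."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + key, body)
    payload, got = clear[:-4], clear[-4:]
    return payload, got == icv(payload)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_iv_reuse(frame_a: bytes, plaintext_a: bytes, frame_b: bytes) -> bytes:
    """Keystream reuse: two frames under the same IV share an RC4 keystream K, so
    C_a XOR C_b = P_a XOR P_b. Knowing P_a yields the matching prefix of P_b."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs: keystreams differ, nothing to recover")
    keystream = xor(frame_a[3:], plaintext_a)   # K = C_a XOR P_a (as far as P_a is known)
    return xor(frame_b[3:], keystream)           # P_b = C_b XOR K


def forge_frame(frame: bytes, mask: bytes) -> bytes:
    """CRC-32 is linear: crc(P XOR D) = crc(P) XOR crc(D) XOR crc(0...0), so the
    attacker XORs D into the encrypted payload and the matching delta into the
    encrypted ICV, and the receiver's ICV check still passes."""
    body = frame[3:]
    if len(mask) != len(body) - 4:
        raise ValueError("mask must cover exactly the payload")
    delta_icv = xor(icv(mask), icv(bytes(len(mask))))
    return frame[:3] + xor(body, mask + delta_icv)
```

The RC4 routine is checked against the standard "Key"/"Plaintext" test vector; the forgery flips the last character of a constructed payload and the decrypting side still reports the ICV as valid.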
802.11 security: problems and countermeasures
  Authentication : MAC address -> RADIUS UserID/password (EAP, 802.1x)
  ESSID "ANY"    : any STA can capture frames, and the AP beacons the ESSID -> (EAP, 802.1x)
  Key            : -> per-user, per-session key (EAP, 802.1x)
  WEP IV         : 24-bit IV (Initialization Vector) even with a 128-bit key -> (WEP2, 802.1x)

Dynamic keys, secure roaming between APs; overhead; deployment
802.11i (MAC Enhancements for Enhanced Security)
- Temporal Key Integrity Protocol (TKIP): WEP re-keying
- Message Integrity Code (MIC): WEP, 16 bytes
- 802.1X keying/rekeying
- Advanced Encryption Standard (AES): replaces RC4-based WEP/WEP2, 128 bit
- Encryption of management frames
- Re-keying (dynamic WEP)
- Roaming and key hand-off
- Reuse of the 802.1X EAPOL-Key message

802.1x
IEEE 802.1x - Port-Based Network Access Control
- Supplicant (client), Authenticator (AP, switch), Authentication server (RADIUS)
- Supplicant PAE <- EAP over LAN -> Authenticator PAE <- EAP over RADIUS -> Authentication server
- While the port is unauthenticated the LAN port is disabled for that MAC; the access service opens only after authentication
- PAE: Port Access Entity

802.1x EAPOL
EAP packet format (RFC2284, PPP Extensible Authentication Protocol)
  Octet 1    : Code (1 = Request, 2 = Response, 3 = Success, 4 = Failure)
  Octet 2    : Identifier (matches a Request with its Response within an EAP session)
  Octets 3-4 : Length (header + data)
  Octets 5-  : Data; for Request/Response the first data octet is the EAP type (smart card, Kerberos, public key, one-time password, etc.)
EAP was defined for PPP (Point to Point Protocol); 802.1x carries it as EAP over LAN and EAP over RADIUS.

EAP over LAN (EAPoL) frame
  Octets 1-2 : Ethernet Type 0x888E, between Supplicant PAE and Authenticator PAE (PAE group address ends in 0x03); encapsulations for 802.11, 802.3, 802.5
  Octet 3    : Protocol Version 0x01
  Octet 4    : Packet Type
      0x00 EAP-Packet: body is an EAP packet
      0x01 EAPOL-Start: supplicant asks the authenticator to start EAP
      0x02 EAPOL-Logoff: supplicant ends the session
      0x03 EAPOL-Key: body is a Key Descriptor (WEP descriptor format)
      0x04 EAPOL-Encapsulated-ASF-Alert: SNMP alert
  Octets 5-6 : Packet Body Length
  Octets 7-n : Packet Body
PAE: Port Access Entity
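The two formats above as working builders and parsers, added here as an example (not the slides' code). It produces the EAPOL-Start, EAP-Request/Identity and EAP-Response/Identity frames that open the 802.1x sequence; the MAC addresses and identity are constructed, and the parser rejects frames whose length fields disagree with the bytes on the wire.

```python
"""EAP (RFC 2284) and EAPOL (IEEE 802.1X) builders/parsers for the formats on
the slides. Added example, not the slides' code; MACs and identity below are
constructed for illustration."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # destination of EAPOL on a LAN
EAPOL_VERSION = 1
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def build_eap(code: int, identifier: int, eap_type: int = None, data: bytes = b"") -> bytes:
    """Code | Identifier | Length | [Type | Type-Data]. Success/Failure carry no Type."""
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if eap_type is None:
            raise ValueError("Request/Response need an EAP type")
        body = bytes([eap_type]) + data
    elif code in (EAP_SUCCESS, EAP_FAILURE):
        if eap_type is not None or data:
            raise ValueError("Success/Failure carry no data")
        body = b""
    else:
        raise ValueError("unknown EAP code %d" % code)
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt: bytes) -> dict:
    """Parse an EAP packet; bytes beyond Length are ignored, a Length beyond the
    buffer is an error."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length %d inconsistent with %d bytes" % (length, len(pkt)))
    out = {"code": code, "id": identifier}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response missing Type")
        out["type"], out["data"] = pkt[4], pkt[5:length]
    elif code in (EAP_SUCCESS, EAP_FAILURE):
        if length != 4:
            raise ValueError("Success/Failure must be exactly 4 bytes")
    else:
        raise ValueError("unknown EAP code %d" % code)
    return out


def build_eapol(packet_type: int, body: bytes = b"") -> bytes:
    """Version | Packet Type | Body Length | Body (Ethernet header not included)."""
    if packet_type not in EAPOL_TYPES:
        raise ValueError("unknown EAPOL packet type %d" % packet_type)
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def parse_eapol(frame: bytes) -> dict:
    """Parse Ethernet header + EAPOL; Ethernet padding after Body Length is ignored."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame (ethertype 0x%04x)" % ethertype)
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if ptype not in EAPOL_TYPES:
        raise ValueError("unknown EAPOL packet type %d" % ptype)
    if 18 + body_len > len(frame):
        raise ValueError("EAPOL Body Length exceeds the frame")
    out = {"dst": dst, "src": src, "version": version,
           "type": EAPOL_TYPES[ptype], "body": frame[18:18 + body_len]}
    if ptype == 0:
        out["eap"] = parse_eap(out["body"])
    return out


def ethernet(dst: bytes, src: bytes, payload: bytes) -> bytes:
    frame = dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + payload
    return frame + bytes(max(0, 60 - len(frame)))     # pad to the Ethernet minimum


def identity_exchange(supplicant_mac: bytes, authenticator_mac: bytes, identity: bytes):
    """First three frames of the 802.1x sequence: EAPOL-Start (to the PAE group
    address), EAP-Request/Identity, EAP-Response/Identity (same Identifier)."""
    start = ethernet(PAE_GROUP_ADDRESS, supplicant_mac, build_eapol(1))
    request = ethernet(supplicant_mac, authenticator_mac,
                       build_eapol(0, build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)))
    response = ethernet(authenticator_mac, supplicant_mac,
                        build_eapol(0, build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity)))
    return start, request, response
```

Note that EAP-Request/Identity encodes to 01 01 00 05 01 and, inside EAPOL, to 01 00 00 05 01 01 00 05 01; the Identifier is what ties a Response to its Request.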
RADIUS packet format (RFC2869 RADIUS Extensions: EAP-Message (79), Message-Authenticator (80); a RADIUS proxy relays EAP unchanged)
  Octet 1     : Code
      1 Access-Request, 2 Access-Accept, 3 Access-Reject, 4 Accounting-Request, 5 Accounting-Response,
      11 Access-Challenge, 12 Status-Server (experimental), 13 Status-Client (experimental), 255 Reserved
  Octet 2     : Identifier (matches requests with replies)
  Octets 3-4  : Length (whole packet, at most 4096 bytes)
  Octets 5-20 : Authenticator (16 octets; value specific to the authentication)
  Octets 21-n : Attributes

802.1x authentication sequence (Supplicant / Authenticator (AP) / Authentication server (RADIUS))
  Supplicant -> AP : Associate (SSID)
  Supplicant -> AP : EAPoL-Start
  AP -> Supplicant : EAP-Request/Identity
  Supplicant -> AP : EAP-Response/Identity
  AP -> RADIUS     : RADIUS-Access-Request
  RADIUS -> AP     : RADIUS-Access-Challenge (EAP-type)
  AP -> Supplicant : EAP-Request (EAP-type)
  Supplicant -> AP : EAP-Response
  AP -> RADIUS     : RADIUS-Access-Request
  RADIUS -> AP     : RADIUS-Access-Challenge
  AP -> Supplicant : EAP-Request
  Supplicant -> AP : EAP-Response
  AP -> RADIUS     : RADIUS-Access-Request
  RADIUS -> AP     : RADIUS-Access-Accept
  AP -> Supplicant : EAP-Success
  AP -> Supplicant : EAPoL-Key (key)
  Access granted
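The EAP-over-RADIUS leg of the sequence above, added here as an example (not the slides' code): the authenticator builds an Access-Request carrying the supplicant's EAP-Response in EAP-Message attributes, protected by the Message-Authenticator (HMAC-MD5 over the packet under the shared secret, RFC2869); the server answers with an Access-Challenge whose Response Authenticator is bound to the Request Authenticator. The shared secret, identifiers and EAP bytes are constructed. A practitioner's check is built in: an Access-Request that carries EAP-Message without Message-Authenticator, or with a bad one, is rejected, and an EAP packet longer than 253 bytes is split across several EAP-Message attributes and reassembled in order.

```python
"""RADIUS Access-Request / Access-Challenge carrying EAP with the RFC 2869
EAP-Message (79) and Message-Authenticator (80) attributes. Added example, not
the slides' code; secret, identifiers and EAP payloads are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
MAX_PACKET = 4096


def encode_attrs(attrs) -> bytes:
    """Type | Length | Value, Length covering all three (so Value <= 253 bytes)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value longer than 253 bytes; fragment it")
        out += bytes([t, len(v) + 2]) + v
    return out


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def eap_message_attrs(eap: bytes):
    """An EAP packet longer than 253 bytes spans consecutive EAP-Message attributes."""
    return [(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253)]


def reassemble_eap(attrs) -> bytes:
    return b"".join(v for t, v in attrs if t == EAP_MESSAGE)


def sign(code, ident, authenticator, attrs, secret) -> bytes:
    """Append Message-Authenticator = HMAC-MD5(secret, packet) computed with the
    attribute's 16 value bytes zeroed (RFC 2869 section 5.14)."""
    attrs = [a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR] + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, hdr + body, hashlib.md5).digest()
    return hdr + body[:-16] + mac


def build_access_request(ident, attrs, secret, request_auth=None):
    """Request Authenticator is 16 random bytes; the client keeps it to check the reply."""
    request_auth = request_auth or os.urandom(16)
    return sign(ACCESS_REQUEST, ident, request_auth, attrs, secret), request_auth


def build_response(code, ident, request_auth, attrs, secret) -> bytes:
    """Challenge/Accept/Reject: Message-Authenticator is computed with the Request
    Authenticator in the header, then the field becomes the Response Authenticator
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    pkt = sign(code, ident, request_auth, attrs, secret)
    resp_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def verify(pkt: bytes, secret: bytes, request_auth: bytes = None):
    """Return (ok, reason). For a response, pass the Request Authenticator we sent."""
    if len(pkt) < 20:
        return False, "shorter than the RADIUS header"
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length > MAX_PACKET:
        return False, "bad Length field"
    try:
        attrs = decode_attrs(pkt[20:])
    except ValueError as e:
        return False, str(e)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if any(t == EAP_MESSAGE for t, _ in attrs) and not macs:
        return False, "EAP-Message present without Message-Authenticator: discard"
    if not macs:
        return True, "no Message-Authenticator to check"
    if len(macs) != 1 or len(macs[0]) != 16:
        return False, "malformed Message-Authenticator"
    if code == ACCESS_REQUEST:
        auth_for_hmac = pkt[4:20]
    else:
        if request_auth is None:
            return False, "need the Request Authenticator to verify a response"
        expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
        if not hmac.compare_digest(expected, pkt[4:20]):
            return False, "bad Response Authenticator"
        auth_for_hmac = request_auth
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected_mac = hmac.new(secret, pkt[:4] + auth_for_hmac + encode_attrs(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected_mac, macs[0]):
        return False, "bad Message-Authenticator"
    return True, "ok"
```

Without the Message-Authenticator, an Access-Request has no integrity protection at all (the Request Authenticator is just a random nonce), which is why RFC2869 requires it whenever EAP-Message is present.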
EAP types
- EAP-MD5
- EAP-TLS: TLS (SSL) certificates
- EAP-LEAP: Cisco, RADIUS
- EAP-TTLS: TLS
- EAP-SKE: Shared Key Exchange
- PEAP: Protected Extensible Authentication Protocol
- EAP-SRP: Secure Remote Password
- EAP-AKA: UMTS AKA
- EAP-SIM: GSM SIM (GSM Subscriber Identification Module)
- EAP-MAKE: Mutual Authentication (Diffie-Hellman, PKI)
- EAP-GSS

TLS (Transport Layer Security) handshake protocol (RFC2246, TLS 1.0; SSL 3.0)
- Hello_request
- Client_hello / Server_hello: protocol version, session ID, cipher negotiation
- Certificate (X.509 v3)
- Server_key_exchange (RSA, Diffie-Hellman)
- Certificate_request
- Server_hello_done
- Client_key_exchange
- Certificate_verify
- Change_cipher_spec
- Finished
TLS negotiation (client / server)
  Client -> Server : Client_hello (Cipher Suites)
  Server -> Client : Server_hello (selected Cipher Suite)
  Server -> Client : Server_Certificate (the SSL server certificate)
  Server -> Client : Server_Key_Exchange (when the Certificate alone is not sufficient)
  Server -> Client : Certificate_request
  Server -> Client : Server_Hello_Done
  Client -> Server : Client_Certificate
  Client -> Server : Client_KeyExchange (premaster secret)
  Client -> Server : Certificate_Verify
  Client -> Server : Change_Cipher_Spec, Finished
  Server -> Client : Change_Cipher_Spec, Finished

EAP-TLS (RFC2716, EAP TLS Authentication Protocol)
- EAP Identity / Success / Failure
- Fragmentation and reassembly
- AP hand-off (TLS Session ID)
- Client, AP
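The "fragmentation and reassembly" item above, added here as a worked example (not the slides' code). An EAP-TLS packet is the EAP header, Type 13, a Flags byte (L = length included, M = more fragments, S = start) and, when L is set, the total TLS message length; a TLS certificate chain rarely fits one EAP packet. The TLS bytes and MTU are constructed. The reassembler refuses a chain whose declared length is not met, one that delivers more than declared, and one that ends while M is still set.

```python
"""EAP-TLS fragmentation and reassembly (RFC 2716). Added example, not the
slides' code; the TLS record bytes and the MTU are constructed."""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More fragments, Start


def fragment(code: int, first_id: int, tls_data: bytes, max_eap_len: int = 1020):
    """Split tls_data into EAP-TLS packets of at most max_eap_len bytes. The first
    fragment carries L and the total length; every fragment but the last carries M.
    Identifiers increase per packet, since each fragment is its own EAP round trip."""
    if max_eap_len < 11:
        raise ValueError("max_eap_len too small to carry any TLS data")
    pkts, off, ident = [], 0, first_id
    while True:
        first = off == 0
        room = max_eap_len - (10 if first else 6)
        chunk = tls_data[off:off + room]
        off += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if off < len(tls_data) else 0)
        body = bytes([EAP_TYPE_TLS, flags])
        if first:
            body += struct.pack("!I", len(tls_data))
        body += chunk
        pkts.append(struct.pack("!BBH", code, ident, 4 + len(body)) + body)
        ident = (ident + 1) & 0xFF
        if off >= len(tls_data):
            return pkts


def ack(identifier: int) -> bytes:
    """Zero-data EAP-TLS Response with which the peer asks for the next fragment."""
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 6) + bytes([EAP_TYPE_TLS, 0])


def reassemble(pkts) -> bytes:
    """Concatenate fragments, checking the declared length, the M-flag chain and
    that no fragment delivers more data than was announced."""
    buf, total = bytearray(), None
    for n, p in enumerate(pkts):
        if len(p) < 6:
            raise ValueError("fragment %d shorter than an EAP-TLS header" % n)
        code, ident, length = struct.unpack("!BBH", p[:4])
        if length != len(p) or p[4] != EAP_TYPE_TLS:
            raise ValueError("fragment %d: bad Length or not EAP-TLS" % n)
        flags, pos = p[5], 6
        if flags & FLAG_L:
            if length < 10:
                raise ValueError("fragment %d: L set but no TLS Message Length" % n)
            declared = struct.unpack("!I", p[6:10])[0]
            pos = 10
            if n == 0:
                total = declared
            elif declared != total:
                raise ValueError("fragment %d: declared length changed" % n)
        elif n == 0 and flags & FLAG_M:
            raise ValueError("first fragment of a fragmented message must carry L")
        buf += p[pos:]
        if total is not None and len(buf) > total:
            raise ValueError("received %d bytes, more than the declared %d" % (len(buf), total))
        if not flags & FLAG_M:
            if total is not None and len(buf) != total:
                raise ValueError("last fragment reached with %d of %d bytes" % (len(buf), total))
            return bytes(buf)
    raise ValueError("ran out of fragments while M was still set")
```

Bounding the buffer by the declared TLS message length is what keeps a peer from growing the reassembly buffer without limit; the length check on the last fragment is what catches a dropped or truncated fragment.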
EAP-TLS: TLS negotiation carried in EAP

EAP-TTLS (Tunneled TLS), draft-ietf-pppext-eap-ttls-02
- EAP Identity / Success / Failure
- Fragmentation and reassembly
- AP hand-off (TLS Session ID)
- Client <-> TTLS server: TLS handshake, then authentication inside the TLS tunnel
EAP-TTLS: TLS negotiation, then TLS tunnel

PEAP (Protected EAP), draft-josefsson-pppext-eap-tls-eap-05
- EAP Identity / Success / Failure inside the tunnel
- Fragmentation and reassembly (PEAP request/response Flags field)
- AP hand-off (TLS Session ID)
- TLS handshake, then EAP inside the TLS tunnel
PEAP: the AP passes EAP through; TLS negotiation, then TLS tunnel

PEAP key
IPsec VPN
- L3, password; STA, AP, VPN
SSH
- IPsec vs ssh tunnel; passcode; split-tunnel

Web (captive portal) authentication
- Backend: RADIUS, LDAP, passwd, Kerberos etc.
- AP -> Access Control + Web -> The Internet
- Web login over SSL for secure authentication
APOP, delegate, SMTP-Auth, SMTP over SSL, sftp; NAT-Traversal, Firewall + NAT
1.
2.
3.
4.
5.
6. Wireless LAN
7. IPv6, P2P

801.1: Radius, CA (CRL), DRM, AAA
Wireless LAN security
- WEP + MAC address filtering
- 802.1x (EAP)
- L3 (VPN)

Wireless LAN: 2.4GHz, PCMCIA, OS, IP-GW, BSD, Linux :-)
IEEE 802.11

IEEE 802.11 terminology (1)
- STA: station on the 802.11 Wireless Medium
- AP: access point
- Association: binding between a STA and an AP
- BSS: basic service set; BSA: basic service area (coverage of a BSS)
- BSSID: BSS identifier, the AP's MAC address
- SS: Station Service, STA-level services within a BSS, including delivery of MAC service data units
- Ad hoc network: STA1, STA2, STA3 without an AP; Infrastructure network: STAs through an AP
IEEE 802.11 terminology (2)
- DS: Distribution System (interconnects BSSs)
- DSS: Distribution System Service
- ESS: Extended Service Set (BSSs joined through a DS); ESA: Extended Service Area
- ESSID: ESS identifier
- Roaming: STA3 moves from BSS1 to BSS2 within the ESS, across AP / DSS

STA state machine and frame classes
  State 1: Unauthenticated, Unassociated : Class 1 frames only
  State 2: Authenticated, Unassociated   : Class 1 & 2
  State 3: Authenticated, Associated     : Class 1 & 2 & 3
  Transitions: Authentication 1 -> 2; Association / Reassociation 2 -> 3; Disassociation 3 -> 2; Deauthentication 2 -> 1 or 3 -> 1

  Class 1  control    : RTS, CTS, ACK, CF-END, CF-END+ACK
           management : Probe request/response, Beacon, Authentication, Deauthentication
           data       : data frames with FC bits To DS and From DS both false
  Class 2  management : Association request/response, Reassociation request/response, Disassociation
  Class 3  data       : data frames
           management : Deauthentication
           control    : PS-Poll
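The state machine and class table above as runnable code, added here as an example (not the slides' code); the frame sequence fed to it is constructed. It gates each frame by class against the current state and applies the four transitions. Two consequences worth seeing in a trace: a Class 3 data frame from a station in State 1 or 2 is dropped, and because Deauthentication is a Class 1 frame it is accepted in every state and returns the station to State 1 (802.11-1999 management frames carry no protection; the 802.11i list above includes encryption of management frames for this reason).

```python
"""802.11-1999 STA state machine: three states, three frame classes, as on the
slide. Added example, not the slides' code; the frame sequence is constructed."""

FRAME_CLASS = {
    # Class 1: accepted in every state
    "RTS": 1, "CTS": 1, "ACK": 1, "CF-END": 1, "CF-END+ACK": 1,
    "ProbeRequest": 1, "ProbeResponse": 1, "Beacon": 1,
    "Authentication": 1, "Deauthentication": 1, "Data(ToDS=0,FromDS=0)": 1,
    # Class 2: needs State 2 or 3
    "AssociationRequest": 2, "AssociationResponse": 2,
    "ReassociationRequest": 2, "ReassociationResponse": 2, "Disassociation": 2,
    # Class 3: needs State 3
    "Data": 3, "PS-Poll": 3,
}

STATE_NAMES = {1: "Unauthenticated/Unassociated",
               2: "Authenticated/Unassociated",
               3: "Authenticated/Associated"}


class Station:
    def __init__(self):
        self.state = 1

    def allowed(self, frame: str) -> bool:
        """A frame of class c is accepted only when state >= c."""
        return FRAME_CLASS[frame] <= self.state

    def receive(self, frame: str, success: bool = True):
        """Apply one received frame. Returns (accepted, state_after). Frames of a
        class above the current state are rejected; management frames that
        complete successfully move the state along the slide's transitions."""
        if frame not in FRAME_CLASS:
            raise ValueError("unknown frame " + frame)
        if not self.allowed(frame):
            return False, self.state
        if frame == "Authentication" and success and self.state == 1:
            self.state = 2
        elif frame in ("AssociationResponse", "ReassociationResponse") and success and self.state == 2:
            self.state = 3
        elif frame == "Disassociation" and self.state == 3:
            self.state = 2
        elif frame == "Deauthentication":
            self.state = 1
        return True, self.state


def run(frames):
    """Feed a frame sequence to a fresh STA and return the (accepted, state) trace."""
    sta = Station()
    return [sta.receive(f) for f in frames]
```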