A VPN based approach to secure WLAN access

John Floroiu
floroiu@fokus.fhg.de

Goal

• Design and implementation of a protocol enabling mobile users visiting foreign WLAN domains to securely access network resources in the Internet
  – Authenticating mobile users
  – Protecting the data traffic of the clients

Reason

• Various attacks (passive, active, man-in-the-middle) are easier to mount in a WLAN because potential attackers may be located on the same link

• Initial message exchange between visiting nodes and a foreign WLAN domain is unprotected

Reason

[Figure: network diagram with the labels Nomadic Nodes, Access Point, Access Router, Campus Network]

Possible approaches

• EAP-based protocols
  – Compound authentication methods aimed at securing legacy authentication protocols
• VPN-based methods
  – Provide an IPsec overlay to WLANs
  – More flexibility in negotiating cryptographic material (protocols, transforms, SPI)

Outline of the protocol

• High level requirements
  – Authenticate users in an inter-domain environment
  – Provide strong security mechanisms to support per-user encryption and cryptographic material to other potential applications/protocols (Mobile IP)
  – Exhibit robustness to DoS (resource depletion, replay attacks, computational DoS)

Outline of the protocol

• Sets up an IPsec tunnel over the wireless link
• Uses AAA for inter-domain authentication
  – Based on shared secrets, timestamps (similar to MIPv4)
• ISAKMP for key exchange
  – Phase 1 exchange piggybacked into the AAA authentication request/answer
  – Phase 2 takes place between the client and the access router
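
An added example, not taken from the presentation: one way a home AAA server could check a request authenticated with a shared secret and a timestamp, and reject replays, as the outline above describes. The message layout, HMAC-SHA256, the 7-second window and all names are assumptions for illustration, not the protocol's actual format.

```python
import hashlib
import hmac
import struct

WINDOW = 7  # accepted clock skew in seconds (assumed value)
TAG_LEN = 32  # HMAC-SHA256 output size


def build_request(secret: bytes, user: str, payload: bytes, now: int) -> bytes:
    """Client: len(user) | user | timestamp | payload | authenticator."""
    uid = user.encode()
    body = struct.pack("!H", len(uid)) + uid + struct.pack("!Q", now) + payload
    return body + hmac.new(secret, body, hashlib.sha256).digest()


class AaaVerifier:
    """Home AAA server: checks authenticator, freshness and replay."""

    def __init__(self, secrets):
        self.secrets = secrets  # user -> shared secret
        self.last_seen = {}     # user -> newest timestamp accepted so far

    def verify(self, msg: bytes, now: int) -> str:
        if len(msg) < 2 + 8 + TAG_LEN:
            return "malformed"
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        (ulen,) = struct.unpack("!H", body[:2])
        if len(body) < 2 + ulen + 8:
            return "malformed"
        user = body[2:2 + ulen].decode(errors="replace")
        (ts,) = struct.unpack("!Q", body[2 + ulen:10 + ulen])
        secret = self.secrets.get(user)
        if secret is None:
            return "unknown-user"
        expected = hmac.new(secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "bad-authenticator"
        if abs(now - ts) > WINDOW:
            return "stale"  # captured message replayed after the window
        if ts <= self.last_seen.get(user, -1):
            return "replay"  # same or older timestamp inside the window
        self.last_seen[user] = ts  # state is kept only for authenticated users
        return "ok"
```

Because `last_seen` is updated only after the authenticator verifies, unauthenticated traffic cannot grow the server's state, which bears on the resource-depletion requirement listed earlier.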

Future work

• Local mobility – a nomadic node moves between different access routers within the same administrative domain
  – Dynamic "update" of the ends of an IPsec connection
  – Multihoming

Future work

[Figure: network diagram with the labels Nomadic Node, Access Point (twice), Access Router + Local Home Agent (twice), Campus Network]

Open issues

• Authentication of 802.11 management messages (beacon, association/re-association/disassociation request/reply)

Thank you!