
November 2005

IEEE 802.11 WG

Slide 1

doc: IEEE 802.11-05/0967r9

Submission

WAPI Position Paper

2005-11-15

Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11.

Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures <http://ieee802.org/guides/bylaws/sb-bylaws.pdf>, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair <[email protected]> as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at <[email protected]>.

Slide 2

Discussion of the parallel fast track ballots for 802.11i and WAPI

Prepared for consideration by JTC1 P-members

15 November 2005

Slide 3

Harmonisation is the most desirable outcome, and approval of WAPI will preclude harmonisation

Summary

What is the history?

• WAPI is a WLAN security amendment to 802.11 that has been promoted by the Chinese NB as an alternative to 802.11i

• WAPI became a topic of controversy in the WLAN industry in 2003, but the issue was postponed after a high level government agreement in 2004

What is the current situation?

• The “WAPI issue” resurfaced in JTC1 in 2004, resulting in parallel fast track ballots for both WAPI & 802.11i

• The parallel fast track ballots only started after the Chinese NB rejected all attempts to harmonise WAPI & 802.11i

• The parallel fast track ballots for WAPI & 802.11i allow for none, one, or both proposals to be approved

What should happen?

• Harmonisation is the most desirable outcome, and approval of WAPI will preclude harmonisation

Slide 4

WAPI is a security amendment to 802.11 promoted by the Chinese NB as an alternative to 802.11i

Summary – History

Document no.

• IEEE 802.11i: 1N7903

• Chinese NB WAPI: 1N7904

Base

• Amendment to ISO/IEC 8802-11

Authentication mechanism

• IEEE 802.11i: Disclosed algorithms; 802.1X & IETF EAP; multiple credentials

• Chinese NB WAPI: Digital certificates only; custom protocol (WAI), undisclosed parameters

Block cipher

• IEEE 802.11i: Disclosed algorithms; AES CCMP; TKIP & legacy WEP

• Chinese NB WAPI: Undisclosed block cipher crypto

Advertisement & negotiation

• IEEE 802.11i: RSN IE

• Chinese NB WAPI: WAPI IE (clone of RSN IE)

Slide 5

WAPI became a topic of controversy in the WLAN industry in 2003, but the issue was postponed

• WAPI became subject of controversy in 2003 when a regulation was announced in China to require WAPI in all WLANs sold in China

• Most of WLAN industry and various governments opposed the WAPI regulation because:

– It meant standard 802.11 equipment (without WAPI) could not be sold within China, serving no justifiable or sound regulatory need & erecting unnecessary trade barriers

– Access to the secret WAPI block cipher required a technical partnership with government selected Chinese companies, resulting in IPR and business risks

• The WAPI controversy subsided in early 2004 after the Chinese government agreed to postpone promulgation of the regulation indefinitely

– Due to legitimate concerns about hampering global trade in WLAN equipment, intervention on WAPI occurred at the highest levels of the US and Chinese governments, with Vice Premier Wu Yi (China) and Secretary of State Colin Powell (US) involved

Summary – History

Slide 6

The “WAPI issue” resurfaced in JTC1 in 2004, resulting in parallel fast track ballots for WAPI & 802.11i

• In July 2004, the WAPI controversy was reignited when a new version of WAPI was submitted to JTC1 for standardisation by the Chinese NB

• In October 2004, IEEE 802.11i was submitted for fast track ballot in JTC1 by the UK NB

• Since that time, there has been much confusion and disagreement related to the correct processes for considering WAPI & 802.11i in JTC1

– eg the Chinese NB incorrectly claims that WAPI was submitted to fast track

• The ISO/IEC Secretaries General have now decided (with support of the NBs) to attempt to resolve the controversy by sending both the WAPI & 802.11i proposed amendments to parallel fast track ballots in JTC1

Summary – Situation

Slide 7

The parallel fast track ballots started only after the Chinese NB rejected all attempts to harmonise

• ISO/IEC attempted to promote a process of harmonisation between 802.11i and WAPI, as well as the IEEE and the Chinese NB

• The IEEE actively supported the harmonisation activities by:

– Participating in meetings with the Chinese NB in US (Nov 04), Germany (Feb 05), Switzerland (May 05), China (Aug 05) & France (Aug 05)

– Repeatedly inviting the Chinese NB to participate in 802.11 activities from the time of the first WAPI controversy

– Supporting the standardisation of WAPI technology in appropriate forums

– Attempting to hold an 802.11 meeting in Beijing in May 2005 (but was unable to obtain visas for delegates)

• However, the Chinese NB steadfastly rejected all attempts to harmonise 802.11i and WAPI by:

– Walking out of the meeting in Germany (Feb 05)

– Repeatedly refusing to consider any approach except full approval of WAPI “as is,” regardless of its incompatibility with the existing 8802-11 standard and its emerging amendments

Summary – Situation

Slide 8

The parallel fast track ballots for WAPI & 802.11i allow for none, one or both proposals to be approved

Ballot outcome and result:

• WAPI: Yes, 802.11i: Yes (Parallel standards)

– Both 802.11i & WAPI are approved

– Parallel, independent and conflicting standards are inevitable if both are approved in fast track

• WAPI: Yes, 802.11i: No (WAPI only)

– WAPI is standardised in JTC1

• WAPI: No, 802.11i: Yes (802.11i only)

– 802.11i is standardised in JTC1

• WAPI: No, 802.11i: No (Reject both)

– Status quo, with no ISO/IEC security WLAN standard

Summary – Situation

Slide 9

Parallel, independent and conflicting standards are inevitable if both are approved in fast track

It is claimed a “stapled” approach is viable if both ballots are approved

The stapled approach is impossible

• One possible outcome of the fast track balloting process is that both 802.11i and WAPI are approved

• At the Beijing meeting in August 2005, the Chinese NB claimed the two amendments could be “stapled” into 8802-11 to create a new standard

• The editing instructions in 802.11i (1N7903) and WAPI (1N7904) are contradictory

• Execution of editing instructions from both proposals is impossible

• Comment resolution would most likely require years to resolve the editorial and normative technical issues – and so is not viable

Parallel standards is the only choice if both ballots are approved

• The only way to avoid the issues related to the “stapled” approach is to create two parallel and independent standards covering WLANs

• Note: the suggestion that comment resolution could harmonise WAPI & 802.11i if both were approved is also not viable because the process is not set up for making big changes

Summary – Situation - Parallel

Slide 10

The editing instructions in 802.11i (1N7903) and WAPI (1N7904) are contradictory

[Figure: examples from clause 5.7.5 of both proposals (WAPI and 802.11i) showing editorial & normative differences]

Summary – Situation – Parallel - Editing

Slide 11

Harmonisation is the most desirable outcome, and approval of WAPI will preclude harmonisation

Ballot outcome and conclusion:

• WAPI: Yes, 802.11i: Yes (Parallel standards): UNACCEPTABLE

– WAPI is generally unsuitable for approval in its current form

– Fails to meet WTO & ISO/IEC goals & results in ISO/IEC irrelevance in WLANs

• WAPI: Yes, 802.11i: No (WAPI only): UNACCEPTABLE

– WAPI is generally unsuitable for approval in its current form

– Divorces ISO/IEC from 802.11 & results in ISO/IEC irrelevance in WLANs

• WAPI: No, 802.11i: Yes (802.11i only): DESIRABLE

– 802.11i should be approved, satisfying the needs of 100’s millions of existing users

– Encourages Chinese NB to participate in harmonisation process

• WAPI: No, 802.11i: No (Reject both): LESS DESIRABLE

– A no-no vote is not defensible on any technical grounds

– Acceptable only if the Chinese NB are willing to participate in harmonisation

Summary – Conclusion

Slide 12

WAPI is generally unsuitable for approval by JTC1 in its current form

Slide 13

WAPI is generally unsuitable for approval by JTC1 in its current form

WAPI problems

WAPI is not suitable for approval via the fast track process

• WAPI is unstable and immature, making it unsuitable for consideration by fast track ballot

• Application of established “fast track” contradiction procedures should halt the WAPI fast track ballot

WAPI includes functions that are inappropriate in 8802-11

• WAPI digital certificates should be considered by JTC1/SC6/WG7 or ITU-T rather than JTC1/SC6/WG1

• WAPI authentication (WAI) should be considered by JTC1/SC27 rather than JTC1/SC6/WG1

Slide 14

WAPI is generally unsuitable for approval by JTC1 in its current form

WAPI problems

WAPI’s use of undisclosed ciphers doesn’t support standards goal of interoperable security

• WAPI’s use of undisclosed or unspecified block ciphers means global interoperability is impossible

• WAPI’s use of undisclosed or unspecified block ciphers means users assume it provides no security

WAPI ignores clearly demonstrated market requirements

• WAPI imposes WAI rather than meeting the international market requirement for RADIUS based authentication

• WAPI ignores the needs of 200+ million existing 8802-11 compliant devices

Slide 15

WAPI is unstable and immature, making it unsuitable for consideration by fast track ballot

Fast track is designed for mature & stable “existing standards”

WAPI is unstable & immature

• The ISO/IEC JTC1 fast track process is designed to enable fast processing of an “existing standard”

• It is implicitly assumed that “existing standards” are stable and mature

• The WTO (G/TBT/9) outlines principles for standards development including transparency, openness & consensus

• The WAPI document has changed multiple times since 2003, with most recent change in August 2005

• It is unclear that WAPI was developed based on WTO principles for transparency, openness & consensus

• While the Chinese NB has the right to submit WAPI to fast track, it is not suitable given its immaturity and lack of stability

• WAPI should be removed from fast track or rejected by the ballot process

• WAPI should then be considered using normal ISO non-fast track processes

WAPI is not suitable for fast track review

WAPI problems – Immature

Slide 16

WAPI has changed substantially & radically multiple times, with most recent change in August 2005

Substantive & radical changes included:

• Changing the protection scheme:

– from MSDU based

– to MPDU based

• Introducing a discovery & negotiation scheme duplicated from 802.11i

Substantive changes included supporting:

• Broadcast & multicast, which is required by modern networking

• A security MIB

• Replay protection, which is a radical change with interesting subtleties

Timeline of WAPI documents:

• May 2003: Chinese standard GB15629.11 (2003)

• July 2004: 1N7506, 6N12687

• August 2005: 1N7904

WAPI problems – Immature - Timeline

Slide 17

Application of established “fast track” contradiction procedures should halt the WAPI fast track ballot

ISO JTC1 has well established procedures for “fast track”

Despite WAPI containing contradictions, they will not be resolved

• “ISO/IEC JTC1 Directives” documents the JTC1 procedures for fast track

• They require that P-members review & comment on documents

• Any contradictions with other ISO or IEC standards must be resolved before ballot voting

• WAPI (1N7904) has multiple known “contradictions” with other standards

• However, those “contradictions” in WAPI will not be resolved before the five month ballot starts

• WAPI’s “contradictions” should be resolved according to JTC1 procedures before the five month ballot starts to avoid impinging on the rights and time of member NBs

WAPI contradictions must be resolved before fast track progresses

WAPI problems – Fast track

Slide 18

WAPI has multiple known “contradictions” with other standards

8802-11

WAPI’s digital certificate contradicts the ITU-T X.509 standard

WAPI’s authentication mechanism (WAI) does not belong in SC6

• WAPI defines a new digital certificate

• Digital certificates are outside the established scope of JTC1/SC6/WG1

• Digital certificates have previously been defined by ITU-T in X.509 (also ISO/IEC Std 9594)

• The digital certificate work in WAPI is probably best considered by ITU-T

• WAPI defines a new authentication mechanism (WAI)

• Authentication mechanisms are outside the established scope of JTC1/SC6

• This work is probably best done in JTC1/SC27

• WAPI deletes WEP from 8802-11

• This change succeeds in making 200+ million devices instantly non-compliant with an existing ISO/IEC standard

WAPI deletion of WEP “contradicts” 8802-11

WAPI problems – Fast track – Contradictions

Slide 19

There is no plan for “contradictions” in WAPI to be resolved before the 5 month ballot starts

• China NB submitted a WAPI specification as a New Work Item Proposal (NP) to JTC1 in July 04

– The entries for Proposer & Secretariat on the NP form appear to have been transposed accidentally so that it appeared that SC 6 had submitted the proposal

• The JTC1 Secretariat issued WAPI (1N7506) as a concurrent ballot on the assumption that the SC6 Secretariat had already initiated a ballot in SC6

• However, it is believed that the NP was not submitted to the SC6 Secretariat

• When the JTC1 Secretariat realised the situation they voided 1N7506 and asked the China NB to submit the proposal to SC6

• 1N7506 was never subjected to a 30 day contradiction review

• However, the China NB did not submit a WAPI specification for fast track ballot until 25 Aug 05

• The WAPI specification submitted (1N7904) is radically different from any previous submission

• ISO/IEC Secretaries General ruled in a letter (6 Sept) that 1N7904 will progress to fast track, with a 30 day contradiction review and a 5 month ballot

• However, it was also ruled that the 5 month ballot will proceed regardless of any contradictions uncovered

• This is contrary to normal ISO JTC1 practice and process

WAPI problems – Fast track – No resolution

Slide 20

WAPI digital certificates should be considered by JTC1/SC6/WG7 or ITU-T rather than JTC1/SC6/WG1

WAPI defines a digital certificate format

Digital certificates are outside the scope of JTC1/SC6/WG1

• WAPI (1N7904) defines a novel digital certificate format in 8.1.3

• ISO/IEC JTC1/SC6 WG1’s scope is MAC & PHY standards, not digital certificate standards

• The digital certification formats are already co-standardized by:

– JTC1/SC6/WG7 (ISO/IEC Std 9594)

– ITU-T (ITU-T Std X.509)

• WAPI digital certificates have a wider application than WLANs

• WAPI digital certificates do not appear to support any functions that X.509 does not already provide

• Consideration of WAPI digital certificates should be moved to:

– JTC1/SC6/WG7

– ITU-T

The WAPI certificates should be submitted to another forum

WAPI problems – Digital certificates

Slide 21

WAPI authentication (WAI) should be considered by JTC1/SC27 rather than JTC1/SC6/WG1

WAPI defines an authentication protocol called WAI

Authentication is outside the scope of JTC1/SC6/WG1

• WAPI defines a novel authentication method (WAI) in clause 8.1.4.2

• ISO/IEC JTC1/SC6/WG1 developed and maintains 8802-11

• The scope of WG1 is “Physical and data link layers”

• Authentication standards as proposed by the WAPI submission are outside the scope of ISO/IEC JTC1/SC6/WG1

• WAI is easily applicable to many environments besides wireless LAN standards eg China’s NB has signaled its intention to apply WAI to WiMAX

• JTC1/SC27 appears to be the appropriate standardization body for authentication methods

WAI should be submitted to JTC1/SC27

WAPI problems - Authentication

Slide 22

WAPI’s use of undisclosed or unspecified block ciphers means global interoperability is impossible

WAPI uses a secret or an unspecified block cipher

WAPI doesn’t enable global interoperability

• WAPI specifies the use of a block cipher within China called SMS4, which appears to be unavailable to non-Chinese parties

• WAPI suggests that another block cipher should be used in other countries, but does not specify the cipher

• It appears likely that non Chinese companies will be unable to implement WAPI based on SMS4

• WAPI based on SMS4 does not interoperate with WAPI based on any other block cipher

• The lack of at least one specified, globally available block cipher means global WAPI interoperability is impossible

• Interoperability in most countries is required by vendors, users & the standards community

• Either SMS4 must be disclosed or another disclosed block cipher must replace it

• Alternatively, WAPI should remain as a Chinese national standard rather than an international standard

WAPI must be modified to enable global interoperability

WAPI problems – Global interoperability

Slide 23

WAPI’s use of undisclosed or unspecified block ciphers means users assume it provides no security

WAPI uses undisclosed or unspecified block ciphers

WAPI’s security cannot be evaluated

• WAPI specifies the use of a block cipher within China called SMS4, which has not been publicly disclosed

• WAPI suggests that another block cipher should be used in other countries, but does not specify the cipher

• 100% of WAPI’s data security derives from the underlying block cipher

• It is impossible to independently evaluate WAPI’s security because no publicly disclosed block cipher is specified

• Without independent analysis, the market will assume that WAPI provides no security

WAPI must be modified to enable a proper security review

• Unknown security is unacceptable to governments, vendors, users & the standards community

• Either SMS4 must be disclosed or another disclosed block cipher must replace it

• Alternatively, WAPI should remain as a Chinese national standard rather than an international standard

WAPI problems – No security

Slide 24

WAPI imposes WAI rather than meeting the international market requirement for RADIUS based authentication

WAPI specifies a single authentication method called WAI

WAPI ignores the market requirement for RADIUS based authentication

• WAPI (1N7904) requires the use of WAI authentication

• In contrast, 802.11i supports RADIUS authentication

• WAI is incompatible with widely deployed RADIUS mechanisms, making WAI irrelevant to the majority of the market who have an existing large RADIUS investment

• In contrast, 802.11i was designed to satisfy the demonstrated market need for WLANs to reuse existing RADIUS infrastructure

WAPI should be modified to recognise market requirements for RADIUS

• WAI should be standardised as another authentication method available to the market

• In the meantime, WAPI should be modified to allow the use of RADIUS, as well as WAI

• This approach ensures WAPI satisfies the goal of standards to grow markets, not arbitrarily restrict them

WAPI problems – Imposes WAI

Slide 25

WAPI ignores the needs of 200+ million existing 8802-11 compliant devices

Amendments must be compatible with existing compliant devices

WAPI ignores the needs of 200+ million 8802-11 compliant devices

• It is a well accepted principle of standards development that amendments should continue to support existing compliant devices

• The 200+ million existing 8802-11 devices that cannot implement advanced security must be supported

• However, WAPI (1N7904) ignores the needs of these devices by:

– Deleting WEP

– Defining no suitable upgrade path

WAPI must be modified to recognise existing 8802-11 devices

• 802.11i (1N7903) provides an example of what WAPI must do before it begins to be acceptable:

– Deprecating rather than deleting WEP

– Defining an upgrade path using TKIP, which provides real security guarantees within the resource constraints of legacy technology

WAPI problems – Ignores existing

Slide 26

Parallel standards fail to meet WTO & ISO/IEC requirements and will result in ISO/IEC irrelevance in WLANs

Slide 27

Parallel standards fail to meet WTO & ISO/IEC goals and will result in ISO/IEC irrelevance in WLANs

Parallel problems

Contrary to ISO/IEC & WTO

Leads to ISO/IEC irrelevance

WAPI subject to IPR uncertainty

Approval of both WAPI & 802.11i in the fast track ballot is contrary to ISO & WTO goals

The approval of both WAPI & 802.11i results in divorce from future IEEE work and ISO/IEC irrelevance in WLANs

Any WAPI version of 8802-11 without IEEE support is subject to severe “IPR uncertainty”

Approve one or neither of WAPI & 802.11i

Approve only 802.11i

Approve only 802.11i

WAPI is generally unsuitable for approval by JTC1 in its current form

Slide 28

Approval by JTC1 of both WAPI & 802.11i in the fast track ballot is contrary to ISO/IEC & WTO goals

Both WTO & ISO discourage duplicate standards

Approval of 802.11i and WAPI is contrary to WTO and ISO goals

• The ISO Strategic Plan 2005-2010 clearly states one standard is preferable

• The WTO “Agreement On Technical Barriers To Trade” states that duplication of standards should be avoided

• The approval of both WAPI and 802.11i will result in two incompatible and non interoperable standards covering WLANs

Only one of 802.11i and WAPI should be approved

• NB’s under WTO rules and ISO goals have a responsibility to approve only one of the proposals

Parallel problems – ISO/WTO goals

Slide 29

Both WTO & ISO discourage duplicate standards

ISO Strategic Plan 2005-2010

• “One standard, one test, and one conformity assessment procedure accepted everywhere”

WTO “Agreement On Technical Barriers To Trade”

• “The standardizing body within the territory of a Member shall make every effort to avoid duplication of, or overlap with, the work of other standardizing bodies in the national territory or with the work of relevant international or regional standardizing bodies”

The approval of both WAPI & 802.11i results in divorce from future IEEE work & ISO/IEC irrelevance in WLANs

Approval of 802.11i & WAPI results in two independent standards

Both standards will become irrelevant over time

• If JTC1 approves both 802.11i and WAPI during the fast track then two parallel & independent standards will result

– 8802-11+802.11i

– 8802-11+WAPI

• These standards will need to be maintained & extended in the future

• IEEE will continue developing 802.11 but may not support further development of either version of 8802-11

• 8802-11 will become increasingly irrelevant because there will be no body capable & willing to properly develop it

• In the short term, it will be orphaned from many known future 802.11 amendments

Continued relevance requires that only 802.11i be approved

• All NBs have a responsibility to only approve the amendment that provides for the future relevance of ISO/IEC 8802-11 standards

• Only approval of 802.11i meets this test

ISO/IEC 8802-11 may be orphaned from many known future IEEE 802.11 amendments & corrigenda

• If IEEE 802.11 stops supporting ISO/IEC 8802-11 development then ISO/IEC 8802-11 development will be orphaned from:

– 802.11k (radio resource measurement)

– 802.11ma (rolling up 802.11e/g/h/i/j on the base/a/b/d and other corrections)

– 802.11n (high rate)

– 802.11p (vehicular)

– 802.11r (fast roaming)

– 802.11s (mesh)

– 802.11u (inter-working with external networks)

– 802.11v (wireless network management)

– 802.11w (management frame protection)

• Note that these amendments represent 1,000s of man-years of effort that JTC1 could not hope to duplicate successfully

Any WAPI version of ISO/IEC 8802-11 is subject to severe “IPR uncertainty”

IPR statements have been submitted to IEEE for 802.11

It is not clear these IPR statements apply to a WAPI version of 8802-11

• Various organisations assert rights to various elements of 802.11

• Most of these organisations have made RAND IPR statements to IEEE

• These statements apply only to the specific IEEE Standard (see IEEE IPR statement)

• These statements do not apply to an ISO standard that is substantially different from the IEEE standard

– i.e. the 8802-11 plus WAPI standard as proposed by the Chinese NB

The IPR issue needs to be understood and resolved

• An international standard that cannot be legally implemented is not very useful

• It is important for JTC1 to understand and resolve the IPR issue

802.11i is suitable for fast track approval, satisfying the needs of 100s of millions of existing users

802.11i benefits

802.11i is suitable for approval using the fast track process

• 802.11i is a stable & mature standard based on an open and international development process

802.11i provides verifiable security based on disclosed algorithms

• All 802.11i algorithms are fully specified & disclosed, enabling global interoperability

• 802.11i provides independently verified security satisfying the needs of an international standard

802.11i supports clearly demonstrated international market requirements

• 802.11i meets international market authentication requirements by supporting RADIUS authentication

• 802.11i provides a migration path for the 200 million existing 8802-11 compliant WEP-only devices

• 802.11i is being shipped in 250,000 new devices every day

802.11i is a stable & mature standard based on an open & international development process

Fast track is designed for mature & stable “existing standards”

802.11i is stable & mature

• The JTC1 fast track process is designed to enable fast processing of an “existing standard”

• It is implicitly assumed that “existing standards” are stable and mature

• The WTO (G/TBT/9) outlines principles for standards development including transparency, openness & consensus

• 802.11i was developed using an open process compatible with ISO/IEC and WTO principles

– Review by over 500 international engineers

– Independent review by cryptographers

– Sponsor ballot review by 100 reviewers

– Interoperability testing by vendor community

– 4 years of open development

• All NBs have a responsibility to approve only mature documents

802.11i is suitable for fast track review

802.11i meets international market authentication requirements by supporting RADIUS authentication

Market refused to deploy WLANs without RADIUS authentication

802.11i supports RADIUS based authentication

• Sales of 8802-11 systems lagged even before any problems with WEP were identified

• The international market demanded reuse of its established authentication technology base

• Each organisation wants to set its own authentication policy

• 802.11i was designed with the goals of

– Allowing reuse of existing RADIUS authentication

– Making RADIUS authentication as secure as possible in a WLAN

• The international market has rewarded the design by deploying 70 million devices in the first year

Only 802.11i aligns with market realities

• All NBs have a responsibility to align ISO standards with international market reality

802.11i provides a migration path for the 200 million existing 8802-11 compliant WEP-only devices

Amendments must be compatible with existing compliant devices

802.11i supports an upgrade path through TKIP

• Amendments of standards should continue to support deployed compliant devices

• 802.11i (1N7904) defines TKIP as a patch applicable to the 200 million existing WEP-only devices

• 802.11i deprecates WEP but allows its use for cases where upgrade is not economically feasible

• 802.11i defers the decision on WEP’s use to a local policy decision, not imposing policy

802.11i is compatible with ISO legacy support goals

• All NBs have a responsibility to ensure significant numbers of existing devices remain conformant

• 802.11i achieves this goal

802.11i represents market reality & is being shipped in 250,000 new devices every day

Standards need to reflect market reality

802.11i represents WLAN market reality

• It is vital that standards reflect market reality

• This means that standards must support products that are successful in the market place

• 250,000 802.11i capable devices are being shipped every day as APs, NICs and embedded devices

• The massive success of 802.11i can be contrasted to a claimed rollout of only 10,000 WAPI APs in western China after 2+ years of rollout (source: Chinese NB at Beijing meeting)

8802-11 must include 802.11i

• The NBs have a responsibility to ensure 802.11i is incorporated into 8802-11

All 802.11i algorithms are fully specified & disclosed, enabling global interoperability

ISO strives to promote global interoperability

802.11i enables global interoperability

• ISO explicitly states its business goal as promoting interoperability

– “One standard, one test, and one conformity assessment procedure accepted everywhere”

• All of 802.11i is specified in 1N7903 or in other publicly available documents

• All authentication mechanisms used by 802.11i are defined in publicly available documents

• All mandatory-to-implement 802.11i algorithms are in the public domain

• All NBs have a responsibility to only approve amendments that promote global interoperability

Only 802.11i supports global interoperability

802.11i provides independently verified security satisfying the needs of an international standard

Security claims in standards should be independently verifiable

All 802.11i security claims have been independently verified

• Standards should not make unsubstantiated security claims

• All security claims must be independently verified

• Numerous independent cryptographic reviews have verified 802.11i security claims

– Including by R. Rivest, D. Wagner, P. Rogaway, J. Jonsson, S. Langford, J. Kelsey, etc.

• No fundamental security flaw has been identified by any independent review

802.11i security is appropriate for an international standard

• All NBs have a responsibility to promote standards whose security claims are independently verified

A no-no vote is not defensible on any technical grounds

• There is substantial technical justification for a yes vote on 802.11i (1N7903)

• There is substantial technical justification for a no vote on WAPI (1N7904)

A harmonised approach is desirable as long as the Chinese NB are willing to participate

• Harmonisation advantages outweigh the disadvantages

– Addresses the needs of all

– Ensures all useful technology is included

– Ensures an evolving standard that is secure, open & implementable

– Takes time but so do “good” standards

• IEEE 802 is eager to facilitate a “harmonised standard”

• IEEE 802 & ISO leadership have suggested a number of harmonisation mechanisms based on approved ISO/IEC processes for collaboration with IEEE 802

– See 8802-1:2001 (Feb 01), 6N11917 (April 01)

• So far none of the harmonisation mechanisms have been accepted by the Chinese NB

• The key to success of the harmonisation approach is Chinese NB willingness to participate

Harmonisation addresses the needs of all, providing an evolving standard that is secure, open & implementable

• Ensures all market needs (from China and rest of the world) are addressed by enabling global input

• Incorporates the best technology from both WAPI and 802.11i

• Provides a standard that is secure, open, complete and implementable

• Ensures a living standard compatible with existing & future 802.11 amendments

• Provides the best way for the Chinese NB to work constructively in international standards bodies

• Defines the only way to incorporate WAPI technology that is acceptable to the international standards community and the global WLAN market

Harmonisation takes time but so do “good” standards

• It will take substantial effort and some time to complete harmonisation

– Some elements of WAPI can be harmonised relatively quickly

— for example, SHA-256 can be integrated with 802.11 within six months

– Some elements may take longer

— for example, WAI needs to be standardised in the appropriate forum

• However, good standards inevitably take time to complete

– Time is required for complete and accurate review

– Time is required for consensus building

• We should let the engineers participating in the harmonisation process determine the best scope, solution and timing

IEEE 802 is eager to facilitate a “harmonised standard” to achieve 802.11/WAPI integration

ISO IEEE 802 802.11 SG 802.11 TG

• Agree on “harmonised standard” approach

• Either delay or approve 802.11i

• Approve formation of 802.11 Study Group

• Confirm scope of 802.11 amendment including WAPI technology

• Write 802.11 amendment

• Approved in July 2005 to support existing ISO & IEEE collaboration agreement

• SC6 NB participation invitation issued in Saint-Paul de Vence, with full SG voting rights

• SG starts in Nov 05 in Vancouver

• Participating NBs receive immediate SG voting rights

• SG can conduct interim meetings in more convenient locations, e.g. China

Previous suggestion from IEEE rejected by China NB

IEEE have suggested harmonisation mechanisms based on approved ISO/IEC collaboration processes

ISO/IEC JTC1/SC6 appoint an Ad hoc Working Group (AHWG) to develop an outline & timetable for integration of elements of the WAPI technology & 802.11i into ISO/IEC 8802-11

The AHWG formally liaise with IEEE 802 to ensure the outline represents a feasible way to integrate WAPI technology & 802.11i into 8802-11 & IEEE Standard 802.11

The work defined by the outline & schedule for integration of WAPI technology & 802.11i into ISO/IEC 8802-11 & IEEE Standard 802.11 be executed in appropriate WGs within ISO/IEC JTC1/SC6 & IEEE 802, as agreed jointly by JTC1/SC6 and IEEE 802

A very close liaison be established to track and review the work as it develops in JTC1/SC 6 and IEEE 802 to ensure compatibility is maintained with existing and developing ISO/IEC 8802-11 and 802.11 amendments.

As long as progress continues, ISO/IEC JTC1 delay resumption of the 802.11i fast track ballot and not consider any other security related amendments to 8802-11

Process proposed by IEEE at Beijing meeting (August 2005)

Results

• IEEE: Accept

• SAC: Reject

• ANSI: Reject

• KATS: Abstain

The key to success of the harmonisation approach is Chinese NB willingness to participate

• Harmonisation of WAPI & 802.11i is a desirable goal

• IEEE 802 even offered to delay 802.11i standardisation to achieve this goal

• However, the Chinese NB has refused all suggestions to achieve harmonisation

• The most desirable approach is a “yes” vote for 802.11i (1N7903) & a “no” vote for WAPI (1N7904)

– It enables the future of an international standard reflecting the market reality of a growing base of 100s of millions of 8802-11 and 802.11i users

– It may motivate the Chinese NB to participate in a harmonisation process, including normal JTC1/IEEE collaboration mechanisms

• A “no” vote for both 802.11i (1N7903) & WAPI (1N7904) is an acceptable but less desirable outcome

– It might lead to harmonisation but provides little incentive to do so

– It is more likely to lead to delay & uncertainty given the historical unwillingness of the Chinese NB to discuss harmonisation

• In either of the above cases, IEEE 802 will continue to seek harmonisation of 802.11i & WAPI
