September 2011
Robert Moskowitz, Verizon
Slide 1
doc.: IEEE 802.15-11-0650-00-0kmp
Submission
Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)
Submission Title: Key Management for 802.15
Date Submitted: September 21, 2011
Source: Robert Moskowitz, Verizon
Address: 1000 Bent Creek Blvd, Mechanicsburg, PA, USA
Voice: +1 (248) 968-9809
e-mail: [email protected]
Re: Key Management for 802.15
Abstract: Key Management Protocol support for 802.15
Purpose: To add Key Management capabilities to 802.15
Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.
Adding Key Management Protocol support to 802.15
Robert Moskowitz
Okinawa
September 21, 2011
Abstract
To provide for a Key Management Protocol for 802.15
– Mechanism for 15.4, .6, .7
– KMP agnostic
  • Support: HIP, IKEv2, 802.1X, ...
Provide recommended functionality for KMPs
Functionality
Functionality needed
– Manage keying variables in 802.15 security
  • Security mode, key value, key rollover, ...
– Manage long-lived PMK and key-lifetime PTK (including key refresh)
– Distribute GTK for broadcast/multicast
– Provide authentication
Document Organization
General KMP transport method
Specific instructions for
– 802.15.4, 15.6, 15.7
Guidelines for specific KMPs
– HIP, IKEv2, 802.1X, 4-Way Handshake, SAE
  • Use case scenario
KMP Transport
General KMP transport method
– KMP packets vary greatly in length but can go to a couple of KB
  • When including X.509 certificates
– Transport MUST provide a fragmentation/reassembly role
– A simple forced in-order validated transmission
– KMP SHOULD be the earliest possible interaction between two nodes
KMP Transport
General KMP transport method
– A shim that fragments the KMP datagram into manageable pieces
  • Using a standard TLV (Type/Length/Value) container
  • "Information Element"
– A command frame for actual transmission if no "EtherType" in data frames
– A forced ACK to ensure in-order receipt
KMP Transport
General KMP transport method
– Even with forced ACKs, duplicates WILL be received (e.g. ACK lost)
  • Provide for recognition and dropping of duplicate content
Frame Content
TLV format
– Type assigned for 'KMP'
– If Max length is less than frame payload
  • Allow for multiple TLVs per frame to minimize transmission overhead
– Value contains 1 byte control plus KMP datagram fragment
Frame Content
Control field
– 1 bit Chaining flag (yes, last/one only)
  • Chaining REQUIRES frame ACK
– 7 bit KMP type/Chain count
  • First packet provides KMP type (HIP, IKEv2, 802.1X, SAE, 4-Way-Handshake, vendor)
  • Chain count
    – C=0 is 2nd fragment
    – C=1 is 3rd fragment
Frame Content
Control field
– 7 bit count with average 65 byte Value yields 8KB KMP datagram
– Warning on processing
  • Last packet in chain may be indistinguishable from a 1 packet only transmission
  • Once in chaining, simple to manage this
802.15.4 Guidelines
Use 4e Multipurpose Frame
– Provides support for Information Element
– Can use IEs in Command Frames
Pre-4e devices
– Recommendation on equivalent method
  • E.g. work with 6lowpan on RFC
802.15.4 Guidelines
Security Association (SA)
– Indexed by peer long address
  • Include short address once assigned
– Master Key information
– Transient Key information
– Group Key(s) information
  • Min Send and Receive keys
– Supply KDF
802.15.6 and .7 Guidelines
If there are equivalent features to 4e
– Guidelines mirror 15.4 guidelines
– Need experts
If no equivalent features
– Guidelines for upper layers for Shim and SA support
KMP Guidelines
For each KMP
– Text supplied by expert
  • Supply usage scenario(s)
– Referenced standard
– SA population
– Other advice
Moving Forward
Next steps