Re: [OPSAWG] Simplified Alternative to CAPWAP

"Rajesh Pazhyannur (rpazhyan)" <rpazhyan@cisco.com> Tue, 25 February 2014 00:29 UTC

Return-Path: <rpazhyan@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8D1D1A0313 for <opsawg@ietfa.amsl.com>; Mon, 24 Feb 2014 16:29:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -12.047
X-Spam-Level:
X-Spam-Status: No, score=-12.047 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y7oATqmdYBGp for <opsawg@ietfa.amsl.com>; Mon, 24 Feb 2014 16:29:07 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id 6A9EE1A0200 for <opsawg@ietf.org>; Mon, 24 Feb 2014 16:29:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=22262; q=dns/txt; s=iport; t=1393288147; x=1394497747; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=iqSvHqPZEseuWHfeHHINMiX2w75mBsswaae/8VNfPOo=; b=K2Z2Nvjd6Ciam61yP6CGxlKSAGkIydjW+caOpBNcsEUj84RuoGZFU+Uz 4UcO+roXNVFkEuTRX2bK+uGks+u2CiCQBNltY227ApgXd+9SWFdvpZ0Ij jIhYGv1vzmD/7ksPe5Rzvh0KW8zOJsa1NOraTWZmwfIARb1aaMmsPx3o0 Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AuUFABHjC1OtJV2d/2dsb2JhbABZgkJEO1eDA7VXhGmDIE8YgQIWdIIlAQEBAwEBAQEgCigZEAcEAgEIEQEDAQELHQMCAgIlCxQDBggCBAESCId1CA2lWaBJF44CEQEfLQsGgmk1gRQEmWaLMIVFgy2BcTk
X-IronPort-AV: E=Sophos; i="4.97,537,1389744000"; d="scan'208,217"; a="306315242"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-4.cisco.com with ESMTP; 25 Feb 2014 00:29:05 +0000
Received: from xhc-rcd-x01.cisco.com (xhc-rcd-x01.cisco.com [173.37.183.75]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id s1P0T5gN021351 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 25 Feb 2014 00:29:05 GMT
Received: from xmb-aln-x09.cisco.com ([169.254.4.22]) by xhc-rcd-x01.cisco.com ([173.37.183.75]) with mapi id 14.03.0123.003; Mon, 24 Feb 2014 18:29:05 -0600
From: "Rajesh Pazhyannur (rpazhyan)" <rpazhyan@cisco.com>
To: =?utf-8?B?QmrDtnJuIFNtZWRtYW4=?= <bjorn.smedman@anyfinetworks.com>, "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: [OPSAWG] Simplified Alternative to CAPWAP
Thread-Index: AQHPMbPgQtd3dWdjMUewmYg0xTSiXZrFGNzw
Date: Tue, 25 Feb 2014 00:29:04 +0000
Message-ID: <4ED2E36A22261145861BAB2C24088B4320F5D75F@xmb-aln-x09.cisco.com>
References: <CAO_acptCXNzu09qH1sxig+qbjJXX0KMUmbA35LOo6KoRrG8vPg@mail.gmail.com>
In-Reply-To: <CAO_acptCXNzu09qH1sxig+qbjJXX0KMUmbA35LOo6KoRrG8vPg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.35.68.69]
Content-Type: multipart/alternative; boundary="_000_4ED2E36A22261145861BAB2C24088B4320F5D75Fxmbalnx09ciscoc_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/opsawg/wYvp1Sit9Atlc5FOTTDfDYbPyPw
Subject: Re: [OPSAWG] Simplified Alternative to CAPWAP
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Feb 2014 00:29:14 -0000

Hello Bjorn

We see strong benefits to such a protocol from an extensibility [4], flexibility [5] and security [6] perspective. If there is interest in exploring this further please let me know

Thanks for the well captured email.  Would like to explore more about what you are suggesting.
I have not read the details provided in your link.

In the meanwhile,

3. The separation of data and control planes that CAPWAP does provide is IMHO incorrect: 802.1X key exchange is considered part of the control plane but the derived encryption keys protect the data plane.
This doesn't matter when both control and data plane terminate in the same location (the AC), but becomes a problem when they are separated (encryption keys end up in a different place than the encrypted data!).

>        Technically speaking, 802.1X protects the 802.11 frames and does not have anything to do CAPWAP Data channel. The Data channel is protected using DTLS. It is conceivable that 1) the tunnel mode is encapsulating 802.11 frames (instead of 802.3 frames) and 2) CAPWAP-Data is not encrypted and 3) 802.11 encryption is happening at the AC instead of AP. When all three conditions hold,  what you are saying is true: 802.1X is indeed protecting the data plane.

5. CAPWAP (partly due to 1 and 2 above) depends excessively on details in the IEEE 802.11 standard, with each amendment threatening to impact the protocol.

>  Yes, it is true, that wireless binding (RFC 5416) of CAPWAP are dependent on 802.11 and needs updates with 11n, 11ac and so on. But in some sense it appears that the problem does not go away. You are simply pushing the problem to SNMP or TR-69 or something like that.  We can debate whether those are better than CAPWAP in configuring a WI-FI AP.

A. The protocol should mandate a single well-defined partitioning of the IEEE 802.11 stack, with 802.1X authentication, key management and encryption all implemented at the tunnel termination point for security reasons.

>       By this I am assuming that you want encryption at the Tunnel termination point rather than the AP.  What is motivating this, given that all APs (that I know of) implement 802.11 encryption and if security is needed between AP and Tunnel termination point then one could use IPSEC or DTLS.

Regards

Rajesh

-----Original Message-----
From: OPSAWG [mailto:opsawg-bounces@ietf.org] On Behalf Of Björn Smedman
Sent: Monday, February 24, 2014 2:57 PM
To: opsawg@ietf.org
Subject: [OPSAWG] Simplified Alternative to CAPWAP

Dear all,

I've been following the recent CAPWAP activity on this list and thought I should share some general thoughts on the protocol, and see if there's interest in a broader approach.

The CAPWAP shortcomings discussed are similar to the problems preventing us [1] from using it in our Software-Defined Networking
(SDN) architecture for IEEE 802.11 [2]:

1. CAPWAP was specified before separation of data, control and management planes became the norm in networking architecture.
Unsurprisingly it provides very little separation of concern, conflating everything from firmware updates to configuration of an extra SSID.

2. CAPWAP attempts to provide provisioning/management functionality that overlaps with other IETF standards track protocols, e.g. SNMP and NETCONF/YANG, as well as other established management protocols such as TR-069.

3. The separation of data and control planes that CAPWAP does provide is IMHO incorrect: 802.1X key exchange is considered part of the control plane but the derived encryption keys protect the data plane.
This doesn't matter when both control and data plane terminate in the same location (the AC), but becomes a problem when they are separated (encryption keys end up in a different place than the encrypted data!).

4. CAPWAP leaves many options open to the implementer and is therefore less interoperable than desired. To some extent this can be solved with run-time negotiation, but such negotiation of security critical aspects (such as where encryption keys are derived and kept) makes it impossible to reason about the security of the system. This is less than ideal IMHO.

5. CAPWAP (partly due to 1 and 2 above) depends excessively on details in the IEEE 802.11 standard, with each amendment threatening to impact the protocol.


We would be interested in specifying a simplified tunneling protocol for IEEE 802.11 similar to Geneve [3], avoiding the above problems:

A. The protocol should mandate a single well-defined partitioning of the IEEE 802.11 stack, with 802.1X authentication, key management and encryption all implemented at the tunnel termination point for security reasons.

B. The protocol should mandate a single well-defined frame format relying only on a PHY-independent stable subset of IEEE 802.11, ensuring compatibility with 11n/ac and (most likely) beyond.

C. Like Geneve the protocol should not provide any provisioning/management functionality, instead relying on SNMP, NETCONF/YANG, TR-069 and similar.

D. Like Geneve the protocol should not provide any control plane functionality, instead remaining compatible with several Software-Defined Networking (SDN) protocols for IEEE 802.11.

E. Each virtual access point in a multi-BSSID (and/or multi-radio) access point should be treated as a separate entity associated with a separate tunnel.


We see strong benefits to such a protocol from an extensibility [4], flexibility [5] and security [6] perspective. If there is interest in exploring this further please let me know.

Best regards,

Björn Smedman

1. http://www.anyfinetworks.com

2. http://anyfi.net and http://www.anyfinetworks.com/products

3. http://tools.ietf.org/html/draft-gross-geneve-00

4. http://anyfi.net/documentation#architecture

5. http://anyfi.net/documentation#a_how_it_all_fits_together

6. http://anyfi.net/documentation#i_security_model

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org<mailto:OPSAWG@ietf.org>
https://www.ietf.org/mailman/listinfo/opsawg