Network Working Group                                        G. Paterno'
Internet Draft                                                    Editor
Document: draft-gpaterno-wireless-pppoe-01.txt            September 2002
Expires: March 2003


                Using PPPoE to authenticate Wireless LANs


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 except that the right to
   produce derivative works is not granted.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC-2119].

Abstract

   This document targets, at first glance, private users, but also
   small Wireless Internet Service Providers who aim to provide access
   to their users through Wireless LAN technologies such as IEEE
   802.11.  In this paper the author explores the advantages of using
   the Point-to-Point Protocol over Ethernet (PPPoE) to provide access
   to the internetwork and gives suggestions on how to deploy the
   infrastructure.


G. Paterno'                  Informational                      [Page 1]

Internet-Draft        Using PPPoE in Wireless LAN         September 2002


Table of Contents

   1. Current Wireless LAN Scenario...............................2
   2. Existing Wireless LANs authentication methodologies.........2
   3. Proposed Solution: PPPoE....................................3
   Copyright and disclaimer.......................................4
   References.....................................................5
   Acknowledgments................................................5
   Author's Addresses.............................................5

1. Current Wireless LAN Scenario

   The current popular standard for Wireless LANs is IEEE 802.11, which
   is widely adopted by device manufacturers.  In brief, the protocol
   emulates an Ethernet network, and most of today's access points act
   as a bridge between an existing Local Area Network, for example the
   corporate LAN, and the wireless network.

   Furthermore, the protocol itself includes a security feature, named
   Wireless Encryption Protocol (WEP), which should provide encryption
   for the connection and thus privacy.  Unfortunately, it has been
   demonstrated that WEP can be broken by a malicious user, who might
   then gain access to the network without supplying any credential.

   Furthermore, the use of DHCP or other LAN technologies might
   represent a disadvantage for service providers, which are unable to
   identify a specific user, for example for accounting or logging
   purposes.  The 802.11 protocol tries to fill the gap by suggesting
   the use of MAC addresses to uniquely identify users.  The use of MAC
   addresses introduces another manageability issue: if a user changes
   the wireless adapter, for example to replace a broken one, he/she
   has to contact the ISP, provide the new MAC address and have the old
   one deconfigured.

2. Existing Wireless LANs authentication methodologies

   Recently, the IEEE 802.1X standard, also called EAP, has been
   proposed to solve the wireless LAN problems.  The protocol has been
   designed to provide user authentication for both wireless and wired
   LANs, giving ISPs and corporations the opportunity to provide their
   users with personalised services such as grouping in specific
   Virtual LANs.
   Although IEEE 802.1X provides flexibility and extended LAN support,
   it requires expensive hardware to be deployed.  As of today, most
   Wireless Access Points and low-cost hubs/switches do not support
   EAP.  Most private users and small ISPs will not be able to afford
   such equipment; nevertheless they need security and need to be able
   to identify the users who are accessing their resources: some
   malicious users today gain access to home users' equipment through
   WLANs in order to attack remote sites while remaining anonymous.

3. Proposed solution: PPPoE

   With the introduction of cable and ADSL technologies, ISPs have
   adopted a methodology for resolving this problem in the broadband
   world.  The above technologies, in their usual configurations, are
   able to emulate an Ethernet network.  Although DHCP is easy for a
   Service Provider to deploy and easy for a user to configure, it does
   not provide a way to authenticate the user, which makes accounting
   and authorization impossible.  The community solved this need with
   the introduction of the Point-to-Point Protocol over Ethernet
   (PPPoE), described in RFC 2516.  Through the adoption of this
   protocol, access control, billing and several types of services can
   be handled on a per-user, rather than a per-site or per-cell, basis.

   The 802.11 technology, in a similar way to the aforementioned
   broadband technologies, is able to emulate an Ethernet network.  The
   advantage is clear: by applying PPPoE to wireless LANs, private
   users who wish to share their WLAN and small Wireless Internet
   Service Providers can bring authentication, authorisation and
   accounting cheaply and easily to wireless users.
   A practical example of using this technology is to provide fixed IP
   addresses to roaming wireless users: wherever the user is located,
   he/she keeps his/her IP address and class of service.  Furthermore,
   the use of PPP adds another layer that a potential malicious user
   has to break, since both WEP and the PPP layer must be broken.  It
   is envisaged that passwords should not be exchanged through the PAP
   authentication methodology; a challenge-based protocol such as CHAP
   should be used instead.

   From a traditional ISP/WISP perspective, using PPPoE rather than
   IEEE 802.1X is not a real benefit: a big disadvantage of PPPoE is
   the PPP frame overhead and the MTU size problem.  However, one
   aspect has to be considered when using IEEE 802.1X: EAP requires the
   ISP/corporation to distribute X.509 certificates to end users, which
   might be quite expensive if a valid Certification Authority is used
   and, furthermore, they are hard to distribute if an organisation has
   several thousand customers.

   For private users and small ISPs such a PPPoE limitation is not an
   issue, compared to the cost of deploying both hardware and EAP
   compliant software on the client.  The advantage is that, with
   simple hardware, they are able to protect their LANs and to uniquely
   identify the user.  Moreover, most of today's operating systems ship
   with a PPPoE client, which results in a low-cost technology
   deployment.  Furthermore, Access Point manufacturers can easily
   embed a PPPoE server in their products and provide configuration to
   the users through an easy web interface.

   While deploying the PPPoE technology, the author suggests using CHAP
   or a better authentication protocol in conjunction with the
   Microsoft Point-To-Point Encryption Protocol (RFC3078) and WEP: this
   should ensure enough privacy and thus reduce risks.
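   As an added example, not part of this draft or of any PPPoE
   implementation, the following Python models both sides of the CHAP
   exchange the author recommends over PAP (RFC 1994, MD5 algorithm),
   showing that the shared secret never crosses the WLAN, and derives
   the 1492-byte MTU recommended at the end of this section from the
   PPPoE framing of RFC 2516.  Function names and the sample secret are
   constructed for illustration.

```python
import hashlib
import os
from typing import Optional

# Constructed example (not from the draft or any PPPoE implementation).
# Ethernet payload budget and the fixed framing PPPoE adds to it (RFC 2516).
ETHERNET_MTU = 1500      # maximum Ethernet payload
PPPOE_HEADER = 6         # ver/type(1) + code(1) + session id(2) + length(2)
PPP_PROTOCOL_FIELD = 2   # PPP protocol id carried in every session frame


def pppoe_mtu(ethernet_mtu: int = ETHERNET_MTU) -> int:
    """Largest IP datagram that fits in one PPPoE session frame (1492)."""
    return ethernet_mtu - PPPOE_HEADER - PPP_PROTOCOL_FIELD


def pap_request(secret: bytes) -> bytes:
    """PAP: the password itself is what travels over the WLAN."""
    return secret


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP, MD5 algorithm: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_exchange(secret: bytes, client_secret: Optional[bytes] = None) -> dict:
    """One CHAP round between a PPPoE server and a client sharing `secret`.

    `client_secret` lets the caller model a client holding a wrong password.
    `wire` collects everything that actually crosses the wireless link.
    """
    client_secret = secret if client_secret is None else client_secret
    identifier = 0x01
    challenge = os.urandom(16)                 # server picks a fresh nonce
    wire = {"challenge": challenge}            # Challenge packet
    wire["response"] = chap_response(identifier, client_secret, challenge)
    expected = chap_response(identifier, secret, challenge)   # server side
    return {
        "authenticated": wire["response"] == expected,
        "secret_on_wire": secret in wire.values(),
    }


if __name__ == "__main__":
    print("PPPoE MTU:", pppoe_mtu())
    print("PAP exposes secret:", pap_request(b"s3cret") == b"s3cret")
    print("CHAP ok:", chap_exchange(b"s3cret"))
    print("CHAP wrong password:", chap_exchange(b"s3cret", b"guess"))
```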
   In this chapter we mentioned the PPPoE limitation about the MTU: it
   is recommended that the MTU size be set to 1492.

Copyright and disclaimer

   Copyright (C) Giuseppe Paterno' (2002).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the author of this document or
   other Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the author or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and Giuseppe Paterno' DISCLAIMS ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

References

   [1] RFC 2516, "A Method for Transmitting PPP Over Ethernet (PPPoE)"
   [2] Roaring Penguin PPPoE implementation
   [3] RAS PPPoE protocol implementation, by Robert Schlabbach

Acknowledgments

   The author of this document wishes to thank Silvio Danesi and
   Daniele Todde for providing the technical infrastructure, and Luca
   Sciortino for his moral support.
Author's addresses

   Giuseppe Paterno'
   Via Copernico, 63
   20094 Corsico (MI)
   Italy

   Email: gpaterno@gpaterno.com