Network Working Group                                        G. Paterno'
Internet Draft                                                    Editor
Document: draft-gpaterno-wireless-pppoe-02.txt
Expires: April 2003                                         October 2002

                Using PPPoE to authenticate Wireless LANs

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 except that the right to
   produce derivative works is not granted.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC-2119].

Abstract

   This document targets consumers, corporations and Internet Service
   Providers that aim at providing access to their users through
   Wireless LAN technologies such as IEEE 802.11. The advantages of
   using the Point-to-Point Protocol over Ethernet (PPPoE) to provide
   access to the internetwork are explored, and suggestions are made on
   how to deploy the infrastructure.

G. Paterno'                  Informational                      [Page 1]

Internet-Draft       Using PPPoE in Wireless LANs         September 2002

Table of Contents

   Status of this memo............................................1
   Conventions used in this document..............................1
   Abstract.......................................................1
   1. Current Wireless LANs scenario..............................2
   2. Existing Wireless LANs authentication methodologies.........3
   3. A layered approach..........................................3
   4. Proposed authentication solution: PPPoE.....................4
   5. The encryption layer........................................5
   6. An architecture example.....................................5
   7. Conclusions.................................................7
   Copyright and disclaimer.......................................7
   References.....................................................8
   Acknowledgments................................................8
   Author's Addresses.............................................8

1. Current Wireless LANs scenario

   The need for mobility and network coverage in open spaces, or in
   places where cabling is a hard effort (such as airports, hospitals,
   warehouses or old buildings), has increased development in the
   wireless space. Several technologies have been conceived for
   transmitting data "over the air", for example GPRS, Bluetooth and
   IEEE 802.11, also known as Wireless Ethernet. This last technology
   is becoming popular among corporations and consumers for its easy
   configuration, flexibility and performance at low cost.

   In brief, the IEEE 802.11 protocol emulates an Ethernet network, and
   most of today's access points act as a mediator (i.e. a bridge)
   between an existing Local Area Network, for example the corporate
   LAN, and the wireless network. Furthermore, the protocol itself
   includes an optional security feature in the form of encryption, via
   Wired Equivalent Privacy (WEP).

   Unfortunately, it has been demonstrated that WEP can be broken by a
   malicious user, who can then gain access to the network without
   supplying any credential. WEP encrypts frames with the RC4 stream
   cipher, keyed by a 24-bit initialisation vector (IV) sent in the
   clear together with the shared key, and protects integrity with
   CRC-32, an algorithm designed to detect transmission errors rather
   than deliberate tampering. By passively observing a sufficient number
   of frames sent with weak IVs, an attacker can recover the original
   WEP key, be it 64-bit or even 128-bit (of which 24 bits are the IV,
   leaving 40 or 104 secret bits). Because CRC-32 is linear, the
   attacker can also flip bits in an encrypted frame and adjust the
   encrypted checksum so that the modified frame still passes the
   integrity check.
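   The CRC-32 weakness just described, as an added example that is not
   part of this draft: a frame is protected the WEP way (plaintext
   followed by its CRC-32 ICV, XORed with an RC4 keystream derived from
   the IV and the shared key), and an attacker who does not know the key
   flips chosen bits in the ciphertext and corrects the encrypted ICV
   using the linearity of CRC-32, so the receiver still accepts the
   frame. The key, IV and HTTP payload are constructed values; only the
   40-bit key and 24-bit IV sizes are WEP's real parameters.

```python
"""Added example, not part of the draft: why CRC-32 is the wrong
integrity check for WEP.  The key, IV and payload are constructed
values; only the 40-bit key and 24-bit IV sizes are WEP's real
parameters."""
import struct
import zlib


def rc4_keystream(key, n):
    """Plain RC4 (KSA then PRGA), returning n keystream bytes."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP Integrity Check Value: CRC-32 of the plaintext, 4 bytes."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key40, iv, plaintext):
    """Per-frame RC4 key is IV || shared key; the ICV is appended before
    encryption, so the ICV travels encrypted as well."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key40, len(body)))


def wep_decrypt(key40, frame):
    """Receiver: returns the plaintext if the ICV verifies, else None."""
    iv, cipher = frame[:3], frame[3:]
    body = xor(cipher, rc4_keystream(iv + key40, len(cipher)))
    data, tag = body[:-4], body[-4:]
    return data if icv(data) == tag else None


def flip_bits(frame, delta):
    """Attacker without the key: XOR `delta` into the encrypted payload
    and patch the encrypted ICV.  CRC-32 is affine over GF(2), so
    crc(P ^ D) == crc(P) ^ crc(D) ^ crc(0...0) for equal lengths; the
    correction term depends only on D, never on P or on the key."""
    iv, cipher = frame[:3], frame[3:]
    patch = delta + xor(icv(delta), icv(bytes(len(delta))))
    return iv + xor(cipher, patch)


def demo():
    key = b"\x01\x02\x03\x04\x05"            # constructed 40-bit WEP key
    iv = b"\x0a\x0b\x0c"                     # constructed 24-bit IV
    plaintext = b"GET /account?id=1001 HTTP/1.0"
    frame = wep_encrypt(key, iv, plaintext)
    # The attacker only needs to know where the digit sits in a
    # predictable request, not the key: turn '1' (0x31) into '9' (0x39).
    pos = plaintext.index(b"1001") + 3
    delta = bytearray(len(plaintext))
    delta[pos] = 0x31 ^ 0x39
    forged = flip_bits(frame, bytes(delta))
    return wep_decrypt(key, frame), wep_decrypt(key, forged)


if __name__ == "__main__":
    original, tampered = demo()
    print(original, b"->", tampered)
```

   Recovering the key itself from weak IVs is a separate, statistical
   attack that is not shown here; the narrower point of the example is
   that anyone who knows which bits they changed can fix up CRC-32,
   which is exactly what a keyed message authentication code would
   prevent.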
   For these reasons Wired Equivalent Privacy gives a false sense of
   security to the end user, so that sensitive data that is not
   encrypted at the presentation layer, through SSL for example, can
   easily be eavesdropped.

   Moreover, using layer 3 network addresses over a wireless LAN raises
   some concerns. For example, the use of DHCP might represent a
   disadvantage for those service providers that are unable to identify
   a specific user, typically for AAA purposes. We also have to consider
   that, once a malicious user gains access to the WEP keys, DHCP
   immediately gives the intruder an IP address and network information
   (DNS, WINS, routing, etc.).

   Access points commonly try to fill the gap by using MAC addresses to
   uniquely identify users (MAC address filtering). The use of MAC
   addresses introduces another manageability issue: if a user changes
   the wireless adapter, for example to replace a broken one, he/she has
   to contact the ISP and provide the new MAC address so that the old
   one can be deconfigured. In addition, MAC addresses can easily be
   changed, and can be guessed (or simply read from the air, since the
   802.11 header is never encrypted) by malicious users to gain access
   to the Wireless LAN.

2. Existing Wireless LANs authentication methodologies

   Recently, the IEEE 802.1X standard, based on EAPOL (Extensible
   Authentication Protocol over LAN), has been proposed to solve the
   wireless LAN problems. The protocol has been designed to provide user
   authentication for both wireless and wired LANs, giving ISPs and
   corporations the opportunity to provide their users with personalised
   services, such as grouping into specific Virtual LANs.

   Although IEEE 802.1X provides flexibility and extended LAN support,
   purchasing compliant hardware is still an expensive solution for
   small businesses and consumers. In fact, as of today, many Wireless
   Access Points and hubs/switches do not support EAPOL.
   Furthermore, 802.1X by itself does not specify how per-session WEP
   keys are derived or when they are rotated, so dynamic WEP keying
   depends on the EAP method and on vendor support, which leaves room
   for security issues. Most consumers, small ISPs and small
   corporations won't be able to afford such equipment; nevertheless
   they need security and need to be able to identify the users that
   are accessing their resources: some malicious users today gain access
   to home users' equipment through WLANs in order to attack remote
   sites anonymously.

3. A layered approach

   As suggested by the OSI specifications, a good solution might be the
   adoption of a layered approach, focusing on specific aspects of a
   given layer. By analysing access, authentication and encryption
   separately, the resulting framework allows changes in one layer to
   occur without affecting the other layers. As Wireless LANs, including
   IEEE 802.11, evolve and new standards become available, the
   authentication and encryption layers can remain unchanged, and vice
   versa.

4. Proposed authentication solution: PPPoE

   With the introduction of cable and ADSL technologies, ISPs have
   adopted a methodology for resolving the authentication layer problem
   in the broadband world. The aforementioned technologies, in standard
   configurations, are able to emulate an Ethernet network. Although
   DHCP is easy to deploy for a Service Provider and to configure from
   a user's perspective, it does not provide a way to authenticate the
   user, and therefore cannot be used for accounting or authorization.
   This need was solved with the introduction of the Point-to-Point
   Protocol over Ethernet (PPPoE), described in RFC 2516. PPPoE has a
   Discovery stage, in which the client broadcasts a PADI, one or more
   access concentrators answer with a PADO, the client selects one with
   a PADR and receives a PADS carrying the session identifier, followed
   by a PPP Session stage in which ordinary PPP frames, including the
   authentication exchange, are carried inside Ethernet frames. Through
   the adoption of this protocol, access control, billing and several
   types of services can be performed on a per-user, rather than a
   per-site or per-cell, basis. 802.11 technology, in a similar way to
   the aforementioned broadband technologies, is able to emulate an
   Ethernet network.
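   The RFC 2516 Discovery stage that precedes PPP authentication, as an
   added example that is not part of this draft: a wireless client and
   an access concentrator (the PPPoE server the draft proposes adding)
   exchange PADI, PADO, PADR and PADS frames in-process, the
   concentrator protects itself against forged or replayed PADRs with
   the AC-Cookie TAG, and a small helper shows where the MTU of 1492
   comes from. The class and function names, the MAC addresses and the
   cookie secret are constructed for this example.

```python
"""Added example, not part of the draft: the PPPoE Discovery stage of
RFC 2516 run in-process between a wireless client and an access
concentrator (the PPPoE server the draft proposes adding).  The class
and function names, the MAC addresses and the cookie secret are
constructed for this example."""
import hashlib
import hmac
import struct

ETHER_DISCOVERY = 0x8863            # EtherType of the Discovery stage
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_AC_COOKIE = 0x0101, 0x0102, 0x0104
BROADCAST = b"\xff" * 6


def build_tags(tags):
    """Encode (type, value) pairs as TAG_TYPE(2) TAG_LENGTH(2) TAG_VALUE."""
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)


def parse_tags(payload):
    tags, off = [], 0
    while off + 4 <= len(payload):
        t, n = struct.unpack_from("!HH", payload, off)
        tags.append((t, payload[off + 4:off + 4 + n]))
        off += 4 + n
    return tags


def build_frame(dst, src, code, session_id, tags):
    """Ethernet header, then PPPoE header VER=1 TYPE=1 CODE SESSION_ID LENGTH."""
    payload = build_tags(tags)
    pppoe = struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload
    return dst + src + struct.pack("!H", ETHER_DISCOVERY) + pppoe


def parse_frame(frame):
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHER_DISCOVERY:
        raise ValueError("not a PPPoE Discovery frame")
    vt, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if vt != 0x11:
        raise ValueError("unsupported PPPoE VER/TYPE")
    return dst, src, code, session_id, parse_tags(frame[20:20 + length])


class Concentrator:
    """Access concentrator: answers PADI with PADO, PADR with PADS."""

    def __init__(self, mac, name, secret):
        self.mac, self.name, self.secret = mac, name, secret
        self.next_session, self.sessions = 1, {}

    def cookie_for(self, client_mac):
        # AC-Cookie TAG: a keyed digest of the client MAC lets the AC
        # check that a PADR comes from a host that actually received a
        # PADO, without keeping state per PADI (limits PADI flooding).
        return hmac.new(self.secret, client_mac, hashlib.sha256).digest()[:16]

    def handle(self, frame):
        dst, src, code, _, tags = parse_frame(frame)
        tagmap = dict(tags)
        service = tagmap.get(TAG_SERVICE_NAME, b"")
        if code == PADI and dst == BROADCAST:
            return build_frame(src, self.mac, PADO, 0, [
                (TAG_SERVICE_NAME, service), (TAG_AC_NAME, self.name),
                (TAG_AC_COOKIE, self.cookie_for(src))])
        if code == PADR and dst == self.mac:
            if not hmac.compare_digest(tagmap.get(TAG_AC_COOKIE, b""),
                                       self.cookie_for(src)):
                return None            # forged or replayed PADR: drop it
            sid, self.next_session = self.next_session, self.next_session + 1
            self.sessions[sid] = src
            return build_frame(src, self.mac, PADS, sid, [(TAG_SERVICE_NAME, service)])
        return None


def discover(client_mac, ac, service=b""):
    """Client side: PADI -> PADO -> PADR -> PADS; returns the SESSION_ID."""
    pado = ac.handle(build_frame(BROADCAST, client_mac, PADI, 0,
                                 [(TAG_SERVICE_NAME, service)]))
    _, ac_mac, code, _, tags = parse_frame(pado)
    if code != PADO:
        raise ValueError("expected PADO")
    pads = ac.handle(build_frame(ac_mac, client_mac, PADR, 0, [
        (TAG_SERVICE_NAME, service), (TAG_AC_COOKIE, dict(tags)[TAG_AC_COOKIE])]))
    _, _, code, session_id, _ = parse_frame(pads)
    if code != PADS or session_id == 0:
        raise ValueError("expected PADS with a non-zero SESSION_ID")
    return session_id


def ppp_mru(ethernet_mtu=1500):
    """The 6-byte PPPoE header and 2-byte PPP protocol field are taken
    out of the Ethernet payload, hence the draft's MTU of 1492."""
    return ethernet_mtu - 6 - 2


if __name__ == "__main__":
    ac = Concentrator(b"\x00\x11\x22\x33\x44\x55", b"wlan-ac1", b"ac-secret")
    print("SESSION_ID", discover(b"\x00\xaa\xbb\xcc\xdd\xee", ac), "PPP MRU", ppp_mru())
```

   Nothing in the Discovery stage authenticates anybody: the PADI is a
   broadcast that any station on the wireless segment can answer, which
   is why the credential check belongs to the PPP Session stage that
   follows, and why the AC-Cookie only protects the concentrator from
   being flooded with half-open sessions.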
   The advantage is clear: by applying PPPoE to wireless LANs,
   consumers, corporations and Internet Service Providers can perform
   authentication, authorisation and accounting on wireless users
   easily, without adding new components and, more importantly, with
   little effort. A practical application of this technology might be
   to provide, for example, fixed IP addresses to roaming wireless
   users: wherever the user is located, he/she can keep his/her IP
   address and the class of service chosen in the subscription.
   Furthermore, the use of PPP introduces another obstacle for malicious
   users, who would have to break both the WEP layer and the PPP layer
   to gain access to the IP-based network.

   Passwords MUST NOT be exchanged through the PAP authentication
   method, which sends them in the clear; a challenge-response protocol
   such as CHAP (RFC-1994) or, better, EAP-TLS (RFC-2716) should be used
   instead.

   From a traditional ISP or corporate perspective, using PPPoE rather
   than IEEE 802.1X is not a real benefit: a big disadvantage of PPPoE
   is the PPP frame overhead and the resulting MTU problem. However, one
   aspect has to be considered when deploying IEEE 802.1X: EAP-TLS
   requires the ISP/corporation to distribute X.509 certificates to end
   users, which might be quite expensive if a public Certification
   Authority is used and, furthermore, hard to do if the organisation
   has several thousand customers. Moreover, if the ISP or corporation
   already owns non-802.1X-compliant Access Points, such hardware has to
   be replaced. For consumers, small businesses and local ISPs the PPPoE
   limitation is not an issue when compared to the cost of deploying
   both 802.1X hardware and EAPOL-compliant client software.
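   The PAP versus CHAP requirement stated earlier in this section, as an
   added example that is not part of this draft: both PPP authentication
   exchanges are built in-process with constructed packets and looked
   at from the point of view of an eavesdropper on the wireless link.
   With PAP the Authenticate-Request carries the password itself; with
   CHAP (RFC-1994) only MD5(Identifier || secret || Challenge) crosses
   the air, and replaying a captured Response against a fresh Challenge
   fails. The user name, secret and concentrator name are made-up
   values for this example.

```python
"""Added example, not part of the draft: PAP versus CHAP (RFC 1994) as
seen by an eavesdropper on the wireless link.  The credential store,
user name, secret and authenticator name are constructed values."""
import hashlib
import os
import struct

PPP_PAP, PPP_CHAP = 0xC023, 0xC223
PAP_AUTH_REQ, PAP_AUTH_ACK, PAP_AUTH_NAK = 1, 2, 3
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4

USERS = {b"alice": b"correct horse battery"}   # constructed credential store


def ppp_packet(protocol, code, ident, data):
    """PPP protocol field followed by Code, Identifier, Length, Data."""
    return struct.pack("!HBBH", protocol, code, ident, 4 + len(data)) + data


def code_of(packet):
    return struct.unpack("!HBBH", packet[:6])[1]


# --- PAP: the Authenticate-Request carries the password in the clear ---
def pap_request(ident, user, password):
    data = bytes([len(user)]) + user + bytes([len(password)]) + password
    return ppp_packet(PPP_PAP, PAP_AUTH_REQ, ident, data)


def sniff_pap_password(packet):
    """What a passive listener on the WLAN learns from one PAP request."""
    body = packet[6:]
    ulen = body[0]
    plen = body[1 + ulen]
    return body[1:1 + ulen], body[2 + ulen:2 + ulen + plen]


def pap_server(packet):
    _, _, ident, _ = struct.unpack("!HBBH", packet[:6])
    user, password = sniff_pap_password(packet)   # the server sees the same thing
    ok = USERS.get(user) == password
    return ppp_packet(PPP_PAP, PAP_AUTH_ACK if ok else PAP_AUTH_NAK, ident, b"\x00")


# --- CHAP: Response = MD5(Identifier || secret || Challenge value) ---
def chap_digest(ident, secret, challenge):
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_challenge(ident, name, challenge=None):
    """Authenticator: fresh random Challenge value, plus its own name."""
    challenge = challenge or os.urandom(16)
    return ppp_packet(PPP_CHAP, CHAP_CHALLENGE, ident,
                      bytes([len(challenge)]) + challenge + name)


def chap_response(challenge_packet, user, secret):
    """Peer: hashes the secret with the Identifier and Challenge; the
    secret itself never leaves the host."""
    _, _, ident, _ = struct.unpack("!HBBH", challenge_packet[:6])
    vlen = challenge_packet[6]
    value = chap_digest(ident, secret, challenge_packet[7:7 + vlen])
    return ppp_packet(PPP_CHAP, CHAP_RESPONSE, ident, bytes([len(value)]) + value + user)


def chap_server(challenge_packet, response_packet):
    """Authenticator: recomputes the digest with its copy of the secret
    over the Identifier and Challenge it actually issued."""
    _, _, c_ident, _ = struct.unpack("!HBBH", challenge_packet[:6])
    vlen = challenge_packet[6]
    challenge = challenge_packet[7:7 + vlen]
    _, code, r_ident, length = struct.unpack("!HBBH", response_packet[:6])
    if code != CHAP_RESPONSE or r_ident != c_ident:
        return ppp_packet(PPP_CHAP, CHAP_FAILURE, r_ident, b"bad identifier")
    rlen = response_packet[6]
    value = response_packet[7:7 + rlen]
    name = response_packet[7 + rlen:length + 2]
    secret = USERS.get(name)
    if secret is None or chap_digest(c_ident, secret, challenge) != value:
        return ppp_packet(PPP_CHAP, CHAP_FAILURE, r_ident, b"bad response")
    return ppp_packet(PPP_CHAP, CHAP_SUCCESS, r_ident, b"")


def demo():
    # PAP: the eavesdropper recovers the password straight from the air.
    req = pap_request(1, b"alice", USERS[b"alice"])
    pap_ok = code_of(pap_server(req)) == PAP_AUTH_ACK
    leaked = sniff_pap_password(req)
    # CHAP: only a Challenge/Response pair is captured; replaying the
    # Response against the next Challenge is rejected.
    ch1 = chap_challenge(7, b"ac1")
    resp1 = chap_response(ch1, b"alice", USERS[b"alice"])
    chap_ok = code_of(chap_server(ch1, resp1)) == CHAP_SUCCESS
    ch2 = chap_challenge(8, b"ac1")
    replay_ok = code_of(chap_server(ch2, resp1)) == CHAP_SUCCESS
    return pap_ok, leaked, chap_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```

   CHAP keeps the password off the air, but a captured Challenge and
   Response still allow an offline dictionary attack against a weak
   secret, and the authenticator has to store the secret in
   recoverable form; both are reasons the draft points at EAP-TLS as
   the stronger option.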
   The advantage is that, preserving the existing access points and
   adding a single component (the PPPoE server), they are able to
   protect their LANs by uniquely identifying each user. As a result,
   adding a PPPoE server is far easier than deploying EAP-TLS, which
   requires a more complex infrastructure. Moreover, most of today's
   operating systems ship with a PPPoE client, which results in a
   low-cost deployment. Using the aforementioned methodology, Access
   Point manufacturers can easily embed a PPPoE server in their
   products, distribute it as a firmware update, and provide easy user
   configuration to the consumer, for example through a web interface.

   To handle the MTU issue, the PPP MTU should be set to 1492: the
   6-byte PPPoE header and the 2-byte PPP protocol field have to fit
   inside the 1500-byte Ethernet payload.

5. The encryption layer

   A Wireless LAN, being over the air, might be considered a public
   switched network, similar to the plain old telephone network. In the
   traditional POTS world, for example, a malicious user could tap the
   phone wire and capture PPP packets. The Wireless LAN can therefore
   be managed as a dial-up connection to the corporate network, and
   encryption and/or access policies should be applied, such as
   protecting access through a firewall or a proxy that allows only
   specific applications.

   It is recommended that users who need privacy add an encryption
   layer on top of their connection, be it a wireless LAN or standard
   PPP over a modem. There can be different approaches for this layer:
   a simple solution for companies that need only a low level of privacy
   is the Microsoft Point-to-Point Encryption protocol (MPPE, RFC-3078)
   extension. A step further is to use stronger encryption technologies
   to access the corporate LAN, such as IPsec (RFC-2401). The de-facto
   standard PPTP is also widely available, but note that its encryption
   is MPPE itself, so it offers no stronger cryptography than the MPPE
   option above.

6. An architecture example

   In the previous chapter, the Wireless LAN was compared to a dial-up
   infrastructure from a security perspective. Using this affinity, a
   typical corporate scenario can be analysed as an example.

                +----------+
                | Internet |
                +----------+
                     |
                +----------+ (DMZ1) +-------------------------+
                | Firewall |--------| External Proxy/DNS/Mail |
                +----------+        +-------------------------+
                     |
                     | (DMZ2)     +---------------------------+
                     +------------| Remote Access/VPDN server |
                     |            +---------------------------+
                     |
                     |            +--------------------------+
                     +------------| Wireless Access Point(s) |
                     |            +--------------------------+
                     |
                +----------+ (DMZ3) +------------------+
                | Firewall |--------| VPN concentrator |
                +----------+    |   +------------------+
                     |          |
                     |          |   +----------------+   +---------------+
                     |          +---| Internal Proxy |---| Radius Server |
                     |              +----------------+   +---------------+
                +----------+
                | Intranet |
                +----------+

   Remote access systems, such as modems, are subject to "wardialing",
   i.e. the attempt by a malicious user to guess the modem telephone
   number and access the corporate network. Today, most corporate IT
   security policies do not allow a modem and an analogue phone line to
   be connected to internally connected computers. In a security
   infrastructure, dial-up users are usually subject to IP-based
   inspection (be it a firewall or access lists) to limit access to the
   corporation's resources. When writing a security policy, dial-up
   users are usually considered more "trusted" than global Internet
   users, since appropriate credentials are required of them.

   In the example above, a border firewall separates global Internet
   access from both the externally visible services (DNS, mail, proxy,
   etc.) and the remote access users, creating two demilitarised zones,
   DMZ1 and DMZ2 respectively.
   DMZ2 should be more secure than the external services, which can be
   compromised by a malicious user: this zone is suitable for dial-up
   (be it a RAS server or outsourcing through a VPDN) and Wireless LAN
   users, who have to supply credentials to gain access to the IP-based
   network.

   Once a dial-up/wireless user has obtained access, a second firewall
   connects DMZ2 to DMZ3 and to the corporate Intranet. DMZ3 hosts a
   RADIUS server to authenticate users, an internal proxy and a VPN
   concentrator, if the latter is not included in the firewall. The VPN
   concentrator implements the encryption layer, offering a secure
   connection to the Intranet. An optional data flow, if encrypted
   through SSL, can be established directly from DMZ2 to the Intranet,
   for example IMAPS or HTTPS, so that the VPN is required only for
   specific applications, such as TN3270E (RFC-2355) mainframe access.

7. Conclusions

   In this paper the author explored the advantages of using the
   Point-to-Point Protocol over Ethernet as a solution for a Wireless
   LAN authentication layer. It has been shown that, by reusing existing
   elements of the network and without changing the existing
   infrastructure, consumers, corporations and Internet Service
   Providers can take advantage of PPPoE, resulting in a more secure
   environment at little or no additional cost.

Copyright and disclaimer

   Copyright (C) Giuseppe Paterno' (2002). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.
   However, this document itself may not be modified in any way, such as
   by removing the copyright notice or references to the author of this
   document or other Internet organizations, except as needed for the
   purpose of developing Internet standards in which case the procedures
   for copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the author or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and Giuseppe Paterno' DISCLAIMS ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

References

   [1]  RFC 2516, "A Method for Transmitting PPP Over Ethernet (PPPoE)"

   [2]  Roaring Penguin PPPoE implementation

   [3]  RAS PPPoE protocol implementation, by Robert Schlabbach

Acknowledgments

   The author of this document wishes to thank Silvio Danesi and Daniele
   Todde for providing the technical infrastructure, and Luca Sciortino
   for his moral support.

Author's Addresses

   Giuseppe Paterno'
   Via Copernico, 63
   20094 Corsico (MI)
   Italy

   Email: gpaterno@gpaterno.com