802.11 Session
802.11 802.11 LAN LAN
/ /
/ ROI 70 CompUSA AP
/ IT WLAN
WLAN
/ / Barcode POS WEP
HIPAA LANS
802.11 (SSID) (WEP) MAC
(SSID) Cisco SSID SSID LAN Cisco SSID
WEP RC4 40 104
XOR
12345 XOR CISCO AHGAE
IV IV 45678 XOR IV CISCO WGSSF
Figure residue (802.11 WEP frame format): IV field 24 bits plus key ID; MSDU 0-2304 octets with pad; ICV 4 octets. A 40-bit or 104-bit key combined with the 24-bit IV gives 64 or 128 bits.
802.11 1. 2. 3. 4. 5. 6. AP
802.11 WEP, WEP WEP
802.11 1. EP 123456 2. ( ) 3. / 4. WEP WEP 112233 4. X AP WEP AP
802.11 EP 112233 1. 2. ( ) 3. ( ) 4. ( ) WEP 112233 AP WEP AP WEP AP,
802.11 MAC 802.11
802.11 MAC 1. 2. RADIUS (PAP) MAC MAC ABC 4. ( ) 3. RADIUS- RADIUS AP MAC 1) 2) AAA
802.11 WEP
802.11 WEP WEP
SSID! Beacons SSID SSID WiFi
SSID
NIC
XOR XOR
XOR ( )
MAC MAC MAC
802.11 WEP WEP 1M 4M LAN AirSnort
LAN IV/WEP
IV/WEP ) LAN, IV
IV/WEP 2. 1.
IV/WEP XORed XORed XOR XOR (1) (1) (2) (2) XOR XOR (1) (1) (2) (2) (1) (1) (2) (2) (1) (1) (2) (2) WEP WEP
LAN
(ICV) CRC-32 ICV AP
WEP ICV 3 CRC Fail WEP XOR
Figure residue (WEP ICV/CRC-32 bit-flip illustration): bit strings for frames F1/C1, F2 and F3/C3 with XOR masks 110 and 101, and the resulting ICV (F3 + C3).
802.11 1997 802.11 WEP LAN!!
802.11 WEP
LAN
LAN 802.11
LAN VPN TKIP 802.1X
AAA
802.11 VPN PKI AAA
802.11 802.1X 2 (EAP) AP AAA PKI
802.1X RADIUS AP RADIUS RADIUS
EAP LAN EAP-Cisco (aka LEAP) EAP-TLS ( ) EAP-PEAP ( EAP) / EAP-TTLS ( TLS) /
EAP-Cisco Windows 95-XP Windows CE Macintosh OS 9.X 10.X Linux (WGB 340 350) (BR350 )
EAP-Cisco RADIUS Cisco ACS Cisco AR Funk Steel Belted RADIUS Interlink Merit Microsoft Active Directory ( )
EAP-Cisco RADIUS NT/AD AP RADIUS RADIUS AP,
EAP-TLS Windows 2000, XP EAP-TLS RADIUS Cisco ACS, Cisco AR, MS IAS RADIUS Windows 2000 Server
EAP-TLS RADIUS AP AP,
EAP-TTLS TLS (CHAP, PAP ) EAP-PEAP TLS EAP (EAP-GTC, EAP-MD5 )
CA EAP-TLS / LDAP Unix NT/AD Kerberos
EAP-TLS RADIUS AAA AP AP,
EAP-TLS RADIUS AAA AP EAP EAP AP,
EAP-MD5 WLAN
EAP-Cisco RADIUS RADIUS AP
Table residue: feature comparison of EAP-MD5, EAP-Cisco, EAP-TLS, EAP-TTLS/PEAP and VPN against the AP (row labels lost; cells marked X and X*, with a footnote *).
T (TKIP) WEP VPN 3DES HMAC-SHA1 HMAC-MD5
TKIP Cisco
IV IV IV WEP WEP WEP IV
IV WEP Hash XOR IV WEP IV IV IV WEP WEP WEP IV
IV 802.11 IV 2^24 ( 0 16.7M) WEP 802.1X IV/
(MIC) IV/WEP
Figure residue (MIC frame format): WEP frame 802.11 header | IV | LLC SNAP | ... | ICV (WEP-encrypted); with MIC: 802.11 header | IV | LLC SNAP | MIC | SEQ | ... | ICV (WEP-encrypted).
Figure residue (MIC computation): MIC key (Seed 32), SEQ, DA, SA and LLC SNAP are fed to the MMH hash to produce the 4-byte MIC.
802.1X WEP
Table residue: comparison of WEP, TKIP and VPN (rows include IV and AirSnort; other row labels lost; cells marked X).
LAN 802.11 VPN TKIP 802.1X
802.11 VPN VPN
802.11 VPN VPN WLAN
802.11 VPN AP
802.11 VPN ( ) IP ARP
802.11 VPN IP ( ) UDP DNS DHCP ESP ( 50)
802.11 VPN IP DNS DHCP IKE ( 500)
802.11 VPN AP
802.11 VPN 3 ACL ESP IKE ICMP DHCP DNS
VPN ACLs VPN, DHCP, DNS VPN Si VPN AAA
802.11 VPN Si Si ACLs to Allow VPN, DHCP, DNS Si Si VPN VPN VLAN
802.11 VPN VPN CPE IPSec AP
802.11 VPN WAN ACLs to Allow VPN, DNS, DHCP WAN AP Si VPN AP
802.11 VPN VPN WAN WAN WAN ACLs VPN, DHCP,DNS Si AP
802.11 VPN VPN WAN
802.11 VPN s ACLs VPN IPSec IPSec AAA
802.11 VPN IPSec ACLs to Allow VPN Si IPSec VPN AAA
802.11 VPN 30% 40%
802.11 VPN IP IPX AppleTalk 802.11e QoS VPN WLAN IP/ESP
802.11 VPN WLAN Barcode, 802.11 2 ESP 3 IP
TKIP 802.1X EAP-Cisco EAP-TLS Cisco AP
TKIP 802.1X AP VPN, 11.10T1 TKIP 11.10T1 / VPN 4.25.10 NDIS 6.97 TKIP 4.25.23 NDIS 8.01.06
TKIP 802.1X RADIUS EAP-Cisco ACS v2.6 v3.0 AR v1.7 Funk Steel Belted RADIUS 3.0 Interlink RAD-E v5.1 EAP-TLS ACS v3.0 MS IAS 2000
TKIP 802.1X TKIP
TKIP 802.1X RADIUS AP NAS RADIUS RADIUS 27
TKIP 802.1X Si Si CA RADIUS
TKIP EAP-Cisco Cisco 340/350 Cisco EAP-Cisco (LEAP) Windows
TKIP EAP-Cisco 802.1X 10
TKIP EAP-Cisco RADIUS NT /W2K Active Directory
TKIP EAP-Cisco EAP-Cisco v11.10t1
TKIP EAP-Cisco EAP-Cisco NT/W2K AD EAP-Cisco RADIUS
TKIP EAP-TLS WinXP Win2K SP3 OS SSID
TKIP EAP-TLS
TKIP EAP-TLS CA MS CA Win2K
TKIP EAP-TLS RADIUS Cisco ACS Microsoft IAS Microsoft Win2k CA
TKIP 802.1X RADIUS WAN WAN WAN Si
WAN 802.1X
WAN 802.1X QoS WAN 802.1X RADIUS DSCP AF31/IP 3 LLQ CBWFQ RADIUS 1.5 KB 8 Kbps 5
TKIP 802.1X IEEE, 802.11 802.11 E, F, H, I
TKIP 802.1X WEP MIC 5% 15%
TKIP 802.1X ( ) RADIUS 300 600 ms
RADIUS (PSPF)
RADIUS AP RFC2866 RADIUS ; AP
RADIUS AP AP AP
RADIUS EAP EAP EAP / / MAC
RADIUS RADIUS / / ID NAS ( ) IP
RADIUS -> / /
RADIUS / EAP EAP
WLAN AP BSS
PSPF
IEEE 802.11i TKIP (WiFi) AES
AES 3DES NIST Rijndael 128,192, 256
AES (OCB ) (CCM )
Table residue: comparison of TKIP/802.1X and IPSec VPN: key length (bits) 128 vs 168; cipher RC4 vs 3DES; integrity CRC32/MIC vs MD5-HMAC/SHA-HMAC; ACL; CA; OTP; IP; Static WEP 128; client PC/PAD and OS support; QoS.
Figure residue (EAP-SIM authentication flow between client, AP, RADIUS server and AuC): identity 1IMSI@realm, GetAuthInfo to the AuC, MAC_RAND to the client, SIM-Resp / EAP-Resp carrying MAC_SRES, Authenticated.