I took a look at the draft and found some fundamental problems.  I would
suggest review by IEEE 802.11 before proceeding.

A few of the issues are noted below.

   In WLAN, a number of security
   mechanisms on link layer make MAC address a strong enough binding
   anchor, for instance, 802.11i, WAPI, WEP.


[BA] WAPI and WEP are most certainly *not* "strong enough" for 802.11
security, let alone to be considered a "strong enough" binding
mechanism.

IEEE 802.11i has long ago been obsoleted by more recent IEEE 802.11
specifications, so I'd be concerned this is also not an appropriate
reference.


If MAC address has no protection, attackers can spoof MAC address to
succeed in validation.


[BA] While this statement is true, the inverse statement (that
spoofing is prevented by protection) is not true.


WLAN security does not prevent one authenticated station from spoofing
multicast packets from another authenticated station.


   An individual procedure handles binding DHCP addresses to MAC
   addresses.  This procedure snoops the DHCP address assignment
   procedure between attached hosts and DHCP server.  DHCP snooping in
   WLAN is the same as that in wired network specified in RFC7513
   [RFC7513 <https://tools.ietf.org/html/rfc7513>].

   An individual procedure handles binding stateless addresses to MAC
   addresses.  This procedure snoops Duplicate Address Detection
   procedure.  ND snooping in WLAN is the same as that in wired network
   specified in [RFC6620 <https://tools.ietf.org/html/rfc6620>].


[BA] These paragraphs do not mention ARP, so either the draft does not
apply to IPv4 at all, or it cannot handle IPv4 static addresses.


   2.  A host leaves this access point.  The entries for all related MAC
       addresses in MAC-IP table MUST be cleared.


[BA] This advice, if implemented, would break basic WLAN roaming
functionality, which allows a station to seamlessly move its point of
attachment.
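The binding procedures quoted above (DHCP snooping, ND snooping, and clearing entries when a host leaves), as an added example that is not from the draft or from this message; the class, station MACs and addresses are constructed for illustration, and the roaming and static-IPv4 cases show the two gaps raised in the comments:

```python
# Added example: a minimal model of the per-AP MAC-IP binding table that
# draft-bi-savi-wlan describes. Bindings are learned by snooping DHCP
# assignments and IPv6 DAD; a frame is accepted only if its (MAC, source IP)
# pair matches a learned binding. All MACs and addresses are constructed.
from dataclasses import dataclass, field

@dataclass
class ApBindingTable:
    """Per-access-point MAC-IP table, built the way the draft's procedures do."""
    bindings: dict = field(default_factory=dict)   # (mac, ip) -> how it was learned

    def snoop_dhcp_ack(self, mac, ip):
        """DHCP snooping: a DHCPACK seen for `mac` binds the leased address."""
        self.bindings[(mac, ip)] = "dhcp"

    def snoop_dad(self, mac, ip, duplicate):
        """ND snooping: bind a stateless address only when DAD finished undisputed."""
        if not duplicate:
            self.bindings[(mac, ip)] = "dad"

    def validate(self, mac, src_ip):
        """Source address validation: accept only a (MAC, source IP) pair that was learned."""
        return (mac, src_ip) in self.bindings

    def host_left(self, mac):
        """The draft's 'host leaves this access point' step: drop every entry for that MAC."""
        self.bindings = {k: v for k, v in self.bindings.items() if k[0] != mac}

def demo():
    ap1, ap2 = ApBindingTable(), ApBindingTable()
    sta = "aa:bb:cc:00:00:01"                       # constructed station MAC
    ap1.snoop_dhcp_ack(sta, "192.0.2.10")            # learned from a snooped DHCPACK
    ap1.snoop_dad("aa:bb:cc:00:00:02", "2001:db8::2", duplicate=False)
    ap1.snoop_dad("aa:bb:cc:00:00:03", "2001:db8::2", duplicate=True)  # lost DAD, not bound
    r = {
        "dhcp_bound": ap1.validate(sta, "192.0.2.10"),
        "wrong_ip": ap1.validate(sta, "192.0.2.99"),
        "dad_bound": ap1.validate("aa:bb:cc:00:00:02", "2001:db8::2"),
        "dad_loser": ap1.validate("aa:bb:cc:00:00:03", "2001:db8::2"),
        # The draft defines no ARP snooping path, so a static IPv4 host never gets a binding.
        "static_v4": ap1.validate("aa:bb:cc:00:00:04", "192.0.2.50"),
    }
    # Roaming: the station moves to ap2 without renewing its DHCP lease.
    # ap1 clears its entry as the draft requires, and ap2 has nothing to match.
    ap1.host_left(sta)
    r["ap1_after_leave"] = ap1.validate(sta, "192.0.2.10")
    r["ap2_without_relearn"] = ap2.validate(sta, "192.0.2.10")
    return r
```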


On Thu, Oct 18, 2018 at 3:39 PM Suresh Krishnan <sur...@kaloom.com> wrote:

> Hi all,
>    I am considering AD sponsoring the following draft
>
> https://tools.ietf.org/html/draft-bi-savi-wlan-15
>
> that describes a source address validation solution for WLAN. If you have
> any concerns either with the content of the draft, or about me AD
> sponsoring it please let me know before 2018/11/18.
>
> Thanks
> Suresh
>
> NOTE: I have CCed: all the working groups that I thought could be
> potentially interested in this work. If you think I have missed out
> some WG(s) please let me know.
>
> _______________________________________________
> Int-area mailing list
> Int-area@ietf.org
> https://www.ietf.org/mailman/listinfo/int-area
>