| Thread Links | Date Links | ||||
|---|---|---|---|---|---|
| Thread Prev | Thread Next | Thread Index | Date Prev | Date Next | Date Index |
Hi All,Based on Alfred's suggestion, I am initiating this mail thread to discuss the serious security issue on MAPC.The door of DoS attack on MAPC was opened by some members suddenly in draft11bn 1.5 via NOTE3 as below:NOTE 3—TSF synchronization between a Co-RTWT coordinating(#6406)(#7969) AP and a Co-RTWT coordinated AP, if performed, is out of the scope of this standard.(#11008) An AP can obtain the TSF of another AP by receiving its Beacon frames ,Probe Response frames.The problem lies in the fact that a MAPC AP has no way to determine whether a Beacon or Probe Response frame originates from a legitimate AP or a fake AP. Thus, an adversary has the opportunity to impersonate a legitimate AP and provide incorrect TSF information via the Beacon and Probe Response frame, which could disrupt the Co-rTWT TSF synchronization function.On the other hand, once a MAPC AP can obtain the TSF from a Beacon frame, other information (such as CSA, ECSA,etc.) in that Beacon can also be retrieved. This leads to other known security issue. (Refer to the paper: “Attacking WPA3: New Vulnerabilities & Exploit Framework”, page 25)To address this issue, one temporary approach to prevent a DoS attack is to remove the text: "An AP can obtain the TSF of another AP by receiving its Beacon frames, Probe Response frames." from the quoted NOTE3.An alternative approach is to include the TSF in the protected MAPC frames. The individually addressed protected MAPC negotiation frame is already defined in the baseline. The missing component is the protected group addressed MAPC Discovery request/response frame, assuming an AP is allowed to overhear the TSF from a group addressed MAPC Discovery request/response frame.For the latter, what is needed is to add BIP protection to the group addressed MAPC Discovery request/response frame. The two APs can then exchange their MAPC IGTK via the MAPC negotiation frame exchange.Anyway, the bottom line in 11bn is that we shall not proactively open any known security issue in MAPC. Once we do that, it will not be ready for the coming letter ballot.Welcome the further insight from our group.ThanksBest RegardsJay Yang (杨志杰)
To unsubscribe from the STDS-802-11-TGBN list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBN&A=1
To unsubscribe from the STDS-802-11-TGBN list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBN&A=1