Network Working Group
Internet Draft
Document: draft-gpaterno-wireless-pppoe-06.txt       Giuseppe Paterno'
Expires: May 2003                                        December 2002


     Using PPP-over-Ethernet (PPPoE) to authenticate Wireless LANs


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.   Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.   It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
        http://www.ietf.org/ietf/1id-abstracts.txt
   The list of Internet-Draft Shadow Directories can be accessed at
        http://www.ietf.org/shadow.html.

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
   this document are to be interpreted as described in [RFC-2119].

Abstract

   This document explores the use of Point-To-Point Protocol over
   Ethernet (PPPoE) to provide access to the Internet and suggests how
   the infrastructure can be deployed. The document targets consumers,
   corporations, Internet Service Providers, and mobile phone operators
   that provide user access through Wireless LAN technologies such as
   IEEE 802.11.

G. Paterno'                   Experimental                      [Page 1]

Internet-Draft  Using PPPoE to authenticate Wireless LANs  December 2002


Table of Contents

   Status of this Memo
   Conventions used in this document
   Abstract
   Table of Contents
   1. Introduction
   2. Current Wireless LAN scenario
   2.1. Wireless standard IEEE 802.11 and security concerns
   2.2. Existing authentication methodologies
   3. Proposed solution
   3.1. A layered approach
   3.2. The authentication layer: PPPoE
   3.3. The encryption layer
   4. An architecture example
   5. Conclusions
   Acronyms
   References
   Copyright and disclaimer
   Acknowledgments
   Author's addresses


1. Introduction

   Current wireless LAN technologies provide a weak security
   architecture that can be broken by motivated malicious users.
   Moreover, these technologies are not able to uniquely identify the
   user that is accessing the network: as a result, corporations, ISPs,
   and mobile operators are unable to apply appropriate rights and/or
   services to the end-users.

   This document proposes the adoption of the Point-To-Point Protocol
   over Ethernet as an authentication methodology in wireless LANs and
   as an additional security component.  Furthermore, it explores how
   consumers, corporations, ISPs, and mobile operators will benefit from
   the adoption of PPPoE as an alternative solution to IEEE 802.1X.


2. Current Wireless LAN scenario

   The need for mobility and network coverage in open spaces or places
   where cabling is difficult (such as airports, hospitals, warehouses
   or old buildings) has accelerated the development of wireless
   alternatives.  Different technologies exist for transmitting data
   "over-the-air", for example GSM Packet Radio Service (GPRS),
   Bluetooth, and IEEE 802.11, also known as Wireless Ethernet or
   Wireless Fidelity (Wi-Fi).

2.1. Wireless standard IEEE 802.11 and security concerns

   The most successful technology in wireless LANs is IEEE 802.11 [10],
   thanks to its easy configuration, flexibility and performance at low
   cost. In particular, the extension named IEEE 802.11b [15] (also
   referred to as 802.11 High Rate or Wi-Fi), ratified in 1999 as an
   addition to the original 802.11 standard, allows wireless
   functionality comparable to Ethernet.

   IEEE 802.11 focuses mainly on Wireless LAN Medium Access Control (MAC)
   and Physical Layer (PHY) specifications, but it also specifies an
   optional security feature in the form of encryption, named Wired
   Equivalent Privacy (WEP).  WEP was initially developed to give the
   end user the same protection as a wired network.  Recent studies,
   such as [9] and [11], demonstrated that a malicious user might gain
   access to the network by breaking the WEP keys, without supplying
   any credential.  WEP is based on the RC4 [17] encryption algorithm, a
   function that generates a pseudo-random keystream of unbounded
   length from two arguments: the actual WEP key (referred to as K),
   which might be 40 or 104 bits long, and the Initialization Vector
   (IV), which is 24 bits long.  Each IEEE 802.11 frame payload contains
   both the IV in clear and the cyphertext: the cyphertext is obtained
   by applying XOR between the RC4(IV,K) keystream and the clear text.
   Moreover, a new IV is generated when a frame is transmitted: as the
   IV has 16777216 possible values (2^24), IV values would be repeated
   (i.e. collide) every 5 hours by constantly transmitting at 11 Mb/s.
   With about 1500 IV collisions, and with a probabilistic attack on the
   RC4 algorithm, it is possible to decrypt the transmission and derive
   the original WEP keys.  The document [12] helps in understanding the
   RC4 algorithm weaknesses, and [11] explains how they can be applied
   to break WEP.
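
   The per-frame construction and the IV arithmetic described above, as
   an added Python example that is not part of the original draft: it
   implements standard RC4, encrypts frames under RC4(IV,K), and shows
   why a repeated IV undoes the encryption for the frames that share it.
   The key, IVs and payloads are constructed sample values; the
   1500-octet frame size is an assumption, and the WEP integrity check
   value and the 802.11 framing are omitted.

```python
# Added illustration: WEP-style encryption and the cost of a 24-bit IV.
# Key, IVs and payloads below are constructed sample values.

IV_BITS = 24


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by output generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, k: bytes, clear: bytes) -> bytes:
    """Return the IV in clear followed by clear XOR RC4(IV || K)."""
    if len(iv) * 8 != IV_BITS:
        raise ValueError("the WEP IV is 24 bits long")
    if len(k) * 8 not in (40, 104):
        raise ValueError("the WEP key K is 40 or 104 bits long")
    return iv + xor_bytes(clear, rc4_keystream(iv + k, len(clear)))


def wep_decrypt(frame: bytes, k: bytes) -> bytes:
    """Inverse of wep_encrypt: the receiver reads the IV from the frame."""
    iv, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv + k, len(body)))


def reused_iv_leak(frame_a: bytes, frame_b: bytes):
    """If both frames carry the same IV, the keystream cancels out and
    cyphertext_a XOR cyphertext_b equals clear_a XOR clear_b; else None."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor_bytes(frame_a[3:], frame_b[3:])


def hours_to_exhaust_ivs(rate_bps: float = 11_000_000,
                         frame_octets: int = 1500) -> float:
    """Hours until 2^24 IVs are used at a constant rate (one IV per frame)."""
    frames_per_second = rate_bps / (frame_octets * 8)
    return (2 ** IV_BITS) / frames_per_second / 3600


K = bytes.fromhex("0102030405")          # constructed 40-bit key
IV_1 = bytes.fromhex("a1b2c3")           # constructed IVs
IV_2 = bytes.fromhex("a1b2c4")
CLEAR_A = b"GET /index.html HTTP/1.0"    # constructed payloads
CLEAR_B = b"GET /login.html HTTP/1.0"

if __name__ == "__main__":
    frame_a = wep_encrypt(IV_1, K, CLEAR_A)
    frame_b = wep_encrypt(IV_1, K, CLEAR_B)   # same IV: a collision
    leak = reused_iv_leak(frame_a, frame_b)
    print("IV space exhausted after %.2f hours" % hours_to_exhaust_ivs())
    print("keystream cancelled:", leak == xor_bytes(CLEAR_A, CLEAR_B))
```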

   The Wired Equivalent Privacy therefore gives a false sense of
   security to the end-user: sensitive data that is not encrypted in the
   presentation layer, through SSL for example, would be easily
   eavesdropped.

   Using layer 3 network addresses over the wireless LAN also raises
   some concerns. For example, the use of DHCP might represent a
   disadvantage for those service providers that are unable to identify
   a specific user, typically for authorisation and accounting purposes.
   We must also consider that, once a malicious user gains access to the
   WEP keys, DHCP immediately gives an IP address and network
   information to the intruder (DNS, WINS, routing, etc.).

   Many manufacturers of APs introduced another security feature by
   providing the ability to identify the MAC addresses of network cards
   permitted to use the AP, also known as MAC filtering.  The use of MAC
   addresses introduces some issues, one of manageability: if a user
   changes the wireless adapter, for example to replace a broken one,
   he/she should contact the ISP and provide the new MAC address.
   Another issue is that MAC addresses can be changed easily and guessed
   by malicious users to gain access to the Wireless LAN.

2.2. Existing authentication methodologies

   The IEEE 802.1X standard [2], based on Extensible Authentication
   Protocol over LAN (EAPOL), has been proposed to address the security
   concerns of Wireless LANs. The protocol has been designed to provide
   user authentication for both wireless and wireline LANs, giving
   corporations the opportunity to provide their users with
   personalised services such as grouping in specific Virtual LANs.

   While the enhancements proposed by both IEEE 802.1X and the work-in-
   progress IEEE 802.11i could improve the security of 802.11 networks,
   these solutions are coming to market too late, causing impatient
   vendors to implement proprietary solutions. These vendors may not be
   willing to replace these proprietary fixes with 802.11i as it becomes
   available.

   Many of the high-end AP manufacturers have nevertheless embraced the
   IEEE 802.1X standard, sometimes with proprietary extensions: although
   802.1X provides flexibility and extended LAN support, purchasing
   compliant hardware is still an expensive solution for small
   businesses and consumers. In fact, as of today, many of the Wireless
   Access Points and hubs/switches do not support EAPOL.  Furthermore,
   much 802.1X compliant hardware does not implement the dynamic WEP-key
   exchange feature [2] (EAPOL-Key), adding potential security issues.

   Most consumers, small ISPs and small corporations will not be able to
   afford such equipment, but are nevertheless in need of security and
   of being able to identify users that are accessing their resources:
   in fact, some malicious users today are gaining access to home users'
   equipment through WLANs in order to attack remote sites and preserve
   their anonymity.

   It should also be considered that many ISPs and mobile operators
   are not interested in implementing encryption for their customers,
   for example for public Internet access; nevertheless they need to
   identify the user for billing purposes.  The ideal solution for ISPs
   and mobile operators would integrate with the existing dial-up
   infrastructure (modem, GPRS, etc.) with little effort, and should
   bring the same subscribed services (fixed IP address, Quality of
   Service, etc.) to the end user.


3. Proposed solution

3.1. A layered approach

   As suggested by the OSI specifications, a good solution might be the
   adoption of a layered approach, focusing on specific aspects of a
   given layer.  The advantage of analysing physical/data link,
   authentication, and encryption separately is that the resulting
   framework allows changes in one layer to occur without affecting the
   other layers.  As Wireless LANs, including IEEE 802.11, evolve and
   new standards become available, authentication and encryption will
   remain unchanged, or vice versa.

   The schema below summarises the proposed authentication layer and the
   resulting framework:


   +-------+ +-------+ +----------------+
   | HTTPS | | IMAPS | | Other secure   |        Application Layer
   |       | |       | | protocol (TLS) |
   +-------+ +-------+ +----------------+

   +-------+ +------------+ +-----------+
   | IPSec | |   Other    | |   MPPE    |
   |       | | encryption | |    PPP    |        Encryption Layer
   +-------+ +------------+ | extension |        (optional)
                            |           |
   +------------------------+           |
   |        Point-To-Point Protocol     |        Authentication Layer
   +------------------------------------+

   +--------+ +----------+ +------------+
   | 802.11 | | HiperLAN | | Other WLAN |        Physical/Data Link Layer
   +--------+ +----------+ +------------+


3.2. The authentication layer: PPPoE

   With the introduction of cable and ADSL technologies, ISPs have
   adopted a methodology for resolving the authentication layer problem
   for the broadband world.

   In their standard configuration, these technologies are able to
   emulate an Ethernet network. Although DHCP is easy to deploy for a
   Service Provider, and to configure from a user perspective, it does
   not provide a way to authenticate the user, and therefore cannot be
   used for accounting or authorization.

   This need was solved with the introduction of the Point-To-Point
   Protocol over Ethernet (PPPoE), described in [1].  Through the
   adoption of this protocol, access control, billing, and several types
   of services can be performed on a per-user, rather than a per-site or
   cell basis.

   The 802.11 technology, in a similar way to the previous broadband
   technologies, is able to emulate an Ethernet network.  The idea then
   is to apply PPPoE technology to Wireless LANs. The advantage is
   clear: consumers, corporations, Internet Service Providers, and
   mobile operators can perform authentication, authorisation, and
   accounting easily on the wireless users without adding new components
   and, more importantly, with little effort.

   A practical aspect of this technology might be to provide, for
   example, fixed IP addresses to a roaming wireless user: wherever the
   user is located, he/she can have his/her IP address and subscribed
   class of services.

   Furthermore, the use of PPP will introduce another obstacle to
   malicious users, who would have to break both the WEP and the PPP
   layer to gain access to the IP-based network. It is envisaged that
   passwords must not be exchanged through the Password Authentication
   Protocol (PAP), since PAP transmits passwords in cleartext: a
   stronger protocol such as MS-CHAPv2 [4], EAP-TLS [5] or better should
   be used instead.
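
   One way to check this recommendation on captured traffic, as an added
   Python example that is not part of the original draft: it reads the
   Authentication-Protocol option (type 3) of a PPP LCP
   Configure-Request and reports whether the peer is asking for PAP.
   The sample packets are constructed and the function names are
   hypothetical; the EAP method (for example EAP-TLS) is chosen later
   inside EAP and is not visible at this stage.

```python
# Added illustration: which authentication protocol does an LCP
# Configure-Request ask for?  Sample packets are constructed.
import struct

LCP_CONFIGURE_REQUEST = 1
OPT_AUTH_PROTOCOL = 3
AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP", 0xC227: "EAP"}
CHAP_ALGORITHMS = {0x05: "CHAP-MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAPv2"}


def lcp_auth_protocol(lcp: bytes):
    """Return the requested authentication protocol name, or None when the
    packet is not a Configure-Request or carries no such option."""
    if len(lcp) < 4:
        raise ValueError("truncated LCP header")
    code, _identifier, length = struct.unpack("!BBH", lcp[:4])
    if length < 4 or length > len(lcp):
        raise ValueError("LCP length field does not match the packet")
    if code != LCP_CONFIGURE_REQUEST:
        return None
    pos = 4
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated option header")
        opt_type, opt_len = lcp[pos], lcp[pos + 1]
        if opt_len < 2 or pos + opt_len > length:
            raise ValueError("option length runs past the packet")
        data = lcp[pos + 2:pos + opt_len]
        if opt_type == OPT_AUTH_PROTOCOL:
            if len(data) < 2:
                raise ValueError("Authentication-Protocol option too short")
            (proto,) = struct.unpack("!H", data[:2])
            if proto == 0xC223 and len(data) >= 3:
                # CHAP carries one extra octet naming the algorithm.
                return CHAP_ALGORITHMS.get(data[2], "CHAP-0x%02x" % data[2])
            return AUTH_PROTOCOLS.get(proto, "unknown-0x%04x" % proto)
        pos += opt_len
    return None


def audit(packets):
    """Return (protocol, cleartext_password) for each Configure-Request."""
    results = []
    for packet in packets:
        name = lcp_auth_protocol(packet)
        results.append((name, name == "PAP"))
    return results


# Constructed Configure-Requests: MRU option (1492) + Authentication-Protocol.
SAMPLE_PAP = bytes.fromhex("0101000c" "010405d4" "0304c023")
SAMPLE_MSCHAPV2 = bytes.fromhex("0102000d" "010405d4" "0305c22381")
SAMPLE_EAP = bytes.fromhex("0103000c" "010405d4" "0304c227")

if __name__ == "__main__":
    for name, cleartext in audit([SAMPLE_PAP, SAMPLE_MSCHAPV2, SAMPLE_EAP]):
        print("%-10s %s" % (name, "REJECT: cleartext password" if cleartext else "ok"))
```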

   From the perspective of a traditional ISP or corporation, there is no
   additional benefit in using PPPoE technology, if compared to IEEE
   802.1X: the concerns of using PPPoE are the PPP frame overhead and
   the MTU size.  However, one aspect must be considered when deploying
   IEEE 802.1X: current implementations are based on EAP-TLS [5].
   Although EAP-TLS is the perfect choice for corporations that have
   already deployed X.509 certificates, it is not for ISPs, mobile
   operators and corporations that do not own or plan to have an X.509
   infrastructure.  Creating and maintaining a PKI infrastructure is
   expensive, especially if a public Certification Authority is used,
   and requires expert human resources dedicated to the PKI.  Moreover,
   if the ISP or corporation already owns non 802.1X compliant Access
   Points, such hardware should be replaced.

   Another advantage of embracing PPPoE for a Network Access Provider
   (NAP) or Network Service Provider (NSP) is that they can provide
   secure access to a corporate gateway, by using Layer 3 routing, Layer
   2 Tunneling Protocol (L2TP), and/or IPSec tunnels in a similar way to
   existing dial-up scenarios (modem, ISDN, ADSL, etc.).  This makes
   the business model of selling wholesale services and Virtual Private
   Dial-up Networks (VPDNs) scalable.

   For consumers, small businesses, and local ISPs the PPPoE MTU
   limitation is not an issue, if compared to the cost of deploying both
   hardware and EAPOL compliant software to the client. The advantage is
   that, by preserving the existing access points and with a simple
   additional component (the PPPoE server), they are able to protect
   their LANs by uniquely identifying the user. As a result, adding a
   PPPoE server is easier than deploying EAPOL with EAP-TLS, which
   requires a more complex infrastructure. Moreover, most of today's
   operating systems include a PPPoE client, resulting in a low cost
   deployment for this technology.

   Finally, Access Point manufacturers can easily embed a PPPoE server
   in their products, that might be distributed as a firmware update,
   and provide an easy user configuration to the consumer, for example
   through a web interface.

   It has been mentioned in the former paragraphs that the use of PPPoE
   has a Maximum Transmission Unit (MTU) issue: as specified in [1],
   the Maximum Receive Unit (MRU) option must not be negotiated to a
   size larger than 1492; Ethernet has a maximum payload size of 1500
   octets. The PPPoE header is 6 octets and the PPP protocol ID is 2
   octets, so that the PPP MTU must not be greater than 1492.  However,
   based on the author's experience, some misbehaved VPN software
   packages add their own overhead to the MTU reported by the PPPoE
   interface, making the network packets too large to pass through a PPP
   over Ethernet connection: reducing the MTU by 32 bytes to 1460 should
   generally suffice.
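
   The frame layout behind these numbers, as an added Python example
   that is not part of the original draft: it builds and parses a PPPoE
   session frame with the field layout of [1] and rejects anything that
   would not fit in a 1500-octet Ethernet payload. The MAC addresses,
   session ID and payloads are constructed sample values, the function
   names are hypothetical, and the 32-octet tunnel overhead is the
   figure used in the paragraph above.

```python
# Added illustration: PPPoE session encapsulation and the 1492-octet limit.
# Addresses, session ID and payloads are constructed sample values.
import struct

ETHERTYPE_PPPOE_SESSION = 0x8864
ETH_HEADER_LEN = 14
ETH_MAX_PAYLOAD = 1500
PPPOE_HEADER_LEN = 6      # ver/type, code, session ID, length
PPP_PROTO_LEN = 2         # PPP protocol ID
MAX_PPP_MTU = ETH_MAX_PAYLOAD - PPPOE_HEADER_LEN - PPP_PROTO_LEN  # 1492
PPP_PROTO_IPV4 = 0x0021


def build_session_frame(dst: bytes, src: bytes, session_id: int,
                        ppp_proto: int, packet: bytes) -> bytes:
    """Ethernet header + PPPoE session header + PPP protocol ID + packet."""
    if len(packet) > MAX_PPP_MTU:
        raise ValueError("packet of %d octets exceeds the PPP MTU of %d"
                         % (len(packet), MAX_PPP_MTU))
    eth = dst + src + struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
    # The PPPoE length field counts the PPP protocol ID plus the packet.
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id,
                        PPP_PROTO_LEN + len(packet))
    return eth + pppoe + struct.pack("!H", ppp_proto) + packet


def parse_session_frame(frame: bytes) -> dict:
    """Validate a PPPoE session frame and return its fields."""
    if len(frame) < ETH_HEADER_LEN + PPPOE_HEADER_LEN + PPP_PROTO_LEN:
        raise ValueError("truncated frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        raise ValueError("not a PPPoE session frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:
        raise ValueError("unexpected PPPoE version/type or code")
    payload = frame[ETH_HEADER_LEN + PPPOE_HEADER_LEN:]
    if length < PPP_PROTO_LEN or length > len(payload):
        raise ValueError("PPPoE length field does not match the frame")
    if length > ETH_MAX_PAYLOAD - PPPOE_HEADER_LEN:
        raise ValueError("PPPoE payload larger than Ethernet allows")
    (ppp_proto,) = struct.unpack("!H", payload[:PPP_PROTO_LEN])
    # Slicing by the length field drops any Ethernet padding after the packet.
    return {"session_id": session_id, "ppp_proto": ppp_proto,
            "packet": payload[PPP_PROTO_LEN:length]}


def fits_pppoe(interface_mtu: int, tunnel_overhead: int = 0) -> bool:
    """True if a packet sized to interface_mtu still fits in one PPPoE frame
    after software has added tunnel_overhead octets on top of it."""
    return interface_mtu + tunnel_overhead <= MAX_PPP_MTU


SRC = bytes.fromhex("020000000001")   # constructed, locally administered MACs
DST = bytes.fromhex("020000000002")

if __name__ == "__main__":
    frame = build_session_frame(DST, SRC, 0x0011, PPP_PROTO_IPV4, b"\x45" * 1492)
    print("largest frame on the wire:", len(frame), "octets")
    print("MTU 1492 with 32 octets of overhead fits:", fits_pppoe(1492, 32))
    print("MTU 1460 with 32 octets of overhead fits:", fits_pppoe(1460, 32))
```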

3.3. The encryption layer

   A Wireless LAN, being over the air, might be considered a public
   switched network, in a similar way to the telephone network. For
   example, in the traditional Plain Old Telephone Service (POTS), a
   malicious user can intercept PPP packets by tapping the phone wire.
   The Wireless LAN can therefore be managed as a dial-up connection,
   and encryption and/or access policies should be applied, such as
   protecting the access through a firewall or a proxy, allowing only
   specific applications.

   It is recommended that users who need privacy add an encryption
   layer on top of their connection, be it a wireless LAN or a
   standard PPP over modem.  There can be different approaches for this
   layer: a simple, but efficient solution for companies, ISPs and
   mobile operators can be the Microsoft Point-To-Point Encryption
   Protocol [6] PPP extension.

   MPPE is an optional PPP extension that is negotiated within option 18
   [16] in the Compression Control Protocol, and uses the Rivest-Shamir-
   Adleman (RSA) RC4 [17] algorithm to provide data confidentiality.
   MPPE can use 40-bit, 56-bit, or 128-bit encryption keys: the 40-bit
   key provides backward compatibility with old clients. It was
   originally designed for encryption across a point-to-point link where
   packets arrive in the same order in which they were sent with little
   packet loss.

   For environments that require stronger privacy, it is recommended to
   use other encryption methodologies to access the corporate LAN, such
   as for example IPSec [7], the de-facto standard Point-to-Point
   Tunneling Protocol (PPTP) [8], or future encryption technologies.


4. An architecture example

   In the previous chapter, the Wireless LAN has been compared to a
   dial-up infrastructure from a security perspective. Using this
   similarity, a typical corporate scenario can be analysed as an
   example.


   +----------+
   | Internet |
   +----------+
        |
   +----------+ (DMZ1) +-------------------------+
   | Firewall |--------| External Proxy/DNS/Mail |
   +----------+        +-------------------------+
        | (DMZ2)
        |              +---------------------------+
        +--------------| Remote Access/VPDN server |
        |              +---------------------------+
        |
        |              +--------------------------+
        +--------------| Wireless Access Point(s) |
        |              +--------------------------+
        |
   +----------+ (DMZ3) +------------------+
   | Firewall |--------| VPN concentrator |
   +----------+   |    +------------------+
      |           |
      |           |    +------------------+  +---------------+
      |           +----| Internal Proxy   |--| Radius Server |
      |                +------------------+  +---------------+
   +----------+
   | Intranet |
   +----------+


   We mentioned that remote access systems, such as modems, are subject
   to "wardialing", i.e. the attempt of a malicious user to guess the
   modem telephone number and access the corporate network. Today,
   most corporate IT security policies do not allow a modem and an
   analogue phone line to be connected to internally connected
   computers. In a security infrastructure, dial-up users are usually
   subject to an IP-based inspection (using a firewall or access lists
   for example) to limit access to corporate resources.  While creating
   a security policy, dial-up users are usually considered more
   "trusted" than global Internet users, since appropriate credentials
   should be required.

   In the example above, a border firewall separates global Internet
   access from both externally visible services (DNS, Mail, Proxy,
   etc.) and remote access users, creating two demilitarised zones,
   DMZ1 and DMZ2 respectively. DMZ2 should be more secure than the
   external services, which can be compromised by a malicious user: this
   zone is suitable for dial-up (be it a RAS server or outsourcing
   through a Virtual Private Dial-up Network) and Wireless LAN users,
   who should supply credentials to gain access to the IP-based network.

   Once a dial-up/wireless user has obtained access, a second firewall
   connects the DMZ2 to a DMZ3 and the corporate Intranet. DMZ3 hosts a
   RADIUS server to authenticate users, an internal proxy and a VPN
   concentrator, if not included with the firewall. The VPN concentrator
   implements the encryption layer, offering a secure connection to the
   Intranet. An optional data flow, if encrypted, can be established
   from DMZ2 to the Intranet, for example IMAPS or HTTPS, so that VPN
   will be required only for specific unencrypted applications, such as
   TN3270E mainframe access.

5. Conclusions

   At the time of writing, it is extremely easy from a malicious user's
   perspective to gain access to wireless networks, even if encrypted.
   Many Wireless LANs are unencrypted and their access points are
   configured to release dynamic IP addresses through the Dynamic Host
   Configuration Protocol. In such a configuration, it is even easier
   for an intruder to gain access to the network. Moreover, this raises
   some legal concerns: in some countries it is not illegal to gain
   access to a network that is not protected in any way or limited
   through a warning statement, for example through the usual
   "restricted area" banner, because the user is not accessing the
   Wireless LAN by "forcing" the system.

   Public services, such as mobile operators, ISPs, and free wireless
   networks, will not take advantage of any evolution of the WEP
   protocol. Today the encryption keys are unique for the whole Wireless
   LAN segment, which means that keys should be made publicly
   available, in turn making the WEP protection mechanism ineffective.

   For consumers and corporations, using WEP or future protocols to
   encrypt "over-the-air" transmission is still an advantage: although
   it is easy to decrypt, the intruder would have to be very motivated
   to enter the network, because an observation of thousands of
   interesting packets is needed to gain access to the encryption keys.

   Through this paper the author analyses the advantages of using the
   Point-To-Point Protocol over Ethernet as a solution for a Wireless
   LAN authentication layer: it has been demonstrated that, through the
   reuse of existing elements of the network and without changing the
   existing infrastructure, consumers, corporations and Internet Service
   Providers can take advantage of PPPoE, resulting in a more secure
   environment with no or little additional cost.

   After a draft of this document was released to the public, some
   implementations of PPPoE authentication were deployed, demonstrating
   the willingness to implement this methodology: in fact, some premier
   universities, institutions and private users, including free access
   city wireless networks, implemented PPPoE solutions for their
   Wireless LANs.

Acronyms

   ADSL ............. Asymmetric Digital Subscriber Line
   AP ............... Access Point
   DMZ .............. Demilitarised Zone
   EAPOL ............ Extensible Authentication Protocol over LAN
   GPRS ............. GSM Packet Radio Service
   GSM .............. Global System for Mobile Communications
   IEEE ............. Institute of Electrical and Electronics Engineers
   ISP .............. Internet Service Provider
   MPPE ............. Microsoft Point-to-Point Encryption Protocol
   MRU .............. Maximum Receive Unit
   MTU .............. Maximum Transmission Unit
   NAP .............. Network Access Provider
   NSP .............. Network Service Provider
   POTS ............. Plain Old Telephone Service
   PPPoE ............ Point-To-Point Protocol over Ethernet
   PPTP ............. Point-To-Point Tunneling Protocol
   SSL .............. Secure Sockets Layer
   TLS .............. Transport Layer Security
   VLAN ............. Virtual LAN
   WEP .............. Wired Equivalent Privacy
   Wi-Fi ............ Wireless Fidelity
   WLAN ............. Wireless LAN


References

   [1]  Mamakos, et al.,
        "A Method for Transmitting PPP Over Ethernet (PPPoE)",
        RFC 2516, February 1999

   [2]  Institute of Electrical and Electronics Engineers,
        "Local and metropolitan area networks Port-Based Network Access Control",
        ANSI/IEEE Standard 802.1X, October 2001

   [3]  Simpson,
        "PPP Challenge Handshake Authentication Protocol (CHAP)",
        RFC 1994, August 1996

   [4]  Zorn,
        "Microsoft PPP CHAP Extensions, Version 2",
        RFC 2759, January 2000

   [5]  Aboba & Simon,
        "PPP EAP TLS Authentication Protocol",
        RFC 2716, October 1999

   [6]  Pall & Zorn,
        "Microsoft Point-To-Point Encryption (MPPE) Protocol",
        RFC 3078, March 2001

   [7]  Kent & Atkinson,
        "Security Architecture for the Internet Protocol",
        RFC 2401, November 1998

   [8]  Microsoft Corporation,
        "Understanding Point-to-Point Tunneling Protocol (PPTP)",
        WhitePaper, September 1999

   [9]  M. Sutton, iDEFENSE Labs,
        "Hacking the Invisible Network. Insecurities in 802.11x",
        WhitePaper, July 2002

   [10] Institute of Electrical and Electronics Engineers,
        "Wireless LAN Medium Access Control (MAC) and
        Physical Layer (PHY) Specifications",
        ANSI/IEEE Standard 802.11, 1999 Edition

   [11] Stubblefield, Ioannidis, and Rubin,
        "Using the Fluhrer, Mantin, and Shamir Attack to Break WEP",
        AT&T Labs Technical Report TD-4ZCPZZ, August 2001

   [12] Fluhrer, Mantin, and Shamir,
        "Weaknesses in the Key Scheduling Algorithm of RC4",
        WhitePaper

   [13] Cisco Systems,
        "Troubleshooting MTU Size in PPPoE Dialin Connectivity",
        WhitePaper

   [14] Cisco Systems,
        "PPPoE Baseline Architecture for the Cisco 6400 UAC",
        WhitePaper

   [15] Institute of Electrical and Electronics Engineers,
        "Wireless LAN Medium Access Control (MAC) and
        Physical Layer (PHY) Specifications:
        Higher-Speed Physical Layer Extension in the 2.4 GHz Band",
        IEEE Standard 802.11b, September 1999

   [16] Pall,
        "Microsoft Point-to-Point Compression (MPPC) Protocol",
        RFC 2118, March 1997

   [17] RC4 is a proprietary encryption algorithm available under
        license from RSA Data Security Inc.  For licensing information,
        contact:

                RSA Data Security, Inc.
                100 Marine Parkway
                Redwood City, CA 94065-1031


Copyright and disclaimer

   Copyright (C) Giuseppe Paterno' (2002).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the author of this document or
   other Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the author or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and Giuseppe Paterno' DISCLAIMS ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgments

   The author of this document wishes to thank Luca Sciortino for his
   precious moral support and his contribution to this document, Silvio
   Danesi and Daniele Todde for providing the technical infrastructure.
   Many thanks go to Maria Di Biccari, Alberto Paterno' and Elisa Stella
   for their patience and loveliness.

Author's addresses

   Giuseppe Paterno'
   Email: gpaterno@gpaterno.com