Saturday, October 30, 2010

Wi-Fi Direct Formally Certifies Soft-AP Functionality

To follow up on my previous post regarding the security threats associated with virtualized AP functionality (soft-APs), it is important for network administrators to understand that the forthcoming Wi-Fi Alliance certification for Wi-Fi Direct functionality does allow devices in a group to cross-connect other group members into the larger infrastructure network.

Practically, this means that a device, such as a laptop, can simultaneously be connected to the infrastructure as a client as well as establish a Wi-Fi Direct group session with one or many other group members, then allow those group members to access resources in the infrastructure.

The Wi-Fi Direct cross-connect functionality is explained on the Wi-Fi Alliance's webpage.

All devices certified under the Wi-Fi Direct program will allow the user to connect to an infrastructure or a Wi-Fi Direct-certified network. Some devices certified under the Wi-Fi Direct program will support connections to both an infrastructure network and Wi-Fi Direct-certified group at the same time (e.g. a laptop may support an infrastructure connection while also belonging to a Wi-Fi Direct-certified group). Simultaneous connection to a Wi-Fi Direct-certified group and an infrastructure network is an optional feature.

Can a network based on devices certified under the Wi-Fi Direct program cross connect to an infrastructure network for internet connectivity?
Yes. A single device in a Wi-Fi Direct-certified group network may share internet connectivity with other devices in the network by creating simultaneous infrastructure and Wi-Fi Direct connections. A network of devices certified under the Wi-Fi Direct program operates in a security domain separate from the infrastructure network, even when cross-connected.

The mention of separate "security domains" is interesting, and implies that the security posture of the Wi-Fi Direct group may differ from that of the infrastructure. For example, if the infrastructure requires 802.1X/EAP authentication and WPA2-AES encryption, the Wi-Fi Direct group does not need to abide by that policy and may use WPA2-PSK instead. And sure enough, this inference is validated:

Group networks based on the specification underlying the Wi-Fi Direct program operate in a security domain that is independent from any infrastructure network. This means that they have protection of the security features certified under the WPA2 program, but are managed separately from the security system in the AP-based network (home, enterprise, hotspot). This means both the group networks based on the specification underlying the Wi-Fi Direct program and the infrastructure networks can be protected, but users don’t need credentials for the infrastructure network to connect to the network based on the specification underlying the Wi-Fi Direct program.

Additionally, since Wi-Fi Direct will be backwards compatible with clients that are not certified under the Wi-Fi Direct program, and only one group member needs to be Wi-Fi Direct capable, this will have implications for rogue AP detection as well. One group member will provide the connection to the rest of the group in lieu of an infrastructure AP. Because of this and the backwards compatibility, the central Wi-Fi Direct group member may be acting as a soft-AP to provide the group communication framework.

The underlying specification connects devices using an approach similar to the traditional AP-to-client connection used in Wi-Fi CERTIFIED infrastructure networks. One Wi-Fi Direct-certified device will provide the connection to other participants in a group of Wi-Fi Direct-certified devices in lieu of an AP. A device certified under the Wi-Fi Direct program does not require special hardware compared to traditional Wi-Fi AP devices.

Will Wi-Fi Direct work with legacy devices?
Yes. A legacy Wi-Fi CERTIFIED station device can connect with a Wi-Fi Direct device.

So, what can network administrators do to protect their networks? One of the FAQ answers addresses this specifically by stating that the infrastructure APs can identify clients connecting to the infrastructure as supporting Wi-Fi Direct and may disallow their association. However, as with all things, there is a catch (and it's a fairly obvious one). In order for APs to prevent clients implementing Wi-Fi Direct (presumably either in an active Wi-Fi Direct group or not) from connecting to the infrastructure, the AP firmware must be upgraded to recognize Wi-Fi Direct capable clients. Additionally, the clients must be honest in reporting their capability to the infrastructure. Trusting clients to report the truth is a HUGE leap of faith, especially in matters of security where attackers will be all too happy to falsify capability reports to gain entry. (Just see NAC / NAP endpoint scanning and reporting falsification for a history lesson on how well that goes over!)

Wi-Fi Direct-certified devices will be identifiable as Wi-Fi Direct-certified devices to infrastructure access points. APs can prevent devices currently using Wi-Fi Direct from connecting to the AP, or disconnect them if already connected, while Wi-Fi Direct is in use and/or configure their parameters including channel. The technology behind the Wi-Fi Direct certification program will be important for enterprise environments, enabling applications such as file transfer, printing, and display in the absence of a suitable WLAN. We also expect that the specification will be used in enterprises to temporarily connect mobile data terminals and other portable devices for short-term tasks such as data transfer.
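The AP-side check quoted above only sees what a client chooses to advertise. As an added example (not from the original post or the Wi-Fi Alliance FAQ), this Python sketch looks for the P2P information element (vendor-specific element, Wi-Fi Alliance OUI 50:6F:9A, type 9), its group-owner and cross-connection capability bits, and the "DIRECT-" SSID prefix, as defined in the published Wi-Fi P2P specification. The sample frames are constructed, and the last one shows that a client which simply leaves the element out is not flagged.

```python
import struct

WFA_OUI_P2P = bytes.fromhex("506f9a09")      # Wi-Fi Alliance OUI + P2P OUI type
EID_SSID, EID_VENDOR = 0, 221                # 802.11 element IDs
ATTR_P2P_CAPABILITY = 2                      # P2P attribute ID
GROUP_OWNER, CROSS_CONNECTION = 0x01, 0x10   # Group Capability bitmap bits

def tlvs(blob, len_fmt, hdr):
    """Yield (id, value) pairs; stop on a truncated entry rather than over-read."""
    i = 0
    while i + hdr <= len(blob):
        ident = blob[i]
        (length,) = struct.unpack_from(len_fmt, blob, i + 1)
        value = blob[i + hdr:i + hdr + length]
        if len(value) < length:
            return
        yield ident, value
        i += hdr + length

def p2p_indicators(elements: bytes) -> dict:
    """Inspect the tagged parameters of a beacon, probe or association request."""
    out = {"p2p_ie": False, "direct_ssid": False,
           "group_owner": False, "cross_connect": False}
    for eid, value in tlvs(elements, "<B", 2):
        if eid == EID_SSID and value.startswith(b"DIRECT-"):
            out["direct_ssid"] = True
        elif eid == EID_VENDOR and value[:4] == WFA_OUI_P2P:
            out["p2p_ie"] = True
            # P2P attributes use a 1-byte ID and a 2-byte little-endian length.
            for attr, body in tlvs(value[4:], "<H", 3):
                if attr == ATTR_P2P_CAPABILITY and len(body) == 2:
                    out["group_owner"] = bool(body[1] & GROUP_OWNER)
                    out["cross_connect"] = bool(body[1] & CROSS_CONNECTION)
    return out

def ie(eid, value):
    return bytes([eid, len(value)]) + value

# Constructed sample frames (tagged parameters only), not captured traffic.
P2P_CAP = bytes([ATTR_P2P_CAPABILITY]) + struct.pack("<H", 2)
GO_BEACON = ie(0, b"DIRECT-xy-laptop") + ie(
    221, WFA_OUI_P2P + P2P_CAP + bytes([0x00, GROUP_OWNER | CROSS_CONNECTION]))
HONEST_ASSOC = ie(0, b"CorpNet") + ie(221, WFA_OUI_P2P + P2P_CAP + bytes([0, 0]))
SILENT_ASSOC = ie(0, b"CorpNet")  # same client with the P2P IE left out

if __name__ == "__main__":
    for name, frame in [("GO beacon", GO_BEACON), ("honest assoc", HONEST_ASSOC),
                        ("silent assoc", SILENT_ASSOC)]:
        print(name, p2p_indicators(frame))
```

Because the association-time check cannot see the silent case, over-the-air monitoring for group-owner beacons such as the first sample is the complementary control.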

Wi-Fi Direct certification seems to me to be a formalized soft-AP functionality for Wi-Fi devices. Interesting indeed!

Let's at least hope Wi-Fi Direct clients will "play by the rules" and implement ALL infrastructure AP functionality to ensure network performance. I don't want to be seeing some silly beacon intervals at 10ms.

Also, the mention of the "pre-association discovery method" may have ramifications for the performance of the RF channel if clients attempt discovery too often. Client probing behavior in an infrastructure BSS can be bad enough with some manufacturers' proprietary algorithms, and that only happens when clients have triggered their internal roam threshold parameters. Now add on top of that Wi-Fi Direct pre-association discovery frames from multiple clients in your environment, and we could see channel utilization increase dramatically if implemented poorly.

There's never a dull moment in this industry, I guess.

-Andrew

3 comments:

  1. Very nice post Andrew. I hadn't had a chance to dig into Wi-Fi Direct yet, but now I have to make time. Holy smokes. This is very helpful. You're SO right about "trusting clients."

    Devinator

  2. Good analysis, especially re: security

  3. Hey, Andrew

    I've read the spec, but I'm still confused about 'device address' and 'interface'. Would you tell me what the difference is, and where these two addresses come from? They are not the MAC address of the P2P device.

    Daniel
