A New Authenticator

A New Authenticator: An Alternative to Binary Authentication Using Traffic Shaping

Jia Guo
[email protected]
KTH Information and Communication Technology
Master of Science Thesis, Stockholm, Sweden, 2010
TRITA-ICT-EX-2010:299
20 November 2010

Master's Thesis Examiner and Supervisor: Prof. Gerald Q. Maguire Jr.
Department of Communication Systems
School of Information and Communication Technology
Royal Institute of Technology (KTH)
Stockholm, Sweden

Abstract

This thesis is part of a larger project on non-binary alternatives to authentication, in contrast to the binary authentication used in IEEE 802.1X and IEEE 802.11i. This thesis project seeks to define, implement, and evaluate a non-binary wireless access authentication mechanism. It introduces a new authenticator that implements such a new non-binary authentication mechanism.

In today's wireless local area networks it is generally not possible to continue a multimedia roaming session smoothly, because of the long delay caused by authentication, during which no traffic other than authentication traffic is permitted. In the best cases this high delay results in a long communication interruption interval without media, while in the worst cases the session is aborted by the higher-layer application because the application believes that connectivity has been lost. Thus introducing a more appropriate authentication mechanism enables mobile users who move into a new wireless local area network cell to continue to send and receive packets with greatly reduced handover latency (in comparison to existing authentication mechanisms). This new authentication mechanism potentially enables seamless roaming for users of conversational multimedia services (for example, a voice over IP call could continue despite a movement from one cell to another).

This thesis demonstrates that it is possible to allow unauthenticated users to immediately begin to communicate, while simultaneously limiting their traffic. These limitations in traffic are implemented by traffic shaping. Additionally, using traffic shaping also offers a number of new possibilities, such as offering different qualities of service, allowing negotiation for different maximum bandwidths, etc.

Sammanfattning (Swedish summary, translated to English)

This thesis is part of a larger project on non-binary alternatives to authentication, in contrast to the binary authentication used in IEEE 802.1X and IEEE 802.11i. This thesis aims to define, implement and evaluate a non-binary wireless access authentication mechanism. It presents a new authenticator that implements a new non-binary authentication mechanism. Introducing a more appropriate authentication mechanism enables mobile users who move into a new wireless local area network cell to continue to send and receive packets with greatly reduced handover delay (in comparison with existing authentication mechanisms). This new authentication mechanism potentially enables seamless roaming for users of conversational multimedia services (for example, a voice over IP call can continue despite a move from one cell to another). Unfortunately, in today's wireless local area networks, smoothly continuing a multimedia session is generally not possible, because of the long delay spent waiting for authentication, during which no traffic other than authentication traffic is permitted. In the best case this high delay results in a long communication interruption interval without media, while in the worst case the session is aborted by the higher-layer application because the application believes that connectivity has been lost. This thesis shows that it is possible to allow unauthenticated users to begin communicating immediately, while at the same time limiting their traffic. These limitations in traffic are implemented by traffic shaping.
In addition, using traffic shaping also offers a number of new possibilities, such as offering different qualities of service, allowing negotiation of different maximum bandwidths, etc.

Table of Contents

Abstract ... i
Sammanfattning ... ii
Table of Contents ... iii
List of Figures ... v
List of Tables ... vi
List of Acronyms and Abbreviations ... vii
1 Introduction ... 1
  1.1 Introduction to the Authenticator and our model ... 2
  1.2 Problem Statement ... 3
  1.3 Limitations ... 4
  1.4 Organization of this thesis ... 5
2 Background ... 7
  2.1 IEEE 802.11 and 802.1X standards ... 7
    2.1.1 IEEE 802.11 Concepts ... 8
    2.1.2 IEEE 802.11i ... 14
    2.1.3 EAP ... 14
    2.1.4 IEEE 802.1X Authentication on Wireless LANs ... 17
    2.1.5 RADIUS ... 19
  2.2 Roaming ... 22
  2.3 hostapd ... 24
  2.4 Netfilter ... 25
    2.4.1 Netfilter Framework ... 25
    2.4.2 Hook Operation ... 29
    2.4.3 Rules Table ... 32
  2.5 IPTable ... 33
    2.5.1 The three Default IP Tables ... 33
    2.5.2 Data Structures ... 34
    2.5.3 Work Flow ... 37
  2.6 IP Set ... 44
3 Method ... 55
  3.1 State Machines for EAP ... 56
    3.1.1 EAP Full Authenticator States under Pass-Through Mode ... 65
    3.1.2 Constants ... 66
    3.1.3 Local Variables ... 66
    3.1.4 Procedures ... 67
    3.1.5 Interface between EAP SM and Methods ... 68
    3.1.6 EAP SM Data Structure in hostapd ... 69
    3.1.7 Data Structure of EAP SM & AAA Interface in hostapd ... 71
  3.2 AAA Layer ... 72
    3.2.1 RADIUS Client on Receiving ... 74
    3.2.2 RADIUS Client on Sending ... 84
  3.3 EAPOL Layer ... 91
    3.3.1 Variables ...
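The abstract describes an authenticator that lets a station exchange traffic as soon as it associates, shapes that traffic while authentication is still pending, and lifts the limit once authentication succeeds; the table of contents places the implementation in hostapd with Netfilter, iptables and IP set. The simulation below is an added example and not code from the thesis or from hostapd. It models that policy with a per-station authentication state and a token-bucket shaper that applies only in the pending state. The token bucket itself, the 10 kB/s pending rate and 1500-byte burst, the rule that EAPOL frames bypass the shaper, the choice to drop data after EAP-Failure, the MAC addresses and the packet trace are all constructed assumptions; the thesis's real shaping parameters and rule sets are not on this page.

```python
"""Simulation of a non-binary access policy: traffic is forwarded before
authentication completes, but shaped until it does.

Added example, not code from the thesis or from hostapd. Shaper type, rates,
MAC addresses and the packet trace are assumptions constructed for the demo.
"""
from enum import Enum
from typing import Dict, List, Tuple


class AuthState(Enum):
    PENDING = "pending"                # associated; EAP exchange not finished
    AUTHENTICATED = "authenticated"    # EAP-Success received
    REJECTED = "rejected"              # EAP-Failure received (assumed: drop)


class TokenBucket:
    """Token-bucket shaper (assumed here): refills at rate_bps bytes/second up
    to burst_bytes. Time is integer milliseconds so the arithmetic is exact."""

    def __init__(self, rate_bps: int, burst_bytes: int) -> None:
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)   # start with a full bucket
        self.last_ms = 0

    def allow(self, now_ms: int, size: int) -> bool:
        elapsed = max(0, now_ms - self.last_ms)
        self.tokens = min(float(self.burst_bytes),
                          self.tokens + elapsed * self.rate_bps / 1000)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class NonBinaryAuthenticator:
    """Per-station state plus a shaper that exists only while PENDING."""

    def __init__(self, pending_rate_bps: int, pending_burst_bytes: int) -> None:
        self.state: Dict[str, AuthState] = {}
        self.shaper: Dict[str, TokenBucket] = {}
        self.pending_rate_bps = pending_rate_bps
        self.pending_burst_bytes = pending_burst_bytes

    def associate(self, mac: str) -> None:
        # Station may send immediately, but through a shaper.
        self.state[mac] = AuthState.PENDING
        self.shaper[mac] = TokenBucket(self.pending_rate_bps, self.pending_burst_bytes)

    def eap_result(self, mac: str, success: bool) -> None:
        self.state[mac] = AuthState.AUTHENTICATED if success else AuthState.REJECTED
        self.shaper.pop(mac, None)   # shaping is lifted either way

    def filter(self, now_ms: int, mac: str, size: int, eapol: bool = False) -> str:
        """Return 'forward', 'shaped' (over the pending rate) or 'drop'."""
        if eapol:
            return "forward"          # assumed: authentication frames are never shaped
        state = self.state.get(mac)
        if state is None or state is AuthState.REJECTED:
            return "drop"
        if state is AuthState.AUTHENTICATED:
            return "forward"
        return "forward" if self.shaper[mac].allow(now_ms, size) else "shaped"


STA_A = "02:00:00:00:00:0a"   # constructed: authenticates at t = 1000 ms
STA_B = "02:00:00:00:00:0b"   # constructed: EAP fails at t = 250 ms
ORDER = {"assoc": 0, "eap-success": 1, "eap-failure": 1, "eapol": 2, "data": 3}


def build_trace() -> List[Tuple[int, str, str, int]]:
    """Constructed trace of (time_ms, station MAC, event kind, size in bytes)."""
    trace: List[Tuple[int, str, str, int]] = [(0, STA_A, "assoc", 0), (0, STA_B, "assoc", 0)]
    trace += [(t, STA_A, "data", 1000) for t in range(0, 2000, 50)]   # 40 packets
    trace += [(100, STA_A, "eapol", 100), (1000, STA_A, "eap-success", 0)]
    trace += [(t, STA_B, "data", 1000) for t in range(0, 201, 50)]    # 5 packets
    trace += [(250, STA_B, "eap-failure", 0)]
    trace += [(t, STA_B, "data", 1000) for t in range(300, 501, 50)]  # 5 packets
    # Control events at the same instant are applied before data packets.
    return sorted(trace, key=lambda e: (e[0], ORDER[e[2]]))


def run_demo() -> Dict[str, Dict[str, int]]:
    """Count verdicts per station, keyed by '<state>:<verdict>' (or 'eapol')."""
    ap = NonBinaryAuthenticator(pending_rate_bps=10_000, pending_burst_bytes=1_500)
    counts: Dict[str, Dict[str, int]] = {STA_A: {}, STA_B: {}}
    for t, mac, kind, size in build_trace():
        if kind == "assoc":
            ap.associate(mac)
            continue
        if kind in ("eap-success", "eap-failure"):
            ap.eap_result(mac, kind == "eap-success")
            continue
        verdict = ap.filter(t, mac, size, eapol=(kind == "eapol"))
        key = "eapol" if kind == "eapol" else f"{ap.state[mac].value}:{verdict}"
        counts[mac][key] = counts[mac].get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for mac, c in run_demo().items():
        print(mac, c)
```

With these parameters station A, sending 1000-byte packets every 50 ms, gets 11 of its 20 pre-authentication packets through (about 11 kB/s, the shaped rate plus the initial burst) and all 20 post-authentication packets; station B gets its first packets through as well, so the delay the abstract describes is replaced by a reduced rate rather than silence, and is cut off only after its EAP exchange fails.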

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 163
