WAPI Position Paper - Working Group

November 2005
doc: IEEE 802.11-05/0967r9
WAPI Position Paper
2005-11-15
Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this
document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards
publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in
whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11.
Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures <http://ieee802.org/guides/bylaws/sb-bylaws.pdf>, including the statement "IEEE
standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for
compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the
possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair <[email protected]> as early as
possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working
Group. If you have questions, contact the IEEE Patent Committee Administrator at <[email protected]>.
Submission
Slide 1
IEEE 802.11 WG
Discussion of the parallel fast track ballots
for 802.11i and WAPI
Prepared for consideration by JTC1 P-members
15 November 2005
Harmonisation is the most desirable outcome, and approval of WAPI will preclude harmonisation

What is the history?
• WAPI is a WLAN security amendment to 802.11 that has been promoted by the Chinese NB as an alternative to 802.11i
• WAPI became a topic of controversy in the WLAN industry in 2003, but the issue was postponed after a high level government agreement in 2004

What is the current situation?
• The “WAPI issue” resurfaced in JTC1 in 2004, resulting in parallel fast track ballots for both WAPI & 802.11i
• The parallel fast track ballots only started after the Chinese NB rejected all attempts to harmonise WAPI & 802.11i
• The parallel fast track ballots for WAPI & 802.11i allow for none, one, or both proposals to be approved

What should happen?
• Harmonisation is the most desirable outcome, and approval of WAPI will preclude harmonisation
WAPI is a security amendment to 802.11 promoted by the Chinese NB as an alternative to 802.11i

Document no.
• IEEE 802.11i: 1N7903
• Chinese NB WAPI: 1N7904

Authentication mechanism
• IEEE 802.11i: disclosed algorithms
– 802.1X & IETF EAP
– Multiple credentials
• Chinese NB WAPI: digital certificates only
• Chinese NB WAPI: custom protocol (WAI), undisclosed parameters

Block cipher
• IEEE 802.11i: disclosed algorithms
– AES CCMP
– TKIP & legacy WEP
• Chinese NB WAPI: undisclosed block cipher crypto

Advertisement & negotiation
• IEEE 802.11i: RSN IE
• Chinese NB WAPI: WAPI IE (clone of RSN IE)

Base
• Amendment to ISO/IEC 8802-11
WAPI became a topic of controversy in the WLAN
industry in 2003, but the issue was postponed
• WAPI became subject of controversy in 2003 when a regulation was
announced in China to require WAPI in all WLANs sold in China
• Most of the WLAN industry and various governments opposed the WAPI
regulation because:
– It meant standard 802.11 equipment (without WAPI) could not be sold within
China, serving no justifiable or sound regulatory need & erecting unnecessary
trade barriers
– Access to the secret WAPI block cipher required a technical partnership with
government selected Chinese companies, resulting in IPR and business risks
• The WAPI controversy subsided in early 2004 after the Chinese
government agreed to postpone promulgation of the regulation
indefinitely
– Due to legitimate concerns about hampering global trade in WLAN equipment,
intervention on WAPI occurred at the highest levels of the US and Chinese
governments, with Vice Premier Wu Yi (China) and Secretary of State Colin
Powell (US) involved
The “WAPI issue” resurfaced in JTC1 in 2004, resulting
in parallel fast track ballots for WAPI & 802.11i
• In July 2004, the WAPI controversy was reignited when a new version of
WAPI was submitted to JTC1 for standardisation by the Chinese NB
• In October 2004, IEEE 802.11i was submitted for fast track ballot in
JTC1 by the UK NB
• Since that time, there has been much confusion and disagreement
related to the correct processes for considering WAPI & 802.11i in JTC1
– eg the Chinese NB incorrectly claims that WAPI was submitted to fast track
• The ISO/IEC Secretaries General have now decided (with support of the
NBs) to attempt to resolve the controversy by sending both the WAPI &
802.11i proposed amendments to parallel fast track ballots in JTC1
The parallel fast track ballots started only after the
Chinese NB rejected all attempts to harmonise
• ISO/IEC attempted to promote a process of harmonisation between
802.11i and WAPI, as well as the IEEE and the Chinese NB
• The IEEE actively supported the harmonisation activities by:
– Participating in meetings with the Chinese NB in US (Nov 04), Germany (Feb
05), Switzerland (May 05), China (Aug 05) & France (Aug 05)
– Repeatedly inviting the Chinese NB to participate in 802.11 activities from the
time of the first WAPI controversy
– Supporting the standardisation of WAPI technology in appropriate forums
– Attempting to hold an 802.11 meeting in Beijing in May 2005 (but was unable
to obtain visas for delegates)
• However, the Chinese NB steadfastly rejected all attempts to harmonise
802.11i and WAPI by:
– Walking out of the meeting in Germany (Feb 05)
– Repeatedly refusing to consider any approach except full approval of WAPI
“as is,” regardless of its incompatibility with the existing 8802-11 standard and
its emerging amendments
The parallel fast track ballots for WAPI & 802.11i allow for none, one or both proposals to be approved

Parallel standards (WAPI: Yes; 802.11i: Yes)
• Both 802.11i & WAPI are approved
• Result: parallel, independent and conflicting standards are inevitable if both are approved in fast track

WAPI only (WAPI: Yes; 802.11i: No)
• WAPI is standardised in JTC1

802.11i only (WAPI: No; 802.11i: Yes)
• 802.11i is standardised in JTC1

Reject both (WAPI: No; 802.11i: No)
• Status quo, with no ISO/IEC security WLAN standard
Parallel, independent and conflicting standards are inevitable if both are approved in fast track

It is claimed a “stapled” approach is viable if both ballots are approved
• One possible outcome of the fast track balloting process is that both 802.11i and WAPI are approved
• At the Beijing meeting in August 2005, the Chinese NB claimed the two amendments could be “stapled” into 8802-11 to create a new standard

The stapled approach is impossible
• The editing instructions in 802.11i (1N7903) and WAPI (1N7904) are contradictory
• Execution of editing instructions from both proposals is impossible
• Comment resolution would most likely require years to resolve the editorial and normative technical issues – and so is not viable

Parallel standards is the only choice if both ballots are approved
• The only way to avoid the issues related to the “stapled” approach is to create two parallel and independent standards covering WLANs
• Note: the suggestion that comment resolution could harmonise WAPI & 802.11i if both were approved is also not viable because the process is not set up for making big changes
The editing instructions in 802.11i (1N7903) and
WAPI (1N7904) are contradictory
[Figure: examples from clause 5.7.5 of both proposals showing editorial & normative differences; panels: WAPI, 802.11i]
Harmonisation is the most desirable outcome, and approval of WAPI will preclude harmonisation

Conclusion

Parallel standards (WAPI: Yes; 802.11i: Yes): UNACCEPTABLE
• WAPI is generally unsuitable for approval in its current form
• Fails to meet WTO & ISO/IEC goals & results in ISO/IEC irrelevance in WLANs

WAPI only (WAPI: Yes; 802.11i: No): UNACCEPTABLE
• WAPI is generally unsuitable for approval in its current form
• Divorces ISO/IEC from 802.11 & results in ISO/IEC irrelevance in WLANs

802.11i only (WAPI: No; 802.11i: Yes): DESIRABLE
• 802.11i should be approved, satisfying the needs of 100’s millions of existing users
• Encourages Chinese NB to participate in harmonisation process

Reject both (WAPI: No; 802.11i: No): LESS DESIRABLE
• A no-no vote is not defensible on any technical grounds
• Acceptable only if the Chinese NB are willing to participate in harmonisation
WAPI is generally unsuitable for approval
by JTC1 in its current form
WAPI is generally unsuitable for approval by JTC1 in its current form

WAPI is not suitable for approval via the fast track process
• WAPI is unstable and immature, making it unsuitable for consideration by fast track ballot
• Application of established “fast track” contradiction procedures should halt the WAPI fast track ballot

WAPI includes functions that are inappropriate in 8802-11
• WAPI digital certificates should be considered by JTC1/SC6/WG7 or ITU-T rather than JTC1/SC6/WG1
• WAPI authentication (WAI) should be considered by JTC1/SC27 rather than JTC1/SC6/WG1
WAPI is generally unsuitable for approval by JTC1 in its current form

WAPI’s use of undisclosed ciphers doesn’t support standards goal of interoperable security
• WAPI’s use of undisclosed or unspecified block ciphers means global interoperability is impossible
• WAPI’s use of undisclosed or unspecified block ciphers means users assume it provides no security

WAPI ignores clearly demonstrated market requirements
• WAPI imposes WAI rather than meeting the international market requirement for RADIUS based authentication
• WAPI ignores the needs of 200+ million existing 8802-11 compliant devices
WAPI is unstable and immature, making it unsuitable for consideration by fast track ballot

Fast track is designed for mature & stable “existing standards”
• The ISO/IEC JTC1 fast track process is designed to enable fast processing of an “existing standard”
• It is implicitly assumed that “existing standards” are stable and mature
• The WTO (G/TBT/9) outlines principles for standards development including transparency, openness & consensus

WAPI is unstable & immature
• The WAPI document has changed multiple times since 2003, with most recent change in August 2005
• It is unclear that WAPI was developed based on WTO principles for transparency, openness & consensus

WAPI is not suitable for fast track review
• While the Chinese NB has the right to submit WAPI to fast track, it is not suitable given its immaturity and lack of stability
• WAPI should be removed from fast track or rejected by the ballot process
• WAPI should then be considered using normal ISO non-fast track processes
WAPI has changed substantially & radically multiple
times, with most recent change in August 2005
May 2003
July 2004
August 2005
Chinese standard
GB15629.11 (2003)
1N7506
6N12687
1N7904
Substantive changes
included supporting:
Substantive & radical
changes included:
• Broadcast & multicast,
which is required by
modern networking
• Changing the protection
scheme:
– from MSDU based
– to MPDU based
• A security MIB
• Replay protection,
which is a radical
change with interesting
subtleties
• Introducing a discovery
& negotiation scheme
duplicated from 802.11i
Application of established “fast track” contradiction procedures should halt the WAPI fast track ballot

ISO JTC1 has well established procedures for “fast track”
• “ISO/IEC JTC1 Directives” documents the JTC1 procedures for fast track
• They require that P-members review & comment on documents
• Any contradictions with other ISO or IEC standards must be resolved before ballot voting

Despite WAPI containing contradictions, they will not be resolved
• WAPI (1N7904) has multiple known “contradictions” with other standards
• However, those “contradictions” in WAPI will not be resolved before the five month ballot starts

WAPI contradictions must be resolved before fast track progresses
• WAPI’s “contradictions” should be resolved according to JTC1 procedures before the five month ballot starts to avoid impinging on the rights and time of member NBs
WAPI has multiple known “contradictions” with other standards

WAPI’s digital certificate contradicts the ITU-T X.509 standard
8802-11
• WAPI defines a new digital certificate
• Digital certificates are outside the established scope of JTC1/SC6/WG1
• Digital certificates have previously been defined by ITU-T in X.509 (also ISO/IEC Std 9594)
• The digital certificate work in WAPI is probably best considered by ITU-T

WAPI’s authentication mechanism (WAI) does not belong in SC6
• WAPI defines a new authentication mechanism (WAI)
• Authentication mechanisms are outside the established scope of JTC1/SC6
• This work is probably best done in JTC1/SC27

WAPI deletion of WEP “contradicts” 8802-11
• WAPI deletes WEP from 8802-11
• This change succeeds in making 200+ million devices instantly non-compliant with an existing ISO/IEC standard
There is no plan for “contradictions” in WAPI to be resolved before the 5 month ballot starts

• China NB submitted a WAPI specification as a New Work Item Proposal (NP) to JTC1 in July 04
– The entries for Proposer & Secretariat on the NP form appear to have been transposed accidentally so that it appeared that SC 6 had submitted the proposal
• The JTC1 Secretariat issued WAPI (1N7506) as a concurrent ballot on the assumption that the SC6 Secretariat had already initiated a ballot in SC6
• However, it is believed that the NP was not submitted to the SC6 Secretariat
• When the JTC1 Secretariat realised the situation they voided 1N7506 and asked the China NB to submit the proposal to SC6
• 1N7506 was never subjected to a 30 day contradiction review

• However, the China NB did not submit a WAPI specification for fast track ballot until 25 Aug 05
• The WAPI specification submitted (1N7904) is radically different from any previous submission
• ISO/IEC Secretaries General ruled in a letter (6 Sept) that 1N7904 will progress to fast track, with a 30 day contradiction review and a 5 month ballot
• However, it was also ruled that the 5 month ballot will proceed regardless of any contradictions uncovered
• This is contrary to normal ISO JTC1 practice and process
WAPI digital certificates should be considered by JTC1/SC6/WG7 or ITU-T rather than JTC1/SC6/WG1

WAPI defines a digital certificate format
• WAPI (1N7904) defines a novel digital certificate format in 8.1.3
Digital certificates are outside the scope of JTC1/SC6/WG1
The WAPI certificates should be submitted to another forum
• ISO/IEC JTC1/SC6 WG1’s scope is MAC & PHY standards, not digital certificate standards
• WAPI digital certificates have a wider application than WLANs
• The digital certification formats are already co-standardized by:
– JTC1/SC6/WG7 (ISO/IEC Std 9594)
– ITU-T (ITU-T Std X.509)
• WAPI digital certificates do not appear to support any functions that X.509 does not already provide
• Consideration of WAPI digital certificates should be moved to:
– JTC1/SC6/WG7
– ITU-T
WAPI authentication (WAI) should be considered by JTC1/SC27 rather than JTC1/SC6/WG1

WAPI defines an authentication protocol called WAI
Authentication is outside the scope of JTC1/SC6/WG1
WAI should be submitted to JTC1/SC27
• WAPI defines a novel authentication method (WAI) in clause 8.1.4.2
• ISO/IEC JTC1/SC6/WG1 developed and maintains 8802-11
• WAI is easily applicable to many environments besides wireless LAN standards
– eg China’s NB has signaled its intention to apply WAI to WiMAX
• The scope of WG1 is “Physical and data link layers”
• Authentication standards as proposed by the WAPI submission are outside the scope of ISO/IEC JTC1/SC6/WG1
• JTC1/SC27 appears to be the appropriate standardization body for authentication methods
WAPI’s use of undisclosed or unspecified block ciphers means global interoperability is impossible

WAPI uses a secret or an unspecified block cipher
• WAPI specifies the use of a block cipher within China called SMS4, which appears to be unavailable to non-Chinese parties
• WAPI suggests that another block cipher should be used in other countries, but does not specify the cipher

WAPI doesn’t enable global interoperability
• It appears likely that non-Chinese companies will be unable to implement WAPI based on SMS4
• WAPI based on SMS4 does not interoperate with WAPI based on any other block cipher
• The lack of at least one specified, globally available block cipher means global WAPI interoperability is impossible

WAPI must be modified to enable global interoperability
• Interoperability in most countries is required by vendors, users & the standards community
• Either SMS4 must be disclosed or another disclosed block cipher must replace it
• Alternatively, WAPI should remain as a Chinese national standard rather than an international standard
WAPI’s use of undisclosed or unspecified block ciphers means users assume it provides no security

WAPI uses undisclosed or unspecified block ciphers
• WAPI specifies the use of a block cipher within China called SMS4, which has not been publicly disclosed
• WAPI suggests that another block cipher should be used in other countries, but does not specify the cipher

WAPI’s security cannot be evaluated
• 100% of WAPI’s data security derives from the underlying block cipher
• It is impossible to independently evaluate WAPI’s security because no publicly disclosed block cipher is specified
• Without independent analysis, the market will assume that WAPI provides no security

WAPI must be modified to enable a proper security review
• Unknown security is unacceptable to governments, vendors, users & the standards community
• Either SMS4 must be disclosed or another disclosed block cipher must replace it
• Alternatively, WAPI should remain as a Chinese national standard rather than an international standard
WAPI imposes WAI rather than meeting the international market requirement for RADIUS based authentication

WAPI specifies a single authentication method called WAI
• WAPI (1N7904) requires the use of WAI authentication
• In contrast, 802.11i supports RADIUS authentication

WAPI ignores the market requirement for RADIUS based authentication
• WAI is incompatible with widely deployed RADIUS mechanisms, making WAI irrelevant to the majority of the market who have an existing large RADIUS investment
• In contrast, 802.11i was designed to satisfy the demonstrated market need for WLANs to reuse existing RADIUS infrastructure

WAPI should be modified to recognise market requirements for RADIUS
• WAI should be standardised as another authentication method available to the market
• In the meantime, WAPI should be modified to allow the use of RADIUS, as well as WAI
• This approach ensures WAPI satisfies the goal of standards to grow markets, not arbitrarily restrict them
WAPI ignores the needs of 200+ million existing 8802-11 compliant devices

Amendments must be compatible with existing compliant devices
• It is a well accepted principle of standards development that amendments should continue to support existing compliant devices

WAPI ignores the needs of 200+ million 8802-11 compliant devices
• The 200+ million existing 8802-11 devices that cannot implement advanced security must be supported
• However, WAPI (1N7904) ignores the needs of these devices by:
– Deleting WEP
– Defining no suitable upgrade path

WAPI must be modified to recognise existing 8802-11 devices
• 802.11i (1N7903) provides an example of what WAPI must do before it begins to be acceptable:
– Deprecating rather than deleting WEP
– Defining an upgrade path using TKIP, which provides real security guarantees within the resource constraints of legacy technology
Parallel standards fail to meet WTO & ISO/IEC
requirements and will result in
ISO/IEC irrelevance in WLANs
Parallel standards fail to meet WTO & ISO/IEC goals and will result in ISO/IEC irrelevance in WLANs

Contrary to ISO/IEC & WTO
• Approval of both WAPI & 802.11i in the fast track ballot is contrary to ISO & WTO goals
• Approve one or neither of WAPI & 802.11i

Leads to ISO/IEC irrelevance
• The approval of both WAPI & 802.11i results in divorce from future IEEE work and ISO/IEC irrelevance in WLANs
• Approve only 802.11i

WAPI subject to IPR uncertainty
• Any WAPI version of 8802-11 without IEEE support is subject to severe “IPR uncertainty”
• Approve only 802.11i

WAPI is generally unsuitable for approval by JTC1 in its current form
Approval by JTC1 of both WAPI & 802.11i in the fast track ballot is contrary to ISO/IEC & WTO goals

Both WTO & ISO discourage duplicate standards
• The ISO Strategic Plan 2005-2010 clearly states one standard is preferable
• The WTO “Agreement On Technical Barriers To Trade” states that duplication of standards should be avoided

Approval of 802.11i and WAPI is contrary to WTO and ISO goals
• The approval of both WAPI and 802.11i will result in two incompatible and non interoperable standards covering WLANs

Only one of 802.11i and WAPI should be approved
• NBs under WTO rules and ISO goals have a responsibility to approve only one of the proposals
Both WTO & ISO discourage duplicate standards
ISO Strategic Plan 2005-2010
• “One standard, one test, and one
conformity assessment procedure
accepted everywhere”
WTO “Agreement On Technical
Barriers To Trade”
• “The standardizing body within the
territory of a Member shall make
every effort to avoid duplication of, or
overlap with, the work of other
standardizing bodies in the national
territory or with the work of relevant
international or regional
standardizing bodies”
The approval of both WAPI & 802.11i results in divorce from future IEEE work & ISO/IEC irrelevance in WLANs

Approval of 802.11i & WAPI results in two independent standards
• If JTC1 approves both 802.11i and WAPI during the fast track then two parallel & independent standards will result
– 8802-11+802.11i
– 8802-11+WAPI

Both standards will become irrelevant over time
• IEEE will continue developing 802.11 but may not support further development of either version of 8802-11
• 8802-11 will become increasingly irrelevant because there will be no body capable & willing to properly develop it
• In the short term, it will be orphaned from many known future 802.11 amendments

Continued relevance requires that only 802.11i be approved
• All NBs have a responsibility to only approve the amendment that provides for the future relevance of ISO/IEC 8802-11 standards
• These standards will need to be maintained & extended in the future
• Only approval of 802.11i meets this test
ISO/IEC 8802-11 may be orphaned from many known
future IEEE 802.11 amendments & corrigenda
• If IEEE 802.11 stops supporting ISO/IEC 8802-11 development then
ISO/IEC 8802-11 development will be orphaned from:
– 802.11k (radio resource measurement)
– 802.11ma (rolling up 802.11e/g/h/i/j on the base/a/b/d and other corrections)
– 802.11n (high rate)
– 802.11p (vehicular)
– 802.11r (fast roaming)
– 802.11s (mesh)
– 802.11u (inter-working with external networks)
– 802.11v (wireless network management)
– 802.11w (management frame protection)
• Note that these amendments represent 1,000’s of man years of effort
that JTC1 could not hope to duplicate successfully
Any WAPI version of ISO/IEC 8802-11 is subject to severe “IPR uncertainty”

IPR statements have been submitted to IEEE for 802.11
• Various organisations assert rights to various elements of 802.11
• Most of these organisations have made RAND IPR statements to IEEE

It is not clear these IPR statements apply to a WAPI version of 8802-11
• These statements only apply to the specific IEEE Standard (see IEEE IPR statement)
• These statements do not apply to an ISO standard that is substantially different from the IEEE standard
– ie the 8802-11 plus WAPI standard as proposed by Chinese NB

The IPR issue needs to be understood and resolved
• An international standard that cannot be legally implemented is not very useful
• It is important for JTC1 to understand and resolve the IPR issue
802.11i is suitable for fast track approval, satisfying
the needs of 100’s millions of existing users
802.11i is suitable for fast track approval, satisfying the needs of 100’s millions of existing users

802.11i is suitable for approval using the fast track process
• 802.11i is a stable & mature standard based on an open and international development process

802.11i supports clearly demonstrated international market requirements
• 802.11i meets international market authentication requirements by supporting RADIUS authentication
• 802.11i provides a migration path for the 200 million existing 8802-11 compliant WEP-only devices
• 802.11i is being shipped in 250,000 new devices every day

802.11i provides verifiable security based on disclosed algorithms
• All 802.11i algorithms are fully specified & disclosed, enabling global interoperability
• 802.11i provides independently verified security satisfying the needs of an international standard
802.11i is a stable & mature standard based on an open & international development process

Fast track is designed for mature & stable “existing standards”
• The JTC1 fast track process is designed to enable fast processing of an “existing standard”
• It is implicitly assumed that “existing standards” are stable and mature
• The WTO (G/TBT/9) outlines principles for standards development including transparency, openness & consensus

802.11i is stable & mature
• 802.11i was developed using an open process compatible with ISO/IEC and WTO principles
– Review by over 500 international engineers
– Independent review by cryptographers
– Sponsor ballot review by 100 reviewers
– Interoperability testing by vendor community
– 4 years of open development

802.11i is suitable for fast track review
• All NBs have a responsibility to approve only mature documents
802.11i meets international market authentication requirements by supporting RADIUS authentication

Market refused to deploy WLANs without RADIUS authentication
• Sales of 8802-11 systems lagged even before any problems with WEP were identified
• The international market demanded reuse of its established authentication technology base
• Each organisation wants to set its own authentication policy

802.11i supports RADIUS based authentication
• 802.11i was designed with the goals of
– Allowing reuse of existing RADIUS authentication
– Making RADIUS authentication as secure as possible in a WLAN

Only 802.11i aligns with market realities
• All NBs have a responsibility to align ISO standards with international market reality
• The international market has rewarded the design by deploying 70 million devices in the first year
802.11i provides a migration path for the 200 million existing 8802-11 compliant WEP-only devices

Amendments must be compatible with existing compliant devices
• Amendments of standards should continue to support deployed compliant devices

802.11i supports an upgrade path through TKIP
• 802.11i (1N7904) defines TKIP as a patch applicable to the 200 million existing WEP-only devices
• 802.11i deprecates WEP but allows its use for cases where upgrade is not economically feasible
• 802.11i defers the decision on WEP’s use to a local policy decision, not imposing policy

802.11i is compatible with ISO legacy support goals
• All NBs have a responsibility to ensure significant numbers of existing devices remain conformant
• 802.11i achieves this goal
802.11i represents market reality & is being shipped in 250,000 new devices every day

Standards need to reflect market reality
• It is vital that standards reflect market reality
• This means that standards must support products that are successful in the market place

802.11i represents WLAN market reality
• 250,000 802.11i capable devices are being shipped every day as APs, NICs and embedded devices
• The massive success of 802.11i can be contrasted to a claimed rollout of only 10,000 WAPI APs in western China after 2+ years of rollout (source: Chinese NB at Beijing meeting)

8802-11 must include 802.11i
• The NBs have a responsibility to ensure 802.11i is incorporated into 8802-11
802.11i benefits - Support
All 802.11i algorithms are fully specified &
disclosed, enabling global interoperability
ISO strive to promote global interoperability
• ISO explicitly states its business goal as promoting interoperability
– One standard, one test, and one conformity assessment procedure accepted everywhere
802.11i enables global interoperability
• All of 802.11i is specified in 1N7903 or in other publicly available documents
• All authentication mechanisms used by 802.11i are defined in publicly available documents
• All mandatory-to-implement 802.11i algorithms are in the public domain
Only 802.11i supports global interoperability
• All NBs have a responsibility to only approve amendments that promote global interoperability
802.11i benefits - Disclosed
802.11i provides independently verified security
satisfying the needs of an international standard
Security claims in standards should be independently verifiable
• Standards should not make unsubstantiated security claims
• All security claims must be independently verified
All 802.11i security claims have been independently verified
• Numerous independent cryptographic reviews have verified 802.11i security claims
– Including by R. Rivest, D. Wagner, P. Rogaway, J. Jonsson, S. Langford, J. Kelsey, etc.
• No fundamental security flaw has been identified by any independent review
802.11i security is appropriate for an international standard
• All NBs have a responsibility to promote standards whose security claims are independently verified
802.11i benefits - Verified
A no-no vote is not defensible on any technical
grounds
• There is substantial technical justification for a yes vote on
802.11i (1N7903)
• There is substantial technical justification for a no vote on WAPI
(1N7904)
A harmonised approach is desirable
as long as the Chinese NB are willing to participate
• Harmonisation advantages outweigh the disadvantages
– Addresses the needs of all
– Ensures all useful technology is included
– Ensures an evolving standard that is secure, open & implementable
– Takes time but so do “good” standards
• IEEE 802 is eager to facilitate a “harmonised standard”
• IEEE 802 & ISO leadership have suggested a number of harmonisation
mechanisms based on approved ISO/IEC processes for collaboration
with IEEE 802
– See 8802-1:2001 (Feb 01), 6N11917 (April 01)
• So far none of the harmonisation mechanisms have been accepted by
the Chinese NB
• The key to success of the harmonisation approach is Chinese NB
willingness to participate
Harmonised
Harmonisation addresses the needs of all, providing an
evolving standard that is secure, open & implementable
• Ensures all market needs (from China and rest of the world) are
addressed by enabling global input
• Incorporates the best technology from both WAPI and 802.11i
• Provides a standard that is secure, open, complete and implementable
• Ensures a living standard compatible with existing & future 802.11
amendments
• Provides the best way for the Chinese NB to work constructively in
international standards bodies
• Defines the only way to incorporate WAPI technology that is acceptable
to the international standards community and the global WLAN market
Harmonised - Positives
Harmonisation takes time but so do “good”
standards
• It will take substantial effort and some time to complete harmonisation
– Some elements of WAPI can be harmonised relatively quickly
— for example, SHA-256 can be integrated with 802.11 within six months
– Some elements may take longer
— for example, WAI needs to be standardised in the appropriate forum
• However, good standards inevitably take time to complete
– Time is required for complete and accurate review
– Time is required for consensus building
• We should let the engineers participating in the harmonisation process
determine the best scope, solution and timing
Harmonised - Barriers
IEEE 802 is eager to facilitate a “harmonised
standard” to achieve 802.11/WAPI integration
ISO
• Agree on “harmonised standard” approach
• Either delay or approve 802.11i
IEEE 802
• Approve formation of 802.11 Study Group
802.11 SG
• Confirm scope of 802.11 amendment including WAPI technology
802.11 TG
…
• Write 802.11 amendment
Previous suggestion from IEEE rejected by China NB
• Approved in July 2005 to support existing ISO & IEEE collaboration agreement
• SC6 NB participation invitation issued in Saint-Paul de Vence, with full SG voting rights
• SG starts in Nov 05 in Vancouver
• Participating NBs receive immediate SG voting rights
• SG can conduct interim meetings in more convenient locations, e.g. China
Harmonised - IEEE
IEEE have suggested harmonisation mechanisms
based on approved ISO/IEC collaboration processes
Process proposed by IEEE at Beijing meeting (August 2005)
Results
ISO/IEC JTC1/SC6 appoint an Ad hoc Working Group (AHWG) to develop
an outline & timetable for integration of elements of the WAPI technology
& 802.11i into ISO/IEC 8802-11
IEEE
The AHWG formally liaise with IEEE 802 to ensure the outline represents
a feasible way to integrate WAPI technology & 802.11i into 8802-11 &
IEEE Standard 802.11
The work defined by the outline & schedule for integration of WAPI
technology & 802.11i into ISO/IEC 8802-11 & IEEE Standard 802.11 be
executed in appropriate WGs within ISO/IEC JTC1/SC6 & IEEE 802, as
agreed jointly by JTC1/SC6 and IEEE 802
A very close liaison be established to track and review the work as it
develops in JTC1/SC 6 and IEEE 802 to ensure compatibility is
maintained with existing and developing ISO/IEC 8802-11 and 802.11
amendments.
Accept
SAC
Reject
ANSI
Reject
KATS
Abstain
As long as progress continues, ISO/IEC JTC1 delay resumption of the
802.11i fast track ballot and not consider any other security related
amendments to 8802-11
Harmonised - IEEE
The key to success of the harmonisation approach
is Chinese NB willingness to participate
• Harmonisation of WAPI & 802.11i is a desirable goal
• IEEE 802 even offered to delay 802.11i standardisation to achieve this goal
• However, the Chinese NB has refused all suggestions to achieve harmonisation
• The most desirable approach is a “yes” vote for 802.11i (1N7903) & a “no” vote
for WAPI (1N7904)
– It enables the future of an international standard reflecting the market reality of a growing
base of 100’s of millions of 8802-11 and 802.11i users
– It may motivate the Chinese NB to participate in a harmonisation process, including
normal JTC1/IEEE collaboration mechanisms
• A “no” vote for both 802.11i (1N7903) & WAPI (1N7904) is an acceptable but less
desirable outcome
– It might lead to harmonisation but provides little incentive to do so
– It is more likely to lead to delay & uncertainty given the historical unwillingness of the
Chinese NB to discuss harmonisation
• In either of the above cases, IEEE 802 will continue to seek harmonisation of
802.11i & WAPI
Harmonised - Participation