Wi-Fi will expand to include new authentication methods, more enterprise support: The Wi-Fi Alliance, responsible for the brand name Wi-Fi and the certification and testing that stand behind it, will add two new authentication methods to the suite supported as part of WPA2: EAP-FAST and EAP-AKA. EAP (Extensible Authentication Protocol) is a generic method of sending messages between parties.
EAP-FAST (Flexible Authentication through Secure Tunneling) is a Cisco replacement for the long-deprecated LEAP (Lightweight EAP), which was broken back in 2004. Unlike PEAP and EAP-TTLS, popular ways of validating a WPA2 Enterprise session with server certificates and tunneling credentials, FAST uses certificates only as an option. (EAP-FAST is itself vulnerable, although those vulnerabilities can be avoided in a deployment.)
EAP-AKA (Authentication and Key Agreement) is the more critical of the two, an authentication system designed for use on 3G networks--both GMS and CDMA evolved system--with a lot of flexibility about the kind of credential that's used to authenticate a device to a network.
The alliance has long included testing of five other EAP methods, including TLS (per-device certificate), TTLS, PEAPv0 and PEAPv1, and SIM. EAP-SIM is used with 2G GSM devices.
Edgar Figueroa, the executive director of the Wi-Fi Alliance, said in an interview that EAP-AKA testing and certification goes along with the group's interest in Wi-Fi in handsets. "It's very much in alignment with our intent to continue to support convergence," he said.
Handsets need to be more capable of easily logging into Wi-Fi networks because of the constant increase in the scale of data being sent to handheld devices, coupled with the cost and limits of 3G data to subscribers. "Users may be cognizant they are paying for that data traffic really quickly if they don't get on that Wi-Fi network," Figueroa said.
I asked Figueroa about a related issue: the coming deluge of single-stream 802.11n devices which are aimed at handsets as a replacement for 802.11g. Single-stream N will use single antennas and a single radio chain, which means that the encoding speed could be much faster than 802.11g, but can't approach the 100 to 150 Mbps top rates possible with two-radio, wide-channel multi-stream 802.11n devices in laptops and base stations. (You can read more background about this in my article, "Does the iPhone Need 802.11n?", 26 March 2009.)
The potential for consumer confusion could be high, with two bands, multiple streams, and other options. "Simpler is better," he said. The alliance is discussing "how information is needed, and how much may be superfluous, and how much do we want to complicate our brand."
One item in the group's favor is that all the 802.11n devices I'm aware of that support the 5 GHz band also support 2.4 GHz. This could make 2.4 GHz the default mode for compatibility. An increasing number of consumer base stations are simultaneous dual band, too, which alleviates issues on the client side. (There may be some specialized enterprise gear that's 5 GHz 802.11a or 802.11n only.)
Unrelated to today's announcement, a minor security update is planned in the future for WPA2 to add 802.11w, which provides integrity for management frames. These specialized frames are used by access points to report various data or communicate messages without user data between an access point and client.
But, most critically, disassociation and deauthentication frames are sent in this fashion without any protection. A network attacker can disrupt a network by forging these requests, which aren't checked for validity. 802.11w uses an encryption method that prevents invalid requests from being carried out.
The minor flaw in the TKIP encryption method discovered last year won't have any impact on the security protocols or tests by the alliance, Figueroa said. "We have consistently advocated WPA2 as the protocol that people should be using"--a message echoed by all sensible security consultants, writers, and researchers.
On the enterprise side, Figueroa said the Wi-Fi Alliance had a few enterprise-oriented projects in the works with a timetable of about two years for reaching fruition.
One is WMM-Admission Control, which enhances the WMM (Wireless Multimedia) quality of service provisioning protocol (from 802.11e) with resource availability. WMM by itself allows data to be assigned one of several priority queues to ensure, for instance, that voice packets make it through.
The admission control addition would let a set of managed devices restrict a device from joining a given base station channel if the resources to support an additional call or stream weren't available. "If you allow that to happen otherwise, you end up having a non-elegant degradation for all who are using the network," Figueroa noted.
The ultimate protocol might include a form of "advice," in which a device was told a different channel to join that had resources free for what the device was intending to do.
A related future improvement is Voice-Enterprise, which will provide more robust testing of VoIP over Wi-Fi at the scale used in large networks. Currently VoIP testing by the alliance simulates a loaded network with four calls being placed; the enterprise flavor will test in a simulation of dozens of calls along with many access points in use and fast roaming among them.
Finally, Wireless Network Management will one day extend detailed network status information that's required for network monitoring and troubleshooting to network administrators. While Wi-Fi access points can report a fair amount of information today--and that varies by vendor and network design--the testing program would establish a baseline and interoperability parameters.