1 / 17

Light Weight Access Point Protocol (LWAPP)

Light Weight Access Point Protocol (LWAPP). Pat R. Calhoun draft-ohara-capwap-lwapp-01.txt. Introduction. Components of protocol: Discovery phase Control Channel Management Join (binding phase) Creates LWAPP security association Watchdog Key Update WTP Configuration

alexa
Download Presentation

Light Weight Access Point Protocol (LWAPP)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Light Weight Access Point Protocol (LWAPP) Pat R. Calhoun draft-ohara-capwap-lwapp-01.txt

  2. Introduction • Components of protocol: • Discovery phase • Control Channel Management • Join (binding phase) • Creates LWAPP security association • Watchdog • Key Update • WTP Configuration • WTP initiated Configuration Request • AC initiated Configuration Update • WTP Config Clear

  3. Introduction (cont.) • Components of protocol: • Device Management Operations • WTP Reset • WTP Firmware Download • WTP Event Notification (Unsolicited events, such as statistics) • Mobile Management • Create forwarding policies on WTP • IEEE 802.11 Technology Binding • WLAN (service) Configuration

  4. WTP/AC Communication WTP AC Discovery Phase Join Phase Security Association Established – encryption enabled Either: 1) or 2) WTP Configuration AP Advertises service Image Data Transfer AP Reboots with new firmware

  5. New LWAPP State Machine • /------------\ | v | +------------+ | C| Idle |<-----------------------------------\ | +------------+<-----------------------\ | | ^ |a ^ | | | | | \----\ | | | | | |tu | | | | | +-----------+------>+------------+ | | / | C| Run | | Key Update | | | / | r+-----------+<------+------------+ | | / | ^ |swx| | | | v | | | | | | +--------------+ | | v |y | | C| Discovery | q| \--------------->+-------+ | | b+--------------+ +-------------+ | Reset | | | |df| ^ | Configure |------->+-------+ | | | | | +-------------+p ^ | |e v | | ^ ^ | | +---------+ v |i |k2| | | C| Sulking | +------------+ +--------------+ | | +---------+ C| Join |--->| Join-Confirm | | | g+------------+z +--------------+ | | |hm| 3| |4 | | | | | v |o |\ | | | +------------+ \\-----------------/ \--------+---->| Image Data |C \------------------------------------/ +------------+n

  6. New LWAPP State Machine • State machine is now consistent with text throughout the document • New text in -01 now has explicit text about state machine behavior, for instance: Idle to Discovery (a): This is the initialization state. WTP: The WTP enters the Discovery state prior to transmitting the first Discovery Request (see Section 5.1). Upon entering this state, the WTP sets the DiscoveryInterval timer (see Section 12). The WTP resets the DiscoveryCount counter to zero (0) (see Section 13). The WTP also clears all information from ACs (e.g., AC Addresses) it may have received during a previous Discovery phase. AC: The AC does not need to maintain state information for the WTP upon reception of the Discovery Request, but it MUST respond with a Discovery Response (see Section 5.2).

  7. Technology Bindings • Added text about how to add new technology bindings (section 2.1) • Moved and renamed all 802.11 specific protocol components to 802.11 binding (section 11) • Defined IEEE 802.11 specific message elements in binding section • Mobile Config Request (section 11.4.1) • WTP Event Request (section 11.4.2)

  8. Technology Bindings (cont.) • Introduced IEEE 802.11 specific commands • IEEE 802.11 WLAN Config Request • IEEE 802.11 WLAN Config Response • IEEE 802.11 WTP Event • Many IEEE 802.11 specific message elements are defined in section 11

  9. LWAPP Transport • LWAPP is transport agnostic. • Specification defines IP/UDP and IEEE 802.3 • New text (01) now a single transport header • IEEE 802.3 and IP/UDP refer back to single header figure 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |VER| RID |C|F|L| Frag ID | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Status/WLANs | Payload... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  10. WTP 802.11 control protocol 802.11 beacons 802.11 probe responses 802.11e frame queuing 802.11i frame encryption AC 802.11 MAC management e.g., Association, Action 802.11 Data Frames 802.11e resource reservation 802.11i Auth/Key Exchange Division of Labor – Split MAC Local MAC behavior will be added in -03.

  11. LWAPP Data Frames • LWAPP defines the following format for the IEEE 802.11 technology binding: +-----------------------------------------------------------+ |Transport Header | LWAPP Header [C=0] | 802.11 Frame... +-----------------------------------------------------------+

  12. LWAPP Control Messages • LWAPP defines a specific header for Control messages: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Message Type | Seq Num | Msg Element Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Session ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Msg Element [0..N] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  13. LWAPP Messages • Increased the readability of every LWAPP Control message: • Section now includes all message elements allowed: 5.2 Discovery Response . . . . . . . . . . . . . . . 33 5.2.1 AC Address . . . . . . . . . . . . . . . 34 5.2.2 AC Descriptor . . . . . . . . . . . . . 34 5.2.3 AC Name . . . . . . . . . . . . . . . . 35 5.2.4 WTP Manager Control IP Address . . . . . 36 • Includes complete instructions on WTP and AC behavior, and ties back into state machine • Refers to all necessary timers and variables (sections 12 and 13)

  14. Message Elements • Significant formatting changes • Removed large message element table • Each message element now includes identifier number and length. 5.1.1 Discovery Type The Discovery message element is used to configure an WTP to operate in a specific mode. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Discovery Type| +-+-+-+-+-+-+-+-+ Type: 58 for Discovery Type Length: 1 Discovery Type: An 8-bit value indicating how the AC was discovered. The following values are supported: 0 - Broadcast 1 - Configured

  15. Security • Significant cleanup in text detailing certificate based LWAPP security • Message elements clearly spell out their contents • Introduction of PSK • State machine changes • Changes to certain message elements to handle both modes of operation • Specific text detailing DH/PRF security approach • AC Advertises security modes supported in AC Descriptor (section 5.2.2) • New Security Considerations section for both modes of operation.

  16. Certificate Based Security WTP AC Join request (WTP-Cert, SID) AC Creates session keys (KeyMaterial) Data = E-wtp{Kpub, PKCS1(KeyMaterial)} Cipher-text = E-ac{Kpriv, SID|Data} Join Response (AC-Cert, SID, cipher-text) Data = D-ac{Kpub, Cipher-text} PKCS1(KeyMaterial) = D-ac{Kpriv , data} AES-CCM Encrypted Control Channel

  17. PSK Based Security WTP AC AC chooses exponent x and creates WNonce Join request (DH-Params(g, p, g^x mod p), WNonce, SID) AC chooses exponent y and creates ANonce PMS = LEN_16(Z) | Z | LEN_16(PSK) | PSK KeyMaterial = PRF(PMS, "master secret", Wnonce + Anonce) Key Material is split into K1 (KCK), K2 (KEK) and K3 (Rekey key) Join Response (DH-Params(g^y mod p), SID, ANonce, PSK-MIC) WTP computes key PSK-MIC validation provides key confirmation Join ACK (SID, PSK-MIC) PSK-MIC validation provides key confirmation Join Confirm (SID, PSK-MIC) Authenticated Join Confirm closes the state machine loop AES-CCM Encrypted Control Channel

More Related