1 / 43

802.11 Architecture and 802.11 (f) – Inter Access Point Protocol

802.11 Architecture and 802.11 (f) – Inter Access Point Protocol. Motivation. We have seen so far only packets transmitted between two stations over the Wireless Medium

erna
Download Presentation

802.11 Architecture and 802.11 (f) – Inter Access Point Protocol

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. 802.11 Architecture and802.11 (f) – Inter Access Point Protocol 1

  2. Motivation • We have seen so far only packets transmitted between two stations over the Wireless Medium • What about connections with computers in the internet (e.g. Web Servers) or with other wireless computers that are out of range? • What happens if we move out of range of the Access Point? • We need an infrastructure that connects a wireless network to other networks and allows stations to move between Access Points 2

  3. Contents • Elements of the 802.11 Architecture • Distribution System Services • The 802.11 (f) Inter-Access Point Protocol: A proposed Recommended Practice 3

  4. Elements of the 802.11Architecture 4

  5. The Basic Service Set • The Basic Service Set (BSS) is the building block of an 802.11 LAN • A BSS consists of a number of stations that can communicate with each other • The minimum composition of a BSS is just two stations • Services available within a Basic Service Set are: • Security services: Authentication, Deauthentication, Privacy • MSDU Delivery: between two peer MAC entities 5

  6. Independent BSS • A network that consists of a single BSS, without any further connectivity, is an Independent BSS (IBSS) • An IBSS is also known as an ad-hoc network, since it requires no advance planning 6

  7. Distribution System • In order to connect multiple BSSs, and to connect these to other networks, the 802.11 specification defines the concept of a Distribution System (DS) 7

  8. Access Points • We have already seen that an Access Point (AP) contains the Point Coordination Function (PCF) • An Access Point also allows access to the Distribution System: • Note that an Access Point includes all the functionality of a Station 8

  9. Infrastructure BSS • Stations within a BSS that includes an Access Point are able to connect to the Distribution System • Such a BSS is known as an Infrastructure BSS 9

  10. Integrated LAN • In addition to connecting multiple 802.11 BSSs, the Distribution System can connect to other 802-based Local Area Networks via Portals • Such Networks are known as an Integrated LANs 10

  11. Extended Service Set • A collection of BSSs and the Distribution System which connects them to each other and to Integrated LANs is called an Extended Service Set (ESS) 11

  12. Distribution System Service • We have already seen the basic services that a BSS allows • Within a DS, the following services are available via an Access Point • Association • Disassociation • Distribution • Integration • Reassociation • These are known as Distribution System Services (DSSs) and we will look at each in turn 12

  13. Layered Architecture and the ESS (1) • The scope of 802.11 is restricted to the MAC and PHY layers; no specification is made for the higher layers • However, the Distribution System operates so that: Connections between stations within an ESS shall appear to the LLC as if they were only 1 ‘hop’ apart 13

  14. Layered Architecture and the ESS (2) 14

  15. Layered Architecture and the ESS (3) 15

  16. Summary • Basic Service Set (BSS): Collection of Stations that can communicate with each other • Distribution System (DS): Network connecting BSSs and Integrated LANs • Access Point (AP): Station with additional functionality that allows stations in its BSS access to the DS • Independent BSS (IBSS): BSS that does not include an AP and is not connected to a DS • Infrastructure BSS: BSS that is connected to a DS via an AP • Integrated LAN: LAN that is connected to a DS via a Portal • Extended Service Set (ESS): A DS and its connected BSSs 16

  17. Important Notes! • The 802.11 standard does not specify: • The architecture of the DS • How the DSS should be implemented • For example, the DS could be a 802.3 LAN, an 802.11 Wireless LAN, or a wired IP network • 802.11 specifies only the services (i.e. the DSS) which the DS must provide 17

  18. Association • Before a station can transmit or receive frames to or from the DS, it must become Associated with an Access Point • Association is always initiated by the Station • If association is successful, an AP  STA mapping is created • This mapping is used by the DS to determine which AP to send frames to for a particular Station • A station can only be associated with one AP at a time 18

  19. Disassociation • The reverse process of Association, Disassociation terminates an existing association • This could be, for example, when a station is switched off • The standard does not require disassociation, and will function correctly (though less efficiently) even if a Station fails to Disassociate • This is because a station might shut down abruptly without having time to send a Disassociation message 19

  20. Reassociation • Reassociation is invoked when a station moves out of range of one AP into the range of another within the same ESS • This allows the DS to maintain correct AP  STA mapping 20

  21. Distribution • The Distribution System delivers messages between stations in different BSSs, from the ‘source’ AP to ‘destination’ AP • The DS uses the AP  STA mappings provided by the Access Points 21

  22. Integration • Integration is an addition to the Distribution function to allow frames to be delivered to and from Integrated LANs • The connection to the source/destination is a Portal, rather than an AP • This function is responsible for any address space/media translations • As with Distribution, the way this is implemented depends on how the DS is built 22

  23. Identifiers • Various Identifiers are used by 802.11 systems: • Station MAC address: every wireless station has a 48-bit IEEE 802 MAC address, which is programmed during manufacture • BSS ID: Each BSS is identified by a BSS ID; in an infrastructure BSS, this is the MAC address of the AP • SSID (Service Set ID): This identifies the Service Set (e.g. ESS), but is set by management. It is used by Stations to identify the network(s) they are considering joining • Association ID (AID): This is assigned to a Station when it associates with an AP; it identifies the station amongst those associated with a particular AP 23

  24. Association Procedure • The procedure for Association is as follows: • The Station Management Entity requests the Station to associate with a given AP • The Station sends an Association Request message to the AP, specifying: • Station MAC address, AP MAC address, ID of ESS (SSID) • The AP responds with an Association Response, specifying: • Status (Successful/Unsuccessful), AID (if successful) • The Station responds with an ACK, and indicates to its SME that the association has been completed • On receipt of the ACK, the AP creates the AP-STA mapping and informs the DS of the Association 24

  25. Reassociation Procedure • The procedure for Reassociation is as follows: • The Station Management Entity requests the Station to reassociate with a given AP (for example, after scanning) • The Station sends an Reassociation Request message to the AP, specifying: • Station MAC address, new AP MAC address, old AP MAC address, ID of ESS (SSID) • The AP responds with an Reassociation Response, specifying: • Status (Successful/Unsuccessful), AID (if successful) • The Station responds with an ACK, and indicates to its SME that the association has been completed • On receipt of the ACK, the AP creates the AP-STA mapping and informs the DS of the Reassociation 25

  26. IEEE 802.11 (f) Inter AccessPoint Protocol(Proposed Supplement) 26

  27. Why do we need an IAPP? • In order to create a Distribution Service (and hence an ESS), APs must be interoperable and communicate using a common protocol • Currently, APs from different vendors do not communicate with each other in a standardized manner and hence may not interoperate • The 802.11 (f) Inter Access Point Protocol (IAPP) proposes a Recommended Practice for the implementation of the Distribution System Services, and a protocol which allows APs to provide such services • It does not specify how to implement a DS 27

  28. Requirements of the IAPP • The IAPP requires the following: • Access Points implement TCP and UDP over IP • TCP/IP and UDP/IP packets can be carried over the Distribution System • The presence of a RADIUS server if security functions are required • No IAPP functionality is required in stations – in fact, the operation of IAPP is transparent to the end user 28

  29. IAPP Layered Architecture 29

  30. Data Transfer in the Presence of IAPP • The presence of the IAPP within the APs and DS does not affect the transfer of user data within the ESS • To the stations, the 802.11 network appears to be only a Layer 2 network – i.e. the use of IP or any other higher layer protocol within the DS is neither specified nor required • The requirement that the DS be able to carry IP datagrams in order that IAPP operate correctly does not mean that user data be carried in IP datagrams 30

  31. IAPP Functions • The IAPP performs the following functions: • Support the mobility of stations, via the handover of Station information (“context”) between Access Points • Creation and maintenance of an ESS • Assistance to Layer 2 devices in the DS to enable them to route frames correctly to a station • Enforcement of the rule that a STA may be associated with only one AP at a time • If a RADIUS server is available, some of these functions may be carried out securely 31

  32. What is ‘context’? • When a station moves from one BSS to another, within the same ESS, IAPP enables the transfer of data relevant to that station from the old AP to the new AP • In the current standard, no such information is defined • However, in the future, such information (referred to a ‘context’) could include: • Security (Authentication) details • Quality of Service (QoS) requirements • The aim is to reduce the amount of signaling that occurs over the wireless medium every time the station moves and thus to speed up handoff 32

  33. IAPP Procedures • There are two main IAPP Procedures which we classify according on the type of message that initiated the procedure: • Association: allows other APs to become aware of the location of the Station • Reassociation: allows context to be transferred from the old AP to the new AP • Both procedures ensure that a Station is not associated with more than one AP • IAPP procedures are initiated by the Access Point Management Entity (APME) function in the Access Point that received the message 33

  34. IAPP Procedures: Interfaces • The interfaces across which messages/primitives are passed are shown below: 34

  35. IAPP Procedures: Association 35

  36. IAPP Association (1) • 1. MLME-Associate: • sent by the MLME when a station has successfully been associated with the AP • 2. ADD.request • Contains: MAC address of station, Sequence # of Association request frame • 3a. L2 Update Frame • 802 Broadcast frame, with source address = MAC address of the Station, sent to the DS to update all layer 2 devices (bridges, etc) • 3b. ADD-notify message • Transmitted to All-IAPP multicast IP address 36

  37. IAPP Association (2) • 4. ADD.indication • Informs other APs of the new association • If the Station was formally associated with an AP, that AP dissociates the Station • If the Station has associated with an AP more recently (i.e. with a higher sequence number), that AP acts as if the station had just Reassociated with that AP, and follows the Reassociation procedure. This is to remove the association at the AP sending the ADD-notify message • 5. ADD.confirm • Confirms to the AP that the L2 update frame and the ADD-notify message were sent 37

  38. IAPP Procedures: Reassociation 38

  39. IAPP Reassociation (1) • 1. MLME-Reassociate • Sent by the MLME when a station has become reassociated with the AP • 2. MOVE.request • Contains: MAC address of STA, Sequence # of Reassociation request frame, Old AP’s MAC address, Context to be sent to old AP • 3. MOVE-notify message • IP packet transmitted to the old AP using TCP/IP. • Note that the new AP must first determine the IP address of the old AP. This may be done by polling the RADIUS server, if available. 39

  40. IAPP Reassociation (2) • 4. MOVE.indication • Informs old AP that station is associated with new AP • 5. MOVE.response • Contains any context that is to be passed to the new AP • If the station has in fact been reassociated with the ‘old’ AP more recently than with the ‘new’ AP, the ‘old’ AP shall return a status of STALE_MOVE, and initiate its own Reassociation procedure • 6. MOVE-response message • 7. MOVE.confirm • Contain information received in the MOVE.response primitive • 8. Layer 2 Update message (same as in Association) 40

  41. The Need for Security • Because IAPP messages are sent over IP, these may be fraudulently created anywhere • A bogus MOVE or ADD-Notify may cause an AP to delete all state it has for a station • If an attacker can capture IAPP packets, it can access information about the Stations • Hence, it is necessary to provide secure connections between APs for the transmission of IAPP messages • IPSec (RFCs 2406, 2407) can provide group-wise or pair-wise ‘Security Association’ and is thus recommended for this purpose 41

  42. The use of RADIUS • RADIUS (Remote Authentication Dial In User Service) (RFC 2865) provides a centralized method for authenticating users • In addition, it can act as a directory for information, available only to authenticated users • The proposed use of RADIUS is to maintain, for each AP, the following information: • BSSID (i.e. the MAC address of the AP on the wireless medium) • Shared secret (known only to the AP and the RADIUS server) • IP address of the AP • Security methods supported by the AP 42

  43. Functions of the RADIUS server • The RADIUS server provides the following services: • Authenticates the AP on joining an ESS • Provides the IP address of another Access Point • Provides security information (e.g. keys) to allow Access Points to communicate in a secure manner using IPSec 43

More Related