1 / 14

802/802.1X/802.11 Architecture

802/802.1X/802.11 Architecture. Mike Moreton. 802.1Q Architectural Model. 802.1Q – Position of LLC. SAPs in 802 (Not generally named in the standards). ISS = Internal Sublayer Service.

topaz
Download Presentation

802/802.1X/802.11 Architecture

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 802/802.1X/802.11 Architecture Mike Moreton Mike Moreton, Synad Technologies

  2. 802.1Q Architectural Model Mike Moreton, Synad Technologies

  3. 802.1Q – Position of LLC Mike Moreton, Synad Technologies

  4. SAPs in 802 (Not generally named in the standards) ISS = Internal Sublayer Service Mike Moreton, Synad Technologies

  5. There are two instances of LLC/SNAP per MAC entity, one for the controlled port, and one for the uncontrolled port. The MAC SAP always forwards a copy of each received frame to the uncontrolled LLC/SNAP entity. If the controlled port is authorised, then a copy is also sent to the controlled LLC/SNAP entity, and a further copy to the ISS SAP. When the controlled port is unauthorised, the MAC SAP will not pass frames for transmission received from the controlled LLC/SNAP entity, and the ISS SAP will not pass any frames for transmission. 802.1X Controlled and Uncontrolled Ports Mike Moreton, Synad Technologies

  6. 802.1X Architecture Mike Moreton, Synad Technologies

  7. Alternative 802.1X Port Architecture • The SNAP SAPs are split into controlled and uncontrolled. • When the controlled port is authorised, traffic may pass via all SNAP SAPs and via the ISS SAP. • When the controlled port is not authorised, traffic may only pass via the uncontrolled SNAP SAPs. Mike Moreton, Synad Technologies

  8. Alternative 802.1X Controlled/Uncontrolled Mike Moreton, Synad Technologies

  9. 802.11 in the 802.1 Architecture • 802.11 is a shared access LAN • Not suitable for Port-Based Access Control. • 802.1X suggests 802.11 associations can be used as “pseudo-ports”. • But this requires isolation between STAs, which isn’t practical in 802.11 2003 • TGi provides STA isolation by using a unique pairwise key for each one. • But no isolation for group addresses. • Only one copy is sent out, encrypted with a separate group key. • TGi can not be modelled in the 802.1 architecture purely as a set of pseudo-ports, one per association. Mike Moreton, Synad Technologies

  10. 802.11 in 802.1 – a Possible Solution • Each 802.11i association is modelled as a pseudo-port. • However, the MAC entity for these ports is required to discard group addressed frames for transmission. • Received group addressed frames are processed as normal. • There is an additional permanent port used for transmitting group addressed frames • The MAC entity for this port will only pass group addressed frames for transmission. All other frames (including received frames) are discarded. • Is not controlled by 802.1X – always authorised. • 802.11i will encrypt these frames, and may not send them if no STAs are associated. Mike Moreton, Synad Technologies

  11. 802.11 in 802.1 – The Diagram EAPOL MAC Relay Entity Group Addressed Pseudo-Port STA 1 Pseudo-Port STA 2 Pseudo-Port STA 3 Pseudo-Port STA 4 Pseudo-Port STA 5 Pseudo-Port Mike Moreton, Synad Technologies

  12. 802.11 in 802.1 – Group Addressed Frame Flow • The originating STA forwards the frame to the AP as a directed unicast frame • This is the way 802.11 has always done it • It is received on the AP pseudo-port for that association. Assuming the associated controlled port is authorised, the frame is forwarded (with the recovered group address) to the Relay Agent. • The Relay Agent distributes the frame to all ports other than the one it was received from. • Each association pseudo port that receives the frame will discard it before transmission, as it does not have a unicast destination address. • The multicast pseudo port will transmit the frame. • All STAs will receive a single copy of the frame. • The originating STA will discard the frame based on the source address. • Again, this is the way 802.11 has always done it. Mike Moreton, Synad Technologies

  13. 802.11 Attached Bridges • Standard 802.11 APs do not forward frames for unknown addresses • Can’t attach an 802.1D bridge via 802.11 • Standard defines 4 address format that could be used to carry unknown frames, but doesn’t describe how to use it. • Many suppliers use proprietary indications in the association message to indicate an attached bridge, so that unknown frames can be forwarded to it. Mike Moreton, Synad Technologies

  14. 802.11 Bridging Some Questions • How do you secure who can be a bridge? • Can it be anyone? • Should an Ethernet 802.1X switch also discard unknown frames? • If so, maybe “bridge indication” should be in 802.1X. • What happens when multiple bridges are associated? • Perhaps use group address? Mike Moreton, Synad Technologies

More Related