AP Architecture Thoughts
Mike Moreton, STMicroelectronics
November 2004
doc.: IEEE 802.11-04/1191r5

Introduction
• 802.11 defines terms such as “Integration Function”, “Portal”, “DS”, “DSM” etc.
• The definitions are deliberately vague
– To allow different implementations
• Hence different companies have different views of what these terms actually mean
– Almost any diagram is likely to be unacceptable to a majority of companies
Definitions
3.20 distribution system (DS): A system used to interconnect a set of BSSs and integrated LANs to create an ESS.
3.21 distribution system medium (DSM): The medium or set of media used by a DS for communications between APs and portals of an ESS.
3.25 extended service set (ESS): A set of one or more interconnected BSSs and integrated LANs that appears as a single BSS to the LLC layer at any station associated with one of those BSSs.
3.29 integration: The service that enables delivery of MSDUs between the DS and an existing, non-IEEE 802.11 LAN (via a portal).
3.39 portal: The logical point at which MSDUs from a non-IEEE 802.11 LAN enter the DS of an ESS.
Position of Portal
DS and Integrated LAN (1999)
Diagram: an ESS containing two BSSs, each with a STA and an AP (AP STA, 802.11 MAC); the APs are joined over the DSM to form the DS; a Portal (Integration Function) connects the DS to the Integrated LAN, on which sits a Non 802.11 Endpoint.
DS and Integrated LAN (1999) – missing blocks filled in
Diagram: the same ESS with the missing blocks added: each AP now contains (AP STA, 802.11 MAC), an 802.11 MAC Relay Entity and a DSM MAC; the Portal contains a DSM MAC; the DSM joins APs and Portal to form the DS; the Integrated LAN carries a Non 802.11 Endpoint; two BSSs, each with a STA.
802.1D Architecture
1999 including LLC
Diagram: the filled-in 1999 picture with LLC added: LLC sits above the DSM MAC in the Portal and above the 802.11 MAC Relay Entity in each AP (AP STA, 802.11 MAC, DSM MAC); each STA has LLC and Higher Layer Entities above its 802.11 MAC; DS over the DSM; Integrated LAN with Non 802.11 Endpoint; two BSSs; ESS.
1999 with 802.X DS
Diagram: the DS is an 802.X LAN; each AP contains (AP STA, 802.11 MAC), an 802.11 MAC Relay Entity, Frame Routing, an 802.X MAC and LLC; a Virtual Portal connects the DS to a Virtual Integrated LAN holding an 802.X Endpoint; two BSSs, each with a STA (802.11 MAC, LLC, Higher Layer Entities); ESS.
1999 – portal in AP
Diagram: each AP contains a Portal, Frame Routing, an ILAN MAC, (AP STA, 802.11 MAC), an 802.11 MAC Relay Entity and LLC; the DS sits between the APs; the Integrated LAN (ILAN) carries a Non 802.11 Endpoint; two BSSs, each with a STA (802.11 MAC, LLC, Higher Layer Entities); ESS.
802.1X Port Model
(not controlled and uncontrolled!)
Diagram: a Switch with a STA attached to each of two ports.
• 802.1X authenticates the device connected to a port
• For 802.3, the security association between the authentication and frames is provided by the physical limitations of the port
Apologies to 802.1X experts for any errors…
802.1X and Broadcast LANs
Diagram: a Switch and two STAs on a shared broadcast LAN.
• One STA authenticating doesn’t prove anything, as frames could come from another STA.
802.1X and 802.11i
Diagram: a Switch and two STAs, each STA joined to the switch by its own virtual link.
• Use encryption with a pairwise key to create virtual links between the switch and a single STA.
• As long as encryption is enabled before the controlled port is enabled, a STA can’t “steal” someone else’s authentication.
• Correspondence between pairwise key and “virtual port”
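The two slides above can be run as a small model. This is an added example, not code from the submission: the authenticator keeps one virtual port per STA MAC address; with `pairwise_keys=False` it behaves like plain 802.1X on a broadcast LAN, with `pairwise_keys=True` it installs a per-port key before authorising the controlled port. Per-frame protection under the pairwise key is stood in for by an HMAC-SHA256 over the frame (real 802.11i uses CCMP or TKIP); the MAC addresses, the `scenario` function and the `Authenticator` class are all constructed for the illustration.

```python
"""Plain 802.1X on a shared medium versus 802.11i pairwise-key virtual ports.

Constructed model: per-frame protection is an HMAC over the frame under the
port's pairwise key; the point is only that a frame must be produced with the
key that belongs to the virtual port it claims to come from.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Frame:
    src: str                     # claimed transmitter address
    payload: bytes
    mic: Optional[bytes] = None  # present only if protected under some pairwise key


def protect(frame: Frame, ptk: bytes) -> Frame:
    """Stand-in for encrypting/integrity-protecting a frame under a pairwise key."""
    frame.mic = hmac.new(ptk, frame.src.encode() + frame.payload, hashlib.sha256).digest()
    return frame


@dataclass
class VirtualPort:
    ptk: Optional[bytes] = None  # pairwise key, installed before the port is authorised
    authorized: bool = False     # 802.1X controlled-port state


class Authenticator:
    """One virtual port per associated STA, identified by MAC address."""

    def __init__(self, pairwise_keys: bool) -> None:
        # False: plain 802.1X on a broadcast LAN.  True: 802.11i with a pairwise key.
        self.pairwise_keys = pairwise_keys
        self.ports: Dict[str, VirtualPort] = {}

    def associate(self, mac: str) -> None:
        self.ports[mac] = VirtualPort()          # port created at association

    def eap_success(self, mac: str) -> Optional[bytes]:
        """802.1X finished for this MAC: install the key first, then open the port."""
        port = self.ports[mac]
        if self.pairwise_keys:
            port.ptk = os.urandom(32)            # stands in for the PTK from the 4-way handshake
        port.authorized = True
        return port.ptk

    def controlled_port_accepts(self, frame: Frame) -> bool:
        port = self.ports.get(frame.src)
        if port is None or not port.authorized:
            return False
        if not self.pairwise_keys:
            # Plain 802.1X: the only binding between the authentication and a frame is
            # the claimed source address, which anyone on the medium can forge.
            return True
        if port.ptk is None or frame.mic is None:
            return False                         # port opened without a key, or clear frame
        expected = hmac.new(port.ptk, frame.src.encode() + frame.payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, frame.mic)


def scenario(pairwise_keys: bool) -> Tuple[bool, bool, bool]:
    """Returns (STA 1's own frame accepted, STA 2 spoofing STA 1 accepted,
    unauthenticated STA 2 under its own address accepted)."""
    ap = Authenticator(pairwise_keys)
    ap.associate("02:00:00:00:00:01")   # STA 1 (constructed address)
    ap.associate("02:00:00:00:00:02")   # STA 2, never authenticates
    ptk1 = ap.eap_success("02:00:00:00:00:01")

    legit = Frame("02:00:00:00:00:01", b"from STA 1")
    spoof = Frame("02:00:00:00:00:01", b"STA 2 using STA 1's address")
    own = Frame("02:00:00:00:00:02", b"STA 2 under its own address")
    if ptk1 is not None:
        protect(legit, ptk1)
        protect(spoof, os.urandom(32))  # STA 2 does not hold STA 1's pairwise key
    return (ap.controlled_port_accepts(legit),
            ap.controlled_port_accepts(spoof),
            ap.controlled_port_accepts(own))


if __name__ == "__main__":
    print("802.1X only:", scenario(False))  # (True, True, False): the spoof gets through
    print("802.11i    :", scenario(True))   # (True, False, False): the spoof is rejected
```

The ordering bullet on the slide is the `eap_success` method: the key is installed before `authorized` flips, and `controlled_port_accepts` refuses an authorised port that has no key, so there is no window in which a clear-text frame with a borrowed address is accepted.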
11i
Diagram: DS; Frame Routing (one per port); Port for STA 1, Port for STA 2, Port for STA 3; 802.11 MAC Relay Entity; Controlled / Uncontrolled Port Filtering between the ports and the relay entity.
• Separate port created for each STA at association
• 802.1X controls communication to relay entity
• Relay entity similar to 802.1D, but not identical.
• DS Update at Controlled Port Authentication?
11i with broadcast
Diagram: DS; Frame Routing (one per port); Port for STA 1, Port for STA 2, Port for STA 3, Broadcast Port; 802.11 MAC Relay Entity.
• Broadcast frames have their own key – so surely they have their own virtual port?
• Relay Entity has different rules for forwarding frames to ports depending on type
• Controlled port authorised at first association?
11i with broadcast, single MAC
Diagram: DS; Frame Routing (one per port); Port for STA 1, Port for STA 2, Port for STA 3, Broadcast Port; 802.11 MAC Relay Entity; a single 802.11 MAC beneath all the ports.
• Reality is more like this.
• The different “ports” share a MAC
• One MAC can handle multiple ports as a port is identified by MAC address.
11i with broadcast plus WDS
Diagram: DS; Frame Routing (one per port); Port for STA 1, Port for STA 2, Port for STA 3, Broadcast Port, WDS Port 1, WDS Port 2, WDS Port 3; 802.11 MAC Relay Entity; a single 802.11 MAC.
• WDS links are AP to AP links
• Will probably have pairwise keys (TGs to define)
• Relay treatment is like standard 802.1D Relay
802.11i Relay Entity Port Types
• Unicast
– Address comes from association, not learnt
– No flooding of unknown frames
– No forwarding of broadcast frames
• Broadcast
– No forwarding of any unicast frames (known or unknown)
– Forward copy of each broadcast frame
• WDS
– Learn addresses at remote end
– Flood unknown frames
– Forward copy of each broadcast frame
– Run STP
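The three port types above, together with the per-STA, broadcast and WDS ports of the preceding diagrams, can be written out as a forwarding function. This is an added example and not code from the submission: `RelayEntity.relay` returns the ports a frame is copied to, applying the unicast-port rules (address bound at association, no learning, no flooding, no broadcast), the broadcast-port rules (group-addressed copies only) and the WDS rules (802.1D-style learning and flooding). Two assumptions beyond the slide: the DS-facing port is modelled with the same rules as a WDS port, and the broadcast port is transmit-only. STP is not modelled. Port names, MAC addresses and `build_ap` are constructed for the illustration.

```python
"""Forwarding rules of the 802.11i relay entity, by port type (constructed model)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class PortKind(Enum):
    STA = "unicast"          # one per associated STA, behind its pairwise key
    BROADCAST = "broadcast"  # one per BSS, behind the group key (assumed transmit-only)
    WDS = "wds"              # AP-to-AP link; the DS port is assumed to behave the same way


@dataclass
class Port:
    name: str
    kind: PortKind


@dataclass
class Frame:
    dst: str
    src: str


def is_group(mac: str) -> bool:
    """Broadcast/multicast: I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class RelayEntity:
    def __init__(self) -> None:
        self.ports: Dict[str, Port] = {}
        self.assoc: Dict[str, str] = {}    # MAC -> STA port, set by association only
        self.learned: Dict[str, str] = {}  # MAC -> WDS port, learned from traffic

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def associate(self, mac: str, port_name: str) -> None:
        if self.ports[port_name].kind is not PortKind.STA:
            raise ValueError("only STA ports are bound by association")
        self.assoc[mac] = port_name

    def disassociate(self, mac: str) -> None:
        self.assoc.pop(mac, None)

    def relay(self, ingress_name: str, frame: Frame) -> List[str]:
        """Sorted names of the ports the frame is forwarded to ([] means dropped)."""
        ingress = self.ports[ingress_name]
        others = [p for p in self.ports.values() if p.name != ingress_name]

        if ingress.kind is PortKind.STA:
            # A unicast port only carries the address bound at association: a frame with
            # any other source address on this port is dropped, never learned.
            if self.assoc.get(frame.src) != ingress_name:
                return []
        elif ingress.kind is PortKind.WDS:
            if frame.src not in self.assoc:        # association entries take precedence
                self.learned[frame.src] = ingress_name   # 802.1D-style learning
        else:
            return []                              # nothing is received on the broadcast port

        if is_group(frame.dst):
            # One copy to the broadcast port (group key) and one to each other WDS port;
            # never to individual STA ports.
            egress = [p for p in others if p.kind in (PortKind.BROADCAST, PortKind.WDS)]
        else:
            target = self.assoc.get(frame.dst) or self.learned.get(frame.dst)
            if target is not None:
                egress = [] if target == ingress_name else [self.ports[target]]
            else:
                # Unknown unicast floods WDS ports only: STA ports see no flooding and the
                # broadcast port carries no unicast at all.
                egress = [p for p in others if p.kind is PortKind.WDS]
        return sorted(p.name for p in egress)


# Constructed addresses for the walk-through.
STA1, STA2, STA3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
WIRED = "02:00:00:00:00:aa"      # a host somewhere across the DS
BCAST = "ff:ff:ff:ff:ff:ff"


def build_ap() -> RelayEntity:
    ap = RelayEntity()
    for name, kind in [("sta1", PortKind.STA), ("sta2", PortKind.STA), ("sta3", PortKind.STA),
                       ("bcast", PortKind.BROADCAST), ("wds1", PortKind.WDS), ("ds", PortKind.WDS)]:
        ap.add_port(Port(name, kind))
    for mac, name in [(STA1, "sta1"), (STA2, "sta2"), (STA3, "sta3")]:
        ap.associate(mac, name)
    return ap


if __name__ == "__main__":
    ap = build_ap()
    print(ap.relay("sta1", Frame(BCAST, STA1)))  # ['bcast', 'ds', 'wds1']
    print(ap.relay("sta1", Frame(STA2, STA1)))   # ['sta2']
    print(ap.relay("sta1", Frame(WIRED, STA1)))  # ['ds', 'wds1']  unknown: WDS-type ports only
    print(ap.relay("ds", Frame(STA3, WIRED)))    # ['sta3']        and WIRED is learned on ds
    print(ap.relay("sta3", Frame(WIRED, STA3)))  # ['ds']
    print(ap.relay("sta2", Frame(STA3, STA1)))   # []              STA 1's address on STA 2's port
```

The last call is the check the unicast-port rule implies: because a STA port's address comes from association rather than learning, a frame on STA 2's port carrying STA 1's address cannot move the relay's idea of where STA 1 lives, so the table-poisoning that a learning bridge allows has no effect here.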
Question
• Should 802.11 define its own (enhanced) Relay Entity, or should the standard 802.1D Relay Entity be enhanced to support 802.11i?