November 2004 doc.: IEEE 802.11-04/1191r5
AP Architecture Thoughts
Mike Moreton, STMicroelectronics
Submission

Slide 2: Introduction
• 802.11 defines terms such as “Integration Function”, “Portal”, “DS”, “DSM” etc.
• The definitions are deliberately vague
 – To allow different implementations
• Hence different companies have different views of what these terms actually mean
 – Almost any diagram is likely to be unacceptable to a majority of companies

Slide 3: Definitions
3.20 distribution system (DS): A system used to interconnect a set of BSSs and integrated LANs to create an ESS.
3.21 distribution system medium (DSM): The medium or set of media used by a DS for communications between APs and portals of an ESS.
3.25 extended service set (ESS): A set of one or more interconnected BSSs and integrated LANs that appears as a single BSS to the LLC layer at any station associated with one of those BSSs.
3.29 integration: The service that enables delivery of MSDUs between the DS and an existing, non-IEEE 802.11 LAN (via a portal).
3.39 portal: The logical point at which MSDUs from a non-IEEE 802.11 LAN enter the DS of an ESS.
Slide 4: Position of Portal
[Diagram only: position of the Portal relative to the DS and the integrated LAN.]

Slide 5: DS and Integrated LAN (1999)
[Diagram: STA – BSS – AP (AP STA, 802.11 MAC) – DSM – DS – Portal (Integration Function) – Integrated LAN – Non 802.11 Endpoint; the BSSs and integrated LAN together form the ESS.]

Slide 6: DS and Integrated LAN (1999) – missing blocks filled in
[Diagram: as slide 5, with each AP shown as 802.11 MAC + 802.11 MAC Relay Entity + DSM MAC, so that the AP’s relay entity bridges between the 802.11 MAC and the DSM.]

Slide 7: 802.1D Architecture
[Diagram only: the standard 802.1D bridge architecture.]

Slide 8: 1999 including LLC
[Diagram: as slide 6, with LLC and Higher Layer Entities added above the 802.11 MAC in each STA and above the 802.11 MAC Relay Entity in each AP.]

Slide 9: 1999 with 802.X DS
[Diagram: the DSM is an 802.X LAN; each AP contains an 802.11 MAC, an 802.11 MAC Relay Entity, Frame Routing and an 802.X MAC; the Portal and Integrated LAN become a Virtual Portal and a Virtual Integrated LAN leading to an 802.X Endpoint.]

Slide 10: 1999 – portal in AP
[Diagram: each AP contains the Portal, Frame Routing and an ILAN MAC alongside the 802.11 MAC Relay Entity, so the Integrated LAN (ILAN) attaches directly to the AP; STA, BSS, DS, ESS and Non 802.11 Endpoint as before.]
Slide 11: 802.1X Port Model (not controlled and uncontrolled!)
[Diagram: a Switch with one port per STA, two STAs shown.]
• 802.1X authenticates the device connected to a port
• For 802.3, the security association between the authentication and frames is provided by the physical limitations of the port
Apologies to 802.1X experts for any errors…

Slide 12: 802.1X and Broadcast LANs
[Diagram: a Switch with a single broadcast port shared by two STAs.]
• One STA authenticating doesn’t prove anything, as frames could come from another STA.

Slide 13: 802.1X and 802.11i
[Diagram: a Switch with a separate encrypted virtual link to each of two STAs.]
• Use encryption with pairwise key to create virtual links between the switch and a single STA.
• As long as encryption is enabled before controlled port is enabled, can’t “steal” someone else’s authentication.
• Correspondence between pairwise key and “virtual port”

Slide 14: 11i
[Diagram: DS above the 802.11 MAC Relay Entity; below it Frame Routing and a Port for STA 1, Port for STA 2 and Port for STA 3, each with Controlled / Uncontrolled Port Filtering.]
• Separate port created for each STA at association
• 802.1X controls communication to relay entity
• Relay entity similar to 802.1D, but not identical.
• DS Update at Controlled Port Authentication?

Slide 15: 11i with broadcast
[Diagram: as slide 14, with a Broadcast Port added beside the Port for STA 1, Port for STA 2 and Port for STA 3.]
• Broadcast frames have their own key – so surely they have their own virtual port?
• Relay Entity has different rules for forwarding frames to ports depending on type
• Controlled port authorised at first association?
Slide 15 Mike Moreton, STMicroelectronics November 2004 doc.: IEEE 802.11-04/1191r5 11i with broadcast, single MAC DS Frame Routing Frame Routing Frame Routing Frame Routing Port for STA 1 Port for STA 2 Port for STA 3 Broadcast Port 802.11 MAC Relay Entity 802.11 MAC Submission • Reality is more like this. • The different “ports” share a MAC • One MAC can handle multiple ports as port is identified by MAC address. Slide 16 Mike Moreton, STMicroelectronics November 2004 doc.: IEEE 802.11-04/1191r5 11i with broadcast plus WDS DS Frame Routing Frame Routing Frame Routing Frame Routing Frame Routing Frame Routing Frame Routing Port for STA 1 Port for STA 2 Port for STA 3 Broadcast Port WDS Port 1 WDS Port 2 WDS Port 3 802.11 MAC Relay Entity 802.11 MAC Submission Slide 17 • WDS links are AP to AP links • Will probably have pairwise keys (TGs to define) • Relay treatment is like standard 802.1D Relay Mike Moreton, STMicroelectronics November 2004 doc.: IEEE 802.11-04/1191r5 802.11i Relay Entity Port Types • Unicast – Address comes from association, not learnt – No flooding of unknown frames – No forwarding of broadcast frames • Broadcast – No forwarding of any unicast frames (known or unknown) – Forward copy of each broadcast frame • WDS – – – – Submission Learn addresses at remote end Flood unknown frames Forward copy of each broadcast frame Run STP Slide 18 Mike Moreton, STMicroelectronics November 2004 doc.: IEEE 802.11-04/1191r5 Question • Should 802.11 define it’s own (enhanced) Relay Entity, or should the standard 802.1D Relay Entity be enhanced to support 802.11i? Submission Slide 19 Mike Moreton, STMicroelectronics