Network Working Group P. Calhoun, Editor Internet-Draft Cisco Systems, Inc. Expires: November 6, 2006 M. Montemurro, Editor Chantry Networks D. Stanley, Editor Aruba Networks May 5, 2006 CAPWAP Protocol Specification draft-ietf-capwap-protocol-specification-01 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on November 6, 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract Wireless LAN product architectures have evolved from single autonomous access points to systems consisting of a centralized controller and Wireless Termination Points (WTPs). The general goal of centralized control architectures is to move access control, including user authentication and authorization, mobility management Calhoun, Editor, et al. Expires November 6, 2006 [Page 1] Internet-Draft CAPWAP Protocol Specification May 2006 and radio management from the single access point to a centralized controller. This specification defines the Control And Provisioning of Wireless Access Points (CAPWAP) Protocol. The CAPWAP protocol meets the IETF CAPWAP working group protocol requirements. The CAPWAP protocol is designed to be flexible, allowing it to be used for a variety of wireless technologies. This document describes the base CAPWAP protocol, including an extension which supports the IEEE 802.11 wireless LAN protocol. Future extensions will enable support of additional wireless technologies. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 7 1.1. Goals . . . . . . . . . . . . . . . . . . . . . . . . . 7 1.2. Conventions used in this document . . . . . . . . . . . 8 1.3. Contributing Authors . . . . . . . . . . . . . . . . . . 8 1.4. Acknowledgements . . . . . . . . . . . . . . . . . . . . 10 2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 11 2.1. Wireless Binding Definition . . . . . . . . . . . . . . 12 2.2. CAPWAP Session Establishment Overview . . . . . . . . . 12 2.3. CAPWAP State Machine Definition . . . . . . . . . . . . 14 2.3.1. CAPWAP Protocol State Transitions . . . . . . . . . 15 2.3.2. CAPWAP to DTLS Commands . . . . . . . . . . . . . . 22 2.3.3. DTLS to CAPWAP Notifications . . . . . . . . . . . 23 2.3.4. DTLS State Transitions . . . . . . . . . . . . . . 23 2.4. Use of DTLS in the CAPWAP Protocol . . . . . . . . . . . 26 2.4.1. DTLS Handshake Processing . . . . . . . . . . . . . 27 2.4.2. DTLS Error Handling . . . . . . . . . . . . . . . . 28 2.4.3. DTLS Rehandshake Behavior . . . . . . . . . . . . . 29 2.4.4. DTLS EndPoint Authentication . . . . . . . . . . . 32 3. CAPWAP Transport . . . . . . . . . . . . . . . . . . . . . . 35 3.1. UDP Transport . . . . . . . . . . . . . . . . . . . . . 35 3.2. AC Discovery . . . . . . . . . . . . . . . . . . . . . . 35 3.3. Fragmentation/Reassembly . . . . . . . . . . . . . . . . 36 4. CAPWAP Packet Formats . . . . . . . . . . . . . . . . . . . . 37 4.1. CAPWAP Transport Header . . . . . . . . . . . . . . . . 38 4.2. CAPWAP Data Messages . . . . . . . . . . . . . . . . . . 40 4.3. CAPWAP Control Messages . . . . . . . . . . . . . . . . 41 4.3.1. Control Message Format . . . . . . . . . . . . . . 41 4.3.2. Control Message Quality of Service . . . . . . . . 44 4.4. CAPWAP Protocol Message Elements . . . . . . . . . . . . 44 4.4.1. AC Descriptor . . . . . . . . . . . . . . . . . . . 45 4.4.2. AC IPv4 List . . . . . . . . . . . . . . . . . . . 46 4.4.3. AC IPv6 List . . . . . . . . . . . . . . . . . . . 46 4.4.4. AC Name . . . . . . . . . . . . . . . . . . . . . . 47 Calhoun, Editor, et al. Expires November 6, 2006 [Page 2] Internet-Draft CAPWAP Protocol Specification May 2006 4.4.5. AC Name with Index . . . . . . . . . . . . . . . . 47 4.4.6. AC Timestamp . . . . . . . . . . . . . . . . . . . 48 4.4.7. Add MAC ACL Entry . . . . . . . . . . . . . . . . . 48 4.4.8. Add Mobile Station . . . . . . . . . . . . . . . . 49 4.4.9. Add Static MAC ACL Entry . . . . . . . . . . . . . 49 4.4.10. CAPWAP Timers . . . . . . . . . . . . . . . . . . . 50 4.4.11. Change State Event . . . . . . . . . . . . . . . . 50 4.4.12. Data Transfer Data . . . . . . . . . . . . . . . . 51 4.4.13. Data Transfer Mode . . . . . . . . . . . . . . . . 52 4.4.14. Decryption Error Report . . . . . . . . . . . . . . 52 4.4.15. Decryption Error Report Period . . . . . . . . . . 53 4.4.16. Delete MAC ACL Entry . . . . . . . . . . . . . . . 53 4.4.17. Delete Mobile Station . . . . . . . . . . . . . . . 54 4.4.18. Delete Static MAC ACL Entry . . . . . . . . . . . . 54 4.4.19. Discovery Type . . . . . . . . . . . . . . . . . . 55 4.4.20. Duplicate IPv4 Address . . . . . . . . . . . . . . 55 4.4.21. Duplicate IPv6 Address . . . . . . . . . . . . . . 56 4.4.22. Idle Timeout . . . . . . . . . . . . . . . . . . . 56 4.4.23. Image Data . . . . . . . . . . . . . . . . . . . . 57 4.4.24. Image Filename . . . . . . . . . . . . . . . . . . 57 4.4.25. Initiate Download . . . . . . . . . . . . . . . . . 58 4.4.26. Location Data . . . . . . . . . . . . . . . . . . . 58 4.4.27. MTU Discovery Padding . . . . . . . . . . . . . . . 59 4.4.28. Radio Administrative State . . . . . . . . . . . . 59 4.4.29. Result Code . . . . . . . . . . . . . . . . . . . . 60 4.4.30. Session ID . . . . . . . . . . . . . . . . . . . . 60 4.4.31. Statistics Timer . . . . . . . . . . . . . . . . . 61 4.4.32. Vendor Specific Payload . . . . . . . . . . . . . . 61 4.4.33. WTP Board Data . . . . . . . . . . . . . . . . . . 62 4.4.34. WTP Descriptor . . . . . . . . . . . . . . . . . . 63 4.4.35. WTP Fallback . . . . . . . . . . . . . . . . . . . 64 4.4.36. WTP Frame Encapsulation Type . . . . . . . . . . . 65 4.4.37. WTP IPv4 IP Address . . . . . . . . . . . . . . . . 66 4.4.38. WTP MAC Type . . . . . . . . . . . . . . . . . . . 66 4.4.39. WTP Radio Information . . . . . . . . . . . . . . . 67 4.4.40. WTP Manager Control IPv4 Address . . . . . . . . . 67 4.4.41. WTP Manager Control IPv6 Address . . . . . . . . . 68 4.4.42. WTP Name . . . . . . . . . . . . . . . . . . . . . 69 4.4.43. WTP Reboot Statistics . . . . . . . . . . . . . . . 69 4.4.44. WTP Static IP Address Information . . . . . . . . . 70 4.5. CAPWAP Protocol Timers . . . . . . . . . . . . . . . . . 71 4.5.1. DiscoveryInterval . . . . . . . . . . . . . . . . . 71 4.5.2. DTLSRehandshake . . . . . . . . . . . . . . . . . . 71 4.5.3. DTLSSessionDelete . . . . . . . . . . . . . . . . . 71 4.5.4. EchoInterval . . . . . . . . . . . . . . . . . . . 71 4.5.5. KeyLifetime . . . . . . . . . . . . . . . . . . . . 71 4.5.6. MaxDiscoveryInterval . . . . . . . . . . . . . . . 72 4.5.7. NeighborDeadInterval . . . . . . . . . . . . . . . 72 Calhoun, Editor, et al. Expires November 6, 2006 [Page 3] Internet-Draft CAPWAP Protocol Specification May 2006 4.5.8. ResponseTimeout . . . . . . . . . . . . . . . . . . 72 4.5.9. RetransmitInterval . . . . . . . . . . . . . . . . 72 4.5.10. SilentInterval . . . . . . . . . . . . . . . . . . 72 4.5.11. WaitJoin . . . . . . . . . . . . . . . . . . . . . 72 4.6. CAPWAP Protocol Variables . . . . . . . . . . . . . . . 73 4.6.1. DiscoveryCount . . . . . . . . . . . . . . . . . . 73 4.6.2. MaxDiscoveries . . . . . . . . . . . . . . . . . . 73 4.6.3. MaxRetransmit . . . . . . . . . . . . . . . . . . . 73 4.6.4. RetransmitCount . . . . . . . . . . . . . . . . . . 73 5. CAPWAP Discovery Operations . . . . . . . . . . . . . . . . . 74 5.1. Discovery Request Message . . . . . . . . . . . . . . . 74 5.2. Discovery Response Message . . . . . . . . . . . . . . . 75 5.3. Primary Discovery Request Message . . . . . . . . . . . 75 5.4. Primary Discovery Response . . . . . . . . . . . . . . . 76 6. CAPWAP Join Operations . . . . . . . . . . . . . . . . . . . 77 6.1. Join Request . . . . . . . . . . . . . . . . . . . . . . 77 6.2. Join Response . . . . . . . . . . . . . . . . . . . . . 78 7. Control Channel Management . . . . . . . . . . . . . . . . . 79 7.1. Echo Request . . . . . . . . . . . . . . . . . . . . . . 79 7.2. Echo Response . . . . . . . . . . . . . . . . . . . . . 79 8. WTP Configuration Management . . . . . . . . . . . . . . . . 80 8.1. Configuration Consistency . . . . . . . . . . . . . . . 80 8.1.1. Configuration Flexibility . . . . . . . . . . . . . 81 8.2. Configuration Status . . . . . . . . . . . . . . . . . . 81 8.3. Configuration Status Response . . . . . . . . . . . . . 82 8.4. Configuration Update Request . . . . . . . . . . . . . . 82 8.5. Configuration Update Response . . . . . . . . . . . . . 83 8.6. Change State Event Request . . . . . . . . . . . . . . . 84 8.7. Change State Event Response . . . . . . . . . . . . . . 84 8.8. Clear Config Indication . . . . . . . . . . . . . . . . 85 9. Device Management Operations . . . . . . . . . . . . . . . . 86 9.1. Image Data Request . . . . . . . . . . . . . . . . . . . 86 9.2. Image Data Response . . . . . . . . . . . . . . . . . . 87 9.3. Reset Request . . . . . . . . . . . . . . . . . . . . . 87 9.4. Reset Response . . . . . . . . . . . . . . . . . . . . . 87 9.5. WTP Event Request . . . . . . . . . . . . . . . . . . . 87 9.6. WTP Event Response . . . . . . . . . . . . . . . . . . . 88 9.7. Data Transfer Request . . . . . . . . . . . . . . . . . 88 9.8. Data Transfer Response . . . . . . . . . . . . . . . . . 88 10. Mobile Session Management . . . . . . . . . . . . . . . . . . 90 10.1. Mobile Config Request . . . . . . . . . . . . . . . . . 90 10.2. Mobile Config Response . . . . . . . . . . . . . . . . . 90 11. IEEE 802.11 Binding . . . . . . . . . . . . . . . . . . . . . 91 11.1. Split MAC and Local MAC Functionality . . . . . . . . . 91 11.1.1. Split MAC . . . . . . . . . . . . . . . . . . . . . 91 11.1.2. Local MAC . . . . . . . . . . . . . . . . . . . . . 93 11.2. Roaming Behavior . . . . . . . . . . . . . . . . . . . . 96 11.3. Group Key Refresh . . . . . . . . . . . . . . . . . . . 97 Calhoun, Editor, et al. Expires November 6, 2006 [Page 4] Internet-Draft CAPWAP Protocol Specification May 2006 11.4. Transport specific bindings . . . . . . . . . . . . . . 97 11.5. BSSID to WLAN ID Mapping . . . . . . . . . . . . . . . . 99 11.6. Quality of Service for Control Messages . . . . . . . . 99 11.7. IEEE 802.11 Specific CAPWAP Control Messages . . . . . . 100 11.7.1. IEEE 802.11 WLAN Config Request . . . . . . . . . . 100 11.7.2. IEEE 802.11 WLAN Config Response . . . . . . . . . 101 11.8. Data Message bindings . . . . . . . . . . . . . . . . . 101 11.9. Control Message bindings . . . . . . . . . . . . . . . . 101 11.9.1. Mobile Config Request . . . . . . . . . . . . . . . 101 11.9.2. WTP Event Request . . . . . . . . . . . . . . . . . 101 11.9.3. Configuration Messages . . . . . . . . . . . . . . 102 11.10. IEEE 802.11 Message Element Definitions . . . . . . . . 102 11.10.1. IEEE 802.11 Add WLAN . . . . . . . . . . . . . . . 102 11.10.2. IEEE 802.11 Antenna . . . . . . . . . . . . . . . . 106 11.10.3. IEEE 802.11 Assigned WTP BSSID . . . . . . . . . . 107 11.10.4. IEEE 802.11 Broadcast Probe Mode . . . . . . . . . 108 11.10.5. IEEE 802.11 Delete WLAN . . . . . . . . . . . . . . 108 11.10.6. IEEE 802.11 Direct Sequence Control . . . . . . . . 109 11.10.7. IEEE 802.11 Information Element . . . . . . . . . . 110 11.10.8. IEEE 802.11 MAC Operation . . . . . . . . . . . . . 110 11.10.9. IEEE 802.11 MIC Countermeasures . . . . . . . . . . 112 11.10.10. IEEE 802.11 MIC Error Report From Mobile . . . . . 112 11.10.11. IEEE 802.11 Mobile . . . . . . . . . . . . . . . . 113 11.10.12. IEEE 802.11 Mobile Session Key . . . . . . . . . . 114 11.10.13. IEEE 802.11 Multi-domain Capability . . . . . . . . 116 11.10.14. IEEE 802.11 OFDM Control . . . . . . . . . . . . . 117 11.10.15. IEEE 802.11 Rate Set . . . . . . . . . . . . . . . 118 11.10.16. IEEE 802.11 Statistics . . . . . . . . . . . . . . 118 11.10.17. IEEE 802.11 Supported Rates . . . . . . . . . . . . 120 11.10.18. IEEE 802.11 Tx Power . . . . . . . . . . . . . . . 121 11.10.19. IEEE 802.11 Tx Power Level . . . . . . . . . . . . 121 11.10.20. IEEE 802.11 Update Mobile QoS . . . . . . . . . . . 122 11.10.21. IEEE 802.11 Update WLAN . . . . . . . . . . . . . . 122 11.10.22. IEEE 802.11 WTP Quality of Service . . . . . . . . 125 11.10.23. IEEE 802.11 WTP Radio Fail Alarm Indication . . . . 126 11.10.24. IEEE 802.11 WTP Radio Configuration . . . . . . . . 127 11.10.25. Station QoS Profile . . . . . . . . . . . . . . . . 128 11.11. Technology Specific Message Element Values . . . . . . . 129 12. NAT Considerations . . . . . . . . . . . . . . . . . . . . . 130 13. Security Considerations . . . . . . . . . . . . . . . . . . . 132 13.1. CAPWAP Security . . . . . . . . . . . . . . . . . . . . 132 13.1.1. Converting Protected Data into Unprotected Data . . 133 13.1.2. Converting Unprotected Data into Protected Data (Insertion) . . . . . . . . . . . . . . . . . . . . 133 13.1.3. Deletion of Protected Records . . . . . . . . . . . 133 13.1.4. Insertion of Unprotected Records . . . . . . . . . 133 13.2. Use of Preshared Keys in CAPWAP . . . . . . . . . . . . 133 13.3. Use of Certificates in CAPWAP . . . . . . . . . . . . . 134 Calhoun, Editor, et al. Expires November 6, 2006 [Page 5] Internet-Draft CAPWAP Protocol Specification May 2006 13.4. AAA Security . . . . . . . . . . . . . . . . . . . . . . 134 13.5. IEEE 802.11 Security . . . . . . . . . . . . . . . . . . 135 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 136 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 137 15.1. Normative References . . . . . . . . . . . . . . . . . . 137 15.2. Informational References . . . . . . . . . . . . . . . . 138 Editors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 140 Intellectual Property and Copyright Statements . . . . . . . . . 141 Calhoun, Editor, et al. Expires November 6, 2006 [Page 6] Internet-Draft CAPWAP Protocol Specification May 2006 1. Introduction The emergence of centralized architectures, in which simple IEEE 802.11 WTPs are managed by an Access Controller (AC) suggests that a standards based, interoperable protocol could radically simplify the deployment and management of wireless networks. WTPs require a set of dynamic management and control functions related to their primary task of connecting the wireless and wired mediums. Traditional protocols for managing WTPs are either manual static configuration via HTTP, proprietary Layer 2 specific or non-existent (if the WTPs are self-contained). This document describes the CAPWAP Protocol, a standard, interoperable protocol which enables an AC to manage a collection of WTPs. While the protocol is defined to be independent of layer 2 technology, an IEEE 802.11 binding is provided to support IEEE 802.11 wireless LAN networks. CAPWAP assumes a network configuration consisting of multiple WTPs communicating via the Internet Protocol (IP) to an AC. WTPs are viewed as remote RF interfaces controlled by the AC. The AC forwards all L2 frames to be transmitted by a WTP to that WTP via the CAPWAP protocol. L2 frames from mobile nodes (STAs) are forwarded by the WTP to the AC using the CAPWAP protocol. Both Split-MAC and Local MAC arhcitectures are supported. Figure 1 illustrates this arrangement as applied to an IEEE 802.11 binding. +-+ 802.11 frames +-+ | |--------------------------------| | | | +-+ | | | |--------------| |---------------| | | | 802.11 PHY/ | | CAPWAP | | | | MAC sublayer | | | | +-+ +-+ +-+ STA WTP AC Figure 1: Representative CAPWAP Architecture for Split MAC Provisioning WTPs with security credentials, and managing which WTPs are authorized to provide service are traditionally handled by proprietary solutions. Allowing these functions to be performed from a centralized AC in an interoperable fashion increases manageability and allows network operators to more tightly control their wireless network infrastructure. 1.1. Goals The goals for the CAPWAP protocol are listed below: Calhoun, Editor, et al. Expires November 6, 2006 [Page 7] Internet-Draft CAPWAP Protocol Specification May 2006 1. To centralize the bridging, forwarding, authentication and policy enforcement functions for a wireless network. Optionally, the AC may also provide centralized encryption of user traffic. Centralization of these functions will enable reduced cost and higher efficiency by applying the capabilities of network processing silicon to the wireless network, as in wired LANs. 2. To enable shifting of the higher level protocol processing from the WTP. This leaves the time critical applications of wireless control and access in the WTP, making efficient use of the computing power available in WTPs which are the subject to severe cost pressure. 3. To provide a generic encapsulation and transport mechanism, enabling the CAPWAP protocol to be applied to other access point types in the future, via a specific wireless binding. The CAPWAP protocol concerns itself solely with the interface between the WTP and the AC. Inter-AC, or mobile node (STA) to AC communication is strictly outside the scope of this document. 1.2. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1]. 1.3. Contributing Authors This section lists and acknowledges the authors of significant text and concepts included in this specification. [Note: This section needs work to accurately reflect the contribution of each author and this work will be done in revision 01 of this document.] The CAPWAP Working Group selected the Lightweight Access Point Protocol (LWAPP) [add reference, when available]to be used as the basis of the CAPWAP protocol specification. The following people are authors of the LWAPP document: Calhoun, Editor, et al. Expires November 6, 2006 [Page 8] Internet-Draft CAPWAP Protocol Specification May 2006 Bob O'Hara, Cisco Systems, Inc.,170 West Tasman Drive, San Jose, CA 95134 Phone: +1 408-853-5513, Email: bob.ohara@cisco.com Pat Calhoun, Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134 Phone: +1 408-853-5269, Email: pcalhoun@cisco.com Rohit Suri, Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134 Phone: +1 408-853-5548, Email: rsuri@cisco.com Nancy Cam Winget, Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134 Phone: +1 408-853-0532, Email: ncamwing@cisco.com Scott Kelly, Aruba Networks, 1322 Crossman Ave, Sunnyvale, CA 94089 Phone: +1 408-754-8408, Email: skelly@arubanetworks.com Michael Glenn Williams, Nokia, Inc., 313 Fairchild Drive, Mountain View, CA 94043 Phone: +1 650-714-7758, Email: Michael.G.Williams@Nokia.com Sue Hares, Nexthop Technologies, Inc., 825 Victors Way, Suite 100, Ann Arbor, MI 48108 Phone: +1 734 222 1610, Email: shares@nexthop.com DTLS is used as the security solution for the CAPWAP protocol. The following people are authors of significant DTLS-related text included in this document: Scott Kelly, Aruba Networks, 1322 Crossman Ave, Sunnyvale, CA 94089 Phone: +1 408-754-8408, Email: skelly@arubanetworks.com Eric Rescorla, Network Resonance, 2483 El Camino Real, #212,Palo Alto CA, 94303 Email: ekr@networkresonance.com The concept of using DTLS to secure the CAPWAP protocol was part of the Secure Light Access Point Protocol (SLAPP) proposal [add reference when available]. The following people are authors of the SLAPP proposal: Partha Narasimhan, Aruba Networks, 1322 Crossman Ave, Sunnyvale, CA 94089 Phone: +1 408-480-4716, Email: partha@arubanetworks.com Dan Harkins, Tropos Networks, 555 Del Rey Avenue, Sunnyvale, CA, 95085 Phone: +1 408 470 7372, Email: dharkins@tropos.com Subbu Ponnuswamy, Aruba Networks, 1322 Crossman Ave, Sunnyvale, CA 94089 Phone: +1 408-754-1213, Email: subbu@arubanetworks.com Calhoun, Editor, et al. Expires November 6, 2006 [Page 9] Internet-Draft CAPWAP Protocol Specification May 2006 1.4. Acknowledgements The authors thank Michael Vakulenko for contributing text that describes how CAPWAP can be used over a layer 3 (IP/UDP) network. The authors thank Russ Housley and Charles Clancy for their assistance in provide a security review of the LWAPP specification. Charles' review can be found at [16]. Calhoun, Editor, et al. Expires November 6, 2006 [Page 10] Internet-Draft CAPWAP Protocol Specification May 2006 2. Protocol Overview The CAPWAP protocol is a generic protocol defining AC and WTP control and data plane communication via a CAPWAP protocol transport mechanism. CAPWAP control messages, and optionally CAPWAP data messages, are secured using Datagram Transport Layer Security (DTLS) [14]. DTLS is a standards-track IETF protocol based upon TLS. The underlying security-related protocol mechanisms of TLS have been successfully deployed for many years. The CAPWAP protocol Transport layer carries two types of payload, CAPWAP Data messages and CAPWAP Control messages. CAPWAP Data messages are forwarded wireless frames. CAPWAP protocol Control messages are management messages exchanged between a WTP and an AC. The CAPWAP Data and Control packets are sent over separate UDP ports. Since both data and control frames can exceed the PMTU, the payload of a CAPWAP data or control message can be fragmented. The fragmentation behavior is defined in Section 3. The CAPWAP Protocol begins with a discovery phase. The WTPs send a Discovery Request message, causing any Access Controller (AC) receiving the message to respond with a Discovery Response message. From the Discovery Response messages received, a WTP will select an AC with which to establish a secure DTLS session. CAPWAP protocol messages will be fragmented to the maximum length discovered to be supported by the network. Once the WTP and the AC have completed DTLS session establishment, a configuration exchange occurs in which both devices to agree on version information. During this exchange the WTP may receive provisioning settings. For the IEEE 802.11 binding, this information typically includes a name (IEEE 802.11 Service Set Identifier, SSID) security parameters, the data rates to be advertised and the associated radio channel(s) to be used. The WTP is then enabled for operation. When the WTP and AC have completed the version and provision exchange and the WTP is enabled, the CAPWAP protocol is used to encapsulate the wireless data frames sent between the WTP and AC. The CAPWAP protocol will fragment the L2 frames if the size of the encapsulated wireless user data (Data) or protocol control (Management) frames causes the resulting CAPWAP protocol packet to exceed the MTU supported between the WTP and AC. Fragmented CAPWAP packets are reassembled to reconstitute the original encapsulated payload. The CAPWAP protocol provides for the delivery of commands from the AC to the WTP for the management of mobile units (STAs) that are communicating with the WTP. This may include the creation of local Calhoun, Editor, et al. Expires November 6, 2006 [Page 11] Internet-Draft CAPWAP Protocol Specification May 2006 data structures in the WTP for the mobile units and the collection of statistical information about the communication between the WTP and the mobile units. The CAPWAP protocol provides a mechanism for the AC to obtain statistical information collected by the WTP. The CAPWAP protocol provides for a keep alive feature that preserves the communication channel between the WTP and AC. If the AC fails to appear alive, the WTP will try to discover a new AC. This Document uses terminology defined in [5]. 2.1. Wireless Binding Definition The CAPWAP protocol is independent of a specific WTP radio technology. Elements of the CAPWAP protocol are designed to accommodate the specific needs of each wireless technology in a standard way. Implementation of the CAPWAP protocol for a particular wireless technology must follow the binding requirements defined for that technology. This specification includes a binding for the IEEE 802.11 standard(see Section 11). When defining a binding for other wireless technologies, the authors MUST include any necessary definitions for technology-specific messages and all technology-specific message elements for those messages. At a minimum, a binding MUST provide the definition for a binding-specific Statistics message element, carried in the WTP Event Request message, and a Mobile message element, carried in the Mobile Configure Request. If technology specific message elements are required for any of the existing CAPWAP messages defined in this specification, they MUST also be defined in the technology binding document. The naming of binding-specific message elements MUST begin with the name of the technology type, e.g., the binding for IEEE 802.11, provided in this specification, begins with "IEEE 802.11"." 2.2. CAPWAP Session Establishment Overview This section describes the session establishment process message exchanges in the ideal case. The annotated ladder diagram shows the AC on the right, the WTP on the left, and assumes the use of certificates for DTLS authentication. The CAPWAP Protocol State Machine is described in detail in Section 2.3. ============ ============ WTP AC ============ ============ [----------- begin optional discovery ------------] Calhoun, Editor, et al. Expires November 6, 2006 [Page 12] Internet-Draft CAPWAP Protocol Specification May 2006 Discover Request ------> <------ Discover Response [----------- end optional discovery ------------] (--- begin dtls handshake ---) ClientHello ------> <------ HelloVerifyRequest (with cookie) ClientHello ------> (with cookie) <------ ServerHello <------ Certificate <------ ServerHelloDone (WTP callout for AC authorization) Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished ------> (AC callout for WTP authorization) [ChangeCipherSpec] <------ Finished (--- DTLS session is established now ---) Join Request ------> <------ Join Response ( ---assume image is up to date ---) Configure Request -------> <------ Configure Response (--- enter RUN state ---) : : Echo Request -------> <------ Echo Response Calhoun, Editor, et al. Expires November 6, 2006 [Page 13] Internet-Draft CAPWAP Protocol Specification May 2006 : : EventRequest -------> <------ Event Response : : At the end of the illustrated CAPWAP message exchange, the AC and WTP are securely exchanging CAPWAP control messages. This is an idealized illustration, provided to clarify protocol operation. Section 2.3 provides a detailed description of the corresponding state machine. 2.3. CAPWAP State Machine Definition The following state diagram represents the lifecycle of a WTP-AC session. Use of DTLS by the CAPWAP protocol results in the juxtaposition of two nominally separate yet tightly bound state machines. The DTLS and CAPWAP state machines are coupled through an API consisting of commands (from CAPWAP to DTLS) and notifications (from (DTLS to CAPWAP). Certain transitions in the DTLS state machine are triggered by commands from the CAPWAP state machine, while certain transitions in the CAPWAP state machine are triggered by notifications from the DTLS state machine. This section defines the CAPWAP Integrated State Machine. In the figure below, single lines (denoted with '-' and '|') are used to illustrate state transitions. Double lines (denoted with '=' and '"') are used to illustrate commands and notifications between DTLS and CAPWAP. A line composed of '~' characters is used to delineate the boundary between nominal CAPWAP and DTLS state machine components. Calhoun, Editor, et al. Expires November 6, 2006 [Page 14] Internet-Draft CAPWAP Protocol Specification May 2006 /-------------<----------------+--------------------\ v |d | +------+ b+-----------+ +----------+ | | Idle |-->| Discovery |--->| Sulking | | +------+ a +-----------+ c +----------+ | ^ |aa ^ |e /----------------------\ | | V f| v k| | | h +--------------+ +------------+ i +------------+j | | /--| Join |->| Configure |-->| Image Data | | | | +--------------+ g+------------+ +------------+ | | | "c1, ^ ^ ^ m| ^ |l | | | "c4 " " " | /-------/ | /----/ | | " " " " V |s v V | | " " " " +------------+ o+------------+ | | " " " " | Run |->| Reset |-------/ | " " " " n+------------+ +------------+ p | " " " " "c2 ^ ^ c3" ^ \---"-----"--"---"--------"----"-------/ " " CAPWAP ~~~~~~~"~~~~~"~~"~~~"~~~~~~~~"~~~~"~~~~~~~~~~~~"~~~"~~~~~~~~~~~~ " " " " " " " " DTLS v " "n2 \"""""\ " " v "n6,n7 /-->+------+ " W+------+ " " " +------------+ | /-| Idle | " C| Auth |--"~-"----"----->| Shutdown |-------\P | | +------+ " +------+V " " " /--->| |<----\ | | |X Z| " ^ U| " " n4 " | +------------+ | | | | | " | | " " n5," | ^ | | | | v "n1 |Y | n3" v n8" |R |Q | | | | +--------+ | +------------+ S+------------+ | | | | | Init | \->| Run |<--| Rekey | | | | | +--------+ | |-->| | | | | | +------------+T +------------+ | | | \---------------------------------------------------------/ | \-------------------------------------------------------------/ Figure 2: CAPWAP Integrated State Machine The CAPWAP protocol state machine, depicted above, is used by both the AC and the WTP. In cases where states are not shared (i.e. not implemented in one or the other of the AC or WTP), this is explicitly called out in the transition descriptions below. For every state defined, only certain messages are permitted to be sent and received. The CAPWAP control messages definitions specify the state(s) in which each message is valid. 2.3.1. CAPWAP Protocol State Transitions The following text discusses the various state transitions, and the Calhoun, Editor, et al. Expires November 6, 2006 [Page 15] Internet-Draft CAPWAP Protocol Specification May 2006 events that cause them. This section does not discuss interactions between DTLS- and CAPWAP-specific states. Those interactions, as well as DTLS-specific states and transitions, are discussed in subsequent sections. Idle to Discovery (a): This transition occurs once device initialization is complete. WTP: The WTP enters the Discovery state prior to transmitting the first Discovery Request message (see Section 5.1). Upon entering this state, the WTP sets the DiscoveryInterval timer (see Section 4.5). The WTP resets the DiscoveryCount counter to zero (0) (see Section 4.6). The WTP also clears all information from ACs it may have received during a previous Discovery phase. AC: The AC does not maintain state information for the WTP upon reception of the Discovery Request message, but it SHOULD respond with a Discovery Response message (see Section 5.2). This transition is a no-op for the AC. Idle to Join (aa): This transition occurs when the WTP presents a DTLS ClientHello message containing a valid cookie to the AC. WTP: This transition is a no-op for the WTP. AC: The AC does not maintain state information until the WTP presents a DTLS ClientHello message containing a valid cookie. Upon receipt of a DTLS ClientHello message containing a valid cookie, the AC creates session state and transitions to the Join state. Discovery to Discovery (b): In the Discovery state, the WTP determines which AC to connect to. WTP: This transition occurs when the DiscoveryInterval timer expires. If the WTP is configured with a list of ACs, it transmits a Discovery Request message to every AC from which it has not received a Discovery Response message. For every transition to this event, the WTP increments the DiscoveryCount counter. See Section 5.1 for more information on how the WTP knows the ACs to which it should transmit the Discovery Request messages. The WTP restarts the DiscoveryInterval timer whenever it transmits Discovery Request messages. Calhoun, Editor, et al. Expires November 6, 2006 [Page 16] Internet-Draft CAPWAP Protocol Specification May 2006 AC: This is a no-op. Discovery to Sulking (c): This transition occurs on a WTP when Discovery or connectivity to the AC fails. WTP: The WTP enters this state when the DiscoveryInterval timer expires and the DiscoveryCount variable is equal to the MaxDiscoveries variable (see Section 4.6). Upon entering this state, the WTP shall start the SilentInterval timer. While in the Sulking state, all received CAPWAP protocol messages received shall be ignored. AC: This is a no-op. Sulking to Idle (d): This transition occurs on a WTP when it must restart the discovery phase. WTP: The WTP enters this state when the SilentInterval timer (see Section 4.5) expires. AC: This is a no-op. Discovery to Join (e): This transition occurs when the WTP sends a ClientHello message to the AC, confirming that it wishes to be provided services by the AC. WTP: The WTP selects the best AC based either on information it gathered during the Discovery Phase or on its configuration. It then sends a JoinRequest message to its preferred AC, sets the WaitJoin timer, and awaits the Join Response Message. AC: This is a no-op for the AC. Join to Discovery (f): This state transition is used to return the WTP to the Discovery state when an unresponsive AC is encountered. WTP: The WTP re-enters the Discovery state when the WaitJoin timer expires. AC: This is a no-op. Join to Configure (g): This state transition is used by the WTP and the AC to exchange configuration information. WTP: The WTP enters the Configure state when it successfully completes the Join operation. If it determines that its version number and the version number advertised by the AC are the same, the WTP transmits the Configuration Status message Calhoun, Editor, et al. Expires November 6, 2006 [Page 17] Internet-Draft CAPWAP Protocol Specification May 2006 (see Section 8.2) to the AC with a snapshot of its current configuration. The WTP also starts the ResponseTimeout timer (see ). (Section 4.5) If the version numbers are not the same, the WTP will immediately transition to Image Data state (see transition (i)). AC: This state transition occurs immediately after the AC transmits the Join Response message to the WTP. If the AC receives the Configuration Status message from the WTP, the AC must transmit a Configuration Status Response message(see Section 8.3) to the WTP, and may include specific message elements to override the WTP's configuration. If the AC instead receives the Image Data Request from the WTP, it immediately transitions to the Image Data state (see transition (i)). Join to Reset (h): This state transition occurs when the WaitJoin Timer expires. WTP: The state transition occurs when the WTP WaitJoin timer expires, or upon DTLS negotiation failure. AC: Thise state transition occurs when the AC WaitJoin timer expires, or or upon DTLS negotiation failure. Configure to Image Data (i): This state transition is used by the WTP and the AC to download executable firmware. WTP: The WTP enters the Image Data state when it successfully comletes DTLS session establishment, and determines that its version number and the version number advertised by the AC are different. The WTP transmits the Image Data Request (see Section 9.1) message requesting that a download of the AC's latest firmware be initiated. AC: This state transition occurs when the AC receives the Image Data Request message from the WTP. The AC must transmit an Image Data Response message (see Section 9.2) to the WTP, which includes a portion of the firmware. Image Data to Image Data (j): The Image Data state is used by WTP and the AC during the firmware download phase. WTP: The WTP enters the Image Data state when it receives an Image Data Response message indicating that the AC has more data to send. Calhoun, Editor, et al. Expires November 6, 2006 [Page 18] Internet-Draft CAPWAP Protocol Specification May 2006 AC: This state transition occurs when the AC receives the Image Data Request message from the WTP while already in the Image Data state, and it detects that the firmware download has not completed. Configure to Reset (k): This state transition is used to reset the connection to the AC prior to restarting the WTP with a new configuration. WTP: The WTP enters the Reset state when it determines that a reset of the WTP is required, due to the characteristics of a new configuration. AC: The AC transitions to the Reset state when it receives the DTLSPeerDisconnect (n7) notification. Image Data to Reset (l): This state transition is used to reset the DTLS connection prior to restarting the WTP after an image download. WTP: When an image download completes, the WTP enters the Reset state, and terminates the DTLS connection, sending a DTLSShutdown command to the DTLS state machine. AC: The AC enters the Reset state upon receipt of a DTLSIdle (n6) notification. Configure to Run (m): This state transition occurs when the WTP and AC enter their normal state of operation. WTP: The WTP enters this state when it receives a successful Configuration Status Response message from the AC. The WTP initializes the HeartBeat timer (see Section 4.5), and transmits the Change State Event Request message (see Section 8.6). AC: This state transition occurs when the AC receives the Change State Event Request message (see Section 8.6) from the WTP. The AC responds with a Change State Event Response (see Section 8.7) message. The AC must start the NeighborDeadInterval timer (see Section 4.5). Run to Run (n): This is the normal state of operation. WTP: This is the WTP's normal state of operation. There are many events that result this state transition: Calhoun, Editor, et al. Expires November 6, 2006 [Page 19] Internet-Draft CAPWAP Protocol Specification May 2006 Configuration Update: The WTP receives a Configuration Update Request message(see Section 8.4). The WTP MUST respond with a Configuration Update Response message (see Section 8.5). Change State Event: The WTP receives a Change State Event Response message, or determines that it must initiate a Change State Event Request message, as a result of a failure or change in the state of a radio. Echo Request: The WTP receives an Echo Request message (see Section 7.1), to which it MUST respond with an Echo Response message(see Section 7.2). Clear Config Indication: The WTP receives a Clear Config Indication message (see Section 8.8). The WTP MUST reset its configuration back to manufacturer defaults. WTP Event: The WTP generates a WTP Event Request message to send information to the AC (see Section 9.5). The WTP receives a WTP Event Response message from the AC (see Section 9.6). Data Transfer: The WTP generates a Data Transfer Request message to the AC (see Section 9.7). The WTP receives a Data Transfer Response message from the AC (see Section 9.8). WLAN Config Request: The WTP receives a WLAN Config Request message (see Section 11.7.1), to which it MUST respond with a WLAN Config Response message (see Section 11.7.2). Mobile Config Request: The WTP receives a Mobile Config Request message (see Section 10.1), to which it MUST respond with a Mobile Config Response message (see Section 10.2). AC: This is the AC's normal state of operation: Configuration Update: The AC sends a Configuration Update Request message (see Section 8.4) to the WTP to update its configuration. The AC receives a Configuration Update Response message (see Section 8.5) from the WTP. Change State Event: The AC receives a Change State Event Request message (see Section 8.6), to which it MUST respond with the Change State Event Response message (see Section 8.7). Calhoun, Editor, et al. Expires November 6, 2006 [Page 20] Internet-Draft CAPWAP Protocol Specification May 2006 Echo: The AC sends an Echo Request message Section 7.1 or receives the corresponding Echo Response message, see Section 7.2 from the WTP. Clear Config Indication: The AC sends a Clear Config Indication message (see Section 8.8). WLAN Config: The AC sends a WLAN Config Request message (see Section 11.7.1) or receives the corresponding WLAN Config Response message (see Section 11.7.2) from the WTP. Mobile Config: The AC sends a Mobile Config Request message (see Section 10.1) or receives the corresponding Mobile Config Response message (see Section 10.2) from the WTP. Data Transfer: The AC receives a Data Transfer Request message from the AC (see Section 9.7) and MUST generate a corresponding Data Transfer Response message (see Section 9.8). WTP Event: The AC receives a WTP Event Request message from the AC (see Section 9.5) and MUST generate a corresponding WTP Event Response message (see Section 9.6). Run to Reset(o): This state transition is used when the AC or WTP wish to tear down the connection. This may occur as part of normal operation, or due to error conditions. WTP: The WTP enters the Reset state when it initiates orderly termination of the DTLS connection, or when the underlying reliable transport is unable to transmit a message within the RetransmitInterval timer, see Section 4.5 The WTP also enters the Reset state upon receiving a DTLS session termination message (DTLS alert) from the AC. The WTP sends a DTLSReset command to the DTLS state machine. AC: The AC enters the Idle state when it initiates orderly termination of the DTLS connection, or when the underlying reliable transport is unable to transmit a message within the RetransmitInterval timer (see Section 4.5), and the maximum number of RetransmitCount counter has reached the MaxRetransmit variable (see Section 4.6). The AC also enters the Reset state upon receiving a DTLS session termination message from the WTP. Calhoun, Editor, et al. Expires November 6, 2006 [Page 21] Internet-Draft CAPWAP Protocol Specification May 2006 Reset to Idle (p): This state transition occurs when the state machine is restarted following a system restart, an unrecoverable error on the AC-WTP connection, or orderly session teardown. WTP: The WTP clears any state associated with any AC and enters the Idle state. AC: The AC clears any state associated with the WTP and enters the idle state. Run to Image Data (s): This state transition occurs when the AC transmits an Image Data Request to the WTP, with the Initiate Download message element. The means by which the AC decides to download firmware is undefined, but could occur through an administrative action. WTP: The WTP enters this state when it receives an an Image Data Request to the WTP, with the Initiate Download message element. The WTP responds by transmitting an Image Data Request with the Image Filename message element included.. AC: This state transition occurs when the AC decides that an WTP is to update its firmware by sending an Image Data Request to the WTP, with the Initiate Download message element. 2.3.2. CAPWAP to DTLS Commands Four commands are defined for the CAPWAP to DTLS API. These "commands" are conceptual, and may be implemented as one or more function calls. This API definition is provided to clarify interactions between the DTLS and CAPWAP components of the integrated CAPWAP state machine. Below is a list of the minimal command API: o c1: DTLSStart is sent to the DTLS module to cause a DTLS session to be established. o c2: DTLSRehandshake is sent to the DTLS module to cause initiation of a rehandshake (DTLS rekey). o c3: DTLSShutdown is sent to the DTLS module to cause session teardown. o c4: DTLSAbort is sent to the DTLS module to cause session teardown when the WaitJoin timer expires. Calhoun, Editor, et al. Expires November 6, 2006 [Page 22] Internet-Draft CAPWAP Protocol Specification May 2006 2.3.3. DTLS to CAPWAP Notifications Eight notifications are defined for the DTLS to CAPWAP API. These "notifications" are conceptual, and may be implemented in numerous ways (e.g. as function return values). This API definition is provided to clarify interactions between the DTLS and CAPWAP components of the integrated CAPWAP state machine. Below is a list of the API notifications: o n1: DTLSInitFailure is sent to the CAPWAP module to indicate an initialization failure, which may be due to out of memory or other internal error condition. o n2: DTLSAuthenticateFail or DTLSAuthorizeFail is sent to the CAPWAP module to indicate peer authentication or authorization failures, respectively. o n3: DTLSEstablished is sent to the CAPWAP module to indicate that that a secure channel now exists. o n4: DTLSEncapFailure may be sent to CAPWAP to indicate an encapsulation failure. DTLSDecapFailure may be sent to CAPWAP to indicate an encryption/authentication failure o n5: DTLSRehandshake is sent to the CAPWAP module to indicate DTLS rehandshake initiation by peer. o n6: DTLSIdle is sent to the CAPWAP module to indicate that session abort (as requested by CAPWAP) is complete; this occurs when the WaitJoin timer expires, or when CAPWAP is executing an orderly session shutdown. o n7: DTLSPeerDisconnect is sent to the CAPWAP module to indicate DTLS session teardown by peer. Note that the n7 notification, can be received while in the Join, Configure, Image Data, Run and Reset states, and always causes a transition to the Reset state. o n8: DTLSReassemblyFailure may be sent to the CAPWAP module to indicate DTLS fragment reassembly failure. 2.3.4. DTLS State Transitions This section describes the transitions in the DTLS-specific portion of the state machine. Calhoun, Editor, et al. Expires November 6, 2006 [Page 23] Internet-Draft CAPWAP Protocol Specification May 2006 Idle to Init (Z): This transition indicates the begining of a DTLS session. WTP: The state ransition is triggered by receipt of the DTLSStart command from the CAPWAP state machine, and causes the WTP to send a DTLS ClientHello to the AC. AC: The state transition is triggered by receipt of the DTLSStart command from the CAPWAP state machine. The AC starts the WaitJoin timer and awaits reception of a DTLS ClientHello message Init to Authenticate/Authorize (Y) This transition indicates that the DTLS handshake is in progress. WTP: The WTP executes this state transition upon receipt of a valid ServerHello. AC: The AC executes this transition upon receipt of a certificate payload (if configured for public key authentication) or upon receipt of the ClientKeyExchange payload if configured for preshared keys. Init to Idle(X) This state transition occurs upon timeout of the WaitJoin Timer. WTP: Upon receiving a DTLSAbort command from the CAPWAP state machine, the WTP DTLS state machine transitions to Idle state. AC: Upon receiving a DTLSAbort command from the CAPWAP state machine, the AC DTLS state machine transitions to Idle state. Authenticate/Authorize to Authenticate/Authorize (W) This state transition is a Loopback state, representing execution of the TLS handshake protocol, including authorization callbacks to the CAPWAP architecture. WTP: Upon receiving AC credential, attempt to execute associated validation, authentication, and authorization callbacks. Note that credentials may span protocol messages, in which case the WTP will remain in this state pending receipt of all credential payloads. AC: Upon receipt of the WTP credential, attempt to execute associated validation, authentication, and authorization callbacks. Note that credentials may span protocol messages, in which case the AC will remain in this state pending receipt of all credential payloads. Calhoun, Editor, et al. Expires November 6, 2006 [Page 24] Internet-Draft CAPWAP Protocol Specification May 2006 Authenticate/Authorize to Shutdown (V) This state transition indicates a failure of the DTLS handshake. WTP: Send a DTLSAuthenticateFail or DTLSAuthorizeFail to the CAPWAP state machine, depending on the exact cause of the error. May send a DTLS notification to the AC to indicate failure. AC: Send a DTLSAuthenticateFail or DTLSAuthorizeFail to the CAPWAP state machine, depending on the exact cause of the error. May send a DTLS Notification to the AC to indicate failure. Authenticate/Authorize to Run (U) This state transition occurs upon successful completion of the DTLS handshake. WTP: Send a DTLSEstablished notification to the CAPWAP state machine. AC: Send a DTLSEstablished notification to the CAPWAP state machine. Run to Rekey (T) This state transition occurs when a DTLS rehandshake is in progress; this is initiated when either (a) the DTLS state machine receives the DTLSRehandshake command from CAPWAP, or (b) a DTLS rehandshake message is received from the peer.. WTP: If CAPWAP issued a DTLSRehandshake command, initiate rehandshake with the peer; note that control traffic may continue to flow using existing secure association. If the rehandshake is initiated by the peer, send a DTLSRehandshake notification to CAPWAP. AC: If CAPWAP issued a DTLSRehandshake command, initiate rehandshake with the peer; note that control traffic may continue to flow using existing secure association. If the rehandshake is initiated by the peer, send a DTLSRehandshake notification to CAPWAP. Run to Shutdown (S) This state transition indicates a shutdown of the DTLS channel. WTP: This state transition occurs when the CAPWAP state machine sends a DTLSShutdown command, or when the the AC terminates the DTLS session. Calhoun, Editor, et al. Expires November 6, 2006 [Page 25] Internet-Draft CAPWAP Protocol Specification May 2006 AC: This state transition occurs when CAPWAP state machine sends a DTLSShutdown command, or when the WTP terminates the DTLS session. Rekey to Run (R) This state transition indicates the successful completion of a DTLS rehandshake. WTP: This state transition occurs when the WTP receives the DTLS Finished message from the AC, completing the DTLS re-handshake. AC: This state transition occurs when the AC sends a DTLS Finished message to the WTP, completing the DTLS re-handshake. Rekey to Shutdown (Q) This state transition indicates the failure of the DTLS rekey operation. WTP: This state transition occurs when there is a failure in the rehandshake negotiation with the AC. AC: This state transition occurs when there is a failure in the rehandshake negotiation with the WTP. Shutdown to Idle (P) This state transition occurs upon transmission of a DTLS Session termination message, or upon receipt of a DTLS session termination message. WTP: This state transition occurs after the WTP transmits the DTLS session termination message. If the WTP receives a DTLS session termination message, it sends the DTLSPeerDisconnect notification to CAPWAP and moves to the Idle state. AC: This state transition occurs after the AC transmits the DTLS session termination message. If the AC receives a DTLS session termination message, it sends the DTLSPeerDisconnect notification to CAPWAP and moves to the Idle state. 2.4. Use of DTLS in the CAPWAP Protocol DTLS is used as a tightly-integrated, secure wrapper for the CAPWAP protocol. In this document DTLS and CAPWAP are discussed as nominally distinct entitites; however they are very closely coupled, and may even be implemented inseparably. Since there are DTLS library implementations currently available, and since security protocols (e.g. IPsec, TLS) are often implemented in widely available acceleration hardware, it is both convenient and forward- looking to maintain a modular distinction in this document. This section describes a detailed walk-through of the interactions Calhoun, Editor, et al. Expires November 6, 2006 [Page 26] Internet-Draft CAPWAP Protocol Specification May 2006 between the DTLS module and the CAPWAP module, via 'commands' (CAPWAP to DTLS) and 'notifications' (DTLS to CAPWAP) as they would be encountered during the normal course of operation. 2.4.1. DTLS Handshake Processing Details of the DTLS handshake process are specified in [DTLS]. This section describes the interactions between the DTLS session establishment process and the CAPWAP protocol. In the normal case, the DTLS handshake will proceed as follows (NOTE: this example uses certificates, but preshared keys are also supported): ============ ============ WTP AC ============ ============ ClientHello ------> <------ HelloVerifyRequest (with cookie) ClientHello ------> (with cookie) <------ ServerHello <------ Certificate <------ ServerHelloDone (WTP callout for AC authorization) Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished ------> (AC callout for WTP authorization) [ChangeCipherSpec] <------ Finished DTLS, as specified, provides its own retransmit timers with an exponential back-off. However, it will never terminate the handshake due to non-responsiveness; rather, it will continue to increase its back-off timer period. Hence, timing out incomplete DTLS handshakes is entirely the responsiblity of the CAPWAP protocol. Calhoun, Editor, et al. Expires November 6, 2006 [Page 27] Internet-Draft CAPWAP Protocol Specification May 2006 2.4.1.1. Join Operations The WTP, either through the Discovery process, or through pre- configuration, determines the AC to connect to. The WTP uses DTLS to establish a secure connection to the selected AC. Prior to initiation of the DTLS handshake, the WTP sets the WaitJoin timer. Upon receipt of a ClientHello message containing a valid cookie, the AC sets the WaitJoin timer. If the Join operation has not completed prior to timer expiration, the Join process is aborted, the WTP transitions back to Discovery state, and the AC transitions back to Idle state. Upon successful completion of the Join process the WaitJoin timer is deactivated. 2.4.2. DTLS Error Handling If the AC does not respond to any DTLS messages sent by the WTP, the DTLS specification calls for the WTP to retransmit these messages. If the WaitJoin timer expires, CAPWAP will issue the DTLSAbort command, causing DTLS to terminate the handshake and remove any allocated session context. Note that DTLS MAY send a single TLS Alert message to the AC to indicate session termination. If the WTP does not respond to any DTLS messages sent by the AC, the CAPWAP protocol allows for three possiblities, listed below. Note that DTLS MAY send a single TLS Alert message to the AC to indicate session termination. o The message was lost in transit; in this case, the WTP will re- transmit its last outstanding message, since it did not receive the reply. o The WTP sent a DTLS Alert, which was lost in transit; in this case, the AC's WaitJoin timer will expire, and the session will be terminated. o Communication with the WTP has completely failed; in this case, the AC's WaitJoin timer will expire, and the session will be terminated. The DTLS specification provides for retransmission of unacknowledged requests. If retransmissions remain unacknowledged, the WaitJoin timer will eventually expire, at which time the CAPWAP module will terminate the session. If a cookie fails to validate, this could represent a WTP error, or it could represent a DoS attack. Hence, AC resource utilization SHOULD be minimized. The AC MAY log a message indicating the failure, but SHOULD NOT attempt to reply to the WTP. Calhoun, Editor, et al. Expires November 6, 2006 [Page 28] Internet-Draft CAPWAP Protocol Specification May 2006 Since DTLS handshake messages are potentially larger than the maximum record size, DTLS supports fragmenting of handshake messages across multiple records. There are several potential causes of re-assembly errors, including overlapping and/or lost fragments. The DTLS module MUST send a DTLSReassemblyFailure notification to CAPWAP. Whether precise information is given along with notification is an implementation issue, and hence is beyond the scope of this document. Upon receipt of such an error, the CAPWAP protocol implementation SHOULD log an appropriate error message. Whether processing continues or the DTLS session is terminated is implementation dependent. DTLS decapsulation errors consist of three types: decryption errors, and authentication errors, and malformed DTLS record headers. Since DTLS authenticates the data prior to encapsulation, if decryption fails, it is difficult to detect this without first attempting to authenticate the packet. If authentication fails, a decryption error is also likely, but not guaranteed. Rather than attempt to derive (and require the implementation of) algorithms for detecting decryption failures, these are reported as authentication failures. The DTLS module MUST provide a DTLSDecapFailure notification to CAPWAP when such errors occur. If a malformed DTLS record header is detected, the packets SHOULD be silently discarded, and the receiver MAY log an error message. There is currently only one encapsulation error defined: MTU exceeeded. As part of DTLS session establishment, CAPWAP informs DTLS of the MTU size. This may be dynamically modified at any time when CAPWAP sends the DTLSMtuUpdate command to DTLS. DTLS returns this notification to CAPWAP whenever a transmission request will result in a packet which exceeds the MTU. 2.4.3. DTLS Rehandshake Behavior DTLS rekeying (known in DTLS as "rehandshake") requires special attention, as the DTLS specification provides no rehandshake triggering mechanism. Rather, the application (in this case, CAPWAP) is expected to manage this for itself. This section addressed various aspects of rehandshake behavior. One simple way to think of a DTLS session is as a pair of unidirectional channels which are tightly bound together. A useful analogy is the twisted pair used for phone wiring, with one line per pair. Then, the rehandshake process can be thought of using the call over the existing pair to establish a call over a new pair - that is, an entirely new session is negotiated under the protection of the existing session. Calhoun, Editor, et al. Expires November 6, 2006 [Page 29] Internet-Draft CAPWAP Protocol Specification May 2006 This sounds simple enough, yet there is operational complexity in changing over to the new session. In particular, how does each end know when it is safe to delete the "old" session, and switch over to the new one? If DTLS were not a datagram protocol, this would be simpler, but the fact that message delivery is unreliable significantly complicates things: when the AC (the "server") transmits its Finished message, it cannot be sure that the WTP received it until the WTP transmits data on the new channel. This fact constrains the way in which we transition to the new session, and delete the old one. The WTP, upon receipt of the AC's Finished message for the new session, immediately makes the new session active, and transmits no further data (e.g. echo requests, statistics, etc) on the old channel, and sends a TLS "user_cancelled" alert message on the old channel, after which the old session is immediately deleted. The AC, sets a DTLSSessionDelete timer, (see Section 4.5) and immediately makes the new session active, and transmits no further data (e.g. echo requests, statistics, etc) on the old channel. If a TLS "user_cancelled" alert message is received on the old channel, the session delete timer is deactivated, and the session is deleted. if the dtls-session-delete timer expires, a TLS "user_cancelled" alert message is transmitted on the old channel, and the session is deleted. Note that there is a slight possibility that some packets may be in flight when the session is deleted. However, since CAPWAP provides reliable delivery, these packets will be retransmitted over the new channel. 2.4.3.1. Peer Initiated Rehandshake Triggers Since key lifetimes are not negotiable in DTLS, it is possible that a rehandshake from a peer may occur at any time, and implementations must be prepared for this eventuality. Presumably, communicating devices will be within the same domain of control. This being the case, overly-aggressive rekeying may be detected by simply monitoring logs, assuming such activity is indeed logged. Hence, implementations MUST log rekey attempts as they occur, reporting the time and identifying information for the peer. CAPWAP implementations MUST provide an administrative interface which permits specification of key lifetimes in seconds. Also, implementations which wait until this interval has expired to begin Calhoun, Editor, et al. Expires November 6, 2006 [Page 30] Internet-Draft CAPWAP Protocol Specification May 2006 the rehandshake process are liable to encounter temporary service lapses on heavily loaded networks, so implementations SHOULD begin the rehandshake before the actual lifetime has elapsed. Given the relatively low bandwidth we might reasonably expect over a CAPWAP control channel and the strength of modern cryptographic algorithms (e.g. AES-128, 3DES, etc), it is reasonable to assume that lifetimes will typically be more than 8 hours. Given this assumption, a good rule of thumb for deciding when to rekey is this: deduct a random number of seconds from the lifetime (say, between 1% and 5% of the lifetime), and begin the rehandshake process at that point. Using a random value helps avert collisions, when both sides initiate a rehandshake at the same time (discussed further below). 2.4.3.2. Time Based Rehandshake Triggers CAPWAP implementations MUST provide an administrative interface which permits specification of key lifetimes in seconds. Also, implementations which wait until this interval has expired to begin the rehandshake process are liable to encounter temporary service lapses on heavily loaded networks, so implementations SHOULD begin the rehandshake before the actual lifetime has elapsed. Given the relatively low bandwidth we might reasonably expect over a CAPWAP control channel and the strength of modern cryptographic algorithms (e.g. AES-128, 3DES, etc), it is reasonable to assume that key lifetimes will typically be more than 8 hours. Given this assumption, a good rule of thumb for deciding when to rekey is this: deduct a random number of seconds from the lifetime (say, between 1% and 5% of the lifetime), and begin the rehandshake process at that point. Using a random value helps avert collisions, when both sides initiate a rehandshake at the same time. 2.4.3.3. Volume Based Rehandshake Triggers CAPWAP implementations MUST provide an administrative interface which permits specification of key lifetimes in packet count. Like time- based, lifetimes, implementations which wait until this interval has expired to begin the rehandshake process may encounter temporary service lapses on heavily loaded networks, so implementations SHOULD begin the rehandshake before the actual lifetime has elapsed. Volume-based lifetime estimation for purposes of rehandshake initiation is considerably more complex than time-based lifetime. In addition to avoiding collisions, the maximum burst rate must be known, and an extimate made, assuming rehandshake packets are lost, etc. Hence, we do not specify a one-size-fits-all approach here, and the specific algorithm used is implementation dependent. Calhoun, Editor, et al. Expires November 6, 2006 [Page 31] Internet-Draft CAPWAP Protocol Specification May 2006 2.4.3.4. Rehandshake Collisions A collision occurs when both sides initiate a rehandshake simultaneously. No matter how much care is taken, rehandshake collisions are a distinct possibility. Hence, a contention resolution strategy is specified. A rehandshake collision is detected when a system receives a rehandshake initiation when it has one outstanding with the same peer. When this occurs, each side will compare its own address with that of its peer (in network byte order). The one with the lower of the two addresses will ignore the peer's rehandshake message, and continue with its own rehandshake process. The one with the higher message will immediately abort its current rehandshake, and set the DTLSRehandshake timer (see Section 4.5); if the peer with the lower address does not complete the rehandshake before the timer expires, the peer with the higher address will re- initiate. 2.4.4. DTLS EndPoint Authentication DTLS supports endpoint authentication with certificates or preshared keys. The TLS algorithm suites for each endpoint authentication method are described below. 2.4.4.1. Authenticating with Certificates Note that only block ciphers are currently recommended for use with DTLS. To understand the reasoning behind this, see [26]. However,support for AES counter mode encryption is currently progressing in the TLS working group, and once protocol identifiers are available, they will be added below. At present, the following algorithms MUST be supported when using certificates for CAPWAP authentication: o TLS_RSA_WITH_AES_128_CBC_SHA o TLS_RSA_WITH_3DES_EDE_CBC_SHA The following algorithms SHOULD be supported when using certificates: o TLS_DH_RSA_WITH_AES_128_CBC_SHA Calhoun, Editor, et al. Expires November 6, 2006 [Page 32] Internet-Draft CAPWAP Protocol Specification May 2006 o TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA The following algorithms MAY be supported when using certificates: o TLS_RSA_WITH_AES_256_CBC_SHA o TLS_DH_RSA_WITH_AES_256_CBC_SHA 2.4.4.2. Authenticating with Preshared Keys Pre-shared keys present significant challenges from a security perspective, and for that reason, their use is strongly discouraged. However, [13] defines 3 different methods for authenticating with preshared keys: o PSK key exchange algorithm - simplest method, ciphersuites use only symmetric key algorithms o DHE_PSK key exchange algorithm - use a PSK to authenticate a Diffie-Hellman exchange. These ciphersuites give some additional protection against dictionary attacks and also provide Perfect Forward Secrecy (PFS). o RSA_PSK key exchange algorithm - use RSA and certificates to authenticate the server, in addition to using a PSK. This is not susceptible to passive attacks. The first approach (plain PSK) is susceptible to passive dictionary attacks; hence, while this alorithm MAY be supported, special care should be taken when choosing that method. In particular, user- readable passphrases SHOULD NOT be used, and use of short PSKs should be strongly discouraged. Additionally, DHE_PSK MUST be supported, and RSA_PSK MAY be supported. The following cryptographic algorithms MUST be supported when using preshared keys: o TLS_DHE_PSK_WITH_AES_128_CBC_SHA o TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA The following algorithms SHOULD be supported when using preshared keys: o TLS_DHE_PSK_WITH_AES_256_CBC_SHA The following algorithms MAY be supported when using preshared keys: Calhoun, Editor, et al. Expires November 6, 2006 [Page 33] Internet-Draft CAPWAP Protocol Specification May 2006 o TLS_PSK_WITH_AES_128_CBC_SHA o TLS_PSK_WITH_AES_256_CBC_SHA o TLS_PSK_WITH_3DES_EDE_CBC_SHA o TLS_RSA_PSK_WITH_AES_128_CBC_SHA o TLS_RSA_PSK_WITH_AES_256_CBC_SHA o TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 2.4.4.3. Certificate Usage Validation of the certificates by the AC and WTP is required so that only an AC may perform the functions of an AC and that only a WTP may perform the functions of a WTP. This restriction of functions to the AC or WTP requires that the certificates used by the AC MUST be distinguishable from the certificate used by the WTP. To accomplish this differentiation, the x.509v3 certificates MUST include the Extensions field [11] and MUST include the NetscapeComment [15] extension. For an AC, the value of the NetscapeComment extension MUST be the string "CAPWAP AC Device Certificate". For a WTP, the value of the NetscapeComment extension MUST be the string "CAPWAP WTP Device Certificate". Part of the CAPWAP certificate validation process includes ensuring that the proper string is included in the NetscapeComment extension, and only allowing the CAPWAP session to be established if the extension does not represent the same role as the device validating the certificate. For instance, a WTP MUST NOT accept a certificate whose NetscapeComment field is set to "CAPWAP WTP Device Certificate". Calhoun, Editor, et al. Expires November 6, 2006 [Page 34] Internet-Draft CAPWAP Protocol Specification May 2006 3. CAPWAP Transport The CAPWAP protocol uses UDP as a transport, and can be used with IPv4 or IPv6. This section details the specifics of how the CAPWAP protocol works in conjunction with IP. 3.1. UDP Transport Communication between a WTP and an AC is established according to the standard UDP client/server model. One of the CAPWAP requirements is to allow a WTP to reside behind a firewall and/or Network Address Translation (NAT) device. Since the connection is initiated by the WTP (client) to the well-known UDP port of the AC (server), the use of UDP is a logical choice. CAPWAP protocol control packets sent between the WTP and the AC use well known UDP port [to be IANA assigned]. CAPWAP protocol data packets sent between the WTP and the AC use UDP port [to be IANA assigned]. 3.2. AC Discovery A WTP and an AC will frequently not reside in the same IP subnet (broadcast domain). When this occurs, the WTP must be capable of discovering the AC, without requiring that multicast services are enabled in the network. This section describes how AC discovery is performed by WTPs. As the WTP attempts to establish communication with an AC, it sends the Discovery Request message and receives the corresponding response message from the AC(s). The WTP must send the Discovery Request message to either the limited broadcast IP address (255.255.255.255), a well known multicast address or to the unicast IP address of the AC. Upon receipt of the Discovery Request message, the AC issues a Discovery Response message to the unicast IP address of the WTP, regardless of whether the Discovery Request message was sent as a broadcast, multicast or unicast message. WTP use of a limited IP broadcast, multicast or unicast IP address is implementation dependent. When a WTP transmits a Discovery Request message to a unicast address, the WTP must first obtain the IP address of the AC. Any static configuration of an AC's IP address on the WTP non-volatile storage is implementation dependent. However, additional dynamic schemes are possible, for example: Calhoun, Editor, et al. Expires November 6, 2006 [Page 35] Internet-Draft CAPWAP Protocol Specification May 2006 DHCP: A comma delimited ASCII encoded list of AC IP addresses is embedded in the DHCP vendor specific option 43 extension. An example of the actual format of the vendor specific payload for IPv4 is of the form "10.1.1.1, 10.1.1.2". DNS: The DNS name "CAPWAP-AC-Address" MAY be resolvable to one or more AC addresses. 3.3. Fragmentation/Reassembly While fragmentation and reassembly services are provided by IP, the CAPWAP protocol also provides such services. Environments where the CAPWAP protocol is used involve firewall, Network Address Translation (NAT) and "middle box" devices, which tend to drop IP fragments in order to minimize possible Denial of Service attacks. By providing fragmentation and reassembly at the application layer, any fragmentation required due to the tunneling component of the CAPWAP protocol becomes transparent to these intermediate devices. Consequently, the CAPWAP protocol is not impacted by any network configurations. Calhoun, Editor, et al. Expires November 6, 2006 [Page 36] Internet-Draft CAPWAP Protocol Specification May 2006 4. CAPWAP Packet Formats This section contains the CAPWAP protocol packet formats. A CAPWAP protocol packet consists of a CAPWAP Transport Layer packet header followed by a CAPWAP message. The CAPWAP message can be either of type Control or Data, where Control packets carry signaling, and Data packets carry user payloads. The CAPWAP frame formats for CAPWAP Data packets, and for DTLS encapsulated CAPWAP Data and Control packets. are as shown below: CAPWAP Data Packet : +--------------------------------+ | IP |UDP | CAPWAP | Wireless | | Hdr |Hdr | Header | Payload | +--------------------------------+ CAPWAP + Optional DTLS Data Packet Security: +------------------------------------------------+ | IP |UDP | DTLS | CAPWAP | Wireless | DTLS | | Hdr |Hdr | Hdr | Hdr | Payload | Trailer| +------------------------------------------------+ \--authenticated-----------/ \--- encrypted-----------/ CAPWAP Control Packet (DTLS Security Required): +-----------------------------------------------------------+ | IP |UDP | DTLS | CAPWAP | Control | Message | DTLS | | Hdr |Hdr | Hdr | Header | Header | Element(s) | Trailer | +-----------------------------------------------------------+ \-------authenticated-----------------/ \------------encrypted-------------------/ UDP: All CAPWAP packets are encapsulated within UDP. Section Section 3.1 defines the specific UDP usage. CAPWAP Header: All CAPWAP protocol packets use a common header that immediately follows the UDP header. This header, is defined in Section 4.1. Wireless Payload: A CAPWAP protocol packet that contains a wireless payload is known as a data frame. The CAPWAP protocol does not dictate the format of the wireless payload, which is defined by the appropriate wireless standard. Additional information is in Section 4.2. Calhoun, Editor, et al. Expires November 6, 2006 [Page 37] Internet-Draft CAPWAP Protocol Specification May 2006 Control Header: The CAPWAP protocol includes a signalling component, known as the CAPWAP control protocol. All CAPWAP control packets include a Control Header, which is defined in Section 4.3.1. Message Elements: A CAPWAP Control packet includes one or more message elements, which are found immediately following the control header. These message elements are in a Type/Length/value style header, defined in Section 4.4. 4.1. CAPWAP Transport Header All CAPWAP protocol messages are encapsulated using a common header format, regardless of the CAPWAP control or CAPWAP Data transport used to carry the messages. However, certain flags are not applicable for a given transport. Refer to the specific transport section in order to determine which flags are valid. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Version| RID | HLEN |F|L|W|M| Flags | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Fragment ID | Frag Offset |Rsv-2| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | (optional) Radio MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | (optional) Wireless Specific Information | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Payload .... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Version: A 4 bit field which contains the version of CAPWAP used in this packet. The value for this draft is 0. RID: A 5 bit field which contains the Radio ID number for this packet. WTPs with multiple radios but a single MAC Address range use this field to indicate which radio is associated with the packet. HLEN: Length of CAPWAP tunnel header in 4 byte words. (Similar to IP header length). This length includes the optional headers. F: The Fragment 'F' bit indicates whether this packet is a fragment. When this bit is one (1), the packet is a fragment and MUST be combined with the other corresponding fragments to reassemble the complete information exchanged between the WTP and AC. Calhoun, Editor, et al. Expires November 6, 2006 [Page 38] Internet-Draft CAPWAP Protocol Specification May 2006 L: The Not Last 'L' bit is valid only if the 'F' bit is set and indicates whether the packet contains the last fragment of a fragmented exchange between WTP and AC. When this bit is 1, the packet is not the last fragment. When this bit is 0, the packet is the last fragment. W: The Wireless 'W' bit is used to specify whether the optional wireless specific information field is present in the header. A value of one (1) is used to represent the fact that the optional header is present. M: The M bit is used to indicate that the Radio MAC Address optional header is present. This is used to communicate the MAC address of the receiving radio when the native wireless packet. This field MUST NOT be set to one in packets sent by the AC to the WTP. Flags: A set of reserved bits for future flags in the CAPWAP header. All implementations complying with version zero of this protocol MUST set these bits to zero. Fragment ID: An 16 bit field whose value is assigned to each group of fragments making up a complete set. The fragment ID space is managed individually for every WTP/AC pair. The value of Fragment ID is incremented with each new set of fragments. The Fragment ID wraps to zero after the maximum value has been used to identify a set of fragments. Fragment Offset: A 13 bit field that indicates where in the payload will this fragment belong during re-assembly. This field is valid when the 'F' bit is set to 1. The fragment offset is measured in units of 8 octets (64 bits). The first fragment has offset zero. Reserved: The 3-bit Reserved-2 field is reserved and set to 0 in this version of the CAPWAP protocol. Radio MAC Address: This optional field contains the MAC address of the radio receiving the packet. This is useful in packets sent from the WTP to the AC, when the native wireless frame format is converted to 802.3 by the WTP. This field is only present if the 'M' bit is set. The field contains the basic format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length | MAC Address +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, Editor, et al. Expires November 6, 2006 [Page 39] Internet-Draft CAPWAP Protocol Specification May 2006 Length: The number of bytes in the MAC Address field. The length field is present since new IEEE technologies are using 48 byte MAC addresses. MAC Address: The MAC Address of the receiving radio. Wireless Specific Information: This optional field contains technology specific information that may be used to carry per packet wireless information. This field is only present if the 'W' bit is set. The field contains the basic format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Wireless ID | Length | Data +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Wireless ID: The wireless binding identifier. The following values are defined: 1 - : IEEE 802.11 Length: The length of the data field Data: Wireless specific information, whose details are defined in the technology specific binding section. Payload: This field contains the header for a CAPWAP Data Message or CAPWAP Control Message, followed by the data associated with that message. 4.2. CAPWAP Data Messages A CAPWAP protocol data message is a forwarded wireless frame. The CAPWAP protocol defines two different modes of encapsulations; IEEE 802.3 and native wireless. IEEE 802.3 encapsulation requires that the bridging function be performed in the WTP. An IEEE 802.3 encapsulated user payload frame has the following format: +------------------------------------------------------+ | IP Header | UDP Header | CAPWAP Header | 802.3 Frame | +------------------------------------------------------+ The CAPWAP protocol also defines the native wireless encapsulation mode. The actual format of the encapsulated CAPWAP data frame is subject to the rules defined under the specific wireless technology Calhoun, Editor, et al. Expires November 6, 2006 [Page 40] Internet-Draft CAPWAP Protocol Specification May 2006 binding. As a consequence, each wireless technology binding MUST define a section entitled "Payload encapsulation", which defines the format of the wireless payload that is encapsulated within the CAPWAP Data messages. In the event that the encapsulated frame would exceed the transport layer's MTU, the sender is responsible for the fragmentation of the frame, as specified in Section 3.3. 4.3. CAPWAP Control Messages The CAPWAP Control protocol provides a control channel between the WTP and the AC. Control messages are divided into the following distinct message types: Discovery: CAPWAP Discovery messages are used to identify potential ACs, their load and capabilities. WTP Configuration: The WTP Configuration messages are used by the AC to push a specific configuration to the WTP it has a control channel with. Messages that deal with the retrieval of statistics from the WTP also fall in this category. Mobile Session Management: Mobile session management messages are used by the AC to push specific mobile station policies to the WTP. Firmware Management: Messages in this category are used by the AC to push a new firmware image to the WTP. Discovery, WTP Configuration and Mobile Session Management messages MUST be implemented. Firmware Management MAY be implemented. In addition, technology specific bindings may introduce new control channel commands. 4.3.1. Control Message Format All CAPWAP control messages are sent encapsulated within the CAPWAP header (see Section 4.1). Immediately following the CAPWAP header, is the control header, which has the following format: Calhoun, Editor, et al. Expires November 6, 2006 [Page 41] Internet-Draft CAPWAP Protocol Specification May 2006 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Message Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Seq Num | Msg Element Length | Flags | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Time Stamp | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Msg Element [0..N] ... +-+-+-+-+-+-+-+-+-+-+-+-+ 4.3.1.1. Message Type The Message Type field identifies the function of the CAPWAP control message. The Message Type field is comprised of an IANA Enterprise Number and a message type value field. The first two byte contain the IANA Enterprise Number (for example, the IEEE 802.11 IANA Enterprise number is 13277), and the second two bytes contain the Message Type value. The message type field can be expressed as: Message Type = IANA Enterprise Number * 256 + Message Type Value The valid values for base CAPWAP Message Types are given in the table below: Calhoun, Editor, et al. Expires November 6, 2006 [Page 42] Internet-Draft CAPWAP Protocol Specification May 2006 CAPWAP Control Message Message Type Value Discovery Request 1 Discovery Response 2 Join Request 3 Join Response 4 Configuration Status 5 Configuration Status Response 6 Configuration Update Request 7 Configuration Update Response 8 WTP Event Request 9 WTP Event Response 10 Change State Event Request 11 Change State Event Response 12 Echo Request 13 Echo Response 14 Image Data Request 15 Image Data Response 16 Reset Request 17 Reset Response 18 Primary Discovery Request 19 Primary Discovery Response 20 Data Transfer Request 21 Data Transfer Response 22 Clear Config Indication 23 Mobile Config Request 24 Mobile Config Response 25 4.3.1.2. Sequence Number The Sequence Number Field is an identifier value to match request and response packet exchanges. When a CAPWAP packet with a request message type is received, the value of the sequence number field is copied into the corresponding response packet. When a CAPWAP control message is sent, its internal sequence number counter is monotonically incremented, ensuring that no two requests pending have the same sequence number. This field will wrap back to zero. 4.3.1.3. Message Element Length The Length field indicates the number of bytes following the Sequence Num field. 4.3.1.4. Flags The Flags field MUST be set to zero. Calhoun, Editor, et al. Expires November 6, 2006 [Page 43] Internet-Draft CAPWAP Protocol Specification May 2006 4.3.1.5. Time Stamp The Timestamp contains the timestamp. PRC-TODO: Details need to be added here, and I am waiting for info from Dave Perkins. 4.3.1.6. Message Element[0..N] The message element(s) carry the information pertinent to each of the control message types. Every control message in this specification specifies which message elements are permitted. 4.3.2. Control Message Quality of Service It is recommended that CAPWAP control messages be sent by both the AC and the WTP with an appropriate Quality of Service precedence value, ensuring that congestion in the network minimizes occurrences of CAPWAP control channel disconnects. Therefore, a Quality of Service enabled CAPWAP device should use the following values: 802.1P: The precedence value of 7 SHOULD be used. DSCP: The DSCP tag value of 46 SHOULD be used. 4.4. CAPWAP Protocol Message Elements This section defines the CAPWAP Protocol message elements which are included in CAPWAP protocol control messages. Message elements are used to carry information needed in control messages. Every message element is identified by the Type field, whose numbering space is managed via IANA (see Section 14). The total length of the message elements is indicated in the Message Element Length field. All of the message element definitions in this document use a diagram similar to the one below in order to depict its format. Note that in order to simplify this specification, these diagrams do not include the header fields (Type and Length). The header field values are defined in the Message element descriptions. Additional message elements may be defined in separate IETF documents. The format of a message element uses the TLV format shown here: Calhoun, Editor, et al. Expires November 6, 2006 [Page 44] Internet-Draft CAPWAP Protocol Specification May 2006 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Value ... | +-+-+-+-+-+-+-+-+ Where Type (16 bit) identifies the character of the information carried in the Value field and Length (16 bits) indicates the number of bytes in the Value field. 4.4.1. AC Descriptor The AC payload message element is used by the AC to communicate it's current state. The value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved | Hardware Version ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | HW Ver | Software Version ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SW Ver | Stations | Limit | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Limit | Active WTPs | Max WTPs | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Max WTPs | Security | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1 for AC Descriptor Length: 18 Reserved: MUST be set to zero Hardware Version: The AC's hardware version number Software Version: The AC's Firmware version number Stations: The number of mobile stations currently associated with the AC Limit: The maximum number of stations supported by the AC Calhoun, Editor, et al. Expires November 6, 2006 [Page 45] Internet-Draft CAPWAP Protocol Specification May 2006 Active WTPs: The number of WTPs currently attached to the AC Max WTPs: The maximum number of WTPs supported by the AC Security: A 8 bit bit mask specifying the authentication credential type supported by the AC. The following values are supported (see Section 2.4.4): 1 - X.509 Certificate Based 2 - Pre-Shared Secret 4.4.2. AC IPv4 List The AC List message element is used to configure a WTP with the latest list of ACs in a cluster. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AC IP Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 2 for AC List Length: 4 The AC IP Address: An array of 32-bit integers containing an AC's IPv4 Address. 4.4.3. AC IPv6 List The AC List message element is used to configure a WTP with the latest list of ACs in a cluster. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AC IP Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AC IP Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AC IP Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AC IP Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, Editor, et al. Expires November 6, 2006 [Page 46] Internet-Draft CAPWAP Protocol Specification May 2006 Type: 3 for AC IPV6 List Length: 16 The AC IP Address: An array of 32-bit integers containing an AC's IPv6 Address. 4.4.4. AC Name The AC name message element contains an ASCII representation of the AC's identity. The value is a variable length byte string. The string is NOT zero terminated. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Name ... +-+-+-+-+-+-+-+-+ Type: 4 for AC Name Length: > 0 Name: A variable length ASCII string containing the AC's name 4.4.5. AC Name with Index The AC Name with Index message element is sent by the AC to the WTP to configure preferred ACs. The number of instances where this message element would be present is equal to the number of ACs configured on the WTP. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Index | AC Name... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 5 for AC Name with Index Length: > 2 Index: The index of the preferred server (e.g., 1=primary, 2=secondary). Calhoun, Editor, et al. Expires November 6, 2006 [Page 47] Internet-Draft CAPWAP Protocol Specification May 2006 AC Name: A variable length ASCII string containing the AC's name. 4.4.6. AC Timestamp The AC Timestamp message element is sent by the AC to synchronize the WTP's clock. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Timestamp | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 6 for AC Timestamp Length: 4 Timestamp: The AC's current time, allowing all of the WTPs to be time synchronized in the format defined by Network Time Protocol (NTP) in RFC 1305 [10]. 4.4.7. Add MAC ACL Entry The Add MAC Access Control List (ACL) Entry message element is used by an AC to add a MAC ACL list entry on a WTP, ensuring that the WTP no longer provides any service to the MAC addresses provided in the message. The MAC Addresses provided in this message element are not expected to be saved in non-volatile memory on the WTP. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Num of Entries| MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 7 for Add MAC ACL Entry Length: >= 7 Num of Entries: The number of MAC Addresses in the array. MAC Address: An array of MAC Addresses to add to the ACL. Calhoun, Editor, et al. Expires November 6, 2006 [Page 48] Internet-Draft CAPWAP Protocol Specification May 2006 4.4.8. Add Mobile Station The Add Mobile Station message element is used by the AC to inform a WTP that it should forward traffic for a particular mobile station. The Add Mobile Station message element will be accompanied by technology specific binding information element which may include security parameters. Consequently, the security parameters must be applied by the WTP for the particular mobile. Once a mobile station's policy has been pushed to the WTP through this message element, an AC may change any policies by simply sending a modified Add Mobile Station message element. When a WTP receives an Add Mobile Station message element for an existing mobile station, it must override any existing state it may have for the mobile station in question. The latest Add Mobile Station message element data overrides any previously received messages. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | VLAN Name... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 8 for Add Mobile Length: >= 7 Radio ID: An 8-bit value representing the radio MAC Address: The mobile station's MAC Address VLAN Name: An optional variable string containing the VLAN Name on which the WTP is to locally bridge user data. Note this field is only valid with WTPs configured in Local MAC mode. 4.4.9. Add Static MAC ACL Entry The Add Static MAC ACL Entry message element is used by an AC to add a permanent ACL entry on a WTP, ensuring that the WTP no longer provides any service to the MAC addresses provided in the message. The MAC Addresses provided in this message element are expected to be saved in non-volative memory on the WTP. Calhoun, Editor, et al. Expires November 6, 2006 [Page 49] Internet-Draft CAPWAP Protocol Specification May 2006 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Num of Entries| MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 9 for Add Static MAC ACL Entry Length: >= 7 Num of Entries: The number of MAC Addresses in the array. MAC Address: An array of MAC Addresses to add to the permanent ACL. 4.4.10. CAPWAP Timers The CAPWAP Timers message element is used by an AC to configure CAPWAP timers on a WTP. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Discovery | Echo Request | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 10 for CAPWAP Timers Length: 2 Discovery: The number of seconds between CAPWAP Discovery packets, when the WTP is in the discovery mode. Echo Request: The number of seconds between WTP Echo Request CAPWAP messages. 4.4.11. Change State Event The Change State message element is used to communicate a change in the operational state of a radio. The value contains two fields, as shown. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | State | Cause | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, Editor, et al. Expires November 6, 2006 [Page 50] Internet-Draft CAPWAP Protocol Specification May 2006 Type: 11 for Change State Event Length: 3 Radio ID: The Radio Identifier, typically refers to some interface index on the WTP. State: An 8-bit boolean value representing the state of the radio. A value of one disables the radio, while a value of two enables it. Cause: In the event of a radio being inoperable, the cause field would contain the reason the radio is out of service. The following values are supported: 0 - Normal 1 - Radio Failure 2 - Software Failure 4.4.12. Data Transfer Data The Data Transfer Data message element is used by the WTP to provide information to the AC for debugging purposes. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Type | Data Length | Data .... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 12 for Data Transfer Data Length: >= 3 Data Type: An 8-bit value the type of information being sent. The following values are supported: 1 - WTP Crash Data 2 - WTP Memory Dump Data Length: Length of data field. Calhoun, Editor, et al. Expires November 6, 2006 [Page 51] Internet-Draft CAPWAP Protocol Specification May 2006 Data: Debug information. 4.4.13. Data Transfer Mode The Data Transfer Mode message element is used by the AC to request information from the WTP for debugging purposes. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Data Type | +-+-+-+-+-+-+-+-+ Type: 13 for Data Transfer Mode Length: 1 Data Type: An 8-bit value the type of information being requested. The following values are supported: 1 - WTP Crash Data 2 - WTP Memory Dump 4.4.14. Decryption Error Report The Decryption Error Report message element value is used by the WTP to inform the AC of decryption errors that have occurred since the last report. Note that this error reporting mechanism is not used if encryption and decryption services are provided via the AC. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID |Num Of Entries | Mobile MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Mobile MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 14 for Decryption Error Report Length: >= 8 Radio ID: The Radio Identifier, which typically refers to an interface index on the WTP Calhoun, Editor, et al. Expires November 6, 2006 [Page 52] Internet-Draft CAPWAP Protocol Specification May 2006 Num Of Entries: An 8-bit unsigned integer indicating the number of mobile MAC addresses. Mobile MAC Address: An array of mobile station MAC addresses that have caused decryption errors. 4.4.15. Decryption Error Report Period The Decryption Error Report Period message element value is used by the AC to inform the WTP how frequently it should send decryption error report messages. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Report Interval | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 15 for Decryption Error Report Period Length: 3 Radio ID: The Radio Identifier, typically refers to some interface index on the WTP Report Interval: A 16-bit unsigned integer indicating the time, in seconds 4.4.16. Delete MAC ACL Entry The Delete MAC ACL Entry message element is used by an AC to delete a MAC ACL entry on a WTP, ensuring that the WTP provides service to the MAC addresses provided in the message. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Num of Entries| MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 16 for Delete MAC ACL Entry Length: >= 7 Calhoun, Editor, et al. Expires November 6, 2006 [Page 53] Internet-Draft CAPWAP Protocol Specification May 2006 Num of Entries: The number of MAC Addresses in the array. MAC Address: An array of MAC Addresses to delete from the ACL. 4.4.17. Delete Mobile Station The Delete Mobile station message element is used by the AC to inform an WTP that it should no longer provide service to a particular mobile station. The WTP must terminate service immediately upon receiving this message element. The transmission of a Delete Mobile Station message element could occur for various reasons, including for administrative reasons, as a result of the fact that the mobile has roamed to another WTP, etc. Once access has been terminated for a given station, any future packets received from the mobile station must result in a deauthenticate message, as specified in [6]. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 17 for Delete Mobile Station Length: 7 Radio ID: An 8-bit value representing the radio MAC Address: The mobile station's MAC Address 4.4.18. Delete Static MAC ACL Entry The Delete Static MAC ACL Entry message element is used by an AC to delete a previously added static MAC ACL entry on a WTP, ensuring that the WTP provides service to the MAC addresses provided in the message. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Num of Entries| MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address[] | Calhoun, Editor, et al. Expires November 6, 2006 [Page 54] Internet-Draft CAPWAP Protocol Specification May 2006 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 18 for Delete Static MAC ACL Entry Length: >= 7 Num of Entries: The number of MAC Addresses in the array. MAC Address: An array of MAC Addresses to delete from the static MAC ACL entry. 4.4.19. Discovery Type The Discovery message element is used to configure a WTP to operate in a specific mode. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Discovery Type| +-+-+-+-+-+-+-+-+ Type: 19 for Discovery Type Length: 1 Discovery Type: An 8-bit value indicating how the AC was discovered. The following values are supported: 0 - Broadcast 1 - Configured 4.4.20. Duplicate IPv4 Address The Duplicate IPv4 Address message element is used by a WTP to inform an AC that it has detected another IP device using the same IP address it is currently using. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, Editor, et al. Expires November 6, 2006 [Page 55] Internet-Draft CAPWAP Protocol Specification May 2006 Type: 20 for Duplicate IPv4 Address Length: 10 IP Address: The IP Address currently used by the WTP. MAC Address: The MAC Address of the offending device. 4.4.21. Duplicate IPv6 Address The Duplicate IPv6 Address message element is used by a WTP to inform an AC that it has detected another host using the same IP address it is currently using. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 21 for Duplicate IPv6 Address Length: 22 IP Address: The IP Address currently used by the WTP. MAC Address: The MAC Address of the offending device. 4.4.22. Idle Timeout The Idle Timeout message element is sent by the AC to the WTP to provide it with the idle timeout that it should enforce on its active mobile station entries. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Timeout | Calhoun, Editor, et al. Expires November 6, 2006 [Page 56] Internet-Draft CAPWAP Protocol Specification May 2006 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 22 for Idle Timeout Length: 4 Timeout: The current idle timeout to be enforced by the WTP. 4.4.23. Image Data The image data message element is present in the Image Data Request message sent by the AC and contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Opcode | Checksum | Image Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Image Data ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 23 for Image Data Length: >= 4 (allows 0 length element if last data unit is 1024 bytes) Opcode: An 8-bit value representing the transfer opcode. The following values are supported: 3 - Image data is included 5 - An error occurred. Transfer is aborted Checksum: A 16-bit value containing a checksum of the image data that follows Image Data: The Image Data field contains 1024 characters, unless the payload being sent is the last one (end of file). If the last block was 1024 in length, an Image Data with a zero length payload is sent. 4.4.24. Image Filename The image filename message element is sent by the WTP to the AC and is used to initiate the firmware download process. This message element contains the image filename, which the AC subsequently transfers to the WTP via the Image Data message element. The value is a variable length byte string, which is NOT zero terminated. Calhoun, Editor, et al. Expires November 6, 2006 [Page 57] Internet-Draft CAPWAP Protocol Specification May 2006 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Filename ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 24 for Image Filename Length: >= 1 Filename: A variable length string containing the filename to download. 4.4.25. Initiate Download The Initiate Download message element is used by the AC to inform the WTP that it should initiate a firmware upgrade. This is performed by having the WTP initiate its own Image Data Request, with the Image Download message element. This message element does not contain any data. Type: 25 for Initiate Download Length: 0 4.4.26. Location Data The Location Data message elementis a variable length byte string containing user defined location information (e.g. "Next to Fridge"). This information is configurable by the network administrator, and allows for the WTP location to be determined through this field. The string is not zero terminated. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+- | Location ... +-+-+-+-+-+-+-+-+- Type: 26 for Location Data Length: > 0 Timeout: A non-zero terminated string containing the WTP location. Calhoun, Editor, et al. Expires November 6, 2006 [Page 58] Internet-Draft CAPWAP Protocol Specification May 2006 4.4.27. MTU Discovery Padding The MTU Discovery Padding message element is used as padding to perform MTU discovery, and MUST contain octets of value 0xFF, of any length 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Padding... +-+-+-+-+-+-+-+- Type: 27 for MTU Discovery Padding Length: variable Timeout: A variable length pad. 4.4.28. Radio Administrative State The administrative event message element is used to communicate the state of a particular radio. The value contains the following fields. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Admin State | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 28 for Administrative State Length: 2 Radio ID: An 8-bit value representing the radio to configure. The Radio ID field may also include the value of 0xff, which is used to identify the WTP itself. Therefore, if an AC wishes to change the administrative state of a WTP, it would include 0xff in the Radio ID field. Admin State: An 8-bit value representing the administrative state of the radio. The following values are supported: 1 - Enabled Calhoun, Editor, et al. Expires November 6, 2006 [Page 59] Internet-Draft CAPWAP Protocol Specification May 2006 2 - Disabled 4.4.29. Result Code The Result Code message element value is a 32-bit integer value, indicating the result of the request operation corresponding to the sequence number in the message. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Result Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 29 for Result Code Length: 4 Result Code: The following values are defined: 0 Success 1 Failure (AC List message element MUST be present) 2 Success (NAT detected) 3 Failure (unspecified) 4 Failure (Join Failure, Resource Depletion) 5 Failure (Join Failure, Unknown Source) 6 Failure (Join Failure, Incorrect Data) 7 Failure (Join Failure, Session ID already in use) 4.4.30. Session ID The session ID message element value contains a randomly generated unsigned 32-bit integer. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Session ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, Editor, et al. Expires November 6, 2006 [Page 60] Internet-Draft CAPWAP Protocol Specification May 2006 Type: 30 for Session ID Length: 4 Session ID: A 32-bit random session identifier 4.4.31. Statistics Timer The statistics timer message element value is used by the AC to inform the WTP of the frequency which it expects to receive updated statistics. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Statistics Timer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 31 for Statistics Timer Length: 2 Statistics Timer: A 16-bit unsigned integer indicating the time, in seconds 4.4.32. Vendor Specific Payload The Vendor Specific Payload is used to communicate vendor specific information between the WTP and the AC. The value contains the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Vendor Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Element ID | Value... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 32 for Vendor Specific Length: >= 7 Vendor Identifier: A 32-bit value containing the IANA assigned "SMI Network Management Private Enterprise Codes" [19] Calhoun, Editor, et al. Expires November 6, 2006 [Page 61] Internet-Draft CAPWAP Protocol Specification May 2006 Element ID: A 16-bit Element Identifier which is managed by the vendor. Value: The value associated with the vendor specific element. 4.4.33. WTP Board Data The WTP Board Data message element is sent by the WTP to the AC and contains information about the hardware present. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Vendor Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type=0 | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Value... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type=1 | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Value... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Optional additional vendor specific WTP board data TLVs Type: 33 for WTP Board Data Length: >=14 Vendor Identifier: A 32-bit value containing the IANA assigned "SMI Network Management Private Enterprise Codes" Type: The following values are supported: 0 - WTP Model Number: The WTP Model Number MUST be included in the WTP Board Data message element. 1 - WTP Serial Number: The WTP Serial Number MUST be included in the WTP Board Data message element. 2 - Board ID: A hardware identifier, which MAY be included in the WTP Board Data mesage element. Calhoun, Editor, et al. Expires November 6, 2006 [Page 62] Internet-Draft CAPWAP Protocol Specification May 2006 3 - Board Revision A revision number of the board, which MAY be included in the WTP Board Data message element. 4.4.34. WTP Descriptor The WTP descriptor message element is used by a WTP to communicate it's current hardware/firmware configuration. The value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Max Radios | Radios in use | Encryption Capabilities | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Vendor Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type=0 | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Value... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Vendor Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type=1 | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Value... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Vendor Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type=0 | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Value... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 34 for WTP Descriptor Length: >= 31 Max Radios: An 8-bit value representing the number of radios (where each radio is identified via the RID field) supported by the WTP Radios in use: An 8-bit value representing the number of radios present in the WTP Encryption Capabilities: This 16-bit field is used by the WTP to communicate it's capabilities to the AC. Since most WTP's support link layer encryption, the AC may make use of these services. There are binding dependent encryption capabilities. A WTP that Calhoun, Editor, et al. Expires November 6, 2006 [Page 63] Internet-Draft CAPWAP Protocol Specification May 2006 does not have any encryption capabilities would set this field to zero (0). Refer to the specific binding for further specification of the Encryption Capabilities field. Vendor Identifier: A 32-bit value containing the IANA assigned "SMI Network Management Private Enterprise Codes" Type: The following values are supported. The Hardware Version, Software Version, and Boot Version values MUST be included. 0 - WTP Model Number: The WTP Model Number MUST be included in the WTP Board Data message element. 1 - WTP Serial Number: The WTP Serial Number MUST be included in the WTP Board Data message element. 2 - Board ID: A hardware identifier, which MAY be included in the WTP Board Data mesage element. 3 - Board Revision A revision number of the board, which MAY be included in the WTP Board Data message element. 4 - Hardware Version: A 32-bit integer representing the WTP's hardware version number 5 - Software Version: A 32-bit integer representing the WTP's Firmware version number 6 - Boot Version: A 32-bit integer representing the WTP's boot loader's version number 4.4.35. WTP Fallback The WTP Fallback message element is sent by the AC to the WTP to enable or disable automatic CAPWAP fallback in the event that a WTP detects its preferred AC, and is not currently connected to it. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Mode | +-+-+-+-+-+-+-+-+ Type: 35 for WTP Fallback Calhoun, Editor, et al. Expires November 6, 2006 [Page 64] Internet-Draft CAPWAP Protocol Specification May 2006 Length: 1 Mode: The 8-bit value indicates the status of automatic CAPWAP fallback on the WTP. A value of zero disables fallback, while a value of one enables it. When enabled, if the WTP detects that its primary AC is available, and it is not connected to it, it SHOULD automatically disconnect from its current AC and reconnect to its primary. If disabled, the WTP will only reconnect to its primary through manual intervention (e.g., through the Reset Request command). 4.4.36. WTP Frame Encapsulation Type The WTP Frame EncapsultationType message element allows the WTP to communicate the encapsulation type, or tunneling modes of operation which it supports to the AC. A WTP that advertises support for all types allows the AC to select which type will be used, based on its local policy. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ |Frame Enc Type | +-+-+-+-+-+-+-+-+ Type: 36 for WTP Frame Encapsulation Type Length: 1 Frame Encapsulation Type: The Frame type specifies the encapsulation modes supported by the WTP. The following values are supported: 1 - Local Bridging: Local Bridging allows the WTP to perform the bridging function. This value MUST NOT be used when the WTP MAC Type is set to Split-MAC. 2 - 802.3 Bridging: 802.3 Bridging requires the WTP and AC to encapsulate all user payload as native IEEE 802.3 frames (see Section 4.2). This value MUST NOT be used when the WTP MAC Type is set to Split-MAC. 4 - Native Bridging: Native Bridging requires the WTP and AC to encapsulate all user payloads as native wireless frames, as defined by the wireless binding (see Section 4.2). Calhoun, Editor, et al. Expires November 6, 2006 [Page 65] Internet-Draft CAPWAP Protocol Specification May 2006 7 - All: The WTP is capable of supporting all frame encapsulation types. 4.4.37. WTP IPv4 IP Address The WTP IPv4 address is used to perform NAT detection. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | WTP IPv4 IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 37 for WTP IPv4 IP Address Length: 4 WTP IPv4 IP Address: The IPv4 address from which the WTP is sending packets. This field is used for NAT detection. 4.4.38. WTP MAC Type The WTP MAC-Type message element allows the WTP to communicate its mode of operation to the AC. A WTP that advertises support for both modes allows the AC to select the mode to use, based on local policy. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | MAC Type | +-+-+-+-+-+-+-+-+ Type: 38 for WTP MAC Type Length: 1 MAC Type: The MAC mode of operation supported by the WTP. The following values are supported 0 - Local-MAC: Local-MAC is the default mode that MUST be supported by all WTPs. 1 - Split-MAC: Split-MAC support is optional, and allows the AC to receive and process native wireless frames. Calhoun, Editor, et al. Expires November 6, 2006 [Page 66] Internet-Draft CAPWAP Protocol Specification May 2006 2 - Both: WTP is capable of supporting both Local-MAC and Split- MAC. 4.4.39. WTP Radio Information The WTP radios information message element is used to communicate the radio information in a specific slot. The Discovery Request MUST include one such message element per radio in the WTP. The Radio- Type field is used by the AC in order to determine which technology specific binding is to be used with the WTP. The value contains two fields, as shown. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Radio Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio Type | +-+-+-+-+-+-+-+-+ Type: 39 for WTP Radio Information Length: 5 Radio ID: The Radio Identifier, which typically refers to an interface index on the WTP Radio Type: The type of radio present. Note this bitfield can be used to specify support for more than a single type of PHY/MAC. The following values are supported: 1 - 802.11b: An IEEE 802.11b radio. 2 - 802.11a: An IEEE 802.11a radio. 4 - 802.11g: An IEEE 802.11g radio. 8 - 802.11n: An IEEE 802.11n radio. 0xOF - 802.11b, 802.11a, 802.11g and 802.11n: The 4 radio types indicated are supported in the WTP. 4.4.40. WTP Manager Control IPv4 Address The WTP Manager Control IPv4 Address message element is sent by the AC to the WTP during the discovery process and is used by the AC to provide the interfaces available on the AC, and the current number of Calhoun, Editor, et al. Expires November 6, 2006 [Page 67] Internet-Draft CAPWAP Protocol Specification May 2006 WTPs connected. In the event that multiple WTP Manager Control IPV4 Address message elements are returned, the WTP is expected to perform load balancing across the multiple interfaces. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | WTP Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 40 for WTP Manager Control IPv4 Address Length: 6 IP Address: The IP Address of an interface. WTP Count: The number of WTPs currently connected to the interface. 4.4.41. WTP Manager Control IPv6 Address The WTP Manager Control IPv6 Address message element is sent by the AC to the WTP during the discovery process and is used by the AC to provide the interfaces available on the AC, and the current number of WTPs connected. This message element is useful for the WTP to perform load balancing across multiple interfaces. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | WTP Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 41 for WTP Manager Control IPv6 Address Length: 18 Calhoun, Editor, et al. Expires November 6, 2006 [Page 68] Internet-Draft CAPWAP Protocol Specification May 2006 IP Address: The IP Address of an interface. WTP Count: The number of WTPs currently connected to the interface. 4.4.42. WTP Name The WTP Name message element is a variable length bye string. The string is not zero terminated. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+- | WTP Name ... +-+-+-+-+-+-+-+-+- Type: 42 for WTP Name Length: variable WTP Name: A non-zero terminated string containing the WTP name. 4.4.43. WTP Reboot Statistics The WTP Reboot Statistics message element is sent by the WTP to the AC to communicate reasons why reboots have occurred. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Crash Count | CAPWAP Initiated Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Link Failure Count | Failure Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 43 for WTP Reboot Statistics Length: 7 Crash Count: The number of reboots that have occurred due to a WTP crash. A value of 65535 implies that this information is not available on the WTP. CAPWAP Initiated Count: The number of reboots that have occurred at the request of a CAPWAP protocol message, such as a change in configuration that required a reboot or an explicit CAPWAP reset request. A value of 65535 implies that this information is not available on the WTP. Calhoun, Editor, et al. Expires November 6, 2006 [Page 69] Internet-Draft CAPWAP Protocol Specification May 2006 Link Failure Count: The number of times that a CAPWAP protocol connection with an AC has failed. Failure Type: The last WTP failure. The following values are supported: 0 - Link Failure 1 - CAPWAP Initiated (see Section 9.3) 2 - WTP Crash 255 - Unknown (e.g., WTP doesn't keep track of info) 4.4.44. WTP Static IP Address Information The WTP Static IP Address Information message element is used by an AC to configure or clear a previously configured static IP address on a WTP. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Netmask | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Gateway | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Static | +-+-+-+-+-+-+-+-+ Type: 44 for WTP Static IP Address Information Length: 13 IP Address: The IP Address to assign to the WTP. This field is only valid if the static field is set to one. Netmask: The IP Netmask. This field is only valid if the static field is set to one. Gateway: The IP address of the gateway. This field is only valid if the static field is set to one. Calhoun, Editor, et al. Expires November 6, 2006 [Page 70] Internet-Draft CAPWAP Protocol Specification May 2006 Netmask: The IP Netmask. This field is only valid if the static field is set to one. Static: An 8-bit boolean stating whether the WTP should use a static IP address or not. A value of zero disables the static IP address, while a value of one enables it. 4.5. CAPWAP Protocol Timers A WTP or AC that implements CAPWAP discovery MUST implement the following timers. 4.5.1. DiscoveryInterval The minimum time, in seconds, that a WTP MUST wait after receiving a Discovery Response, before initiating a DTLS handshake. Default: 5 4.5.2. DTLSRehandshake The minimum time, in seconds, a WTP MUST wait for DTLS rehandshake to complete. Default: 10 4.5.3. DTLSSessionDelete The minimum time, in seconds, a WTP MUST wait for DTLS session deletion. Default: 5 4.5.4. EchoInterval The minimum time, in seconds, between sending echo requests to the AC with which the WTP has joined. Default: 30 4.5.5. KeyLifetime The maximum time, in seconds, which a CAPWAP DTLS session key is valid. Default: 28800 Calhoun, Editor, et al. Expires November 6, 2006 [Page 71] Internet-Draft CAPWAP Protocol Specification May 2006 4.5.6. MaxDiscoveryInterval The maximum time allowed between sending discovery requests from the interface, in seconds. Must be no less than 2 seconds and no greater than 180 seconds. Default: 20 seconds. 4.5.7. NeighborDeadInterval The minimum time, in seconds, a WTP MUST wait without having received Echo Responses to its Echo Requests, before the destination for the Echo Request may be considered dead. Must be no less than 2*EchoInterval seconds and no greater than 240 seconds. Default: 60 4.5.8. ResponseTimeout The minimum time, in seconds, which the WTP or AC must respond to a CAPWAP Request message. Default: 1 4.5.9. RetransmitInterval The minimum time, in seconds, which a non-acknowledged CAPWAP packet will be retransmitted. Default: 3 4.5.10. SilentInterval The minimum time, in seconds, a WTP MUST wait after failing to receive any responses to its discovery requests, before it MAY again send discovery requests. Default: 30 4.5.11. WaitJoin The maximum time, in seconds, a WTP MUST wait without having received a DTLS Handshake message from an AC. This timer must be greater than 30 seconds. Default: 60 Calhoun, Editor, et al. Expires November 6, 2006 [Page 72] Internet-Draft CAPWAP Protocol Specification May 2006 4.6. CAPWAP Protocol Variables A WTP or AC that implements CAPWAP discovery MUST allow for the following variables to be configured by system management; default values are specified so as to make it unnecessary to configure any of these variables in many cases. 4.6.1. DiscoveryCount The number of discoveries transmitted by a WTP to a single AC. This is a monotonically increasing counter. 4.6.2. MaxDiscoveries The maximum number of discovery requests that will be sent after a WTP boots. Default: 10 4.6.3. MaxRetransmit The maximum number of retransmissions for a given CAPWAP packet before the link layer considers the peer dead. Default: 5 4.6.4. RetransmitCount The number of retransmissions for a given CAPWAP packet. This is a monotonically increasing counter. Calhoun, Editor, et al. Expires November 6, 2006 [Page 73] Internet-Draft CAPWAP Protocol Specification May 2006 5. CAPWAP Discovery Operations The Discovery messages are used by a WTP to determine which ACs are available to provide service, and the capabilities and load of the ACs. 5.1. Discovery Request Message The Discovery Request message is used by the WTP to automatically discover potential ACs available in the network. The Discovery Request message provides ACs with the primary capabilities of the WTP. A WTP must exchange this information to ensure subsequent exchanges with the ACs are consistent with the WTP's functional characteristics. A WTP must transmit this command even if it has a statically configured AC. Discovery Request messages MUST be sent by a WTP in the Discover state after waiting for a random delay less than MaxDiscoveryInterval, after a WTP first comes up or is (re)initialized. A WTP MUST send no more than the maximum of MaxDiscoveries Discovery Request messages, waiting for a random delay less than MaxDiscoveryInterval between each successive message. This is to prevent an explosion of WTP Discovery Request messages. An example of this occurring is when many WTPs are powered on at the same time. Discovery Request messages MUST be sent by a WTP when no Echo Response messages are received for NeighborDeadInterval and the WTP returns to the Idle state. Discovery Request messages are sent after NeighborDeadInterval. They MUST be sent after waiting for a random delay less than MaxDiscoveryInterval. A WTP MAY send up to a maximum of MaxDiscoveries Discovery Request messages, waiting for a random delay less than MaxDiscoveryInterval between each successive message. If a Discovery Response message is not received after sending the maximum number of Discovery Request messages, the WTP enters the Sulking state and MUST wait for an interval equal to SilentInterval before sending further Discovery Request messages. The Discovery Request message may be sent as a unicast, broadcast or multicast message. Upon receiving a Discovery Request message, the AC will respond with a Discovery Response message sent to the address in the source address of the received discovery request message. The following message elements MUST be included in the Discovery Calhoun, Editor, et al. Expires November 6, 2006 [Page 74] Internet-Draft CAPWAP Protocol Specification May 2006 Request message: o Discovery Type, see Section 4.4.19 o WTP Descriptor, see Section 4.4.34 o WTP Frame Type, see Section 4.4.36 o WTP MAC Type, see Section 4.4.38 o WTP Radio Information, see Section 4.4.39 5.2. Discovery Response Message The Discovery Response message provides a mechanism for an AC to advertise its services to requesting WTPs. The Discovery Response message is sent by an AC after receiving a Discovery Request message from a WTP. When a WTP receives a Discovery Response message, it MUST wait for an interval not less than DiscoveryInterval for receipt of additional Discovery Response messages. After the DiscoveryInterval elapses, the WTP enters the DTLS-Init state and selects one of the ACs that sent a Discovery Response message and send a DTLS Handshake to that AC. The following message elements MUST be included in the Discovery Response Message: o AC Descriptor, see Section 4.4.1 o AC Name, see Section 4.4.4 o WTP Manager Control IPv4 Address, see Section 4.4.40 o WTP Manager Control IPv6 Address, see Section 4.4.41 5.3. Primary Discovery Request Message The Primary Discovery Request message is sent by the WTP to determine whether its preferred (or primary) AC is available. A Primary Discovery Request message is sent by a WTP when it has a primary AC configured, and is connected to another AC. This generally occurs as a result of a failover, and is used by the WTP as a means to discover when its primary AC becomes available. As a consequence, this message is only sent by a WTP when it is in the Run Calhoun, Editor, et al. Expires November 6, 2006 [Page 75] Internet-Draft CAPWAP Protocol Specification May 2006 state. The frequency of the Primary Discovery Request messages should be no more often than the sending of the Echo Request message. Upon receipt of a Discovery Request message, the AC responds with a Primary Discovery Response message sent to the address in the source address of the received Primary Discovery Request message. The following message elements MUST be included in the Primary Discovery Request message. o Discovery Type, see Section 4.4.19 o WTP Descriptor, see Section 4.4.34 o WTP Frame Type, see Section 4.4.36 o WTP MAC Type, see Section 4.4.38 o WTP Radio Information, see Section 4.4.39 A WTP Radio Information message element MUST be present for every radio in the WTP. 5.4. Primary Discovery Response The Primary Discovery Response message enables an AC to advertise its availability and services to requesting WTPs that are configured to have the AC as its primary AC. The Primary Discovery Response message is sent by an AC after receiving a Primary Discovery Request message. When a WTP receives a Primary Discovery Response message, it may establish a CAPWAP protocol connection to its primary AC, based on the configuration of the WTP Fallback Status message element on the WTP. The following message elements MUST be included in the Primary Discovery Response message. o AC Descriptor, see Section 4.4.1 o AC Name, see Section 4.4.4 o WTP Manager Control IPv4 Address, see Section 4.4.40 o WTP Manager Control IPv6 Address, see Section 4.4.41 Calhoun, Editor, et al. Expires November 6, 2006 [Page 76] Internet-Draft CAPWAP Protocol Specification May 2006 6. CAPWAP Join Operations The Join Request message is used by a WTP to request service from an AC after a DTLS connection is established to that AC. The Join Response message is used by the the AC to indicate that it will or will not provide service. 6.1. Join Request The Join Request message is used by a WTP to inform an AC that it wishes to provide services through the AC. A Join Request message is sent by a WTP after receiving one or more Discovery Responses, and completion of DTLS session establishment. When an AC receives a Join Request message it responds with a Join Response message. Upon completion of the DTLS handshake (synonymous with DTLS "session establishment"), the WTP sends the Join Request message to the AC. Upon receipt of the Join Request Message, the AC generates a Join Response message and sends it to the WTP, indicating success or failure. Upon transmission of the Join Request message, the WTP sets the WaitJoin timer. If the Join Response message has not been received prior to expiration, the WTP aborts the Join process and transitions back to the Discovery state, see Section 2.3.1). Upon receipt of the Join Response message, the WaitJoin timer is deactivated. If the AC rejects the Join Request, it sends a Join Response with a failure indication then enters the CAPWAP reset state, resulting in shutdown of the DTLS session. Upon determining which AC to join, the WTP creates session state containing the AC address and session ID, creates the Join Request message, sets the WaitJoin timer for the session and sends the Join Request message to the AC. If an invalid (i.e. malformed) Join Request message is received, the message MUST be silently discarded by the AC. No response is sent to the WTP. The AC SHOULD log this event. The following message elements MUST be included in the Join Request message. o Location Data, see Section 4.4.26 o Session ID, see Section 4.4.30 Calhoun, Editor, et al. Expires November 6, 2006 [Page 77] Internet-Draft CAPWAP Protocol Specification May 2006 o WTP Descriptor, see Section 4.4.34 o WTP IPv4 IP Address, see Section 4.4.37 o WTP Name, see Section 4.4.42 o WTP Radio Information, see Section 4.4.39 A WTP Radio Information message element MUST be present for every radio in the WTP. 6.2. Join Response The Join Response message is sent by the AC to indicate to a WTP that it is capable and willing to provide service to it. After determining that a WTP should join the AC, the AC creates session state containing the WTP address, port and session ID, sets the WaitJoin timer for the session, sends the Join Response message to the WTP. The WTP, receiving a Join Response message checks for success or failure. If the message indicates success, the WTP clears the WaitJoin timer for the session and proceeds to the Configure or Image Data state. Otherwise, the WTP enters the CAPWAP reset state, resulting in shutdown of the DTLS session. If the WaitJoin Timer expires prior to reception of the Join Response message, the WTP MUST terminate the handshake, deallocate associated session state and transition to the Discover state. If an invalid (malformed) Join Response message is received, the WTP SHOULD log an informative message detailing the error. This error MUST be treated in the same manner as AC non-responsiveness. In this way, the WaitJoin timer will eventually expire, in which case the WTP may (if it is so configured) attempt to join with an alternative AC. The following message elements MAY be included in the Join Response message. o Result Code, see Section 4.4.29 o AC IPv4 List, see Section 4.4.2 o AC IPv6 List, see Section 4.4.3 o Session ID, see Section 4.4.30 Calhoun, Editor, et al. Expires November 6, 2006 [Page 78] Internet-Draft CAPWAP Protocol Specification May 2006 7. Control Channel Management The Control Channel Management messages are used by the WTP and AC to maintain a control communication channel. 7.1. Echo Request The Echo Request message is a keep alive mechanism for CAPWAP control messages. Echo Request messages are sent periodically by a WTP in the Run state (see Section 2.3) to determine the state of the connection between the WTP and the AC. The Echo Request message is sent by the WTP when the Heartbeat timer expires. The WTP MUST start its NeighborDeadInterval timer when the Heartbeat timer expires. The Echo Request message carries no message elements. When an AC receives an Echo Request message it responds with an Echo Response message. 7.2. Echo Response The Echo Response message acknowledges the Echo Request message, and is only processed while in the Run state (see Section 2.3). An Echo Response message is sent by an AC after receiving an Echo Request message. After transmitting the Echo Response message, the AC SHOULD reset its Heartbeat timer to expire in the value configured for EchoInterval. If another Echo Request message or other control message is not received by the AC when the timer expires, the AC SHOULD consider the WTP to be no longer be reachable. The Echo Response message carries no message elements. When a WTP receives an Echo Response message it stops the NeighborDeadInterval timer, and initializes the Heartbeat timer to the EchoInterval. If the NeighborDeadInterval timer expires prior to receiving an Echo Response message, or other control message, the WTP enters the Idle state. Calhoun, Editor, et al. Expires November 6, 2006 [Page 79] Internet-Draft CAPWAP Protocol Specification May 2006 8. WTP Configuration Management Wireless Termination Point Configuration messages are used to exchange configuration information between the AC and the WTP. 8.1. Configuration Consistency The CAPWAP protocol provides flexibility in how WTP configuration is managed. A WTP has two options: 1. The WTP retains no configuration and accepts the configuration provided by the AC. 2. The WTP retains the configuration of parameters provided by the AC that are non-default values. If the WTP opts to save configuration locally, the CAPWAP protocol state machine defines the Configure state, which allows for configuration exchange. In the Configure state, the WTP sends its current configuration overrides to the AC via the Configuration Status message. A configuration override is a parameter that is non- default. One example is that in the CAPWAP protocol, the default antenna configuration is internal omni antenna. A WTP that either has no internal antennas, or has been explicitly configured by the AC to use external antennas, sends its antenna configuration during the configure phase, allowing the AC to become aware of the WTP's current configuration. Once the WTP has provided its configuration to the AC, the AC sends its own configuration. This allows the WTP to inherit the configuration and policies from the AC. An AC maintains a copy of each active WTP's configuration. There is no need for versioning or other means to identify configuration changes. If a WTP becomes inactive, the AC MAY delete the configuration associated with it. If a WTP fails, and connects to a new AC, it provides its overridden configuration parameters, allowing the new AC to be aware of the WTP's configuration. This model allows for resiliency in case of an AC failure, that another AC can provide service to the WTP. In this scenario, the new AC would be automatically updated with WTP configuration changes, eliminating the need for inter-AC communication or the need for all ACs to be aware of the configuration of all WTPs in the network. Once the CAPWAP protocol enters the Run state, the WTPs begin to provide service. It is quite common for administrators to require that configuration changes be made while the network is operational. Calhoun, Editor, et al. Expires November 6, 2006 [Page 80] Internet-Draft CAPWAP Protocol Specification May 2006 Therefore, the Configuration Update Request is sent by the AC to the WTP to make these changes at run-time. 8.1.1. Configuration Flexibility The CAPWAP protocol provides the flexibility to configure and manage WTPs of varying design and functional characteristics. When a WTP first discovers an AC, it provides primary functional information relating to its type of MAC and to the nature of frames to be exchanged. The AC configures the WTP appropriately. The AC also establishes corresponding internal operations to deal with the WTP according to its functionalities. 8.2. Configuration Status The Configuration Status message is sent by a WTP to deliver its current configuration to its AC. Configuration Status messages are sent by a WTP while in the Configure state. The Configuration Status message carries binding specific message elements. Refer to the appropriate binding for the definition of this structure. When an AC receives a Configuration Status message it will act upon the content of the packet and respond to the WTP with a Configuration Status Response message. The Configuration Status message includes multiple Administrative State message Elements. There is one such message element for the WTP, and one message element per radio in the WTP. The following message elements MUST be included in the Configuration Status message. o AC Name, see Section 4.4.4 o AC Name with Index, see Section 4.4.5 o Radio Administrative State, see Section 4.4.28 o Statistics Timer, see Section 4.4.31 o WTP Board Data, see Section 4.4.33 o WTP Static IP Address Information, see Section 4.4.44 Calhoun, Editor, et al. Expires November 6, 2006 [Page 81] Internet-Draft CAPWAP Protocol Specification May 2006 o WTP Reboot Statistics, see Section 4.4.43 8.3. Configuration Status Response The Configuration Status Response message is sent by an AC and provides a mechanism for the AC to override a WTP's requested configuration. Configuration Status Response messages are sent by an AC after receiving a Configure Request message. The Configuration Status Response message carries binding specific message elements. Refer to the appropriate binding for the definition of this structure. When a WTP receives a Configuration Status Response message it acts upon the content of the message, as appropriate. If the Configuration Status Response message includes a Change State Event message element that causes a change in the operational state of one of the Radio, the WTP will transmit a Change State Event to the AC, as an acknowledgement of the change in state. The following message elements MUST be included in the Configuration Status Response message. o AC IPv4 List, see Section 4.4.2 o AC IPv6 List, see Section 4.4.3 o CAPWAP Timers, see Section 4.4.10 o Change State Event, see Section 4.4.11 o Decryption Error Report Period, see Section 4.4.15 o Idle Timeout, see Section 4.4.22 o WTP Fallback, see Section 4.4.35 8.4. Configuration Update Request Configure Update Request messages are sent by the AC to provision the WTP while in the Run state. This is used to modify the configuration of the WTP while it is operational. When an AC receives a Configuration Update Request message it will respond with a Configuration Update Response message, with the appropriate Result Code. Calhoun, Editor, et al. Expires November 6, 2006 [Page 82] Internet-Draft CAPWAP Protocol Specification May 2006 One or more of the following message elements MAY be included in the Configuration Update message. o AC IPv4 List, see Section 4.4.2 o AC IPv6 List, see Section 4.4.3 o AC Name with Index, see Section 4.4.5 o AC Timestamp, see Section 4.4.6 o Add MAC ACL Entry, see Section 4.4.7 o Add Static MAC ACL Entry, see Section 4.4.9 o CAPWAP Timers, see Section 4.4.10 o Change State Event, see Section 4.4.11 o Decryption Error Report Period, see Section 4.4.15 o Delete MAC ACL Entry, see Section 4.4.16 o Delete Static MAC ACL Entry, see Section 4.4.18 o Idle Timeout, see Section 4.4.22 o Location Data, see Section 4.4.26 o Radio Administrative State, see Section 4.4.28 o Statistics Timer, see Section 4.4.31 o WTP Fallback, see Section 4.4.35 o WTP Name, see Section 4.4.42 8.5. Configuration Update Response The Configuration Update Response message is the acknowledgement message for the Configuration Update Request message. The Configuration Update Response message is sent by a WTP after receiving a Configuration Update Request message. When an AC receives a Configure Update Response message the result code indicates if the WTP successfully accepted the configuration. Calhoun, Editor, et al. Expires November 6, 2006 [Page 83] Internet-Draft CAPWAP Protocol Specification May 2006 The following message element MUST be present in the Configuration Update message. Result Code, see Section 4.4.29 The following message elements MAY be present in the Configuration Update message. o AC IPv4 List, see Section 4.4.2 o AC IPv6 List, see Section 4.4.3 8.6. Change State Event Request The Change State Event Request message is used by the WTP to inform the AC of a change in the operational state. The Change State Event Request message is sent by the WTP when it receives a Configuration Response message that includes a Change State Event message element. It is also sent when the WTP detects an operational failure with a radio. The Change State Event Request message may be sent in either the Configure or Run state (see Section 2.3. When an AC receives a Change State Event message it will respond with a Change State Event Response message and make any necessary modifications to internal WTP data structures. The following message elements MUST be present in the Change State Event Request message. o Change State Event message element, see Section 4.4.11 8.7. Change State Event Response The Change State Event Response message acknowledges the Change State Event Request message. A Change State Event Response message is by a WTP after receiving a Change State Event Request message. The Change State Event Response message carries no message elements. Its purpose is to acknowledge the receipt of the Change State Event Request message. The WTP does not need to perform any special processing of the Change State Event Response message. Calhoun, Editor, et al. Expires November 6, 2006 [Page 84] Internet-Draft CAPWAP Protocol Specification May 2006 8.8. Clear Config Indication The Clear Config Indication message is used to reset a WTP's configuration. The Clear Config Indication message is sent by an AC to request that a WTP reset its configuration to the manufacturing default configuration. The Clear Config Indication message is sent while in the Run CAPWAP state. The Clear Config Indication message carries no message elements. When a WTP receives a Clear Config Indication message it resets its configuration to the manufacturing default configuration. Calhoun, Editor, et al. Expires November 6, 2006 [Page 85] Internet-Draft CAPWAP Protocol Specification May 2006 9. Device Management Operations This section defines CAPWAP operations responsible for debugging, gathering statistics, logging, and firmware management. 9.1. Image Data Request The Image Data Request message is used to update firmware on the WTP. This message and its companion response message are used by the AC to ensure that the image being run on each WTP is appropriate. Image Data Request messages are exchanged between the WTP and the AC to download a new firmware image to the WTP. When a WTP or AC receives an Image Data Request message it will respond with an Image Data Response message. The message elements contained within the Image Data Request is required in order to determine the intent of the request. Note that only one message element may be present in any given Image Data Request message. The decision that new firmware is to downloaded to the WTP can occur in one of two methods: When the WTP joins the AC, and each exchange their software revision, the WTP may opt to initiate a firmware download by sending an Image Data Request, which contains an Image Filename message element. Once the WTP is in the CAPWAP state, it is possible for the AC to cause the WTP to initiate a firmware download by initiating an Image Data Request, with the Initiate Download message element. The WTP would then transmit the Image Filename message element to start the download process. Regardless of how the download was initiated, once the AC receives an Image Data Request with the Image Filename message element, it begins the transfer process by transmitting its own request with the Image Data message element. This continues until the whole firmware image has been transfered. The following message elements MAY be included in the Image Data Request Message. o Image Data, see Section 4.4.23 o Image Filename, see Section 4.4.24 o Initiate Download, see Section 4.4.25 Calhoun, Editor, et al. Expires November 6, 2006 [Page 86] Internet-Draft CAPWAP Protocol Specification May 2006 9.2. Image Data Response The Image Data Response message acknowledges the Image Data Request message. An Image Data Response message is sent in response to a received Image Data Request message. Its purpose is to acknowledge the receipt of the Image Data Request message. The Image Data Response message carries no message elements. No action is necessary on receipt. 9.3. Reset Request The Reset Request message is used to cause a WTP to reboot. A Reset Request message is sent by an AC to cause a WTP to reinitialize its operation. The Reset Request carries no message elements. When a WTP receives a Reset Request it will respond with a Reset Response and then reinitialize itself. 9.4. Reset Response The Reset Response message acknowledges the Reset Request message. A Reset Response message is sent by the WTP after receiving a Reset Request message. The Reset Response message carries no message elements. Its purpose is to acknowledge the receipt of the Reset Request message. When an AC receives a Reset Response message, it is notified that the WTP will reinitialize its operation. 9.5. WTP Event Request WTP Event Request message is used by a WTP to send information to its AC. The WTP Event Request message may be sent periodically, or sent in response to an asynchronous event on the WTP. For example, a WTP MAY collect statistics and use the WTP Event Request message to transmit the statistics to the AC. When an AC receives a WTP Event Request message it will respond with a WTP Event Response message. Calhoun, Editor, et al. Expires November 6, 2006 [Page 87] Internet-Draft CAPWAP Protocol Specification May 2006 The WTP Event Request message MUST contain one of the message elements listed below, or a message element that is defined for a specific wireless technology. o Decryption Error Report, see Section 4.4.14 o Duplicate IPv4 Address, see Section 4.4.20 o Duplicate IPv6 Address, see Section 4.4.21 9.6. WTP Event Response The WTP Event Response message acknowledges receipt of the WTP Event Request message. A WTP Event Response message issent by an AC after receiving a WTP Event Request message. The WTP Event Response message carries no message elements. 9.7. Data Transfer Request The Data Transfer Request message is used to deliver debug information from the WTP to the AC. Data Transfer Request messages are sent by the WTP to the AC when the WTP determines that it has important information to send to the AC. For instance, if the WTP detects that its previous reboot was caused by a system crash, it can send the crash file to the AC. The remote debugger function in the WTP also uses the Data Transfer Request message to send console output to the AC for debugging purposes. When the AC receives a Data Transfer Request message it responds to the WTP ith a Data Transfer Response message. The AC MAY log the information received. The Data Transfer Request message MUST contain one of the message elements listed below. o Data Transfer Mode, see Section 4.4.13 o Data Transfer Data, see Section 4.4.12 9.8. Data Transfer Response The Data Transfer Response message acknowledges the Data Transfer Request message. Calhoun, Editor, et al. Expires November 6, 2006 [Page 88] Internet-Draft CAPWAP Protocol Specification May 2006 A Data Transfer Response message is sent in response to a received Data Transfer Request message. Its purpose is to acknowledge receipt of the Data Transfer Request message. The Data Transfer Response message carries no message elements. Upon receipt of a Data Transfer Response message, the WTP transmits more information, if more information is available. Calhoun, Editor, et al. Expires November 6, 2006 [Page 89] Internet-Draft CAPWAP Protocol Specification May 2006 10. Mobile Session Management Messages in this section are used by the AC to create, modify or delete mobile station session state on the WTPs. 10.1. Mobile Config Request The Mobile Config Request message is used to create, modify or delete mobile session state on a WTP. The message is sent by the AC to the WTP, and may contain one or more message elements. The message elements for this CAPWAP control message include information that is generally highly technology specific. Refer to the appropriate binding section or document for the definitions of the messages elements that may be used in this control message. The following CAPWAP Control message elements MAY be included in the Mobile Config Request message. o Add Mobile Station, see Section 4.4.8 o Delete Mobile Station, see Section 4.4.17 10.2. Mobile Config Response The Mobile Configuration Response message is used to acknowledge a previously received Mobile Configuration Request message, and MUST include a Result Code message element, see Section 4.4.29 which indicates whether an error occurred on the WTP. This message requires no special processing, and is only used to acknowledge receipt of the Mobile Configuration Request message. Calhoun, Editor, et al. Expires November 6, 2006 [Page 90] Internet-Draft CAPWAP Protocol Specification May 2006 11. IEEE 802.11 Binding This section defines the extensions required for the CAPWAP protocol to be used with the IEEE 802.11 protocol. 11.1. Split MAC and Local MAC Functionality The CAPWAP protocol, when used with IEEE 802.11 devices, requires a specific behavior from the WTP and the AC, to support the required IEEE 802.11 protocol functions. For both the Split and Local MAC approaches, the CAPWAP functions, as defined in the taxonomy specification [Add reference], reside in the AC. 11.1.1. Split MAC This section shows the division of labor between the WTP and the AC in a Split MAC architecture. Figure 3 shows the clear separation of functionality among CAPWAP components. Function Location Distribution Service AC Integration Service AC Beacon Generation WTP Probe Response Generation WTP Power Mgmt/Packet Buffering WTP Fragmentation/Defragmentation WTP/AC Assoc/Disassoc/Reassoc AC 802.11e Classifying AC Scheduling WTP/AC Queuing WTP 802.11i 802.1X/EAP AC RSNA Key Management AC 802.11 Encryption/Decryption WTP/AC Figure 3: Mapping of 802.11 Functions for Split MAC Architecture The Distribution and Integration services reside on the AC, and therefore all user data is tunneled between the WTP and the AC. As noted above, all real-time IEEE 802.11 services, including the beacon and probe response frames, are handled on the WTP. All remaining IEEE 802.11 MAC management frames are supported on the Calhoun, Editor, et al. Expires November 6, 2006 [Page 91] Internet-Draft CAPWAP Protocol Specification May 2006 AC, including the Association Request which allows the AC to be involved in the access policy enforcement portion of the IEEE 802.11 protocol. The IEEE 802.1X and IEEE 802.11i key management function are also located on the AC. While the admission control component of IEEE 802.11e resides on the AC, the real time scheduling and queuing functions are on the WTP. Note this does not exclude the AC from providing additional policing and scheduling functionality. Note that in the following figure, the use of '( - )' indicates that processing of the frames is done on the WTP. Client WTP AC Beacon <----------------------------- Probe Request ----------------------------( - )-------------------------> Probe Response <----------------------------- 802.11 AUTH/Association <---------------------------------------------------------> Mobile Config Request[Add Mobile (Clear Text, 802.1X)] <-------------------------> 802.1X Authentication & 802.11i Key Exchange <---------------------------------------------------------> Mobile Config Request[Add Mobile (AES-CCMP, PTK=x)] <-------------------------> 802.11 Action Frames <---------------------------------------------------------> 802.11 DATA (1) <---------------------------( - )-------------------------> Figure 4: Split MAC Message Flow Figure 4 provides an illustration of the division of labor in a Split MAC architecture. In this example, a WLAN has been created that is configured for IEEE 802.11i, using AES-CCMP for privacy. The following process occurs: o The WTP generates the IEEE 802.11 beacon frames, using information provided to it through the Add WLAN (see Section Section 11.10.1) message element. Calhoun, Editor, et al. Expires November 6, 2006 [Page 92] Internet-Draft CAPWAP Protocol Specification May 2006 o The WTP processes the probe request and responds with a corresponding probe response. The probe request is then forwarded to the AC for optional processing. o The WTP forwards the IEEEE 802.11 Authentication and Association frames to the AC, which is responsible for responding to the client. o Once the association is complete, the AC transmits an CAPWAP Add Mobile Station request to the WTP (see Section Section 4.4.8. In the above example, the WLAN is configured for IEEE 802.1X, and therefore the '802.1X only' policy bit is enabled. o If the WTP is providing encryption/decryption services, once the client has completed the IEEE 802.11i key exchange, the AC transmits another Add Mobile request to the WTP, stating the security policy to enforce for the client (in this case AES-CCMP), as well as the encryption key to use. If encryption/decryption is handled in the AC, the Add Mobile Station request would have the encryption policy set to "Clear Text". o The WTP forwards any 802.11 Action frames received to the AC. o All client data frames are tunneled between the WTP and the AC. Note that the WTP is responsible for encrypting and decrypting frames, if it was indicated in the Add Mobile request. 11.1.2. Local MAC This section shows the division of labor between the WTP and the AC in a Local MAC architecture. Figure 5 shows the clear separation of functionality among CAPWAP components. Calhoun, Editor, et al. Expires November 6, 2006 [Page 93] Internet-Draft CAPWAP Protocol Specification May 2006 Function Location Distribution Service WTP Integration Service WTP Beacon Generation WTP Probe Response WTP Power Mgmt/Packet Buffering WTP Fragmentation/Defragmentation WTP Assoc/Disassoc/Reassoc WTP 802.11e Classifying WTP Scheduling WTP Queuing WTP 802.11i 802.1X/EAP AC RSNA Key Management AC 802.11 Encryption/Decryption WTP Figure 5: Mapping of 802.11 Functions for Local AP Architecture Given the Distribution and Integration Services exist on the WTP, client data frames are not forwarded to the AC, with the exception listed in the following paragraphs. While the MAC is terminated on the WTP, it is necessary for the AC to be aware of mobility events within the WTPs. As a consequence, the WTP MUST forward the IEEE 802.11 Association Requests to the AC, and the AC MAY reply with a failed Association Response if it deems it necessary. The IEEE 802.1X and RSNA Key Management function resides in the AC. Therefore, the WTP MUST forward all IEEE 802.1X/RSNA Key Management frames to the AC and forward the associated responses to the station. Note that in the following figure, the use of '( - )' indicates that processing of the frames is done on the WTP. Calhoun, Editor, et al. Expires November 6, 2006 [Page 94] Internet-Draft CAPWAP Protocol Specification May 2006 Client WTP AC Beacon <----------------------------- Probe <----------------------------> 802.11 AUTH <----------------------------- 802.11 Association <---------------------------( - )-------------------------> Mobile Config Request[Add Mobile (Clear Text, 802.1X)] <-------------------------> 802.1X Authentication & 802.11i Key Exchange <---------------------------------------------------------> 802.11 Action Frames <---------------------------------------------------------> Mobile Config Request[Add Mobile (AES-CCMP, PTK=x)] <-------------------------> 802.11 DATA <-----------------------------> Figure 6: Local MAC Message Flow Figure 6 provides an illustration of the division of labor in a Local MAC architecture. In this example, a WLAN has been created that is configured for IEEE 802.11i, using AES-CCMP for privacy. The following process occurs: o The WTP generates the IEEE 802.11 beacon frames, using information provided to it through the Add WLAN (see Section 11.10.1) message element. o The WTP processes the probe request and responds with a corresponding probe response. o The WTP forwards the IEEE 802.11 Authentication and Association frames to the AC, which is responsible for responding to the client. o Once the association is complete, the AC transmits an CAPWAP Add Mobile Station message element to the WTP (see Section Section 4.4.8. In the above example, the WLAN is configured for IEEE 802.1X, and therefore the '802.1X only' policy bit is enabled. Calhoun, Editor, et al. Expires November 6, 2006 [Page 95] Internet-Draft CAPWAP Protocol Specification May 2006 o The WTP forwards all IEEE 802.1X and IEEE 802.11i key exchange messages to the AC for processing. o The AC transmits another Add Mobile Station message element to the WTP, stating the security policy to enforce for the client (in this case AES-CCMP), as well as the encryption key to use. The Add Mobile Station message element MAY include a VLAN name, which when present is used by the WTP to identify the VLAN on which the user's data frames are to be bridged. o The WTP forwards any IEEE 802.11 Action frames received to the AC. 11.2. Roaming Behavior It is important that CAPWAP implementations react properly to mobile devices associating to the networks in how they generate Add Mobile and Delete Mobile messages. This section expands upon the examples provided in the previous section, and describes how the CAPWAP control protocol is used in order to provide secure roaming. Once a client has successfully associated with the network in a secure fashion, it is likely to attempt to roam to another WTP. Figure 7 shows an example of a currently associated station moving from its "Old WTP" to a "new WTP". The figure is useful for multiple different security policies, including IEEE 802.1X and dynamic WEP keys, WPA or even WPA2 both with key caching (where the IEEE 802.1x exchange would be bypassed) and without. Client Old WTP WTP AC Association Request/Response <--------------------------------------( - )--------------> Mobile Config Request[Add Mobile (Clear Text, 802.1X)] <----------------> 802.1X Authentication (if no key cache entry exists) <--------------------------------------( - )--------------> 802.11i 4-way Key Exchange <--------------------------------------( - )--------------> Mobile Config Request[Delete Mobile] <----------------------------------> Mobile Config Request[Add Mobile (AES-CCMP, PTK=x)] <----------------> Figure 7: Client Roaming Example Calhoun, Editor, et al. Expires November 6, 2006 [Page 96] Internet-Draft CAPWAP Protocol Specification May 2006 11.3. Group Key Refresh Periodically, the Group Key (GTK)for the BSS needs to be updated. The AC uses an EAPoL frame to update the group key for each STA in the BSS. While the AC is updating the GTK, each L2 broadcast frame transmitted to the BSS needs to be duplicated and transmitted using both the current GTK and the new GTK. Once the GTK update process has completed, broadcast frames transmitted to the BSS will be encrypted using the new GYT In the case of Split MAC, the AC needs to duplicate all broadcast packets and update the key index so that the packet is transmitted using both the current and new GTK to ensure that all STA's in the BSS receive the broadcast frames. In the case of local MAC, the WTP needs to duplicate and transmit broadcast frames using the appropriate index to ensure that all STA's in the BSS continue to receive broadcast frames. The Group Key update procedure is given in the following figure. The AC will signal the update to the GTK using an 802.11 Configuration Request frame with the new GTK, its index, and the Key Status set to 3 (begin GTK update). The AC will then begin updating the GTK for each STA. During this time, the AC (for Split MAC) or WTP (for Local MAC) must duplicate broadcast packets and transmit them encrypted with both the current and new GTK. When the AC has completed the GTK update to all STA's in the BSS, the AC must transmit an 802.11 Configuration Request frame containing the new GTK, its index, and the Key Status set to 4 (GTK update complete). Client WTP AC 802.11 Config Request ( Update WLAN (GTK, GTK Index, GTK Start) <---------------------------------------------- 802.1X EAPoL (GTK Message 1) <-------------( - )------------------------------------------- 802.1X EAPoL (GTK Message 2) -------------( - )-------------------------------------------> 802.11 Config Request ( Update WLAN (GTK, GTK Index, GTK Complete) <--------------------------------------------- Figure 8: Group Key Update Procedure 11.4. Transport specific bindings All CAPWAP transports have the following IEEE 802.11 specific bindings: Calhoun, Editor, et al. Expires November 6, 2006 [Page 97] Internet-Draft CAPWAP Protocol Specification May 2006 Payload encapsulation The CAPWAP protocol defines the CAPWAP data frame, which is used to encapsulate a wireless payload. For IEEE 802.11, the IEEE 802.11 header and payload are encapsulated (excluding the IEEE 802.11 FCS checksum). The IEEE 802.11 FCS checksum is handled by the WTP. This allows the WTP to validate a frame prior to sending it to the AC. Similarly, when an AC wishes to transmit a frame towards a station, the WTP computes and adds the FCS checksum. CAPWAP Header Reserved field The reserved CAPWAP header field (see figure Section 4.1) is only used with CAPWAP data frames, and it serves two purposes, depending upon the direction of the frame. For packets from the WTP to the AC, the field uses the format described in the IEEE 802.11 Frame Info" field. However, for frames sent by the AC to the WTP, the format used is described in described in the Destination WLANs field. IEEE 802.11 Frame Info When an CAPWAP data frame is received from a station over the air, it is encapsulated and this field is used to include radio and PHY specific information associated with the frame. When used with the IEEE 802.11 binding, the field follows the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | RSSI | SNR | Data Rate | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ RSSI: RSSI is a signed, 8-bit value. It is the received signal strength indication, in dBm. SNR: SNR is a signed, 8-bit value. It is the signal to noise ratio of the received IEEE 802.11 frame, in dB. Data Rate: The data rate field is a 16 bit unsigned value. The contents of the field is set to 1/10th of the data rate of the packet received by the WTP. For instance, a packet received at 5.5Mbps would be set to 55, while 11Mbps would be set to 110. Destination WLANs The Destination WLAN field is used to specify the target WLANs for a given frame, and is only used with broadcast and multicast frames. This field allows the AC to transmit a single broadcast or multicast frame to the WTP, and allows the WTP to perform the necessary frame replication services. The field uses the following format: Calhoun, Editor, et al. Expires November 6, 2006 [Page 98] Internet-Draft CAPWAP Protocol Specification May 2006 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | WLAN | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ WLAN: This bit field indicates the WLAN ID (see section Section 11.10.1) which the WTP will transmit the associated frame on. For instance, if a multicast packet is to be transmitted on WLANs 1 and 3, bits 1 and 3 of this field would be enabled. Note this field is to be set to zero for unicast packets and is unused if the WTP is not providing encryption services. Reserved: This field MUST be set to zero. 11.5. BSSID to WLAN ID Mapping The CAPWAP protocol allows the WTP to assign BSSIDs upon creation of a WLAN (see Section Section 11.10.1). While manufacturers are free to assign BSSIDs using any arbitrary mechanism, it is advised that where possible the BSSIDs are assigned as a contiguous block. When assigned as a block, implementations can still assign any of the available BSSIDs to any WLAN. One possible method is for the WTP to assign the address using the following algorithm: base BSSID address + WLAN ID. The WTP communicates the maximum number of BSSIDs that it supports during the Config Request within the IEEE 802.11 WTP WLAN Radio Configuration message element (see Section 11.10.24). 11.6. Quality of Service for Control Messages It is recommended that IEEE 802.11 MAC management frames be sent by both the AC and the WTP with appropriate Quality of Service values, ensuring that congestion in the network minimizes occurrences of packet loss. Therefore, a Quality of Service enabled CAPWAP device should use: 802.1P: The precedence value of 6 SHOULD be used for all IEEE 802.11 MAC management frames, except for Probe Requests which SHOULD use 4. DSCP: The DSCP tag value of 46 SHOULD be used for all IEEE 802.11 MAC management frames, except for Probe Requests which SHOULD use 34. Calhoun, Editor, et al. Expires November 6, 2006 [Page 99] Internet-Draft CAPWAP Protocol Specification May 2006 11.7. IEEE 802.11 Specific CAPWAP Control Messages This section defines CAPWAP Control Messages that are specific to the IEEE 802.11 binding. The two messages are defined as IEEE 802.11 WLAN Config Request and IEEE 802.11 WLAN Config Response. See Section 4.3.1.1 The valid message types for IEEE 802.11 specific control messages are listed below. The IANA Enterprise number used with these messages is 13277 CAPWAP Control Message Message Type Value IEEE 802.11 WLAN Config Request 3398912 IEEE 802.11 WLAN Config Response 3398913 11.7.1. IEEE 802.11 WLAN Config Request The IEEE 802.11 WLAN Configuration Request is sent by the AC to the WTP in order to change services provided by the WTP. This control message is used to either create, update or delete a WLAN on the WTP. The IEEE 802.11 WLAN Configuration Request is sent as a result of either some manual admistrative process (e.g., deleting a WLAN), or automatically to create a WLAN on a WTP. When sent automatically to create a WLAN, this control message is sent after the CAPWAP Configure Update Request message has been received by the WTP. Upon receiving this control message, the WTP will modify the necessary services, and transmit an IEEE 802.11 WLAN Configuration Response. A WTP MAY provide service for more than one WLAN, therefore every WLAN is identified through a numerical index. For instance, a WTP that is capable of supporting up to 16 SSIDs, could accept up to 16 IEEE 802.11 WLAN Configuration Request messages that include the Add WLAN message element. Since the index is the primary identifier for a WLAN, an AC MAY attempt to ensure that the same WLAN is identified through the same index number on all of its WTPs. An AC that does not follow this approach MUST find some other means of maintaining a WLAN Identifier to SSID mapping table. The following message elements may be included in the IEEE 802.11 WLAN Config Request message. Only one message element MUST be present. Calhoun, Editor, et al. Expires November 6, 2006 [Page 100] Internet-Draft CAPWAP Protocol Specification May 2006 o IEEE 802.11 Add WLAN, see Section 11.10.1 o IEEE 802.11 Delete WLAN, see Section 11.10.5 o IEEE 802.11 Update WLAN, see Section 11.10.21 o IEEE 802.11 Information Element, see Section 11.10.7 11.7.2. IEEE 802.11 WLAN Config Response The IEEE 802.11 WLAN Configuration Response is sent by the AC to the WTP as an acknowledgement of the receipt of an IEEE 802.11 WLAN Configuration Request. The following message elements may be included in the IEEE 802.11 WLAN Config Request message. Only one message element MUST be present. o IEEE 802.11 Assigned WTP BSSID, see Section 11.10.3 11.8. Data Message bindings There are no CAPWAP Data Message bindings for IEEE 802.11. 11.9. Control Message bindings This section describes he IEEE 802.11 specific message elements included in CAPWAP Control Messages. 11.9.1. Mobile Config Request The following IEEE 802.11 specific message elements MAY used with the CAPWAP Mobile Config Request message. o IEEE 802.11 Mobile, see Section 11.10.11 o IEEE 802.11 Mobile Session Key, see Section 11.10.12 o Station QOS Profile, see Section 11.10.25 11.9.2. WTP Event Request The following IEEE 802.11 specific message elements may be included in the CAPWAP WTP Event Request message. o IEEE 802.11 MIC Countermeasures, see Section 11.10.9 Calhoun, Editor, et al. Expires November 6, 2006 [Page 101] Internet-Draft CAPWAP Protocol Specification May 2006 o IEEE 802.11 Statistics, see Section 11.10.16 o IEEE 802.11 WTP Radio Fail Alarm Indication, see Section 11.10.23 11.9.3. Configuration Messages This section defines the IEEE 802.11 Message Elements which MAY be included in the Configuration Status, Configuration Status Response, Configuration Update Request and Mobile Config Request CAPWAP control meessages. The binding of message elements to CAPWAP control messages is shown below: Conf Conf Conf Mobile Message Element Stat Stat Upd Config Req Msg Resp Msg Msg IEEE 802.11 Antenna X X X IEEE 802.11 Broadcast Probe Mode X X IEEE 802.11 Direct Sequence Control X X X IEEE 802.11 MAC Operation X X X IEEE 802.11 MIC Error Report From Mobile X IEEE 802.11 Mobile Session Key X IEEE 802.11 Multi-domain Capability X X X IEEE 802.11 OFDM Control X X X IEEE 802.11 Rate Set X X IEEE 802.11 Supported Rates X X IEEE 802.11 Tx Power X X X IEEE 802.11 Tx Power Level X IEEE 802.11 Update Mobile QoS X IEEE 802.11 WTP Mode and Type X? X IEEE 802.11 WTP Quality of Service X X IEEE 802.11 WTP Radio Configuration X X X 11.10. IEEE 802.11 Message Element Definitions 11.10.1. IEEE 802.11 Add WLAN The Add WLAN message element is used by the AC to define a wireless LAN on the WTP. The inclusion of this message element MUST also include IEEE 802.11 Information Element message elements, containing the following 802.11 IEs: Power Capability information element Calhoun, Editor, et al. Expires November 6, 2006 [Page 102] Internet-Draft CAPWAP Protocol Specification May 2006 WPA information element RSN information element EDCA Parameter Set information element QoS Capability information element WMM information element The message element uses the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | WLAN ID | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Encryption Policy | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key Index | Key Status | QoS | Auth Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Mode | Tunnel Mode | Suppress SSID | SSID ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1024 for IEEE 802.11 Add WLAN Length: >= 49 Radio ID: An 8-bit value representing the radio. Calhoun, Editor, et al. Expires November 6, 2006 [Page 103] Internet-Draft CAPWAP Protocol Specification May 2006 WLAN ID: An 8-bit value specifying the WLAN Identifier. Reserved: A 16-bit value that MUST be set to zero. Encryption Policy: A 32-bit value specifying the encryption scheme to apply to traffic to and from the mobile station. The applicability of the encryption policy depends upon the security policy. For static WEP keys, which is true when the 'Shared Key' bit is set, this encryption policy is relevant for both unicast and multicast traffic. For encryption schemes that employ a separate encryption key for unicast and multicast traffic, the encryption policy defined here only applies to multicast data. In these scenarios, the unicast encryption policy is communicated via the Add Mobile Station (Section 4.4.8). 0 - Encrypt WEP 104: All packets to/from the mobile station must be encrypted using standard 104 bit WEP. 1 - Clear Text: All packets to/from the mobile station do not require any additional crypto processing by the WTP. 2 - Encrypt WEP 40: All packets to/from the mobile station must be encrypted using standard 40 bit WEP. 3 - Encrypt WEP 128: All packets to/from the mobile station must be encrypted using standard 128 bit WEP. 4 - Encrypt AES-CCMP 128: All packets to/from the mobile station must be encrypted using 128 bit AES CCMP [7] 5 - Encrypt TKIP-MIC: All packets to/from the mobile station must be encrypted using TKIP and authenticated using Michael [24] Key: A 32 byte Session Key to use with the encryption policy. Key-Index: The Key Index associated with the key. Key Status: A 1 byte value that specifies the state and usage of the key that has been included. The following values describe the key usage and its status: 0 - A value of zero, with the 'Encryption Policy' field set to any value other than 'Clear Text' means that the WLAN uses per-station encryption keys, and therefore the key in the 'Key' field is only used for multicast traffic. Calhoun, Editor, et al. Expires November 6, 2006 [Page 104] Internet-Draft CAPWAP Protocol Specification May 2006 1 - When set to one, the WLAN employs a shared WEP key, also known as a static WEP key, and uses the encryption key for both unicast and multicast traffic for all stations. 2 - The value of 2 indicates that the AC will begin rekeying the GTK with the STA's in the BSS. It is only valid when IEEE 802.11i is enabled as the security policy for the BSS. 3 - The value of 3 indicates that the AC has completed rekeying the GTK and broadcast packets no longer need to be duplicated and transmitted with both GTK's. QOS: An 8-bit value specifying the QoS policy to enforce for the station. The following values are supported: 0 - Best Effort 1 - Video 2 - Voice 3 - Background Auth Type: An 8-bit value specifying the supported authentication type. The following values are supported: 0 - Open System 1 - WEP Shared Key 2 - WPA/WPA2 802.1X 3 - WPA/WPA2 PSK MAC Mode: This field specifies whether the WTP should support the WLAN in Local or Split MAC modes. Note that the AC MUST NOT request a mode of operation that was not advertised by the WTP during the discovery process (see section Section 4.4.38). The following values are supported: 0 - Local-MAC: Service for the WLAN is to be provided in Local MAC mode. Calhoun, Editor, et al. Expires November 6, 2006 [Page 105] Internet-Draft CAPWAP Protocol Specification May 2006 1 - Split-MAC: Service for the WLAN is to be provided in Split MAC mode. Tunnel Mode: This field specifies the tunneling type to be used for all stations associated with the WLAN. Note that the AC MUST NOT request a mode of operation that was not advertised by the WTP during the discovery process (see section Section 4.4.36). The following values are supported: 0 - Local Bridging: All user traffic is to be locally bridged. 1 - 802.3 Tunnel: All user traffic is to be tunneled to the AC in 802.3 format (see section Section 4.2). 2 - 802.11 Bridging: All user traffic is to be tunneled to the AC in 802.11 format. Supress SSID: A boolean indicating whether the SSID is to be advertised by the WTP. A value of zero supresses the SSID in the 802.11 Beacon and Probe Response frames, while a value of one will cause the WTP to populate the field. SSID: The SSID attribute is the service set identifier that will be advertised by the WTP for this WLAN. 11.10.2. IEEE 802.11 Antenna The antenna message element is communicated by the WTP to the AC to provide information on the antennas available. The AC MAY use this element to reconfigure the WTP's antennas. The value contains the following fields: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Diversity | Combiner | Antenna Cnt | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Antenna Selection [0..N] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1025 for IEEE 802.11 Antenna Length: >= 5 Radio ID: An 8-bit value representing the radio to configure. Calhoun, Editor, et al. Expires November 6, 2006 [Page 106] Internet-Draft CAPWAP Protocol Specification May 2006 Diversity: An 8-bit value specifying whether the antenna is to provide receive diversity. The following values are supported: 0 - Disabled 1 - Enabled (may only be true if the antenna can be used as a receive antenna) Combiner: An 8-bit value specifying the combiner selection. The following values are supported: 1 - Sectorized (Left) 2 - Sectorized (Right) 3 - Omni 4 - MIMO Antenna Count: An 8-bit value specifying the number of Antenna Selection fields. Antenna Selection: One 8-bit antenna configuration value per antenna in the WTP. The following values are supported: 1 - Internal Antenna 2 - External Antenna 11.10.3. IEEE 802.11 Assigned WTP BSSID The IEEE 802.11 Assigned WTP BSSID is only included by the WTP when the IEEE 802.11 WLAN Config Request included the IEEE 802.11 Add WLAN message element. The value field of this message element contains the BSSID that has been assigned by the WTP, which allows the WTP to perform its own BSSID assignment. The WTP is free to assign the BSSIDs the way it sees fit, but it is highly recommended that the WTP assign the BSSID using the following algorithm: BSSID = {base BSSID} + WLAN ID. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | BSSID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | BSSID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, Editor, et al. Expires November 6, 2006 [Page 107] Internet-Draft CAPWAP Protocol Specification May 2006 Type: 1026 for IEEE 802.11 Assigned WTP BSSID Length: 6 BSSID: The BSSID assigned by the WTP for the WLAN created as a result of receiving an IEEE 802.11 Add WLAN. 11.10.4. IEEE 802.11 Broadcast Probe Mode The Broadcast Probe Mode message element indicates whether a WTP will respond to NULL SSID probe requests. Since broadcast NULL probes are not sent to a specific BSSID, the WTP cannot know which SSID the sending station is querying. Therefore, this behavior must be global to the WTP. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Status | +-+-+-+-+-+-+-+-+ Type: 1027 for IEEE 802.11 Broadcast Probe Mode Length: 1 Status: An 8-bit boolean indicating the status of whether a WTP shall response to a NULL SSID probe request. A value of zero disables NULL SSID probe response, while a value of one enables it. 11.10.5. IEEE 802.11 Delete WLAN The delete WLAN message element is used to inform the WTP that a previously created WLAN is to be deleted. The value contains the following fields: 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | WLAN ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1028 for IEEE 802.11 Delete WLAN Length: 3 Calhoun, Editor, et al. Expires November 6, 2006 [Page 108] Internet-Draft CAPWAP Protocol Specification May 2006 Radio ID: An 8-bit value representing the radio WLAN ID: A 16-bit value specifying the WLAN Identifier 11.10.6. IEEE 802.11 Direct Sequence Control The direct sequence control message element is a bi-directional element. When sent by the WTP, it contains the current state. When sent by the AC, the WTP MUST adhere to the values. This element is only used for 802.11b radios. The value has the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Reserved | Current Chan | Current CCA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Energy Detect Threshold | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1029 for IEEE 802.11 Direct Sequence Control Length: 8 Radio ID: An 8-bit value representing the radio to configure. Reserved: MUST be set to zero Current Channel: This attribute contains the current operating frequency channel of the DSSS PHY. Current CCA: The current CCA method in operation. Valid values are: 1 - energy detect only (edonly) 2 - carrier sense only (csonly) 4 - carrier sense and energy detect (edandcs) 8 - carrier sense with timer (cswithtimer) 16 - high rate carrier sense and energy detect (hrcsanded) Energy Detect Threshold: The current Energy Detect Threshold being used by the DSSS PHY. Calhoun, Editor, et al. Expires November 6, 2006 [Page 109] Internet-Draft CAPWAP Protocol Specification May 2006 11.10.7. IEEE 802.11 Information Element The IEEE 802.11 Information Element is used to communicate any IE defined in the IEEE 802.11 protocol. The data field contains the raw IE as it would be included within an IEEE 802.11 MAC management message. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- |B|P| Flags | Info Element +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Type: 1030 for IEEE 802.11 Information Element Length: >= 2 B: When set, the WTP is to include the information element in beacons associated with the WLAN. P: When set, the WTP is to include the information element in probe responses associated with the WLAN. Flags: Reserved field and MUST be set to zero. Info Element: The IEEE 802.11 Information Element, which includes the type, length and value field. 11.10.8. IEEE 802.11 MAC Operation The MAC operation message element is sent by the AC to set the 802.11 MAC parameters on the WTP. The value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Reserved | RTS Threshold | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Short Retry | Long Retry | Fragmentation Threshold | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Tx MSDU Lifetime | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Rx MSDU Lifetime | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, Editor, et al. Expires November 6, 2006 [Page 110] Internet-Draft CAPWAP Protocol Specification May 2006 Type: 1031 for IEEE 802.11 MAC Operation Length: 16 Radio ID: An 8-bit value representing the radio to configure. Reserved: MUST be set to zero RTS Threshold: This attribute indicates the number of octets in an MPDU, below which an RTS/CTS handshake MUST NOT be performed. An RTS/CTS handshake MUST be performed at the beginning of any frame exchange sequence where the MPDU is of type Data or Management, the MPDU has an individual address in the Address1 field, and the length of the MPDU is greater than this threshold. Setting this attribute to be larger than the maximum MSDU size MUST have the effect of turning off the RTS/CTS handshake for frames of Data or Management type transmitted by this STA. Setting this attribute to zero MUST have the effect of turning on the RTS/CTS handshake for all frames of Data or Management type transmitted by this STA. The default value of this attribute MUST be 2347. Short Retry: This attribute indicates the maximum number of transmission attempts of a frame, the length of which is less than or equal to RTSThreshold, that MUST be made before a failure condition is indicated. The default value of this attribute MUST be 7. Long Retry: This attribute indicates the maximum number of transmission attempts of a frame, the length of which is greater than dot11RTSThreshold, that MUST be made before a failure condition is indicated. The default value of this attribute MUST be 4. Fragmentation Threshold: This attribute specifies the current maximum size, in octets, of the MPDU that MAY be delivered to the PHY. An MSDU MUST be broken into fragments if its size exceeds the value of this attribute after adding MAC headers and trailers. An MSDU or MMPDU MUST be fragmented when the resulting frame has an individual address in the Address1 field, and the length of the frame is larger than this threshold. The default value for this attribute MUST be the lesser of 2346 or the aMPDUMaxLength of the attached PHY and MUST never exceed the lesser of 2346 or the aMPDUMaxLength of the attached PHY. The value of this attribute MUST never be less than 256. Calhoun, Editor, et al. Expires November 6, 2006 [Page 111] Internet-Draft CAPWAP Protocol Specification May 2006 Tx MSDU Lifetime: This attribute speficies the elapsed time in TU, after the initial transmission of an MSDU, after which further attempts to transmit the MSDU MUST be terminated. The default value of this attribute MUST be 512. Rx MSDU Lifetime: This attribute specifies the elapsed time in TU, after the initial reception of a fragmented MMPDU or MSDU, after which further attempts to reassemble the MMPDU or MSDU MUST be terminated. The default value MUST be 512. 11.10.9. IEEE 802.11 MIC Countermeasures The MIC Countermeasures message element is sent by the WTP to the AC to indicate the occurrence of a MIC failure. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | WLAN ID | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1032 for IEEE 802.11 MIC Countermeasures Length: 8 Radio ID: The Radio Identifier, typically refers to some interface index on the WTP. WLAN ID: This 8-bit unsigned integer includes the WLAN Identifier, on which the MIC failure occurred. MAC Address: The MAC Address of the mobile station that caused the MIC failure. 11.10.10. IEEE 802.11 MIC Error Report From Mobile The MIC Error Report From Mobile message element is sent by an AC to an WTP when it receives a MIC failure notification, via the Error bit in the EAPOL-Key frame. Calhoun, Editor, et al. Expires November 6, 2006 [Page 112] Internet-Draft CAPWAP Protocol Specification May 2006 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Client MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Client MAC Address | BSSID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | BSSID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | WLAN ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1033 for IEEE 802.11 MIC Error Report From Mobile Length: 14 Client MAC Address: The Client MAC Address of the station reporting the MIC failure. BSSID: The BSSID on which the MIC failure is being reported. Radio ID: The Radio Identifier, typically refers to some interface index on the WTP WLAN ID: The WLAN ID on which the MIC failure is being reported. 11.10.11. IEEE 802.11 Mobile The IEEE 802.11 Mobile message element accompanies the Add Mobile message element, and is used to deliver IEEE 802.11 station policy from the AC to the WTP. The latest IEEE 802.11 Mobile message element overrides any previously received message elements. If the QoS field is set, the WTP MUST observe and provide policing of the 802.11e priority tag to ensure that it does not exceed the value provided by the AC. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Association ID | Flags | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Capabilities | WLAN ID |Supported Rates +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, Editor, et al. Expires November 6, 2006 [Page 113] Internet-Draft CAPWAP Protocol Specification May 2006 Type: 1034 for Add IEEE 802.11 Mobile Length: >= 8 Radio ID: An 8-bit value representing the radio Association ID: A 16-bit value specifying the IEEE 802.11 Association Identifier Flags: The Flags field MUST be set to zero Capabilities: A 16-bit field containing the IEEE 802.11 capabilities to use with the mobile. WLAN ID: An 8-bit value specifying the WLAN Identifier Supported Rates: The variable length field containing the supported rates to be used with the mobile station. 11.10.12. IEEE 802.11 Mobile Session Key The Mobile Session Key Payload message element is sent when the AC determines that encryption of a mobile station must be performed in the WTP. This message element MUST NOT be present without the IEEE 802.11 Mobile (see Section 11.10.11) message element, and MUST NOT be sent if the WTP had not specifically advertised support for the requested encryption scheme. If the IEEE 802.11 Mobile Session Key message element's EAP-Only bit is set, the WTP MUST drop all IEEE 802.11 packets that do not contain EAP packets. Note that when EAP-Only is set, the Encryption Policy field MAY be set, and therefore it is possible to inform a WTP to only accept encrypted EAP packets. Once the mobile station has successfully completed EAP authentication, the AC must send a new Add Mobile message element to remove the EAP Only restriction, and optionally push the session key down to the WTP. Calhoun, Editor, et al. Expires November 6, 2006 [Page 114] Internet-Draft CAPWAP Protocol Specification May 2006 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address |E|C| Flags | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Encryption Policy | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Pairwise TSC | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Pairwise TSC | Pairwise RSC | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Pairwise RSC | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Session Key... +-+-+-+-+-+-+-+- Type: 1035 for IEEE 802.11 Mobile Session Key Length: >= 25 MAC Address: The mobile station's MAC Address Flags: A 16 bit field, whose unused bits MUST be set to zero. The following bits are defined: E: The one bit EAP-Only field is set by the AC to inform the WTP that is MUST NOT accept any 802.11 data frames, other than IEEE 802.1X frames. This is the equivalent of the WTP's IEEE 802.1X port for the mobile station to be in the closed state. When set, the WTP MUST drop any non-IEEE 802.1X packets it receives from the mobile station. C: The one bit field is set by the AC to inform the WTP that encryption services will be provided by the AC. When set, the WTP SHOULD police frames received from stations to ensure that they comply to the stated encryption policy, but does not need to take specific cryptographic action on the frame. Similarly, for transmitted frames, the WTP only needs to forward already encrypted frames. Encryption Policy: The policy field informs the WTP how to handle packets from/to the mobile station. The following values are supported: Calhoun, Editor, et al. Expires November 6, 2006 [Page 115] Internet-Draft CAPWAP Protocol Specification May 2006 0 - Encrypt WEP 104: All packets to/from the mobile station must be encrypted using standard 104 bit WEP. 1 - Clear Text: All packets to/from the mobile station do not require any additional crypto processing by the WTP. 2 - Encrypt WEP 40: All packets to/from the mobile station must be encrypted using standard 40 bit WEP. 3 - Encrypt WEP 128: All packets to/from the mobile station must be encrypted using standard 128 bit WEP. 4 - Encrypt AES-CCMP 128: All packets to/from the mobile station must be encrypted using 128 bit AES CCMP [7] 5 - Encrypt TKIP-MIC: All packets to/from the mobile station must be encrypted using TKIP and authenticated using Michael [24] Pairwise TSC: The 6 byte Transmit Sequence Counter (TSC) field to use for unicast packets transmitted to the mobile. Pairwise RSC: The 6 byte Receive Sequence Counter (RSC) to use for unicast packets received from the mobile. Session Key: The session key the WTP is to use when encrypting traffic to/from the mobile station. For dynamically created keys, this is commonly known as a Pairwise Transient Key (PTK). 11.10.13. IEEE 802.11 Multi-domain Capability The multi-domain capability message element is used by the AC to inform the WTP of regulatory limits. The value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Reserved | First Channel # | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Number of Channels | Max Tx Power Level | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1036 for IEEE 802.11 Multi-Domain Capability Length: 8 Calhoun, Editor, et al. Expires November 6, 2006 [Page 116] Internet-Draft CAPWAP Protocol Specification May 2006 Radio ID: An 8-bit value representing the radio to configure. Reserved: MUST be set to zero First Channnel #: This attribute indicates the value of the lowest channel number in the subband for the associated domain country string. Number of Channels: This attribute indicates the value of the total number of channels allowed in the subband for the associated domain country string. Max Tx Power Level: This attribute indicates the maximum transmit power, in dBm, allowed in the subband for the associated domain country string. 11.10.14. IEEE 802.11 OFDM Control The OFDM control message element is a bi-directional element. When sent by the WTP, it contains the current state. When sent by the AC, the WTP MUST adhere to the values. This element is only used for 802.11a radios. The value contains the following fields: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Reserved | Current Chan | Band Support | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TI Threshold | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1037 for IEEE 802.11 OFDM Control Length: 8 Radio ID: An 8-bit value representing the radio to configure. Reserved: MUST be set to zero Current Channel: This attribute contains the current operating frequency channel of the OFDM PHY. Band Supported: The capability of the OFDM PHY implementation to operate in the three U-NII bands. Coded as an integer value of a three bit field as follows: capable of operating in the lower (5.15-5.25 GHz) U-NII band Calhoun, Editor, et al. Expires November 6, 2006 [Page 117] Internet-Draft CAPWAP Protocol Specification May 2006 capable of operating in the middle (5.25-5.35 GHz) U-NII band capable of operating in the upper (5.725-5.825 GHz) U-NII band For example, for an implementation capable of operating in the lower and mid bands this attribute would take the value TI Threshold: The Threshold being used to detect a busy medium (frequency). CCA MUST report a busy medium upon detecting the RSSI above this threshold. 11.10.15. IEEE 802.11 Rate Set The rate set message element value is sent by the AC and contains the supported operational rates. It contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Rate Set... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1038 for IEEE 802.11 Rate Set Length: >= 3 Radio ID: An 8-bit value representing the radio to configure. Rate Set: The AC generates the Rate Set that the WTP is to include in it's Beacon and Probe messages. The length of this field is between 2 and 8 bytes. 11.10.16. IEEE 802.11 Statistics The statistics message element is sent by the WTP to transmit it's current statistics. The value contains the following fields. Calhoun, Editor, et al. Expires November 6, 2006 [Page 118] Internet-Draft CAPWAP Protocol Specification May 2006 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Tx Fragment Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Multicast Tx Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Failed Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Retry Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Multiple Retry Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Frame Duplicate Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | RTS Success Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | RTS Failure Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ACK Failure Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Rx Fragment Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Multicast RX Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | FCS Error Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Tx Frame Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Decryption Errors | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1039 for Statistics Length: 60 Radio ID: An 8-bit value representing the radio. Tx Fragment Count: A 32-bit value representing the number of fragmented frames transmitted. Multicast Tx Count: A 32-bit value representing the number of multicast frames transmitted. Calhoun, Editor, et al. Expires November 6, 2006 [Page 119] Internet-Draft CAPWAP Protocol Specification May 2006 Failed Count: A 32-bit value representing the transmit excessive retries. Retry Count: A 32-bit value representing the number of transmit retries. Multiple Retry Count: A 32-bit value representing the number of transmits that required more than one retry. Frame Duplicate Count: A 32-bit value representing the duplicate frames received. RTS Success Count: A 32-bit value representing the number of successfully transmitted Ready To Send (RTS). RTS Failure Count: A 32-bit value representing the failed transmitted RTS. ACK Failure Count: A 32-bit value representing the number of failed acknowledgements. Rx Fragment Count: A 32-bit value representing the number of fragmented frames received. Multicast RX Count: A 32-bit value representing the number of multicast frames received. FCS Error Count: A 32-bit value representing the number of FCS failures. Decryption Errors: A 32-bit value representing the number of Decryption errors that occurred on the WTP. Note that this field is only valid in cases where the WTP provides encryption/ decryption services. 11.10.17. IEEE 802.11 Supported Rates The supported rates message element is sent by the WTP to indicate the rates that it supports. The value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Supported Rates... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, Editor, et al. Expires November 6, 2006 [Page 120] Internet-Draft CAPWAP Protocol Specification May 2006 Type: 1040 for IEEE 802.11 Supported Rates Length: >= 3 Radio ID: An 8-bit value representing the radio. Supported Rates: The WTP includes the Supported Rates that its hardware supports. The format is identical to the Rate Set message element and is between 2 and 8 bytes in length. 11.10.18. IEEE 802.11 Tx Power The Tx power message element value is bi-directional. When sent by the WTP, it contains the current power level of the radio in question. When sent by the AC, it contains the power level the WTP MUST adhere to. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Reserved | Current Tx Power | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1041 for IEEE 802.11 Tx Power Length: 4 Radio ID: An 8-bit value representing the radio to configure. Reserved: MUST be set to zero Current Tx Power: This attribute contains the transmit output power in mW. 11.10.19. IEEE 802.11 Tx Power Level The Tx power level message element is sent by the WTP and contains the different power levels supported. The value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Num Levels | Power Level [n] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, Editor, et al. Expires November 6, 2006 [Page 121] Internet-Draft CAPWAP Protocol Specification May 2006 Type: 1042 for IEEE 802.11 Tx Power Level Length: >= 4 Radio ID: An 8-bit value representing the radio to configure. Num Levels: The number of power level attributes. Power Level: Each power level fields contains a supported power level, in mW. 11.10.20. IEEE 802.11 Update Mobile QoS The Update Mobile QoS message element is used to change the Quality of Service policy on the WTP for a given mobile station. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | DSCP Tag | 802.1P Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1043 for IEEE 802.11 Update Mobile QoS Length: 8 Radio ID: The Radio Identifier, typically refers to some interface index on the WTP MAC Address: The mobile station's MAC Address. DSCP Tag: The DSCP label to use if packets are to be DSCP tagged. 802.1P Tag: The 802.1P precedence value to use if packets are to be IEEE 802.1P tagged. 11.10.21. IEEE 802.11 Update WLAN The Update WLAN message element is used by the AC to define a wireless LAN on the WTP. The inclusion of this message element MUST also include the IEEE 802.11 Information Element message element, containing the following 802.11 IEs: Calhoun, Editor, et al. Expires November 6, 2006 [Page 122] Internet-Draft CAPWAP Protocol Specification May 2006 Power Capability information element WPA information element RSN information element EDCA Parameter Set information element QoS Capability information element WMM information element The message element uses the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | WLAN ID |Encrypt Policy | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Encryption Policy | Key... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key Index | Shared Key | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1044 for IEEE 802.11 Update WLAN Length: 43 Radio ID: An 8-bit value representing the radio. WLAN ID: A 16-bit value specifying the WLAN Identifier. Encryption Policy: A 32-bit value specifying the encryption scheme to apply to traffic to and from the mobile station. The applicability of the encryption policy depends upon the security policy. For static WEP keys, which is true when the 'Shared Key' bit is set, this encryption policy is relevant for both unicast and multicast traffic. For encryption schemes that employ a separate encryption key for unicast and multicast traffic, the encryption policy defined here only applies to multicast data. In these scenarios, the unicast encryption policy is communicated via the Add Mobile Station (Section 4.4.8). Calhoun, Editor, et al. Expires November 6, 2006 [Page 123] Internet-Draft CAPWAP Protocol Specification May 2006 The following values are supported: 0 - Encrypt WEP 104: All packets to/from the mobile station must be encrypted using standard 104 bit WEP. 1 - Clear Text: All packets to/from the mobile station do not require any additional crypto processing by the WTP. 2 - Encrypt WEP 40: All packets to/from the mobile station must be encrypted using standard 40 bit WEP. 3 - Encrypt WEP 128: All packets to/from the mobile station must be encrypted using standard 128 bit WEP. 4 - Encrypt AES-CCMP 128: All packets to/from the mobile station must be encrypted using 128 bit AES CCMP [7] 5 - Encrypt TKIP-MIC: All packets to/from the mobile station must be encrypted using TKIP and authenticated using Michael [24] Key: A 32 byte Session Key to use with the encryption policy. Key-Index: The Key Index associated with the key. Key Status: A 1 byte value that specifies the state and usage of the key that has been included. The following values describe the key usage and its status: 0 - A value of zero, with the 'Encryption Policy' field set to any value other than 'Clear Text' means that the WLAN uses per-station encryption keys, and therefore the key in the 'Key' field is only used for multicast traffic. 1 - When set to one, the WLAN employs a shared WEP key, also known as a static WEP key, and uses the encryption key for both unicast and multicast traffic for all stations. 2 - The value of 2 indicates that the AC will begin rekeying the GTK with the STA's in the BSS. It is only valid when IEEE 802.11i is enabled as the security policy for the BSS. 3 - The value of 3 indicates that the AC has completed rekeying the GTK and broadcast packets no longer need to be duplicated and transmitted with both GTK's. Calhoun, Editor, et al. Expires November 6, 2006 [Page 124] Internet-Draft CAPWAP Protocol Specification May 2006 11.10.22. IEEE 802.11 WTP Quality of Service The WTP Quality of Service message element value is sent by the AC to the WTP to communicate quality of service configuration information. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Tag Packets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1045 for IEEE 802.11 WTP Quality of Service Length: >= 2 Radio ID: The Radio Identifier, typically refers to some interface index on the WTP Tag Packets: An value indicating whether CAPWAP packets should be tagged with for QoS purposes. The following values are currently supported: 0 - Untagged 1 - 802.1P 2 - DSCP Immediately following the above header is the following data structure. This data structure will be repeated five times; once for every QoS profile. The order of the QoS profiles are Voice, Video, Best Effort and Background. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Queue Depth | CWMin | CWMax | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | CWMax | AIFS | Dot1P Tag | DSCP Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Queue Depth: The number of packets that can be on the specific QoS transmit queue at any given time. Calhoun, Editor, et al. Expires November 6, 2006 [Page 125] Internet-Draft CAPWAP Protocol Specification May 2006 CWMin: The Contention Window minimum value for the QoS transmit queue. CWMax: The Contention Window maximum value for the QoS transmit queue. AIFS: The Arbitration Inter Frame Spacing to use for the QoS transmit queue. Dot1P Tag: The 802.1P precedence value to use if packets are to be 802.1P tagged. DSCP Tag: The DSCP label to use if packets are to be DSCP tagged. 11.10.23. IEEE 802.11 WTP Radio Fail Alarm Indication The WTP Radio Fail Alarm Indication message element is sent by the WTP to the AC when it detects a radio failure. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Type | Status | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1046 for WTP Radio Fail Alarm Indication Length: 4 Radio ID: The Radio Identifier, typically refers to some interface index on the WTP Type: The type of radio failure detected. The following values are supported: 1 - Receiver 2 - Transmitter Status: An 8-bit boolean indicating whether the radio failure is being reported or cleared. A value of zero is used to clear the event, while a value of one is used to report the event. Pad: Reserved field MUST be set to zero (0). Calhoun, Editor, et al. Expires November 6, 2006 [Page 126] Internet-Draft CAPWAP Protocol Specification May 2006 11.10.24. IEEE 802.11 WTP Radio Configuration The WTP WLAN radio configuration is used by the AC to configure a Radio on the WTP, and by the WTP to deliver its radio configuration to the AC. The message element value contains the following fields: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Reserved | Num of BSSIDs | DTIM Period | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | BSSID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | BSSID | Beacon Period | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Country Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1047 for IEEE 802.11 WTP WLAN Radio Configuration Length: 16 Radio ID: An 8-bit value representing the radio to configure. Reserved: MUST be set to zero BSSID: The WLAN Radio's base MAC Address. Number of BSSIDs: This attribute contains the maximum number of BSSIDs supported by the WTP. This value restricts the number of logical networks supported by the WTP, and is between 1 and 16. DTIM Period: This attribute specifies the number of beacon intervals that elapse between transmission of Beacons frames containing a TIM element whose DTIM Count field is 0. This value is transmitted in the DTIM Period field of Beacon frames. Beacon Period: This attribute specifies the number of TU that a station uses for scheduling Beacon transmissions. This value is transmitted in Beacon and Probe Response frames. Country Code: This attribute identifies the country in which the station is operating. Special attention is required with use of this field, as implementations which take action based on this field could violate regulatory requirements. Some regulatory bodies do permit configuration of the country code under certain Calhoun, Editor, et al. Expires November 6, 2006 [Page 127] Internet-Draft CAPWAP Protocol Specification May 2006 restrictions, such as the FCC, when WTPs are certified as Software Defined Radios. The WTP and AC may ignore the value of this field, depending upon regulatory requirements, for example to avoid classification as a Software Defined Radio. When this field is used, the first two octets of this string is the two character country code as described in document ISO/IEC 3166- 1, and the third octet MUST have the value 1, 2 or 3 as defined below. When the value of the third octet is 255, the country code field is not used, and MUST be ignored 1 an ASCII space character, if the regulations under which the station is operating encompass all environments in the country, 2 an ASCII 'O' character, if the regulations under which the station is operating are for an outdoor environment only, or 3 an ASCII 'I' character, if the regulations under which the station is operating are for an indoor environment only 255 Country Code field is not used; ignore the field. 11.10.25. Station QoS Profile The Station QoS Profile Payload message element contains the maximum IEEE 802.11e priority tag that may be used by the station. Any packet received that exceeds the value encoded in this message element must either be dropped or tagged using the maximum value permitted by to the user. The priority tag must be between zero (0) and seven (7). 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | 802.1P Precedence Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 1048 for IEEE 802.11 Station QOS Profile Length: 8 MAC Address: The mobile station's MAC Address Calhoun, Editor, et al. Expires November 6, 2006 [Page 128] Internet-Draft CAPWAP Protocol Specification May 2006 802.1P Precedence Tag: The maximum 802.1P precedence value that the WTP will allow in the TID field in the extended 802.11e QOS Data header. 11.11. Technology Specific Message Element Values This section lists IEEE 802.11 specific values for any generic CAPWAP message elements which include fields whose values are technology specific. IEEE 802.11 uses the following values: 4 - Encrypt AES-CCMP 128: WTP supports AES-CCMP, as defined in [7]. 5 - Encrypt TKIP-MIC: WTP supports TKIP and Michael, as defined in [24]. Calhoun, Editor, et al. Expires November 6, 2006 [Page 129] Internet-Draft CAPWAP Protocol Specification May 2006 12. NAT Considerations There are two specific situations in which a NAT system may be used in conjunction with a CAPWAP-enabled system. The first consists of a configuration where the WTP is behind a NAT system. Given that all communication is initiated by the WTP, and all communication is performed over IP using two UDP ports, the protocol easily traverses NAT systems in this configuration. The second configuration is one where the AC sits behind a NAT. Two issues exist in this situation. First, an AC communicates its interfaces, and associated WTP load on these interfaces, through the WTP Manager Control IP Address. This message element is currently mandatory, and if NAT compliance became an issue, it would be possible to either: 1. Make the WTP Manager Control IP Address optional, allowing the WTP to simply use the known IP Address. However, note that this approach would eliminate the ability to perform load balancing of WTP across ACs, and therefore is not the recommended approach. 2. Allow an AC to be able to configure a NAT'ed address for every associated AC that would generally be communicated in the WTP Manager Control IP Address message element. 3. Require that if a WTP determines that the AC List message element consists of a set of IP Addresses that are different from the AC's IP Address it is currently communicating with, then assume that NAT is being enforced, and require that the WTP communicate with the original AC's IP Address (and ignore the WTP Manager Control IP Address message element(s)). Another issue related to having an AC behind a NAT system is CAPWAP's support for the CAPWAP Objective to allow the control and data plane to be separated. In order to support this requirement, the CAPWAP protocol defines the WTP Manager Data IP Address message element, which allows the AC to inform the WTP that the CAPWAP data frames are to be forwarded to a separate IP Address. This feature MUST be disabled when an AC is behind a NAT. However, there is no easy way to provide some default mechanism that satisfies both the data/ control separation and NAT objectives, as they directly conflict with each other. As a consequence, user intervention will be required to support such networks. The CAPWAP protocol allows for all of the ACs identities supporting a group of WTPs to be communicated through the AC List message element. This feature must be disabled when the AC is behind a NAT and the IP Address that is embedded would be invalid. Calhoun, Editor, et al. Expires November 6, 2006 [Page 130] Internet-Draft CAPWAP Protocol Specification May 2006 The CAPWAP protocol has a feature that allows an AC to configure a static IP address on a WTP. The WTP Static IP Address Information message element provides such a function, however this feature SHOULD NOT be used in NAT'ed environments, unless the administrator is familiar with the internal IP addressing scheme within the WTP's private network, and does not rely on the public address seen by the AC. When a WTP detects the duplicate address condition, it generates a message to the AC, which includes the Duplicate IP Address message element. The IP Address embedded within this message element is different from the public IP address seen by the AC. Calhoun, Editor, et al. Expires November 6, 2006 [Page 131] Internet-Draft CAPWAP Protocol Specification May 2006 13. Security Considerations This section describes security considerations for the CAPWAP protocol. It also provides security recommendations for protocols used in conjunction with CAPWAP. 13.1. CAPWAP Security As it is currently specified, the CAPWAP protocol sits between the security mechanisms specified by the wireless link layer protocol (e.g.IEEE 802.11i) and AAA. One goal of CAPWAP is to bootstrap trust between the STA and WTP using a series of preestablished trust relationships: STA WTP AC AAA ============================================== DTLS Cred AAA Cred <------------><-------------> EAP Credential <------------------------------------------> wireless link layer (e.g.802.11 PTK) <--------------> (derived) Within CAPWAP, DTLS is used to secure the link between the WTP and AC. In addition to securing control messages, it's also a link in this chain of trust for establishing link layer keys. Consequently, much rests on the security of DTLS. In some CAPWAP deployment scenarios, there are two channels between the WTP and AC: the control channel, carrying CAPWAP control messages, and the data channel, over which client data packets are tunneled between the AC and WTP. Typically, the control channel is secured by DTLS, while the data channel is not. In the remote WTP with local MAC deployment scenario, there is only one channel (a control channel) between the AC and WTP. The use of parallel protected and unprotected channels deserves special consideration, but does not create a threat. There are two potential concerns: attempting to convert protected data into un- protected data and attempting to convert un-protected data into Calhoun, Editor, et al. Expires November 6, 2006 [Page 132] Internet-Draft CAPWAP Protocol Specification May 2006 protected data. These concerns are addressed below. 13.1.1. Converting Protected Data into Unprotected Data Since CAPWAP does not support authentication-only ciphers (i.e. all supported ciphersuites include encryption and authentication), it is not possible to convert protected data into unprotected data. Since encrypted data is (ideally) indistinguishable from random data, the probability of an encrypted packet passing for a well-formed packet is effectively zero. 13.1.2. Converting Unprotected Data into Protected Data (Insertion) The use of message authentication makes it impossible for the attacker to forge protected records. This makes conversion of unprotected records to protected records impossible. 13.1.3. Deletion of Protected Records An attacker could remove protected records from the stream, though not undetectably so, due the built-in reliability of the underlying CAPWAP protocol. In the worst case, the attacker would remove the same record repeatedly, resulting in a CAPWAP session timeout and restart. This is effectively a DoS attack, and could be accomplished by a man in the middle regardless of the CAPWAP protocol security mechanisms chosen. 13.1.4. Insertion of Unprotected Records An attacker could inject packets into the unprotected channel, but this may become evident if sequence number desynchronization occurs as a result. Only if the attacker is a MiM can packets be inserted undetectably. This is a consequence of that channel's lack of protection, and not a new threat resulting from the CAPWAP security mechanism. 13.2. Use of Preshared Keys in CAPWAP While use of preshared keys may provide deployment and provisioning advantages not found in public key based deployments, it also introduces a number of operational and security concerns. In particular, because the keys must typically be entered manually, it is common for people to base them on memorable words or phrases. These are referred to as "low entropy passwords/passphrases". Use of low-entropy preshared keys, coupled with the fact that the keys are often not frequently updated, tends to significantly increase exposure. For these reasons, we make the following Calhoun, Editor, et al. Expires November 6, 2006 [Page 133] Internet-Draft CAPWAP Protocol Specification May 2006 recommendations: o When DTLS is used with a preshared-key (PSK) ciphersuite, each WTP SHOULD have a unique PSK. Since WTPs will likely be widely deployed, their physical security is not guaranteed. If PSKs are not unique for each WTP, key reuse would allow the compromise of one WTP to result in the compromise of others o Generating PSKs from low entropy passwords is NOT RECOMMENDED. o It is RECOMMENDED that implementations that allow the administrator to manually configure the PSK also provide a capability for generation of new random PSKs, taking "RFC 1750 [4]" into account. o Preshared keys SHOULD be periodically updated. Implementations may facilitate this by providing an administrative interface for automatic key generation and periodic update, or it may be accomplished manually instead. 13.3. Use of Certificates in CAPWAP For public-key-based DTLS deployments, each device SHOULD have unique credentials, with a certificate profile authorizing them to act as either a WTP or AC. If devices do not have unique credentials, it is possible that by compromising one, any other one using the same credential may also be considered to be compromised. Each device is responsible for authenticating and authorizing devices with which they communicate. At minimum, such authentication entails validation of the chain of trust leading to the peer certificate, followed by the the peer certificate itself. Implementations SHOULD also provide a secure method for verifying that the credential in question has not been revoked. Note that if the WTP relies on the AC for network connectivity (e.g. the AC is a layer 2 switch to which the WTP is directly connected), there is a chicken and egg problem, in that the WTP may not be able to contact an OCSP server or otherwise obtain an up to date CRL if a compromised AC doesn't explicitly permit this. This cannot be avoided, except through effective physical security and monitoring measures at the AC. 13.4. AAA Security The AAA protocol is used to distribute EAP keys to the ACs, and consequently its security is important to the overall system security. When used with TLS or IPsec, security guidelines specified Calhoun, Editor, et al. Expires November 6, 2006 [Page 134] Internet-Draft CAPWAP Protocol Specification May 2006 in "RFC 3539 [12]" SHOULD be followed. In general, the link between the AC and AAA server SHOULD be secured using a strong ciphersuite keyed with mutually authenticated session keys. Implementations SHOULD NOT rely solely on Basic RADIUS shared secret authentication as it is often vulnerable to dictionary attacks, but rather SHOULD use stronger underlying security mechanisms. 13.5. IEEE 802.11 Security When used with an IEEE 802.11 infrastructure with WEP encryption, the CAPWAP protocol does not add any new vulnerabilities. Derived session keys between the STA and WTP can be compromised, resulting in many well-documented attacks. Implementors SHOULD discourage the use of WEP and encourage use of technically sound cryptographic solutions such as those in an IEEE 802.11 RSN. STA authentication in CAPWAP is performed using IEEE 802.lX, and consequently EAP. Implementors SHOULD use EAP methods meeting the requirements specified in RFC 4017 [ref] Calhoun, Editor, et al. Expires November 6, 2006 [Page 135] Internet-Draft CAPWAP Protocol Specification May 2006 14. IANA Considerations A separate UDP port for data channel communications is (currently) the selected demultiplexing mechanism, and a port must be assigned for this purpose. The Message element type fields must be IANA aassigned, see Section 4.4. Calhoun, Editor, et al. Expires November 6, 2006 [Page 136] Internet-Draft CAPWAP Protocol Specification May 2006 15. References 15.1. Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [2] National Institute of Standards and Technology, "Advanced Encryption Standard (AES)", FIPS PUB 197, November 2001, . [3] Whiting, D., Housley, R., and N. Ferguson, "Counter with CBC- MAC (CCM)", RFC 3610, September 2003. [4] Eastlake, D., Crocker, S., and J. Schiller, "Randomness Recommendations for Security", RFC 1750, December 1994. [5] Manner, J. and M. Kojo, "Mobility Related Terminology", RFC 3753, June 2004. [6] "Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications", IEEE Standard 802.11, 1999, . [7] "Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications Amendment 6: Medium Access Control (MAC) Security Enhancements", IEEE Standard 802.11i, July 2004, . [8] Clark, D., "IP datagram reassembly algorithms", RFC 815, July 1982. [9] Schaad, J. and R. Housley, "Advanced Encryption Standard (AES) Key Wrap Algorithm", RFC 3394, September 2002. [10] Mills, D., "Network Time Protocol (Version 3) Specification, Implementation", RFC 1305, March 1992. [11] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002. Calhoun, Editor, et al. Expires November 6, 2006 [Page 137] Internet-Draft CAPWAP Protocol Specification May 2006 [12] Aboba, B. and J. Wood, "Authentication, Authorization and Accounting (AAA) Transport Profile", RFC 3539, June 2003. [13] Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)", RFC 4279, December 2005. [14] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006. [15] "Netscape Certificate Extensions Specification", . [16] Clancy, C., "Security Review of the Light Weight Access Point Protocol", May 2005, . [17] Rescorla et al, E., "Datagram Transport Layer Security", June 2004. [18] "Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication", May 2005, . 15.2. Informational References [19] Reynolds, J., "Assigned Numbers: RFC 1700 is Replaced by an On- line Database", RFC 3232, January 2002. [20] Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, October 1996. [21] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998. [22] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997. [23] Karn, P. and W. Simpson, "ICMP Security Failures Messages", RFC 2521, March 1999. [24] "WiFi Protected Access (WPA) rev 1.6", April 2003. [25] Dierks et al, T., "The TLS Protocol Version 1.1", June 2005. [26] Modadugu et al, N., "The Design and Implementation of Datagram TLS", Feb 2004. [27] "The Care and Feeding of Cookie Monsters", May 2006. Calhoun, Editor, et al. Expires November 6, 2006 [Page 138] Internet-Draft CAPWAP Protocol Specification May 2006 [28] "Internet Key Exchange (IKEv2) Protocol", draft-ietf-ipsec-ikev2-17.txt", September 2004. Calhoun, Editor, et al. Expires November 6, 2006 [Page 139] Internet-Draft CAPWAP Protocol Specification May 2006 Editors' Addresses Pat R. Calhoun Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134 Phone: +1 408-853-5269 Email: pcalhoun@cisco.com Michael P. Montemurro Chantry Networks 1900 Minnesota Court, Suite 125 Mississauga, ON L5N 3C9 Canada Phone: +1 905-363-6400 Email: montemurro.michael@gmail.com Dorothy Stanley Aruba Networks 1322 Crossman Ave Sunnyvale, CA 94089 Phone: +1 630-363-1389 Email: dstanley@arubanetworks.com Calhoun, Editor, et al. Expires November 6, 2006 [Page 140] Internet-Draft CAPWAP Protocol Specification May 2006 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Calhoun, Editor, et al. Expires November 6, 2006 [Page 141]