Network Working Group P. Calhoun Internet-Draft B. O'Hara Expires: October 2, 2005 Airespace S. Kelly Facetime Communications R. Suri Airespace M. Williams Nokia, Inc. S. Hares Nexthop Technologies, Inc. N. Cam Winget Cisco Systems, Inc. March 31, 2005 Light Weight Access Point Protocol (LWAPP) draft-ohara-capwap-lwapp-02 Status of this Memo This document is an Internet-Draft and is subject to all provisions of Section 3 of RFC 3667. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she become aware will be disclosed, in accordance with RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on October 2, 2005. Copyright Notice Calhoun, et al. Expires October 2, 2005 [Page 1] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Copyright (C) The Internet Society (2005). Abstract In the recent years, there has been a shift in wireless LAN product architectures from autonomous access points to centralized control of light weight access points. The general goal has been to move most of the traditional wireless functionality such as access control (user authentication and authorization), mobility and radio management out of the access point into a centralized controller. The IETF's CAPWAP WG has identified that a standards based protocol is necessary between a wireless Access Controller and Wireless Termination Points (the latter are also commonly referred to as Light Weight Access Points). This specification defines the Light Weight Access Point Protocol (LWAPP), which addresses the CAPWAP's protocol requirements. Although the LWAPP protocol is designed to be flexible enough to be used for a variety of wireless technologies, this specific document describes the base protocol, and an extension that allows it to be used with the IEEE's 802.11 wireless LAN protocol. Calhoun, et al. Expires October 2, 2005 [Page 2] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 8 1.1 Conventions used in this document . . . . . . . . . . . 9 2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . 10 2.1 Wireless Binding Definition . . . . . . . . . . . . . . 11 2.2 LWAPP State Machine Definition . . . . . . . . . . . . . 12 3. LWAPP Transport Layers . . . . . . . . . . . . . . . . . . . 20 3.1 LWAPP Transport Header . . . . . . . . . . . . . . . . . 20 3.1.1 VER Field . . . . . . . . . . . . . . . . . . . . . 20 3.1.2 RID Field . . . . . . . . . . . . . . . . . . . . . 20 3.1.3 C Bit . . . . . . . . . . . . . . . . . . . . . . . 20 3.1.4 F Bit . . . . . . . . . . . . . . . . . . . . . . . 20 3.1.5 L Bit . . . . . . . . . . . . . . . . . . . . . . . 21 3.1.6 Fragment ID . . . . . . . . . . . . . . . . . . . . 21 3.1.7 Length . . . . . . . . . . . . . . . . . . . . . . . 21 3.1.8 Status and WLANS . . . . . . . . . . . . . . . . . . 21 3.1.9 Payload . . . . . . . . . . . . . . . . . . . . . . 21 3.2 Using IEEE 802.3 MAC as LWAPP transport . . . . . . . . 21 3.2.1 Framing . . . . . . . . . . . . . . . . . . . . . . 22 3.2.2 AC Discovery . . . . . . . . . . . . . . . . . . . . 22 3.2.3 LWAPP Message Header format over IEEE 802.3 MAC transport . . . . . . . . . . . . . . . . . . . . . 22 3.2.4 Fragmentation/Reassembly . . . . . . . . . . . . . . 22 3.2.5 Multiplexing . . . . . . . . . . . . . . . . . . . . 23 3.3 Using IPv4/UDP as LWAPP transport . . . . . . . . . . . 23 3.3.1 Framing . . . . . . . . . . . . . . . . . . . . . . 23 3.3.2 AC Discovery . . . . . . . . . . . . . . . . . . . . 23 3.3.3 LWAPP Message Header format over IPv4/UDP transport 24 3.3.4 Fragmentation/Reassembly . . . . . . . . . . . . . . 24 3.3.5 Multiplexing . . . . . . . . . . . . . . . . . . . . 25 4. LWAPP Packet Definitions . . . . . . . . . . . . . . . . . . 26 4.1 LWAPP Data Messages . . . . . . . . . . . . . . . . . . 26 4.2 LWAPP Control Messages Overview . . . . . . . . . . . . 26 4.2.1 Control Message Format . . . . . . . . . . . . . . . 27 4.2.2 Message Element Format . . . . . . . . . . . . . . . 29 5. LWAPP Discovery Operations . . . . . . . . . . . . . . . . . 31 5.1 Discovery Request . . . . . . . . . . . . . . . . . . . 31 5.1.1 Discovery Type . . . . . . . . . . . . . . . . . . . 32 5.1.2 WTP Descriptor . . . . . . . . . . . . . . . . . . . 32 5.1.3 WTP Radio Information . . . . . . . . . . . . . . . 33 5.2 Discovery Response . . . . . . . . . . . . . . . . . . . 33 5.2.1 AC Address . . . . . . . . . . . . . . . . . . . . . 34 5.2.2 AC Descriptor . . . . . . . . . . . . . . . . . . . 34 5.2.3 AC Name . . . . . . . . . . . . . . . . . . . . . . 35 5.2.4 WTP Manager Control IP Address . . . . . . . . . . . 35 5.3 Primary Discovery Request . . . . . . . . . . . . . . . 36 5.3.1 Discovery Type . . . . . . . . . . . . . . . . . . . 36 Calhoun, et al. Expires October 2, 2005 [Page 3] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 5.3.2 WTP Descriptor . . . . . . . . . . . . . . . . . . . 36 5.3.3 WTP Radio Information . . . . . . . . . . . . . . . 36 5.4 Primary Discovery Response . . . . . . . . . . . . . . . 36 5.4.1 AC Descriptor . . . . . . . . . . . . . . . . . . . 37 5.4.2 AC Name . . . . . . . . . . . . . . . . . . . . . . 37 5.4.3 WTP Manager Control IP Address . . . . . . . . . . . 37 6. Control Channel Management . . . . . . . . . . . . . . . . . 38 6.1 Join Request . . . . . . . . . . . . . . . . . . . . . . 38 6.1.1 WTP Descriptor . . . . . . . . . . . . . . . . . . . 39 6.1.2 AC Address . . . . . . . . . . . . . . . . . . . . . 39 6.1.3 WTP Name . . . . . . . . . . . . . . . . . . . . . . 39 6.1.4 Location Data . . . . . . . . . . . . . . . . . . . 39 6.1.5 WTP Radio Information . . . . . . . . . . . . . . . 39 6.1.6 Certificate . . . . . . . . . . . . . . . . . . . . 40 6.1.7 Session ID . . . . . . . . . . . . . . . . . . . . . 40 6.1.8 Test . . . . . . . . . . . . . . . . . . . . . . . . 40 6.1.9 WNonce . . . . . . . . . . . . . . . . . . . . . . . 41 6.1.10 DH-Params . . . . . . . . . . . . . . . . . . . . . 41 6.2 Join Response . . . . . . . . . . . . . . . . . . . . . 42 6.2.1 Result Code . . . . . . . . . . . . . . . . . . . . 42 6.2.2 Status . . . . . . . . . . . . . . . . . . . . . . . 43 6.2.3 Certificate . . . . . . . . . . . . . . . . . . . . 43 6.2.4 Session Key . . . . . . . . . . . . . . . . . . . . 43 6.2.5 WTP Manager Data IP Address . . . . . . . . . . . . 44 6.2.6 AC List . . . . . . . . . . . . . . . . . . . . . . 44 6.2.7 ANonce . . . . . . . . . . . . . . . . . . . . . . . 45 6.2.8 PSK-MIC . . . . . . . . . . . . . . . . . . . . . . 45 6.2.9 DH-Params . . . . . . . . . . . . . . . . . . . . . 46 6.3 Join ACK . . . . . . . . . . . . . . . . . . . . . . . . 46 6.3.1 Session ID . . . . . . . . . . . . . . . . . . . . . 46 6.3.2 WNonce . . . . . . . . . . . . . . . . . . . . . . . 46 6.3.3 PSK-MIC . . . . . . . . . . . . . . . . . . . . . . 46 6.4 Join Confirm . . . . . . . . . . . . . . . . . . . . . . 46 6.4.1 Session ID . . . . . . . . . . . . . . . . . . . . . 47 6.4.2 ANonce . . . . . . . . . . . . . . . . . . . . . . . 47 6.4.3 PSK-MIC . . . . . . . . . . . . . . . . . . . . . . 47 6.5 Echo Request . . . . . . . . . . . . . . . . . . . . . . 47 6.6 Echo Response . . . . . . . . . . . . . . . . . . . . . 47 6.7 Key Update Request . . . . . . . . . . . . . . . . . . . 48 6.7.1 Session ID . . . . . . . . . . . . . . . . . . . . . 48 6.8 Key Update Response . . . . . . . . . . . . . . . . . . 48 6.8.1 Session Key . . . . . . . . . . . . . . . . . . . . 49 6.9 Key Update Trigger . . . . . . . . . . . . . . . . . . . 49 6.9.1 Session ID . . . . . . . . . . . . . . . . . . . . . 49 7. WTP Configuration Management . . . . . . . . . . . . . . . . 50 7.1 Configure Request . . . . . . . . . . . . . . . . . . . 50 7.1.1 Administrative State . . . . . . . . . . . . . . . . 50 7.1.2 AC Name . . . . . . . . . . . . . . . . . . . . . . 51 Calhoun, et al. Expires October 2, 2005 [Page 4] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 7.1.3 AC Name with Index . . . . . . . . . . . . . . . . . 51 7.1.4 WTP Board Data . . . . . . . . . . . . . . . . . . . 51 7.1.5 Statistics Timer . . . . . . . . . . . . . . . . . . 52 7.1.6 WTP Static IP Address Information . . . . . . . . . 52 7.1.7 WTP Reboot Statistics . . . . . . . . . . . . . . . 53 7.2 Configure Response . . . . . . . . . . . . . . . . . . . 53 7.2.1 Decryption Error Report Period . . . . . . . . . . . 54 7.2.2 Change State Event . . . . . . . . . . . . . . . . . 54 7.2.3 LWAPP Timers . . . . . . . . . . . . . . . . . . . . 55 7.2.4 AC List . . . . . . . . . . . . . . . . . . . . . . 55 7.2.5 WTP Fallback . . . . . . . . . . . . . . . . . . . . 55 7.2.6 Idle Timeout . . . . . . . . . . . . . . . . . . . . 56 7.3 Configuration Update Request . . . . . . . . . . . . . . 56 7.3.1 WTP Name . . . . . . . . . . . . . . . . . . . . . . 56 7.3.2 Change State Event . . . . . . . . . . . . . . . . . 57 7.3.3 Administrative State . . . . . . . . . . . . . . . . 57 7.3.4 Statistics Timer . . . . . . . . . . . . . . . . . . 57 7.3.5 Location Data . . . . . . . . . . . . . . . . . . . 57 7.3.6 Decryption Error Report Period . . . . . . . . . . . 57 7.3.7 AC List . . . . . . . . . . . . . . . . . . . . . . 57 7.3.8 Add Blacklist Entry . . . . . . . . . . . . . . . . 57 7.3.9 Delete Blacklist Entry . . . . . . . . . . . . . . . 58 7.3.10 Add Static Blacklist Entry . . . . . . . . . . . . . 58 7.3.11 Delete Static Blacklist Entry . . . . . . . . . . . 59 7.3.12 LWAPP Timers . . . . . . . . . . . . . . . . . . . . 59 7.3.13 AC Name with Index . . . . . . . . . . . . . . . . . 59 7.3.14 WTP Fallback . . . . . . . . . . . . . . . . . . . . 59 7.3.15 Idle Timeout . . . . . . . . . . . . . . . . . . . . 59 7.4 Configuration Update Response . . . . . . . . . . . . . 59 7.4.1 Result Code . . . . . . . . . . . . . . . . . . . . 60 7.5 Change State Event Request . . . . . . . . . . . . . . . 60 7.5.1 Change State Event . . . . . . . . . . . . . . . . . 60 7.6 Change State Event Response . . . . . . . . . . . . . . 60 7.7 Clear Config Indication . . . . . . . . . . . . . . . . 61 8. Device Management Operations . . . . . . . . . . . . . . . . 62 8.1 Image Data Request . . . . . . . . . . . . . . . . . . . 62 8.1.1 Image Download . . . . . . . . . . . . . . . . . . . 62 8.1.2 Image Data . . . . . . . . . . . . . . . . . . . . . 62 8.2 Image Data Response . . . . . . . . . . . . . . . . . . 63 8.3 Reset Request . . . . . . . . . . . . . . . . . . . . . 63 8.4 Reset Response . . . . . . . . . . . . . . . . . . . . . 63 8.5 WTP Event Request . . . . . . . . . . . . . . . . . . . 63 8.5.1 Decryption Error Report . . . . . . . . . . . . . . 64 8.5.2 Duplicate IP Address . . . . . . . . . . . . . . . . 64 8.6 WTP Event Response . . . . . . . . . . . . . . . . . . . 65 8.7 Data Transfer Request . . . . . . . . . . . . . . . . . 65 8.7.1 Data Transfer Mode . . . . . . . . . . . . . . . . . 65 8.7.2 Data Transfer Data . . . . . . . . . . . . . . . . . 66 Calhoun, et al. Expires October 2, 2005 [Page 5] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 8.8 Data Transfer Response . . . . . . . . . . . . . . . . . 66 9. Mobile Session Management . . . . . . . . . . . . . . . . . 67 9.1 Mobile Config Request . . . . . . . . . . . . . . . . . 67 9.1.1 Delete Mobile . . . . . . . . . . . . . . . . . . . 67 9.2 Mobile Config Response . . . . . . . . . . . . . . . . . 68 9.2.1 Result Code . . . . . . . . . . . . . . . . . . . . 68 10. Session Key Generation . . . . . . . . . . . . . . . . . . 69 10.1 Securing WTP-AC communications . . . . . . . . . . . . . 69 10.2 LWAPP Frame Encryption . . . . . . . . . . . . . . . . . 70 10.3 Authenticated Key Exchange . . . . . . . . . . . . . . . 71 10.3.1 Certificate Based Approach . . . . . . . . . . . . . 71 10.3.2 Pre-Shared Key Approach . . . . . . . . . . . . . . 74 11. IEEE 802.11 Binding . . . . . . . . . . . . . . . . . . . 78 11.1 Division of labor . . . . . . . . . . . . . . . . . . . 78 11.1.1 Split MAC . . . . . . . . . . . . . . . . . . . . . 78 11.1.2 Local MAC . . . . . . . . . . . . . . . . . . . . . 79 11.2 Transport specific bindings . . . . . . . . . . . . . . 79 11.2.1 Status and WLANS field . . . . . . . . . . . . . . . 79 11.3 Data Message bindings . . . . . . . . . . . . . . . . . 80 11.4 Control Message bindings . . . . . . . . . . . . . . . . 80 11.4.1 Mobile Config Request . . . . . . . . . . . . . . . 80 11.4.2 WTP Event Request . . . . . . . . . . . . . . . . . 85 11.5 802.11 Control Messages . . . . . . . . . . . . . . . . 87 11.5.1 IEEE 802.11 WLAN Config Request . . . . . . . . . . 87 11.5.2 IEEE 802.11 WLAN Config Response . . . . . . . . . . 91 11.5.3 IEEE 802.11 WTP Event . . . . . . . . . . . . . . . 91 11.6 Message Element Bindings . . . . . . . . . . . . . . . . 92 11.6.1 IEEE 802.11 WTP WLAN Radio Configuration . . . . . . 93 11.6.2 IEEE 802.11 Rate Set . . . . . . . . . . . . . . . . 94 11.6.3 IEEE 802.11 Multi-domain Capability . . . . . . . . 95 11.6.4 IEEE 802.11 MAC Operation . . . . . . . . . . . . . 95 11.6.5 IEEE 802.11 Tx Power . . . . . . . . . . . . . . . . 97 11.6.6 IEEE 802.11 Tx Power Level . . . . . . . . . . . . . 97 11.6.7 IEEE 802.11 Direct Sequence Control . . . . . . . . 97 11.6.8 IEEE 802.11 OFDM Control . . . . . . . . . . . . . . 98 11.6.9 IEEE 802.11 Antenna . . . . . . . . . . . . . . . . 99 11.6.10 IEEE 802.11 Supported Rates . . . . . . . . . . . 99 11.6.11 IEEE 802.11 CFP Status . . . . . . . . . . . . . . 100 11.6.12 IEEE 802.11 WTP Mode and Type . . . . . . . . . . 100 11.6.13 IEEE 802.11 Broadcast Probe Mode . . . . . . . . . 101 11.6.14 IEEE 802.11 WTP Quality of Service . . . . . . . . 101 11.6.15 IEEE 802.11 MIC Error Report From Mobile . . . . . 102 11.7 IEEE 802.11 Message Element Values . . . . . . . . . . . 103 12. LWAPP Protocol Timers . . . . . . . . . . . . . . . . . . 104 12.1 MaxDiscoveryInterval . . . . . . . . . . . . . . . . . . 104 12.2 SilentInterval . . . . . . . . . . . . . . . . . . . . . 104 12.3 NeighborDeadInterval . . . . . . . . . . . . . . . . . . 104 12.4 EchoInterval . . . . . . . . . . . . . . . . . . . . . . 104 Calhoun, et al. Expires October 2, 2005 [Page 6] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 12.5 DiscoveryInterval . . . . . . . . . . . . . . . . . . . 104 12.6 RetransmitInterval . . . . . . . . . . . . . . . . . . . 104 12.7 ResponseTimeout . . . . . . . . . . . . . . . . . . . . 105 12.8 KeyLifetime . . . . . . . . . . . . . . . . . . . . . . 105 13. LWAPP Protocol Variables . . . . . . . . . . . . . . . . . 106 13.1 MaxDiscoveries . . . . . . . . . . . . . . . . . . . . . 106 13.2 DiscoveryCount . . . . . . . . . . . . . . . . . . . . . 106 13.3 RetransmitCount . . . . . . . . . . . . . . . . . . . . 106 13.4 MaxRetransmit . . . . . . . . . . . . . . . . . . . . . 106 14. Security Considerations . . . . . . . . . . . . . . . . . 107 14.1 Certificate based Session Key establishment . . . . . . 107 14.2 PSK based Session Key establishment . . . . . . . . . . 108 15. IANA Considerations . . . . . . . . . . . . . . . . . . . 109 16. IPR Statement . . . . . . . . . . . . . . . . . . . . . . 110 17. References . . . . . . . . . . . . . . . . . . . . . . . . 111 17.1 Normative References . . . . . . . . . . . . . . . . . . 111 17.2 Informational References . . . . . . . . . . . . . . . . 112 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 112 Intellectual Property and Copyright Statements . . . . . . . 114 Calhoun, et al. Expires October 2, 2005 [Page 7] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 1. Introduction Unlike wired network elements, Wireless Termination Points (WTPs) require a set of dynamic management and control functions related to their primary task of connecting the wireless and wired mediums. Today, protocols for managing WTPs are either manual static configuration via HTTP, proprietary Layer 2 specific or non-existent (if the WTPs are self-contained). The emergence of simple 802.11 WTPs that are managed by a WLAN appliance or switch (also known as an Access Controller, or AC) suggests that having a standardized, interoperable protocol could radically simplify the deployment and management of wireless networks. In many cases the overall control and management functions themselves are generic and could apply to an AP for any wireless Layer 2 protocol. Being independent of specific wireless Layer 2 technologies, such a protocol could better support interoperability between Layer 2 devices and enable smoother intertechnology handovers. The details of how these functions would be implemented are dependent on the particular Layer 2 wireless technology. Such a protocol would need provisions for binding to specific technologies. LWAPP assumes a network configuration that consists of multiple WTPs communicating either via layer 2 (MAC) or layer 3 (IP) to an AC. The WTPs can be considered as remote RF interfaces, being controlled by the AC. The AC forwards all L2 frames it wants to transmit to an WTP via the LWAPP protocol. Packets from mobile nodes are forwarded by the WTP to the AC, also via this protocol. Figure 1 illustrates this arrangement as applied to an IEEE 802.11 binding. +-+ 802.11frames +-+ | |--------------------------------| | | | +-+ | | | |--------------| |---------------| | | | 802.11 PHY/ | | LWAPP | | | | MAC sublayer | | | | +-+ +-+ +-+ STA WTP AC Figure 1: LWAPP Architecture Security is another aspect of Wireless Termination Point management that is not well served by existing solutions. Provisioning WTPs with security credentials, and managing which WTPs are authorized to provide service are today handled by proprietary solutions. Allowing these functions to be performed from a centralized AC in an interoperable fashion increases managability and allows network operators to more tightly control their wireless network Calhoun, et al. Expires October 2, 2005 [Page 8] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 infrastructure. This document describes the Light Weight Access Point Protocol (LWAPP), allowing an AC to manage a collection of WTPs. The protocol is defined to be independent of Layer 2 technology, but an 802.11 binding is provided for use in growing 802.11 wireless LAN networks. Goals The following are goals for this protocol: 1. Centralization of the bridging, forwarding, authentication and policy enforcement functions for a wireless network. Optionally, the AC may also provide centralized encryption of user traffic. This will permit reduced cost and higher efficiency when applying the capabilities of network processing silicon to the wireless network, as it has already been applied to wired LANs. 2. Permit shifting of the higher level protocol processing burden away from the WTP. This leaves the computing resource of the WTP to the timing critical applications of wireless control and access. This makes the most efficient use of the computing power available in WTPs that are the subject of severe cost pressure. 3. Providing a generic encapsulation and transport mechanism, the protocol may be applied to other access point type in the future by adding the binding. The LWAPP protocol concerns itself solely with the interface between the WTP and the AC. Inter-AC, or mobile to AC communication is strictly outside the scope of this document. 1.1 Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1]. Calhoun, et al. Expires October 2, 2005 [Page 9] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 2. Protocol Overview LWAPP is a generic protocol defining how Wireless Termination Points communicate with Access Controllers. Wireless Termination Points and Access Controllers may communicate either by means of Layer 2 protocols or by means of a routed IP network. LWAPP messages and procedures defined in this document apply to both types of transports unless specified otherwise. Transport independence is achieved by defining formats for both MAC level and IP level transport (see Section 3). Also defined are framing, fragmentation/reassembly, and multiplexing services to LWAPP for each transport type. The LWAPP Transport layer carries two types of payload. LWAPP Data Messages are forwarded wireless frames. LWAPP Control Messages are management messages exchanged between an WTP and an AC. The LWAPP transport header defines the "C-bit", which is used to distinguish data and control traffic. When used over IP, the LWAPP data and control traffic are also sent over separate UDP ports. Since both data and control frames can exceed PMTU, the payload of an LWAPP data or control message can be fragmented. The fragmentation behavior is highly dependent upon the lower layer transport and is defined in Section 3. The Light Weight Access Protocol (LWAPP) begins with a discovery phase. The WTPs send a Discovery Request frame, causing any Access Controller (AC) , receiving that frame to respond with a Discovery Response. From the Discovery Responses received, an WTP will select an AC with which to associate, using the Join Request and Join Response. The Join Request also provides an MTU discovery mechanism, to determine whether there is support for the transport of large frames between the WTP and it's AC. If support for large frames is not present, the LWAPP frames will be fragmented to the maximum length discovered to be supported by the network. Once the WTP and the AC have joined, a configuration exchange is accomplished that will cause both devices to agree on version information. During this exchange the WTP may receive provisioning settings. For the 802.11 binding, this information would typically include a name (802.11 Service Set Identifier, SSID), and security parameters, the data rates to be advertised as well as the radio channel (channels, if the WTP is capable of operating more than one 802.11 MAC and PHY simultaneously) to be used. Finally, the WTPs are enabled for operation. When the WTP and AC have completed the version and provision exchange and the WTP is enabled, the LWAPP encapsulates the wireless frames Calhoun, et al. Expires October 2, 2005 [Page 10] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 sent between them. LWAPP will fragment its packets, if the size of the encapsulated wireless user data (Data) or protocol control (Management) frames causes the resultant LWAPP packet to exceed the MTU supported between the WTP and AC. Fragmented LWAPP packets are reassembled to reconstitute the original encapsulated payload. In addition to the functions thus far described, LWAPP also provides for the delivery of commands from the AC to the WTP for the management of devices that are communicating with the WTP. This may include the creation of local data structures in the WTP for the managed devices and the collection of statistical information about the communication between the WTP and the 802.11 devices. LWAPP provides the ability for the AC to obtain any statistical information collected by the WTP. LWAPP also provides for a keep alive feature that preserves the communication channel between the WTP and AC. If the AC fails to appear alive, the WTP will try to discover a new AC to communicate through. This Document uses terminology defined in [5] 2.1 Wireless Binding Definition This draft standard specifies a protocol independent of a specific wireless access point radio technology. Elements of the protocol are designed to accommodate specific needs of each wireless technology in a standard way. Implementation of this standard for a particular wireless technology must follow the binding requirements defined for that technology. This specification includes a binding for the IEEE 802.11 (see Section 11). When defining a binding for other technologies, the authors MUST include any necessary definitions for technology-specific messages and all technology-specific message elements for those messages. At a minimum, a binding MUST provide the definition for a binding-specific Statistics message element, which is carried in the WTP Event Request message, and Add Mobile message element, which is carried in the Mobile Configure Request. If any technology specific message elements are required for any of the existing LWAPP messages defined in this specification, they MUST also be defined in the technology binding document. The naming of binding-specific message elements MUST begin with the name of the technology type, e.g., the binding for IEEE 802.11, provided in this standard, begins with "IEEE 802.11"." Calhoun, et al. Expires October 2, 2005 [Page 11] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 2.2 LWAPP State Machine Definition The following state diagram represents the lifecycle of an WTP-AC session: /-------------\ | v | +------------+ | C| Idle |<-----------------------------------\ | +------------+<-----------------------\ | | ^ |a ^ | | | | | \----\ | | | | | |t u | | | | | +-----------+------>+------------+ | | / | C| Run | | Key Update | | | / | r+-----------+<------+------------+ | | / | ^ |s w x| | | | v | | | | | | +--------------+ | | v |y | | C| Discovery | q| \--------------->+-------+ | | b+--------------+ +-------------+ | Reset | | | |d f| ^ | Configure |------->+-------+ | | | | | +-------------+p ^ | |e v | | ^ ^ | | +---------+ v |i |k 2| | | C| Sulking | +------------+ +--------------+ | | +---------+ C| Join |--->| Join-Confirm | | | g+------------+z +--------------+ | | |h m| 3| |4 | | | | | v |o |\ | | | +------------+ \\-----------------/ \--------+---->| Image Data |C \------------------------------------/ +------------+n Figure 2: LWAPP State Machine The LWAPP state machine, depicted above, is used by both the AC and the WTP. For every state defined, only certain messages are permitted to be sent and received. In all of the LWAPP control messages defined in this document, the state for which each command is valid is specified. Note that in the state diagram figure above, the 'C' character is used to represent a condition that causes the state to remain the same. The following text discusses the various state transitions, and the Calhoun, et al. Expires October 2, 2005 [Page 12] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 events that cause them. Idle to Discovery (a): This is the initialization state. WTP: The WTP enters the Discovery state prior to transmitting the first Discovery Request (see Section 5.1). Upon entering this state, the WTP sets the DiscoveryInterval timer (see Section 12). The WTP resets the DiscoveryCount counter to zero (0) (see Section 13). The WTP also clears all information from ACs (e.g., AC Addresses) it may have received during a previous Discovery phase. AC: The AC does not need to maintain state information for the WTP upon reception of the Discovery Request, but it MUST respond with a Discovery Response (see Section 5.2). Discovery to Discovery (b): This is the state the WTP uses to determine which AC it wishes to connect to. WTP: This event occurs when the DiscoveryInterval timer expires. The WTP transmits a Discovery Request to every AC which the WTP hasn't received a response to. For every transition to this event, the WTP increments DisoveryCount counter. See Section 5.1) for more information on how the WTP knows which ACs it should transmit the Discovery Requests to. The WTP restarts the DiscoveryInterval timer. AC: This is a noop. Discovery to Sulking (d): This state occurs on a WTP when Discovery or connectivity to the AC fails. WTP: The WTP enters this state when the DiscoveryInterval timer expires and the DiscoveryCount variable is equal to the MaxDiscoveries variable (see Section 13). Upon entering this state, the WTP will start the SilentInterval timer. While in the Sulking state, all LWAPP messages received are ignored. AC: This is a noop. Sulking to Idle (e): This state occurs on a WTP when it must restart the discovery phase. WTP: The WTP enters this state when the SilentInterval timer (see Section 12) expires. AC: This is a noop. Discovery to Join (f): This state is used by the WTP to confirm its commitment to an AC that it wishes to be provided service. WTP: The WTP selects the best AC based on the information it gathered during the Discovery Phase. It then transmits a Join Request (see Section 6.1 to its preferred AC. The WTP starts the WaitJoin Timer (see Section 12). AC: The AC enters this state for the given WTP upon reception of a Join Request. The AC processes the request and responds with a Join Response. Join to Join (g): This state transition occurs during the join phase. Calhoun, et al. Expires October 2, 2005 [Page 13] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 WTP: The WTP enters this state when the WaitJoin timer expires, and the underlying transport requires LWAPP MTU detection Section 3). AC: This state occurs when the AC receives a retransmission of a Join Request. The WTP processes the request and responds with the Join Response.. Join to Idle (h): This state is used when the join process failed. WTP: This state transition occurs if the WTP is configured to use PSK security and receives a Join Response that includes an invalid PSK-MIC message element. AC: The AC enters this state when it transmits an unsuccessful Join Response. Join to Discovery (i): This state is used when the join process failed. WTP: The WTP enters this state when it receives an unsuccessful Join Response. Upon entering this state, the WTP sets the DiscoveryInterval timer (see Section 12). The WTP resets the DiscoveryCount counter to zero (0) (see Section 13). This state transition may also occur if the PSK-MIC (see Section 6.2.8) message element is invalid. AC: This state transition is invalid. Join to Join-Confirm (z): This state is used solely with the LWAPP PSK Mode, and is used for the purposes of key confirmation. WTP: This state is entered when the WTP receives a Join Response that includes a valid PSK-MIC message element. The WTP MUST respond with a Join ACK, which is used to provide key confirmation. AC: The AC enters this state when it receives a Join ACK that includes a valid PSK-MIC message element. The AC MUST respond with a Join Confirm message, which includes the Session Key message element. Join to Configure (k): This state is used by the WTP and the AC to exchange configuration information. WTP: The WTP enters this state when it receives a successful Join Response, and determines that its version number and the version number advertised by the AC are the same. The WTP transmits the Configure Request (see Section 7.1) message to the AC with a snapshot of its current configuration. This state transition is only valid when the Certificate message element is present in the Join Response, and not if the PSK-MIC message element is present. The WTP also starts the ResponseTimeout timer (see Section 12). AC: This state transition occurs when the AC receives the Configure Request from the WTP. Note that the AC MUST only allow this state transition if the Join process used certificate based security, through the presence on the Certificate message element. The AC must transmit a Configure Response (see Section 7.2) to the WTP, and may include specific Calhoun, et al. Expires October 2, 2005 [Page 14] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 message elements to override the WTP's configuration. Join to Image Data (m): This state is used by the WTP and the AC to download executable firmware. WTP: The WTP enters this state when it receives a successful Join Response, and determines that its version number and the version number advertised by the AC are different. This state transition is only valid when the Certificate message element is present in the Join Response, and not if the PSK-MIC message element is present. The WTP transmits the Image Data Request (see Section 8.1) message requesting that the AC's latest firmware be initiated. AC: This state transition occurs when the AC receives the Image Data Request from the WTP. Note that the AC MUST only allow this state transition if the Join process used certificate based security, through the presence on the Certificate message element. The AC must transmit a Image Data Response (see Section 8.2) to the WTP, which includes a portion of the firmware. Join-Confirm to Idle (3): This state is used when the join process failed. WTP: This state transition occurs when the WTP receives an invalid Join Confirm. AC: The AC enters this state when it receives an invalid Join ACK. Join-Confirm to Configure (2): This state is used by the WTP and the AC to exchange configuration information. WTP: The WTP enters this state when it receives a successful Join Confirm, and determines that its version number and the version number advertised by the AC are the same. The WTP transmits the Configure Request (see Section 7.1) message to the AC with a snapshot of its current configuration. The WTP also starts the ResponseTimeout timer (see Section 12). AC: This state transition occurs when the AC receives the Configure Request from the WTP. The AC must transmit a Configure Response (see Section 7.2) to the WTP, and may include specific message elements to override the WTP's configuration. Join-Confirm to Image Data (4): This state is used by the WTP and the AC to download executable firmware. WTP: The WTP enters this state when it receives a successful Join Confirm, and determines that its version number and the version number advertised by the AC are different. The WTP transmits the Image Data Request (see Section 8.1) message requesting that the AC's latest firmware be initiated. AC: This state transition occurs when the AC receives the Image Data Request from the WTP. The AC must transmit a Image Data Response (see Section 8.2) to the WTP, which includes a portion of the firmware. Calhoun, et al. Expires October 2, 2005 [Page 15] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Image Data to Image Data (n): This state is used by WTP and the AC during the firmware download phase. WTP: The WTP enters this state when it receives a Image Data Response that indicates that the AC has more data to send. AC: This state transition occurs when the AC receives the Image Data Request from the WTP while already in this state, and it detects that the firmware download has not completed. Image Data to Reset (o): This state is used when the firmware download is completed. WTP: The WTP enters this state when it receives a Image Data Response that indicates that the AC has no more data to send, or if the underlying LWAPP transport indicates a link failure. At this point, the WTP reboots itself. AC: This state transition occurs when the AC receives the Image Data Request from the WTP while already in this state, and it detects that the firmware download has completed, or if the underlying LWAPP transport indicates a link failure. Note that the AC itself does not reset, but it places the specific WTPs context it is communicating with in the reset state, meaning that it clears all state associated with the WTP. Configure to Reset (p): This state transition occurs if the Configure phase fails. WTP: The WTP enters this state when the reliable transport fails to deliver the Configure Request, or if the ResponseTimeout Timer (see Section 12)expires. AC: This state transition occurs if the AC is unable to transmit the Configure Response to a specific WTP. Note that the AC itself does not reset, but it places the specific WTPs context it is communicating with in the reset state, meaning that it clears all state associated with the WTP. Configure to Run (q): This state transition occurs when the WTP and AC enters their normal state of operation. WTP: The WTP enters this state when it receives a successful Configure Response from the AC. The WTP initializes the HeartBeat Timer (see Section 12), and transmits the Change State Event Request message (see Section 7.5). AC: This state transition occurs when the AC receives the Change State Event Request (see Section 7.5) from the WTP. The AC responds with a Change State Event Response (see Section 7.6) message. The AC must start the Session ID and Neighbor Dead timers (see Section 12). Run to Run (r): This is the normal state of operation. WTP: This is the WTP's normal state of operation, and there are many events that cause this to occur: Configuration Update: The WTP receives a Configuration Update Request (see Section 7.3). The WTP MUST respond with a Configuration Update Response (see Section 7.4). Calhoun, et al. Expires October 2, 2005 [Page 16] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Change State Event: The WTP receives a Change State Event Response, or determines that it must initiate a Change State Event Request, as a result of a failure or change in the state of a radio. Echo Request: The WTP receives an Echo Request message Section 6.5), which it MUST respond with an Echo Response (see Section 6.6). Clear Config Indication: The WTP receives a Clear Config Indication message Section 7.7). The WTP MUST reset its configuration back to manufacturer defaults. WTP Event: The WTP generates a WTP Event Request to send information to the AC Section 8.5). The WTP receives a WTP Event Response from the AC Section 8.6). Data Transfer: The WTP generates a Data Transfer Request to the AC Section 8.7). The WTP receives a Data Transfer Response from the AC Section 8.8). WLAN Config Request: The WTP receives an WLAN Config Request message Section 11.5.1), which it MUST respond with an WLAN Config Response (see Section 11.5.2). Mobile Config Request: The WTP receives an Mobile Config Request message Section 9.1), which it MUST respond with an Mobile Config Response (see Section 9.2). AC: This is the AC's normal state of operation, and there are many events that cause this to occur: Configuration Update: The AC sends a Configuration Update Request (see Section 7.3) to the WTP to update its configuration. The AC receives a Configuration Update Response (see Section 7.4) from the WTP. Change State Event: The AC receives a Change State Event Request (see Section 7.5), which it MUST respond to with the Change State Event Response (see Section 7.6). Echo: The AC sends an Echo Request message Section 6.5) or receives the associated Echo Response (see Section 6.6) from the WTP. Clear Config Indication: The AC sends a Clear Config Indication message Section 7.7). WLAN Config: The AC sends an WLAN Config Request message Section 11.5.1) or receives the associated WLAN Config Response (see Section 11.5.2) from the WTP. Mobile Config: The AC sends an Mobile Config Request message Section 9.1) or receives the associated Mobile Config Response (see Section 9.2) from the WTP. Data Transfer: The AC receives a Data Transfer Request from the AC (see Section 8.7) and MUST generate the associated Data Transfer Response message (see Section 8.8). Calhoun, et al. Expires October 2, 2005 [Page 17] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 WTP Event: The AC receives a WTP Event Request from the AC (see Section 8.5) and MUST generate the associated WTP Event Response message (see Section 8.6). Run to Reset (s): This event occurs when the AC wishes for the WTP to reboot. WTP: The WTP enters this state when it receives a Reset Request (see Section 8.3). It must respond with a Reset Response (see Section 8.4), and once the reliable transport acknowledgement has been received, it must reboot itself. AC: This state transition occurs either through some administrative action, or via some internal event on the AC that causes it to request that the WTP disconnect. Note that the AC itself does not reset, but it places the specific WTPs context it is communicating with in the reset state. Run to Idle (t): This event occurs when an error occurs in the communication between the WTP and the AC. WTP: The WTP enters this state when the underlying reliable transport in unable to transmit a message within the RetransmitInterval timer (see Section 12), and the maximum number of RetransmitCount counter has reached the MaxRetransmit variable (see Section 13). AC: The AC enters this state when the underlying reliable transport in unable to transmit a message within the RetransmitInterval timer (see Section 12), and the maximum number of RetransmitCount counter has reached the MaxRetransmit variable (see Section 13). Run to Key Update (u): This event occurs when the WTP and the AC are to exchange new keying material, with which it must use to protect all future messages. WTP: This state transition occurs when the KeyLifetime timer expires (see Section 12). AC: The WTP enters this state when it receives a Key Update Request (see Section 6.7). It must create new keying material and include it in the Key Update Response (see Section 6.8). Key Update to Run (w): This event occurs when the key exchange phase is completed. WTP: This state transition occurs when the WTP receives the Key Update Response. The WTP must plumb the new keys in its crypto module, allowing it to communicate with the AC using the new key. AC: The AC enters this state when it transmits the Key Update Response message. The key is then plumbed into its crypto module, allowing it to communicate with the WTP using the new key. Key Update to Reset (x): This event occurs when the key exchange phase times out. Calhoun, et al. Expires October 2, 2005 [Page 18] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 WTP: This state transition occurs when the WTP does not receive a Key Update Response from the AC. AC: The AC enters this state when it is unable to process a Key Update Request. Reset to Idle (y): This event occurs when the state machine is restarted. WTP: The WTP reboots itself. After reboot the WTP will start its LWAPP state machine in the Idle state. AC: The AC clears out any state associated with the WTP. The AC generally does this as a result of the reliable link layer timing out. Calhoun, et al. Expires October 2, 2005 [Page 19] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 3. LWAPP Transport Layers The LWAPP protocol can operate at layer 2 or 3. For layer 2 support, the LWAPP messages are carried in a native Ethernet frame. As such, the protocol is not routable and depends upon layer 2 connectivity between the WTP and the AC. Layer 3 support is provided by encapsulating the LWAPP messages within UDP. 3.1 LWAPP Transport Header All LWAPP protocol packets are encapsulated using a common header format, regardless of the transport used to carry the frames. However, certain flags are not applicable for a given transport, and it is therefore necessary to refer to the specific transport section in order to determine which flags are valid. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |VER| RID |C|F|L| Frag ID | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Status/WLANs | Payload... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3.1.1 VER Field A 2 bit field which contains the version of LWAPP used in this packet. The value for this draft is 0. 3.1.2 RID Field A 3 bit field which contains the Radio ID number for this packet. WTPs with multiple radios but a single MAC Address use this field to indicate which radio is associated with the packet. 3.1.3 C Bit The Control Message 'C' bit indicates whether this packet carries a data or control message. When this bit is zero (0), the packet carries an LWAPP data message in the payload (see Section 4.1). When this bit is one (1), the packet carries an LWAPP control message as defined in section Section 4.2 for consumption by the addressed destination. 3.1.4 F Bit The Fragment 'F' bit indicates whether this packet is a fragment. Calhoun, et al. Expires October 2, 2005 [Page 20] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 When this bit is one (1), the packet is a fragment and MUST be combined with the other corresponding fragments to reassemble the complete information exchanged between the WTP and AC. 3.1.5 L Bit The Not Last 'L' bit is valid only if the 'F' bit is set and indicates whether the packet contains the last fragment of a fragmented exchange between WTP and AC. When this bit is 1, the packet is not the last fragment. When this bit is 0, the packet is the last fragment. 3.1.6 Fragment ID An 8 bit field whose value is assigned to each group of fragments making up a complete set. The fragment ID space is managed individually for every WTP/AC pair. The value of Fragment ID is incremented with each new set of fragments. The Fragment ID wraps to zero after the maximum value has been used to identify a set of fragments. LWAPP only supports up to 2 fragments per frame. 3.1.7 Length The 16 bit length field contains the number of bytes in the Payload. The field is encoded as an unsigned number. If the LWAPP packet is encrypted, the length field includes the AES-CCM MIC (see Section 10.2 for more information). 3.1.8 Status and WLANS The interpretation of this 16 bit field is binding specific. Refer to the transport portion of the binding for a wireless technology for the specification. 3.1.9 Payload This field contains the header for an LWAPP Data Message or LWAPP Control Message, followed by the data associated with that message. 3.2 Using IEEE 802.3 MAC as LWAPP transport This section describes how the LWAPP protocol is provided over native ethernet frames. An LWAPP packet is formed from the MAC frame header followed by the LWAPP message header. The following figure provides an example of the frame formats used when LWAPP is used over the IEEE 802.3 transport. Calhoun, et al. Expires October 2, 2005 [Page 21] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Layer 2 LWAPP Data Frame +-----------------------------------------------------------+ | MAC Header | LWAPP Header [C=0] | Forwarded Data ... | +-----------------------------------------------------------+ Layer 2 LWAPP Control Frame +---------------------------------------------------+ | MAC Header | LWAPP Header [C=1] | Control Message | +---------------------------------------------------+ | Message Elements ... | +----------------------+ 3.2.1 Framing Source Address A MAC address belonging to the interface from which this message is sent. If multiple source addresses are configured on an interface, then the one chosen is implementation dependent. Destination Address A MAC address belonging to the interface to which this message is to be sent. This destination address MAY be either an individual address or a multicast address, if more than one destination interface is intended. Ethertype The Ethertype field is set to 0x88bb. 3.2.2 AC Discovery When run over IEEE 802.3, LWAPP messages are distributed to a specific MAC level broadcast domain. The AC discovery mechanism used with this transport is for an WTP to transmit a Discovery Request message to a broadcast destination MAC address. The ACs will receive this message and reply based on their policy. 3.2.3 LWAPP Message Header format over IEEE 802.3 MAC transport All of the fields described in Section 3.1 are used when LWAPP uses the IEEE 802.3 MAC transport. 3.2.4 Fragmentation/Reassembly Fragmentation at the MAC layer is managed using the F,L and Frag ID Calhoun, et al. Expires October 2, 2005 [Page 22] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 fields of the LWAPP message header. The LWAPP protocol only allows a single packet to be fragmented into 2, which is sufficient for a frame that exceeds MTU due to LWAPP encapsulation. When used with layer 2 (Ethernet) transport, both fragments MUST include the LWAPP header. 3.2.5 Multiplexing LWAPP control messages and data messages are distinguished by the C Bit in the LWAPP message header. 3.3 Using IPv4/UDP as LWAPP transport This section defines how LWAPP makes use of IPV4/UDP transport between the WTP and the AC. When this transport is used, the MAC layer is controlled by the IPv4 stack, and there are therefore no special MAC layer requirements. The following figure provides an example of the frame formats used when LWAPP is used over the IPv4/UDP transport. Layer 3 LWAPP Data Frame +--------------------------------------------+ | MAC Header | IP | UDP | LWAPP Header [C=0] | +--------------------------------------------+ |Forwarded Data ... | +-------------------+ Layer 3 LWAPP Control Frame +--------------------------------------------+ | MAC Header | IP | UDP | LWAPP Header [C=1] | +--------------------------------------------+ | Control Message | Message Elements ... | +-----------------+----------------------+ 3.3.1 Framing Communication between WTP and AC is established according to the standard UDP client/server model. The connection is initiated by the WTP (client) to the well-known UDP port of the AC (server) used for control messages. This UDP port number of the AC is 12222 for LWAPP data and 12223 for LWAPP control frames. 3.3.2 AC Discovery When LWAPP is run over routed IPv4 networks, the WTP and the AC do not need to reside in the same IP subnet (broadcast domain). However, in the event the peers reside on separate subnets, there Calhoun, et al. Expires October 2, 2005 [Page 23] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 must exist a mechanism for the WTP to discover the AC. As the WTP attempts to establish communication with the AC, it sends the Discovery Request message and receives the corresponding response message from the AC. The WTP must send the Discovery Request message to either the limited broadcast IP address (255.255.255.255), a well known multicast address or to the unicast IP address of the AC. Upon receipt of the message, the AC issues a Discovery Response message to the unicast IP address of the WTP, regardless of whether Discovery Request was sent as a broadcast, multicast or unicast message. Whether the WTP uses a limited IP broadcast, multicast or unicast IP address is implementation dependent. In order for a WTP to transmit a Discovery Request to a unicast address, the WTP must first obtain the IP address of the AC. Any static configuration of an AC's IP address on the WTP non-volatile storage is implementation dependent. However, additional dynamic schemes are possible, for example: DHCP: A comma delimited ASCII encoded list of AC IP addresses is embedded inside a DHCP vendor specific option 43 extension. An example of the actual format of the vendor specific payload is of the form "10.1.1.1, 10.1.1.2". DNS: The DNS name "LWAPP-AC-Address" MAY be resolvable to or more AC addresses 3.3.3 LWAPP Message Header format over IPv4/UDP transport All of the fields described in Section 3.1 are used when LWAPP uses the IPv4/UDP transport, with the following exceptions: 3.3.3.1 F Bit This flag field is not used with this transport, and MUST be set to zero. 3.3.3.2 L Bit This flag field is not used with this transport, and MUST be set to zero. 3.3.3.3 Frag ID This field is not used with this transport, and MUST be set to zero. 3.3.4 Fragmentation/Reassembly When LWAPP is implemented at L3, the transport layer uses IP Calhoun, et al. Expires October 2, 2005 [Page 24] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 fragmentation to fragment and reassemble LWAPP messages that are longer than MTU size used by either WTP or AC. The details of IP fragmentation are covered in [8]. When used with the IP transport, only the first fragment would include the LWAPP header [ed: IP fragmentation may raise security concerns and bring additional configuration requirements for certain firewalls and NATs. One alternative is to re-use the layer 2 (application layer) fragmentation reassembly. Comments are welcomed.] 3.3.5 Multiplexing LWAPP messages convey control information between WTP and AC, as well as binding specific data frames or binding specific management frames. As such, LWAPP messages need to be multiplexed in the transport sub-layer and be delivered to the proper software entities in the endpoints of the protocol. However, the 'C' bit is still used to differentiate between data and control frames. In case of Layer 3 connection, multiplexing is achieved by use of different UDP ports for control and data packets (see Section 3.3.1. As part of Join procedure, the WTP and AC may negotiate different IP Addresses for data or control messages. The IP Address returned in the AP Manager Control IP Address message element is used to inform the WTP with the IP address to which it must sent all control frames. The AP Manager Data IP Address message element MAY be present only if the AC has a different IP Address which the WTP is to use to send its data LWAPP frames. In the event the WTP and AC are separated by a NAT, with the WTP using private IP address space, it is the responsibility of the NAT to manage appropriate UDP port mapping. Calhoun, et al. Expires October 2, 2005 [Page 25] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 4. LWAPP Packet Definitions This section contains the packet types and format. The LWAPP protocol is designed to be transport agnostic by specifying packet formats for both MAC frames and IP packets. An LWAPP packet consists of an LWAPP Transport Layer packet header followed by an LWAPP message. Transport details can be found in Section 3. 4.1 LWAPP Data Messages An LWAPP data message is a forwarded wireless frame. When forwarding wireless frames, the sender simply encapsulates the wireless frame in an LWAPP data packet, using the appropriate transport rules defined in section Section 3. In the event that the encapsulated frame would exceed the transport layer's MTU, the sender is responsible for the fragmentation of the frame, as specified in the transport specific section of Section 3. The actual format of the encapsulated LWAPP data frame is subject to the rules defined under the specific wireless technology binding. 4.2 LWAPP Control Messages Overview The LWAPP Control protocol provides a control channel between the WTP and the AC. The control channel is the series of control messages between the WTP and AC, associated with a session ID and key. Control messages are divided into the following distinct message types: Discovery: LWAPP Discovery messages are used to identify potential ACs, their load and capabilities. Control Channel Management: Messages that fall within this classification are used for the discovery of ACs by the WTPs as well as the establishment and maintenance of an LWAPP control channel. WTP Configuration: The WTP Configuration messages are used by the AC to push a specific configuration to the WTPs it has a control channel with. Messages that deal with the retrieval of statistics from the WTP also fall in this category. Mobile Session Management: Mobile session management messages are used by the AC to push specific mobile policies to the WTP. Firmware Management: Messages in this category are used by the AC to push a new firmware image down to the WTP. Control Channel, WTP Configuration and Mobile Session Management MUST be implemented. Firmware Management MAY be implemented. Calhoun, et al. Expires October 2, 2005 [Page 26] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 In addition, technology specific bindings may introduce new control channel commands that depart from the above list. 4.2.1 Control Message Format All LWAPP control messages are sent encapsulated within the LWAPP header (see Section 3.1). Immediately following the header, is the LWAPP control header, which has the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Message Type | Seq Num | Msg Element Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Session ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Msg Element [0..N] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4.2.1.1 Message Type The Message Type field identifies the function of the LWAPP control message. The valid values for Message Type are the following: Calhoun, et al. Expires October 2, 2005 [Page 27] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Description Value Discovery Request 1 Discovery Response 2 Join Request 3 Join Response 4 Join ACK 5 Join Confirm 6 Unused 7-9 Configure Request 10 Configure Response 11 Configuration Update Request 12 Configuration Update Response 13 WTP Event Request 14 WTP Event Response 15 Change State Event Request 16 Change State Event Response 17 Unused 18-21 Echo Request 22 Echo Response 23 Image Data Request 24 Image Data Response 25 Reset Request 26 Reset Response 27 Unused 28-29 Key Update Request 30 Key Update Response 31 Primary Discovery Request 32 Primary Discovery Response 33 Data Transfer Request 34 Data Transfer Response 35 Clear Config Indication 36 WLAN Config Request 37 WLAN Config Response 38 Mobile Config Request 39 Mobile Config Response 40 4.2.1.2 Sequence Number The Sequence Number Field is an identifier value to match request/response packet exchanges. When an LWAPP packet with a request message type is received, the value of the sequence number field is copied into the corresponding response packet. When an LWAPP control frame is sent, its internal sequence number counter is monotonically incremented, ensuring that no two requests pending have the same sequence number. This field will wrap back to zero. Calhoun, et al. Expires October 2, 2005 [Page 28] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 4.2.1.3 Message Element Length The Length field indicates the number of bytes following the Session ID field. If the LWAPP packet is encrypted, the length field includes the AES-CCM MIC (see Section 10.2 for more information). 4.2.1.4 Session ID The Session ID is a 32-bit unsigned integer that is used to identify the security context for encrypted exchanges between the WTP and the AC. Note that a Session ID is a random value that MUST be unique between a given AC and any of the WTP it may be communicating with. 4.2.1.5 Message Element[0..N] The message element(s) carry the information pertinent to each of the control message types. Every control message in this specification specifies which message elements are permitted. 4.2.2 Message Element Format The message element is used to carry information pertinent to a control message. Every message element is identified by the Type field, whose numbering space is managed via IANA (see Section 15). The total length of the message elements is indicated in the Message Element Length field. All of the message element definitions in this document use a diagram similar to the one below in order to depict its format. Note that in order to simplify this specification, these diagrams do not include the header fields (Type and Length). However, in every message element description, the header's fields values will be defined. Note that additional message elements may be defined in separate IETF documents. The format of a message element uses the TLV format shown here: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Value ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Where Type (8 bit) identifies the character of the information carried in the Value field and Length (16 bits) indicates the number of bytes in the Value field. Calhoun, et al. Expires October 2, 2005 [Page 29] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 4.2.2.1 Generic Message Elements This section includes message elements that are not bound to a specific control message. 4.2.2.1.1 Vendor Specific The Vendor Specific Payload is used to communicate vendor specific information between the WTP and the AC. The value contains the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Vendor Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Element ID | Value... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 104 for Vendor Specific Length: >= 7 Vendor Identifier: A 32-bit value containing the IANA assigned "SMI Network Management Private Enterprise Codes" [11] Element ID: A 16-bit Element Identifier which is managed by the vendor. Value: The value associated with the vendor specific element. Calhoun, et al. Expires October 2, 2005 [Page 30] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 5. LWAPP Discovery Operations The Discovery messages are used by an WTP to determine which ACs are available to provide service, as well as the capabilities and load of the ACs. 5.1 Discovery Request The Discovery Request is used by the WTP to automatically discover potential ACs available in the network. An WTP must transmit this command even if it has a statically configured AC, as it is a required step in the LWAPP state machine. Discovery Requests MUST be sent by an WTP in the Discover state after waiting for a random delay less than MaxDiscoveryInterval, after an WTP first comes up or is (re)initialized. An WTP MUST send no more than a maximum of MaxDiscoveries discoveries, waiting for a random delay less than MaxDiscoveryInterval between each successive discovery. This is to prevent an explosion of WTP Discoveries. An example of this occurring would be when many WTPs are powered on at the same time. Discovery requests MUST be sent by an WTP when no echo responses are received for NeighborDeadInterval and the WTP returns to the Idle state. Discovery requests are sent after NeighborDeadInterval, they MUST be sent after waiting for a random delay less than MaxDiscoveryInterval. An WTP MAY send up to a maximum of MaxDiscoveries discoveries, waiting for a random delay less than MaxDiscoveryInterval between each successive discovery. If a discovery response is not received after sending the maximum number of discovery requests, the WTP enters the Sulking state and MUST wait for an interval equal to SilentInterval before sending further discovery requests. The Discovery Request message may be sent as a unicast, broadcast or multicast message. Upon receiving a discovery request, the AC will respond with a Discovery Response sent to the address in the source address of the received discovery request. The following subsections define the message elements that MUST be included in this LWAPP operation. Calhoun, et al. Expires October 2, 2005 [Page 31] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 5.1.1 Discovery Type The Discovery message element is used to configure an WTP to operate in a specific mode. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Discovery Type| +-+-+-+-+-+-+-+-+ Type: 58 for Discovery Type Length: 1 Discovery Type: An 8-bit value indicating how the AC was discovered. The following values are supported: 0 - Broadcast 1 - Configured 5.1.2 WTP Descriptor The WTP descriptor message element is used by the WTP to communicate it's current hardware/firmware configuration. The value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Hardware Version | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Software Version | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Boot Version | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Max Radios | Radios in use | Encryption Capabilities | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 3 for WTP Descriptor Length: 16 Hardware Version: A 32-bit integer representing the WTP's hardware version number Software Version: A 32-bit integer representing the WTP's Firmware version number Boot Version: A 32-bit integer representing the WTP's boot loader's version number Max Radios: An 8-bit value representing the number of radios (where each radio is identified via the RID field) supported by the WTP Calhoun, et al. Expires October 2, 2005 [Page 32] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Radios in use: An 8-bit value representing the number of radios present in the WTP Encryption Capabilities: This 16-bit field is used by the WTP to communicate it's capabilities to the AC. Since most WTPs support link layer encryption, the AC may make use of these services. There are binding dependent encryption capabilites. An WTP that does not have any encryption capabilities would set this field to zero (0). Refer to the specific binding for the specification. 5.1.3 WTP Radio Information The WTP radios information message element is used to communicate the radio information in a specific slot. The Discovery Request MUST include one such message element per radio in the WTP. The Radio-Type field is used by the AC in order to determine which technology specific binding is to be used with the WTP. The value contains two fields, as shown. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Radio Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 4 for WTP Radio Information Length: 2 Radio ID: The Radio Identifier, typically refers to some interface index on the WTP Radio Type: The type of radio present. The following values are supported 1 - 802.11bg: An 802.11bg radio. 2 - 802.11a: An 802.11a radio. 3 - 802.16: An 802.16 radio. 4 - Ultra Wideband: An UWB radio. 7 - all: Used to specify all radios in the WTP. 5.2 Discovery Response The Discovery Response is a mechanism by which an AC advertises its services to requesting WTPs. Discovery Responses are sent by an AC after receiving a Discovery Request. When an WTP receives a Discovery Response, it MUST wait for an interval not less than DiscoveryInterval for receipt of additional Discovery Responses. After the DiscoveryInterval elapses, the WTP Calhoun, et al. Expires October 2, 2005 [Page 33] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 enters the Joining state and will select one of the ACs that sent a Discovery Response and send a Join Request to that AC. The following subsections define the message elements that MUST be included in this LWAPP operation. 5.2.1 AC Address The AC address message element is used to communicate the identity of the AC. The value contains two fields, as shown. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 2 for AC Address Length: 7 Reserved: MUST be set to zero Mac Address: The MAC Address of the AC 5.2.2 AC Descriptor The AC payload message element is used by the AC to communicate it's current state. The value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved | Hardware Version ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | HW Ver | Software Version ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SW Ver | Stations | Limit | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Limit | Radios | Max Radio | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Max Radio | Security | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 6 for AC Descriptor Length: 17 Calhoun, et al. Expires October 2, 2005 [Page 34] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Reserved: MUST be set to zero Hardware Version: A 32-bit integer representing the AC's hardware version number Software Version: A 32-bit integer representing the AC's Firmware version number Stations: A 16-bit integer representing number of mobile stations currently associated with the AC Limit: A 16-bit integer representing the maximum number of stations supported by the AC Radios: A 16-bit integer representing the number of WTPs currently attached to the AC Max Radio: A 16-bit integer representing the maximum number of WTPs supported by the AC Security: A 8 bit bit mask specifying the security schemes supported by the AC. The following values are supported: 1 - X.509 Certificate Based (Section 10.3.1) 2 - Pre-Shared Secret (Section 10.3.2) 5.2.3 AC Name The AC name message element contains an ASCII representation of the AC's identity. The value is a variable length byte string. The string is NOT zero terminated. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Name ... +-+-+-+-+-+-+-+-+ Type: 31 for AC Name Length: > 0 Name: A variable length ASCII string containing the AC's name 5.2.4 WTP Manager Control IP Address The WTP Manager Control IP Address message element is sent by the AC to the WTP during the discovery process and is used by the AC to provide the interfaces available on the AC, and their current load. This message elemenet is useful for the WTP to perform load balancing across multiple interfaces. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | WTP Count | Calhoun, et al. Expires October 2, 2005 [Page 35] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 99 for WTP Manager Control IP Address Length: 6 IP Address: The IP Address of an interface. WTP Count: The number of WTPs currently connected to the interface. 5.3 Primary Discovery Request The Primary Discovery Request is sent by the WTP in order to determine whether its preferred (or primary) AC is available. Primary Discovery Request are sent by an WTP when it has a primary AC configured, and is connected to another AC. This generally occurs as a result of a failover, and is used by the WTP as a means to discover when its primary AC becomes available. As a consequence, this message is only sent by a WTP when it is in the Run state. The frequency of the Primary Discovery Requests should be no more often than the sending of the Echo Request message. Upon receiving a discovery request, the AC will respond with a Primary Discovery Response sent to the address in the source address of the received Primary Discovery Request. The following subsections define the message elements that MUST be included in this LWAPP operation. 5.3.1 Discovery Type The Discovery Type message element is defined in section Section 5.1.1. 5.3.2 WTP Descriptor The WTP Descriptor message element is defined in section Section 5.1.2. 5.3.3 WTP Radio Information An WTP Radio Information message element must be present for every radio in the WTP. This message element is defined in section Section 5.1.3. 5.4 Primary Discovery Response The Primary Discovery Response is a mechanism by which an AC advertises its availability and services to requesting WTPs that are Calhoun, et al. Expires October 2, 2005 [Page 36] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 configured to have the AC as its primary AC. Primary Discovery Responses are sent by an AC after receiving a Primary Discovery Request. When an WTP receives a Primary Discovery Response, it may opt to establish an LWAPP connection to its primary AC, based on the configuration of the WTP Fallback Status message element on the WTP. The following subsections define the message elements that MUST be included in this LWAPP operation. 5.4.1 AC Descriptor The Discovery Type message element is defined in section Section 5.2.2. 5.4.2 AC Name The AC Name message element is defined in section Section 5.2.3. 5.4.3 WTP Manager Control IP Address An WTP Radio Information message element must be present for every radio in the WTP. This message element is defined in section Section 5.2.4. Calhoun, et al. Expires October 2, 2005 [Page 37] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 6. Control Channel Management The Control Channel Management messages are used by the WTP and AC to create and maintain a channel of communication on which various other commands may be transmitted, such as configuration, firmware update, etc. 6.1 Join Request The Join Request is used by an WTP to inform an AC that it wishes to provide services through it. Join Requests are sent by an WTP in the Joining state after receiving one or more Discovery Responses. The Join Request is also used as an MTU discovery mechanism by the WTP. The WTP issues a Join Request with a Test message element, bringing the total size of the message to exceed MTU. If the transport used does not provide MTU path discovery, the initial Join Request is padded with the Test message element to 1596 bytes. If a Join Response is received, the WTP can forward frames without requiring any fragmentation. If no Join Response is received, it issues a second Join Request padded with the Test payload to a total of 1500 bytes. The WTP continues to cycle from large (1596) to small (1500) packets until a Join Response has been received , or until both packets sizes have been retransmitted 3 times . If the Join Response is not received after the maximum number of retransmissions, the WTP MUST abandon the AC and restart the discovery phase. When an AC receives a Join Request it will respond with a Join Response. If the certificate based security mechanism is used, the AC validates the certificate found in the request. If valid, the AC generates a session key which will be used to secure the control frames it exchanges with the WTP. When the AC issues the Join Response, the AC creates a context for the session with the WTP. If the pre-shared session key security mechanism is used, the AC saves the WTP's nonce, found in the WNonce message element, creates its own nonce which it includes in the ANonce message element. Finally, the AC creates the PSK-MIC, which is computed using a key that is derived from the PSK. A Join Request that includes both a WNonce and a Certificate message element MUST be considered invalid. Details on the key generation is found in Section 10. Calhoun, et al. Expires October 2, 2005 [Page 38] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 The following subsections define the message elements that MUST be included in this LWAPP operation. 6.1.1 WTP Descriptor The WTP Descriptor message element is defined in section Section 5.1.2. 6.1.2 AC Address The AC Address message element is defined in section Section 5.2.1. 6.1.3 WTP Name The WTP name message element value is a variable length byte string. The string is NOT zero terminated. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Name ... +-+-+-+-+-+-+-+-+ Type: 5 for WTP Name Length: > 0 Name: A non zero terminated string containing the WTP's name. 6.1.4 Location Data The location data message element is a variable length byte string containing user defined location information (e.g. "Next to Fridge"). The string is NOT zero terminated. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Location ... +-+-+-+-+-+-+-+-+ Type: 35 for Location Data Length: > 0 Location: A non zero terminated string containing the WTP's location. 6.1.5 WTP Radio Information An WTP Radio Information message element must be present for every radio in the WTP. This message element is defined in section Calhoun, et al. Expires October 2, 2005 [Page 39] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Section 5.1.3. 6.1.6 Certificate The certificate message element value is a byte string containing a DER-encoded x.509v3 certificate. This message element is only included if the LWAPP security type used between the WTP and the AC makes use of certificates (see Section 10 for more information). 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Certificate... +-+-+-+-+-+-+-+-+ Type: 44 for Certificate Length: > 0 Certificate: A non zero terminated string containing the device's certificate. 6.1.7 Session ID The session ID message element value contains a randomly generated [4] unsigned 32-bit integer. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Session ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 45 for Session ID Length: 4 Session ID: 32 bit random session identifier. 6.1.8 Test The test message element is used as padding to perform MTU discovery, and MAY contain any value, of any length. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Padding ... +-+-+-+-+-+-+-+-+ Calhoun, et al. Expires October 2, 2005 [Page 40] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Type: 18 for Test Length: > 0 Padding: A variable length pad. 6.1.9 WNonce The wnonce message element is sent by a WTP that is configured to make use of the pre-shared key security mechanism. See Section 10.3.2 for more information. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 107 for WNonce Length: 16 Nonce: A 16 octet random nonce. 6.1.10 DH-Params The DH-Params message element is used in order for the WTP and the AC to perform a Diffie Hellman exchange. This message element contains the g, p, g^x mod p - where x is the exponent chosen by the sender. See Section 10.3.2 for more information. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, et al. Expires October 2, 2005 [Page 41] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Type: 111 for DH-Params Length: 16 Nonce: Contains g, p, g^x mod p, where 'x' is the exponent chosen by the sender. 6.2 Join Response The Join Response is sent by the AC to indicate to an WTP whether it is capable and willing to provide service to it. Join Responses are sent by the AC after receiving a Join Request. Once the Join Response has been sent, the heartbeat timer is initiated for the session to EchoInterval. Expiration of the timer will result in deletion of the AC-WTP session. The timer is refreshed upon receipt of the Echo Request. If the security method used is certificate based, when a WTP receives a Join Response it enters the Joined state and initiates either a Configure Request or Image Data to the AC to which it is now joined. Upon entering the Joined state, the WTP begins timing an interval equal to NeighborDeadInterval. Expiration of the timer will result in the transmission of the Echo Request. If the security method used is pre-shared secret based, when a WTP receives a Join Response that includes a valid PSK-MIC message element, it responds with a Join ACK that also MUST include a locally computed PSK-MIC message element. The following subsections define the message elements that MUST be included in this LWAPP operation. 6.2.1 Result Code The Result Code message element value is a 32-bit integer value, indicating the result of the request operation corresponding to the sequence number in the message. The Result Code is included in a successful Join Response. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Result Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 2 for Result Code Calhoun, et al. Expires October 2, 2005 [Page 42] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Length: 4 Result Code: The following values are defined: 0 Success 1 Failure (AC List message element MUST be present) 6.2.2 Status The Status message element is sent by the AC to the WTP in a non-successful Join Response message. This message element is used to indicate the reason for the failure and should only be accompanied with a Result Code message element that indicates a failure. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Status | +-+-+-+-+-+-+-+-+ Type: 60 for Status Length: 1 Status: The status field indicates the reason for an LWAPP failure. The following values are supported: 1 - Reserved - do not use 2 - Resource Depletion 3 - Unknown Source 4 - Incorrect Data 6.2.3 Certificate The Certificate message element is defined in section Section 6.1.6. Note this message element is only included if the WTP and the AC make use of certificate based security as defined in section Section 10. 6.2.4 Session Key The Session Key message element is sent by the AC to the WTP and includes the randomly generated session key, which is used to protect the LWAPP control messages. More details are available in Section 10. The value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Security | Session Key .... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, et al. Expires October 2, 2005 [Page 43] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Type: 46 for Session Key Length: > 1 Security: The LWAPP security model used. The following values are supported: 0 - Unused 1 - X.509 Certificate Based (Section 10.3.1) 2 - Pre-Shared Secret (Section 10.3.2) Session Key: An Encrypted Session Key. The encryption procedures used for this field depends upon the security model used, which are defined in section Section 10. 6.2.5 WTP Manager Data IP Address The WTP Manager Data IP Address message element is optionally sent by the AC to the WTP during the join phase. If present, the IP Address contained in this message element is the address the WTP is to use when sending any of its LWAPP data frames. Note this message element is only valid when LWAPP uses the IP/UDP layer 3 transport 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: TBD for WTP Manager Data IP Address Length: 4 IP Address: The IP Address of an interface. 6.2.6 AC List The AC List message element is used to configure an WTP with the latest list of ACs in a cluster. This message element MUST be included if the Join Response returns a failure indicating that the AC cannot handle the WTP at this time, allowing the WTP to find an alternate AC to connect to. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AC IP Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, et al. Expires October 2, 2005 [Page 44] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Type: 59 for AC List Length: >= 4 AC IP Address: An array of 32-bit integers containing an AC's IP Address. 6.2.7 ANonce The anonce message element is sent by a AC that is configured to make use of the pre-shared key security method. See Section 10.3.2 for more information. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 108 for Test Length: 16 Nonce: A 16 octet random nonce. 6.2.8 PSK-MIC The PSK-MIC message element includes a message integrity check, whose purpose is to provide confirmation to the peer that the sender has the proper session key. This message element is only included if the security method used between the WTP and the AC is the pre-shared secret mechanism. See Section 10.3.2 for more information. When present, the PSK-MIC message element MUST be the last message element in the message. The MIC is computed over the complete LWAPP packet, from the LWAPP control header as defined in Section 4.2.1 to the end of the packet (which MUST be this PSK-MIC message element). The MIC field in this message element and the sequence number field in the LWAPP control header MUST be set to zeroes prior to computing the MIC. The length field in the LWAPP control header must already include this message element prior to computing the MIC. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SPI | MIC ... Calhoun, et al. Expires October 2, 2005 [Page 45] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 109 for PSK-MIC Length: > 1 SPI: The SPI field specifies the cryptographic algorithm used to create the message integrity check. The following values are supported: 0 - Unused 1 - HMAC-SHA-1 (RFC 2104 [14]) MIC: A 20 octet Message Integrity Check. 6.2.9 DH-Params The Certificate message element is defined in section Section 6.1.10. Note this message element is only included if the WTP and the AC make use of pre-shared key based security as defined in section Section 10.3.2. 6.3 Join ACK The Join ACK message is sent by the WTP upon receiving a Join Response, which has a valid PSK-MIC message element, as a means of providing key confirmation to the AC. The Join ACK is only used in the case where the WTP makes use of the pre-shared key LWAPP mode (See Section 10.3.2 for more information). Note that the AC should never receive this message unless the security method used between the WTP and the AC is pre-shared secret based. The following subsections define the message elements that MUST be included in this LWAPP operation. 6.3.1 Session ID The Session ID message element is defined in section Section 6.1.7. 6.3.2 WNonce The WNonce message element is defined in section Section 6.1.9. 6.3.3 PSK-MIC The PSK-MIC message element is defined in section Section 6.2.8. 6.4 Join Confirm The Join Confirm message is sent by the AC upon receiving a Join ACK, Calhoun, et al. Expires October 2, 2005 [Page 46] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 which has a valid PSK-MIC message element, as a means of providing key confirmation to the WTP. The Join Confirm is only used in the case where the WTP makes use of the pre-shared key LWAPP mode (See Section 10.3.2 for more information). If the security method used is pre-shared key based, when an WTP receives a Join Confirm it enters the Joined state and initiates either a Configure Request or Image Data to the AC to which it is now joined. Upon entering the Joined state, the WTP begins timing an interval equal to NeighborDeadInterval. Expiration of the timer will result in the transmission of the Echo Request. This message is never received, or sent, when the security type used between the WTP and the AC is certificated based. The following subsections define the message elements that MUST be included in this LWAPP operation. 6.4.1 Session ID The Session ID message element is defined in section Section 6.1.7. 6.4.2 ANonce The ANonce message element is defined in section Section 6.2.7. 6.4.3 PSK-MIC The PSK-MIC message element is defined in section Section 6.2.8. 6.5 Echo Request The Echo Request message is a keepalive mechanism for the LWAPP control message. Echo Requests are sent periodically by an WTP in the Run state (see Figure 2) to determine the state of the connection between the WTP and the AC. The Echo Request is sent by the WTP when the Heartbeat timer expires, and it MUST start its NeighborDeadInterval timer. The Echo Request carries no message elements. When an AC receives an Echo Request it responds with an Echo Response. 6.6 Echo Response The Echo Response acknowledges the Echo Request, and are only Calhoun, et al. Expires October 2, 2005 [Page 47] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 accepted while in the Run state (see Figure 2). Echo Responses are sent by an AC after receiving an Echo Request. After transmitting the Echo Response, the AC should reset its Heartbeat timer to expire in the value configured for EchoInterval. If another Echo request is not received by the AC when the timer expires, the AC SHOULD consider the WTP to no longer be reachable. The Echo Response carries no message elements. When an WTP receives an Echo Response it stops the NeighborDeadInterval timer, and starts the Heartbeat timer to EchoInterval. If the NeighborDeadInterval timer expires prior to receiving an Echo Response, the WTP enters the Idle state. 6.7 Key Update Request The Key Update Request updates the LWAPP session key used to secure messages between the WTP and the AC. Key Update Requests are sent by an WTP in the Run state to update a session key. The Session ID message element MUST include a new session identifier. When an AC receives a Key Update Request it generates a new key (see Section 10) and responds with a Key Update Response. The following subsections define the message elements that MUST be included in this LWAPP operation. 6.7.1 Session ID The Session ID message element is defined in section Section 6.1.7. 6.8 Key Update Response The Key Update Response updates the LWAPP session key used to secure messages between the WTP and the AC, and acknowledges the Key Update Request. Key Update Responses are sent by a AC after receiving a Key Update Request. The Key Update Responses is secured using public key cryptography when certificates were used in the Join Request/Response exchange. However, the session keys are AES Key-wrapped when the AC and WTP invoked PSK-mode to establish the first session key. Calhoun, et al. Expires October 2, 2005 [Page 48] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 When an WTP receives a Key Update Response it will use the information contained in the Session Key message element to determine the keying material used to encrypt the LWAPP communications between the WTP and the AC. The following subsections define the message elements that MUST be included in this LWAPP operation. 6.8.1 Session Key The Session Key message element is defined in section Section 6.2.4. 6.9 Key Update Trigger The Key Update Trigger is used by the AC to request that a Key Update Request be initiated by the WTP. Key Update Trigger are sent by an AC in the Run state to inform the WTP to initiate a Key Update Request message. When a WTP receives a Key Update Trigger it generates a key Update Request. The following subsections define the message elements that MUST be included in this LWAPP operation. 6.9.1 Session ID The Session ID message element is defined in section Section 6.1.7. Calhoun, et al. Expires October 2, 2005 [Page 49] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 7. WTP Configuration Management The Wireless Termination Point Configuration messages are used to exchange configuration between the AC and the WTP. 7.1 Configure Request The Configure Request message is sent by an WTP to send its current configuration to its AC. Configure Requests are sent by an WTP after receiving a Join Response, while in the Configure state. The Configure Request carries binding specific message elements. Refer to the appropriate binding for the definition of this structure. When an AC receives a Configure Request it will act upon the content of the packet and respond to the WTP with a Configure Response. The Configure Request includes multiple Administrative State message Elements. There is one such message element for the WTP, and then one per radio in the WTP. The following subsections define the message elements that MUST be included in this LWAPP operation. 7.1.1 Administrative State The administrative event message element is used to communicate the state of a particular radio. The value contains the following fields. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Admin State | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 27 for Administrative State Length: 2 Radio ID: An 8-bit value representing the radio to configure. The Radio ID field may also include the value of 0xff, which is used to identify the WTP itself. Therefore, if an AC wishes to change the administrative state of an WTP, it would include 0xff in the Radio ID field. Calhoun, et al. Expires October 2, 2005 [Page 50] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Admin State: An 8-bit value representing the administrative state of the radio. The following values are supported: 1 - Enabled 2 - Disabled 7.1.2 AC Name The AC Name message element is defined in section Section 5.2.3. 7.1.3 AC Name with Index The AC Name with Index message element is sent by the AC to the WTP to configure preferred ACs. The number of instances where this message element would be present is equal to the number of ACs configured on the WTP. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Index | AC Name... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 90 for AC Name with Index Length: 5 Index: The index of the preferred server (e.g., 1=primary, 2=secondary). AC Name: A variable length ASCII string containing the AC's name. 7.1.4 WTP Board Data The WTP Board Data message element is sent by the WTP to the AC and contains information about the hardware present. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Card ID | Card Revision | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | WTP Model | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | WTP Model | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | WTP Serial Number ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ethernet MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, et al. Expires October 2, 2005 [Page 51] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 | Ethernet MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 50 for WTP Board Data Length: 26 Card ID: A hardware identifier. Card Revision: 4 byte Revision of the card. WTP Model: 8 byte WTP Model Number. WTP Serial Number: 24 byte WTP Serial Number. Reserved: A 4 byte reserved field that MUST be set to zero (0). Ethernet MAC Address: MAC Address of the WTP's Ethernet interface. 7.1.5 Statistics Timer The statistics timer message element value is used by the AC to inform the WTP of the frequency which it expects to receive updated statistics. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Statistics Timer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 37 for Statistics Timer Length: 2 Statistics Timer: A 16-bit unsigned integer indicating the time, in seconds 7.1.6 WTP Static IP Address Information The WTP Static IP Address Information message element is used by an AC to configure or clear a previously configured static IP address on an WTP. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Netmask | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Gateway | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Static | +-+-+-+-+-+-+-+-+ Calhoun, et al. Expires October 2, 2005 [Page 52] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Type: 82 for WTP Static IP Address Information Length: 13 IP Address: The IP Address to assign to the WTP. Netmask: The IP Netmask. Gateway: The IP address of the gateway. Netmask: The IP Netmask. Static: An 8-bit boolean stating whether the WTP should use a static IP address or not. A value of zero disables the static IP address, while a value of one enables it. 7.1.7 WTP Reboot Statistics The WTP Reboot Statistics message element is sent by the WTP to the AC to communicate information about reasons why reboots have occurred. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Crash Count | LWAPP Initiated Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Link Failure Count | Failure Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 67 for WTP Reboot Statistics Length: 7 Crash Count: The number of reboots that have occurred due to an WTP crash. LWAPP Initiated Count: The number of reboots that have occured at the request of some LWAPP message, such as a change in configuration that required a reboot or an explicit LWAPP reset request. Link Failure Count: The number of times that an LWAPP connection with an AC has failed. Failure Type: The last WTP failure. The following values are supported: 0 - Link Failure 1 - LWAPP Initiated 2 - WTP Crash 7.2 Configure Response The Configure Response message is sent by an AC and provides an opportunity for the AC to override an WTP's requested configuration. Configure Responses are sent by an AC after receiving a Configure Request. Calhoun, et al. Expires October 2, 2005 [Page 53] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 The Configure Response carries binding specific message elements. Refer to the appropriate binding for the definition of this structure. When an WTP receives a Configure Response it acts upon the content of the packet, as appropriate. If the Configure Response message includes a Change State Event message element that causes a change in the operational state of one of the Radio, the WTP will transmit a Change State Event to the AC, as an acknowledgement of the change in state. The following subsections define the message elements that MUST be included in this LWAPP operation. 7.2.1 Decryption Error Report Period The Decryption Error Report Period message element value is used by the AC to inform the WTP how frequently it should send decryption error report messages. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Report Interval | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 38 for Decryption Error Report Period Length: 3 Radio ID: The Radio Identifier, typically refers to some interface index on the WTP Report Interval: A 16-bit unsigned integer indicating the time, in seconds 7.2.2 Change State Event The WTP radios information message element is used to communicate the operational state of a radio. The value contains two fields, as shown. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | State | Cause | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, et al. Expires October 2, 2005 [Page 54] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Type: 26 for Change State Event Length: 3 Radio ID: The Radio Identifier, typically refers to some interface index on the WTP. State: An 8-bit boolean value representing the state of the radio. A value of one disables the radio, while a value of two enables it. Cause: In the event of a radio being inoperable, the cause field would contain the reason the radio is out of service. Cause: In the event of a radio being inoperable, the cause field would contain the reason the radio is out of service. The following values are supported: 0 - Normal 1 - Radio Failure 2 - Software Failure 7.2.3 LWAPP Timers The LWAPP Timers message element is used by an AC to configure LWAPP timers on an WTP. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Discovery | Echo Request | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 68 for LWAPP Timers Length: 2 Discovery: The number of seconds between LWAPP Discovery packets, when the WTP is in the discovery mode. Echo Request: The number of seconds between WTP Echo Request LWAPP messages. 7.2.4 AC List The AC List message element is defined in section Section 6.2.6. 7.2.5 WTP Fallback The WTP Fallback message element is sent by the AC to the WTP to enable or disable automatic LWAPP fallback in the event that an WTP detects its preferred AC, and is not currently connected to it. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Mode | Calhoun, et al. Expires October 2, 2005 [Page 55] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 +-+-+-+-+-+-+-+-+ Type: 91 for WTP Fallback Length: 1 Mode: The 8-bit boolean value indicates the status of automatic LWAPP fallback on the WTP. A value of zero disables the fallback feature, while a value of one enables it. When enabled, if the WTP detects that its primary AC is available, and it is not connected to it, it SHOULD automatically disconnect from its current AC and reconnect to its primary. If disabled, the WTP will only reconnect to its primary through manual intervention (e.g., through the Reset Request command). 7.2.6 Idle Timeout The Idle Timeout message element is sent by the AC to the WTP to provide it with the idle timeout that it should enforce on its active mobile station entries. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Timeout | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 97 for Idle Timeout Length: 4 Timeout: The current idle timeout to be enforced by the WTP. 7.3 Configuration Update Request Configure Update Requests are sent by the AC to provision the WTP while in the Run state. This is used to modify the configuration of the WTP while it is operational. When an AC receives a Configuration Update Request it will respond with a Configuration Update Response, with the appropriate Result Code. The following subsections define the message elements introduced by this LWAPP operation. 7.3.1 WTP Name The WTP Name message element is defined in section Section 6.1.3. Calhoun, et al. Expires October 2, 2005 [Page 56] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 7.3.2 Change State Event The Change State Event message element is defined in section Section 7.2.2. 7.3.3 Administrative State The Administrative State message element is defined in section Section 7.1.1. 7.3.4 Statistics Timer The Statistics Timer message element is defined in section Section 7.1.5. 7.3.5 Location Data The Location Data message element is defined in section Section 6.1.4. 7.3.6 Decryption Error Report Period The Decryption Error Report Period message element is defined in section Section 7.2.1. 7.3.7 AC List The AC List message element is defined in section Section 6.2.6. 7.3.8 Add Blacklist Entry The Add Blacklist Entry message element is used by an AC to add a blacklist entry on an WTP, ensuring that the WTP no longer provides any service to the MAC addresses provided in the message. The MAC Addresses provided in this message element are not expected to be saved in non-volative memory on the WTP. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Num of Entries| MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, et al. Expires October 2, 2005 [Page 57] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Type: 65 for Add Blacklist Entry Length: >= 7 Num of Entries: The number of MAC Addresses in the array. MAC Address: An array of MAC Addresses to add to the blacklist entry. 7.3.9 Delete Blacklist Entry The Delete Blacklist Entry message element is used by an AC to delete a previously added blacklist entry on an WTP, ensuring that the WTP provides service to the MAC addresses provided in the message. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Num of Entries| MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 66 for Delete Blacklist Entry Length: >= 7 Num of Entries: The number of MAC Addresses in the array. MAC Address: An array of MAC Addresses to delete from the blacklist entry. 7.3.10 Add Static Blacklist Entry The Add Static Blacklist Entry message element is used by an AC to add a permanent blacklist entry on an WTP, ensuring that the WTP no longer provides any service to the MAC addresses provided in the message. The MAC Addresses provided in this message element are expected to be saved in non-volative memory on the WTP. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Num of Entries| MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 70 for Delete Blacklist Entry Length: >= 7 Num of Entries: The number of MAC Addresses in the array. Calhoun, et al. Expires October 2, 2005 [Page 58] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 MAC Address: An array of MAC Addresses to add to the permanent blacklist entry. 7.3.11 Delete Static Blacklist Entry The Delete Static Blacklist Entry message element is used by an AC to delete a previously added static blacklist entry on an WTP, ensuring that the WTP provides service to the MAC addresses provided in the message. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Num of Entries| MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 71 for Delete Blacklist Entry Length: >= 7 Num of Entries: The number of MAC Addresses in the array. MAC Address: An array of MAC Addresses to delete from the static blacklist entry. 7.3.12 LWAPP Timers The LWAPP Timers message element is defined in section Section 7.2.3. 7.3.13 AC Name with Index The AC Name with Index message element is defined in section Section 7.1.3. 7.3.14 WTP Fallback The WTP Fallback message element is defined in section Section 7.2.5. 7.3.15 Idle Timeout The Idle Timeout message element is defined in section Section 7.2.6. 7.4 Configuration Update Response The Configuration Update Response is the acknowledgement message for the Configuration Update Request. Configuration Update Responses are sent by an WTP after receiving a Configuration Update Request. Calhoun, et al. Expires October 2, 2005 [Page 59] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 When an AC receives a Configure Update Response the result code indicates if the WTP successfully accepted the configuration. The following subsections define the message elements that must be present in this LWAPP operation. 7.4.1 Result Code The Result Code message element is defined in section Section 6.2.1. 7.5 Change State Event Request The Change State Event is used by the WTP to inform the AC of a change in the operational state. The Change State Event message is sent by the WTP when it receives a Configuration Response that includes a Change State Event message element. It is also sent in the event that the WTP detects an operational failure with a radio. The Change State Event may be sent in either the Configure or Run state (see Figure 2. When an AC receives a Change State Event it will respond with a Change State Event Response and make any necessary modifications to internal WTP data structures. The following subsections define the message elements that must be present in this LWAPP operation. 7.5.1 Change State Event The Change State Event message element is defined in section Section 7.2.2. 7.6 Change State Event Response The Change State Event Response acknowledges the Change State Event. Change State Event Response are sent by an WTP after receiving a Change State Event. The Change State Event Response carries no message elements. Its purpose is to acknowledge the receipt of the Change State Event. The WTP does not need to perform any special processing of the Change State Event Response message. Calhoun, et al. Expires October 2, 2005 [Page 60] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 7.7 Clear Config Indication The Clear Config Indication is used to reset an WTP's configuration. The Clear Config Indication is sent by an AC to request that an WTP reset its configuration to manufacturing defaults. The Clear Config Indication message is sent while in the Run LWAPP state. The Reset Request carries no message elements. When an WTP receives a Clear Config Indication it will reset its configuration to manufacturing defaults. Calhoun, et al. Expires October 2, 2005 [Page 61] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 8. Device Management Operations This section defines LWAPP operations responsible for debugging, gathering statistics, logging, and firmware management. 8.1 Image Data Request The Image Data Request is used to update firmware on the WTP. This message and its companion response are used by the AC to ensure that the image being run on each WTP is appropriate. Image Data Requests are exchanged between the WTP and the AC to download a new program image to an WTP. When an WTP or AC receives an Image Data Request it will respond with a Image Data Response. The format of the Image Data and Image Download message elements are described in the following subsections. 8.1.1 Image Download The image download message element is sent by the WTP to the AC and contains the image filename. The value is a variable length byte string. The string is NOT zero terminated. 8.1.2 Image Data The image data message element is present when sent by the AC and contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Opcode | Checksum | Image Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Image Data ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 33 for Image Data Length: >= 5 Opcode: An 8-bit value representing the transfer opcode. The following values are supported: 3 - Image data is included 5 - An error occurred. Transfer is aborted Calhoun, et al. Expires October 2, 2005 [Page 62] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Checksum: A 16-bit value containing a checksum of the image data that follows Image Data: The Image Data field contains 1024 characters, unless the payload being sent is the last one (end of file) 8.2 Image Data Response The Image Data Response acknowledges the Image Data Request. An Image Data Responses is sent in response to an Image Data Request. Its purpose is to acknowledge the receipt of the Image Data Request packet. The Image Data Response carries no message elements. No action is necessary on receipt. 8.3 Reset Request The Reset Request is used to cause an WTP to reboot. Reset Requests are sent by an AC to cause an WTP to reinitialize its operation. The Reset Request carries no message elements. When an WTP receives a Reset Request it will respond with a Reset Response and then reinitialize itself. 8.4 Reset Response The Reset Response acknowledges the Reset Request. Reset Responses are sent by an WTP after receiving a Reset Request. The Reset Response carries no message elements. Its purpose is to acknowledge the receipt of the Reset Request. When an AC receives a Reset Response it is notified that the WTP will now reinitialize its operation. 8.5 WTP Event Request WTP Event Request is used by an WTP to send an information to its AC. These types of events may be periodical, or some asynchronous event on the WTP. For instance, an WTP collects statistics and uses the WTP Event Request to transmit this information to the AC. Calhoun, et al. Expires October 2, 2005 [Page 63] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 When an AC receives a WTP Event Request it will respond with a WTP Event Request. The WTP Event Request message MUST contain one of the following message element described in the next subsections, or a message element that is defined for a specific technology. 8.5.1 Decryption Error Report The Decryption Error Report message element value is used by the WTP to inform the AC of decryption errors that have occured since the last report. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID |Num Of Entries | Mobile MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Mobile MAC Address[] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 39 for Decryption Error Report Length: >= 8 Radio ID: The Radio Identifier, typically refers to some interface index on the WTP Num Of Entries: An 8-bit unsigned integer indicating the number of mobile MAC addresses. Mobile MAC Address: An array of mobile station MAC addresses that have caused decryption errors. 8.5.2 Duplicate IP Address The Duplicate IP Address message element is used by an WTP to inform an AC that it has detected another host using the same IP address it is currently using. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, et al. Expires October 2, 2005 [Page 64] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Type: 77 for Duplicate IP Address Length: 10 IP Address: The IP Address currently used by the WTP. MAC Address: The MAC Address of the offending device. 8.6 WTP Event Response WTP Event Response acknowledges the WTP Event Request. WTP Event Response are sent by an AC after receiving a WTP Event Request. The WTP Event Response carries no message elements. 8.7 Data Transfer Request The Data Transfer Request is used to upload debug information from the WTP to the AC. Data Transfer Requests are sent by the WTP to the AC when it determines that it has important information to send to the AC. For instance, if the WTP detects that its previous reboot was caused by a system crash, it would want to send the crash file to the AC. The remote debugger function in the WTP also uses the data transfer request in order to send console output to the AC for debugging purposes. When an AC receives an Data Transfer Request it will respond with a Data Transfer Response. The AC may log the information received, as it sees fit. The data transfer request message MUST contain ONE of the following message element described in the next subsection. 8.7.1 Data Transfer Mode The Data Transfer Mode message element is used by the AC to request information from the WTP for debugging purposes. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Data Type | +-+-+-+-+-+-+-+-+ Calhoun, et al. Expires October 2, 2005 [Page 65] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Type: 52 for Data Transfer Mode Length: 1 Data Type: An 8-bit value the type of information being requested. The following values are supported: 1 - WTP Crash Data 2 - WTP Memory Dump 8.7.2 Data Transfer Data The Data Transfer Data message element is used by the WTP to provide information to the AC for debugging purposes. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Type | Data Length | Data .... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 53 for Data Transfer Data Length: >= 3 Data Type: An 8-bit value the type of information being sent. The following values are supported: 1 - WTP Crash Data 2 - WTP Memory Dump Data Length: Length of data field. Data: Debug information. 8.8 Data Transfer Response The Data Transfer Response acknowledges the Data Transfer Request. An Data Transfer Response is sent in response to an Data Transfer Request. Its purpose is to acknowledge the receipt of the Data Transfer Request packet. The Data Transfer Response carries no message elements. Upon receipt of a Data Transfer Response, the WTP transmits more information, if any is available. Calhoun, et al. Expires October 2, 2005 [Page 66] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 9. Mobile Session Management Messages in this section are used by the AC to create, modify or delete mobile station session state on the WTPs. 9.1 Mobile Config Request The Mobile Config Request message is used to create, modify or delete mobile session state on an WTP. The message is sent by the AC to the WTP, and may contain one or more message elements. The message elements for this LWAPP control message include information that is generally highly technology specific. Therefore, please refer to the appropriate binding section or document for the definitions of the messages elements that may be used in this control message. This section defines the format of the Delete Mobile message element, since it does not contain any technology specific information. 9.1.1 Delete Mobile The Delete Mobile message element is used by the AC to inform an WTP that it should no longer provide service to a particular mobile station. The WTP must terminate service immediately upon receiving this message element. The transmission of a Delete Mobile message element could occur for various reasons, including for administrative reaons, as a result of the fact that the mobile has roamed to another WTP, etc. Once access has been terminated for a given station, any future packets received from the mobile must result in a deauthenticate message, as specified in [6]. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 30 for Delete Mobile Length: 7 Radio ID: An 8-bit value representing the radio MAC Address: The mobile station's MAC Address Calhoun, et al. Expires October 2, 2005 [Page 67] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 9.2 Mobile Config Response The Mobile Configuration Response is used to acknowledge a previously received Mobile Configuration Request, and includes a Result Code message element which indicates whether an error occured on the WTP. This message requires no special processing, and is only used to acknowledge the Mobile Configuration Request. The data transfer request message MUST contain the message elements described in the next subsection. 9.2.1 Result Code The Result Code message element is defined in section Section 6.2.1. Calhoun, et al. Expires October 2, 2005 [Page 68] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 10. Session Key Generation Note: This version only defines a certificate and a shared secret based mechanism to secure control LWAPP traffic exchanged between the WTP and the AC. 10.1 Securing WTP-AC communications While it is generally straightforward to produce network installations in which the communications medium between the WTP and AC is not accessible to the casual user (e.g. these LAN segments are isolated, no RJ45 or other access ports exist between the WTP and the AC), this will not always be the case. Furthermore, a determined attacker may resort to various more sophisticated monitoring and/or access techniques, thereby compromising the integrity of this connection. In general, a certain level of threat on the local (wired) LAN is expected and accepted in most computing environments. That is, it is expected that in order to provide users with an acceptable level of service and maintain reasonable productivity levels, a certain amount of risk must be tolerated. It is generally believed that a certain perimeter is maintained around such LANs, that an attacker must have access to the building(s) in which such LANs exist, and that they must be able to "plug in" to the LAN in order to access the network. With these things in mind, we can begin to assess the general security requirements for AC-WTP communications. While an in-depth security analysis of threats and risks to these communication is beyond the scope of this document, some discussion of the motivation for various security-related design choices is useful. The assumptions driving the security design thus far include the following: o WTP-AC communications take place over a wired connection which may be accessible to a sophisticated attacker o access to this connection is not trivial for an outsider (i.e. someone who does not "belong" in the building) to access o if authentication and/or privacy of end to end traffic for which the WTP and AC are intermediaries is required, this may be provided via IPsec [13]. o privacy and authentication for at least some WTP-AC control traffic is required (e.g. WEP keys for user sessions, passed from AC to WTP) o the AC can be trusted to generate strong cryptographic keys AC-WTP traffic can be considered to consist of two types: data traffic (e.g. to or from an end user), and control traffic which is strictly between the AC and WTP. Since data traffic may be secured Calhoun, et al. Expires October 2, 2005 [Page 69] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 using IPsec (or some other end-to-end security mechanism), we confine our solution to control traffic. The resulting security consists of two components: an authenticated key exchange, and control traffic security encapsulation. The security encapsulation is accomplished using AES CCM, described in [3]. This encapsulation provides for strong AES-based authentication and encryption. The exchange of cryptographic keys used for CCM is described below. 10.2 LWAPP Frame Encryption While, the LWAPP protocol uses AES-CCM to encrypt control traffic, it is important to note that not all control frames are encrypted. The LWAPP discovery and join phase are not encrypted. The Discovery messages are sent in the clear since there does not exist a security association between the WTP and the AC during the discovery phase. The Join phase is an authenticated exchange used to negotiate symmetric session keys (see Section 6.2.4). Once the join phase has been successfully completed, the LWAPP state machine Figure 2 will move to the Configure state, at which time all LWAPP control frames are encrypted using AES-CCM. Encryption of a control message begins at the Message Element field, meaning the Msg Type, Seq Num, Msg Element Length and Session ID fields are left intact (see Section 4.2.1). The AES-CCM 12 byte authentication data is appended to the end of the message. The authentication data is calculated from the start of the LWAPP packet, and includes the complete LWAPP control header (see Section 4.2.1). The AES-CCM block cipher protocol requires an initialization vector. The LWAPP protocol requires that the WTP and the AC maintain two separate IVs, one for transmission and one for reception. The IV is initialized on both the WTP and the AC to the Session ID, and the IV is monotonically increased for every packet transmitted. Note that the IV is implicit, and is not transmitted in the LWAPP header, and therefore an LWAPP device MUST keep track of both bi-directional IVs. The IV is 13 bytes long, and the first byte is set to zero, while the remaining twelve bytes are set to the monotonically increasing 32 bit counter previously mentioned. The following pseudo code provides an example of how the IVs are managed for a transmitted packet. Calhoun, et al. Expires October 2, 2005 [Page 70] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 void SetNonce(char *buffer, int sessionId, int xmitIv) { if (xmitIv == 0) { xmitIv = sessionId; memset(buffer, '\0', 13); /* Initialize the IV Buffer */ buffer[1] = (xmitIv >> 24) & 0xff; buffer[2] = (xmitIv >> 16) & 0xff; buffer[3] = (xmitIv >> 8) & 0xff; buffer[4] = (xmitIv & 0xff); buffer[5] = (xmitIv >> 24) & 0xff; buffer[6] = (xmitIv >> 16) & 0xff; buffer[7] = (xmitIv >> 8) & 0xff; buffer[8] = (xmitIv & 0xff); buffer[9] = (xmitIv >> 24) & 0xff; buffer[10] = (xmitIv >> 16) & 0xff; buffer[11] = (xmitIv >> 8) & 0xff; buffer[12] = (xmitIv & 0xff); } else { xmitIv = bignuminc-12(xmitIv); } return; } 10.3 Authenticated Key Exchange This section describes the key management component of the LWAPP protocol. There are two modes supported by LWAPP; certificate and pre-shared key. 10.3.1 Certificate Based Approach This section details the key management protocol which makes use of X.509 certificates. The following notations are used throughout this section: o Kpriv - the private key of a public-private key pair o Kpub - the public key of the pair o KeyMaterial - output of KDF-256(key, WTP-MAC) o K1 - AES-CCM Encryption Key o K2 - AES Key-Wrap Key Calhoun, et al. Expires October 2, 2005 [Page 71] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 o SessionID - randomly generated LWAPP session identifier, provided by the WTP in the Join Request o M - a clear-text message o C - a cipher-text message. o S - signed cipher-text message. o PKCS1(z) - the PKCS#1 encapsulation of z o E-x{Kpriv, M} - RSA encryption of M using X's private key o E-x{Kpub, M} - RSA encryption of M using X's public key o S-x{M} - an RSA digital signature over M produced by X o V-x{S-x, M} - RSA verification of X's digital signature over M o D-x{Kpriv, C} - RSA decryption of C using X's private key o D-x{Kpub, C} - RSA decryption of C using X's public key o Certificate-AC - AC's Certificate o Certificate-WTP - WTP's Certificate 10.3.1.1 Session Key Generation The AC and WTP accomplish mutual authentication and a cryptographic key exchange in a single round trip using the Join Request and Response pair (see Section 6.1). Note that the constant 'x' is used in the above notations to represent one of the parties in the LWAPP exchange. For instance, if the WTP must encrypt some text, it would use its own private key, and therefore the notation "E-wtp{Kpriv, M}" would be used. The following text describes the exchange between the WTP and the AC that creates a session key, which is used to secure LWAPP control messages. o The WTP adds the Certificate message element (see Section 6.1.6) with the contents set to Certificate-WTP in the Join Request. o The WTP adds the Session ID message element (see Section 6.1.7) with the contents set to a randomly generated session identifer (see RFC 1750 [4]) in the Join Request. The WTP MUST save the Session ID in order to validate the Join Response. o Upon receiving the Join Request, the AC verifies Certificate-WTP, encoded in the Certificate message element. The AC SHOULD also perform some authorization check, ensuring that the WTP is allowed to connect to the AC. o The AC generates a 32 byte random session key. The first 16 bytes, K1 are used to protect the LWAPP traffic while the latter 16 bytes, K2 are used to keywrap the keys in the Key Update Response using RFC 3394 [10]. o The AC encrypts the key into cipher-text (C), using E-wtp{Kpub , PKCS1(KeyMaterial)}. This encrypts the PKCS#1-encoded key material with the public key of the WTP, so that only the WTP can decrypt it and determine the session keys. Calhoun, et al. Expires October 2, 2005 [Page 72] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 o The AC encrypts the concatenation of sessionID and cipher text (C) into cipher text(Cª), using E-ac{Kpriv, SessionID|C}. This encrypts using the private key of AC and can be decrypted using the public key of AC, proving that AC produced this; this forms the basis of trust for WTP with respect to the source of the session keys. The cipher-text (Cª) is then copied into the session key field within the Session Key message element. o AC creates the Join Response, and includes two message elements. Certificate-AC is included in the Certificate message element. The Session Key message element is added, with the Security field set to one (1 - X.509 Certificate Based), and the cipher-text (Cª) is included in the Session Key field. The resulting Join Response is sent to the WTP. o WTP verifies authenticity of Certificate-AC in the Join Response's Certificate message element. o WTP computes D-ac{Kpub, 'Cª}, where 'Cª is the content of Session Key field in Session Key Message element. The resulting data includes the SessionID and cipher text (C). SessionID is validated against the SessionID that was sent in the Join Request. o WTP computes PKCS1(KeyMaterial) = D-ac{Kpriv , C}, decrypting the session keys using its private key, where C is the cipher text retrieved by decrypting the session key field in earlier step. Since these were encrypted with the WTP's public key, only the WTP can successfully decrypt the session key. The resulting 32 octet KeyMaterial is split into two 16 octet keys, K1 and K2, respectively. o K1 is now plumbed into the crypto engine as the AES-CCM session key. From this point on, all control protocol payloads between the WTP and AC are encrypted and authenticated using the new session key. 10.3.1.2 Refreshing Cryptographic Keys Since AC-WTP associations will tend to be relatively long-lived, it is sensible to periodically refresh the encryption and authentication keys; this is referred to as "rekeying". When the key lifetime reaches 95% of the configured value, identified in the KeyLifetime timer (see Section 12), the rekeying will proceed as follows: o WTP generates a fresh random Session identier value and encodes it within the Key Update Request's Session ID message element. The new session identifier is saved on the WTP in order to verify the Key Update Response. The protected Key Update Request is sent to the AC. o The AC generates a 32 byte random session key. The first 16 bytes, K1 are used to protect the LWAPP traffic while the latter 16 bytes, K2 are used to keywrap the keys in the Key Update Response using RFC 3394 [10]. Calhoun, et al. Expires October 2, 2005 [Page 73] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 o The AC encrypts the key into cipher-text (C), using E-wtp{Kpub , PKCS1(KeyMaterial)}. This encrypts the PKCS#1-encoded key material with the public key of the WTP, so that only the WTP can decrypt it and determine the session keys. o The AC encrypts the concatenation of sessionID and cipher text (C) into cipher text(Cª), using E-ac{Kpriv, SessionID|C}. This encrypts using the private key of AC and can be decrypted using the public key of AC, proving that AC produced this; this forms the basis of trust for WTP with respect to the the source of the session keys. The cipher-text (Cª) is then copied into the session key field within the Session Key message element. o AC creates the Key Update Response message, and includes the Session Key message element with the Security field set to one (1 - X.509 Certificate Based), and the cipher-text (Cª) is included in the Session Key field. The resulting encrypted Key Update Response is sent to the WTP. o WTP computes D-ac{Kpub, Cª}, where Cª is the conten of Session Key field in Session Key Message element. The resulting data includes the SessionID and cipher text (C). SessionID is validated against the SessionID that was sent in the Join Request. o WTP computes PKCS1(KeyMaterial) = D-ac{Kpriv , C}, decrypting the session keys using its private key, where C is the cipher text retrieved by decrypting the session key field in earlier step. Since these were encrypted with the WTP's public key, only the WTP can successfully decrypt the session key. The resulting 32 octet KeyMaterial is split into two 16 octet keys, K1 and K2, respectively. o K1 is now plumbed into the crypto engine as the AES-CCM session key. From this point on, all control protocol payloads between the WTP and AC are encrypted and authenticated using the new session key. If WTP does not receive the Key Update Response by the time the ResponseTimeout timer expires (see Section 12), the WTP MUST delete the new and old session information, and reset the state machine to the Idle state. Following a rekey process, both the WTP and the AC keep the previous encryption for one second in order to be able to process packets that arrive out of order. 10.3.2 Pre-Shared Key Approach This section details the key management protocol which makes use of pre-shared secrets. The following notations are used throughout this section: Calhoun, et al. Expires October 2, 2005 [Page 74] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 o PSK - the pre-shared key shared between the WTP and the AC o K0 - the result of a KDF using the PSK and the WTP's MAC Address o K1 - the confirmation Key o K2 - the encryption Key o K3 - the keywrap Key (see RFC 3394 [10]) o KeyMaterial - concatenation of K1, K2 and K3 o SessionID - randomly generated LWAPP session identifier, provided by the WTP in the Join Request o MIC(K1, packet) - A message integrity check, using HMAC-SHA1 and K1, of the complete LWAPP packet, with the sequence number field set to zero. o E(K0E, plaintext) - Plaintext is encrypted with K0E, using AES-CBC. o D(K0E, cryptotext) - Cryptotext is decrypted with K0E, using AES-CBC. o WNonce - The WTP's randomly generated Nonce. o ANonce - The AC's randomly generated Nonce. o EWNonce - The payload of the WNonce message element, which includes the WNonce. o EANonce - The payload of the ANonce message element, which includes the ANonce. o WTP-MAC - The WTP's MAC Address. o AC-MAC - The AC's MAC Address. 10.3.2.1 Session Key Generation The AC and WTP accomplish mutual authentication and a cryptographic key exchange in a dual round trip using the Join Request, Join Response, Join ACK and Join Confirm (see Section 6.1). The following text describes the exchange between the WTP and the AC that creates a session key, which is used to secure LWAPP control messages. o The WTP creates K0 through the following algorithm: K0 = KDF-256{PSK, "LWAPP PSK Top K0" || Session ID || WTP-MAC || AC-MAC}, where WTP-MAC is the WTP's MAC Address in the form "xx:xx:xx:xx:xx:xx". Similarly, the AC-MAC is an ASCII encoding of the AC's MAC Address, of the form "xx:xx:xx:xx:xx:xx". The first 16 octets is the K0 encryption key (K0E), and the second 16 octets is the K0 Derivation key (K0D). o The WTP creates a random nonce, known as WNonce, and encrypts it using the following algorithm: EWNonce = E{K0E, WNonce}. The encrypted nonce is added to the Join Request's WNonce message element (see Section 6.1.9). o The WTP adds the Session ID message element (see Section 6.1.7) with the contents set to a randomly generated session identifer (see RFC 1750 [4]) in the Join Request. The WTP MUST save the Session ID in order to validate the Join Response. Calhoun, et al. Expires October 2, 2005 [Page 75] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 o Upon receiving the Join Request, the AC creates K0, using K0 = KDF-256{PSK, "LWAPP PSK Top K0" || Session ID || WTP-MAC || AC-MAC}. WNonce = D{K0E, EWNonce}, where EWNonce is found in the WNonce message element. o The AC then creates its own random nonce, known as ANonce. The WANonce is then created, through E{K0E, NOT WNonce || ANonce}. "NOT WNonce" means that the AC takes WNonce and inverts all of the bits within the field. The results of the encryption is inserted in the Join Response's ANonce message element (see Section 6.1.9). o The AC then uses the KDF function to create a 48 octet session key. The KDF function used is as follows: KDF-384{K0D, "LWAPP Key Generation", WNonce || ANonce || WTP-MAC || AC-MAC}. The KDF function is defined in [7]. The resulting octets are split into three 16 octet keys (K1, K2 and K3, in that exact order). o The AC creates the PSK-MIC (see Section 6.2.8) message element whose payload includes MIC{K1, Join Response} using K1 as the confirmation key, which is added to the Join Response. The resulting Join Response is sent to the WTP. o Upon receiving the Join Response, the WTP decrypts ANonce from the contents of the ANonce message element, using ANonce = D{K0E, WANonce} o The WTP uses a KDF function to create a 48 octet session key. The KDF function used is as follows: KDF-384{K0D, "LWAPP Key Generation", WNonce || ANonce || WTP-MAC || AC-MAC}. The KDF function is defined in [7]. The resulting octets are split into three 16 octet keys (K1, K2 and K3, in that exact order). o WTP verifies authenticity of the PSK-MIC field by using MIC{K1, Join Response}. o The WTP creates the PSK-MIC message element whose payload includes MIC{K1, Join ACK}, which is added to the Join ACK, as well as the WNonce message element. The resulting Join ACK is sent to the AC. o AC verifies that WTP's Nonce in the Join ACK's WNonce message element matches the value it had received in the Join Request. o AC verifies authenticity of the PSK-MIC message element, by using its own saved version of K1. It then creates another PSK-MIC message element, whose payload includes MIC{K1, Join Confirm}, which is added to the Join Confirm, as well as the Session ID message element. The resulting Join Confirm is sent to the WTP. o WTP verifies authenticity of the PSK-MIC message element, by using its own saved version of K1, using the SessionID it had used in the original Join Request. o K2 is now plumbed into the crypto engine as the AES-CCM session key. From this point on, all control protocol payloads between the WTP and AC are encrypted and authenticated using the new session key. Calhoun, et al. Expires October 2, 2005 [Page 76] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 10.3.2.2 Refreshing Cryptographic Keys Since AC-WTP associations will tend to be relatively long-lived, it is sensible to periodically refresh the encryption and authentication keys; this is referred to as "rekeying". When the key lifetime reaches 95% of the configured value, identified in the KeyLifetime timer (see Section 12), the rekeying will proceed as follows: o WTP generates a fresh random Session identier value and encodes it within the Key Update Request's Session ID message element. The new session identifier is saved on the WTP in order to verify the Key Update Response. The Key Update Request is sent to the AC. o The AC generates 2 new random 16 octet, which are the new K2 and K3. This new K3 is the AES Key Wrap key that will be used in the next rekey event. These two session keys are concatenated into a 32 octet value, which is encrypted using the AES Key Wrap (see RFC 3384 [9]), and using K3, which was either created in the KDF function during the Join phase, or communicated in the previous Key Update Response to the WTP. The output of the AES Key Wrap function is used as the Payload of the Session Key message element. o AC then sends a protected Key Update Response message to the WTP using the old session key. Once the message has been sent, the new K2 session key is plumbed into the AC's crypto engine. o WTP verifies that SessionID in the Key Update Response's Session Key message element matches an outstanding request o WTP uses the AES Key Wrap function, with the K3 which it had received from the AC in the original Join phase, or mututally generated in the previous Join Update Request exchange. The output of the Key Wrap function is a 32 octet value, which is split into two separate 16 octet session keys, K2 and K3. o K2 is now plumbed into the crypto engine as the AES-CCM session key. From this point on, all control protocol payloads between the WTP and AC are encrypted and authenticated using the new session key. If WTP does not receive the Key Update Response by the time the ResponseTimeout timer expires (see Section 12), the WTP MUST delete the new and old session information, and reset the state machine to the Idle state. Following a rekey process, both the WTP and the AC keep the previous encryption for one second in order to be able to process packets that arrive out of order. Calhoun, et al. Expires October 2, 2005 [Page 77] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 11. IEEE 802.11 Binding This section defines the extensions required for the LWAPP protocol to be used with the IEEE 802.11 protocol. 11.1 Division of labor The LWAPP protocol, when used with IEEE 802.11 devices, requires a specific behavior from the WTP and the AC, specifically in terms of which 802.11 protocol functions are handled. 11.1.1 Split MAC This section discusses the roles and responsibilities of the WTP and the AC when the LWAPP protocol is used in a Split MAC mode. The responsibility of the WTP is to handle the following functions: o 802.11 Control Protocol. These functions are very latency sensitive, and include such functions as packet acknowledgement, retransmissions, etc. o 802.11 Beacons. The information elements to be included in the beacon is controlled by the AC. Since inter-beacon timing is very critical, the actual beacons are generated by the WTP. Any 802.11 protocol extension that requires changes within the beacon on a per frame basis (e.g., 802.11e's QBSS) must be handled solely within the WTP. o 802.11 Probe Response. As with the beacons, the information to include in the probe responses is sent by the AC. Stations generally expect probe requests to be responded to within 3 to 10 milliseconds, and as a consequence it is very difficult to provide this function in the AC. Note that the WTP does forward the Probe Requests received to the AC, for its own information. Whether the AC makes use of these frames is implementation dependent, and is outside the scope of this document. o 802.11e Frame Queuing. The 802.11e standard defines a control protocol, which is carried within the 802.11 MAC management protocol, as well as defines how packet prioritization is handled through various timing parameters. The actual packet prioritization must be handled in the WTP, since only the WTP has complete visibility into the RF. o 802.11i Frame Encryption. The 802.11i standard defines a control protocol used for the establishment of a security association, as well as a means to encrypt and decrypt 802.11 data frames. The actual encryption and decryption services MAY occur in the WTP. The responsibility of the AC is to handle the following functions: Calhoun, et al. Expires October 2, 2005 [Page 78] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 o 802.11 MAC Management. All 802.11 MAC Management frames not listed above are handled exclusively within the AC. This includes the 802.11 (re)association request, action frames, etc. o 802.11 Data. The WTP simply encapsulates all 802.11 data frames received, and forwards them to the AC. o 802.11e Resource Reservat. The 802.11e standard defines a control protocol, which is carried within the 802.11 MAC management protocol, as well as defines how packet prioritization is handled through various timing parameters. The signaling defined in this specification is handled within the AC. o 802.11i Authentication and Key Exchange. The 802.11i standard defines a control protocol used for the establishment of a security association, as well as a means to encrypt and decrypt 802.11 data frames. The authentication (802.1X/EAP) and key exchange component of this standard is handled within the AC. 11.1.2 Local MAC This section discusses the roles and responsibilities of the WTP and the AC when the LWAPP protocol is used in a Local MAC mode. TBD 11.2 Transport specific bindings All LWAPP transports have the following IEEE 802.11 specific bindings: 11.2.1 Status and WLANS field The interpretation of this 16 bit field depends on the direction of transmission of the packet. Refer to the figure in Section Section 3.1. Status When an LWAPP packet is transmitted from an WTP to an AC, this field is called the status field and indicates radio resource information associated with the frame. When the message is an LWAPP control message this field is transmitted as zero. The status field is divided into the signal strength and signal to noise ratio with which an IEEE 802.11 frame was received, encoded in the following manner: 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 Calhoun, et al. Expires October 2, 2005 [Page 79] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | RSSI | SNR | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ RSSI: RSSI is a signed, 8-bit value. It is the received signal strength indication, in dBm. SNR: SNR is a signed, 8-bit value. It is the signal to noise ratio of the received IEEE 802.11 frame, in dB. WLANs field: When an LWAPP data message is transmitted from an AC to an WTP, this 16 bit field indicates on which WLANs the encapsulated IEEE 802.11 frame is to be transmitted. For unicast packets, this field is not used by the WTP. For broadcast or multicast packets, the WTP might require this information if it provides encryption services. Given that a single broadcast or multicast packet might need to be sent to multiple wireless LANs (presumably each with a different broadcast key), this field is defined as a bit field. A bit set indicates a WLAN ID (see Section Section 11.5.1.1) which will be sent the data. The WLANS field is encoded in the following manner: 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | WLAN ID(s) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 11.3 Data Message bindings There are no LWAPP Data Message bindings for IEEE 802.11. 11.4 Control Message bindings The IEEE 802.11 binding has the following Control Message definitions. 11.4.1 Mobile Config Request This section contains the 802.11 specific message elements that are used with the Mobile Config Request. 11.4.1.1 Add Mobile The Add Mobile Request is used by the AC to inform an WTP that it should forward traffic from a particular mobile station. The add mobile request may also include security parameters that must be enforced by the WTP for the particular mobile. Calhoun, et al. Expires October 2, 2005 [Page 80] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 When the AC sends an Add Mobile Request, it includes any security parameters that may be required. An AC that wishes to update a mobile's policy on an WTP may be done by simply sending a new Add Mobile message element. When an WTP receives an Add Mobile message element, it must first override any existing state it may have for the mobile station in question. The latest Add Mobile overrides any previously received messages. If the Add Mobile message element's EAP Only bit is set, the WTP MUST drop all 802.11 packets that do not contain EAP packets. Note that when EAP Only is set, the Encryption Policy field MAY have additional values, and therefore it is possible to inform an WTP to only accept encrypted EAP packets. Once the mobile station has successfully completed EAP authentication, the AC must send a new Add Mobile message element to push the session key down to the WTP as well as to remove the EAP Only restriction. If the QoS field is set, the WTP MUST observe and provide policing of the 802.11e priority tag to ensure that it does not exceed the value provided by the AC. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Association ID | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address |E|C| Encryption Policy | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Encrypt Policy | Session Key... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Pairwise TSC... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Pairwise RSC... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Capabilities | WLAN ID | WME Mode | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 802.11e Mode | Qos | Supported Rates | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Supported Rates | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 29 for Add Mobile Length: 36 Calhoun, et al. Expires October 2, 2005 [Page 81] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Radio ID: An 8-bit value representing the radio Association ID: A 16-bit value specifying the 802.11 Association Identifier MAC Address: The mobile station's MAC Address E: The one bit field is set by the AC to inform the WTP that is MUST NOT accept any 802.11 data frames, other than 802.1X frames. This is the equivalent of the WTP's 802.1X port for the mobile station to be in the closed state. When set, the WTP MUST drop any non-802.1X packets it receives from the mobile station. C: The one bit field is set by the AC to inform the WTP that encryption services will be provided by the AC. When set, the WTP SHOULD police frames received from stations to ensure that they comply to the stated encryption policy, but does not need to take specific cryptographic action on the frame. Similarly, for transmitted frames, the WTP only needs to forward already encrypted frames. Encryption Policy: The policy field informs the WTP how to handle packets from/to the mobile station. The following values are supported: 0 - Encrypt WEP 104: All packets to/from the mobile station must be encrypted using standard 104 bit WEP. 1 - Clear Text: All packets to/from the mobile station do not require any additional crypto processing by the WTP. 2 - Encrypt WEP 40: All packets to/from the mobile station must be encrypted using standard 40 bit WEP. 3 - Encrypt WEP 128: All packets to/from the mobile station must be encrypted using standard 128 bit WEP. 4 - Encrypt AES-CCMP 128: All packets to/from the mobile station must be encrypted using 128 bit AES CCMP [7] 5 - Encrypt TKIP-MIC: All packets to/from the mobile station must be encrypted using TKIP and authenticated using Michael [15] Session Key: A 32 octet session key the WTP is to use when encrypting traffic to or decrypting traffic from the mobile station. The type of key is determined based on the Encryption Policy field. Pairwise TSC: The TSC to use for unicast packets transmitted to the mobile. Pairwise RSC: The RSC to use for unicast packets received from the mobile. Capabilities: A 16-bit field containing the 802.11 capabilities to use with the mobile. WLAN ID: An 8-bit value specifying the WLAN Identifier WME Mode: A 8-bit boolean used to identify whether the station is WME capable. A value of zero is used to indicate that the station is not WME capable, while a value of one means that the station is WME capable. Calhoun, et al. Expires October 2, 2005 [Page 82] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 802.11e Mode: A 8-bit boolean used to identify whether the station is 802.11e capable. A value of zero is used to indicate that the station is not 802.11e capable, while a value of one means that the station is 802.11e capable. QoS: An 8-bit value specifying the QoS policy to enforce for the station. The following values are supported: PRC: TO CHECK 0 - Silver (Best Effort) 1 - Gold (Video) 2 - Platinum (Voice) 3 - Bronze (Background) Supported Rates: The supported rates to be used with the mobile station. 11.4.1.2 IEEE 802.11 Mobile Session Key The Mobile Session Key Payload message element is sent when the AC determines that encryption of a mobile station must be performed in the WTP. This message element MUST NOT be present without the Add Mobile (see Section 11.4.1.1) message element, and MUST NOT be sent if the WTP had not specifically advertised support for the requested encryption scheme (see ???). 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | Encryption Policy | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Encryption Policy | Session Key... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 105 for IEEE 802.11 Mobile Session Key Length: >= 11 MAC Address: The mobile station's MAC Address Encryption Policy: The policy field informs the WTP how to handle packets from/to the mobile station. The following values are supported: 0 - Encrypt WEP 104: All packets to/from the mobile station must be encrypted using standard 104 bit WEP. 1 - Clear Text: All packets to/from the mobile station do not require any additional crypto processing by the WTP. 2 - Encrypt WEP 40: All packets to/from the mobile station must be encrypted using standard 40 bit WEP. 3 - Encrypt WEP 128: All packets to/from the mobile station must be encrypted using standard 128 bit WEP. Calhoun, et al. Expires October 2, 2005 [Page 83] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 4 - Encrypt AES-CCMP 128: All packets to/from the mobile station must be encrypted using 128 bit AES CCMP [7] 5 - Encrypt TKIP-MIC: All packets to/from the mobile station must be encrypted using TKIP and authenticated using Michael [15] Session Key: The session key the WTP is to use when encrypting traffic to/from the mobile station. 11.4.1.3 QoS Profile The QoS Profile Payload message element contains the maximum 802.11e priority tag that may be used by the station. Any packets received that exceeds the value encoded in this message element must either be dropped or tagged using the maximum value permitted by to the user. The priority tag must be between zero (0) and seven (7). 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | 802.1P Precedence Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: TBD for IEEE 802.11 QOS Profile Length: 12 MAC Address: The mobile station's MAC Address 802.1P Precedence Tag: The maximum 802.1P precedence value that the WTP will allow in the TID field in the extended 802.11e QOS Data header. 11.4.1.4 IEEE 802.11 Update Mobile QoS The Update Mobile QoS message element is used to change the Quality of Service policy on the WTP for a given mobile station. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Association ID | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | QoS Profile | Vlan Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | DSCP Tag | 802.1P Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, et al. Expires October 2, 2005 [Page 84] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Type: 106 for IEEE 802.11 Update Mobile QoS Length: 14 Radio ID: The Radio Identifier, typically refers to some interface index on the WTP Association ID: The 802.11 Association Identifier. MAC Address: The mobile station's MAC Address. QoS Profile: An 8-bit value specifying the QoS policy to enforce for the station. The following values are supported: 0 - Silver (Best Effort) 1 - Gold (Video) 2 - Platinum (Voice) 3 - Bronze (Background) VLAN Identifier: PRC. DSCP Tag: The DSCP label to use if packets are to be DSCP tagged. 802.1P Tag: The 802.1P precedence value to use if packets are to be 802.1P tagged. 11.4.2 WTP Event Request This section contains the 802.11 specific message elements that are used with the WTP Event Request message. 11.4.2.1 IEEE 802.11 Statistics The statistics message element is sent by the WTP to transmit it's current statistics. The value contains the following fields. Calhoun, et al. Expires October 2, 2005 [Page 85] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Tx Fragment Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Tx Fragment Cnt| Multicast Tx Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Mcast Tx Cnt | Failed Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Failed Count | Retry Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Retry Count | Multiple Retry Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Multi Retry Cnt| Frame Duplicate Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Frame Dup Cnt | RTS Success Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |RTS Success Cnt| RTS Failure Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |RTS Failure Cnt| ACK Failure Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |ACK Failure Cnt| Rx Fragment Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Rx Fragment Cnt| Multicast RX Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Mcast Rx Cnt | FCS Error Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | FCS Error Cnt| Tx Frame Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Tx Frame Cnt | Decryption Errors | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Decryption Errs| +-+-+-+-+-+-+-+-+ Type: 38 for Statistics Length: 57 Radio ID: An 8-bit value representing the radio. Tx Fragment Count: A 32-bit value representing the number of fragmented frames transmitted. Multicast Tx Count: A 32-bit value representing the number of multicast frames transmitted. Failed Count: A 32-bit value representing the transmit excessive retries. Retry Count: A 32-bit value representing the number of transmit retries. Calhoun, et al. Expires October 2, 2005 [Page 86] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Multiple Retry Count: A 32-bit value representing the number of transmits that required more than one retry. Frame Duplicate Count: A 32-bit value representing the duplicate frames received. RTS Success Count: A 32-bit value representing the number of successfully transmitted Ready To Send (RTS). RTS Failure Count: A 32-bit value representing the failed transmitted RTS. ACK Failure Count: A 32-bit value representing the number of failed acknowledgements. Rx Fragment Count: A 32-bit value representing the number of fragmented frames received. Multicast RX Count: A 32-bit value representing the number of multicast frames received. FCS Error Count: A 32-bit value representing the number of FCS failures. Decryption Errors: A 32-bit value representing the number of Decryption errors that occured on the WTP. Note that this field is only valid in cases where the WTP provides encryption/decryption services. 11.5 802.11 Control Messages This section will define LWAPP Control Messages that are specific to the IEEE 802.11 binding. 11.5.1 IEEE 802.11 WLAN Config Request The IEEE 802.11 WLAN Configuration Request is sent by the AC to the WTP in order to change services provided by the WTP. This control message is used to either create, update or delete a WLAN on the WTP. The IEEE 802.11 WLAN Configuration Request is sent as a result of either some manual admistrative process (e.g., deleting a WLAN), or automatically to create a WLAN on an WTP. When sent automatically to create a WLAN, this control message is sent after the LWAPP Configuration Request message has been received by the WTP. Upon receiving this control message, the WTP will modify the necessary services, and transmit an IEEE 802.11 WLAN Configuration Response. An WTP MAY provide service for more than one WLAN, therefore every WLAN is identified through a numerical index. For instance, an WTP that is capable of supporting up to 16 SSIDs, could accept up to 16 IEEE 802.11 WLAN Configuration Request messages that include the Add WLAN message element. Calhoun, et al. Expires October 2, 2005 [Page 87] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Since the index is the primary identifier for a WLAN, an AC SHOULD attempt to ensure that the same WLAN is identified through the same index number on all of its WTPs. An AC that does not follow this approach MUST find some other means of maintaining a WLAN Identifier to SSID mapping table. The following subsections define the message elements that are value for this LWAPP operation. Only one message MUST be present. 11.5.1.1 IEEE 802.11 Add WLAN The Add WLAN message element is used by the AC to define a wireless LAN on the WTP. The value contains the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | WLAN Capability | WLAN ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Encryption Policy | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key Index | Shared Key | WPA Data Len |WPA IE Data ...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | RSN Data Len |RSN IE Data ...| Reserved .... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | WME Data Len |WME IE Data ...| 11e Data Len |11e IE Data ...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | QoS | Auth Type |Broadcast SSID | Reserved... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SSID ... | +-+-+-+-+-+-+-+-+ Type: 7 for IEEE 802.11 Add WLAN Length: >= 298 Radio ID: An 8-bit value representing the radio. WLAN Capability: A 16-bit value containing the capabilities to be advertised by the WTP within the Probe and Beacon messages. WLAN ID: A 16-bit value specifying the WLAN Identifier. Encryption Policy: A 32-bit value specifying the encryption scheme to apply to traffic to and from the mobile station. The following values are supported: 0 - Encrypt WEP 104: All packets to/from the mobile station must be encrypted using standard 104 bit WEP. Calhoun, et al. Expires October 2, 2005 [Page 88] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 1 - Clear Text: All packets to/from the mobile station do not require any additional crypto processing by the WTP. 2 - Encrypt WEP 40: All packets to/from the mobile station must be encrypted using standard 40 bit WEP. 3 - Encrypt WEP 128: All packets to/from the mobile station must be encrypted using standard 128 bit WEP. 4 - Encrypt AES-CCMP 128: All packets to/from the mobile station must be encrypted using 128 bit AES CCMP [7] 5 - Encrypt TKIP-MIC: All packets to/from the mobile station must be encrypted using TKIP and authenticated using Michael [15] 6 - Encrypt CKIP: All packets to/from the mobile station must be encrypted using Cisco TKIP. Key: A 32 byte Session Key to use with the encryption policy. Key-Index: The Key Index associated with the key. Shared Key: A 1 byte boolean that specifies whether the key included in the Key field is a shared WEP key. A value of zero is used to state that the key is not a shared WEP key, while a value of one is used to state that the key is a shared WEP key. WPA Data Len: Length of the WPA IE. WPA IE: A 32 byte field containing the WPA Information Element. RSN Data Len: Length of the RSN IE. RSN IE: A 64 byte field containing the RSN Information Element. Reserved: A 49 byte reserved field, which MUST be set to zero (0). WME Data Len: Length of the WME IE. WME IE: A 32 byte field containing the WME Information Element. DOT11E Data Len: Length of the 802.11e IE. DOT11E IE: A 32 byte field containing the 802.11e Information Element. QOS: An 8-bit value specifying the QoS policy to enforce for the station. The following values are supported: 0 - Silver (Best Effort) 1 - Gold (Video) 2 - Platinum (Voice) 3 - Bronze (Background) Auth Type: An 8-bit value specifying the station's authentication type. The following values are supported: 0 - Open System 1 - WEP Shared Key 2 - WPA/WPA2 802.1X 3 - WPA/WPA2 PSK Broadcast SSID: A boolean indicating whether the SSID is to be broadcast by the WTP. A value of zero disables SSID broadcast, while a value of one enables it. Calhoun, et al. Expires October 2, 2005 [Page 89] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Reserved: A 40 byte reserved field. SSID: The SSID attribute is the service set identifier that will be advertised by the WTP for this WLAN. 11.5.1.2 IEEE 802.11 Delete WLAN The delete WLAN message element is used to inform the WTP that a previously created WLAN is to be deleted. The value contains the following fields: 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | WLAN ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 28 for IEEE 802.11 Delete WLAN Length: 3 Radio ID: An 8-bit value representing the radio WLAN ID: A 16-bit value specifying the WLAN Identifier 11.5.1.3 IEEE 802.11 Update WLAN The Update WLAN message element is used by the AC to define a wireless LAN on the WTP. The value contains the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | WLAN ID |Encrypt Policy | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Encryption Policy | Key... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key Index | Shared Key | WLAN Capability | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 34 for IEEE 802.11 Update WLAN Length: 43 Radio ID: An 8-bit value representing the radio. WLAN ID: A 16-bit value specifying the WLAN Identifier. Encryption Policy: A 32-bit value specifying the encryption scheme to apply to traffic to and from the mobile station. The following values are supported: Calhoun, et al. Expires October 2, 2005 [Page 90] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 0 - Encrypt WEP 104: All packets to/from the mobile station must be encrypted using standard 104 bit WEP. 1 - Clear Text: All packets to/from the mobile station do not require any additional crypto processing by the WTP. 2 - Encrypt WEP 40: All packets to/from the mobile station must be encrypted using standard 40 bit WEP. 3 - Encrypt WEP 128: All packets to/from the mobile station must be encrypted using standard 128 bit WEP. 4 - Encrypt AES-CCMP 128: All packets to/from the mobile station must be encrypted using 128 bit AES CCMP [7] 5 - Encrypt TKIP-MIC: All packets to/from the mobile station must be encrypted using TKIP and authenticated using Michael [15] 6 - Encrypt CKIP: All packets to/from the mobile station must be encrypted using Cisco TKIP. Key: A 32 byte Session Key to use with the encryption policy. Key-Index: The Key Index associated with the key. Shared Key: A 1 byte boolean that specifies whether the key included in the Key field is a shared WEP key. A value of zero means that the key is not a shared WEP key, while a value of one is used to state that the key is a shared WEP key. WLAN Capability: A 16-bit value containing the capabilities to be advertised by the WTP within the Probe and Beacon messages. 11.5.2 IEEE 802.11 WLAN Config Response The IEEE 802.11 WLAN Configuration Response is sent by the WTP to the AC as an acknowledgement of the receipt of an IEEE 802.11 WLAN Configuration Request. This LWAPP control message does not include any message elements. 11.5.3 IEEE 802.11 WTP Event The IEEE 802.11 WTP Event LWAPP message is used by the WTP in order to report asynchronous events to the AC. There is no reply message expected from the AC, except that the message is acknowledged via the reliable transport. When the AC receives the IEEE 802.11 WTP Event, it will take whatever action is necessary, depending upon the message elements present in the message. The IEEE 802.11 WTP Event message MUST contain one of the following message element described in the next subsections. 11.5.3.1 IEEE 802.11 MIC Countermeasures The MIC Countermeasures message element is sent by the WTP to the AC Calhoun, et al. Expires October 2, 2005 [Page 91] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 to indicate the occurrence of a MIC failure. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | WLAN ID | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 61 for IEEE 802.11 MIC Countermeasures Length: 8 Radio ID: The Radio Identifier, typically refers to some interface index on the WTP. WLAN ID: This 8-bit unsigned integer includes the WLAN Identifier, on which the MIC failure occurred. MAC Address: The MAC Address of the mobile station that caused the MIC failure. 11.5.3.2 IEEE 802.11 WTP Radio Fail Alarm Indication The WTP Radio Fail Alarm Indication message element is sent by the WTP to the AC when it detects a radio failure. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Type | Status | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 95 for WTP Radio Fail Alarm Indication Length: 4 Radio ID: The Radio Identifier, typically refers to some interface index on the WTP Type: The type of radio failure detected. The following values are supported: 1 - Receiver 2 - Transmitter Status: An 8-bit boolean indicating whether the radio failure is being reported or cleared. A value of zero is used to clear the event, while a value of one is used to report the event. Pad: Reserved field MUST be set to zero (0). 11.6 Message Element Bindings The IEEE 802.11 Message Element binding has the following definitions: Calhoun, et al. Expires October 2, 2005 [Page 92] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Conf Conf Conf Add Req Resp Upd Mobile IEEE 802.11 WTP WLAN Radio Configuration X X X IEEE 802.11 Rate Set X X IEEE 802.11 Multi-domain Capability X X X IEEE 802.11 MAC Operation X X X IEEE 802.11 Tx Power X X X IEEE 802.11 Tx Power Level X IEEE 802.11 Direct Sequence Control X X X IEEE 802.11 OFDM Control X X X IEEE 802.11 Supported Rates X X IEEE 802.11 Antenna X X X IEEE 802.11 CFP Status X X IEEE 802.11 Broadcast Probe Mode X X IEEE 802.11 WTP Mode and Type X? X IEEE 802.11 WTP Quality of Service X X IEEE 802.11 MIC Error Report From Mobile X IEEE 802.11 Update Mobile QoS X IEEE 802.11 Mobile Session Key X VOIP STUFF 11.6.1 IEEE 802.11 WTP WLAN Radio Configuration The WTP WLAN radio configuration is used by the AC to configure a Radio on the WTP. The message element value contains the following Fields: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Reserved | Occupancy Limit | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | CFP Per | CFP Maximum Duration | BSS ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | BSS ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | BSS ID | Beacon Period | DTIM Per | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Country String | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 8 for IEEE 802.11 WTP WLAN Radio Configuration Length: 20 Calhoun, et al. Expires October 2, 2005 [Page 93] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Radio ID: An 8-bit value representing the radio to configure. Reserved: MUST be set to zero Occupancy Limit: This attribute indicates the maximum amount of time, in TU, that a point coordinator MAY control the usage of the wireless medium without relinquishing control for long enough to allow at least one instance of DCF access to the medium. The default value of this attribute SHOULD be 100, and the maximum value SHOULD be 1000. CFP Period: The attribute describes the number of DTIM intervals between the start of CFPs. CFP Maximum Duration: The attribute describes the maximum duration of the CFP in TU that MAY be generated by the PCF. BSSID: The WLAN Radio's base MAC Address. For WTPs that support more than a single WLAN, the value of the WLAN Identifier is added to the last octet of the BSSID. Therefore, a WTP that supports 16 WLANs MUST have 16 MAC Addresses reserved for it, and the last nibble is used to represent the WLAN ID. Beacon Period: This attribute specifies the number of TU that a station uses for scheduling Beacon transmissions. This value is transmitted in Beacon and Probe Response frames. DTIM Period: This attribute specifies the number of beacon intervals that elapses between transmission of Beacons frames containing a TIM element whose DTIM Count field is 0. This value is transmitted in the DTIM Period field of Beacon frames. Country Code: This attribute identifies the country in which the station is operating. The first two octets of this string is the two character country code as described in document ISO/IEC 3166- 1. The third octet MUST be one of the following: 1. an ASCII space character, if the regulations under which the station is operating encompass all environments in the country, 2. an ASCII 'O' character, if the regulations under which the station is operating are for an outdoor environment only, or 3. an ASCII 'I' character, if the regulations under which the station is operating are for an indoor environment only 11.6.2 IEEE 802.11 Rate Set The rate set message element value is sent by the AC and contains the supported operational rates. It contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Rate Set | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, et al. Expires October 2, 2005 [Page 94] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Type: 16 for IEEE 802.11 Rate Set Length: 4 Radio ID: An 8-bit value representing the radio to configure. Rate Set: The AC generates the Rate Set that the WTP is to include in it's Beacon and Probe messages. 11.6.3 IEEE 802.11 Multi-domain Capability The multi-domain capability message element is used by the AC to inform the WTP of regulatory limits. The value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Reserved | First Channel # | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Number of Channels | Max Tx Power Level | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 10 for IEEE 802.11 Multi-Domain Capability Length: 8 Radio ID: An 8-bit value representing the radio to configure. Reserved: MUST be set to zero First Channnel #: This attribute indicates the value of the lowest channel number in the subband for the associated domain country string. Number of Channels: This attribute indicates the value of the total number of channels allowed in the subband for the associated domain country string. Max Tx Power Level: This attribute indicates the maximum transmit power, in dBm, allowed in the subband for the associated domain country string. 11.6.4 IEEE 802.11 MAC Operation The MAC operation message element is sent by the AC to set the 802.11 MAC parameters on the WTP. The value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Reserved | RTS Threshold | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Short Retry | Long Retry | Fragmentation Threshold | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Tx MSDU Lifetime | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, et al. Expires October 2, 2005 [Page 95] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 | Rx MSDU Lifetime | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 11 for IEEE 802.11 MAC Operation Length: 16 Radio ID: An 8-bit value representing the radio to configure. Reserved: MUST be set to zero RTS Threshold: This attribute indicates the number of octets in an MPDU, below which an RTS/CTS handshake MUST NOT be performed. An RTS/CTS handshake MUST be performed at the beginning of any frame exchange sequence where the MPDU is of type Data or Management, the MPDU has an individual address in the Address1 field, and the length of the MPDU is greater than this threshold. Setting this attribute to be larger than the maximum MSDU size MUST have the effect of turning off the RTS/CTS handshake for frames of Data or Management type transmitted by this STA. Setting this attribute to zero MUST have the effect of turning on the RTS/CTS handshake for all frames of Data or Management type transmitted by this STA. The default value of this attribute MUST be 2347. Short Retry: This attribute indicates the maximum number of transmission attempts of a frame, the length of which is less than or equal to RTSThreshold, that MUST be made before a failure condition is indicated. The default value of this attribute MUST be 7. Long Retry: This attribute indicates the maximum number of transmission attempts of a frame, the length of which is greater than dot11RTSThreshold, that MUST be made before a failure condition is indicated. The default value of this attribute MUST be 4. Fragmentation Threshold: This attribute specifies the current maximum size, in octets, of the MPDU that MAY be delivered to the PHY. An MSDU MUST be broken into fragments if its size exceeds the value of this attribute after adding MAC headers and trailers. An MSDU or MMPDU MUST be fragmented when the resulting frame has an individual address in the Address1 field, and the length of the frame is larger than this threshold. The default value for this attribute MUST be the lesser of 2346 or the aMPDUMaxLength of the attached PHY and MUST never exceed the lesser of 2346 or the aMPDUMaxLength of the attached PHY. The value of this attribute MUST never be less than 256. Tx MSDU Lifetime: This attribute speficies the elapsed time in TU, after the initial transmission of an MSDU, after which further attempts to transmit the MSDU MUST be terminated. The default value of this attribute MUST be 512. Rx MSDU Lifetime: This attribute specifies the elapsed time in TU, after the initial reception of a fragmented MMPDU or MSDU, after which further attempts to reassemble the MMPDU or MSDU MUST be terminated. The default value MUST be 512. Calhoun, et al. Expires October 2, 2005 [Page 96] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 11.6.5 IEEE 802.11 Tx Power The Tx power message element value is bi-directional. When sent by the WTP, it contains the current power level of the radio in question. When sent by the AC, it contains the power level the WTP MUST adhere to. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Reserved | Current Tx Power | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 12 for IEEE 802.11 Tx Power Length: 4 Radio ID: An 8-bit value representing the radio to configure. Reserved: MUST be set to zero Current Tx Power: This attribute contains the transmit output power in mW. 11.6.6 IEEE 802.11 Tx Power Level The Tx power level message element is sent by the WTP and contains the different power levels supported. The value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Num Levels | Power Level [n] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 13 for IEEE 802.11 Tx Power Level Length: >= 4 Radio ID: An 8-bit value representing the radio to configure. Num Levels: The number of power level attributes. Power Level: Each power level fields contains a supported power level, in mW. 11.6.7 IEEE 802.11 Direct Sequence Control The direct sequence control message element is a bi-directional element. When sent by the WTP, it contains the current state. When sent by the AC, the WTP MUST adhere to the values. This element is only used for 802.11b radios. The value has the following fields. Calhoun, et al. Expires October 2, 2005 [Page 97] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Reserved | Current Chan | Current CCA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Energy Detect Threshold | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 14 for IEEE 802.11 Direct Sequence Control Length: 8 Radio ID: An 8-bit value representing the radio to configure. Reserved: MUST be set to zero Current Channel: This attribute contains the current operating frequency channel of the DSSS PHY. Current CCA: The current CCA method in operation. Valid values are: 1 - energy detect only (edonly) 2 - carrier sense only (csonly) 4 - carrier sense and energy detect (edandcs) 8 - carrier sense with timer (cswithtimer) 16 - high rate carrier sense and energy detect (hrcsanded) Energy Detect Threshold: The current Energy Detect Threshold being used by the DSSS PHY. 11.6.8 IEEE 802.11 OFDM Control The OFDM control message element is a bi-directional element. When sent by the WTP, it contains the current state. When sent by the AC, the WTP MUST adhere to the values. This element is only used for 802.11a radios. The value contains the following fields: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Reserved | Current Chan | Band Support | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TI Threshold | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 15 for IEEE 802.11 OFDM Control Length: 8 Radio ID: An 8-bit value representing the radio to configure. Reserved: MUST be set to zero Current Channel: This attribute contains the current operating frequency channel of the OFDM PHY. Band Supported: The capability of the OFDM PHY implementation to operate in the three U-NII bands. Coded as an integer value of a three bit field as follows: Calhoun, et al. Expires October 2, 2005 [Page 98] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 capable of operating in the lower (5.15-5.25 GHz) U-NII band capable of operating in the middle (5.25-5.35 GHz) U-NII band capable of operating in the upper (5.725-5.825 GHz) U-NII band For example, for an implementation capable of operating in the lower and mid bands this attribute would take the value TI Threshold: The Threshold being used to detect a busy medium (frequency). CCA MUST report a busy medium upon detecting the RSSI above this threshold. 11.6.9 IEEE 802.11 Antenna The antenna message element is communicated by the WTP to the AC to provide information on the antennas available. The AC MAY use this element to reconfigure the WTP's antennas. The value contains the following fields: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Diversity | Combiner | Antenna Cnt | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Antenna Selection [0..N] | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 41 for IEEE 802.11 Antenna Length: >= 8 Radio ID: An 8-bit value representing the radio to configure. Diversity: An 8-bit value specifying whether the antenna is to provide receive diversity. The following values are supported: 0 - Disabled 1 - Enabled (may only be true if the antenna can be used as a receive antenna) Combiner: An 8-bit value specifying the combiner selection. The following values are supported: 1 - Sectorized (Left) 2 - Sectorized (Right) 3 - Omni 4 - Mimo Antenna Count: An 8-bit value specifying the number of Antenna Selection fields. Antenna Selection: One 8-bit antenna configuration value per antenna in the WTP. The following values are supported: 1 - Internal Antenna 2 - External Antenna 11.6.10 IEEE 802.11 Supported Rates The supported rates message element is sent by the WTP to indicate Calhoun, et al. Expires October 2, 2005 [Page 99] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 the rates that it supports. The value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Supported Rates | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 16 for IEEE 802.11 Supported Rates Length: 4 Radio ID: An 8-bit value representing the radio. Supported Rates: The WTP includes the Supported Rates that it's hardware supports. The format is identical to the Rate Set message element. 11.6.11 IEEE 802.11 CFP Status The CFP Status message element is sent to provide the CF Polling configuration. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Status | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 48 for IEEE 802.11 CFP Status Length: 2 Radio ID: The Radio Identifier, typically refers to some interface index on the WTP Status: An 8-bit boolean containing the status of the CF Polling feature. A value of zero disables CFP Status, while a value of one enables it. 11.6.12 IEEE 802.11 WTP Mode and Type The WTP Mode and Type message element is used to configure an WTP to operate in a specific mode. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Mode | Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Calhoun, et al. Expires October 2, 2005 [Page 100] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Type: 54 for IEEE 802.11 WTP Mode and Type Length: 2 Mode: An 8-bit value the type of information being sent. The following values are supported: 0 - Normal Mode 1 - Monitoring Mode 2 - REAP Mode 3 - Rogue Detector Mode 4 - Sniffer Mode Type: The type field is not currently used. 11.6.13 IEEE 802.11 Broadcast Probe Mode The Broadcast Probe Mode message element indicates whether an WTP will respond to NULL SSID probe requests. Since broadcast NULL probes are not sent to a specific BSSID, the WTP cannot know which SSID the sending station is querying. Therefore, this behavior must be global to the WTP. 0 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | Status | +-+-+-+-+-+-+-+-+ Type: 51 for IEEE 802.11 Broadcast Probe Mode Length: 1 Status: An 8-bit boolean indicating the status of whether an WTP shall response to a NULL SSID probe request. A value of zero disables NULL SSID probe response, while a value of one enables it. 11.6.14 IEEE 802.11 WTP Quality of Service The WTP Quality of Service message element value is sent by the AC to the WTP to communicate quality of service configuration information. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | Tag Packets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 57 for IEEE 802.11 WTP Quality of Service Length: 12 Calhoun, et al. Expires October 2, 2005 [Page 101] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Radio ID: The Radio Identifier, typically refers to some interface index on the WTP Tag Packets: An value indicating whether LWAPP packets should be tagged with for QoS purposes. The following values are currently supported: 0 - Untagged 1 - 802.1P 2 - DSCP Immediately following the above header is the following data structure. This data structure will be repeated five times; once for every QoS profile. The order of the QoS profiles are Uranium, Platinum, Gold, Silver and Bronze. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Queue Depth | CWMin | CWMax | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | CWMax | AIFS | CBR | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Dot1P Tag | DSCP Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Queue Depth: The number of packets that can be on the specific QoS transmit queue at any given time. CWMin: The Contention Window minimum value for the QoS transmit queue. CWMax: The Contention Window maximum value for the QoS transmit queue. AIFS: The Arbitration Inter Frame Spacing to use for the QoS transmit queue. CBR: The CBR value to observe for the QoS transmit queue. Dot1P Tag: The 802.1P precedence value to use if packets are to be 802.1P tagged. DSCP Tag: The DSCP label to use if packets are to be DSCP tagged. 11.6.15 IEEE 802.11 MIC Error Report From Mobile The MIC Error Report From Mobile message element is sent by an AC to an WTP when it receives a MIC failure notification, via the Error bit in the EAPOL-Key frame. Calhoun, et al. Expires October 2, 2005 [Page 102] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Client MAC Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Client MAC Address | BSSID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | BSSID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Radio ID | WLAN ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: 79 for IEEE 802.11 MIC Error Report From Mobile Length: 14 Client MAC Address: The Client MAC Address of the station reporting the MIC failure. BSSID: The BSSID on which the MIC failure is being reported. Radio ID: The Radio Identifier, typically refers to some interface index on the WTP WLAN ID: The WLAN ID on which the MIC failure is being reported. 11.7 IEEE 802.11 Message Element Values This section lists IEEE 802.11 specific values for any generic LWAPP message elements which include fields whose values are technology specific. IEEE 802.11 uses the following values: 4 - Encrypt AES-CCMP 128: WTP supports AES-CCMP, as defined in [7]. 5 - Encrypt TKIP-MIC: WTP supports TKIP and Michael, as defined in [15]. Calhoun, et al. Expires October 2, 2005 [Page 103] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 12. LWAPP Protocol Timers An WTP or AC that implements LWAPP discovery MUST implement the following timers. 12.1 MaxDiscoveryInterval The maximum time allowed between sending discovery requests from the interface, in seconds. Must be no less than 2 seconds and no greater than 180 seconds. Default: 20 seconds. 12.2 SilentInterval The minimum time, in seconds, an WTP MUST wait after failing to receive any responses to its discovery requests, before it MAY again send discovery requests. Default: 30 12.3 NeighborDeadInterval The minimum time, in seconds, an WTP MUST wait without having received Echo Responses to its Echo Requests, before the destination for the Echo Request may be considered dead. Must be no less than 2*EchoInterval seconds and no greater than 240 seconds. Default: 60 12.4 EchoInterval The minimum time, in seconds, between sending echo requests to the AC with which the WTP has joined. Default: 30 12.5 DiscoveryInterval The minimum time, in seconds, that an WTP MUST wait after receiving a Discovery Response, before sending a join request. Default: 5 12.6 RetransmitInterval The minimum time, in seconds, which a non-acknowledged LWAPP packet will be retransmitted. Calhoun, et al. Expires October 2, 2005 [Page 104] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Default: 3 12.7 ResponseTimeout The minimum time, in seconds, which an LWAPP Request message must be responded to. Default: 1 12.8 KeyLifetime The maximum time, in seconds, which an LWAPP session key is valid. Default: 28800 Calhoun, et al. Expires October 2, 2005 [Page 105] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 13. LWAPP Protocol Variables An WTP or AC that implements LWAPP discovery MUST allow for the following variables to be configured by system management; default values are specified so as to make it unnecessary to configure any of these variables in many cases. 13.1 MaxDiscoveries The maximum number of discovery requests that will be sent after an WTP boots. Default: 10 13.2 DiscoveryCount The number of discoveries transmitted by a WTP to a single AC. This is a monotonically increasing counter. 13.3 RetransmitCount The number of retransmissions for a given LWAPP packet. This is a monotonically increasing counter. 13.4 MaxRetransmit The maximum number of retransmissions for a given LWAPP packet before the link layer considers the peer dead. Default: 5 Calhoun, et al. Expires October 2, 2005 [Page 106] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 14. Security Considerations LWAPP uses either an authenticated key exchange or key agreement mechanism to ensure peer authenticity and establish fresh session keys to protect the LWAPP communications. Fresh keying material is ensured in certificated based construction as the AC generates new keying material in either the Join Response or Key Update Response (see RFC 1750 [4]. In the PSK construction both parties, WTP and AC mutually derive new keying material through the exchange of the nonces in the Join Request/Response exchange. The rekeys are ensured new keying material through the Key Update Response. It is important to note that Perfect Forward Secrecy is not a requirement for the LWAPP protocol. 14.1 Certificate based Session Key establishment LWAPP uses public key cryptography to ensure trust between the WTP and the AC. During the Join phase, the AC generates a session key, which is used to secure future control messages. The WTP does not participate in the key generation, but public key cryptography is used to authenticate the resulting key material. A secured delivery mechanism to place the certificate in the devices is required. In order to maximize session key security, the WTP and AC periodically update the session keys, which are encrypted using public key cryptography. This ensures that a potentially previously compromised key does not affect the security of communication with new key material. One question that periodically arises is why the Join Request is not signed. It was felt that requiring a signature in this messages was not required for the following reasons: 1. The Join Request is replayable, so requiring a signature doesn't provide much protection unless the switches keep track of all previous Join Requests from a given WTP. One alternative would have been to add a timestamp, but this introduces clock synchronization issues. Further, authentication occurs in a later exchange anyway (see point 2 below). 2. The WTP is authenticated by virtue of the fact that it can decrypt and then use the session keys (encrypted with its own public key), so it *is* ultimately authenticated. 3. A signed Join Request provides a potential Denial of Service attack on the AC, which would have to authenticate each (potentially malicious) message. The WTP-Certificate that is included in the Join Request MUST be Calhoun, et al. Expires October 2, 2005 [Page 107] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 validated by the AC. It is also good practice that the AC perform some form of authorization, ensuring that the WTP in question is allowed to establish an LWAPP session with it. 14.2 PSK based Session Key establishment Use of a fixed shared secret of limited entropy (for example, a PSK that is relatively short, or was chosen by a human and thus may contain less entropy than its length would imply) may allow an attacker to perform a brute-force or dictionary attack to recover the secret. It is RECOMMENDED that implementations that allow the administrator to manually configure the PSK also provide a functionality for generating a new random PSK, taking RFC 1750 [4] into account. Since the key generation does not expose the nonces in plaintext, there are no practical passive attacks possible. Calhoun, et al. Expires October 2, 2005 [Page 108] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 15. IANA Considerations This document requires no action by IANA. Calhoun, et al. Expires October 2, 2005 [Page 109] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 16. IPR Statement The IETF has been notified of intellectual property rights claimed in regard to some or all of the specification contained in this document. For more information consult the online list of claimed rights. Please refer to http://www.ietf.org/ietf/IPR for more information. Calhoun, et al. Expires October 2, 2005 [Page 110] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 17. References 17.1 Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [2] National Institute of Standards and Technology, "Advanced Encryption Standard (AES)", FIPS PUB 197, November 2001, . [3] Whiting, D., Housley, R. and N. Ferguson, "Counter with CBC-MAC (CCM)", RFC 3610, September 2003. [4] Eastlake, D., Crocker, S. and J. Schiller, "Randomness Recommendations for Security", RFC 1750, December 1994. [5] Manner, J. and M. Kojo, "Mobility Related Terminology", RFC 3753, June 2004. [6] "Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications", IEEE Standard 802.11, 1999, . [7] "Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications Amendment 6: Medium Access Control (MAC) Security Enhancements", IEEE Standard 802.11i, July 2004, . [8] Clark, D., "IP datagram reassembly algorithms", RFC 815, July 1982. [9] Stokes, E., Weiser, R., Moats, R. and R. Huber, "Lightweight Directory Access Protocol (version 3) Replication Requirements", RFC 3384, October 2002. [10] Schaad, J. and R. Housley, "Advanced Encryption Standard (AES) Key Wrap Algorithm", RFC 3394, September 2002. Calhoun, et al. Expires October 2, 2005 [Page 111] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 17.2 Informational References [11] Reynolds, J., "Assigned Numbers: RFC 1700 is Replaced by an On-line Database", RFC 3232, January 2002. [12] Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, October 1996. [13] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998. [14] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997. [15] "WiFi Protected Access (WPA) rev 1.6", April 2003. Authors' Addresses Pat R. Calhoun Airespace 110 Nortech Parkway San Jose, CA 95134 Phone: +1 408-635-2000 Email: pcalhoun@airespace.com Bob O'Hara Airespace 110 Nortech Parkway San Jose, CA 95134 Phone: +1 408-635-2025 Email: bob@airespace.com Scott Kelly Facetime Communications 1159 Triton Dr Foster City, CA 94404 Phone: +1 650 572-5846 Email: scott@hyperthought.com Calhoun, et al. Expires October 2, 2005 [Page 112] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Rohit Suri Airespace 110 Nortech Parkway San Jose, CA 95134 Phone: +1 408-635-2026 Email: rsuri@airespace.com Michael Glenn Williams Nokia, Inc. 313 Fairchild Drive Mountain View, CA 94043 Phone: +1 650-714-7758 Email: Michael.G.Williams@Nokia.com Sue Hares Nexthop Technologies, Inc. 825 Victors Way, Suite 100 Ann Arbor, MI 48108 Phone: +1 734 222 1610 Email: shares@nexthop.com Nancy Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134 Phone: +1 408-853-0532 Email: ncamwing@cisco.com Calhoun, et al. Expires October 2, 2005 [Page 113] Internet-Draft Light Weight Access Point Protocol (LWAPP) March 2005 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Calhoun, et al. Expires October 2, 2005 [Page 114]