Light Weight Access Point Protocol (LWAPP)

Pat R. Calhoun

draft-ohara-capwap-lwapp-01.txt


Introduction

  • Components of protocol:

    • Discovery phase

    • Control Channel Management

      • Join (binding phase)

        • Creates LWAPP security association

      • Watchdog

      • Key Update

    • WTP Configuration

      • WTP initiated Configuration Request

      • AC initiated Configuration Update

      • WTP Config Clear


Introduction (cont.)

  • Components of protocol:

    • Device Management Operations

      • WTP Reset

      • WTP Firmware Download

      • WTP Event Notification (Unsolicited events, such as statistics)

    • Mobile Management

      • Create forwarding policies on WTP

    • IEEE 802.11 Technology Binding

      • WLAN (service) Configuration


WTP/AC Communication

  • Discovery Phase (WTP and AC)

  • Join Phase

  • Security Association Established – encryption enabled

  • Either:

    1) WTP Configuration, after which the AP advertises service

    or

    2) Image Data Transfer, after which the AP reboots with new firmware


New LWAPP State Machine

  • [State machine figure; the ASCII diagram did not survive extraction. States shown: Idle, Discovery, Sulking, Join, Join-Confirm, Image Data, Configure, Run, Key Update, Reset. Transitions are labelled with letters (a, b, ...) that the draft text refers to, e.g. Idle to Discovery (a).]


New LWAPP State Machine

  • State machine is now consistent with text throughout the document

  • New text in -01 now has explicit text about state machine behavior, for instance:

    Idle to Discovery (a): This is the initialization state.

    WTP: The WTP enters the Discovery state prior to transmitting the first Discovery Request (see Section 5.1). Upon entering this state, the WTP sets the DiscoveryInterval timer (see Section 12). The WTP resets the DiscoveryCount counter to zero (0) (see Section 13). The WTP also clears all information from ACs (e.g., AC Addresses) it may have received during a previous Discovery phase.

    AC: The AC does not need to maintain state information for the WTP upon reception of the Discovery Request, but it MUST respond with a Discovery Response (see Section 5.2).
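As an added example (not code from the presentation or the LWAPP draft), the following Python models the WTP side of the state machine with the Idle-to-Discovery entry actions quoted above, plus the stateless AC handling of a Discovery Request. The states are the ones named in the figure; the transition table is an assumption built from the WTP/AC communication slide, not the draft's complete table, and the AC address is a constructed sample value.

```python
from dataclasses import dataclass, field

# States named in the -01 state machine figure.
STATES = {"Idle", "Discovery", "Sulking", "Join", "Join-Confirm", "Image Data",
          "Configure", "Run", "Key Update", "Reset"}

# Assumed edge set for this example: the paths implied by the WTP/AC communication
# slide and the quoted Idle-to-Discovery text. The draft defines more transitions.
TRANSITIONS = {
    ("Idle", "Discovery"),        # (a) initialization
    ("Discovery", "Join"),
    ("Join", "Configure"),        # path 1: WTP Configuration, then service
    ("Configure", "Run"),
    ("Join", "Image Data"),       # path 2: firmware download, then reboot
    ("Image Data", "Reset"),
    ("Run", "Key Update"),
    ("Key Update", "Run"),
    ("Run", "Reset"),
    ("Reset", "Idle"),
}


@dataclass
class WtpStateMachine:
    state: str = "Idle"
    discovery_count: int = 0                     # DiscoveryCount counter (Section 13)
    discovery_interval_running: bool = False     # DiscoveryInterval timer (Section 12)
    ac_info: list = field(default_factory=list)  # AC Addresses etc. learned while discovering

    def transition(self, new_state: str) -> None:
        """Move to new_state only along a permitted edge; run entry actions for Discovery."""
        if new_state not in STATES:
            raise ValueError(f"unknown state {new_state!r}")
        if (self.state, new_state) not in TRANSITIONS:
            raise ValueError(f"illegal transition {self.state} -> {new_state}")
        self.state = new_state
        if new_state == "Discovery":
            self._enter_discovery()

    def _enter_discovery(self) -> None:
        # Entry actions quoted from the draft: start DiscoveryInterval, zero
        # DiscoveryCount, and forget everything learned from ACs previously.
        self.discovery_interval_running = True
        self.discovery_count = 0
        self.ac_info.clear()

    def send_discovery_request(self) -> dict:
        if self.state != "Discovery":
            raise RuntimeError("Discovery Request may only be sent in the Discovery state")
        self.discovery_count += 1
        return {"type": "Discovery Request", "count": self.discovery_count}

    def receive_discovery_response(self, response: dict) -> None:
        if self.state != "Discovery" or response.get("type") != "Discovery Response":
            raise RuntimeError("unexpected Discovery Response")
        self.ac_info.append(response["ac_address"])


def ac_handle_discovery(request: dict, ac_address: str) -> dict:
    """AC side: keeps no per-WTP state, but every Discovery Request MUST be answered."""
    if request.get("type") != "Discovery Request":
        raise ValueError("not a Discovery Request")
    return {"type": "Discovery Response", "ac_address": ac_address}


if __name__ == "__main__":
    wtp = WtpStateMachine()
    wtp.transition("Discovery")
    reply = ac_handle_discovery(wtp.send_discovery_request(), "192.0.2.10")  # constructed address
    wtp.receive_discovery_response(reply)
    print(wtp)
```

The entry action is the point of the example: a WTP that re-enters Discovery after a Reset must not carry over AC addresses or the request counter from the previous cycle, which is exactly what the quoted draft text requires.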


Technology Bindings

  • Added text about how to add new technology bindings (section 2.1)

  • Moved and renamed all 802.11 specific protocol components to 802.11 binding (section 11)

  • Defined IEEE 802.11 specific message elements in binding section

    • Mobile Config Request (section 11.4.1)

    • WTP Event Request (section 11.4.2)


Technology Bindings (cont.)

  • Introduced IEEE 802.11 specific commands

    • IEEE 802.11 WLAN Config Request

    • IEEE 802.11 WLAN Config Response

    • IEEE 802.11 WTP Event

  • Many IEEE 802.11 specific message elements are defined in section 11


LWAPP Transport

  • LWAPP is transport agnostic.

  • Specification defines IP/UDP and IEEE 802.3

    • New text (01) now a single transport header

      • IEEE 802.3 and IP/UDP refer back to single header figure

         0                   1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |VER| RID |C|F|L|    Frag ID    |            Length             |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |          Status/WLANs         |  Payload...
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
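As an added example (not code from the presentation or the LWAPP draft), the following Python packs and parses the transport header laid out above. The bit widths follow the figure (VER 2 bits, RID 3 bits, C/F/L one bit each, Frag ID 8 bits, Length 16 bits, Status/WLANs 16 bits); treating Length as the payload octet count, the version value 0, and the sample bytes are assumptions of this example.

```python
import struct
from dataclasses import dataclass

# Fixed part of the transport header: one 32-bit word followed by the
# 16-bit Status/WLANs field; the Payload begins after these 6 octets.
TRANSPORT_HEADER_LEN = 6
LWAPP_VERSION = 0  # assumed version value for this example


@dataclass
class TransportHeader:
    ver: int           # 2 bits
    rid: int           # 3 bits, radio ID
    c: bool            # C bit: 1 = control message, 0 = data frame
    f: bool            # F bit: this datagram is a fragment
    l: bool            # L bit: last fragment
    frag_id: int       # 8 bits
    length: int        # 16 bits, payload octets (assumed meaning)
    status_wlans: int  # 16 bits

    def pack(self) -> bytes:
        # Refuse values that would silently overflow into neighbouring bit fields.
        for name, value, bits in (("VER", self.ver, 2), ("RID", self.rid, 3),
                                  ("Frag ID", self.frag_id, 8), ("Length", self.length, 16),
                                  ("Status/WLANs", self.status_wlans, 16)):
            if not 0 <= value < (1 << bits):
                raise ValueError(f"{name}={value} does not fit in {bits} bits")
        first = ((self.ver << 6) | (self.rid << 3) | (int(self.c) << 2)
                 | (int(self.f) << 1) | int(self.l))
        return struct.pack("!BBHH", first, self.frag_id, self.length, self.status_wlans)


def parse_transport(datagram: bytes) -> tuple:
    """Split a datagram into its transport header and the payload the Length field covers."""
    if len(datagram) < TRANSPORT_HEADER_LEN:
        raise ValueError("datagram shorter than the LWAPP transport header")
    first, frag_id, length, status_wlans = struct.unpack("!BBHH", datagram[:TRANSPORT_HEADER_LEN])
    hdr = TransportHeader(ver=first >> 6, rid=(first >> 3) & 0x7,
                          c=bool(first & 0x4), f=bool(first & 0x2), l=bool(first & 0x1),
                          frag_id=frag_id, length=length, status_wlans=status_wlans)
    if hdr.ver != LWAPP_VERSION:
        raise ValueError(f"unsupported LWAPP version {hdr.ver}")
    payload = datagram[TRANSPORT_HEADER_LEN:]
    # Never let the sender's Length field index past what actually arrived.
    if hdr.length > len(payload):
        raise ValueError(f"Length={hdr.length} exceeds the {len(payload)} payload octets present")
    return hdr, payload[:hdr.length]


if __name__ == "__main__":
    # Constructed sample: a control message (C=1) on radio 1 carrying 5 payload octets.
    sample = TransportHeader(ver=0, rid=1, c=True, f=False, l=False,
                             frag_id=0, length=5, status_wlans=0).pack() + bytes(range(1, 6))
    print(sample.hex())
    print(parse_transport(sample))
```

The two checks in `parse_transport` are the ones a receiver needs regardless of transport: the header itself must be complete, and the Length field must be bounded by the datagram that arrived rather than trusted to index into the buffer.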


Division of Labor – Split MAC

  WTP:

    • 802.11 control protocol

    • 802.11 beacons

    • 802.11 probe responses

    • 802.11e frame queuing

    • 802.11i frame encryption

  AC:

    • 802.11 MAC management (e.g., Association, Action)

    • 802.11 Data Frames

    • 802.11e resource reservation

    • 802.11i Auth/Key Exchange

Local MAC behavior will be added in -03.


LWAPP Data Frames

  • LWAPP defines the following format for the IEEE 802.11 technology binding:

    +-----------------------------------------------------------+
    |Transport Header | LWAPP Header [C=0] | 802.11 Frame...
    +-----------------------------------------------------------+


LWAPP Control Messages

  • LWAPP defines a specific header for Control messages:

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Message Type |    Seq Num    |      Msg Element Length       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          Session ID                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                   Msg Element [0..N] ...                      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


LWAPP Messages

  • Increased the readability of every LWAPP Control message:

    • Section now includes all message elements allowed:

      5.2    Discovery Response ................... 33
      5.2.1  AC Address ........................... 34
      5.2.2  AC Descriptor ........................ 34
      5.2.3  AC Name .............................. 35
      5.2.4  WTP Manager Control IP Address ....... 36

    • Includes complete instructions on WTP and AC behavior, and ties back into state machine

    • Refers to all necessary timers and variables (sections 12 and 13)


Message Elements

  • Significant formatting changes

    • Removed large message element table

    • Each message element now includes identifier number and length.

      5.1.1 Discovery Type

      The Discovery message element is used to configure a WTP to operate in a specific mode.

         0
         0 1 2 3 4 5 6 7
        +-+-+-+-+-+-+-+-+
        | Discovery Type|
        +-+-+-+-+-+-+-+-+

      Type: 58 for Discovery Type

      Length: 1

      Discovery Type: An 8-bit value indicating how the AC was discovered. The following values are supported:

        0 - Broadcast
        1 - Configured
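As an added example (not code from the presentation or the LWAPP draft), the following Python builds and parses a control message with the header shown on the LWAPP Control Messages slide and then decodes the Discovery Type element (Type 58, Length 1, values 0 Broadcast and 1 Configured) exactly as listed above. The element encoding as a 16-bit Type, 16-bit Length and Value, the Discovery Request message type number 1, and the sample Session ID are assumptions of this example.

```python
import struct

# Control message header: Message Type (8), Seq Num (8), Msg Element Length (16),
# Session ID (32), followed by the message elements.
CONTROL_HEADER_LEN = 8
# Assumed element encoding for this example: 16-bit Type, 16-bit Length, Value.
ELEMENT_HEADER_LEN = 4

DISCOVERY_TYPE = 58                                   # Type 58, Length 1 (from the slide)
DISCOVERY_TYPE_VALUES = {0: "Broadcast", 1: "Configured"}
MSG_DISCOVERY_REQUEST = 1                             # assumed message type number


def build_control_message(msg_type: int, seq_num: int, session_id: int, elements) -> bytes:
    """elements: iterable of (type, value_bytes); Msg Element Length is computed from them."""
    body = b"".join(struct.pack("!HH", etype, len(value)) + value for etype, value in elements)
    return struct.pack("!BBHI", msg_type, seq_num, len(body), session_id) + body


def parse_control_message(buf: bytes) -> dict:
    """Parse header and elements, refusing any length that points outside the buffer."""
    if len(buf) < CONTROL_HEADER_LEN:
        raise ValueError("buffer shorter than the control message header")
    msg_type, seq_num, elem_len, session_id = struct.unpack("!BBHI", buf[:CONTROL_HEADER_LEN])
    body = buf[CONTROL_HEADER_LEN:]
    if elem_len > len(body):
        raise ValueError(f"Msg Element Length={elem_len} exceeds {len(body)} octets present")
    body = body[:elem_len]  # octets beyond the declared length are not part of the message
    elements, offset = [], 0
    while offset < len(body):
        if offset + ELEMENT_HEADER_LEN > len(body):
            raise ValueError(f"truncated element header at offset {offset}")
        etype, length = struct.unpack("!HH", body[offset:offset + ELEMENT_HEADER_LEN])
        offset += ELEMENT_HEADER_LEN
        if offset + length > len(body):
            raise ValueError(f"element {etype}: Length={length} runs past the message")
        elements.append((etype, body[offset:offset + length]))
        offset += length
    return {"msg_type": msg_type, "seq_num": seq_num,
            "session_id": session_id, "elements": elements}


def decode_discovery_type(value: bytes) -> str:
    """Interpret the 8-bit Discovery Type; reject lengths and codes the element does not define."""
    if len(value) != 1:
        raise ValueError(f"Discovery Type must be 1 octet, got {len(value)}")
    try:
        return DISCOVERY_TYPE_VALUES[value[0]]
    except KeyError:
        raise ValueError(f"unsupported Discovery Type value {value[0]}") from None


def discovery_mode(buf: bytes) -> str:
    """Return how the AC was discovered, requiring exactly one Discovery Type element."""
    msg = parse_control_message(buf)
    modes = [decode_discovery_type(v) for t, v in msg["elements"] if t == DISCOVERY_TYPE]
    if len(modes) != 1:
        raise ValueError(f"expected exactly one Discovery Type element, found {len(modes)}")
    return modes[0]


if __name__ == "__main__":
    # Constructed sample: Discovery Request, sequence 0, session 0x11223344, Configured mode.
    req = build_control_message(MSG_DISCOVERY_REQUEST, 0, 0x11223344, [(DISCOVERY_TYPE, b"\x01")])
    print(req.hex(), discovery_mode(req))
```

Because every message element carries its own identifier and length, a parser has two lengths to reconcile: the header's Msg Element Length against the buffer, and each element's Length against the remaining message. Both are checked before any slice is taken.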


Security

  • Significant cleanup in text detailing certificate based LWAPP security

    • Message elements clearly spell out their contents

  • Introduction of PSK

    • State machine changes

    • Changes to certain message elements to handle both modes of operation

    • Specific text detailing DH/PRF security approach

  • AC Advertises security modes supported in AC Descriptor (section 5.2.2)

  • New Security Considerations section for both modes of operation.


Certificate Based Security

  WTP → AC: Join Request (WTP-Cert, SID)

  AC creates session keys (KeyMaterial)

    Data = E-wtp{Kpub, PKCS1(KeyMaterial)}

    Cipher-text = E-ac{Kpriv, SID|Data}

  AC → WTP: Join Response (AC-Cert, SID, cipher-text)

  WTP recovers the key material:

    Data = D-ac{Kpub, Cipher-text}

    PKCS1(KeyMaterial) = D-ac{Kpriv, data}

  AES-CCM Encrypted Control Channel


PSK Based Security

  AC chooses exponent x and creates WNonce

  WTP → AC: Join Request (DH-Params(g, p, g^x mod p), WNonce, SID)

  AC chooses exponent y and creates ANonce

    PMS = LEN_16(Z) | Z | LEN_16(PSK) | PSK

    KeyMaterial = PRF(PMS, "master secret", WNonce + ANonce)

    KeyMaterial is split into K1 (KCK), K2 (KEK) and K3 (Rekey key)

  AC → WTP: Join Response (DH-Params(g^y mod p), SID, ANonce, PSK-MIC)

  WTP computes key; PSK-MIC validation provides key confirmation

  WTP → AC: Join ACK (SID, PSK-MIC)

  PSK-MIC validation provides key confirmation

  AC → WTP: Join Confirm (SID, PSK-MIC)

  Authenticated Join Confirm closes the state machine loop

  AES-CCM Encrypted Control Channel
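As an added example (not code from the presentation or the LWAPP draft), the following Python carries the PSK-based derivation above through both sides of the Join exchange: Z from the Diffie-Hellman values, PMS = LEN_16(Z) | Z | LEN_16(PSK) | PSK, KeyMaterial = PRF(PMS, "master secret", WNonce + ANonce) split into K1/K2/K3, and PSK-MIC validation on the Join Response and Join ACK. The slide names no concrete PRF, MIC construction, key sizes or group, so a TLS 1.2 style P_SHA256 expansion, HMAC-SHA256 keyed with the KCK, three 16-octet keys, a toy group based on the prime 2^127-1, and the MIC transcripts are all assumptions of this example.

```python
import hashlib
import hmac

# Toy Diffie-Hellman group for the example only (p = 2^127 - 1, a Mersenne prime);
# a deployment uses a standard group of adequate size.
P = (1 << 127) - 1
G = 5
Z_LEN = (P.bit_length() + 7) // 8

KEY_LEN = 16  # assumed: K1 (KCK), K2 (KEK), K3 (rekey key) are 16 octets each


def len_16(data: bytes) -> bytes:
    """LEN_16(x): the length of x as a 16-bit big-endian integer."""
    return len(data).to_bytes(2, "big")


def prf(secret: bytes, label: str, seed: bytes, nbytes: int) -> bytes:
    """PRF(secret, label, seed): TLS 1.2 style P_SHA256 expansion (assumed for the example)."""
    seed = label.encode("ascii") + seed
    out, a = b"", seed
    while len(out) < nbytes:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:nbytes]


def derive_keys(z: int, psk: bytes, wnonce: bytes, anonce: bytes):
    """PMS = LEN_16(Z) | Z | LEN_16(PSK) | PSK; KeyMaterial = PRF(PMS, "master secret", WNonce + ANonce)."""
    zb = z.to_bytes(Z_LEN, "big")
    pms = len_16(zb) + zb + len_16(psk) + psk
    km = prf(pms, "master secret", wnonce + anonce, 3 * KEY_LEN)
    return km[:KEY_LEN], km[KEY_LEN:2 * KEY_LEN], km[2 * KEY_LEN:]  # K1 (KCK), K2 (KEK), K3


def psk_mic(kck: bytes, transcript: bytes) -> bytes:
    """PSK-MIC: HMAC-SHA256 keyed with the KCK over the message (assumed construction)."""
    return hmac.new(kck, transcript, hashlib.sha256).digest()


def run_join(psk_wtp: bytes, psk_ac: bytes, x: int, y: int,
             wnonce: bytes, anonce: bytes, sid: bytes):
    """Run the Join exchange from the slide; return (join_succeeded, wtp_keys, ac_keys)."""
    gx = pow(G, x, P)  # carried in Join Request with WNonce and SID
    gy = pow(G, y, P)  # carried in Join Response with ANonce and PSK-MIC
    # AC side: Z from g^x and y, keys from its PSK, PSK-MIC over the Join Response.
    ac_keys = derive_keys(pow(gx, y, P), psk_ac, wnonce, anonce)
    resp_mic = psk_mic(ac_keys[0], b"Join Response" + sid + anonce)
    # WTP side: Z from g^y and x, keys from its PSK; MIC validation gives key confirmation.
    wtp_keys = derive_keys(pow(gy, x, P), psk_wtp, wnonce, anonce)
    if not hmac.compare_digest(psk_mic(wtp_keys[0], b"Join Response" + sid + anonce), resp_mic):
        return False, wtp_keys, ac_keys  # PSK mismatch or tampered exchange: WTP stops here
    ack_mic = psk_mic(wtp_keys[0], b"Join ACK" + sid)
    # AC side: validate the Join ACK before Join Confirm and the AES-CCM channel.
    if not hmac.compare_digest(psk_mic(ac_keys[0], b"Join ACK" + sid), ack_mic):
        return False, wtp_keys, ac_keys
    return True, wtp_keys, ac_keys


if __name__ == "__main__":
    import secrets
    wn, an, sid = secrets.token_bytes(16), secrets.token_bytes(16), b"\x00\x00\x00\x2a"
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    print("matching PSK:", run_join(b"example-psk", b"example-psk", x, y, wn, an, sid)[0])
    print("mismatched PSK:", run_join(b"example-psk", b"other", x, y, wn, an, sid)[0])
```

The mismatched-PSK run is the property the slide calls key confirmation: both sides agree on Z, but because the PSK is folded into PMS the derived KCKs differ, the PSK-MIC fails to verify, and neither side reaches the encrypted control channel.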

