802/802.1X/802.11 Architecture

Mike Moreton, Synad Technologies

802.1Q Architectural Model

802.1Q – Position of LLC

SAPs in 802 (Not generally named in the standards)

ISS = Internal Sublayer Service

802.1X Controlled and Uncontrolled Ports

There are two instances of LLC/SNAP per MAC entity, one for the controlled port, and one for the uncontrolled port.

The MAC SAP always forwards a copy of each received frame to the uncontrolled LLC/SNAP entity.

If the controlled port is authorised, then a copy is also sent to the controlled LLC/SNAP entity, and a further copy to the ISS SAP.

When the controlled port is unauthorised, the MAC SAP will not pass frames for transmission received from the controlled LLC/SNAP entity, and the ISS SAP will not pass any frames for transmission.

802.1X Architecture

Alternative 802.1X Port Architecture
  • The SNAP SAPs are split into controlled and uncontrolled.
  • When the controlled port is authorised, traffic may pass via all SNAP SAPs and via the ISS SAP.
  • When the controlled port is not authorised, traffic may only pass via the uncontrolled SNAP SAPs.

Alternative 802.1X Controlled/Uncontrolled

802.11 in the 802.1 Architecture
  • 802.11 is a shared access LAN
    • Not suitable for Port-Based Access Control.
  • 802.1X suggests 802.11 associations can be used as “pseudo-ports”.
    • But this requires isolation between STAs, which isn’t practical in 802.11-2003.
  • TGi provides STA isolation by using a unique pairwise key for each one.
  • But there is no isolation for group addresses.
    • Only one copy is sent out, encrypted with a separate group key.
    • TGi cannot be modelled in the 802.1 architecture purely as a set of pseudo-ports, one per association.

802.11 in 802.1 – a Possible Solution
  • Each 802.11i association is modelled as a pseudo-port.
    • However, the MAC entity for these ports is required to discard group addressed frames for transmission.
    • Received group addressed frames are processed as normal.
  • There is an additional permanent port used for transmitting group addressed frames.
    • The MAC entity for this port will only pass group addressed frames for transmission. All other frames (including received frames) are discarded.
    • It is not controlled by 802.1X – always authorised.
    • 802.11i will encrypt these frames, and may not send them if no STAs are associated.

802.11 in 802.1 – The Diagram

[Diagram; labels: EAPOL, MAC Relay Entity, Group Addressed Pseudo-Port, STA 1 Pseudo-Port, STA 2 Pseudo-Port, STA 3 Pseudo-Port, STA 4 Pseudo-Port, STA 5 Pseudo-Port]

802.11 in 802.1 – Group Addressed Frame Flow
  • The originating STA forwards the frame to the AP as a directed unicast frame.
    • This is the way 802.11 has always done it.
  • It is received on the AP pseudo-port for that association. Assuming the associated controlled port is authorised, the frame is forwarded (with the recovered group address) to the Relay Agent.
  • The Relay Agent distributes the frame to all ports other than the one it was received from.
  • Each association pseudo-port that receives the frame will discard it before transmission, as it does not have a unicast destination address.
  • The multicast pseudo-port will transmit the frame.
  • All STAs will receive a single copy of the frame.
  • The originating STA will discard the frame based on the source address.
    • Again, this is the way 802.11 has always done it.
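As an added illustration (not from Mike Moreton's slides), the following Python model encodes the controlled/uncontrolled port rules from the "802.1X Controlled and Uncontrolled Ports" slide together with the pseudo-port scheme of the "Possible Solution" and "Group Addressed Frame Flow" slides: association pseudo-ports drop group-addressed frames on transmit, and one always-authorised group port sends them. Port names, entity labels and MAC addresses are constructed, and the relay simply floods to every other port (no filtering database is modelled).

```python
# Added model (not from the slides) of the AP-side 802.1X port rules and the pseudo-port
# scheme for group-addressed frames. Names and addresses are constructed; the relay floods.
from dataclasses import dataclass

def is_group(addr: str) -> bool:
    """802 group bit is the least-significant bit of the first address octet."""
    return int(addr.split(":")[0], 16) & 1 == 1

@dataclass
class Frame:
    dst: str
    src: str

@dataclass
class PseudoPort:
    """AP MAC entity for one association; 'authorised' is its 802.1X controlled port state."""
    name: str
    authorised: bool = False
    group_port: bool = False                # the extra permanent port (always authorised)

    def receive(self, frame: Frame) -> list:
        """MAC SAP receive side: which entities get a copy of a received frame."""
        if self.group_port:
            return []                       # the group port discards all received frames
        copies = ["uncontrolled_llc"]       # always delivered, so EAPOL reaches 802.1X
        if self.authorised:
            copies += ["controlled_llc", "iss"]   # the ISS copy feeds the MAC relay entity
        return copies

    def transmit(self, frame: Frame, origin: str) -> bool:
        """MAC SAP transmit side: True if the frame is sent over the air."""
        if self.group_port:
            return is_group(frame.dst)      # only group-addressed frames, never gated
        if is_group(frame.dst):
            return False                    # association pseudo-ports drop group frames
        return origin == "uncontrolled_llc" or self.authorised

def relay(ports: list, ingress: PseudoPort, frame: Frame) -> list:
    """MAC relay entity: forward to every port except the ingress; returns ports that sent."""
    if "iss" not in ingress.receive(frame):
        return []                           # unauthorised ingress: nothing reaches the relay
    return [p.name for p in ports if p is not ingress and p.transmit(frame, "iss")]

def group_frame_flow(sender_authorised: bool) -> list:
    """STA1 sends a broadcast to the AP as a unicast; returns the ports that transmit it."""
    stas = [PseudoPort(f"STA{i}", authorised=True) for i in (1, 2, 3)]
    stas[0].authorised = sender_authorised
    ports = stas + [PseudoPort("group", group_port=True)]
    return relay(ports, stas[0], Frame(dst="ff:ff:ff:ff:ff:ff", src="02:00:00:00:00:01"))
```

Running `group_frame_flow(True)` shows only the group port transmitting the broadcast, while an unauthorised sender gets nothing past its uncontrolled LLC entity.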

802.11 Attached Bridges
  • Standard 802.11 APs do not forward frames for unknown addresses.
    • Can’t attach an 802.1D bridge via 802.11.
  • The standard defines a 4-address frame format that could be used to carry unknown frames, but doesn’t describe how to use it.
  • Many suppliers use proprietary indications in the association message to indicate an attached bridge, so that unknown frames can be forwarded to it.

802.11 Bridging – Some Questions
  • How do you secure who can be a bridge?
    • Can it be anyone?
  • Should an Ethernet 802.1X switch also discard unknown frames?
    • If so, maybe “bridge indication” should be in 802.1X.
  • What happens when multiple bridges are associated?
    • Perhaps use a group address?