CAPWAP Study Notes: First Acquaintance with CAPWAP (5)


3. CAPWAP Binding for IEEE 802.11

The CAPWAP protocol itself is independent of any specific wireless technology. Support for a particular technology is added through a binding specification.

RFC 5416 extends CAPWAP to IEEE 802.11 networks. It defines the binding-specific control message fields, new control messages, and message elements.

Note that this binding supports only the IEEE 802.11-2007 specification. It does not support the ad hoc network mode defined in IEEE 802.11-2007 (the point-to-point mode, or IBSS), nor data frames in the four-address format (commonly used for bridging and not specified in IEEE 802.11-2007). The binding also does not support IEEE 802.11n.

Some terms:

Basic Service Set (BSS): a set of stations controlled by a single coordination function; in infrastructure mode, the wireless network formed by the controlled STAs and the structure that controls them.

Independent Basic Service Set (IBSS): also called an ad hoc network, an 802.11 network of directly interconnected stations without infrastructure, designed for point-to-point connectivity. IBSS mode has no wireless infrastructure backbone and requires at least two STAs.

3.1 Binding identifiers

As described for the CAPWAP header in section 4.3 of RFC 5415, the WBID field identifies the wireless binding in use. For IEEE 802.11 the field is set to 1.
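The following decoder, added here as an illustration and not taken from the page or from any CAPWAP implementation, pulls the WBID (and the neighbouring HLEN, RID and T fields) out of a CAPWAP transport header so a receiver can confirm the 802.11 binding before handing the payload to 802.11-specific parsing. The bit layout is assumed from RFC 5415 section 4.3; the sample header bytes are constructed.

```python
# CAPWAP transport header decoder (layout assumed from RFC 5415 section 4.3):
#   byte 0     : preamble (4-bit version, 4-bit type; 0/0 = plain CAPWAP header)
#   bits 8-12  : HLEN, header length in 4-byte words
#   bits 13-17 : RID, radio ID
#   bits 18-22 : WBID, wireless binding ID (this page: 1 = IEEE 802.11)
#   bit 23     : T flag, payload is a native wireless frame
from dataclasses import dataclass

WBID_IEEE_80211 = 1  # value this page gives for the 802.11 binding


@dataclass(frozen=True)
class CapwapHeader:
    version: int
    hlen_words: int
    rid: int
    wbid: int
    native_frame: bool


def parse_capwap_header(data: bytes) -> CapwapHeader:
    """Extract the binding-related fields from the fixed part of the header."""
    if len(data) < 8:
        raise ValueError("CAPWAP header is at least 8 bytes")
    preamble, b1, b2 = data[0], data[1], data[2]
    version, htype = preamble >> 4, preamble & 0x0F
    if version != 0 or htype != 0:
        raise ValueError("only version 0 plain CAPWAP headers are handled here")
    hlen = (b1 >> 3) & 0x1F                    # bits 8-12
    rid = ((b1 & 0x07) << 2) | (b2 >> 6)       # bits 13-17 span two bytes
    wbid = (b2 >> 1) & 0x1F                    # bits 18-22
    t_flag = bool(b2 & 0x01)                   # bit 23
    if hlen * 4 > len(data):
        raise ValueError("HLEN claims more header than is present")
    return CapwapHeader(version, hlen, rid, wbid, t_flag)


def is_ieee80211_binding(data: bytes) -> bool:
    """True when the header's WBID selects the IEEE 802.11 binding."""
    return parse_capwap_header(data).wbid == WBID_IEEE_80211


# Constructed sample: version 0, HLEN 2 (8 bytes), RID 1, WBID 1, T flag set.
SAMPLE_HEADER = bytes.fromhex("0010430000000000")
```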

3.2 Functional Divisions

Because CAPWAP itself is technology-independent, binding it to 802.11 requires dividing the functions that 802.11 needs between the two providers (the AC and the WTP), so that each side knows which functions it must implement. In short, this section describes which 802.11 functions the AC and the WTP each implement.

3.2.1 Split MAC


In IEEE 802.11, the division of functions between the AC and the WTP in Split MAC mode is as follows:

Thus, in Split MAC mode the distribution and integration services are performed on the AC, so all user data is tunneled between the WTP and the AC. All real-time IEEE 802.11 services, however, including beacon generation and probe responses, are handled on the WTP.

The EAP protocol and RSNA key management functions, including association requests and 802.1X, are also performed on the AC. This means that authentication, authorization, and accounting (AAA) also reside on the AC.

All IEEE 802.11 control functions are performed on the AC, while real-time scheduling and queuing are performed on the WTP. Note that this does not mean the AC cannot provide additional policy and scheduling functions.

The following example uses 802.1X end-user authentication and Advanced Encryption Standard Counter Mode with CBC-MAC Protocol (AES-CCMP) encryption.

In the corresponding figure, '(-)' marks a frame that is processed on the WTP.

The process is as follows:

The WTP generates an IEEE 802.11 beacon frame that includes the Robust Security Network Information Element (RSNIE) advertising support for 802.1X and AES-CCMP.

The WTP processes probe requests and answers each with a probe response. The WTP may choose whether to forward the request to the AC.

The WTP forwards IEEE 802.11 authentication and association frames to the AC.

Once the association succeeds, the AC sends a Station Configuration Request to the WTP.

If the WTP provides the encryption and decryption service, the AC sends another Station Configuration Request once the client completes the IEEE 802.11 key exchange.

The WTP forwards all received IEEE 802.11 management frames to the AC.

All IEEE 802.11 station data frames are tunneled between the WTP and the AC.

Note: When 802.11 encryption and decryption are performed on the WTP, the WTP must parse the data frames it sends to the AC and ensure that their format matches the unprotected 802.11 frame format. For data frames the AC sends to the WTP, the AC must set the Protected Frame field to 0 so that the WTP can handle the frame correctly. When 802.11 encryption and decryption are performed on the AC, the WTP should not parse the data frames it sends to the AC.

3.2.2 Local MAC


In IEEE 802.11, the division of functions between the AC and the WTP in Local MAC mode is as follows:

In Local MAC mode, integration services are performed on the WTP, and distribution services can be performed on either the WTP or the AC. When frames are handled on the AC, station frames that are not forwarded to the AC in their original format are encapsulated in 802.3 frame format.

The IEEE 802.1X [IEEE.802-1X.2004], EAP, and IEEE RSNA key management [IEEE.802-11.2007] functions all reside on the AC. Therefore, the WTP must forward all IEEE 802.1X, EAP, and RSNA key management messages to the AC, and forward the AC's responses to the station.

The following example uses AES-CCMP for encryption:

The WTP generates the IEEE 802.11 beacon frames.

The WTP handles probe requests and answers each with a probe response.

The WTP forwards IEEE 802.11 authentication and association frames to the AC.

Once the association succeeds, the AC sends a Station Configuration Request to the WTP.

The WTP forwards all IEEE 802.1X and IEEE 802.11 key exchange messages to the AC.

The WTP forwards all IEEE 802.11 management action frames to the AC.

The WTP can tunnel client data frames to the AC in either 802.3 or 802.11 frame format.

3.3 STA Roaming

Once a client has successfully associated with the network in a secure fashion, it is likely to attempt to roam to another WTP. Figure 6 shows the example of a currently associated station moving from its 'old WTP' to a 'new WTP'. The figure is valid for multiple different security policies, including IEEE 802.1X and Wireless Protected Access (WPA) or Wireless Protected Access 2 (WPA2) [WPA].

When an STA that has successfully associated with one WTP moves to a new WTP, this behaviour is called "roaming".

3.4 Group Key Refresh

The BSS group temporal key (GTK) must be refreshed periodically. In Split MAC mode, the AC must duplicate every broadcast frame, update the key index, and transmit the frame under both the current and the new GTK, so that every station in the BSS can receive the broadcast. In Local MAC mode, the WTP performs this process.


The AC uses the IEEE 802.11 Configuration Request as the signal that the GTK is to be updated, and then starts updating the GTK for each station. During this process, the AC (Split MAC) or the WTP (Local MAC) must duplicate each broadcast frame and encrypt it with both the new and the current GTK. When the AC has finished the GTK update, it sends an IEEE 802.11 Configuration Request carrying the new GTK.

3.5 CAPWAP Data Channel QoS Behavior

The CAPWAP IEEE 802.11 binding specifies how the WTP provides QoS for IEEE 802.11 data packets.

3.5.1 IEEE 802.11 Data Frames

When a WLAN is created on the WTP, a default QoS policy is applied, and the WTP uses the default QoS values for each associated station.

The AC can modify this QoS policy by sending an Update Station QoS message.

In addition to the default policy, the IEEE 802.11 protocol allows each station to request its own QoS policy, specifically through the TSPEC information element.

The WTP implements QoS marking with the Differentiated Services Code Point (DSCP) or with 802.1p. The two mechanisms are not mutually exclusive: the AC can require the WTP to use neither, either one, or both.

The Tagging Policy field of the IEEE 802.11 WTP Quality of Service message element indicates which QoS marking is selected, as follows:

     0 1 2 3 4 5 6 7
    +-+-+-+-+-+-+-+-+
    |Rsvd |P|Q|D|O|I|
    +-+-+-+-+-+-+-+-+

P set means the WTP marks packets using the 802.1p mechanism, and D set means the WTP marks packets using the DSCP mechanism. For the remaining three bits, refer to RFC 5416 sections 2.6.1.1 and 2.6.1.2.

DSCP

DSCP (Differentiated Services Code Point): the IETF published the Diff-Serv (Differentiated Services) QoS classification standard in December 1998. It uses 6 bits (leaving 2 bits unused) of the Type of Service (ToS) byte in each packet's IP header to encode a priority value.

DSCP combines the IP Precedence and Type of Service fields. DSCP values are compatible with the IP Precedence field, so legacy routers that understand only IP Precedence can still be used.

Each DSCP code point maps to a defined per-hop behavior (PHB).

By marking traffic with DSCP values, devices such as IP phones, Windows clients, and servers can also classify traffic.

IEEE 802.1P

IEEE 802.1p: a LAN Layer 2 QoS/CoS protocol for traffic prioritization.

The IEEE 802.1p specification enables Layer 2 switches to provide traffic prioritization and dynamic multicast filtering. Prioritization works at the Media Access Control (MAC) frame layer (Layer 2 of the OSI reference model). 802.1p also provides multicast traffic filtering so that multicast traffic does not spread beyond the Layer 2 switched network.

The 802.1p header includes a 3-bit priority field that allows packets to be grouped into traffic classes. The IEEE strongly recommends that network administrators implement these traffic classes, but does not mandate them. Traffic classes can also be implemented as Layer 2 Quality of Service (QoS) or Class of Service (CoS) on network adapters and switches without any reservation: 802.1p simply classifies traffic and forwards it to its destination, with no bandwidth reservation mechanism.

802.1p is an extension of the IEEE 802.1Q (VLAN tagging) standard, and the two work together. IEEE 802.1Q defines the tag added to Ethernet MAC frames; the VLAN tag has two parts, a 12-bit VLAN ID and a 3-bit priority. 802.1Q itself does not define the use of the priority field; that is defined in 802.1p.

802.1p defines 8 priority levels. Although the network administrator decides the actual mapping, the IEEE gives a number of recommendations. The highest priority, 7, is for critical network traffic such as routing table updates of the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF). Priorities 6 and 5 are mainly for delay-sensitive applications such as interactive video and voice. Priorities 4 to 1 are mainly for controlled-load applications, streaming multimedia, business-critical traffic (for example, SAP data), and "loss eligible" traffic. Priority 0 is the default and is applied automatically when no other priority is set.
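The snippet below, an added example that is not code from the page or from RFC 5416, decodes the Tagging Policy octet from the message element shown above and applies the selected markings to the 3-bit 802.1p priority in an 802.1Q tag and to the 6-bit DSCP in the IP ToS byte, leaving the VLAN ID, DEI and ECN bits untouched. The Q, O and I bits are carried but not interpreted, since this page does not define them; `apply_marking` and its range checks are this example's own.

```python
from dataclasses import dataclass

# Bit 0 in the Tagging Policy diagram is the most significant bit, so
# P is 0x10 and I is 0x01; bits 0-2 are reserved and must be zero.
RSVD_MASK = 0xE0
FLAG_P, FLAG_Q, FLAG_D, FLAG_O, FLAG_I = 0x10, 0x08, 0x04, 0x02, 0x01


@dataclass(frozen=True)
class TaggingPolicy:
    use_8021p: bool  # P: mark frames with an IEEE 802.1p priority
    use_dscp: bool   # D: mark packets with a DSCP value
    q: bool          # Q, O, I: carried as-is; their meaning is in RFC 5416
    o: bool
    i: bool


def parse_tagging_policy(octet: int) -> TaggingPolicy:
    """Decode the policy octet; reject out-of-range values and reserved bits."""
    if not 0 <= octet <= 0xFF or octet & RSVD_MASK:
        raise ValueError(f"invalid tagging policy 0x{octet:02x}")
    return TaggingPolicy(bool(octet & FLAG_P), bool(octet & FLAG_D),
                         bool(octet & FLAG_Q), bool(octet & FLAG_O),
                         bool(octet & FLAG_I))


def build_tagging_policy(p: TaggingPolicy) -> int:
    """Inverse of parse_tagging_policy (reserved bits stay zero)."""
    return ((FLAG_P if p.use_8021p else 0) | (FLAG_Q if p.q else 0)
            | (FLAG_D if p.use_dscp else 0) | (FLAG_O if p.o else 0)
            | (FLAG_I if p.i else 0))


def apply_marking(policy: TaggingPolicy, priority: int, dscp: int,
                  tci: int, tos: int) -> tuple:
    """Return (tci, tos) with only the markings the policy enables applied.

    tci: 16-bit 802.1Q Tag Control Information (3-bit PCP, DEI, 12-bit VID).
    tos: IP ToS byte (6-bit DSCP in the high bits, 2-bit ECN in the low bits).
    """
    if not 0 <= priority <= 7:
        raise ValueError("802.1p priority is a 3-bit value (0-7)")
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    if policy.use_8021p:
        tci = (tci & 0x1FFF) | (priority << 13)  # keep DEI and VID
    if policy.use_dscp:
        tos = (tos & 0x03) | (dscp << 2)         # keep ECN bits
    return tci, tos
```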

3.6 Run State operation

The Run state is the normal operating state of the AC and the WTP.

When the WTP receives a WLAN Configuration Request message, it must reply with a WLAN Configuration Response message and remain in the Run state.

When the AC sends a WLAN Configuration Request message or receives the reply from the WTP, it must likewise remain in the Run state.

PS: see section 3.7 for the purpose and format of the WLAN Configuration Request and WLAN Configuration Response messages.

3.7 IEEE 802.11 specific CAPWAP Control Messages

This section describes the CAPWAP control messages that apply only to the IEEE 802.11 binding.

IEEE 802.11 WLAN Configuration Request

Sent by the AC to the WTP to change the services the WTP provides. This message can be used to create, update, or delete a WLAN on the WTP.

The message may be triggered by manual administrative configuration (for example, deleting a WLAN) or by the automatic creation of a WLAN on the WTP. In the latter case, the message is sent after the AC receives the CAPWAP Configuration Update Response (see RFC 5415 section 8.5).

After receiving this control message, the WTP makes the required changes and then sends an IEEE 802.11 WLAN Configuration Response.

A WTP may provide multiple WLANs, so each WLAN is identified by a numeric index. For example, a WTP that supports 16 SSIDs can accept 16 IEEE 802.11 WLAN Configuration Requests, each creating one WLAN.

The index is the basic identifier of the WLAN. The AC may try to define the same WLAN with the same index number on every WTP it manages; if the AC does not support this approach, it must use another method to maintain a WLAN-identifier-to-SSID mapping table.

IEEE 802.11 WLAN Configuration Response

Sent by the WTP to the AC in response to the IEEE 802.11 WLAN Configuration Request, indicating whether the requested configuration succeeded or an error occurred.
