Access Point internal protocol and its implementation on the Access Point (1)
The IEEE 802.11 Protocol defines the specification and basic structure of the MAC layer and physical layer of the wireless LAN, but does not specify the construction of the wireless LAN. This leaves a lot of free space for the function design of the AP and its distributed system, but it also brings problems to the movement of the STA on the wireless site, this prevents Stas from freely moving between APS produced by different vendors. To solve this problem, the IEEE Working Group has developed the 802.11f Protocol and elaborated on the Inter-Access Point Protocol (IAPP) of the Access Point. The IAPP Protocol aims to provide users with the mobile function between APs, to meet the increasing mobility needs of users. The IAPP protocol only solves the link layer communication problem caused by user mobility. To ensure smooth communication between the IP layer of a mobile user, you must use the mobile IP address or DHCP technology. Combining the IAPP protocol features with these technologies can provide users with a complete mobility solution.
Introduction to IEEE 802.11f Protocol
In a wireless LAN, the Mobile Behavior of the site STA may cause the following problems:
1) The old AP (the AP connected to the STA last time) will think that it is still connected to the STA. when it receives the STA packet, it will still send the packet in the local BSS. This will lead to a waste of wireless resources and the occupation of AP resources. Therefore, the new AP (the AP that receives the reconnect request message from the STA) needs to notify the old AP about the STA switch and release the unilateral connection with the STA.
2) When the STA performs MAC layer authentication or other authentication (such as 802.1x Authentication) on the old AP, the corresponding user information will be left on the old AP. When the STA switches to the new AP, if a time-consuming authentication process is required, the switching efficiency is not high. Therefore, when an AP switches to the STA, the new AP needs to obtain the user information of the STA from the old AP, and then re-build the working environment of the STA to correctly manage the STA.
3) because the STA only provides the MAC address (that is, the old BSSID) of the old AP during the switchover, the new AP also needs to know the IP address and other information of the old AP to communicate with the old AP, therefore, the new AP is required to be able to query its IP address based on the BSSID of the old AP.
4) layer-2 forwarding devices such as bridges and switches may exist in the wired network connected to the AP. When the STA moves from the subnet segment connected by one port of the bridge to the subnet segment of another port, if the forwarding table of the bridge cannot be updated, the messages sent by other network nodes to the STA cannot be correctly delivered to the current location of the STA, resulting in the loss of the STA packets. Therefore, the new AP must notify these L2 devices to update the forwarding table when processing the request for reconnecting to the STA. To solve the above problem, we need to use the IAPP internal protocol of the Access Point recommended in the IEEE 802.11f protocol. The IAPP protocol is a protocol developed by the IEEE 802.11 Working Group for AP intercommunication. its main function is to facilitate the creation and maintenance of the auto scaling service set and support the movement of 802.11 mobile sites between APs, ensure that each mobile site has only one connection relationship with the AP at a specified time. Shows the AP protocol structure with IAPP:
AP protocol structure containing IAPP
In, the shadow part indicates that there is no connection between modules. APME (AP management entity) is the management entity in the AP. It manages and coordinates various protocol function modules in the AP and the 802.11 Site management entity (SME) connected to the AP ), iapp sap calls the IAPP service through the service access point. IAPP is the main protocol module supporting STA movement on the AP, and it also supports a RADIUS client. When an AP is initialized to an ESS or the AP's 802.11 MAC layer instructs APME that a STA is switched to the AP, APME uses the IAPP service primitive, call the IAPP protocol module to send a RADIUS message to interact with the RADIUS server, or broadcast an IAPP message based on TCP/IP or UDP/IP to communicate with other APs in the DS domain to complete the IAPP operation. The RADIUS protocol is necessary for the IAPP module to perform secure and correct operations. Especially when the BSSID of another AP is given, the IAPP should be able to query the RADIUS server, find the IP addresses of other APs in the ESS, and obtain relevant security information to protect the content of the specific IAPP data packets. In addition to the 802.11 AP protocol, devices in the Network may use the IAPP protocol. l2 network devices, such as bridges and switches, are also affected by the IAPP protocol.
IAPP protocol operation process
The IAPP protocol can be used on the AP to support the movement of the STA in the subnet. The IAPP protocol operation process is analyzed in the following two cases: the STA initiates a connection to the AP and the reconnection request.
1) IAPP operation process when STA initiates a connection request
IAPP operation process when STA initiates a connection request
When the local AP's APME receives the STA in the BSS and initiates a 802.11 MAC layer connection request to the AP, if you agree to the connection, and return the ASSOCIATE in the STA. after indication, initiate ADD to local IAPP. request. The local IAPP receives the ADD. after the request, start the validation timer and broadcast the XID frame with the source MAC address as the sta mac address and the iapp add-policy packet containing the sta mac address and connection serial number to the local subnet. When the IAPP of the Peer AP receives the ADD-policy packet, it extracts the MAC address and connection serial number of the STA and encapsulates It In The iapp add. the APME In the indication primitive is sent to itself. After receiving the message, the APME checks its connection list. If the connection relationship with the STA is retained, and the connection sequence number is equal to ADD. if the sequence number contained in the indication primitive is old, it will be released, but if the connection sequence number is greater than ADD. if the indication primitive contains a new serial number, the peer AP repeats the preceding process, broadcast the XID frame of the source MAC address as the sta mac address and the iapp add-notify packet containing the sta mac address to the local subnet again, and notify the original AP to interrupt the connection with the STA. An XID frame is a link layer identifier exchange update response frame. When a L2 device on the subnet, such as a bridge or a switch, receives this frame, update the forwarding table based on the source MAC address of the frame. If, before the timer times out, the IAPP receives a response from the L2 device on the subnet and other APs, the ADD. confirm primitive is called to notify the local APME and STA that the connection is successful. Otherwise, the connection is lost. APME will interrupt the connection to the STA.
2) IAPP operation process when Stas sends a request for a lifting connection
IAPP operation process when Stas sends a request for a lifting connection
When the AP's 802.11 MAC layer receives a reconnection request from the STA, it will call the MLME primitive REASSOCIATE. indication to notify the local APME. The local APME extracts the BSSID of the old AP, the MAC address of the STA, and the connection serial number in the request message, which is encapsulated in the IAPP primitive MOVE. request and initiates a connection notification request to the IAPP. IAPP receives MOVE. after a request is sent, the radius access-REQUEST message is sent to interact with the RADIUS server, or locally, the corresponding relationship between the ap mac address and IP address in the ESS in the AP is queried, resolve the BSSID of the old AP to an IP address. After receiving the IP address of the old AP, the new AP sends the iapp move-MOVE y packet to the old AP connected to the STA in TCP session mode. The packet contains the MAC address of the STA. After the old AP responds, it sends the saved context information about the STA to the new AP using the MOVE-response Message and releases the connection between the AP and the STA. After receiving the response packet from the old AP, the new AP reconstructs the user environment of the STA, and then broadcasts the XID frame with the MAC address of the STA in the local subnet, after an XID frame is received by a layer-2 device on the subnet, the corresponding records in the forwarding table are updated based on the source MAC address of the frame. After the IAPP broadcasts a notification message to the network, it calls the MOVE. confirm primitive to notify APME. If you want to encrypt the iapp move-Response packet, the RADIUS server will reply to the new AP, including the IP address of the old AP and the security domain. These security domains not only contain the shared key for the new and old AP communication, but also use the AP password in the RADIUS registry for encryption. After receiving a reply from the RADIUS server, the new AP sends the Security domain to the old AP as a Send-Security-Block message, which is the first information exchanged between the AP and the iapp tcp. The old AP returns an ACK-Security-Block packet, so that the new and old AP have a shared key, which can encrypt all packets in the AP session.