Computer Network laboratory

Inter Access Point Protocol (IAPP) 802.11f

CN@Lab Outline
Introduction IAPP Protocol Overview RADIUS Protocol Usage AP to AP Interactions
Station Move Process Station Add Process Station Cache Process

2004/8/10

CN@Lab Introduction (1/2)

IAPP( Inter Access-Point Protocol ) is designed for the enforcement of unique association throughout a ESS ( Extended Service Set ) and for secure exchange of station's security context between current access point(AP) and new AP during handoff period. Based on security level, communication session keys between APs are distributed by a RADIUS server.
3
2004/8/10

CN@Lab Introduction (2/2)

Proactive caching is suggested to avoid long handoff delay caused by IAPP communication between two APs as well as AP and RADIUS server. With proactive caching, current access point distributes the security context of the mobile station to neighboring access points BEFORE the station actually handoffs.

2004/8/10

CN@Lab AP Architecture with IAPP

2004/8/10

CN@Lab

Inter-AP Recommended Practice Overview (1/2)

The IAPP is implemented on top of IP and is an extension to existing management protocols. The IAPP entity must be able to find and use a RADIUS server to look up the IP addresses of other APs in the ESS when given the BSSIDs of those other APs (if a local capability to perform such a translation is not present), and to obtain security information to protect the content of certain IAPP packets. (By RADIUS Client)

2004/8/10

CN@Lab

Inter-AP Recommended Practice Overview (2/2)

IAPP relies on a STA making use of Reassociation Request frame when roaming from one AP to another, in order to provide the most complete services to the APs. When a STA uses the 802.11 Association Request, rather than the Reassociation Request, the IAPP may not be able to notify the AP at which the STA was previously associated of the new association.
7
2004/8/10

CN@Lab Inter-AP Security Risks (1/2)

The attacker can use IAPP or forged 802.11 MAC management frames as a Denial-ofService (DoS) attack against a STA state in its AP.
It can capture MOVE packets to gather information on the STA that is roaming. It can act as a rogue AP in the ESS.

The attack can best be eliminated by providing packet authentication to all MOVE and ADDs.
By ESP (IP Sec)

2004/8/10

CN@Lab Inter-AP Security Risks (2/2)

The use of ESP with RADIUS for the Key Management provides for discovery of Rogue APs. The use of ESP for IAPP MOVEs prevents a STA from roaming from a Rogue AP to a valid AP in the ESS. It also blocks the move of the STA context information to a Rogue AP if the STA roams to it.
9
2004/8/10

CN@Lab IAPP Protocol Overview (1/5)

IAPP-ADD
When the IAPP receives an IAPP-ADD.request it should send an IAPP ADD-notify packet and a Layer 2 Update Frame. IAPP ADD-notify packet ESS (multicast address) IAPP ADD-notify packet contains the MAC address of the STA and the Sequence Number from the Association request sent by the STA. On receiving this message, receive update
Association table Forwarding table

10

2004/8/10

CN@Lab IAPP Protocol Overview (2/5)

STA 1 STA x

11

2004/8/10

CN@Lab IAPP Protocol Overview (3/5)

IAPP-MOVE (Reassociation)
New AP IAPP MOVE-Notify packet Old AP IAPP MOVE-Response packet carries the Context block back to New AP The IAPP MOVE-Notify and MOVE-Response are IP packets carried in a TCP session between APs. If it is desired to encrypt the IAPP MOVE-response packet, then old AP asks RADIUS for Security Blocks.

12

2004/8/10

CN@Lab IAPP Protocol Overview (4/5)

13

2004/8/10

CN@Lab IAPP Protocol Overview (5/5)

IAPP-CACHE-NOTIFY
The IAPP entity may send IAPP-CACHE-NOTIFY packet with the given context to each of its neighboring APs. Sender (AP) IAPP-CACHE-NOTIFY packet. Start a response timer. Receivers (APs) IAPP-CACHE-RESPONSE packet Timeout neighbor AP list.

14

2004/8/10

Formation and Maintenance of the ESS (1/2)

Three levels of support for ESS formation are possible with the IAPP capabilities described here:
1) No administrative or security support; (Small ESS) 2) Support for dynamic mapping of BSSID to IP addresses; (RADIUS) 3) Support for encryption and authentication of IAPP messages. (RADIUS)

CN@Lab

15

2004/8/10

Formation and Maintenance of the ESS (2/2)

Each RADIUS server must also be configured with the following information for each BSSID:
a) BSSID, b) RADIUS BSSID Secret at least 160 bits in length c) IP address or DNS name d) Cipher suites supported by the AP for the protection of IAPP communications.

CN@Lab

16

2004/8/10

CN@Lab RADIUS Protocol Usage (1/2)

RADIUS Registration Access-Request
Register the APs membership in the ESS Establish a secure channel for broadcast communications to all APs in the ESS

RADIUS Registration Access-Accept.

If the RADIUS Server permits the AP entrance into the ESS, it returns a Registration Access-Accept packet. Receipt of a valid RADIUS Registration Access-Accept packet both confirms that the AP is a valid member of the ESS, and also provides the AP with the appropriate security information for establishing a secure group communications channel for IAPP.

RADIUS Registration Access-Reject

17
2004/8/10

CN@Lab RADIUS Protocol Usage (2/2)

RADIUS Access-Request
Upon receipt of an IAPP-MOVE.request, the receiving AP
a) must establish that the Old BSSID is a valid member of the New BSSIDs ESS, and b) may establish a secure channel for communications with the Old BSSID

RADIUS Access-Accept
The RADIUS Server verify that the Old BSSID is a valid member of the ESS of which the New BSSID is a member.

RADIUS Access-Reject

18

2004/8/10

CN@Lab AP to AP Interactions
Station Move Process Station Add Process Station Cache Process

19

2004/8/10

CN@Lab Proactive Caching

Neighbor Graphs and Dynamic Learning Proactive Cache Algorithm Consistency of the Cache

20

2004/8/10

CN@Lab Packet Formats (1/2)

An IAPP packet is carried in the TCP or UDP protocols over IP. The port number assigned to IAPP is 35173.

Version : 0 Identifier Field: The two-octet Identifier field aids in matching requests and responses. Length Field Data Field
21
2004/8/10

CN@Lab Packet Formats (2/2)

22

2004/8/10

CN@Lab ADD-notify Packet

The ADD-notify packet is sent using the IAPP over UDP and IP.

The IAPP Multicast address is 224.0.1.178.

23

2004/8/10

CN@Lab MOVE-notify Packet

The Context Block is a container for information defined in other 802.11 standards that needs to be forwarded from one AP to another upon reassociation of a STA. The Context Block is a series of information elements.

24

2004/8/10

CN@Lab Information Element Definitions

25

2004/8/10

CN@Lab MOVE-response Packet

The MOVE-response packet is sent using the IAPP, over TCP and IP.

26

2004/8/10

CN@Lab CACHE-notify Packet

The Context Timeout is the number of seconds for which the neighboring AP should maintain the STA Context before removing it from the cache.

27

2004/8/10

CN@Lab CACHE-response Packet

Format

Status

28

2004/8/10

CN@Lab Send-Security-Block packet

The Send-Security-Block packet is sent using the IAPP, over TCP and IP.

ACK-Security-Block packet

29

2004/8/10