doc.: IEEE /xxxr0 Mike Moreton


doc.: IEEE 802.11-02/xxxr0, November 2003
802/802.1X/802.11 Architecture
Mike Moreton, Synad Technologies

802.1Q Architectural Model

802.1Q – Position of LLC

SAPs in 802 (not generally named in the standards)
ISS = Internal Sublayer Service

802.1X Controlled and Uncontrolled Ports
There are two instances of LLC/SNAP per MAC entity, one for the controlled port and one for the uncontrolled port.
The MAC SAP always forwards a copy of each received frame to the uncontrolled LLC/SNAP entity. If the controlled port is authorised, a copy is also sent to the controlled LLC/SNAP entity, and a further copy to the ISS SAP.
When the controlled port is unauthorised, the MAC SAP will not pass frames for transmission received from the controlled LLC/SNAP entity, and the ISS SAP will not pass any frames for transmission.
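The receive and transmit rules on this slide, as an added example that is not part of the original submission; the class and source names (MacEntity, "uncontrolled", "controlled", "iss") are assumptions for illustration, and the MAC addresses are constructed.

```python
# Added example, not from the slides: a model of the MAC SAP rules above.
# Names (MacEntity, Frame, the source labels) are assumptions for illustration.
from dataclasses import dataclass, field

EAPOL_ETHERTYPE = 0x888E                 # EAPOL (802.1X) frames
PAE_GROUP_ADDRESS = "01:80:c2:00:00:03"  # 802.1X PAE group address

@dataclass
class Frame:
    dst: str
    src: str
    ethertype: int

@dataclass
class MacEntity:
    """One MAC entity with its controlled and uncontrolled LLC/SNAP instances."""
    authorized: bool = False
    uncontrolled_rx: list = field(default_factory=list)
    controlled_rx: list = field(default_factory=list)
    iss_rx: list = field(default_factory=list)
    tx_queue: list = field(default_factory=list)

    def receive(self, frame: Frame) -> list:
        """Receive path: uncontrolled always gets a copy; controlled and ISS only while authorised."""
        self.uncontrolled_rx.append(frame)
        delivered = ["uncontrolled"]
        if self.authorized:
            self.controlled_rx.append(frame)
            self.iss_rx.append(frame)
            delivered += ["controlled", "iss"]
        return delivered

    def transmit(self, frame: Frame, source: str) -> bool:
        """'uncontrolled' may always send; 'controlled' and 'iss' only once authorised."""
        if source != "uncontrolled" and not self.authorized:
            return False
        self.tx_queue.append(frame)
        return True

def eapol_then_data(mac: MacEntity) -> tuple:
    """Data is blocked, EAPOL passes, then data passes once the port is authorised."""
    data = Frame("02:00:00:00:00:02", "02:00:00:00:00:01", 0x0800)
    eapol = Frame(PAE_GROUP_ADDRESS, "02:00:00:00:00:01", EAPOL_ETHERTYPE)
    data_before = mac.transmit(data, "controlled")
    eapol_ok = mac.transmit(eapol, "uncontrolled")
    mac.authorized = True   # e.g. after a successful EAP exchange
    data_after = mac.transmit(data, "controlled")
    return data_before, eapol_ok, data_after
```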

802.1X Architecture

Alternative 802.1X Port Architecture
The SNAP SAPs are split into controlled and uncontrolled.
When the controlled port is authorised, traffic may pass via all SNAP SAPs and via the ISS SAP.
When the controlled port is not authorised, traffic may only pass via the uncontrolled SNAP SAPs.

Alternative 802.1X Controlled/Uncontrolled

802.11 in the 802.1 Architecture
802.11 is a shared access LAN, and so not suitable for Port-Based Access Control.
802.1X suggests 802.11 associations can be used as “pseudo-ports”. But this requires isolation between STAs, which isn’t practical in 802.11.
TGi provides STA isolation by using a unique pairwise key for each one. But there is no isolation for group addresses: only one copy is sent out, encrypted with a separate group key.
TGi cannot be modelled in the 802.1 architecture purely as a set of pseudo-ports, one per association.

802.11 in 802.1 – a Possible Solution
Each 802.11i association is modelled as a pseudo-port. However, the MAC entity for these ports is required to discard group addressed frames for transmission. Received group addressed frames are processed as normal.
There is an additional permanent port used for transmitting group addressed frames. The MAC entity for this port will only pass group addressed frames for transmission; all other frames (including received frames) are discarded. It is not controlled by 802.1X – it is always authorised. 802.11i will encrypt these frames, and may not send them if no STAs are associated.

802.11 in 802.1 – The Diagram
(Diagram: MAC Relay Entity, EAPOL, Group Addressed Pseudo-Port, STA 1 to STA 5 Pseudo-Ports.)

802.11 in 802.1 – Group Addressed Frame Flow
The originating STA forwards the frame to the AP as a directed unicast frame. This is the way 802.11 has always done it.
It is received on the AP pseudo-port for that association. Assuming the associated controlled port is authorised, the frame is forwarded (with the recovered group address) to the Relay Agent.
The Relay Agent distributes the frame to all ports other than the one it was received from.
Each association pseudo-port that receives the frame will discard it before transmission, as it does not have a unicast destination address. The multicast pseudo-port will transmit the frame.
All STAs will receive a single copy of the frame. The originating STA will discard the frame based on the source address. Again, this is the way 802.11 has always done it.
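The pseudo-port model of the two preceding slides and the group-addressed frame flow above, as an added simulation that is not part of the original submission; PseudoPort, relay, the port names and the MAC addresses are constructed for illustration, and the group address is assumed to have already been recovered from the 802.11 header by the time the frame reaches the relay.

```python
# Added example, not from the slides: a model of the pseudo-port relay
# described above. Port names and MAC addresses are constructed for illustration.
from dataclasses import dataclass

def is_group(addr: str) -> bool:
    """802 group address: the I/G bit is the low bit of the first octet."""
    return int(addr.split(":")[0], 16) & 1 == 1

@dataclass
class Frame:
    dst: str   # recovered group address, or the unicast destination
    src: str

@dataclass
class PseudoPort:
    name: str
    group_port: bool = False   # the permanent group-addressed port
    authorized: bool = True    # 802.1X state; always True for the group port

    def may_transmit(self, f: Frame) -> bool:
        if self.group_port:
            return is_group(f.dst)                      # group addressed only
        return self.authorized and not is_group(f.dst)  # unicast only

    def may_receive(self, f: Frame) -> bool:
        # The group port discards received frames; an unauthorised port blocks.
        return not self.group_port and self.authorized

def relay(ports: list, ingress: str, f: Frame) -> list:
    """Relay Agent: forward to every port except the ingress one; each
    egress port then applies its own MAC entity's transmit rule."""
    src_port = next(p for p in ports if p.name == ingress)
    if not src_port.may_receive(f):
        return []
    return [p.name for p in ports if p.name != ingress and p.may_transmit(f)]

def sta_accepts(own_mac: str, f: Frame) -> bool:
    """A STA receiving the group copy drops its own frame by source address."""
    return f.src != own_mac

def build_ap(n_sta: int, unauthorized=()) -> list:
    """One group port plus one association pseudo-port per STA."""
    ports = [PseudoPort("group", group_port=True)]
    for i in range(1, n_sta + 1):
        ports.append(PseudoPort(f"sta{i}", authorized=(i not in unauthorized)))
    return ports
```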

802.11 Attached Bridges
Standard 802.11 APs do not forward frames for unknown addresses, so an 802.1D bridge can’t be attached via 802.11.
The standard defines a 4-address format that could be used to carry unknown frames, but doesn’t describe how to use it.
Many suppliers use proprietary indications in the association message to indicate an attached bridge, so that unknown frames can be forwarded to it.

802.11 Bridging – Some Questions
How do you secure who can be a bridge? Can it be anyone?
Should an Ethernet 802.1X switch also discard unknown frames? If so, maybe “bridge indication” should be in 802.1X.
What happens when multiple bridges are associated? Perhaps use a group address?