Topic #1 DTLS Related Issues Pat R. Calhoun. Issue 226: Transition to Join State Current CAPWAP state machine requires knowledge of DTLS state machine.

Slides:



Advertisements
Similar presentations
Virtual Trunk Protocol
Advertisements

Lectures on File Management
FIPA Interaction Protocol. Request Interaction Protocol Summary –Request Interaction Protocol allows one agent to request another to perform some action.
Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.
20.1 Chapter 20 Network Layer: Internet Protocol Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
Dynamic Host Configuration Protocol (DHCP)
MOBILITY SUPPORT IN IPv6
Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn
IPv6 Mobility David Bush. Correspondent Node Operation DEF: Correspondent node is any node that is trying to communicate with a mobile node. This node.
Hands-On Microsoft Windows Server 2003 Networking Chapter 7 Windows Internet Naming Service.
1 27-Jun-15 S Ward Abingdon and Witney College VLAN Trunking protocol CCNA Exploration Semester 3 Chapter 4.
Internet Command Message Protocol (ICMP) CS-431 Dick Steflik.
CS 6401 IPv6 Outline Background Structure Deployment.
CMPT 471 Networking II Address Resolution IPv6 Neighbor Discovery 1© Janice Regan, 2012.
VLAN Trunking Protocol (VTP) W.lilakiatsakun. VLAN Management Challenge (1) It is not difficult to add new VLAN for a small network.
Applicability Statement v1.1 Feedback: DirectTrust May 5, 2015.
CAPWAP Editor’s Report Pat R. Calhoun Cisco Systems, Inc.
Cisco IOS & Router Config Semester 2V2 Chapter 6.
Light Weight Access Point Protocol (LWAPP) IETF 57 Pat Calhoun, Airespace.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Implementing VLAN Security Routing And Switching.
1 Version 3.1 modified by Brierley Module 8 TCP/IP Suite Error and Control Messages.
Guide to TCP/IP, Third Edition Chapter 8: The Dynamic Host Configuration Protocol.
VLAN Trunking Protocol
VLAN Trunking Protocol (VTP)
1. Insert the Resource CD into your CD-ROM drive, click Start and choose Run. In the field that appears, enter F:\XXX\Setup.exe (if “F” is the letter of.
UNIT IP Datagram Fragmentation Figure 20.7 IP datagram.
Yang Shi, Chris Elliott, Yong Zhang IETF 73 rd 18 Nov 2008, Minneapolis CAPWAP WG MIB Drafts Report.
CCNA 3 Week 9 VLAN Trunking. Copyright © 2005 University of Bolton Origins Dates back to radio and telephone Trunk carries multiple channels over a single.
IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: MIH_Handover primitives and scenarios Date Submitted: April, 30,
© 2002, Cisco Systems, Inc. All rights reserved..
Yang Shi (Richard), Yong Zhang IETF 74 th 26 March 2009, San Francisco CAPWAP WG MIB Drafts Report.
Light Weight Access Point Protocol (LWAPP) Pat R. Calhoun draft-ohara-capwap-lwapp-01.txt.
Guide to TCP/IP, Third Edition Chapter 8: The Dynamic Host Configuration Protocol.
March 2007 CAPWAP Protocol Specification Editors' Report March 2007
BAI513 - PROTOCOLS ARP BAIST – Network Management.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 9 Virtual Trunking Protocol.
STORE AND FORWARD & CUT THROUGH FORWARD Switches can use different forwarding techniques— two of these are store-and-forward switching and cut-through.
1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Dynamic Host Configuration Protocol (DHCP)
March 2006 CAPWAP Protocol Specification Update March 2006
Packet Format Issues #227: Need Shim Header to indicate Crypto Property of packet Do we need to add pre-amble header to indicate if data is encrypted or.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
Issues Discussions CAPWAP Interim Jan 24-25, 2007 Mahalingam Mani.
July 2007 CAPWAP Protocol Specification Editors' Report July 2007
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
RFC 4068bis draft-ietf-mipshop-fmipv6-rfc4068bis-01.txt Rajeev Koodli.
1 15-Mar-16 VLAN Trunking protocol CCNA Exploration Semester 3 Chapter 4.
Issue EAPoL-Key message generation at WTP or AC Issue 199, summarized as:...the WTP maintains the KeyRSC while the AC requires this information to.
Chapter 5. An IP address is simply a series of binary bits (ones and zeros). How many binary bits are used? 32.
VTP VLAN Trunking Protocol Create once and send to the other switches. VTP is a messaging protocol that uses Layer 2 trunk frames to manage the addition,
LAN Switching Virtual LANs. Virtual LAN Concepts A LAN includes all devices in the same broadcast domain. A broadcast domain includes the set of all LAN-connected.
Improving Security Over Ipv6 Authentication Header Protocol using IP Traceback and TTL Devon Thomas, Alex Isaac, Majdi Alharthi, Ali Albatainah & Abdelshakour.
Exploration 3 Chapter 4. What is VTP? VTP allows a network manager to configure a switch so that it will propagate VLAN configurations to other switches.
IP: Addressing, ARP, Routing
Instructor Materials Chapter 9: Transport Layer
© 2002, Cisco Systems, Inc. All rights reserved.
Topic #3 DTLS/CAPWAP Interactions
Instructor Materials Chapter 5: Ethernet
PANA Issues and Resolutions
Topic #1 & #5 “All that has to do with header formats”
Net 431 D: ADVANCED COMPUTER NETWORKS
VLAN Trunking Protocol
Routing and Switching Essentials v6.0
Proposal for IEEE 802.1CQ-LAAP
Proposal for IEEE 802.1CQ-LAAP
Issue Discussion: KeyRSC (43)
Implementing an OpenFlow Switch on the NetFPGA platform
AP Power Down Notification
How to install and manage exchange server 2010 OP Saklani.
Presentation transcript:

Topic #1 DTLS Related Issues Pat R. Calhoun

Issue 226: Transition to Join State Current CAPWAP state machine requires knowledge of DTLS state machine and inspection of DTLS packets

Issue 226: Original CAPWAP State Machine / < \ v |d | b | | Idle |-->| Discovery |--->| Sulking | | a c | ^ |aa ^ |e / \ | | V f| v k| | | h i j | | /--| Join |->| Configure |-->| Image Data | | | | g | | | "c1, ^ ^ ^ m| ^ |l | | | "c4 " " " | / / | /----/ | | " " " " V |s v V | | “ " " " o | | “ " " " | Run |->| Reset | / | “ " " " n p | “ " " " "c2 ^ ^ c3" ^ \---"-----"--"---" "----" / " “ CAPWAP ~~~~"~~~~~"~~"~~~"~~~~~~~~“~~~~"~~~~~~~~~~~~"~~~"~~~~~~~~~~~~ “ " “ " " " " " DTLS v " "n2 \"""""\ " “ v "n6,n7 /--> " W " " " | /-| Idle | " C| Auth |--"~-"----"----->| Shutdown | \P | | " V “ “ " /--->| |<----\ | | |X Z| " ^ U| " " n4 " | | | | | | " | | " " n5," | ^ | | | | v "n1 |Y | n3“ v n8" |R |Q | | | | | S | | | | | Init | \->| Run |<--| Rekey | | | | | | |-->| | | | | | T | | | \ / | \ /

Issue 226: Current State Machine Text Idle to Join (aa): This transition occurs when the WTP presents a DTLSClientHello message containing a valid cookie to the AC. WTP: This transition is a no-op for the WTP. AC: The AC does not maintain state information until the WTP presents a DTLS ClientHello message containing a valid cookie. Upon receipt of a DTLS ClientHello message containing a valid cookie, the AC creates session state and transitions to the Join state.

Issue 226: Pat’s issues The original intent was to use DTLS as a “black box” I believe that the CAPWAP specification should be sufficient to implement (and get interoperability), yet not dictate DTLS state machine

Issue 226: Originally Proposed Solution /=================>=====================================\ " /===============<=================================\ “ " " /=============<=============================\ " “ " " " /===========<=========\ " " “ " " " " n4,n5,n6" n8" n3" v " " " " " " " " | DTLS Idle | | DTLS Setup | | DTLS Run | " " " " " " " " ^ "n1 ^c4 ^ ^ "n2 c3^ n7" ^ " " " " " " " " " " " " " DTLS "~"~"~"~~~"~~~"~~~~~"~~~~~~"~~"~~~~~~~~~"~~~~~~~"~~~~"~~"~~~~~~~~ " " " " " " \======"=="=======\ " /====/ " " CAPWAP ^ v v v " " " " " " " " “ " " " " " " /=======/ " " " " " “ " " " " " " " " " " " " “ " " " " "c1 v "c2 d "c2 " v " " “ " " " \=> " “ " " " | Idle |-->| Disc | | Auth | " “ " " \===> a " “ " " b| ^ |d /==================/ “ " " | | /----/ " / "----\ " " v f| | v s| "c5 | " " | r t | " " | Sulking | | Reset | | " " | " " ^ ^ ^ | " " q | | | | " " | Data Check | / /-----/ | | " " < \ | | | " " p| k| j | v " \======> " c5| Join |---->| Configure |---->| Image Data | \========= g h

Issue 226: Issues with Proposal Commands and notifications are not state transitions, they are events. The state machine is difficult to follow –for instance, the auth state has no input/output transitions

Issue 226: Revised Proposed Solution w x | Run |-->| Reset |-\ |y u ^ ^ ^ | / | | | | Data Check | / / | | < \ | | | t| s| j| | | | Join |---->| Configure |---->| Image Data | | q r | ^ p| | | \ \ | \ \ | | / < \ | | | / < \ | | | | | | n| |o z| v v | | | | | DTLS Setup | | DTLS Connect | | DTLS TD | | | | | g| ^ ^ |h ^ ^ v v | | | | | | | | | | | \ \ | / / | | | | | | | | | | v |e f| v |j |k | \-> | | Idle |-->| Disc | | Authorize | \---> a b| ^ |c | | /----/ v d| | | | Sulking |<-/

Issue 226: New State Machine Events Idle -> DTLS Setup –WTP: The WTP initiates this transition by invoking the DTLSStart command, which starts the DTLS session establishment with the chosen AC. This decision is performed via local configuration of the AC. –AC: The AC initiates this transition by invoking the DTLSListen command, which informs the DTLS stack that it is willing to listen for an incoming session. The AC MAY provide optional qualifiers in the DTLSListen to only accept session requests from specific WTP. Discovery -> DTLS Setup –WTP: The WTP initiates this transition by invoking the DTLSStart command (see Section ), which starts the DTLS session establishment with the chosen AC. The decision of which AC to connect to is the result of the discovery phase, which is described in Section 3.2. –AC: The AC initiates this transition by invoking the DTLSListen command (see Section ), which informs the DTLS stack that it is willing to listen for an incoming session. The AC MAY have maintained state information when it received the Discovery Request in order to provide optional qualifiers in the DTLSListen command to only accept session requests from specific WTP. Note that maintaining state information based on an unsecured discovery request MAY lead to a Denial of Service attack. Therefore the AC SHOULD ensure that the state information is freed after a period, which is implementation specific.

Issue 226: New State Machine Events DTLS Setup -> Idle –WTP: The WTP initiates this state transition when it receives a DTLSEstablishFail notification from DTLS (see Section ). This error notification aborts the secure DTLS session establishment. When this transition occurs, the FailedDTLSSessionCount counter is incremented. –AC: The WTP initiates this state transition when it receives a DTLSEstablishFail notification from DTLS (see Section ). This error notification means a DTLS session was attempted with a WTP, but failed. The notification should include information such as the offending WTP, and the reason for the failure. When this transition occurs, the FailedDTLSSessionCount counter is incremented.

Issue 226: New State Machine Events DTLS Setup -> Authorize –WTP: This state transition occurs when the WTP receives the DTLSPeerAuthorize notification (see Section ). Upon entering this state, the WTP MAY perform an authorization check against the AC's credentials. The method by which this authorization is performed is outside the scope of the CAPWAP specification. –AC: This state transition occurs when the AC receives the DTLSPeerAuthorize notification (see Section ). Upon entering this state, the AC MAY perform an authorization check against the WTP's credentials. The method by which this authorization is performed is outside the scope of the CAPWAP specification. Authorize - > DTLS Connect –WTP: This state transition occurs when the WTP has either opted to forgo the authorization check of the AC's credentials, or the credentials were successfully authorized. This is done by invoking the DTLSAccept DTLS command (see Section ).. –AC: This state transition occurs when the AC has either opted to forgo the authorization check of the WTP's credentials, or the credentials were successfully authorized. This is done by invoking the DTLSAccept DTLS command (see Section ).

Issue 226: New State Machine Events Authorize - > DTLS Teardown –WTP: This state transition occurs when the WTP was unable to authorize the AC, via its credentials. The WTP then aborts the DTLS session, which is done by invoking DTLSAbortSession (see Section ). –AC: This state transition occurs when the AC was unable to authorize the WTP, via its credentials. The AC then aborts the DTLS session, which is done by invoking DTLSAbortSession (see Section ).

Issue 226: New State Machine Events DTLS Connect -> Idle –WTP: This state transition occurs when the WTP receives the DTLSAborted notification (see Section ), indicating that the DTLS session was not successfully established. When this notification is received, the FailedDTLSSessionCount counter is incremented. –AC: This state transition occurs when the AC receives the DTLSAborted notification (see Section ), indicating that the DTLS session was not successfully established. When this notification is received, the FailedDTLSSessionCount counter is incremented. DTLS Connect -> Join –WTP: This state transition occurs when the WTP receives the DTLSEstablished notification (see Section ), indicating that the DTLS session was successfully established. When this notification is received, the FailedDTLSSessionCount counter is set to zero. –AC: This state transition occurs when the AC receives the DTLSEstablished notification (see Section ), indicating that the DTLS session was successfully established. When this notification is received, the FailedDTLSSessionCount counter is set to zero. Join - > DTLS Teardown –WTP: This state transition occurs when the WTP receives a Join Response with a Result Code message element containing an error. This causes the WTP to initiate the DTLSShutdown command (see Section ). –AC: This state transition occurs when the AC transmits a Join Response with a Result Code message element containing an error. This causes the WTP to initiate the DTLSShutdown command (see Section ).

Issue 226: New State Machine Events Run -> DTLS Teardown –WTP: The WTP enters this state when it receives a one of the following DTLS notifications: DTLSAborted, DTLSReassemblyFailure, or DTLSPeerDisconnect (see Section ). The WTP MAY decide to tear down the DTLS session if it receives frequent DTLSDecapFailure notifications. –AC: The AC enters this state when it receives a one of the following DTLS notifications: DTLSAborted, DTLSReassemblyFailure, DTLSDecapFailure or DTLSPeerDisconnect (see Section ). The AC MAY decide to tear down the DTLS session if it receives frequent DTLSDecapFailure notifications. Reset -> DTLS Teardown –WTP: This state transition occurs when the WTP receives a Reset Request. This causes the WTP to initiate the DTLSShutdown command (see Section ). –AC: This state transition occurs when the AC receives a Reset Response. This causes the AC to initiate the DTLSShutdown command (see Section ). DTLS Teardown -> Idle –WTP: This state transition occurs when the WTP receives a DTLSPeerDisconnect notification (see Section ). –AC: This state transition occurs when the AC receives a DTLSPeerDisconnect notification (see Section ).

Issue 229: DTLSMtuUpdate Undefined Issue: The current spec makes references to the DTLSMtuUpdate command that is not present in the CAPWAP to DTLS commands. Proposed Resolution: Add the following text to section : o DTLSMtuUpdate is called by the CAPWAP protocol to modify the MTU size used by the DTLS module. The default value size is 1468.

Topic #7 Join and Discovery Related Issues Pat R. Calhoun

Issue 13: define how MTU of 1596 was chosen The original issue was raised as: –e) Page Section 6.1 Join Request -- 3rd paragraph -- Why the 1596 MTU limit -- how was this number chosen ? == (RIF routes if vlan ?) if I use then I have seen h/w do 1522 (4 byte vlan tag) -- some number a little bigger than 1522 and h/w do 16K bytes -- (intel ixp 4xx series) --- The 16K number is bigger than the 4k SDU for wireless medium... Would it be better to base the discovery on the MTU of the wireless media and work down ? Proposed Resolution: Reject. The offending text was removed long ago. There are no references to MTU sizes in the Join Request section.

Issue 149: IPv6 Multicast address for Discovery phase The issue states: As IPv6 protocol does not have broadcast address so can the CAPWAP protocol be more specific for the multicast address to be used in the discovery phase: 1.Have one address assigned for AC “All ACs multicast address “, this has advantage of limiting the traffic and also it is extendable for new solution like some communication between AC etc 2.2 Use all node multicast address.

Issue 149: IPv6 Multicast address for Discovery phase Proposed resolution: –Add to the end of the following sentence: “The WTP must send the Discovery Request message to either the limited broadcast IP address ( ), a well known multicast address or to the unicast IP address of the AC. “ –“For IPv6 networks, since broadcast does not exist, the use of “All ACs multicast address” is used instead.” Add to IANA considerations: “to assign an organization local multicast address called the “All ACs multicast address” from the IPv6 multicast address registry”

Issue: 175 WTP Board Data belongs in the Join, not configure Issue: WTP Board Data belongs in the Join, not configure. – Agreed, but wonder even more why we are duplicating this information across both the WTP Descriptor and the WTP Board Data message elements. Dorothy has fixed this already, and is included in -04/-01

Issue: 175 WTP Board Data belongs in the Join, not configure Removed WTP Serial Number, WTP Model Number, Board ID and Board Revision (already in WTP Board Data) New text: WTP Descriptor […] Type: The following values are supported. The Hardware Version, Software Version, and Boot Version values MUST be included. 0 - Hardware Version: The WTP's hardware version number. 1 - Software Version: The WTP's Firmware version number. 2 - Boot Version: The WTP's boot loader's version number.

Issue: 175 WTP Board Data belongs in the Join, not configure The following changes have also been made: –WTP Descriptor present in Discovery (not WTP Board Data) –WTP Descriptor present in Join Request (not WTP Board Data) –WTP Board Data present in Configuration Status (not WTP Descriptor)

Issue 219: Insufficient description of WTPs during discovery This issue states that a WTP has no way of advertising what bindings it plans to use – or what bindings are supported on the AC. The issue argues that the discovery process needs to take this into account in the AC candidate selection process.

Issue 219: Insufficient description of WTPs during discovery WTP Descriptor The WTP descriptor message element is used by a WTP to communicate it's current hardware/firmware configuration. The value contains the following fields | Max Radios | Radios in use | Encryption Capabilities | |Num of Binding | Reserved | Wireless Binding Supported... | | Vendor Identifier | | Type=0 | Length | | Value | Vendor Identifier | | Type=1 | Length | | Value | Vendor Identifier | | Type=2 | Length | | Value

Issue 219: Insufficient description of WTPs during discovery Num of Binding: An 8-bit value representing the number of 16-bit Wireless Binding Supported fields present in the WTP Descriptor. Reserved: A set of reserved bits for future use. All implementations complying with this protocol MUST set to zero any bits that are reserved in the version of the protocol supported by that implementation. Receivers MUST ignore all bits not defined for the version of the protocol they support. Wireless Binding Supported: One or more 16-bit value representing the CAPWAP binding supported by the WTP. The following values are supported: 1 - IEEE : The IEEE CAPWAP binding (see [12]). 2 - IEEE : The IEEE CAPWAP binding. 3 - EPCGlobal: The EPCGlobal CAPWAP binding.

Issue 219: Insufficient description of WTPs during discovery AC Descriptor The AC payload message element is used by the AC to communicate it's current state. The value contains the following fields | Stations | Limit | | Active WTPs | Max WTPs | | Security | R-MAC Field | Reserved1 | DTLS Policy | |Num of Binding | Reserved | Wireless Binding Supported... | | Vendor Identifier | | Type=4 | Length | | Value | Vendor Identifier | | Type=5 | Length | | Value

Issue 219: Insufficient description of WTPs during discovery Num of Binding: An 8-bit value representing the number of 16-bit Wireless Binding Supported fields present in the AC Descriptor. Reserved: A set of reserved bits for future use. All implementations complying with this protocol MUST set to zero any bits that are reserved in the version of the protocol supported by that implementation. Receivers MUST ignore all bits not defined for the version of the protocol they support. Wireless Binding Supported: One or more 16-bit value representing the CAPWAP binding supported by the AC. The following values are supported: 1 - IEEE : The IEEE CAPWAP binding (see [12]). 2 - IEEE : The IEEE CAPWAP binding. 3 - EPCGlobal: The EPCGlobal CAPWAP binding.

Issue 219: Insufficient description of WTPs during discovery 3.2. AC Discovery The AC Discovery phase allows the WTP to determine which ACs are available, and chose the best AC to establish a CAPWAP session with. The discovery phase occurs when the WTP enters the Discovery state, which is optional. A WTP does not need to perform the AC discovery if it has a pre-configured AC which it wishes to utilize. This section details the mechanism used by the WTP to dynamically discovery candidate ACs. A WTP and an AC will frequently not reside in the same IP subnet (broadcast domain). When this occurs, the WTP must be capable of discovering the AC, without requiring that multicast services are enabled in the network. [...] Once the WTP has received Discovery Responses from the candidate ACs, it MAY use other factors in determining which is the preferred AC. For instance, the AC Descriptor, present in the Discovery Response, provides the list of CAPWAP bindings supported by the AC. A WTP MAY decide to connect to an AC based on the supported bindings advertised.

Issue 219: Insufficient description of WTPs during discovery Result Code [...] Result Code: The following values are defined: [...] 9 Join Failure (Binding Not Supported) 5.1. Discovery Request Message [...] The WTP Descriptor included in the Discovery Request includes the CAPWAP bindings supported by the WTP Discovery Response Message [...] The AC Descriptor included in the Discovery Request includes the CAPWAP bindings supported by the AC. The AC MAY include only the bindings it shares in common with the WTP, known through the WTP Descriptor received in the Discovery Request, or it MAY include all of the bindings supported. The WTP MAY use the supported bindings in its AC decision process. Note that if it uses an AC that does not support a specific CAPWAP binding, service for that binding MUST NOT be provided to stations.

Issue 219: Insufficient description of WTPs during discovery 6.1. Join Request [...] The WTP Descriptor included in the Join Request includes only the CAPWAP bindings supported by the AC that the WTP expects to utilize. Including a binding that is unsupported by the AC will result in a failed Join Response Join Response [...] If the WTP Descriptor in the Join Request included a binding that is not supported by the AC, the AC sets the Result Code message element to "Binding Not Supported".

Topic #2 Configuration Related Issues Pat R. Calhoun

Issue 72: get WLAN Config message The original request, which lead to the issue being created, was a request for a new set of messages that allow an AC to request the WTP to provide its current configuration. At the time of the discussion, I disagreed this feature was needed in the CAPWAP protocol, because at the time of a reboot the WTP provides its stored configuration, if any. The AC then proceeds by providing its own configuration. The claim was that it was necessary for the AC to be able to "pull" the configuration from the WTP, ensuring it has an accurate picture of the WTP's config. There was also a mention that WTP bugs could exist that would cause the WTP to not process the configuration properly. I believe that the current proposal for issue 73 now allows the WTP to return an error code should it be unable to apply a specific configuration message element. The AC can then decide whether it wishes the WTP to provide service anyhow. This ensures the AC will know the WTP's config. I also do not believe that a standard should be encumbered to help identify bugs on WTPs. I do not believe that we have addressed the original request, however the question is whether we have addressed it in spirit. I believe we have with the proposed text in issue 73.

Issue 73: Problems with setting initial config I have introduced a new message element, which is described below: 4.5. CAPWAP Protocol Message Elements [...] Returned Message Element 46 Here I have defined new result codes that allow the WTP to communicate why it was unable to apply the configuration, and two different reasons: Result Code [...] Result Code: The following values are defined: [...] 10 Failure (Unable to Apply Requested Configuration - Service Provided Anyhow) 11 Failure (Unable to Apply Requested Configuration - Service Not Provided)

Issue 73: Problems with setting initial config In the event that the WTP is unable to partially apply the requested configuration, the Change State Event includes one or more "Returned Message Element" which includes the offending information element Returned Message Element The Returned Message Element is sent by the WTP within the Change State Event Request in order to communicate to the AC which message elements in the Configuration Status Response it was unable to apply locally. The Returned Message Element contains a result code that is used to indicate the reason why the configuration could not be applied, and encapsulates the offending message element | Reason | Message Element Reason: The reason why the configuration in the offending message element could not be applied by the WTP 1 - Unknown Message Element 2 - Unsupported Message Element 3 - Unknown Message Element Value 4 - Unsupported Message Element Value Message Element: The Message Element field encapsulates the message element sent by the AC in the Configuration Status Response message that caused the error.

Issue 73: Problems with setting initial config Finally, the Change State Event text has been modified to indicate its expanded purpose, and the new message elements it may carry 8.7. Change State Event Request The Change State Event Request message is used by the WTP for two main purposes: o When sent by the WTP following the reception Configuration Status Response from the AC, the WTP uses the Change State Event to provide an update on the WTP radio's operational state as well as to confirm that the configuration provided by the AC was successfully applied. o When sent during the Run state, the WTP uses the Change State Event to notify the AC of an unexpected change in the WTP's radio operational state. When an AC receives a Change State Event Request message it will respond with a Change State Event Response message and make any necessary modifications to internal WTP data structures. The AC MAY decide not to provide service to the WTP if it receives an error, based on local policy, which is done by transitioning to the CAPWAP Reset state. …

Issue 73: Problems with setting initial config … The Change State Event Request is sent by a WTP to acknowledge or report an error condition to the AC for a requested configuration through the Configuration Status Response. The Change State Event Request includes the Result Code message element, which indicates whether the configuration was successfully applied. If the WTP is unable to apply a specfic configuration request, it indicates the failure by including one or more Returned Message Element message elements (see Section ). The following message elements MUST be present in the Change State Event Request message. o Radio Operational State, see Section o Result Code, see Section One or more of the following message elements MAY be present in the Change State Event Request message. o Returned Message Element, see Section Therefore, I believe the request defined in issue 73 has been satisfied.

Issue 108: Configuration Failure Processing (sub-issue 1) Config changes can fail (even when they are "not suppose to"). This may be due to a) resource deletion b) semantic constraints c) hardware failures d) software failures e) lack of authorization In the "configure request/response" (sections 7.2/7.3), the "response" message specifies configuration settings. As described, there is no mechanism for the WTP to communicate to the AC that some (or part) of the config sent by the AC to WTP failed. Thus, I suggest that the response contain no configuration. This is a duplicate of issue 73, which I believe we have satisfied.

Issue 108: Configuration Failure Processing (sub-issue 2) 2) I'm not sure that all of the configuration info can fit into one CAPWAP control message. However, a WTP needs to be able to indicate to a AC the "classes" of config info that it supports. SNMP uses the GETNEXT operation to iterate through both all classes and instances of management info (which includes config info). I suggest for CAPWAP that a WTP specify in the "configure request" the classes of configuration info and then allow an AC to use one or more "Update config request" messages to change the WTP config. I believe Michael and I responded to this via another thread that neither one of us understood why the existing fragmentation mechanism supported by CAPWAP does not resolve this issue. Duplicate of issue 173

Issue 108: Configuration Failure Processing (sub-issue 3) 3) When an AC changes the WTP config with an "Update config request", the request can fail. The response message needs to indicate which config message element(s) had an error and what was the error. Currently, this is not the case. (The error code in the result, as currently defined makes no sense to me!) Also, I didn't see if a config request was "all or nothing". That is, do the OK config values get applied and the error one not, or none get applied on any failure. This is a duplicate of issue 73, which I believe we have satisfied.

Issue 108: Configuration Failure Processing (sub-issue 4) 4) There are a lot of strange (too me) and not well defined config elements. I believe that all need to be reviewed, but this is really a separate issue. As mentioned, this is a separate issue, and is therefore not germane to issue 108.

Issue 108: Configuration Failure Processing (sub-issue 5) 5) A get config operation is needed that specifies at least a class of configuration info, and possibly additionally the instance of config info. (Again, this is because not all config info will be able to fit in a single CAPWAP message.) I do not understand the request here. Is this a duplicate of issue 72, which is a request to have the AC pull the WTPs configuration? Duplicate of 72 *and* 173.

Issue 108: Configuration Failure Processing (sub-issue 6) 6) I've ignored what should be done when an WTP has config info that is not supported by an AC, or when an AC tries to modify config info (class or specific values) that is not supported by the WTP. (CAPWAP is suppose to support WTPs and ACs from different vendors, and, thus, there can be no "tight version synchonization" as found in current products. I believe this is already addressed via the proposed text for issue 73, which is done by including the Result Code set to 10 Failure (Unable to Apply Requested Configuration - Service Provided Anyhow), and including the Returned Message Element

Issue 108: Configuration Failure Processing (Conclusion) So it appears that there are two sub-issues that have not been addressed already, sub-issues 2 and 5. Michael and I questioned whether 2 is a real problem or not, and I believe sub-issue 5 is not specified sufficiently for me to understand. I therefore do not believe that we are have sufficiently addressed this issue, but should reject this issue.

Issue 181: Configuration Status is broken I believe that this is a duplicate of issue 73, for which text has already been proposed.

Issue 190: Issues with configuration update response The issue seems to have two sub-issues. the first, identified as 42, is addressed with your suggestion below, for which proposed text was provided via issue 73. The second sub-issue, identified as 41, states that the CAPWAP protocol does not support APs that have no (or limited) nonvolatile memory. I do not believe we have provided text to support the latter. The problem statement which was published by the CAPWAP WG does not mention that memory was an issue for traditional APs, and do I believe it is in the working group's scope to solve this problem. We will add text stating that the WTP MAY save the configuration to flash, but that is implementation specific. The CAPWAP protocol does not dictate how the WTP is to utilize any optionally present non-volatile storage