Abstract
Motivation
• Segregating traffic for “visitors” who should only have access to the Internet and limited facilities, from “insider” traffic.
• Provision of different services for free and subscription services in Hot Zone or Municipal systems. (May also segregate subscription service through different carriers.)
• In mesh environments, ability to safely forward data through nodes with limited trust.
• To enable aggregation of traffic over a single infrastructure for efficient deployment.
• Dedicated traffic segregation by type, such as VoIP
Submission Slide 3 Donald Eastlake 3rd, Motorola
July 2007 doc.: IEEE 802.11-07/2161r1
Example Scenario I (unified infrastructure, single interface end stations)
[Diagram: Internet reached through a Firewall; Protected Services; MAP 1, MAP 2 and AP 2 serving Local Stations on a Local VLAN and Guest Stations on a Guest VLAN; Wired Connection between infrastructure elements]
Example Scenario II (diverse mesh, multi-interface mesh points)
[Diagram: Internet; Organization 1 Infrastructure and Organization 2; Organization 1 Service and Organization 2 Service; an MPP; mesh points (MPs) labelled Org 1, Org 2 and Org 3, some MPs carrying both Org 1 and Org 2]
Tentative Requirements
1. Advertising Availability of Services
2. Associating/Authenticating/Authorizing for One or more Specific Services
3. Multiple Service Security Channels Between Two Stations
4. Transit Frame Labelling
5. Protection of Segregated Data from Unauthorized Access
6. Configuration and Management
2. Associating/Authenticating/Authorizing for a Specific Service
• Current practice: Only one association, 802.11i security.
• Work in progress:
– TGw (Protected Management Frames) to extend security to some control messages
– TGs (Mesh Networking) with authentication to mesh distinguished from authentication to an AP
– TGu (Interworking with External Networks) different credentials/authentication for different back end carriers
• Possible new work: Different credentials/authentication for different Services/VLANs.
• Current Practice:
– Current standard explicitly permits 802.1Q-Tag in payload (802.11-2007 Annex M) but Q-Tag’s priority and VLAN ID fields are otherwise ignored.
– Only obvious way is to use different MAC addresses.
• Work in Progress: none...(?)
• Possible new work:
– Header addition to distinguish Service/VLAN
– Other mechanisms
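The Q-Tag fields that the current standard carries but ignores are exactly what a forwarding element would need to check in order to keep guest and local traffic apart (requirement 5 above). The following is an added example, not code from this submission or from any 802.11 task group: it decodes the 802.1Q tag (TPID 0x8100 followed by the TCI with its 3-bit priority, 1-bit DEI and 12-bit VLAN ID, as laid out in 802.1Q) from an Ethernet II frame and then applies a constructed policy that only forwards a frame on the VLAN the sending station was authorized for at association time. The station table, MAC addresses and the policy rules are illustrative assumptions; the encapsulation is plain Ethernet II rather than the LLC/SNAP form used inside an 802.11 MSDU.

```python
"""
Decode the 802.1Q tag of an Ethernet II frame and enforce a per-station
VLAN policy.  Example code: the tag layout follows IEEE 802.1Q; the
station table and the forwarding rules are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100       # Tag Protocol Identifier of a C-VLAN tag
VID_PRIORITY_ONLY = 0     # VID 0: priority-tagged, no VLAN membership
VID_RESERVED = 0xFFF      # VID 4095 is reserved by 802.1Q


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    pcp: Optional[int]      # priority code point (3 bits), None if untagged
    dei: Optional[int]      # drop eligible indicator (1 bit), None if untagged
    vid: Optional[int]      # VLAN identifier (12 bits), None if untagged
    ethertype: int          # EtherType of the encapsulated payload
    payload: bytes


def parse_ethernet(frame: bytes) -> ParsedFrame:
    """Decode an Ethernet II frame, extracting the 802.1Q tag when present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    pcp = dei = vid = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13            # top 3 bits of the TCI
        dei = (tci >> 12) & 0x1    # next bit
        vid = tci & 0x0FFF         # low 12 bits
        offset = 18
    return ParsedFrame(dst, src, pcp, dei, vid, ethertype, frame[offset:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Assemble an Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    header = dst + src
    if vid is not None:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        header += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


# Constructed station table: source MAC -> VLAN the station was authorized
# for when it associated (the per-service association of requirement 2).
STATION_VLAN = {
    bytes.fromhex("020000000001"): 10,   # a "local" station on local VLAN 10
    bytes.fromhex("020000000002"): 20,   # a "guest" station on guest VLAN 20
}


def classify(frame: bytes, station_vlan=STATION_VLAN) -> Tuple[str, Optional[int]]:
    """Return ("forward", vid) or ("drop", None) for one frame.

    Constructed rules:
      - unknown source MAC: drop (not associated for any service)
      - untagged, or VID 0 (priority only): forward on the station's own VLAN
      - tagged with the station's own VLAN: forward on it
      - tagged with any other VID, or the reserved VID 4095: drop, so a
        station cannot hop into a VLAN it was never authorized for
    """
    f = parse_ethernet(frame)
    authorized = station_vlan.get(f.src)
    if authorized is None:
        return ("drop", None)
    if f.vid is None or f.vid == VID_PRIORITY_ONLY:
        return ("forward", authorized)
    if f.vid == VID_RESERVED or f.vid != authorized:
        return ("drop", None)
    return ("forward", f.vid)


if __name__ == "__main__":
    bcast = bytes.fromhex("ffffffffffff")
    guest = bytes.fromhex("020000000002")
    # Constructed sample frames: one tagged for the guest's own VLAN, one
    # tagged for the local VLAN the guest is not authorized for.
    for vid in (20, 10):
        frm = build_frame(bcast, guest, 0x0800, b"\x00" * 20, vid=vid, pcp=5)
        print(f"guest frame tagged VID {vid}: {classify(frm)}")
```

Untagged frames are placed on the station's authorized VLAN rather than dropped, since end stations in the unified-infrastructure scenario are not expected to tag; the tag check matters for the guest-to-protected-services path, where a mismatched VID is the case the policy exists to stop.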
• Current Practice:
– SNMP (Simple Network Management Protocol)
– GVRP (GARP VLAN Registration Protocol)
– Proprietary command line interfaces and protocols
• Work in Progress: SNMP MIB (Management Information Base) additions by TGu (Interworking with External Networks)
• Possible new work:
– MIB additions or other mechanisms for configuration and management including setting-up and deleting VLANs
Straw Polls
• Results in WNG SC during morning session on 17 July:
References
• Standard 802.11-2007 – WLANs
• Standard 802.1Q-2005 – VLANs, GVRP
• Draft 802.11s D1.05 – ESS Mesh Networking
• Draft 802.11u D1.0 – Interworking with External Networks
• Draft 802.11w D2.0 – Protected Management Frames
• IETF STD 62 (IETF RFCs 3411 through 3418) – SNMP