Last Post: September 5, 2006:
The NIST Guide to IEEE 802.11i: Establishing Robust Security Networks, published June 2006, is very well done regarding IEEE 802.11 WLAN security, but not so well done regarding some WLAN fundamentals. Valid arguments for better IEEE WLAN security are more credible when IEEE WLAN terms are used correctly.
For example the guide worsens a common misunderstanding of how 802.11 Basic Service Sets (BSS) are logically joined, incorrectly equating the Distribution System (DS) with the medium between multiple Access Points (AP). Consider these definitions in section 2.2 of the guide: "An AP logically connects STAs with a distribution system (DS), which is typically an organization's wired infrastructure. APs can also logically connect wireless STAs with each other without accessing a distribution system." "In infrastructure mode, an AP connects wireless STAs to each other or to a distribution system, typically a wired network."
The IEEE 802.11 standard introduces the DS as being the conduit for connecting BSSs and forming Extended Service Sets (ESS), and later describes a Wireless Distribution System (WDS) between multiple APs as an example of such a DS.
The standard defines an ESS as a set of one or more BSS's joined in such a way that Logical Link Control (LLC) clients on all WLAN stations are able to communicate transparently. A WDS accomplishes an ESS, but so does connecting each of multiple APs to a common Ethernet. Does this make the Ethernet a wired distribution system? The standard does not speak to this specific question.
Elsewhere in the standard we find that a DS is a fundamental part of every AP whether or not the AP is connected to an Ethernet. A station uses an AP's DS association service to associate with that AP. A station uses its AP's DS distribution service to communicate with other stations associated to the same AP. A station uses its AP's DS integration service when it communicates through an attached Ethernet portal to wired or wireless devices. In all these cases the DS is entirely inside the AP.
A station sending a frame to its AP sends the frame "to the DS". An AP sending a frame to one of its stations sends the frame "from the DS". Bits in the WLAN frame header visible to WLAN protocol analyzers verify this is so. An AP sending a frame to an attached Ethernet also sends the frame out of the DS, but it takes a fair amount of reading between the lines of the standard to come to this conclusion, and there is no "from the DS" bit to be seen by an Ethernet protocol analyzer.
IEEE 802.11 Task Group M proposes to clarify the AP functional description, and refers to a typical AP instance as an Access Unit (AU). Its Draft 4, Annex M, plainly states that a DS within an AU does not extend to include an attached Ethernet. It also explains that multiple AUs when connected to a common Ethernet naturally interoperate as though their multiple DSs were a single DS.
An ESS of one AP with its one DS, an ESS of multiple APs connected by a monolithic WDS, and an ESS of multiple Ethernet connected APs and their separate DSs, all look alike to LLC clients on WLAN stations. Each provides transparent data-link connectivity for WLAN stations. The fact that workstations or servers (nodes) on the Ethernet in the last case are on a common data-link broadcast domain and common IP subnet with WLAN stations, does not make those nodes members of a WLAN, an ESS, or a DS.
The bottom line is that every IEEE 802.11 DS known to man ends at the Ethernet boundary of its AP(s) and in no way includes the Ethernet LAN or Ethernet nodes. Similarly an ESS includes only WLAN stations and no Ethernet nodes.
The NIST guide will need scores of corrections to text and graphics to put the DSs back where they belong -- inside the APs.
I hope this helps. Thanks. /criss
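The "to the DS" / "from the DS" bits mentioned in the post above, decoded in an added example that is not part of the original posts; the MAC addresses and frame headers are constructed sample input, and the address-role table is the standard's four-case mapping for data frames.

```python
"""Decode the To DS / From DS flags of an IEEE 802.11 data-frame header."""
from dataclasses import dataclass

TO_DS = 0x01    # Frame Control byte 1, bit 0
FROM_DS = 0x02  # Frame Control byte 1, bit 1

# Address-field roles for data frames, keyed by (To DS, From DS)
ADDRESS_ROLES = {
    (0, 0): ("RA=DA", "TA=SA", "BSSID", None),  # STA to STA, no DS (IBSS)
    (0, 1): ("RA=DA", "TA=BSSID", "SA", None),  # AP to STA: "from the DS"
    (1, 0): ("RA=BSSID", "TA=SA", "DA", None),  # STA to AP: "to the DS"
    (1, 1): ("RA", "TA", "DA", "SA"),           # AP to AP across a WDS link
}
DIRECTION = {
    (0, 0): "no DS (IBSS or direct)",
    (0, 1): "from the DS (AP -> STA)",
    (1, 0): "to the DS (STA -> AP)",
    (1, 1): "DS to DS (WDS, four addresses)",
}

@dataclass
class DataFrameHeader:
    to_ds: int
    from_ds: int
    direction: str
    addresses: dict  # address role -> MAC string

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_data_header(frame: bytes) -> DataFrameHeader:
    """Parse FC, Duration, Addr1-3, Sequence Control and the optional Addr4."""
    ftype = (frame[0] >> 2) & 0x03  # 0=management, 1=control, 2=data
    if ftype != 2:
        raise ValueError(f"not a data frame (type {ftype})")
    key = (frame[1] & TO_DS, (frame[1] & FROM_DS) >> 1)
    if len(frame) < (30 if key == (1, 1) else 24):
        raise ValueError("truncated 802.11 header")
    # Addr4 sits at offset 24, after the 2-byte Sequence Control; it is only
    # kept when both flags are set, because its role is None otherwise.
    addrs = [frame[4:10], frame[10:16], frame[16:22], frame[24:30]]
    addresses = {r: _mac(a) for r, a in zip(ADDRESS_ROLES[key], addrs) if r}
    return DataFrameHeader(key[0], key[1], DIRECTION[key], addresses)

def build_data_frame(to_ds, from_ds, a1, a2, a3, a4=b"") -> bytes:
    """Constructed sample header (not a capture): FC, Duration, Addr1-3, SeqCtl[, Addr4]."""
    fc = bytes([0x08, (to_ds & 1) | ((from_ds & 1) << 1)])  # type 2 = data
    return fc + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + a4
```

A WLAN monitor can apply the same two flags to flag four-address (To DS and From DS both set) data frames on a network that deploys no WDS.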
IEEE 802.1D section 6.5.4:
"A Bridge to an IEEE 802.11 LAN shall connect to an IEEE 802.11 Portal, which in turn connects to an IEEE 802.11 Distribution System."
Maybe you should send a note to NIST.
NIST requests comments on NIST SP 800-97 by July 7, 2006. Please submit comments to email@example.com with "Comments SP800-97/802.11i" in the subject line.
I did several times and received no response. Someone who noticed this post referred me to one of the authors with whom I have since exchanged email. He seems to have found the post helpful and wants to hear more.
Some 802.11 access points using proprietary protocols apparently share association tables and bridge tables within an ESS either across 802.11 links (WDS) or across 802.3 links. This could enable any MAC client on any BSS or any Ethernet of any AP to communicate with any other MAC client within the same ESS, and improve reassociation performance.
Allied Telesyn AT-WA7400:
"The Inter-Access-Point Protocol (IAPP) enforces a unique association through an extended service set (ESS) for the secure exchange of the station's security information between access points."
Netgear WAG302v2 offers similar functionality.
The 802.11 DSs are coming out of their APs and merging -- across Ethernets as well as wireless links.
I hope this helps. Thanks. /criss hyde