Protected management frames
Current 802.11 standard defines "frame" types for use in management and control of wireless links. IEEE 802.11w is the Protected Management Frames standard for theOverview
* Single and unified solution needed for all IEEE 802.11 Protection-capable Management Frames. * It uses the existing security mechanisms rather than creating new security scheme or new management frame format. * It is an optional feature in 802.11 and is required for 802.11 implementations that support TKIP or CCMP. * Its use is optional and can be negotiable between STAs.Classes
* Class 1 ** Beacon and probe request/response ** Authentication and de-authentication ** Announcement traffic indication message (ATIM) ** Spectrum management action ** Radio measurement action between STAs in IBSS * Class 2 ** Association request/response ** Re-association request/response ** Disassociation * Class 3 ** Disassociation/de-authentication ** QoS action frame ** Radio measurement action in infrastructure BSS ** Future 11v management framesUnprotected frames
It is infeasible/not possible to protect the frame sent before four-ways handshake because it is sent prior to key establishment. The management frames, which are sent after key establishment, can be protected. Infeasible to protect: * Beacon and probe request/response * Announcement traffic indication message (ATIM) * Authentication * Association request/response * Spectrum management actionProtected frames
Protection-capable management frames are those sent after key establishment that can be protected using existing protection key hierarchy in 802.11 and its amendments. Only TKIP/AES frames are protected and WEP/open frames are not protected. The following management frames can be protected: * Disassociate * Deauthenticate * Action Frames: Block ACK Request/Response (AddBA), QoS Admission Control, Radio Measurement, Spectrum Management, Fast BSS Transition * Channel Switch Announcement directed to a client (Unicast) Management frames that are required before AP and client have exchanged the transmission keys via the 4 way handshake remain unprotected: * Beacons * Probes * Authentication * Association * Announcement Traffic Indication Message * Channel Switch Announcement as Broadcast Uni-cast Protection-capable Management Frames are protected by the same cipher suite as an ordinary data MPDU. * MPDU payload is TKIP or CCMP encrypted. * MPDU payload and header are TKIP or CCMP integrity protected. * Protected frame field of frame control field is set. * Only cipher suites already implemented are required. * Sender's pairwise temporal key (PTK) protects unicast management frame. Broad-/Multicast Robust Management Frames are protected using Broadcast/multicast integrity protocol (BIP) * Use Integrity Group Temporal Key (IGTK) received during WPA key handshake * Use Information Element: Management MIC IE with Sequence Number + Cryptographic Hash (AES128-CMAC based)Replay protection
Replay protection is provided by already existing mechanisms. Specifically, there is a (per-station, per-key, per-priority) counter for each transmitted frame; this is used as a nonce/initialization vector (IV) in cryptographic encapsulation/decapsulation, and the receiving station ensures that the received counter is increasing.Usage
The 802.11w amendment is implemented in Linux and BSD's as part of the 80211mac driver code base, which is used by several wireless driver interfaces; i.e., ath9k. The feature is easily enabled in most recent kernels and Linux OS's using these combinations. OpenWrt in particular provides an easy toggle as part of the base distribution. The feature has been implemented for the first time intoSee also
*References
External links