1. Field
This disclosure relates to wireless local area networks and, in particular, to wireless access points that support multiple single-user local area networks.
2. Description of the Related Art
Current wireless local area networks (LANs) commonly adhere to the Wi-Fi™ industry standard which is based on the Institute of Electrical and Electronics Engineers' (IEEE) 802.11 standards. The fundamental building block of an 802.11 LAN is a basic service set (BSS) comprising two or more “stations” or user devices in wireless communication with each other. IEEE 802.11 defines an “infrastructure mode” in which each BSS includes an “access point” that acts as a master to control the stations within that BSS. IEEE 802.11 also defines ad-hoc networks of user devices without a controlling access point and mesh networks.
As shown in FIG. 1, an infrastructure mode BSS 120 includes an access point 125 and one or more user devices which may include, for example, a smart phone 130, a tablet 132, a personal computer 134, a printer 136, and other devices. The access point 125 may be, for example, a wireless router. The access point 125 may control communications between the user devices 132-136, and may provide a path for the user devices 132-136 to communicate with a cloud 110 via a wired or wireless connection 115. In this context, the term “cloud” means a network, which may be or include the Internet, and all of the devices connected to the network.
The BSS 120 is identified by a string of 0 to 32 octets (bytes) called a service set identifier or SSID. Commonly, but not necessarily, the SSID is a human-readable text string which may be referred to as the “network name”.
The BSS 120 may be configured as “public” or “private.” A public BSS is not password protected. Traffic on a private BSS is controlled by a password used to derive a key to encrypt communications over the BSS. To join a private BSS, a user device must provide 125 the appropriate password to the access point.
The BSS 120 may be constrained by one or more policies enforced by the access point 125. Policies may control or constrain who is allowed access to the BSS, what type of traffic is allowed or not allowed on the BSS, and how traffic is communicated over the BSS. For example, policies may prohibit certain types of traffic within the BSS or may prohibit the BSS from accessing specific websites or types of websites within the cloud 110.
Each device, including the access point, within a BSS is identified by at least one unique media access control address (MAC address). A MAC address is a 48-bit binary number which is commonly written as six groups of two hexadecimal digits separated by colons (e.g. 00:00:00:00:00:00). Unique MAC addresses are commonly assigned by device manufacturers and are stored in hardware (for example read-only memory) within each device. In some situations, a device may be assigned a locally-controlled, not necessarily unique, MAC address that overrides the unique MAC addressed assigned by the device manufacturer. One of the 48 bits is used as a flag to indicate if the address is globally-unique or locally controlled. A second one of the 48 bits is used as a flag to indicate if the address is a unicast address or a multicast address.
All traffic with the BSS 120 is in the form of short packets which are called “frames” in the IEEE 802.11 standards. Each frame consists of a MAC header, an optional payload, and a frame check sequence. The MAC header includes a MAC address of the source device, a MAC address of the intended receiver (or receivers in the case of a multicast address), and a variety of control fields and flags. The payload length may be from 0 to 2304 bytes plus any overhead from security encapsulation. Each frame may be one of a management frame used to manage the BSS, a control frame to control traffic over the BSS, or a data frame.
The access point 125 may periodically broadcast a “beacon” control frame announcing the presence of the BSS 120. The beacon control frame includes the MAC address of the access point as the source address and a broadcast destination address. Upon receipt of the beacon frame, a user device wanting to join the BSS 120 will send an associate request frame to the MAC address of the control point. A handshake process may then be performed to verify the identity of the user device and allow the user device to join the BSS 120.
Alternatively, a user device may broadcast a request to join a particular BSS without first receiving a beacon frame from the access point for the BSS. If the client request is received by the appropriate access point, the handshake process may then ensue.
A deficiency in a typical BSS is illustrated in FIG. 2, which is a block diagram of a BSS 220 shared by two users, identified as User 1 and User 2. Sharing of a BSS by two or more users may occur in many public locations. For example, User 1 and User 2 may be different persons occupying different rooms in a hotel or dormitory, different offices in a building, different classrooms in school, or different staterooms on a cruise ship. BSS 220 includes a single access point 225, devices 232, 234, and 236 belonging to User 1, and devices 242, 244, and 246 belonging to User 2. More than two users may share a BSS, each user may have more or fewer than three devices, and each user may have different devices than those shown in FIG. 2.
The problem that may occur with a shared BSS, such as the BSS 220, is that communications between devices belonging to one user may inadvertently or maliciously be received at a device belonging to a different user. When a user device joins a private BSS using a passphrase, two types of encryption keys are exchanged between the user device and the access point. The first encryption key is the pairwise temporal key (PTK). The PTK is unique to each user device and is used by the user device and the access point for all unicast traffic during session (i.e. for all traffic destined only for that user device). The second encryption key is the group temporal key (GTK). The GTK is used by the access point for broadcast traffic. Since each BSS uses only a single GTK, broadcast traffic can be decrypted by all user devices on the BSS. There is no way to isolate broadcast traffic to a group of devices belonging to a single user. For example, if a device like an Apple TV belonging to a first user is broadcasting, every other user's devices on the BSS will receive the broadcast traffic. The only way to prevent broadcast traffic from reaching all users on a BSS is for the administrator to set the access point to block device to device traffic, which would result in no one (not even the owner of the apple TV) receiving the traffic.
Throughout this description, elements appearing in figures are assigned three-digit reference designators, where the most significant digit is the figure number and the two least significant digits are specific to the element. An element that is not described in conjunction with a figure may be presumed to have the same characteristics and function as a previously-described element having the same reference designator.