IEEE 802.11 describes a communication architecture, which may enable computing devices to communicate via wireless local area networks (WLANs). One of the building blocks for the WLAN is the basic service set (BSS). A BSS may comprise a plurality of computing devices, or stations (STA), which may communicate wirelessly via one or more RF channels within an RF coverage area. The span of an RF coverage area may be determined based on the distance over which a source STA may transmit data via an RF channel, which may be received by a destination STA.
IEEE 802.11 comprises a variety of security methods. These methods include wired equivalent privacy (WEP), the temporal key integrity protocol (TKIP), counter mode with cipher-block chaining message authentication code (CBC-MAC) protocol (CCMP), IEEE 802.1X and robust secure network association (RSNA) algorithms. The various security methods may be utilized to enable secure communications between STAs. An exemplary method for secure communications may utilize encryption of data transmitted between a source STA and a destination STA to prevent a user at a eavesdropping STA from gaining access to the unencrypted (also referred to as “clear text” or “plaintext”) data. Within the context of the medium access control (MAC) protocol layer of IEEE 802.11, the data may be referred to as MAC layer service data unit (MSDU) data. The data may be communicated within the frame body (or payload) field within protocol data units (PDUs) referred to as data frames. Within the context of the MAC protocol layer of IEEE 802.11, the frame may be referred to as a MAC layer protocol data unit (MPDU). Each data frame may also comprise a sequence number (SN) field.
An exemplary method for secure communications involves the computation of a message integrity code (MIC). The MIC may be computed based on MSDU plaintext data, the MSDU source address (SA) field, the MSDU destination address (DA) field, and the MSDU priority field. The MIC may alternatively be computed based on MPDU plaintext data, the MPDU header including address fields, priority field, and other components of the MPDU header. A reserved field may also be included in the MIC computation. The MIC is appended to the plaintext data to form an extended data field. The extended data field may also comprise a pad field. The extended data field may be encrypted to generate an MPDU frame body field. The data MPDU, with encrypted frame body field, may be transmitted from a source STA to a destination STA in a secure communication link. Data, which is transmitted in this fashion, may be referred to as “protected data”. The destination STA may send an acknowledgment (ACK) to the source STA to confirm successful receipt of the MPDU. An ACK is referred to as a control frame.
IEEE 802.11 supports a block ACK (BA) capability. The BA capability enables a source STA to transmit a plurality of sequence numbered frames during a communication session while receiving a single BA from the destination STA, which indicates successful reception of any number of frames from within a sequentially numbered block of frames. The BA capability is established between a source STA and a destination STA through an exchange of frames referred to as management frames. For example, in a typical exchange of management frames, the source STA may transmit an ADDBA request management frame to the destination STA. The destination STA may transmit an ACK frame to the source STA to acknowledge receipt of the ADDBA request frame. The destination STA may subsequently transmit an ADDBA response frame to the source STA. The source STA may transmit an ACK frame to the destination STA to acknowledge receipt of the ADDBA response frame.
The exchange of management frames between the source STA and the destination STA identifies the data frames, which are to be the subject of block acknowledgment based on a (SA,DA,TID) tuple, where TID refers to a traffic identifier value. Each transmitted data frame, which is to be the subject of BA may comprise the TID value within the TID field within the frame. The TID value may be determined during the exchange of management frames.
During the communication session identified by the (SA,DA,TID) tuple, the source STA and the destination STA may each maintain state information related to the communication. The state information may be represented as a scorecard. The source STA (TX) scorecard may comprise a TX scorecard left edge (LE) pointer, a TX scorecard right edge (RE) pointer and a TX scorecard size parameter. When a current window is first established:TX(size)=TX(RE)−TX(LEinit)+1where TX(RE) refers to the TX scorecard RE pointer value, TX(LEinit) refers to the initial TX scorecard LE pointer value, and TX(size) refers to the TX scorecard size parameter value. The TX(size) represents a transmit window size, typically measured in frames, which corresponds to the maximum number of frames that a source STA may transmit without receiving an ACK. The TX(LEinit) value represents the lowest number SN value for a transmitted data frame within the transmit window. As the source STA receives acknowledgment of previously transmitted frames within the transmit window, the TX scorecard LE pointer may reflect a current LE pointer value TX(LEcur), which represents the lowest numbered SN value within the transmit window for which an ACK has not been received. At any given time, the source STA may transmit frames for which the SN value is within the range:TX(LEcur)≦SN<TX(LEcur)+TX(size)where:TX(RE)=TX(LEcur)+TX(size)−1The source STA may also accept ACK frames, which acknowledge receipt of transmitted frames within the transmit window.The destination STA (RX) scorecard may comprise an RX scorecard LE pointer, an RX scorecard RE pointer, an RX buffer window LE pointer, an RX buffer window RE pointer and an RX window size parameter.
Received frames may initially be stored in the RX buffer. At the destination STA, the MAC layer protocol entity may extract the payload field portion from received frames, which may be passed to a higher layer protocol entity (for example, a network layer protocol entity). Prior to passing the payload to the higher layer protocol entity, the MAC layer protocol entity may decrypt the payload field portion. The RX buffer window LE pointer value minus one, RXbuf(LE)−1, represents the highest SN value for a received frame for which the payload portion has been passed to a higher layer protocol entity. Based on the value RXbuf(LE), an RX buffer window RE pointer value, RXbuf(RE), may be determined:RXbuf(RE)=RXbuf(LE)+RX(size)−1where RX(size) refers to the RX window size parameter value. The RX(size) represents a receive window size, typically measured in frames, which corresponds to the maximum number of frames that a destination STA may store within a receive buffer. At any given time, the destination STA may normally receive frames for which the SN value is within the range:RXbuf(LE)≦SN<RXbuf(RE)Frames received from the source STA for which SN<RXbuf(LE) may be discarded at the destination STA.
The destination STA may adjust the RXbuf(LE) in response to receipt of a control frame from the source STA. For example, an initial RXbuf(LEinit) value may be established at a destination STA based upon receipt of a control frame from the source STA. For example, the source STA may transmit a block acknowledgment request (BAR) control frame to the destination STA. The BAR frame may comprise a starting sequence number (SSN) value. The destination STA may utilize the SSN value in the received BAR control frame to establish the value RXbuf(LEinit):RXbuf(LEinit)=SSN An initial RX scorecard LE pointer value RXsc(LEinit) may also be established based on the received SSN value:RXsc(LEinit)=SSN 
Normally, the MAC layer passes payload portions of received frames to a higher protocol entity when the received frames comprise a contiguous block of sequentially numbered frames. However, if there were any previously buffered frames associated with the (SA,DA,TID) communication session at the time that the BAR frame is received for which SN<SSN, the payload portions of the previously buffered frames may be passed to the higher layer protocol entity even if there are gaps in the sequence numbering among the previously stored frames. This may result in discard of the payload portions for some or all of the previously buffered frames at the higher layer protocol entity.
The destination STA may respond to receipt of the BAR control frame by transmitting a block acknowledgment (BA) control frame to the source STA. The BA control frame may comprise a bitmap field. The bitmap field may indicate whether the destination STA has successfully received any among a block of transmitted data frames from the source STA for data frame sequence number values SN≧SSN. For example, the first position in the bitmap may correspond to a frame with a sequence number value SN=SSN. A bit value=0 may indicate that a frame with the corresponding SN value has not been received by the destination STA. For example, a successful receipt of a frame received with a given SN value is indicated by a bit value=1 for a corresponding bit position in the bit map.
The destination STA may also adjust the RXbuf(LE) value in response to receipt of a data frame from the source STA. For example, when the destination STA receives a data frame for which SNrec>RXbuf(RE), an updated RX buffer window RE pointer value, RXbufupd(RE), may be established:RXbufupd(RE)=SNrec Based on the updated RXbufupd(RE) value, an updated RX buffer window LE pointer value, RXbufupd(LE), may be established:RXbufupd(LE)=RXbufupd(RE)−RX(size)+1
If there were any currently buffered data frames for which SN<RXbufupd(LE), the payload portions of those currently buffered frames may be passed to the higher layer protocol entity even if there are gaps in the sequence numbering among the currently stored frames. This may result in discard of the payload portions for some or all of those currently buffered frames at the higher layer protocol entity.
A destination STA may send a BA control frame to the source STA in response to an explicit request from the source STA or in response to an implicit request from the source STA. An example of an explicit request is a BAR control frame. An example, of an implicit request is a data frame, which comprises an indication that a BA is requested from the destination STA by the source STA. The destination STA may report successful receipt of some data frames in the BA control frame, while indicating that other data frames have not been received. In response to an implicit BA request, the RXbuf(LE) value may not change if the lowest SN numbered frame in the bitmap field of the BA frame has not been successfully received. For example, the first bit in the bitmap field of the BA frame may indicate whether the lowest SN numbered frame has been successfully received. The sequence number for the lowest SN numbered frame may be indicated in the SSN field within the transmitted BA frame. Regardless of whether the destination STA sends a BA control frame in response to an explicit request from the source STA, or in response to an implicit request, the source STA, which receives the BA control frame, may utilize the SSN field value and the bitmap field values to adjust one or more TX scorecard pointer values.
For a destination STA, which utilizes persistent RX scorecard maintenance, RX scorecard information is maintained after transmission of a BA frame. Thus, each subsequent BA frame transmitted for a given receive window reflects the history of successful data frame receipts within the receive window. Consequently, for a destination STA, which utilizes persistent RX scorecard maintenance, RXsc(LE)=RXbuf(LE).
For a destination STA, which utilizes dynamic RX scorecard maintenance, RX scorecard information is not maintained after a BA frame has been transmitted. In this regard, the destination STA “forgets” that a data frame has been successfully received once the receipt of the data frame has been acknowledged via a transmitted BA frame. For a destination STA, which utilizes dynamic RX scorecard maintenance the RXsc(LE) scorecard value is updated for each currently received data frame:RXsc(LE)=SNrec−RX(size)+1where SNrec represents the sequence number for a currently received data frame.
In current IEEE 802.11 security methods, the sequence number field in transmitted data frames is not protected. Furthermore, transmitted control frames, such as BAR control frames and BA control frames, are also not protected.
Further limitations and disadvantages of conventional and traditional approaches will become apparent to one of skill in the art, through comparison of such systems with some aspects of the present invention as set forth in the remainder of the present application with reference to the drawings.