Market, adoption of wireless LAN (WLAN) technology has exploded, as users from a wide range of backgrounds and vertical industries have brought this technology into their homes, offices, and increasingly into the public air space. This Inflection point has highlighted not only the limitations of ear her-generation systems, but also the changing role that WLAN technology now plays in people's work and lifestyles across the globe. Indeed, WLANs are rapidly changing from convenience networks to business-critical networks. Increasingly, users are depending on WLANs to improve the timeliness and productivity of their communications and applications, and in doing so, require greater visibility, security, management, and performance from their networks.
The IEEE (Institute of Electrical and Electronic Engineers) 802.11 standard provides guidelines for allowing users to wirelessly connect to a network and access basic services provided therein. It has become more evident in recent years that security and controlled access are necessities in light of the large amount of sensitive information that is communicated over networks today.
Traditionally, the security and controlled access efforts of wireless networking, and more specifically of layer 2 and the 802.11 MAC protocol have been directed toward protecting the data content of the transmission and not toward the prevention of session disruption. In other words, prior efforts have only been directed toward protecting the sensitivity of the content of the data transmitted and not toward the protection of the transmission of management frame packets which control session integrity and quality.
Management frame protection (MFP) generally refers to the use of message integrity checks (MICs), typically appended as Information Elements (IEs), in connection with wireless management frames (e.g., beacons, authentication requests, re-association requests, de-authentication requests, disassociation requests, etc.) transmitted by access points and/or wireless clients. There are generally two approaches to management frame protection (MFP). The first approach detects possible attacks. This approach is purely infrastructure based, in that scanning wireless access points observe communication exchanges between other (data) wireless access points and wireless clients in order to detect spoofed management frames. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, obtains a key for the access point sending the frame, and validates the management frame using the key.
A second approach prevents attacks. This approach is wireless access point-wireless client based in that a given wireless access point and a wireless client validate each other's management frames (e.g., validate media access control (MAC) addresses) using message integrity checks (MICs) appended to the wireless management frames. During association and authentication to the network, the wireless client and access point exchange one or more MFP session keys that can be used to generate and validate MICs that are appended to wireless management frames.
Given the different approaches to these methods, they are considered mutually exclusive to the extent that if a wireless client is MFP-client protected, the management frames to that wireless client will not also be MFP-infrastructure protected. That is, because they do not have the keys generated between the access points and the clients, scanning wireless access points cannot analyze the content of the exchanges (such as the MICs) due to the management-frame protection mechanisms. While the prevention approach is effectively stronger, it loses some of the advantages of the detection approach in that it cannot make use of additional scanning wireless access points.