版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進行舉報或認領(lǐng)
文檔簡介
1、<p> RFC 5415 CAPWAP Protocol Specification March 2009</p><p> 2. Protocol Overview</p><p> The CAPWAP protocol is a generic protocol defining AC and WTP control&
2、lt;/p><p> and data plane communication via a CAPWAP protocol transport</p><p> mechanism. CAPWAP Control messages, and optionally CAPWAP Data</p><p> messages, are secured using D
3、atagram Transport Layer Security (DTLS)</p><p> [RFC4347]. DTLS is a standards-track IETF protocol based upon TLS.</p><p> The underlying security-related protocol mechanisms of TLS have been
4、</p><p> successfully deployed for many years.</p><p> The CAPWAP protocol transport layer carries two types of payload,</p><p> CAPWAP Data messages and CAPWAP Control messages.
5、 CAPWAP Data</p><p> messages encapsulate forwarded wireless frames. CAPWAP protocol</p><p> Control messages are management messages exchanged between a WTP and</p><p> an AC.
6、 The CAPWAP Data and Control packets are sent over separate</p><p> UDP ports. Since both data and control packets can exceed the</p><p> Maximum Transmission Unit (MTU) length, the payload
7、of a CAPWAP Data</p><p> or Control message can be fragmented. The fragmentation behavior is</p><p> defined in Section 3.</p><p> The CAPWAP Protocol begins with a Discovery ph
8、ase. The WTPs send a</p><p> Discovery Request message, causing any Access Controller (AC)</p><p> receiving the message to respond with a Discovery Response message.</p><p> Fr
9、om the Discovery Response messages received, a WTP selects an AC</p><p> with which to establish a secure DTLS session. In order to establish</p><p> the secure DTLS connection, the WTP will
10、need some amount of pre-</p><p> provisioning, which is specified in Section 12.5. CAPWAP protocol</p><p> messages will be fragmented to the maximum length discovered to be</p><p&
11、gt; supported by the network.</p><p> Once the WTP and the AC have completed DTLS session establishment, a</p><p> configuration exchange occurs in which both devices agree on version</p&g
12、t;<p> information. During this exchange, the WTP may receive provisioning</p><p> settings. The WTP is then enabled for operation.</p><p> When the WTP and AC have completed the ver
13、sion and provision exchange</p><p> and the WTP is enabled, the CAPWAP protocol is used to encapsulate</p><p> the wireless data frames sent between the WTP and AC. The CAPWAP</p><
14、p> protocol will fragment the L2 frames if the size of the encapsulated</p><p> wireless user data (Data) or protocol control (Management) frames</p><p> causes the resulting CAPWAP protoc
15、ol packet to exceed the MTU</p><p> supported between the WTP and AC. Fragmented CAPWAP packets are</p><p> reassembled to reconstitute the original encapsulated payload. MTU</p><
16、p> Discovery and Fragmentation are described in Section 3.</p><p> The CAPWAP protocol provides for the delivery of commands from the AC</p><p> to the WTP for the management of stations t
17、hat are communicating with</p><p> the WTP. This may include the creation of local data structures in</p><p> the WTP for the stations and the collection of statistical</p><p>
18、information about the communication between the WTP and the stations.</p><p> The CAPWAP protocol provides a mechanism for the AC to obtain</p><p> statistical information collected by the WTP
19、.</p><p> The CAPWAP protocol provides for a keep-alive feature that preserves</p><p> the communication channel between the WTP and AC. If the AC fails to</p><p> appear alive,
20、 the WTP will try to discover a new AC.</p><p> 2.1. Wireless Binding Definition</p><p> The CAPWAP protocol is independent of a specific WTP radio</p><p> technology, as well i
21、ts associated wireless link layer protocol.</p><p> Elements of the CAPWAP protocol are designed to accommodate the</p><p> specific needs of each wireless technology in a standard way.</p&
22、gt;<p> Implementation of the CAPWAP protocol for a particular wireless</p><p> technology MUST follow the binding requirements defined for that</p><p> technology.</p><p>
23、; When defining a binding for wireless technologies, the authors MUST</p><p> include any necessary definitions for technology-specific messages</p><p> and all technology-specific message el
24、ements for those messages. At</p><p> a minimum, a binding MUST provide:</p><p> 1. The definition for a binding-specific Statistics message element,</p><p> carried in the WTP
25、Event Request message.</p><p> 2. A message element carried in the Station Configuration Request</p><p> message to configure station information on the WTP.</p><p> 3. A WTP Rad
26、io Information message element carried in the Discovery,</p><p> Primary Discovery, and Join Request and Response messages,</p><p> indicating the binding-specific radio types supported at the
27、 WTP</p><p><b> and AC.</b></p><p> If technology-specific message elements are required for any of the</p><p> existing CAPWAP messages defined in this specification
28、, they MUST</p><p> also be defined in the technology binding document.</p><p> The naming of binding-specific message elements MUST begin with the</p><p> name of the technology
29、 type, e.g., the binding for IEEE 802.11,</p><p> provided in [RFC5416], begins with "IEEE 802.11".</p><p> The CAPWAP binding concept MUST also be used in any future</p><
30、p> specifications that add functionality to either the base CAPWAP</p><p> protocol specification, or any published CAPWAP binding</p><p> specification. A separate WTP Radio Information
31、message element MUST</p><p> be created to properly advertise support for the specification. This</p><p> mechanism allows for future protocol extensibility, while providing</p><p&
32、gt; the necessary capabilities advertisement, through the WTP Radio</p><p> Information message element, to ensure WTP/AC interoperability.</p><p> 2.2. CAPWAP Session Establishment Overview
33、</p><p> This section describes the session establishment process message</p><p> exchanges between a CAPWAP WTP and AC. The annotated ladder diagram</p><p> shows the AC on the
34、 right, the WTP on the left, and assumes the use</p><p> of certificates for DTLS authentication. The CAPWAP protocol state</p><p> machine is described in detail in Section 2.3. Note that D
35、TLS allows</p><p> certain messages to be aggregated into a single frame, which is</p><p> denoted via an asterisk in Figure 3.</p><p> ============ =====
36、=======</p><p> WTP AC</p><p> ============ ============</p><p> [----------- begin optional discovery ------------]<
37、/p><p> Discover Request</p><p> ------------------------------------></p><p> Discover Response</p><p> <------------------------------------</p><p&g
38、t; [----------- end optional discovery ------------]</p><p> (-- begin DTLS handshake --)</p><p> ClientHello</p><p> ------------------------------------></p><p&g
39、t; HelloVerifyRequest (with cookie)</p><p> <------------------------------------</p><p> ClientHello (with cookie)</p><p> ------------------------------------></p>
40、<p> ServerHello,</p><p> Certificate,</p><p> ServerHelloDone*</p><p> <------------------------------------</p><p> (-- WTP callout for AC authorizatio
41、n --)</p><p> Certificate (optional),</p><p> ClientKeyExchange,</p><p> CertificateVerify (optional),</p><p> ChangeCipherSpec,</p><p><b> Fini
42、shed*</b></p><p> ------------------------------------></p><p> (-- AC callout for WTP authorization --)</p><p> ChangeCipherSpec,</p><p><b> Finishe
43、d*</b></p><p> <------------------------------------</p><p> (-- DTLS session is established now --)</p><p> Join Request</p><p> -------------------------
44、-----------></p><p> Join Response</p><p> <------------------------------------</p><p> [-- Join State Complete --]</p><p> (-- assume image is up to date --
45、)</p><p> Configuration Status Request</p><p> ------------------------------------></p><p> Configuration Status Response</p><p> <--------------------------
46、----------</p><p> [-- Configure State Complete --]</p><p> Change State Event Request</p><p> ------------------------------------></p><p> Change State Event R
47、esponse</p><p> <------------------------------------</p><p> [-- Data Check State Complete --]</p><p> (-- enter RUN state --)</p><p><b> :</b></
48、p><p><b> :</b></p><p> Echo Request</p><p> ------------------------------------></p><p> Echo Response</p><p> <---------------------
49、---------------</p><p><b> :</b></p><p><b> :</b></p><p> Event Request</p><p> ------------------------------------></p><p>
50、; Event Response</p><p> <------------------------------------</p><p><b> :</b></p><p><b> :</b></p><p> Figure 3: CAPWAP Control Protoc
51、ol Exchange</p><p> At the end of the illustrated CAPWAP message exchange, the AC and WTP</p><p> are securely exchanging CAPWAP Control messages. This illustration</p><p> is p
52、rovided to clarify protocol operation, and does not include any</p><p> possible error conditions. Section 2.3 provides a detailed</p><p> description of the corresponding state machine.</
53、p><p> 2.3. CAPWAP State Machine Definition</p><p> The following state diagram represents the lifecycle of a WTP-AC</p><p> session. Use of DTLS by the CAPWAP protocol results in
54、 the</p><p> juxtaposition of two nominally separate yet tightly bound state</p><p> machines. The DTLS and CAPWAP state machines are coupled through an</p><p> API consisting o
55、f commands (see Section 2.3.2.1) and notifications</p><p> (see Section 2.3.2.2). Certain transitions in the DTLS state machine</p><p> are triggered by commands from the CAPWAP state machine
56、, while</p><p> certain transitions in the CAPWAP state machine are triggered by</p><p> notifications from the DTLS state machine.</p><p> /-------------------------------------
57、\</p><p> | /-------------------------\|</p><p> | p| ||</p><p> | q+----------+ r +------------+ ||</p><p> | |
58、Run |-->| Reset |-\||</p><p> | +----------+ +------------+ |||</p><p> n| o ^ ^ ^ s|||</p><p> +------------+--------/ |
59、| |||</p><p> | Data Check | /-------/ | |||</p><p> +------------+<-------\ | | |||</p><p> | | | |||</p
60、><p> /------------------+--------\ | |||</p><p> f| m| h| j v k| |||</p><p> +--------+ +-----------+ +--------------+|||</p><
61、p> | Join |---->| Configure | | Image Data ||||</p><p> +--------+ n +-----------+ +--------------+|||</p><p> ^ |g i| l| |||</p>
62、;<p> | | \-------------------\ | |||</p><p> | \--------------------------------------\| | |||</p><p> \------------------------\ || | |||</p&
63、gt;<p> /--------------<----------------+---------------\ || | |||</p><p> | /------------<----------------+-------------\ | || | |||</p><p> | | 4 |d
64、 t| | vv v vvv</p><p> | | +----------------+ +--------------+ +-----------+</p><p> | | | DTLS Setup | | DTLS Connect |-->| DTLS TD |</p><p> /-|-|---
65、+----------------+ +--------------+ e +-----------+</p><p> | | | |$ ^ ^ |5 ^6 ^ ^ |w</p><p> v v v | | | | \-------\ | | |</p>
66、<p> | | | | | | \---------\ | | /-----------/ |</p><p> | | | | | \--\ | | | | |</p><p> | | | | | | | | | | |&
67、lt;/p><p> | | | v 3| 1 |% # v | |a |b v</p><p> | | \->+------+-->+------+ +-----------+ +--------+</p><p> | | | Idle | | Disc | | Autho
68、rize | | Dead |</p><p> | | +------+<--+------+ +-----------+ +--------+</p><p> | | ^ 0^ 2 |!</p><p> | | | | | +-------+</p>
69、<p> *| |u | \---------+---| Start |</p><p> | | |@ | +-------+</p><p> | \->+---------+<------/</p><p> \--->| Sulking |</p><p
70、> +---------+&</p><p> Figure 4: CAPWAP Integrated State Machine</p><p> The CAPWAP protocol state machine, depicted above, is used by both</p><p> the AC and the WTP. I
71、n cases where states are not shared (i.e., not</p><p> implemented in one or the other of the AC or WTP), this is explicitly</p><p> called out in the transition descriptions below. For every
72、 state</p><p> defined, only certain messages are permitted to be sent and received.</p><p> The CAPWAP Control message definitions specify the state(s) in which</p><p> each mes
73、sage is valid.</p><p> Since the WTP only communicates with a single AC, it only has a</p><p> single instance of the CAPWAP state machine. The state machine works</p><p> diffe
74、rently on the AC since it communicates with many WTPs. The AC</p><p> uses the concept of three threads. Note that the term thread used</p><p> here does not necessarily imply that implement
75、ers must use threads,</p><p> but it is one possible way of implementing the AC's state machine.</p><p> Listener Thread: The AC's Listener thread handles inbound DTLS</p><
76、;p> session establishment requests, through the DTLSListen command.</p><p> Upon creation, the Listener thread starts in the DTLS Setup state.</p><p> Once a DTLS session has been validate
77、d, which occurs when the</p><p> state machine enters the "Authorize" state, the Listener thread</p><p> creates a WTP session-specific Service thread and state context.</p>&
78、lt;p> The state machine transitions in Figure 4 are represented by</p><p> numerals. It is necessary for the AC to protect itself against</p><p> various attacks that exist with non-authe
79、nticated frames. See</p><p> Section 12 for more information.</p><p> Discovery Thread: The AC's Discovery thread is responsible for</p><p> receiving, and responding to,
80、Discovery Request messages. The</p><p> state machine transitions in Figure 4 are represented by numerals.</p><p> Note that the Discovery thread does not maintain any per-WTP-</p><
81、;p> specific context information, and a single state context exists.</p><p> It is necessary for the AC to protect itself against various</p><p> attacks that exist with non-authenticated
82、frames. See Section 12</p><p> for more information.</p><p> Service Thread: The AC's Service thread handles the per-WTP states,</p><p> and one such thread exists per-WTP
83、 connection. This thread is</p><p> created by the Listener thread when the Authorize state is</p><p> reached. When created, the Service thread inherits a copy of the</p><p>
84、state machine context from the Listener thread. When</p><p> communication with the WTP is complete, the Service thread is</p><p> terminated and all associated resources are released. The s
85、tate</p><p> machine transitions in Figure 4 are represented by alphabetic and</p><p> punctuation characters.</p><p> 2.3.1. CAPWAP Protocol State Transitions</p><p&
86、gt; This section describes the various state transitions, and the events</p><p> that cause them. This section does not discuss interactions between</p><p> DTLS- and CAPWAP-specific states.
87、 Those interactions, and DTLS-</p><p> specific states and transitions, are discussed in Section 2.3.2.</p><p> Start to Idle (0): This transition occurs once device initialization</p>
88、<p> is complete.</p><p> WTP: This state transition is used to start the WTP's CAPWAP</p><p> state machine.</p><p> AC: The AC creates the Discovery and Listener
89、 threads and starts</p><p> the CAPWAP state machine.</p><p> Idle to Discovery (1): This transition occurs to support the CAPWAP</p><p> discovery process.</p><p>
90、 WTP: The WTP enters the Discovery state prior to transmitting the</p><p> first Discovery Request message (see Section 5.1). Upon</p><p> entering this state, the WTP sets the DiscoveryInt
91、erval</p><p> timer (see Section 4.7). The WTP resets the DiscoveryCount</p><p> counter to zero (0) (see Section 4.8). The WTP also clears</p><p> all information from ACs it
92、may have received during a</p><p> previous Discovery phase.</p><p> AC: This state transition is executed by the AC's Discovery</p><p> thread, and occurs when a Discovery
93、 Request message is</p><p> received. The AC SHOULD respond with a Discovery Response</p><p> message (see Section 5.2).</p><p> Discovery to Discovery (#): In the Discovery st
94、ate, the WTP</p><p> determines to which AC to connect.</p><p> WTP: This transition occurs when the DiscoveryInterval timer</p><p> expires. If the WTP is configured with a li
95、st of ACs, it</p><p> transmits a Discovery Request message to every AC from which</p><p> it has not received a Discovery Response message. For every</p><p> transition to this
96、 event, the WTP increments the</p><p> DiscoveryCount counter. See Section 5.1 for more</p><p> information on how the WTP knows the ACs to which it should</p><p> transmit the
97、Discovery Request messages. The WTP restarts</p><p> the DiscoveryInterval timer whenever it transmits Discovery</p><p> Request messages.</p><p> AC: This is an invalid state
98、 transition for the AC.</p><p> Discovery to Idle (2): This transition occurs on the AC's Discovery</p><p> thread when the Discovery processing is complete.</p><p> WTP: T
99、his is an invalid state transition for the WTP.</p><p> AC: This state transition is executed by the AC's Discovery</p><p> thread when it has transmitted the Discovery Response, in</
100、p><p> response to a Discovery Request.</p><p> Discovery to Sulking (!): This transition occurs on a WTP when AC</p><p> Discovery fails.</p><p> WTP: The WTP enter
101、s this state when the DiscoveryInterval timer</p><p> expires and the DiscoveryCount variable is equal to the</p><p> MaxDiscoveries variable (see Section 4.8). Upon entering</p><p
102、> this state, the WTP MUST start the SilentInterval timer.</p><p> While in the Sulking state, all received CAPWAP protocol</p><p> messages MUST be ignored.</p><p> AC: Th
103、is is an invalid state transition for the AC.</p><p> Sulking to Idle (@): This transition occurs on a WTP when it must</p><p> restart the Discovery phase.</p><p> WTP: The WT
104、P enters this state when the SilentInterval timer (see</p><p> Section 4.7) expires. The FailedDTLSSessionCount,</p><p> DiscoveryCount, and FailedDTLSAuthFailCount counters are</p>&l
105、t;p> reset to zero.</p><p> AC: This is an invalid state transition for the AC.</p><p> Sulking to Sulking (&): The Sulking state provides the silent</p><p> period, m
106、inimizing the possibility for Denial-of-Service (DoS)</p><p><b> attacks.</b></p><p> WTP: All packets received from the AC while in the sulking state</p><p> are ig
107、nored.</p><p> AC: This is an invalid state transition for the AC.</p><p> Idle to DTLS Setup (3): This transition occurs to establish a secure</p><p> DTLS session with the p
108、eer.</p><p> WTP: The WTP initiates this transition by invoking the DTLSStart</p><p> command (see Section 2.3.2.1), which starts the DTLS session</p><p> establishment with the
109、 chosen AC and the WaitDTLS timer is</p><p> started (see Section 4.7). When the Discovery phase is</p><p> bypassed, it is assumed the WTP has locally configured ACs.</p><p> A
110、C: Upon entering the Idle state from the Start state, the newly</p><p> created Listener thread automatically transitions to the</p><p> DTLS Setup and invokes the DTLSListen command (see<
111、;/p><p> Section 2.3.2.1), and the WaitDTLS timer is started (see</p><p> Section 4.7).</p><p> Discovery to DTLS Setup (%): This transition occurs to establish a</p><p&
112、gt; secure DTLS session with the peer.</p><p> WTP: The WTP initiates this transition by invoking the DTLSStart</p><p> command (see Section 2.3.2.1), which starts the DTLS session</p>
溫馨提示
- 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
- 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
- 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
- 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
- 5. 眾賞文庫僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負責(zé)。
- 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請與我們聯(lián)系,我們立即糾正。
- 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時也不承擔(dān)用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。
評論
0/150
提交評論