計算機外文翻譯9_第1頁
已閱讀1頁,還剩55頁未讀, 繼續(xù)免費閱讀

下載本文檔

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進行舉報或認領(lǐng)

文檔簡介

1、<p>  RFC 5415 CAPWAP Protocol Specification March 2009</p><p>  2. Protocol Overview</p><p>  The CAPWAP protocol is a generic protocol defining AC and WTP control&

2、lt;/p><p>  and data plane communication via a CAPWAP protocol transport</p><p>  mechanism. CAPWAP Control messages, and optionally CAPWAP Data</p><p>  messages, are secured using D

3、atagram Transport Layer Security (DTLS)</p><p>  [RFC4347]. DTLS is a standards-track IETF protocol based upon TLS.</p><p>  The underlying security-related protocol mechanisms of TLS have been

4、</p><p>  successfully deployed for many years.</p><p>  The CAPWAP protocol transport layer carries two types of payload,</p><p>  CAPWAP Data messages and CAPWAP Control messages.

5、 CAPWAP Data</p><p>  messages encapsulate forwarded wireless frames. CAPWAP protocol</p><p>  Control messages are management messages exchanged between a WTP and</p><p>  an AC.

6、 The CAPWAP Data and Control packets are sent over separate</p><p>  UDP ports. Since both data and control packets can exceed the</p><p>  Maximum Transmission Unit (MTU) length, the payload

7、of a CAPWAP Data</p><p>  or Control message can be fragmented. The fragmentation behavior is</p><p>  defined in Section 3.</p><p>  The CAPWAP Protocol begins with a Discovery ph

8、ase. The WTPs send a</p><p>  Discovery Request message, causing any Access Controller (AC)</p><p>  receiving the message to respond with a Discovery Response message.</p><p>  Fr

9、om the Discovery Response messages received, a WTP selects an AC</p><p>  with which to establish a secure DTLS session. In order to establish</p><p>  the secure DTLS connection, the WTP will

10、need some amount of pre-</p><p>  provisioning, which is specified in Section 12.5. CAPWAP protocol</p><p>  messages will be fragmented to the maximum length discovered to be</p><p&

11、gt;  supported by the network.</p><p>  Once the WTP and the AC have completed DTLS session establishment, a</p><p>  configuration exchange occurs in which both devices agree on version</p&g

12、t;<p>  information. During this exchange, the WTP may receive provisioning</p><p>  settings. The WTP is then enabled for operation.</p><p>  When the WTP and AC have completed the ver

13、sion and provision exchange</p><p>  and the WTP is enabled, the CAPWAP protocol is used to encapsulate</p><p>  the wireless data frames sent between the WTP and AC. The CAPWAP</p><

14、p>  protocol will fragment the L2 frames if the size of the encapsulated</p><p>  wireless user data (Data) or protocol control (Management) frames</p><p>  causes the resulting CAPWAP protoc

15、ol packet to exceed the MTU</p><p>  supported between the WTP and AC. Fragmented CAPWAP packets are</p><p>  reassembled to reconstitute the original encapsulated payload. MTU</p><

16、p>  Discovery and Fragmentation are described in Section 3.</p><p>  The CAPWAP protocol provides for the delivery of commands from the AC</p><p>  to the WTP for the management of stations t

17、hat are communicating with</p><p>  the WTP. This may include the creation of local data structures in</p><p>  the WTP for the stations and the collection of statistical</p><p>  

18、information about the communication between the WTP and the stations.</p><p>  The CAPWAP protocol provides a mechanism for the AC to obtain</p><p>  statistical information collected by the WTP

19、.</p><p>  The CAPWAP protocol provides for a keep-alive feature that preserves</p><p>  the communication channel between the WTP and AC. If the AC fails to</p><p>  appear alive,

20、 the WTP will try to discover a new AC.</p><p>  2.1. Wireless Binding Definition</p><p>  The CAPWAP protocol is independent of a specific WTP radio</p><p>  technology, as well i

21、ts associated wireless link layer protocol.</p><p>  Elements of the CAPWAP protocol are designed to accommodate the</p><p>  specific needs of each wireless technology in a standard way.</p&

22、gt;<p>  Implementation of the CAPWAP protocol for a particular wireless</p><p>  technology MUST follow the binding requirements defined for that</p><p>  technology.</p><p>

23、;  When defining a binding for wireless technologies, the authors MUST</p><p>  include any necessary definitions for technology-specific messages</p><p>  and all technology-specific message el

24、ements for those messages. At</p><p>  a minimum, a binding MUST provide:</p><p>  1. The definition for a binding-specific Statistics message element,</p><p>  carried in the WTP

25、Event Request message.</p><p>  2. A message element carried in the Station Configuration Request</p><p>  message to configure station information on the WTP.</p><p>  3. A WTP Rad

26、io Information message element carried in the Discovery,</p><p>  Primary Discovery, and Join Request and Response messages,</p><p>  indicating the binding-specific radio types supported at the

27、 WTP</p><p><b>  and AC.</b></p><p>  If technology-specific message elements are required for any of the</p><p>  existing CAPWAP messages defined in this specification

28、, they MUST</p><p>  also be defined in the technology binding document.</p><p>  The naming of binding-specific message elements MUST begin with the</p><p>  name of the technology

29、 type, e.g., the binding for IEEE 802.11,</p><p>  provided in [RFC5416], begins with "IEEE 802.11".</p><p>  The CAPWAP binding concept MUST also be used in any future</p><

30、p>  specifications that add functionality to either the base CAPWAP</p><p>  protocol specification, or any published CAPWAP binding</p><p>  specification. A separate WTP Radio Information

31、message element MUST</p><p>  be created to properly advertise support for the specification. This</p><p>  mechanism allows for future protocol extensibility, while providing</p><p&

32、gt;  the necessary capabilities advertisement, through the WTP Radio</p><p>  Information message element, to ensure WTP/AC interoperability.</p><p>  2.2. CAPWAP Session Establishment Overview

33、</p><p>  This section describes the session establishment process message</p><p>  exchanges between a CAPWAP WTP and AC. The annotated ladder diagram</p><p>  shows the AC on the

34、 right, the WTP on the left, and assumes the use</p><p>  of certificates for DTLS authentication. The CAPWAP protocol state</p><p>  machine is described in detail in Section 2.3. Note that D

35、TLS allows</p><p>  certain messages to be aggregated into a single frame, which is</p><p>  denoted via an asterisk in Figure 3.</p><p>  ============ =====

36、=======</p><p>  WTP AC</p><p>  ============ ============</p><p>  [----------- begin optional discovery ------------]<

37、/p><p>  Discover Request</p><p>  ------------------------------------></p><p>  Discover Response</p><p>  <------------------------------------</p><p&g

38、t;  [----------- end optional discovery ------------]</p><p>  (-- begin DTLS handshake --)</p><p>  ClientHello</p><p>  ------------------------------------></p><p&g

39、t;  HelloVerifyRequest (with cookie)</p><p>  <------------------------------------</p><p>  ClientHello (with cookie)</p><p>  ------------------------------------></p>

40、<p>  ServerHello,</p><p>  Certificate,</p><p>  ServerHelloDone*</p><p>  <------------------------------------</p><p>  (-- WTP callout for AC authorizatio

41、n --)</p><p>  Certificate (optional),</p><p>  ClientKeyExchange,</p><p>  CertificateVerify (optional),</p><p>  ChangeCipherSpec,</p><p><b>  Fini

42、shed*</b></p><p>  ------------------------------------></p><p>  (-- AC callout for WTP authorization --)</p><p>  ChangeCipherSpec,</p><p><b>  Finishe

43、d*</b></p><p>  <------------------------------------</p><p>  (-- DTLS session is established now --)</p><p>  Join Request</p><p>  -------------------------

44、-----------></p><p>  Join Response</p><p>  <------------------------------------</p><p>  [-- Join State Complete --]</p><p>  (-- assume image is up to date --

45、)</p><p>  Configuration Status Request</p><p>  ------------------------------------></p><p>  Configuration Status Response</p><p>  <--------------------------

46、----------</p><p>  [-- Configure State Complete --]</p><p>  Change State Event Request</p><p>  ------------------------------------></p><p>  Change State Event R

47、esponse</p><p>  <------------------------------------</p><p>  [-- Data Check State Complete --]</p><p>  (-- enter RUN state --)</p><p><b>  :</b></

48、p><p><b>  :</b></p><p>  Echo Request</p><p>  ------------------------------------></p><p>  Echo Response</p><p>  <---------------------

49、---------------</p><p><b>  :</b></p><p><b>  :</b></p><p>  Event Request</p><p>  ------------------------------------></p><p>

50、;  Event Response</p><p>  <------------------------------------</p><p><b>  :</b></p><p><b>  :</b></p><p>  Figure 3: CAPWAP Control Protoc

51、ol Exchange</p><p>  At the end of the illustrated CAPWAP message exchange, the AC and WTP</p><p>  are securely exchanging CAPWAP Control messages. This illustration</p><p>  is p

52、rovided to clarify protocol operation, and does not include any</p><p>  possible error conditions. Section 2.3 provides a detailed</p><p>  description of the corresponding state machine.</

53、p><p>  2.3. CAPWAP State Machine Definition</p><p>  The following state diagram represents the lifecycle of a WTP-AC</p><p>  session. Use of DTLS by the CAPWAP protocol results in

54、 the</p><p>  juxtaposition of two nominally separate yet tightly bound state</p><p>  machines. The DTLS and CAPWAP state machines are coupled through an</p><p>  API consisting o

55、f commands (see Section 2.3.2.1) and notifications</p><p>  (see Section 2.3.2.2). Certain transitions in the DTLS state machine</p><p>  are triggered by commands from the CAPWAP state machine

56、, while</p><p>  certain transitions in the CAPWAP state machine are triggered by</p><p>  notifications from the DTLS state machine.</p><p>  /-------------------------------------

57、\</p><p>  | /-------------------------\|</p><p>  | p| ||</p><p>  | q+----------+ r +------------+ ||</p><p>  | |

58、Run |-->| Reset |-\||</p><p>  | +----------+ +------------+ |||</p><p>  n| o ^ ^ ^ s|||</p><p>  +------------+--------/ |

59、| |||</p><p>  | Data Check | /-------/ | |||</p><p>  +------------+<-------\ | | |||</p><p>  | | | |||</p

60、><p>  /------------------+--------\ | |||</p><p>  f| m| h| j v k| |||</p><p>  +--------+ +-----------+ +--------------+|||</p><

61、p>  | Join |---->| Configure | | Image Data ||||</p><p>  +--------+ n +-----------+ +--------------+|||</p><p>  ^ |g i| l| |||</p>

62、;<p>  | | \-------------------\ | |||</p><p>  | \--------------------------------------\| | |||</p><p>  \------------------------\ || | |||</p&

63、gt;<p>  /--------------<----------------+---------------\ || | |||</p><p>  | /------------<----------------+-------------\ | || | |||</p><p>  | | 4 |d

64、 t| | vv v vvv</p><p>  | | +----------------+ +--------------+ +-----------+</p><p>  | | | DTLS Setup | | DTLS Connect |-->| DTLS TD |</p><p>  /-|-|---

65、+----------------+ +--------------+ e +-----------+</p><p>  | | | |$ ^ ^ |5 ^6 ^ ^ |w</p><p>  v v v | | | | \-------\ | | |</p>

66、<p>  | | | | | | \---------\ | | /-----------/ |</p><p>  | | | | | \--\ | | | | |</p><p>  | | | | | | | | | | |&

67、lt;/p><p>  | | | v 3| 1 |% # v | |a |b v</p><p>  | | \->+------+-->+------+ +-----------+ +--------+</p><p>  | | | Idle | | Disc | | Autho

68、rize | | Dead |</p><p>  | | +------+<--+------+ +-----------+ +--------+</p><p>  | | ^ 0^ 2 |!</p><p>  | | | | | +-------+</p>

69、<p>  *| |u | \---------+---| Start |</p><p>  | | |@ | +-------+</p><p>  | \->+---------+<------/</p><p>  \--->| Sulking |</p><p

70、>  +---------+&</p><p>  Figure 4: CAPWAP Integrated State Machine</p><p>  The CAPWAP protocol state machine, depicted above, is used by both</p><p>  the AC and the WTP. I

71、n cases where states are not shared (i.e., not</p><p>  implemented in one or the other of the AC or WTP), this is explicitly</p><p>  called out in the transition descriptions below. For every

72、 state</p><p>  defined, only certain messages are permitted to be sent and received.</p><p>  The CAPWAP Control message definitions specify the state(s) in which</p><p>  each mes

73、sage is valid.</p><p>  Since the WTP only communicates with a single AC, it only has a</p><p>  single instance of the CAPWAP state machine. The state machine works</p><p>  diffe

74、rently on the AC since it communicates with many WTPs. The AC</p><p>  uses the concept of three threads. Note that the term thread used</p><p>  here does not necessarily imply that implement

75、ers must use threads,</p><p>  but it is one possible way of implementing the AC's state machine.</p><p>  Listener Thread: The AC's Listener thread handles inbound DTLS</p><

76、;p>  session establishment requests, through the DTLSListen command.</p><p>  Upon creation, the Listener thread starts in the DTLS Setup state.</p><p>  Once a DTLS session has been validate

77、d, which occurs when the</p><p>  state machine enters the "Authorize" state, the Listener thread</p><p>  creates a WTP session-specific Service thread and state context.</p>&

78、lt;p>  The state machine transitions in Figure 4 are represented by</p><p>  numerals. It is necessary for the AC to protect itself against</p><p>  various attacks that exist with non-authe

79、nticated frames. See</p><p>  Section 12 for more information.</p><p>  Discovery Thread: The AC's Discovery thread is responsible for</p><p>  receiving, and responding to,

80、Discovery Request messages. The</p><p>  state machine transitions in Figure 4 are represented by numerals.</p><p>  Note that the Discovery thread does not maintain any per-WTP-</p><

81、;p>  specific context information, and a single state context exists.</p><p>  It is necessary for the AC to protect itself against various</p><p>  attacks that exist with non-authenticated

82、frames. See Section 12</p><p>  for more information.</p><p>  Service Thread: The AC's Service thread handles the per-WTP states,</p><p>  and one such thread exists per-WTP

83、 connection. This thread is</p><p>  created by the Listener thread when the Authorize state is</p><p>  reached. When created, the Service thread inherits a copy of the</p><p>  

84、state machine context from the Listener thread. When</p><p>  communication with the WTP is complete, the Service thread is</p><p>  terminated and all associated resources are released. The s

85、tate</p><p>  machine transitions in Figure 4 are represented by alphabetic and</p><p>  punctuation characters.</p><p>  2.3.1. CAPWAP Protocol State Transitions</p><p&

86、gt;  This section describes the various state transitions, and the events</p><p>  that cause them. This section does not discuss interactions between</p><p>  DTLS- and CAPWAP-specific states.

87、 Those interactions, and DTLS-</p><p>  specific states and transitions, are discussed in Section 2.3.2.</p><p>  Start to Idle (0): This transition occurs once device initialization</p>

88、<p>  is complete.</p><p>  WTP: This state transition is used to start the WTP's CAPWAP</p><p>  state machine.</p><p>  AC: The AC creates the Discovery and Listener

89、 threads and starts</p><p>  the CAPWAP state machine.</p><p>  Idle to Discovery (1): This transition occurs to support the CAPWAP</p><p>  discovery process.</p><p>

90、  WTP: The WTP enters the Discovery state prior to transmitting the</p><p>  first Discovery Request message (see Section 5.1). Upon</p><p>  entering this state, the WTP sets the DiscoveryInt

91、erval</p><p>  timer (see Section 4.7). The WTP resets the DiscoveryCount</p><p>  counter to zero (0) (see Section 4.8). The WTP also clears</p><p>  all information from ACs it

92、may have received during a</p><p>  previous Discovery phase.</p><p>  AC: This state transition is executed by the AC's Discovery</p><p>  thread, and occurs when a Discovery

93、 Request message is</p><p>  received. The AC SHOULD respond with a Discovery Response</p><p>  message (see Section 5.2).</p><p>  Discovery to Discovery (#): In the Discovery st

94、ate, the WTP</p><p>  determines to which AC to connect.</p><p>  WTP: This transition occurs when the DiscoveryInterval timer</p><p>  expires. If the WTP is configured with a li

95、st of ACs, it</p><p>  transmits a Discovery Request message to every AC from which</p><p>  it has not received a Discovery Response message. For every</p><p>  transition to this

96、 event, the WTP increments the</p><p>  DiscoveryCount counter. See Section 5.1 for more</p><p>  information on how the WTP knows the ACs to which it should</p><p>  transmit the

97、Discovery Request messages. The WTP restarts</p><p>  the DiscoveryInterval timer whenever it transmits Discovery</p><p>  Request messages.</p><p>  AC: This is an invalid state

98、 transition for the AC.</p><p>  Discovery to Idle (2): This transition occurs on the AC's Discovery</p><p>  thread when the Discovery processing is complete.</p><p>  WTP: T

99、his is an invalid state transition for the WTP.</p><p>  AC: This state transition is executed by the AC's Discovery</p><p>  thread when it has transmitted the Discovery Response, in</

100、p><p>  response to a Discovery Request.</p><p>  Discovery to Sulking (!): This transition occurs on a WTP when AC</p><p>  Discovery fails.</p><p>  WTP: The WTP enter

101、s this state when the DiscoveryInterval timer</p><p>  expires and the DiscoveryCount variable is equal to the</p><p>  MaxDiscoveries variable (see Section 4.8). Upon entering</p><p

102、>  this state, the WTP MUST start the SilentInterval timer.</p><p>  While in the Sulking state, all received CAPWAP protocol</p><p>  messages MUST be ignored.</p><p>  AC: Th

103、is is an invalid state transition for the AC.</p><p>  Sulking to Idle (@): This transition occurs on a WTP when it must</p><p>  restart the Discovery phase.</p><p>  WTP: The WT

104、P enters this state when the SilentInterval timer (see</p><p>  Section 4.7) expires. The FailedDTLSSessionCount,</p><p>  DiscoveryCount, and FailedDTLSAuthFailCount counters are</p>&l

105、t;p>  reset to zero.</p><p>  AC: This is an invalid state transition for the AC.</p><p>  Sulking to Sulking (&): The Sulking state provides the silent</p><p>  period, m

106、inimizing the possibility for Denial-of-Service (DoS)</p><p><b>  attacks.</b></p><p>  WTP: All packets received from the AC while in the sulking state</p><p>  are ig

107、nored.</p><p>  AC: This is an invalid state transition for the AC.</p><p>  Idle to DTLS Setup (3): This transition occurs to establish a secure</p><p>  DTLS session with the p

108、eer.</p><p>  WTP: The WTP initiates this transition by invoking the DTLSStart</p><p>  command (see Section 2.3.2.1), which starts the DTLS session</p><p>  establishment with the

109、 chosen AC and the WaitDTLS timer is</p><p>  started (see Section 4.7). When the Discovery phase is</p><p>  bypassed, it is assumed the WTP has locally configured ACs.</p><p>  A

110、C: Upon entering the Idle state from the Start state, the newly</p><p>  created Listener thread automatically transitions to the</p><p>  DTLS Setup and invokes the DTLSListen command (see<

111、;/p><p>  Section 2.3.2.1), and the WaitDTLS timer is started (see</p><p>  Section 4.7).</p><p>  Discovery to DTLS Setup (%): This transition occurs to establish a</p><p&

112、gt;  secure DTLS session with the peer.</p><p>  WTP: The WTP initiates this transition by invoking the DTLSStart</p><p>  command (see Section 2.3.2.1), which starts the DTLS session</p>

溫馨提示

  • 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 眾賞文庫僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負責(zé)。
  • 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時也不承擔(dān)用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。

評論

0/150

提交評論