GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools

Problem, Formatting or Query -  Send Feedback

Was this page helpful?-10+1


rfc:rfc5412

Independent Submission P. Calhoun Request for Comments: 5412 R. Suri Category: Historic N. Cam-Winget ISSN: 2070-1721 Cisco Systems, Inc.

                                                           M. Williams
                                                 GWhiz Arts & Sciences
                                                              S. Hares
                                                             B. O'Hara
                                                               S.Kelly
                                                         February 2010
                 Lightweight Access Point Protocol

Abstract

 In recent years, there has been a shift in wireless LAN (WLAN)
 product architectures from autonomous access points to centralized
 control of lightweight access points.  The general goal has been to
 move most of the traditional wireless functionality such as access
 control (user authentication and authorization), mobility, and radio
 management out of the access point into a centralized controller.
 The IETF's CAPWAP (Control and Provisioning of Wireless Access
 Points) WG has identified that a standards-based protocol is
 necessary between a wireless Access Controller and Wireless
 Termination Points (the latter are also commonly referred to as
 Lightweight Access Points).  This specification defines the
 Lightweight Access Point Protocol (LWAPP), which addresses the
 CAPWAP's (Control and Provisioning of Wireless Access Points)
 protocol requirements.  Although the LWAPP protocol is designed to be
 flexible enough to be used for a variety of wireless technologies,
 this specific document describes the base protocol and an extension
 that allows it to be used with the IEEE's 802.11 wireless LAN
 protocol.

Status of This Memo

 This document is not an Internet Standards Track specification; it is
 published for the historical record.
 This document defines a Historic Document for the Internet community.
 This is a contribution to the RFC Series, independently of any other
 RFC stream.  The RFC Editor has chosen to publish this document at
 its discretion and makes no statement about its value for
 implementation or deployment.  Documents approved for publication by
 the RFC Editor are not a candidate for any level of Internet
 Standard; see Section 2 of RFC 5741.

Calhoun, et al. Historic [Page 1] RFC 5412 Lightweight Access Point Protocol February 2010

 Information about the current status of this document, any errata,
 and how to provide feedback on it may be obtained at
 http://www.rfc-editor.org/info/rfc5412.

IESG Note

 This RFC documents the LWAPP protocol as it was when submitted to the
 IETF as a basis for further work in the CAPWAP Working Group, and
 therefore it may resemble the CAPWAP protocol specification in RFC
 5415 as well as other IETF work.  This RFC is being published solely
 for the historical record.  The protocol described in this RFC has
 not been thoroughly reviewed and may contain errors and omissions.
 RFC 5415 documents the standards track solution for the CAPWAP
 Working Group and obsoletes any and all mechanisms defined in this
 RFC.  This RFC is not a candidate for any level of Internet Standard
 and should not be used as a basis for any sort of Internet
 deployment.

Copyright Notice

 Copyright (c) 2010 IETF Trust and the persons identified as the
 document authors.  All rights reserved.
 This document is subject to BCP 78 and the IETF Trust's Legal
 Provisions Relating to IETF Documents
 (http://trustee.ietf.org/license-info) in effect on the date of
 publication of this document.  Please review these documents
 carefully, as they describe your rights and restrictions with respect
 to this document.

Calhoun, et al. Historic [Page 2] RFC 5412 Lightweight Access Point Protocol February 2010

Table of Contents

 1. Introduction ....................................................8
    1.1. Conventions Used in This Document ..........................9
 2. Protocol Overview ..............................................10
    2.1. Wireless Binding Definition ...............................11
    2.2. LWAPP State Machine Definition ............................12
 3. LWAPP Transport Layers .........................................20
    3.1. LWAPP Transport Header ....................................21
         3.1.1. VER Field ..........................................21
         3.1.2. RID Field ..........................................21
         3.1.3. C Bit ..............................................21
         3.1.4. F Bit ..............................................21
         3.1.5. L Bit ..............................................22
         3.1.6. Fragment ID ........................................22
         3.1.7. Length .............................................22
         3.1.8. Status and WLANS ...................................22
         3.1.9. Payload ............................................22
    3.2. Using IEEE 802.3 MAC as LWAPP Transport ...................22
         3.2.1. Framing ............................................23
         3.2.2. AC Discovery .......................................23
         3.2.3. LWAPP Message Header Format over IEEE 802.3
                MAC Transport ......................................23
         3.2.4. Fragmentation/Reassembly ...........................24
         3.2.5. Multiplexing .......................................24
    3.3. Using IP/UDP as LWAPP Transport ...........................24
         3.3.1. Framing ............................................24
         3.3.2. AC Discovery .......................................25
         3.3.3. LWAPP Message Header Format over IP/UDP Transport ..25
         3.3.4. Fragmentation/Reassembly for IPv4 ..................26
         3.3.5. Fragmentation/Reassembly for IPv6 ..................26
         3.3.6. Multiplexing .......................................26
 4. LWAPP Packet Definitions .......................................26
    4.1. LWAPP Data Messages .......................................27
    4.2. LWAPP Control Messages Overview ...........................27
         4.2.1. Control Message Format .............................28
         4.2.2. Message Element Format .............................29
         4.2.3. Quality of Service .................................31
 5. LWAPP Discovery Operations .....................................31
    5.1. Discovery Request .........................................31
         5.1.1. Discovery Type .....................................32
         5.1.2. WTP Descriptor .....................................33
         5.1.3. WTP Radio Information ..............................34
    5.2. Discovery Response ........................................34
         5.2.1. AC Address .........................................35
         5.2.2. AC Descriptor ......................................35
         5.2.3. AC Name ............................................36
         5.2.4. WTP Manager Control IPv4 Address ...................37

Calhoun, et al. Historic [Page 3] RFC 5412 Lightweight Access Point Protocol February 2010

         5.2.5. WTP Manager Control IPv6 Address ...................37
    5.3. Primary Discovery Request .................................38
         5.3.1. Discovery Type .....................................38
         5.3.2. WTP Descriptor .....................................38
         5.3.3. WTP Radio Information ..............................38
    5.4. Primary Discovery Response ................................38
         5.4.1. AC Descriptor ......................................39
         5.4.2. AC Name ............................................39
         5.4.3. WTP Manager Control IPv4 Address ...................39
         5.4.4. WTP Manager Control IPv6 Address ...................39
 6. Control Channel Management .....................................39
    6.1. Join Request ..............................................39
         6.1.1. WTP Descriptor .....................................40
         6.1.2. AC Address .........................................40
         6.1.3. WTP Name ...........................................40
         6.1.4. Location Data ......................................41
         6.1.5. WTP Radio Information ..............................41
         6.1.6. Certificate ........................................41
         6.1.7. Session ID .........................................42
         6.1.8. Test ...............................................42
         6.1.9. XNonce .............................................42
    6.2. Join Response .............................................43
         6.2.1. Result Code ........................................44
         6.2.2. Status .............................................44
         6.2.3. Certificate ........................................45
         6.2.4. WTP Manager Data IPv4 Address ......................45
         6.2.5. WTP Manager Data IPv6 Address ......................45
         6.2.6. AC IPv4 List .......................................46
         6.2.7. AC IPv6 List .......................................46
         6.2.8. ANonce .............................................47
         6.2.9. PSK-MIC ............................................48
    6.3. Join ACK ..................................................48
         6.3.1. Session ID .........................................49
         6.3.2. WNonce .............................................49
         6.3.3. PSK-MIC ............................................49
    6.4. Join Confirm ..............................................49
         6.4.1. Session ID .........................................50
         6.4.2. PSK-MIC ............................................50
    6.5. Echo Request ..............................................50
    6.6. Echo Response .............................................50
    6.7. Key Update Request ........................................51
         6.7.1. Session ID .........................................51
         6.7.2. XNonce .............................................51
    6.8. Key Update Response .......................................51
         6.8.1. Session ID .........................................51
         6.8.2. ANonce .............................................51
         6.8.3. PSK-MIC ............................................52
    6.9. Key Update ACK ............................................52

Calhoun, et al. Historic [Page 4] RFC 5412 Lightweight Access Point Protocol February 2010

         6.9.1. WNonce .............................................52
         6.9.2. PSK-MIC ............................................52
    6.10. Key Update Confirm .......................................52
         6.10.1. PSK-MIC ...........................................52
    6.11. Key Update Trigger .......................................52
         6.11.1. Session ID ........................................53
 7. WTP Configuration Management ...................................53
    7.1. Configuration Consistency .................................53
    7.2. Configure Request .........................................54
         7.2.1. Administrative State ...............................54
         7.2.2. AC Name ............................................55
         7.2.3. AC Name with Index .................................55
         7.2.4. WTP Board Data .....................................56
         7.2.5. Statistics Timer ...................................56
         7.2.6. WTP Static IP Address Information ..................57
         7.2.7. WTP Reboot Statistics ..............................58
    7.3. Configure Response ........................................58
         7.3.1. Decryption Error Report Period .....................59
         7.3.2. Change State Event .................................59
         7.3.3. LWAPP Timers .......................................60
         7.3.4. AC IPv4 List .......................................60
         7.3.5. AC IPv6 List .......................................61
         7.3.6. WTP Fallback .......................................61
         7.3.7. Idle Timeout .......................................61
    7.4. Configuration Update Request ..............................62
         7.4.1. WTP Name ...........................................62
         7.4.2. Change State Event .................................62
         7.4.3. Administrative State ...............................62
         7.4.4. Statistics Timer ...................................62
         7.4.5. Location Data ......................................62
         7.4.6. Decryption Error Report Period .....................62
         7.4.7. AC IPv4 List .......................................62
         7.4.8. AC IPv6 List .......................................62
         7.4.9. Add Blacklist Entry ................................63
         7.4.10. Delete Blacklist Entry ............................63
         7.4.11. Add Static Blacklist Entry ........................64
         7.4.12. Delete Static Blacklist Entry .....................64
         7.4.13. LWAPP Timers ......................................65
         7.4.14. AC Name with Index ................................65
         7.4.15. WTP Fallback ......................................65
         7.4.16. Idle Timeout ......................................65
    7.5. Configuration Update Response .............................65
         7.5.1. Result Code ........................................65
    7.6. Change State Event Request ................................65
         7.6.1. Change State Event .................................66
    7.7. Change State Event Response ...............................66
    7.8. Clear Config Indication ...................................66
 8. Device Management Operations ...................................66

Calhoun, et al. Historic [Page 5] RFC 5412 Lightweight Access Point Protocol February 2010

    8.1. Image Data Request ........................................66
         8.1.1. Image Download .....................................67
         8.1.2. Image Data .........................................67
    8.2. Image Data Response .......................................68
    8.3. Reset Request .............................................68
    8.4. Reset Response ............................................68
    8.5. WTP Event Request .........................................68
         8.5.1. Decryption Error Report ............................69
         8.5.2. Duplicate IPv4 Address .............................69
         8.5.3. Duplicate IPv6 Address .............................70
    8.6. WTP Event Response ........................................70
    8.7. Data Transfer Request .....................................71
         8.7.1. Data Transfer Mode .................................71
         8.7.2. Data Transfer Data .................................71
    8.8. Data Transfer Response ....................................72
 9. Mobile Session Management ......................................72
    9.1. Mobile Config Request .....................................72
         9.1.1. Delete Mobile ......................................73
    9.2. Mobile Config Response ....................................73
         9.2.1. Result Code ........................................74
 10. LWAPP Security ................................................74
    10.1. Securing WTP-AC Communications ...........................74
    10.2. LWAPP Frame Encryption ...................................75
    10.3. Authenticated Key Exchange ...............................76
         10.3.1. Terminology .......................................76
         10.3.2. Initial Key Generation ............................77
         10.3.3. Refreshing Cryptographic Keys .....................81
    10.4. Certificate Usage ........................................82
 11. IEEE 802.11 Binding ...........................................82
    11.1. Division of Labor ........................................82
         11.1.1. Split MAC .........................................83
         11.1.2. Local MAC .........................................85
    11.2. Roaming Behavior and 802.11 Security .....................87
    11.3. Transport-Specific Bindings ..............................88
         11.3.1. Status and WLANS Field ............................88
    11.4. BSSID to WLAN ID Mapping .................................89
    11.5. Quality of Service .......................................89
    11.6. Data Message Bindings ....................................90
    11.7. Control Message Bindings .................................90
         11.7.1. Mobile Config Request .............................90
         11.7.2. WTP Event Request .................................96
    11.8. 802.11 Control Messages ..................................97
         11.8.1. IEEE 802.11 WLAN Config Request ...................98
         11.8.2. IEEE 802.11 WLAN Config Response .................103
         11.8.3. IEEE 802.11 WTP Event ............................103
    11.9. Message Element Bindings ................................105
         11.9.1. IEEE 802.11 WTP WLAN Radio Configuration .........105
         11.9.2. IEEE 802.11 Rate Set .............................107

Calhoun, et al. Historic [Page 6] RFC 5412 Lightweight Access Point Protocol February 2010

         11.9.3. IEEE 802.11 Multi-Domain Capability ..............107
         11.9.4. IEEE 802.11 MAC Operation ........................108
         11.9.5. IEEE 802.11 Tx Power .............................109
         11.9.6. IEEE 802.11 Tx Power Level .......................110
         11.9.7. IEEE 802.11 Direct Sequence Control ..............110
         11.9.8. IEEE 802.11 OFDM Control .........................111
         11.9.9. IEEE 802.11 Antenna ..............................112
         11.9.10. IEEE 802.11 Supported Rates .....................113
         11.9.11. IEEE 802.11 CFP Status ..........................114
         11.9.12. IEEE 802.11 WTP Mode and Type ...................114
         11.9.13. IEEE 802.11 Broadcast Probe Mode ................115
         11.9.14. IEEE 802.11 WTP Quality of Service ..............115
         11.9.15. IEEE 802.11 MIC Error Report From Mobile ........117
    11.10. IEEE 802.11 Message Element Values .....................117
 12. LWAPP Protocol Timers ........................................118
    12.1. MaxDiscoveryInterval ....................................118
    12.2. SilentInterval ..........................................118
    12.3. NeighborDeadInterval ....................................118
    12.4. EchoInterval ............................................118
    12.5. DiscoveryInterval .......................................118
    12.6. RetransmitInterval ......................................119
    12.7. ResponseTimeout .........................................119
    12.8. KeyLifetime .............................................119
 13. LWAPP Protocol Variables .....................................119
    13.1. MaxDiscoveries ..........................................119
    13.2. DiscoveryCount ..........................................119
    13.3. RetransmitCount .........................................119
    13.4. MaxRetransmit ...........................................120
 14. NAT Considerations ...........................................120
 15. Security Considerations ......................................121
    15.1. Certificate-Based Session Key Establishment .............122
    15.2. PSK-Based Session Key Establishment .....................123
 16. Acknowledgements .............................................123
 17. References ...................................................123
    17.1. Normative References ....................................123
    17.2. Informative References ..................................124

Calhoun, et al. Historic [Page 7] RFC 5412 Lightweight Access Point Protocol February 2010

1. Introduction

 Unlike wired network elements, Wireless Termination Points (WTPs)
 require a set of dynamic management and control functions related to
 their primary task of connecting the wireless and wired mediums.
 Today, protocols for managing WTPs are either manual static
 configuration via HTTP, proprietary Layer 2-specific, or non-existent
 (if the WTPs are self-contained).  The emergence of simple 802.11
 WTPs that are managed by a WLAN appliance or switch (also known as an
 Access Controller, or AC) suggests that having a standardized,
 interoperable protocol could radically simplify the deployment and
 management of wireless networks.  In many cases, the overall control
 and management functions themselves are generic and could apply to an
 AP for any wireless Layer 2 (L2) protocol.  Being independent of
 specific wireless Layer 2 technologies, such a protocol could better
 support interoperability between Layer 2 devices and enable smoother
 intertechnology handovers.
 The details of how these functions would be implemented are dependent
 on the particular Layer 2 wireless technology.  Such a protocol would
 need provisions for binding to specific technologies.
 LWAPP assumes a network configuration that consists of multiple WTPs
 communicating either via Layer 2 (Medium Access Control (MAC)) or
 Layer 3 (IP) to an AC.  The WTPs can be considered as remote radio
 frequency (RF) interfaces, being controlled by the AC.  The AC
 forwards all L2 frames it wants to transmit to a WTP via the LWAPP
 protocol.  Packets from mobile nodes are forwarded by the WTP to the
 AC, also via this protocol.  Figure 1 illustrates this arrangement as
 applied to an IEEE 802.11 binding.
                +-+         802.11 frames          +-+
                | |--------------------------------| |
                | |              +-+               | |
                | |--------------| |---------------| |
                | |  802.11 PHY/ | |     LWAPP     | |
                | | MAC sublayer | |               | |
                +-+              +-+               +-+
                STA              WTP                AC
                      Figure 1: LWAPP Architecture

Calhoun, et al. Historic [Page 8] RFC 5412 Lightweight Access Point Protocol February 2010

 Security is another aspect of Wireless Termination Point management
 that is not well served by existing solutions.  Provisioning WTPs
 with security credentials, and managing which WTPs are authorized to
 provide service are today handled by proprietary solutions.  Allowing
 these functions to be performed from a centralized AC in an
 interoperable fashion increases manageability and allows network
 operators to more tightly control their wireless network
 infrastructure.
 This document describes the Lightweight Access Point Protocol
 (LWAPP), allowing an AC to manage a collection of WTPs.  The protocol
 is defined to be independent of Layer 2 technology, but an 802.11
 binding is provided for use in growing 802.11 wireless LAN networks.
 Goals:
 The following are goals for this protocol:
 1. Centralization of the bridging, forwarding, authentication, and
    policy enforcement functions for a wireless network.  Optionally,
    the AC may also provide centralized encryption of user traffic.
    This will permit reduced cost and higher efficiency when applying
    the capabilities of network processing silicon to the wireless
    network, as it has already been applied to wired LANs.
 2. Permit shifting of the higher-level protocol processing burden
    away from the WTP.  This leaves the computing resource of the WTP
    to the timing-critical applications of wireless control and
    access.  This makes the most efficient use of the computing power
    available in WTPs that are the subject of severe cost pressure.
 3. Providing a generic encapsulation and transport mechanism, the
    protocol may be applied to other access point types in the future
    by adding the binding.
 The LWAPP protocol concerns itself solely with the interface between
 the WTP and the AC.  Inter-AC, or mobile-to-AC communication is
 strictly outside the scope of this document.

1.1. Conventions Used in This Document

 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 document are to be interpreted as described in RFC 2119 [1].

Calhoun, et al. Historic [Page 9] RFC 5412 Lightweight Access Point Protocol February 2010

2. Protocol Overview

 LWAPP is a generic protocol defining how Wireless Termination Points
 communicate with Access Controllers.  Wireless Termination Points and
 Access Controllers may communicate either by means of Layer 2
 protocols or by means of a routed IP network.
 LWAPP messages and procedures defined in this document apply to both
 types of transports unless specified otherwise.  Transport
 independence is achieved by defining formats for both MAC-level and
 IP-level transport (see Section 3).  Also defined are framing,
 fragmentation/reassembly, and multiplexing services to LWAPP for each
 transport type.
 The LWAPP Transport layer carries two types of payload.  LWAPP data
 messages are forwarded wireless frames.  LWAPP control messages are
 management messages exchanged between a WTP and an AC.  The LWAPP
 transport header defines the "C-bit", which is used to distinguish
 data and control traffic.  When used over IP, the LWAPP data and
 control traffic are also sent over separate UDP ports.  Since both
 data and control frames can exceed Path Maximum Transmission Unit
 (PMTU), the payload of an LWAPP data or control message can be
 fragmented.  The fragmentation behavior is highly dependent upon the
 lower-layer transport and is defined in Section 3.
 The Lightweight Access Protocol (LWAPP) begins with a discovery
 phase.  The WTPs send a Discovery Request frame, causing any Access
 Controller (AC), receiving that frame to respond with a Discovery
 Response.  From the Discovery Responses received, a WTP will select
 an AC with which to associate, using the Join Request and Join
 Response.  The Join Request also provides an MTU discovery mechanism,
 to determine whether there is support for the transport of large
 frames between the WTP and its AC.  If support for large frames is
 not present, the LWAPP frames will be fragmented to the maximum
 length discovered to be supported by the network.
 Once the WTP and the AC have joined, a configuration exchange is
 accomplished that will cause both devices to agree on version
 information.  During this exchange, the WTP may receive provisioning
 settings.  For the 802.11 binding, this information would typically
 include a name (802.11 Service Set Identifier, SSID), and security
 parameters, the data rates to be advertised, as well as the radio
 channel (channels, if the WTP is capable of operating more than one
 802.11 MAC and Physical Layer (PHY) simultaneously) to be used.
 Finally, the WTPs are enabled for operation.

Calhoun, et al. Historic [Page 10] RFC 5412 Lightweight Access Point Protocol February 2010

 When the WTP and AC have completed the version and provision exchange
 and the WTP is enabled, the LWAPP encapsulates the wireless frames
 sent between them.  LWAPP will fragment its packets, if the size of
 the encapsulated wireless user data (Data) or protocol control
 (Management) frames cause the resultant LWAPP packet to exceed the
 MTU supported between the WTP and AC.  Fragmented LWAPP packets are
 reassembled to reconstitute the original encapsulated payload.
 In addition to the functions thus far described, LWAPP also provides
 for the delivery of commands from the AC to the WTP for the
 management of devices that are communicating with the WTP.  This may
 include the creation of local data structures in the WTP for the
 managed devices and the collection of statistical information about
 the communication between the WTP and the 802.11 devices.  LWAPP
 provides the ability for the AC to obtain any statistical information
 collected by the WTP.
 LWAPP also provides for a keepalive feature that preserves the
 communication channel between the WTP and AC.  If the AC fails to
 appear alive, the WTP will try to discover a new AC to communicate
 through.
 This document uses terminology defined in [5].

2.1. Wireless Binding Definition

 This draft standard specifies a protocol independent of a specific
 wireless access point radio technology.  Elements of the protocol are
 designed to accommodate specific needs of each wireless technology in
 a standard way.  Implementation of this standard for a particular
 wireless technology must follow the binding requirements defined for
 that technology.  This specification includes a binding for the IEEE
 802.11 (see Section 11).
 When defining a binding for other technologies, the authors MUST
 include any necessary definitions for technology-specific messages
 and all technology-specific message elements for those messages.  At
 a minimum, a binding MUST provide the definition for a binding-
 specific Statistics message element, which is carried in the WTP
 Event Request message, and Add Mobile message element, which is
 carried in the Mobile Configure Request.  If any technology-specific
 message elements are required for any of the existing LWAPP messages
 defined in this specification, they MUST also be defined in the
 technology-binding document.
 The naming of binding-specific message elements MUST begin with the
 name of the technology type, e.g., the binding for IEEE 802.11,
 provided in this standard, begins with "IEEE 802.11".

Calhoun, et al. Historic [Page 11] RFC 5412 Lightweight Access Point Protocol February 2010

2.2. LWAPP State Machine Definition

 The following state diagram represents the life cycle of a WTP-AC
 session:
    /-------------\
    |             v
    |       +------------+
    |      C|    Idle    |<-----------------------------------\
    |       +------------+<-----------------------\           |
    |        ^    |a    ^                         |           |
    |        |    |     \----\                    |           |
    |        |    |          |                 +------------+ |
    |        |    |          |          -------| Key Confirm| |
    |        |    |          |        w/       +------------+ |
    |        |    |          |        |           ^           |
    |        |    |          |t       V           |5          |
    |        |    |        +-----------+       +------------+ |
    |       /     |       C|    Run    |       | Key Update | |
    |     /       |       r+-----------+------>+------------+ |
    |    /        |              ^    |s      u        x|     |
    |   |         v              |    |                 |     |
    |   |   +--------------+     |    |                 v     |y
    |   |  C|  Discovery   |    q|    \--------------->+-------+
    |   |  b+--------------+    +-------------+        | Reset |
    |   |     |d     f|  ^      |  Configure  |------->+-------+
    |   |     |       |  |      +-------------+p           ^
    |   |e    v       |  |              ^                  |
    |  +---------+    v  |i            2|                  |
    | C| Sulking |   +------------+    +--------------+    |
    |  +---------+  C|    Join    |--->| Join-Confirm |    |
    |               g+------------+z   +--------------+    |
    |                   |h      m|        3|       |4      |
    |                   |        |         |       v       |o
    |\                  |        |         |     +------------+
     \\-----------------/         \--------+---->| Image Data |C
      \------------------------------------/     +------------+n
                      Figure 2: LWAPP State Machine
 The LWAPP state machine, depicted above, is used by both the AC and
 the WTP.  For every state defined, only certain messages are
 permitted to be sent and received.  In all of the LWAPP control
 messages defined in this document, the state for which each command
 is valid is specified.

Calhoun, et al. Historic [Page 12] RFC 5412 Lightweight Access Point Protocol February 2010

 Note that in the state diagram figure above, the 'C' character is
 used to represent a condition that causes the state to remain the
 same.
 The following text discusses the various state transitions, and the
 events that cause them.
 Idle to Discovery (a):  This is the initialization state.
    WTP:  The WTP enters the Discovery state prior to transmitting the
          first Discovery Request (see Section 5.1).  Upon entering
          this state, the WTP sets the DiscoveryInterval timer (see
          Section 12).  The WTP resets the DiscoveryCount counter to
          zero (0) (see Section 13).  The WTP also clears all
          information from ACs (e.g., AC Addresses) it may have
          received during a previous discovery phase.
     AC:  The AC does not need to maintain state information for the
          WTP upon reception of the Discovery Request, but it MUST
          respond with a Discovery Response (see Section 5.2).
 Discovery to Discovery (b):  This is the state the WTP uses to
 determine to which AC it wishes to connect.
    WTP:  This event occurs when the DiscoveryInterval timer expires.
          The WTP transmits a Discovery Request to every AC to which
          the WTP hasn't received a response.  For every transition to
          this event, the WTP increments the DisoveryCount counter.
          See Section 5.1 for more information on how the WTP knows to
          which ACs it should transmit the Discovery Requests.  The
          WTP restarts the DiscoveryInterval timer.
     AC:  This is a noop.
 Discovery to Sulking (d):  This state occurs on a WTP when Discovery
 or connectivity to the AC fails.
    WTP:  The WTP enters this state when the DiscoveryInterval timer
          expires and the DiscoveryCount variable is equal to the
          MaxDiscoveries variable (see Section 13).  Upon entering
          this state, the WTP will start the SilentInterval timer.
          While in the Sulking state, all LWAPP messages received are
          ignored.
     AC:  This is a noop.
 Sulking to Idle (e):  This state occurs on a WTP when it must restart
 the discovery phase.

Calhoun, et al. Historic [Page 13] RFC 5412 Lightweight Access Point Protocol February 2010

    WTP:  The WTP enters this state when the SilentInterval timer (see
          Section 12) expires.
     AC:  This is a noop.
 Discovery to Join (f):  This state is used by the WTP to confirm its
 commitment to an AC that it wishes to be provided service.
    WTP:  The WTP selects the best AC based on the information it
          gathered during the discovery phase.  It then transmits a
          Join Request (see Section 6.1) to its preferred AC.  The WTP
          starts the WaitJoin timer (see Section 12).
     AC:  The AC enters this state for the given WTP upon reception of
          a Join Request.  The AC processes the request and responds
          with a Join Response.
 Join to Join (g):  This state transition occurs during the join
 phase.
    WTP:  The WTP enters this state when the WaitJoin timer expires,
          and the underlying transport requires LWAPP MTU detection
          (Section 3).
     AC:  This state occurs when the AC receives a retransmission of a
          Join Request.  The WTP processes the request and responds
          with the Join Response.
 Join to Idle (h):  This state is used when the join process has
 failed.
    WTP:  This state transition occurs if the WTP is configured to use
          pre-shared key (PSK) security and receives a Join Response
          that includes an invalid PSK-MIC (Message Integrity Check)
          message element.
     AC:  The AC enters this state when it transmits an unsuccessful
          Join Response.
 Join to Discovery (i):  This state is used when the join process has
 failed.
    WTP:  The WTP enters this state when it receives an unsuccessful
          Join Response.  Upon entering this state, the WTP sets the
          DiscoveryInterval timer (see Section 12).  The WTP resets
          the DiscoveryCount counter to zero (0) (see Section 13).
          This state transition may also occur if the PSK-MIC (see
          Section 6.2.9) message element is invalid.

Calhoun, et al. Historic [Page 14] RFC 5412 Lightweight Access Point Protocol February 2010

     AC:  This state transition is invalid.
 Join to Join-Confirm (z):  This state is used to provide key
 confirmation during the join process.
    WTP:  This state is entered when the WTP receives a Join Response.
          In the event that certificate-based security is utilized,
          this transition will occur if the Certificate message
          element is present and valid in the Join Response.  For pre-
          shared key security, the Join Response must include a valid
          and authenticated PSK-MIC message element.  The WTP MUST
          respond with a Join ACK, which is used to provide key
          confirmation.
     AC:  The AC enters this state when it receives a valid Join ACK.
          For certificate-based security, the Join ACK MUST include
          the WNonce message element.  For pre-shared key security,
          the message must include a valid PSK-MIC message element.
          The AC MUST respond with a Join Confirm message, which
          includes the Session Key message element.
 Join-Confirm to Idle (3):  This state is used when the join process
 has failed.
    WTP:  This state transition occurs when the WTP receives an
          invalid Join Confirm.
     AC:  The AC enters this state when it receives an invalid Join
          ACK.
 Join-Confirm to Configure (2):  This state is used by the WTP and the
 AC to exchange configuration information.
    WTP:  The WTP enters this state when it receives a successful Join
          Confirm and determines that its version number and the
          version number advertised by the AC are the same.  The WTP
          transmits the Configure Request (see Section 7.2) message to
          the AC with a snapshot of its current configuration.  The
          WTP also starts the ResponseTimeout timer (see Section 12).
     AC:  This state transition occurs when the AC receives the
          Configure Request from the WTP.  The AC must transmit a
          Configure Response (see Section 7.3) to the WTP, and may
          include specific message elements to override the WTP's
          configuration.

Calhoun, et al. Historic [Page 15] RFC 5412 Lightweight Access Point Protocol February 2010

 Join-Confirm to Image Data (4):  This state is used by the WTP and
 the AC to download executable firmware.
    WTP:  The WTP enters this state when it receives a successful Join
          Confirm, and determines that its version number and the
          version number advertised by the AC are different.  The WTP
          transmits the Image Data Request (see Section 8.1) message
          requesting that the AC's latest firmware be initiated.
     AC:  This state transition occurs when the AC receives the Image
          Data Request from the WTP.  The AC must transmit an Image
          Data Response (see Section 8.2) to the WTP, which includes a
          portion of the firmware.
 Image Data to Image Data (n):  This state is used by the WTP and the
 AC during the firmware download phase.
    WTP:  The WTP enters this state when it receives an Image Data
          Response that indicates that the AC has more data to send.
     AC:  This state transition occurs when the AC receives the Image
          Data Request from the WTP while already in this state, and
          it detects that the firmware download has not completed.
 Image Data to Reset (o):  This state is used when the firmware
 download is completed.
    WTP:  The WTP enters this state when it receives an Image Data
          Response that indicates that the AC has no more data to
          send, or if the underlying LWAPP transport indicates a link
          failure.  At this point, the WTP reboots itself.
     AC:  This state transition occurs when the AC receives the Image
          Data Request from the WTP while already in this state, and
          it detects that the firmware download has completed or if
          the underlying LWAPP transport indicates a link failure.
          Note that the AC itself does not reset, but it places the
          specific WTP's context it is communicating with in the reset
          state: meaning that it clears all state associated with the
          WTP.
 Configure to Reset (p):  This state transition occurs if the
 configure phase fails.
    WTP:  The WTP enters this state when the reliable transport fails
          to deliver the Configure Request, or if the ResponseTimeout
          timer (see Section 12) expires.

Calhoun, et al. Historic [Page 16] RFC 5412 Lightweight Access Point Protocol February 2010

     AC:  This state transition occurs if the AC is unable to transmit
          the Configure Response to a specific WTP.  Note that the AC
          itself does not reset, but it places the specific WTP's
          context it is communicating with in the reset state: meaning
          that it clears all state associated with the WTP.
 Configure to Run (q):  This state transition occurs when the WTP and
 AC enter their normal state of operation.
    WTP:  The WTP enters this state when it receives a successful
          Configure Response from the AC.  The WTP initializes the
          HeartBeat timer (see Section 12), and transmits the Change
          State Event Request message (see Section 7.6).
     AC:  This state transition occurs when the AC receives the Change
          State Event Request (see Section 7.6) from the WTP.  The AC
          responds with a Change State Event Response (see Section
          7.7) message.  The AC must start the Session ID and
          NeighborDead timers (see Section 12).
 Run to Run (r):  This is the normal state of operation.
    WTP:  This is the WTP's normal state of operation, and there are
          many events that cause this to occur:
       Configuration Update:  The WTP receives a Configuration Update
       Request (see Section 7.4).  The WTP MUST respond with a
       Configuration Update Response (see Section 7.5).
       Change State Event:  The WTP receives a Change State Event
       Response, or determines that it must initiate a Change State
       Event Request, as a result of a failure or change in the state
       of a radio.
       Echo Request:  The WTP receives an Echo Request message
       (Section 6.5), to which it MUST respond with an Echo Response
       (see Section 6.6).
       Clear Config Indication:  The WTP receives a Clear Config
       Indication message (Section 7.8).  The WTP MUST reset its
       configuration back to manufacturer defaults.
       WTP Event:  The WTP generates a WTP Event Request to send
       information to the AC (Section 8.5).  The WTP receives a WTP
       Event Response from the AC (Section 8.6).

Calhoun, et al. Historic [Page 17] RFC 5412 Lightweight Access Point Protocol February 2010

       Data Transfer:  The WTP generates a Data Transfer Request to
       the AC (Section 8.7).  The WTP receives a Data Transfer
       Response from the AC (Section 8.8).
       WLAN Config Request:  The WTP receives a WLAN Config Request
       message (Section 11.8.1), to which it MUST respond with a WLAN
       Config Response (see Section 11.8.2).
       Mobile Config Request:  The WTP receives an Mobile Config
       Request message (Section 9.1), to which it MUST respond with a
       Mobile Config Response (see Section 9.2).
     AC:  This is the AC's normal state of operation, and there are
          many events that cause this to occur:
       Configuration Update:  The AC sends a Configuration Update
       Request (see Section 7.4) to the WTP to update its
       configuration.  The AC receives a Configuration Update Response
       (see Section 7.5) from the WTP.
       Change State Event:  The AC receives a Change State Event
       Request (see Section 7.6), to which it MUST respond with the
       Change State Event Response (see Section 7.7).
       Echo:  The AC sends an Echo Request message (Section 6.5) or
       receives the associated Echo Response (see Section 6.6) from
       the WTP.
       Clear Config Indication:  The AC sends a Clear Config
       Indication message (Section 7.8).
       WLAN Config:  The AC sends a WLAN Config Request message
       (Section 11.8.1) or receives the associated WLAN Config
       Response (see Section 11.8.2) from the WTP.
       Mobile Config:  The AC sends a Mobile Config Request message
       (Section 9.1) or receives the associated Mobile Config Response
       (see Section 9.2) from the WTP.
       Data Transfer:  The AC receives a Data Transfer Request from
       the AC (see Section 8.7) and MUST generate the associated Data
       Transfer Response message (see Section 8.8).
       WTP Event:  The AC receives a WTP Event Request from the AC
       (see Section 8.5) and MUST generate the associated WTP Event
       Response message (see Section 8.6).

Calhoun, et al. Historic [Page 18] RFC 5412 Lightweight Access Point Protocol February 2010

 Run to Reset (s):  This event occurs when the AC wishes for the WTP
 to reboot.
    WTP:  The WTP enters this state when it receives a Reset Request
          (see Section 8.3).  It must respond with a Reset Response
          (see Section 8.4), and once the reliable transport
          acknowledgement has been received, it must reboot itself.
     AC:  This state transition occurs either through some
          administrative action, or via some internal event on the AC
          that causes it to request that the WTP disconnect.  Note
          that the AC itself does not reset, but it places the
          specific WTPs context it is communicating with in the reset
          state.
 Run to Idle (t):  This event occurs when an error occurs in the
 communication between the WTP and the AC.
    WTP:  The WTP enters this state when the underlying reliable
          transport is unable to transmit a message within the
          RetransmitInterval timer (see Section 12), and the maximum
          number of RetransmitCount counter has reached the
          MaxRetransmit variable (see Section 13).
     AC:  The AC enters this state when the underlying reliable
          transport in unable to transmit a message within the
          RetransmitInterval timer (see Section 12), and the maximum
          number of RetransmitCount counter has reached the
          MaxRetransmit variable (see Section 13).
 Run to Key Update (u):  This event occurs when the WTP and the AC are
 to exchange new keying material, with which it must use to protect
 all future messages.
    WTP:  This state transition occurs when the KeyLifetime timer
          expires (see Section 12).
     AC:  The WTP enters this state when it receives a Key Update
          Request (see Section 6.7).
 Key Update to Key Confirm (w):  This event occurs during the rekey
 phase and is used to complete the loop.
    WTP:  This state transition occurs when the WTP receives the Key
          Update Response.  The WTP MUST only accept the message if it
          is authentic.  The WTP responds to this response with a Key
          Update ACK.

Calhoun, et al. Historic [Page 19] RFC 5412 Lightweight Access Point Protocol February 2010

     AC:  The AC enters this state when it receives an authenticated
          Key Update ACK message.
 Key Confirm to Run (5):  This event occurs when the rekey exchange
 phase is completed.
    WTP:  This state transition occurs when the WTP receives the Key
          Update Confirm.  The newly derived encryption key and
          Initialization Vector (IV) must be plumbed into the crypto
          module after validating the message's authentication.
     AC:  The AC enters this state when it transmits the Key Update
          Confirm message.  The newly derived encryption key and IV
          must be plumbed into the crypto module after transmitting a
          Key Update Confirm message.
 Key Update to Reset (x):  This event occurs when the key exchange
 phase times out.
    WTP:  This state transition occurs when the WTP does not receive a
          Key Update Response from the AC.
     AC:  The AC enters this state when it is unable to process a Key
          Update Request.
 Reset to Idle (y):  This event occurs when the state machine is
 restarted.
    WTP:  The WTP reboots itself.  After rebooting, the WTP will start
          its LWAPP state machine in the Idle state.
     AC:  The AC clears out any state associated with the WTP.  The AC
          generally does this as a result of the reliable link layer
          timing out.

3. LWAPP Transport Layers

 The LWAPP protocol can operate at Layer 2 or 3.  For Layer 2 support,
 the LWAPP messages are carried in a native Ethernet frame.  As such,
 the protocol is not routable and depends upon Layer 2 connectivity
 between the WTP and the AC.  Layer 3 support is provided by
 encapsulating the LWAPP messages within UDP.

Calhoun, et al. Historic [Page 20] RFC 5412 Lightweight Access Point Protocol February 2010

3.1. LWAPP Transport Header

 All LWAPP protocol packets are encapsulated using a common header
 format, regardless of the transport used to carry the frames.
 However, certain flags are not applicable for a given transport, and
 it is therefore necessary to refer to the specific transport section
 in order to determine which flags are valid.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |VER| RID |C|F|L|    Frag ID    |            Length             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Status/WLANs         |   Payload...  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.1.1. VER Field

 A 2-bit field that contains the version of LWAPP used in this packet.
 The value for this document is 0.

3.1.2. RID Field

 A 3-bit field that contains the Radio ID number for this packet.
 WTPs with multiple radios but a single MAC address use this field to
 indicate which radio is associated with the packet.

3.1.3. C Bit

 The control message 'C' bit indicates whether this packet carries a
 data or control message.  When this bit is zero (0), the packet
 carries an LWAPP data message in the payload (see Section 4.1).  When
 this bit is one (1), the packet carries an LWAPP control message as
 defined in Section 4.2 for consumption by the addressed destination.

3.1.4. F Bit

 The Fragment 'F' bit indicates whether this packet is a fragment.
 When this bit is one (1), the packet is a fragment and MUST be
 combined with the other corresponding fragments to reassemble the
 complete information exchanged between the WTP and AC.

Calhoun, et al. Historic [Page 21] RFC 5412 Lightweight Access Point Protocol February 2010

3.1.5. L Bit

 The Not Last 'L' bit is valid only if the 'F' bit is set and
 indicates whether the packet contains the last fragment of a
 fragmented exchange between the WTP and AC.  When this bit is 1, the
 packet is not the last fragment.  When this bit is 0, the packet is
 the last fragment.

3.1.6. Fragment ID

 An 8-bit field whose value is assigned to each group of fragments
 making up a complete set.  The Fragment ID space is managed
 individually for every WTP/AC pair.  The value of Fragment ID is
 incremented with each new set of fragments.  The Fragment ID wraps to
 zero after the maximum value has been used to identify a set of
 fragments.  LWAPP only supports up to 2 fragments per frame.

3.1.7. Length

 The 16-bit length field contains the number of bytes in the Payload.
 The field is encoded as an unsigned number.  If the LWAPP packet is
 encrypted, the length field includes the Advanced Encryption Standard
 Counter with CBC-MAC (AES-CCM) MIC (see Section 10.2 for more
 information).

3.1.8. Status and WLANS

 The interpretation of this 16-bit field is binding-specific.  Refer
 to the transport portion of the binding for a wireless technology for
 the specification.

3.1.9. Payload

 This field contains the header for an LWAPP data message or LWAPP
 control message, followed by the data associated with that message.

3.2. Using IEEE 802.3 MAC as LWAPP Transport

 This section describes how the LWAPP protocol is provided over native
 Ethernet frames.  An LWAPP packet is formed from the MAC frame
 header, followed by the LWAPP message header.  The following figure
 provides an example of the frame formats used when LWAPP is used over
 the IEEE 802.3 transport.

Calhoun, et al. Historic [Page 22] RFC 5412 Lightweight Access Point Protocol February 2010

    Layer 2 LWAPP Data Frame
    +-----------------------------------------------------------+
    | MAC Header | LWAPP Header [C=0] | Forwarded Data ...      |
    +-----------------------------------------------------------+
    Layer 2 LWAPP Control Frame
    +---------------------------------------------------+
    | MAC Header | LWAPP Header [C=1] | Control Message |
    +---------------------------------------------------+
    | Message Elements ... |
    +----------------------+

3.2.1. Framing

 Source Address
 A MAC address belonging to the interface from which this message is
 sent.  If multiple source addresses are configured on an interface,
 then the one chosen is implementation-dependent.
 Destination Address
 A MAC address belonging to the interface to which this message is to
 be sent.  This destination address MAY be either an individual
 address or a multicast address, if more than one destination
 interface is intended.
 Ethertype
 The Ethertype field is set to 0x88bb.

3.2.2. AC Discovery

 When run over IEEE 802.3, LWAPP messages are distributed to a
 specific MAC-level broadcast domain.  The AC discovery mechanism used
 with this transport is for a WTP to transmit a Discovery Request
 message to a broadcast destination MAC address.  The ACs will receive
 this message and reply based on their policy.

3.2.3. LWAPP Message Header Format over IEEE 802.3 MAC Transport

 All of the fields described in Section 3.1 are used when LWAPP uses
 the IEEE 802.3 MAC transport.

Calhoun, et al. Historic [Page 23] RFC 5412 Lightweight Access Point Protocol February 2010

3.2.4. Fragmentation/Reassembly

 Fragmentation at the MAC layer is managed using the F, L, and Frag ID
 fields of the LWAPP message header.  The LWAPP protocol only allows a
 single packet to be fragmented into 2, which is sufficient for a
 frame that exceeds MTU due to LWAPP encapsulation.  When used with
 Layer 2 (Ethernet) transport, both fragments MUST include the LWAPP
 header.

3.2.5. Multiplexing

 LWAPP control messages and data messages are distinguished by the 'C'
 bit in the LWAPP message header.

3.3. Using IP/UDP as LWAPP Transport

 This section defines how LWAPP makes use of IP/UDP transport between
 the WTP and the AC.  When this transport is used, the MAC layer is
 controlled by the IP stack, and there are therefore no special MAC-
 layer requirements.  The following figure provides an example of the
 frame formats used when LWAPP is used over the IP/UDP transport.  IP
 stacks can be either IPv4 or IPv6.
    Layer 3 LWAPP Data Frame
    +--------------------------------------------+
    | MAC Header | IP | UDP | LWAPP Header [C=0] |
    +--------------------------------------------+
    |Forwarded Data ... |
    +-------------------+
    Layer 3 LWAPP Control Frame
    +--------------------------------------------+
    | MAC Header | IP | UDP | LWAPP Header [C=1] |
    +--------------------------------------------+
    | Control Message | Message Elements ... |
    +-----------------+----------------------+

3.3.1. Framing

 Communication between the WTP and AC is established according to the
 standard UDP client/server model.  The connection is initiated by the
 WTP (client) to the well-known UDP port of the AC (server) used for
 control messages.  This UDP port number of the AC is 12222 for LWAPP
 data and 12223 for LWAPP control frames.

Calhoun, et al. Historic [Page 24] RFC 5412 Lightweight Access Point Protocol February 2010

3.3.2. AC Discovery

 When LWAPP is run over routed IP networks, the WTP and the AC do not
 need to reside in the same IP subnet (broadcast domain).  However, in
 the event the peers reside on separate subnets, there must exist a
 mechanism for the WTP to discover the AC.
 As the WTP attempts to establish communication with the AC, it sends
 the Discovery Request message and receives the corresponding response
 message from the AC.  The WTP must send the Discovery Request message
 to either the limited broadcast IP address (255.255.255.255), a well
 known multicast address, or the unicast IP address of the AC.  Upon
 receipt of the message, the AC issues a Discovery Response message to
 the unicast IP address of the WTP, regardless of whether a Discovery
 Request was sent as a broadcast, multicast, or unicast message.
 Whether the WTP uses a limited IP broadcast, multicast or unicast IP
 address is implementation-dependent.
 In order for a WTP to transmit a Discovery Request to a unicast
 address, the WTP must first obtain the IP address of the AC.  Any
 static configuration of an AC's IP address on the WTP non-volatile
 storage is implementation-dependent.  However, additional dynamic
 schemes are possible: for example:
 DHCP:  A comma-delimited, ASCII-encoded list of AC IP addresses is
        embedded inside a DHCP vendor-specific option 43 extension.
        An example of the actual format of the vendor-specific payload
        for IPv4 is of the form "10.1.1.1, 10.1.1.2".
  DNS:  The DNS name "LWAPP-AC-Address" MAY be resolvable to one or
        more AC addresses.

3.3.3. LWAPP Message Header Format over IP/UDP Transport

 All of the fields described in Section 3.1 are used when LWAPP uses
 the IPv4/UDP or IPv6/UDP transport, with the following exceptions.

3.3.3.1. F Bit

 This flag field is not used with this transport, and MUST be set to
 zero.

3.3.3.2. L Bit

 This flag field is not used with this transport, and MUST be set to
 zero.

Calhoun, et al. Historic [Page 25] RFC 5412 Lightweight Access Point Protocol February 2010

3.3.3.3. Frag ID

 This field is not used with this transport, and MUST be set to zero.

3.3.4. Fragmentation/Reassembly for IPv4

 When LWAPP is implemented at L3, the transport layer uses IP
 fragmentation to fragment and reassemble LWAPP messages that are
 longer than the MTU size used by either the WTP or AC.  The details
 of IP fragmentation are covered in [8].  When used with the IP
 transport, only the first fragment would include the LWAPP header.

3.3.5. Fragmentation/Reassembly for IPv6

 IPv6 does MTU discovery so fragmentation and re-assembly is not
 necessary for UDP packets.

3.3.6. Multiplexing

 LWAPP messages convey control information between WTP and AC, as well
 as binding specific data frames or binding specific management
 frames.  As such, LWAPP messages need to be multiplexed in the
 transport sub-layer and be delivered to the proper software entities
 in the endpoints of the protocol.  However, the 'C' bit is still used
 to differentiate between data and control frames.
 In case of Layer 3 connection, multiplexing is achieved by use of
 different UDP ports for control and data packets (see Section 3.3.1).
 As part of the Join procedure, the WTP and AC may negotiate different
 IP Addresses for data or control messages.  The IP address returned
 in the AP Manager Control IP Address message element is used to
 inform the WTP with the IP address to which it must send all control
 frames.  The AP Manager Data IP Address message element MAY be
 present only if the AC has a different IP address that the WTP is to
 use to send its data LWAPP frames.
 In the event the WTP and AC are separated by a NAT, with the WTP
 using private IP address space, it is the responsibility of the NAT
 to manage appropriate UDP port mapping.

4. LWAPP Packet Definitions

 This section contains the packet types and format.  The LWAPP
 protocol is designed to be transport-agnostic by specifying packet
 formats for both MAC frames and IP packets.  An LWAPP packet consists
 of an LWAPP Transport Layer packet header followed by an LWAPP
 message.

Calhoun, et al. Historic [Page 26] RFC 5412 Lightweight Access Point Protocol February 2010

 Transport details can be found in Section 3.

4.1. LWAPP Data Messages

 An LWAPP data message is a forwarded wireless frame.  When forwarding
 wireless frames, the sender simply encapsulates the wireless frame in
 an LWAPP data packet, using the appropriate transport rules defined
 in Section 3.
 In the event that the encapsulated frame would exceed the transport
 layer's MTU, the sender is responsible for the fragmentation of the
 frame, as specified in the transport-specific section of Section 3.
 The actual format of the encapsulated LWAPP data frame is subject to
 the rules defined under the specific wireless technology binding.

4.2. LWAPP Control Messages Overview

 The LWAPP Control protocol provides a control channel between the WTP
 and the AC.  The control channel is the series of control messages
 between the WTP and AC, associated with a session ID and key.
 Control messages are divided into the following distinct message
 types:
 Discovery:  LWAPP Discovery messages are used to identify potential
    ACs, their load and capabilities.
 Control Channel Management:  Messages that fall within this
    classification are used for the discovery of ACs by the WTPs as
    well as the establishment and maintenance of an LWAPP control
    channel.
 WTP Configuration:  The WTP Configuration messages are used by the AC
    to push a specific configuration to the WTPs with which it has a
    control channel.  Messages that deal with the retrieval of
    statistics from the WTP also fall in this category.
 Mobile Session Management:  Mobile Session Management messages are
    used by the AC to push specific mobile policies to the WTP.
 Firmware Management:  Messages in this category are used by the AC to
    push a new firmware image down to the WTP.
 Control Channel, WTP Configuration, and Mobile Session Management
 MUST be implemented.  Firmware Management MAY be implemented.
 In addition, technology-specific bindings may introduce new control
 channel commands that depart from the above list.

Calhoun, et al. Historic [Page 27] RFC 5412 Lightweight Access Point Protocol February 2010

4.2.1. Control Message Format

 All LWAPP control messages are sent encapsulated within the LWAPP
 header (see Section 3.1).  Immediately following the header is the
 LWAPP control header, which has the following format:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Message Type |    Seq Num    |      Msg Element Length       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           Session ID                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |      Msg Element [0..N]       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

4.2.1.1. Message Type

 The Message Type field identifies the function of the LWAPP control
 message.  The valid values for a Message Type are the following:
                Description                       Value
                Discovery Request                    1
                Discovery Response                   2
                Join Request                         3
                Join Response                        4
                Join ACK                             5
                Join Confirm                         6
                Unused                             7-9
                Configure Request                   10
                Configure Response                  11
                Configuration Update Request        12
                Configuration Update Response       13
                WTP Event Request                   14
                WTP Event Response                  15
                Change State Event Request          16
                Change State Event Response         17
                Unused                           18-21
                Echo Request                        22
                Echo Response                       23
                Image Data Request                  24
                Image Data Response                 25
                Reset Request                       26
                Reset Response                      27
                Unused                           28-29
                Key Update Request                  30
                Key Update Response                 31
                Primary Discovery Request           32

Calhoun, et al. Historic [Page 28] RFC 5412 Lightweight Access Point Protocol February 2010

                Primary Discovery Response          33
                Data Transfer Request               34
                Data Transfer Response              35
                Clear Config Indication             36
                WLAN Config Request                 37
                WLAN Config Response                38
                Mobile Config Request               39
                Mobile Config Response              40

4.2.1.2. Sequence Number

 The Sequence Number field is an identifier value to match request/
 response packet exchanges.  When an LWAPP packet with a request
 message type is received, the value of the Sequence Number field is
 copied into the corresponding response packet.
 When an LWAPP control frame is sent, its internal sequence number
 counter is monotonically incremented, ensuring that no two requests
 pending have the same sequence number.  This field will wrap back to
 zero.

4.2.1.3. Message Element Length

 The length field indicates the number of bytes following the Session
 ID field.  If the LWAPP packet is encrypted, the length field
 includes the AES-CCM MIC (see Section 10.2 for more information).

4.2.1.4. Session ID

 The Session ID is a 32-bit unsigned integer that is used to identify
 the security context for encrypted exchanges between the WTP and the
 AC.  Note that a Session ID is a random value that MUST be unique
 between a given AC and any of the WTPs with which it may be
 communicating.

4.2.1.5. Message Element [0..N]

 The message element(s) carry the information pertinent to each of the
 control message types.  Every control message in this specification
 specifies which message elements are permitted.

4.2.2. Message Element Format

 The message element is used to carry information pertinent to a
 control message.  Every message element is identified by the Type
 field, whose numbering space is managed via IANA (see Section 16).
 The total length of the message elements is indicated in the Message
 Element Length field.

Calhoun, et al. Historic [Page 29] RFC 5412 Lightweight Access Point Protocol February 2010

 All of the message element definitions in this document use a diagram
 similar to the one below in order to depict their formats.  Note that
 in order to simplify this specification, these diagrams do not
 include the header fields (Type and Length).  However, in each
 message element description, the header's field values will be
 defined.
 Note that additional message elements may be defined in separate IETF
 documents.
 The format of a message element uses the TLV format shown here:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |      Type     |             Length            |   Value ...   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 where Type (8 bits) identifies the character of the information
 carried in the Value field and Length (16 bits) indicates the number
 of bytes in the Value field.

4.2.2.1. Generic Message Elements

 This section includes message elements that are not bound to a
 specific control message.

4.2.2.1.1. Vendor Specific

 The Vendor-Specific Payload is used to communicate vendor-specific
 information between the WTP and the AC.  The value contains the
 following format:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Vendor Identifier                       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Element ID           |   Value...    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   104 for Vendor Specific
 Length:   >= 7
 Vendor Identifier:   A 32-bit value containing the IANA-assigned "SMI
    Network Management Private Enterprise Codes" [13].

Calhoun, et al. Historic [Page 30] RFC 5412 Lightweight Access Point Protocol February 2010

 Element ID:   A 16-bit Element Identifier that is managed by the
    vendor.
 Value:   The value associated with the vendor-specific element.

4.2.3. Quality of Service

 It is recommended that LWAPP control messages be sent by both the AC
 and the WTP with an appropriate Quality-of-Service precedence value,
 ensuring that congestion in the network minimizes occurrences of
 LWAPP control channel disconnects.  Therefore, a Quality-of-Service-
 enabled LWAPP device should use:
 802.1P:   The precedence value of 7 SHOULD be used.
 DSCP:   The Differentiated Services Code Point (DSCP) tag value of 46
         SHOULD be used.

5. LWAPP Discovery Operations

 The Discovery messages are used by a WTP to determine which ACs are
 available to provide service, as well as the capabilities and load of
 the ACs.

5.1. Discovery Request

 The Discovery Request is used by the WTP to automatically discover
 potential ACs available in the network.  A WTP must transmit this
 command even if it has a statically configured AC, as it is a
 required step in the LWAPP state machine.
 Discovery Requests MUST be sent by a WTP in the Discover state after
 waiting for a random delay less of than MaxDiscoveryInterval, after a
 WTP first comes up or is (re)initialized.  A WTP MUST send no more
 than a maximum of MaxDiscoveries discoveries, waiting for a random
 delay less than MaxDiscoveryInterval between each successive
 discovery.
 This is to prevent an explosion of WTP Discoveries.  An example of
 this occurring would be when many WTPs are powered on at the same
 time.
 Discovery Requests MUST be sent by a WTP when no Echo Responses are
 received for NeighborDeadInterval and the WTP returns to the Idle
 state.  Discovery Requests are sent after NeighborDeadInterval, they
 MUST be sent after waiting for a random delay less than

Calhoun, et al. Historic [Page 31] RFC 5412 Lightweight Access Point Protocol February 2010

 MaxDiscoveryInterval.  A WTP MAY send up to a maximum of
 MaxDiscoveries discoveries, waiting for a random delay less than
 MaxDiscoveryInterval between each successive discovery.
 If a Discovery Response is not received after sending the maximum
 number of Discovery Requests, the WTP enters the Sulking state and
 MUST wait for an interval equal to SilentInterval before sending
 further Discovery Requests.
 The Discovery Request message may be sent as a unicast, broadcast, or
 multicast message.
 Upon receiving a Discovery Request, the AC will respond with a
 Discovery Response sent to the address in the source address of the
 received Discovery Request.
 The following subsections define the message elements that MUST be
 included in this LWAPP operation.

5.1.1. Discovery Type

 The Discovery message element is used to configure a WTP to operate
 in a specific mode.
     0
     0 1 2 3 4 5 6 7
    +-+-+-+-+-+-+-+-+
    | Discovery Type|
    +-+-+-+-+-+-+-+-+
 Type:   58 for Discovery Type
 Length:   1
 Discovery Type:   An 8-bit value indicating how the AC was
    discovered.  The following values are supported:
    0 -  Broadcast
    1 -  Configured

Calhoun, et al. Historic [Page 32] RFC 5412 Lightweight Access Point Protocol February 2010

5.1.2. WTP Descriptor

 The WTP Descriptor message element is used by the WTP to communicate
 its current hardware/firmware configuration.  The value contains the
 following fields.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                      Hardware   Version                       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                      Software   Version                       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          Boot   Version                       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Max Radios  | Radios in use |    Encryption Capabilities    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   3 for WTP Descriptor
 Length:   16
 Hardware Version:   A 32-bit integer representing the WTP's hardware
    version number.
 Software Version:   A 32-bit integer representing the WTP's Firmware
    version number.
 Boot Version:   A 32-bit integer representing the WTP's boot loader's
    version number.
 Max Radios:   An 8-bit value representing the number of radios (where
    each radio is identified via the RID field) supported by the WTP.
 Radios in Use:   An 8-bit value representing the number of radios
    present in the WTP.
 Encryption Capabilities:   This 16-bit field is used by the WTP to
    communicate its capabilities to the AC.  Since most WTPs support
    link-layer encryption, the AC may make use of these services.
    There are binding-dependent encryption capabilites.  A WTP that
    does not have any encryption capabilities would set this field to
    zero (0).  Refer to the specific binding for the specification.

Calhoun, et al. Historic [Page 33] RFC 5412 Lightweight Access Point Protocol February 2010

5.1.3. WTP Radio Information

 The WTP Radio Information message element is used to communicate the
 radio information in a specific slot.  The Discovery Request MUST
 include one such message element per radio in the WTP.  The Radio-
 Type field is used by the AC in order to determine which technology-
 specific binding is to be used with the WTP.
 The value contains two fields, as shown:
     0                   1
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Radio ID    |   Radio Type  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   4 for WTP Radio Information
 Length:   2
 Radio ID:   The Radio Identifier, typically refers to some interface
    index on the WTP.
 Radio Type:   The type of radio present.  The following values are
    supported:
    1 - 802.11bg:   An 802.11bg radio.
    2 - 802.11a:   An 802.11a radio.
    3 - 802.16:   An 802.16 radio.
    4 - Ultra Wideband:   A UWB radio.
    7 - all:   Used to specify all radios in the WTP.

5.2. Discovery Response

 The Discovery Response is a mechanism by which an AC advertises its
 services to requesting WTPs.
 Discovery Responses are sent by an AC after receiving a Discovery
 Request.

Calhoun, et al. Historic [Page 34] RFC 5412 Lightweight Access Point Protocol February 2010

 When a WTP receives a Discovery Response, it MUST wait for an
 interval not less than DiscoveryInterval for receipt of additional
 Discovery Responses.  After the DiscoveryInterval elapses, the WTP
 enters the Joining state and will select one of the ACs that sent a
 Discovery Response and send a Join Request to that AC.
 The following subsections define the message elements that MUST be
 included in this LWAPP operation.

5.2.1. AC Address

 The AC Address message element is used to communicate the identity of
 the AC.  The value contains two fields, as shown:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Reserved    |                  MAC Address                  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                 MAC Address                   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   2 for AC Address
 Length:   7
 Reserved:   MUST be set to zero
 MAC Address:   The MAC address of the AC

5.2.2. AC Descriptor

 The AC Descriptor message element is used by the AC to communicate
 its current state.  The value contains the following fields:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Reserved    |                 Hardware  Version ...         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     HW Ver    |                 Software  Version ...         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     SW Ver    |            Stations           |     Limit     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Limit     |            Radios             |   Max Radio   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Max Radio   |    Security   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Calhoun, et al. Historic [Page 35] RFC 5412 Lightweight Access Point Protocol February 2010

 Type:   6 for AC Descriptor
 Length:   17
 Reserved:   MUST be set to zero
 Hardware Version:   A 32-bit integer representing the AC's hardware
    version number.
 Software Version:   A 32-bit integer representing the AC's Firmware
    version number.
 Stations:   A 16-bit integer representing the number of mobile
    stations currently associated with the AC.
 Limit:   A 16-bit integer representing the maximum number of stations
    supported by the AC.
 Radios:   A 16-bit integer representing the number of WTPs currently
    attached to the AC.
 Max Radio:   A 16-bit integer representing the maximum number of WTPs
    supported by the AC.
 Security:   An 8-bit bitmask specifying the security schemes
    supported by the AC.  The following values are supported (see
    Section 10):
    1 -  X.509 Certificate-Based
    2 -  Pre-Shared Secret

5.2.3. AC Name

 The AC Name message element contains an ASCII representation of the
 AC's identity.  The value is a variable-length byte string.  The
 string is NOT zero terminated.
     0
     0 1 2 3 4 5 6 7
    +-+-+-+-+-+-+-+-+
    | Name ...
    +-+-+-+-+-+-+-+-+
 Type:   31 for AC Name
 Length:   > 0

Calhoun, et al. Historic [Page 36] RFC 5412 Lightweight Access Point Protocol February 2010

 Name:   A variable-length ASCII string containing the AC's name.

5.2.4. WTP Manager Control IPv4 Address

 The WTP Manager Control IPv4 Address message element is sent by the
 AC to the WTP during the discovery process and is used by the AC to
 provide the interfaces available on the AC, and their current load.
 This message element is useful for the WTP to perform load balancing
 across multiple interfaces.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           IP Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           WTP Count           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   99 for WTP Manager Control IPv4 Address
 Length:   6
 IP Address:   The IP address of an interface.
 WTP Count:   The number of WTPs currently connected to the interface.

5.2.5. WTP Manager Control IPv6 Address

 The WTP Manager Control IPv6 Address message element is sent by the
 AC to the WTP during the discovery process and is used by the AC to
 provide the interfaces available on the AC, and their current load.
 This message element is useful for the WTP to perform load balancing
 across multiple interfaces.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           IP Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           IP Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           IP Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           IP Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           WTP Count           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Calhoun, et al. Historic [Page 37] RFC 5412 Lightweight Access Point Protocol February 2010

 Type:   137 for WTP Manager Control IPv6 Address
 Length:   6
 IP Address:   The IP address of an interface.
 WTP Count:   The number of WTPs currently connected to the interface.

5.3. Primary Discovery Request

 The Primary Discovery Request is sent by the WTP in order to
 determine whether its preferred (or primary) AC is available.
 Primary Discovery Requests are sent by a WTP when it has a primary AC
 configured, and is connected to another AC.  This generally occurs as
 a result of a failover, and is used by the WTP as a means to discover
 when its primary AC becomes available.  As a consequence, this
 message is only sent by a WTP when it is in the Run state.
 The frequency of the Primary Discovery Requests should be no more
 often than the sending of the Echo Request message.
 Upon receiving a Discovery Request, the AC will respond with a
 Primary Discovery Response sent to the address in the source address
 of the received Primary Discovery Request.
 The following subsections define the message elements that MUST be
 included in this LWAPP operation.

5.3.1. Discovery Type

 The Discovery Type message element is defined in Section 5.1.1.

5.3.2. WTP Descriptor

 The WTP Descriptor message element is defined in Section 5.1.2.

5.3.3. WTP Radio Information

 A WTP Radio Information message element must be present for every
 radio in the WTP.  This message element is defined in Section 5.1.3.

5.4. Primary Discovery Response

 The Primary Discovery Response is a mechanism by which an AC
 advertises its availability and services to requesting WTPs that are
 configured to have the AC as its primary AC.

Calhoun, et al. Historic [Page 38] RFC 5412 Lightweight Access Point Protocol February 2010

 Primary Discovery Responses are sent by an AC after receiving a
 Primary Discovery Request.
 When a WTP receives a Primary Discovery Response, it may opt to
 establish an LWAPP connection to its primary AC, based on the
 configuration of the WTP Fallback Status message element on the WTP.
 The following subsections define the message elements that MUST be
 included in this LWAPP operation.

5.4.1. AC Descriptor

 The Discovery Type message element is defined in Section 5.2.2.

5.4.2. AC Name

 The AC Name message element is defined in Section 5.2.3.

5.4.3. WTP Manager Control IPv4 Address

 A WTP Radio Information message element MAY be present for every
 radio in the WTP that is reachable via IPv4.  This message element is
 defined in Section 5.2.4.

5.4.4. WTP Manager Control IPv6 Address

 A WTP Radio Information message element must be present for every
 radio in the WTP that is reachable via IPv6.  This message element is
 defined in Section 5.2.5.

6. Control Channel Management

 The Control Channel Management messages are used by the WTP and AC to
 create and maintain a channel of communication on which various other
 commands may be transmitted, such as configuration, firmware update,
 etc.

6.1. Join Request

 The Join Request is used by a WTP to inform an AC that it wishes to
 provide services through it.
 Join Requests are sent by a WTP in the Joining state after receiving
 one or more Discovery Responses.  The Join Request is also used as an
 MTU discovery mechanism by the WTP.  The WTP issues a Join Request
 with a Test message element, bringing the total size of the message
 to exceed MTU.

Calhoun, et al. Historic [Page 39] RFC 5412 Lightweight Access Point Protocol February 2010

 If the transport used does not provide MTU path discovery, the
 initial Join Request is padded with the Test message element to 1596
 bytes.  If a Join Response is received, the WTP can forward frames
 without requiring any fragmentation.  If no Join Response is
 received, it issues a second Join Request padded with the Test
 payload to a total of 1500 bytes.  The WTP continues to cycle from
 large (1596) to small (1500) packets until a Join Response has been
 received, or until both packets' sizes have been retransmitted 3
 times.  If the Join Response is not received after the maximum number
 of retransmissions, the WTP MUST abandon the AC and restart the
 discovery phase.
 When an AC receives a Join Request, it will respond with a Join
 Response.  If the certificate-based security mechanism is used, the
 AC validates the certificate found in the request.  If valid, the AC
 generates a session key that will be used to secure the control
 frames it exchanges with the WTP.  When the AC issues the Join
 Response, the AC creates a context for the session with the WTP.
 If the pre-shared session key security mechanism is used, the AC
 saves the WTP's nonce, found in the WNonce message element, and
 creates its own nonce, which it includes in the ANonce message
 element.  Finally, the AC creates the PSK-MIC, which is computed
 using a key that is derived from the PSK.
 A Join Request that includes both a WNonce and a Certificate message
 element MUST be considered invalid.
 Details on the key generation are found in Section 10.
 The following subsections define the message elements that MUST be
 included in this LWAPP operation.

6.1.1. WTP Descriptor

 The WTP Descriptor message element is defined in Section 5.1.2.

6.1.2. AC Address

 The AC Address message element is defined in Section 5.2.1.

6.1.3. WTP Name

 The WTP Name message element value is a variable-length byte string.
 The string is NOT zero terminated.

Calhoun, et al. Historic [Page 40] RFC 5412 Lightweight Access Point Protocol February 2010

     0
     0 1 2 3 4 5 6 7
    +-+-+-+-+-+-+-+-+
    | Name ...
    +-+-+-+-+-+-+-+-+
 Type:   5 for WTP Name
 Length:   > 0
 Name:   A non-zero-terminated string containing the WTP's name.

6.1.4. Location Data

 The Location Data message element is a variable-length byte string
 containing user-defined location information (e.g., "Next to
 Fridge").  The string is NOT zero terminated.
     0
     0 1 2 3 4 5 6 7
    +-+-+-+-+-+-+-+-+
    | Location ...
    +-+-+-+-+-+-+-+-+
 Type:   35 for Location Data
 Length:   > 0
 Location:   A non-zero-terminated string containing the WTP's
    location.

6.1.5. WTP Radio Information

 A WTP Radio Information message element must be present for every
 radio in the WTP.  This message element is defined in Section 5.1.3.

6.1.6. Certificate

 The Certificate message element value is a byte string containing a
 DER-encoded x.509v3 certificate.  This message element is only
 included if the LWAPP security type used between the WTP and the AC
 makes use of certificates (see Section 10 for more information).
     0
     0 1 2 3 4 5 6 7
    +-+-+-+-+-+-+-+-+
    | Certificate...
    +-+-+-+-+-+-+-+-+

Calhoun, et al. Historic [Page 41] RFC 5412 Lightweight Access Point Protocol February 2010

 Type:   44 for Certificate
 Length:   > 0
 Certificate:   A non-zero-terminated string containing the device's
    certificate.

6.1.7. Session ID

 The Session ID message element value contains a randomly generated
 [4] unsigned 32-bit integer.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           Session ID                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   45 for Session ID
 Length:   4
 Session ID:   32-bit random session identifier.

6.1.8. Test

 The Test message element is used as padding to perform MTU discovery,
 and it MAY contain any value, of any length.
     0
     0 1 2 3 4 5 6 7
    +-+-+-+-+-+-+-+-+
    |  Padding ...
    +-+-+-+-+-+-+-+-+
 Type:   18 for Test
 Length:   > 0
 Padding:   A variable-length pad.

6.1.9. XNonce

 The XNonce is used by the WTP to communicate its random nonce during
 the join or rekey phase.  See Section 10 for more information.

Calhoun, et al. Historic [Page 42] RFC 5412 Lightweight Access Point Protocol February 2010

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             Nonce                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             Nonce                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             Nonce                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             Nonce                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   111 for XNonce
 Length:   16
 Nonce:   1 16-octet random nonce.

6.2. Join Response

 The Join Response is sent by the AC to indicate to a WTP whether it
 is capable and willing to provide service to it.
 Join Responses are sent by the AC after receiving a Join Request.
 Once the Join Response has been sent, the Heartbeat timer is
 initiated for the session to EchoInterval.  Expiration of the timer
 will result in deletion of the AC-WTP session.  The timer is
 refreshed upon receipt of the Echo Request.
 If the security method used is certificate-based, when a WTP receives
 a Join Response, it enters the Joined state and initiates either a
 Configure Request or Image Data to the AC to which it is now joined.
 Upon entering the Joined state, the WTP begins timing an interval
 equal to NeighborDeadInterval.  Expiration of the timer will result
 in the transmission of the Echo Request.
 If the security method used is pre-shared-secret-based, when a WTP
 receives a Join Response that includes a valid PSK-MIC message
 element, it responds with a Join ACK that also MUST include a locally
 computed PSK-MIC message element.
 The following subsections define the message elements that MUST be
 included in this LWAPP operation.

Calhoun, et al. Historic [Page 43] RFC 5412 Lightweight Access Point Protocol February 2010

6.2.1. Result Code

 The Result Code message element value is a 32-bit integer value,
 indicating the result of the request operation corresponding to the
 sequence number in the message.  The Result Code is included in a
 successful Join Response.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                         Result Code                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   2 for Result Code
 Length:   4
 Result Code:   The following values are defined:
    0  Success
    1  Failure (AC List message element MUST be present)

6.2.2. Status

 The Status message element is sent by the AC to the WTP in a non-
 successful Join Response message.  This message element is used to
 indicate the reason for the failure and should only be accompanied
 with a Result Code message element that indicates a failure.
     0
     0 1 2 3 4 5 6 7
    +-+-+-+-+-+-+-+-+
    |    Status     |
    +-+-+-+-+-+-+-+-+
 Type:   60 for Status
 Length:   1
 Status:   The Status field indicates the reason for an LWAPP failure.
    The following values are supported:

Calhoun, et al. Historic [Page 44] RFC 5412 Lightweight Access Point Protocol February 2010

    1 -  Reserved - do not use
    2 -  Resource Depletion
    3 -  Unknown Source
    4 -  Incorrect Data

6.2.3. Certificate

 The Certificate message element is defined in Section 6.1.6.  Note
 this message element is only included if the WTP and the AC make use
 of certificate-based security as defined in Section 10.

6.2.4. WTP Manager Data IPv4 Address

 The WTP Manager Data IPv4 Address message element is optionally sent
 by the AC to the WTP during the join phase.  If present, the IP
 Address contained in this message element is the address the WTP is
 to use when sending any of its LWAPP data frames.
 Note that this message element is only valid when LWAPP uses the
 IP/UDP Layer 3 transport.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           IP Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   138 for WTP Manager Data IPv4 Address
 Length:   4
 IP Address:   The IP address of an interface.

6.2.5. WTP Manager Data IPv6 Address

 The WTP Manager Data IPv6 Address message element is optionally sent
 by the AC to the WTP during the join phase.  If present, the IP
 Address contained in this message element is the address the WTP is
 to use when sending any of its LWAPP data frames.
 Note that this message element is only valid when LWAPP uses the
 IP/UDP Layer 3 transport.

Calhoun, et al. Historic [Page 45] RFC 5412 Lightweight Access Point Protocol February 2010

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           IP Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           IP Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           IP Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           IP Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   139 for WTP Manager Data IPv6 Address
 Length:   4
 IP Address:   The IP address of an interface.

6.2.6. AC IPv4 List

 The AC List message element is used to configure a WTP with the
 latest list of ACs in a cluster.  This message element MUST be
 included if the Join Response returns a failure indicating that the
 AC cannot handle the WTP at this time, allowing the WTP to find an
 alternate AC to which to connect.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       AC IP Address[]                         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   59 for AC List
 Length:   >= 4
 AC IP Address:   An array of 32-bit integers containing an AC's IPv4
    Address.

6.2.7. AC IPv6 List

 The AC List message element is used to configure a WTP with the
 latest list of ACs in a cluster.  This message element MUST be
 included if the Join Response returns a failure indicating that the
 AC cannot handle the WTP at this time, allowing the WTP to find an
 alternate AC to which to connect.

Calhoun, et al. Historic [Page 46] RFC 5412 Lightweight Access Point Protocol February 2010

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       AC IP Address[]                         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       AC IP Address[]                         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       AC IP Address[]                         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       AC IP Address[]                         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   141 for AC List
 Length:   >= 4
 AC IP Address:   An array of 32-bit integers containing an AC's IPv6
    Address.

6.2.8. ANonce

 The ANonce message element is sent by an AC during the join or rekey
 phase.  The contents of the ANonce are encrypted as described in
 Section 10 for more information.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             Nonce                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             Nonce                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             Nonce                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             Nonce                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   108 for ANonce
 Length:   16
 Nonce:   An encrypted, 16-octet random nonce.

Calhoun, et al. Historic [Page 47] RFC 5412 Lightweight Access Point Protocol February 2010

6.2.9. PSK-MIC

 The PSK-MIC message element includes a message integrity check, whose
 purpose is to provide confirmation to the peer that the sender has
 the proper session key.  This message element is only included if the
 security method used between the WTP and the AC is the pre-shared
 secret mechanism.  See Section 10 for more information.
 When present, the PSK-MIC message element MUST be the last message
 element in the message.  The MIC is computed over the complete LWAPP
 packet, from the LWAPP control header as defined in Section 4.2.1 to
 the end of the packet (which MUST be this PSK-MIC message element).
 The MIC field in this message element and the Sequence Number field
 in the LWAPP control header MUST be set to zeroes prior to computing
 the MIC.  The length field in the LWAPP control header must already
 include this message element prior to computing the MIC.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |       SPI       |                    MIC ...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   109 for PSK-MIC
 Length:   > 1
 SPI:   The Security Parameter Index (SPI) field specifies the
    cryptographic algorithm used to create the message integrity
    check.  The following values are supported:
    0 -  Unused
    1 -  HMAC-SHA-1 (RFC 2104 [15])
 MIC:   A 20-octet Message Integrity Check.

6.3. Join ACK

 The Join ACK message is sent by the WTP upon receiving a Join
 Response, which has a valid PSK-MIC message element, as a means of
 providing key confirmation to the AC.  The Join ACK is only used in
 the case where the WTP makes use of the pre-shared key LWAPP mode
 (see Section 10 for more information).
 Note that the AC should never receive this message unless the
 security method used between the WTP and the AC is pre-shared-secret-
 based.

Calhoun, et al. Historic [Page 48] RFC 5412 Lightweight Access Point Protocol February 2010

 The following subsections define the message elements that MUST be
 included in this LWAPP operation.

6.3.1. Session ID

 The Session ID message element is defined in Section 6.1.7.

6.3.2. WNonce

 The WNonce message element is sent by a WTP during the join or rekey
 phase.  The contents of the ANonce are encrypted as described in
 Section 10 for more information.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             Nonce                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             Nonce                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             Nonce                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             Nonce                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   107 for WNonce
 Length:   16
 Nonce:   An encrypted, 16-octet random nonce.

6.3.3. PSK-MIC

 The PSK-MIC message element is defined in Section 6.2.9.

6.4. Join Confirm

 The Join Confirm message is sent by the AC upon receiving a Join ACK,
 which has a valid PSK-MIC message element, as a means of providing
 key confirmation to the WTP.  The Join Confirm is only used in the
 case where the WTP makes use of the pre-shared key LWAPP mode (see
 Section 10 for more information).
 If the security method used is pre-shared-key-based, when a WTP
 receives a Join Confirm, it enters the Joined state and initiates
 either a Configure Request or Image Data to the AC to which it is now

Calhoun, et al. Historic [Page 49] RFC 5412 Lightweight Access Point Protocol February 2010

 joined.  Upon entering the Joined state, the WTP begins timing an
 interval equal to NeighborDeadInterval.  Expiration of the timer will
 result in the transmission of the Echo Request.
 This message is never received, or sent, when the security type used
 between the WTP and the AC is certificated-based.
 The following subsections define the message elements that MUST be
 included in this LWAPP operation.

6.4.1. Session ID

 The Session ID message element is defined in Section 6.1.7.

6.4.2. PSK-MIC

 The PSK-MIC message element is defined in Section 6.2.9.

6.5. Echo Request

 The Echo Request message is a keepalive mechanism for the LWAPP
 control message.
 Echo Requests are sent periodically by a WTP in the Run state (see
 Figure 2) to determine the state of the connection between the WTP
 and the AC.  The Echo Request is sent by the WTP when the Heartbeat
 timer expires, and it MUST start its NeighborDeadInterval timer.
 The Echo Request carries no message elements.
 When an AC receives an Echo Request, it responds with an Echo
 Response.

6.6. Echo Response

 The Echo Response acknowledges the Echo Request, and is only accepted
 while in the Run state (see Figure 2).
 Echo Responses are sent by an AC after receiving an Echo Request.
 After transmitting the Echo Response, the AC should reset its
 Heartbeat timer to expire in the value configured for EchoInterval.
 If another Echo request is not received by the AC when the timer
 expires, the AC SHOULD consider the WTP to no longer be reachable.
 The Echo Response carries no message elements.

Calhoun, et al. Historic [Page 50] RFC 5412 Lightweight Access Point Protocol February 2010

 When a WTP receives an Echo Response it stops the
 NeighborDeadInterval timer, and starts the Heartbeat timer to
 EchoInterval.
 If the NeighborDeadInterval timer expires prior to receiving an Echo
 Response, the WTP enters the Idle state.

6.7. Key Update Request

 The Key Update Request is used by the WTP to initiate the rekeying
 phase.  This message is sent by a WTP when in the Run state and MUST
 include a new unique Session Identifier.  This message MUST also
 include a unique nonce in the XNonce message element, which is used
 to protect against replay attacks (see Section 10).
 The following subsections define the message elements that MUST be
 included in this LWAPP operation.

6.7.1. Session ID

 The Session ID message element is defined in Section 6.1.7.

6.7.2. XNonce

 The XNonce message element is defined in Section 6.1.9.

6.8. Key Update Response

 The Key Update Response is sent by the AC in response to the request
 message, and includes an encrypted ANonce, which is used to derive
 new session keys.  This message MUST include a Session Identifier
 message element, whose value MUST be identical to the one found in
 the Key Update Request.
 The AC MUST include a PSK-MIC message element, which provides message
 integrity over the whole message.
 The following subsections define the message elements that MUST be
 included in this LWAPP operation.

6.8.1. Session ID

 The Session ID message element is defined in Section 6.1.7.

6.8.2. ANonce

 The ANonce message element is defined in Section 6.2.8.

Calhoun, et al. Historic [Page 51] RFC 5412 Lightweight Access Point Protocol February 2010

6.8.3. PSK-MIC

 The PSK-MIC message element is defined in Section 6.2.9.

6.9. Key Update ACK

 The Key Update ACK is sent by the WTP and includes an encrypted
 version of the WTP's nonce, which is used in the key derivation
 process.  The session keys derived are then used as new LWAPP control
 message encryption keys (see Section 10).
 The WTP MUST include a PSK-MIC message element, which provides
 message integrity over the whole message.
 The following subsections define the message elements that MUST be
 included in this LWAPP operation.

6.9.1. WNonce

 The WNonce message element is defined in Section 6.3.2.

6.9.2. PSK-MIC

 The PSK-MIC message element is defined in Section 6.2.9.

6.10. Key Update Confirm

 The Key Update Confirm closes the rekeying loop, and allows the WTP
 to recognize that the AC has received and processed the Key Update
 messages.  At this point, the WTP updates its session key in its
 crypto engine, and the associated Initialization Vector, ensuring
 that all future LWAPP control frames are encrypted with the newly
 derived encryption key.
 The WTP MUST include a PSK-MIC message element, which provides
 message integrity over the whole message.
 The following subsections define the message elements that MUST be
 included in this LWAPP operation.

6.10.1. PSK-MIC

 The PSK-MIC message element is defined in Section 6.2.9.

6.11. Key Update Trigger

 The Key Update Trigger is used by the AC to request that a Key Update
 Request be initiated by the WTP.

Calhoun, et al. Historic [Page 52] RFC 5412 Lightweight Access Point Protocol February 2010

 Key Update Triggers are sent by an AC in the Run state to inform the
 WTP to initiate a Key Update Request message.
 When a WTP receives a Key Update Trigger, it generates a Key Update
 Request.
 The following subsections define the message elements that MUST be
 included in this LWAPP operation.

6.11.1. Session ID

 The Session ID message element is defined in Section 6.1.7.

7. WTP Configuration Management

 The Wireless Termination Point Configuration messages are used to
 exchange configuration between the AC and the WTP.

7.1. Configuration Consistency

 The LWAPP protocol provides flexibility in how WTP configuration is
 managed.  To put it simply, a WTP has one of two options:
 1. The WTP retains no configuration and simply abides by the
    configuration provided by the AC.
 2. The WTP retains the configuration of parameters provided by the AC
    that are non-default values.
 If the WTP opts to save configuration locally, the LWAPP protocol
 state machine defines the "Configure" state, which is used during the
 initial binding WTP-AC phase, which allows for configuration
 exchange.  During this period, the WTP sends its current
 configuration overrides to the AC via the Configure Request message.
 A configuration override is a parameter that is non-default.  One
 example is that in the LWAPP protocol, the default antenna
 configuration is an internal-omni antenna.  However, a WTP that
 either has no internal antennas, or has been explicitely configured
 by the AC to use external antennas would send its antenna
 configuration during the configure phase, allowing the AC to become
 aware of the WTP's current configuration.
 Once the WTP has provided its configuration to the AC, the AC sends
 down its own configuration.  This allows the WTP to inherit the
 configuration and policies on the AC.

Calhoun, et al. Historic [Page 53] RFC 5412 Lightweight Access Point Protocol February 2010

 An LWAPP AC maintains a copy of each active WTP's configuration.
 There is no need for versioning or other means to identify
 configuration changes.  If a WTP becomes inactive, the AC MAY delete
 the configuration associated with it.  If a WTP were to fail, and
 connect to a new AC, it would provide its overridden configuration
 parameters, allowing the new AC to be aware of the WTP's
 configuration.
 As a consequence, this model allows for resiliency, whereby in light
 of an AC failure, another AC could provide service to the WTP.  In
 this scenario, the new AC would be automatically updated on any
 possible WTP configuration changes -- eliminating the need for Inter-
 AC communication or the need for all ACs to be aware of the
 configuration of all WTPs in the network.
 Once the LWAPP protocol enters the Run state, the WTPs begin to
 provide service.  However, it is quite common for administrators to
 require that configuration changes be made while the network is
 operational.  Therefore, the Configuration Update Request is sent by
 the AC to the WTP in order to make these changes at run-time.

7.2. Configure Request

 The Configure Request message is sent by a WTP to send its current
 configuration to its AC.
 Configure Requests are sent by a WTP after receiving a Join Response,
 while in the Configure state.
 The Configure Request carries binding-specific message elements.
 Refer to the appropriate binding for the definition of this
 structure.
 When an AC receives a Configure Request, it will act upon the content
 of the packet and respond to the WTP with a Configure Response.
 The Configure Request includes multiple Administrative State message
 elements.  There is one such message element for the WTP, and then
 one per radio in the WTP.
 The following subsections define the message elements that MUST be
 included in this LWAPP operation.

7.2.1. Administrative State

 The Administrative Event message element is used to communicate the
 state of a particular radio.  The value contains the following
 fields.

Calhoun, et al. Historic [Page 54] RFC 5412 Lightweight Access Point Protocol February 2010

     0                   1
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |  Admin State  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   27 for Administrative State
 Length:   2
 Radio ID:   An 8-bit value representing the radio to configure.  The
    Radio ID field may also include the value of 0xff, which is used
    to identify the WTP itself.  Therefore, if an AC wishes to change
    the administrative state of a WTP, it would include 0xff in the
    Radio ID field.
 Admin State:   An 8-bit value representing the administrative state
    of the radio.  The following values are supported:
    1 -  Enabled
    2 -  Disabled

7.2.2. AC Name

 The AC Name message element is defined in Section 5.2.3.

7.2.3. AC Name with Index

 The AC Name with Index message element is sent by the AC to the WTP
 to configure preferred ACs.  The number of instances where this
 message element would be present is equal to the number of ACs
 configured on the WTP.
     0                   1
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Index     |   AC Name...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   90 for AC Name with Index
 Length:   5
 Index:   The index of the preferred server (e.g., 1=primary,
    2=secondary).
 AC Name:   A variable-length ASCII string containing the AC's name.

Calhoun, et al. Historic [Page 55] RFC 5412 Lightweight Access Point Protocol February 2010

7.2.4. WTP Board Data

 The WTP Board Data message element is sent by the WTP to the AC and
 contains information about the hardware present.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |            Card ID            |         Card Revision         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          WTP Model                            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          WTP Model                            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                      WTP Serial Number ...                    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           Reserved                            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                     Ethernet MAC Address                      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |      Ethernet MAC Address     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   50 for WTP Board Data
 Length:   26
 Card ID:   A hardware identifier.
 Card Revision:   4-byte Revision of the card.
 WTP Model:   8-byte WTP Model Number.
 WTP Serial Number:   24-byte WTP Serial Number.
 Reserved:   A 4-byte reserved field that MUST be set to zero (0).
 Ethernet MAC Address:   MAC address of the WTP's Ethernet interface.

7.2.5. Statistics Timer

 The Statistics Timer message element value is used by the AC to
 inform the WTP of the frequency that it expects to receive updated
 statistics.

Calhoun, et al. Historic [Page 56] RFC 5412 Lightweight Access Point Protocol February 2010

     0                   1
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |        Statistics Timer       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   37 for Statistics Timer
 Length:   2
 Statistics Timer:   A 16-bit unsigned integer indicating the time, in
    seconds.

7.2.6. WTP Static IP Address Information

 The WTP Static IP Address Information message element is used by an
 AC to configure or clear a previously configured static IP address on
 a WTP.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          IP Address                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                            Netmask                            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                            Gateway                            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Static     |
    +-+-+-+-+-+-+-+-+
 Type:   82 for WTP Static IP Address Information
 Length:   13
 IP Address:   The IP address to assign to the WTP.
 Netmask:   The IP Netmask.
 Gateway:   The IP address of the gateway.
 Netmask:   The IP Netmask.
 Static:   An 8-bit Boolean stating whether or not the WTP should use
    a static IP address.  A value of zero disables the static IP
    address, while a value of one enables it.

Calhoun, et al. Historic [Page 57] RFC 5412 Lightweight Access Point Protocol February 2010

7.2.7. WTP Reboot Statistics

 The WTP Reboot Statistics message element is sent by the WTP to the
 AC to communicate information about reasons why reboots have
 occurred.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Crash Count          |     LWAPP Initiated Count     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |      Link Failure Count       | Failure Type  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   67 for WTP Reboot Statistics
 Length:   7
 Crash Count:   The number of reboots that have occurred due to a WTP
    crash.
 LWAPP Initiated Count:   The number of reboots that have occurred at
    the request of some LWAPP message, such as a change in
    configuration that required a reboot or an explicit LWAPP reset
    request.
 Link Failure Count:   The number of times that an LWAPP connection
    with an AC has failed.
 Failure Type:   The last WTP failure.  The following values are
    supported:
    0 -  Link Failure
    1 -  LWAPP Initiated
    2 -  WTP Crash

7.3. Configure Response

 The Configure Response message is sent by an AC and provides an
 opportunity for the AC to override a WTP's requested configuration.
 Configure Responses are sent by an AC after receiving a Configure
 Request.

Calhoun, et al. Historic [Page 58] RFC 5412 Lightweight Access Point Protocol February 2010

 The Configure Response carries binding-specific message elements.
 Refer to the appropriate binding for the definition of this
 structure.
 When a WTP receives a Configure Response, it acts upon the content of
 the packet, as appropriate.  If the Configure Response message
 includes a Change State Event message element that causes a change in
 the operational state of one of the Radios, the WTP will transmit a
 Change State Event to the AC as an acknowledgement of the change in
 state.
 The following subsections define the message elements that MUST be
 included in this LWAPP operation.

7.3.1. Decryption Error Report Period

 The Decryption Error Report Period message element value is used by
 the AC to inform the WTP of how frequently it should send decryption
 error report messages.
     0                   1                   2
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Radio ID    |        Report Interval        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   38 for Decryption Error Report Period
 Length:   3
 Radio ID:   The Radio Identifier: typically refers to some interface
    index on the WTP.
 Report Interval:   A 16-bit, unsigned integer indicating the time, in
    seconds.

7.3.2. Change State Event

 The WTP Radio Information message element is used to communicate the
 operational state of a radio.  The value contains two fields, as
 shown.
     0                   1
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Radio ID    |     State     |     Cause     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Calhoun, et al. Historic [Page 59] RFC 5412 Lightweight Access Point Protocol February 2010

 Type:   26 for Change State Event
 Length:   3
 Radio ID:   The Radio Identifier: typically refers to some interface
    index on the WTP.
 State:   An 8-bit Boolean value representing the state of the radio.
    A value of one disables the radio, while a value of two enables
    it.
 Cause:   In the event of a radio being inoperable, the Cause field
    would contain the reason the radio is out of service.  The
    following values are supported:
    0 -  Normal
    1 -  Radio Failure
    2 -  Software Failure

7.3.3. LWAPP Timers

 The LWAPP Timers message element is used by an AC to configure LWAPP
 timers on a WTP.
     0                   1
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Discovery   | Echo Request  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   68 for LWAPP Timers
 Length:   2
 Discovery:   The number of seconds between LWAPP Discovery packets
    when the WTP is in the discovery mode.
 Echo Request:   The number of seconds between WTP Echo Request LWAPP
    messages.

7.3.4. AC IPv4 List

 The AC List message element is defined in Section 6.2.6.

Calhoun, et al. Historic [Page 60] RFC 5412 Lightweight Access Point Protocol February 2010

7.3.5. AC IPv6 List

 The AC List message element is defined in Section 6.2.7.

7.3.6. WTP Fallback

 The WTP Fallback message element is sent by the AC to the WTP to
 enable or disable automatic LWAPP fallback in the event that a WTP
 detects its preferred AC, and is not currently connected to it.
     0
     0 1 2 3 4 5 6 7
    +-+-+-+-+-+-+-+-+
    |     Mode      |
    +-+-+-+-+-+-+-+-+
 Type:   91 for WTP Fallback
 Length:   1
 Mode:   The 8-bit Boolean value indicates the status of automatic
    LWAPP fallback on the WTP.  A value of zero disables the fallback
    feature, while a value of one enables it.  When enabled, if the
    WTP detects that its primary AC is available, and it is not
    connected to it, it SHOULD automatically disconnect from its
    current AC and reconnect to its primary.  If disabled, the WTP
    will only reconnect to its primary through manual intervention
    (e.g., through the Reset Request command).

7.3.7. Idle Timeout

 The Idle Timeout message element is sent by the AC to the WTP to
 provide it with the idle timeout that it should enforce on its active
 mobile station entries.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                            Timeout                            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   97 for Idle Timeout
 Length:   4
 Timeout:   The current idle timeout to be enforced by the WTP.

Calhoun, et al. Historic [Page 61] RFC 5412 Lightweight Access Point Protocol February 2010

7.4. Configuration Update Request

 Configure Update Requests are sent by the AC to provision the WTP
 while in the Run state.  This is used to modify the configuration of
 the WTP while it is operational.
 When an AC receives a Configuration Update Request it will respond
 with a Configuration Update Response, with the appropriate Result
 Code.
 The following subsections define the message elements introduced by
 this LWAPP operation.

7.4.1. WTP Name

 The WTP Name message element is defined in Section 6.1.3.

7.4.2. Change State Event

 The Change State Event message element is defined in Section 7.3.2.

7.4.3. Administrative State

 The Administrative State message element is defined in Section 7.2.1.

7.4.4. Statistics Timer

 The Statistics Timer message element is defined in Section 7.2.5.

7.4.5. Location Data

 The Location Data message element is defined in Section 6.1.4.

7.4.6. Decryption Error Report Period

 The Decryption Error Report Period message element is defined in
 Section 7.3.1.

7.4.7. AC IPv4 List

 The AC List message element is defined in Section 6.2.6.

7.4.8. AC IPv6 List

 The AC List message element is defined in Section 6.2.7.

Calhoun, et al. Historic [Page 62] RFC 5412 Lightweight Access Point Protocol February 2010

7.4.9. Add Blacklist Entry

 The Add Blacklist Entry message element is used by an AC to add a
 blacklist entry on a WTP, ensuring that the WTP no longer provides
 any service to the MAC addresses provided in the message.  The MAC
 addresses provided in this message element are not expected to be
 saved in non-volative memory on the WTP.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Num of Entries|                 MAC Address[]                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                 MAC Address[]                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   65 for Add Blacklist Entry
 Length:   >= 7
 Num of Entries:   The number of MAC addresses in the array.
 MAC Address:   An array of MAC addresses to add to the blacklist
    entry.

7.4.10. Delete Blacklist Entry

 The Delete Blacklist Entry message element is used by an AC to delete
 a previously added blacklist entry on a WTP, ensuring that the WTP
 provides service to the MAC addresses provided in the message.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Num of Entries|                 MAC Address[]                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                 MAC Address[]                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   66 for Delete Blacklist Entry
 Length:   >= 7
 Num of Entries:   The number of MAC addresses in the array.
 MAC Address:   An array of MAC addresses to delete from the blacklist
    entry.

Calhoun, et al. Historic [Page 63] RFC 5412 Lightweight Access Point Protocol February 2010

7.4.11. Add Static Blacklist Entry

 The Add Static Blacklist Entry message element is used by an AC to
 add a permanent Blacklist Entry on a WTP, ensuring that the WTP no
 longer provides any service to the MAC addresses provided in the
 message.  The MAC addresses provided in this message element are
 expected to be saved in non-volative memory on the WTP.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Num of Entries|                 MAC Address[]                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                 MAC Address[]                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   70 for Delete Blacklist Entry
 Length:   >= 7
 Num of Entries:   The number of MAC addresses in the array.
 MAC Address:   An array of MAC addresses to add to the permanent
    blacklist entry.

7.4.12. Delete Static Blacklist Entry

 The Delete Static Blacklist Entry message element is used by an AC to
 delete a previously added static blacklist entry on a WTP, ensuring
 that the WTP provides service to the MAC addresses provided in the
 message.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Num of Entries|                 MAC Address[]                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                 MAC Address[]                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   71 for Delete Blacklist Entry
 Length:   >= 7
 Num of Entries:   The number of MAC addresses in the array.
 MAC Address:   An array of MAC addresses to delete from the static
    blacklist entry.

Calhoun, et al. Historic [Page 64] RFC 5412 Lightweight Access Point Protocol February 2010

7.4.13. LWAPP Timers

 The LWAPP Timers message element is defined in Section 7.3.3.

7.4.14. AC Name with Index

 The AC Name with Index message element is defined in Section 7.2.3.

7.4.15. WTP Fallback

 The WTP Fallback message element is defined in Section 7.3.6.

7.4.16. Idle Timeout

 The Idle Timeout message element is defined in Section 7.3.7.

7.5. Configuration Update Response

 The Configuration Update Response is the acknowledgement message for
 the Configuration Update Request.
 Configuration Update Responses are sent by a WTP after receiving a
 Configuration Update Request.
 When an AC receives a Configure Update Response, the result code
 indicates if the WTP successfully accepted the configuration.
 The following subsections define the message elements that must be
 present in this LWAPP operation.

7.5.1. Result Code

 The Result Code message element is defined in Section 6.2.1.

7.6. Change State Event Request

 The Change State Event is used by the WTP to inform the AC of a
 change in the operational state.
 The Change State Event message is sent by the WTP when it receives a
 Configuration Response that includes a Change State Event message
 element.  It is also sent in the event that the WTP detects an
 operational failure with a radio.  The Change State Event may be sent
 in either the Configure or Run state (see Figure 2).
 When an AC receives a Change State Event it will respond with a
 Change State Event Response and make any necessary modifications to
 internal WTP data structures.

Calhoun, et al. Historic [Page 65] RFC 5412 Lightweight Access Point Protocol February 2010

 The following subsections define the message elements that must be
 present in this LWAPP operation.

7.6.1. Change State Event

 The Change State Event message element is defined in Section 7.3.2.

7.7. Change State Event Response

 The Change State Event Response acknowledges the Change State Event.
 Change State Event Responses are sent by a WTP after receiving a
 Change State Event.
 The Change State Event Response carries no message elements.  Its
 purpose is to acknowledge the receipt of the Change State Event.
 The WTP does not need to perform any special processing of the Change
 State Event Response message.

7.8. Clear Config Indication

 The Clear Config Indication is used to reset a WTP's configuration.
 The Clear Config Indication is sent by an AC to request that a WTP
 reset its configuration to manufacturing defaults.  The Clear Config
 Indication message is sent while in the Run LWAPP state.
 The Reset Request carries no message elements.
 When a WTP receives a Clear Config Indication, it will reset its
 configuration to manufacturing defaults.

8. Device Management Operations

 This section defines LWAPP operations responsible for debugging,
 gathering statistics, logging, and firmware management.

8.1. Image Data Request

 The Image Data Request is used to update firmware on the WTP.  This
 message and its companion response are used by the AC to ensure that
 the image being run on each WTP is appropriate.
 Image Data Requests are exchanged between the WTP and the AC to
 download a new program image to a WTP.
 When a WTP or AC receives an Image Data Request, it will respond with

Calhoun, et al. Historic [Page 66] RFC 5412 Lightweight Access Point Protocol February 2010

 an Image Data Response.
 The format of the Image Data and Image Download message elements are
 described in the following subsections.

8.1.1. Image Download

 The Image Download message element is sent by the WTP to the AC and
 contains the image filename.  The value is a variable-length byte
 string.  The string is NOT zero terminated.

8.1.2. Image Data

 The Image Data message element is present when sent by the AC and
 contains the following fields.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Opcode    |           Checksum            |  Image Data   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          Image Data ...                       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   33 for Image Data
 Length:   >= 5
 Opcode:   An 8-bit value representing the transfer opcode.  The
    following values are supported:
    3 -  Image Data is included.
    5 -  An error occurred.  Transfer is aborted.
 Checksum:   A 16-bit value containing a checksum of the Image Data
    that follows.
 Image Data:   The Image Data field contains 1024 characters, unless
    the payload being sent is the last one (end of file).

Calhoun, et al. Historic [Page 67] RFC 5412 Lightweight Access Point Protocol February 2010

8.2. Image Data Response

 The Image Data Response acknowledges the Image Data Request.
 An Image Data Responses is sent in response to an Image Data Request.
 Its purpose is to acknowledge the receipt of the Image Data Request
 packet.
 The Image Data Response carries no message elements.
 No action is necessary on receipt.

8.3. Reset Request

 The Reset Request is used to cause a WTP to reboot.
 Reset Requests are sent by an AC to cause a WTP to reinitialize its
 operation.
 The Reset Request carries no message elements.
 When a WTP receives a Reset Request it will respond with a Reset
 Response and then reinitialize itself.

8.4. Reset Response

 The Reset Response acknowledges the Reset Request.
 Reset Responses are sent by a WTP after receiving a Reset Request.
 The Reset Response carries no message elements.  Its purpose is to
 acknowledge the receipt of the Reset Request.
 When an AC receives a Reset Response, it is notified that the WTP
 will now reinitialize its operation.

8.5. WTP Event Request

 The WTP Event Request is used by a WTP to send information to its AC.
 These types of events may be periodical, or some asynchronous event
 on the WTP.  For instance, a WTP collects statistics and uses the WTP
 Event Request to transmit this information to the AC.
 When an AC receives a WTP Event Request, it will respond with a WTP
 Event Request.

Calhoun, et al. Historic [Page 68] RFC 5412 Lightweight Access Point Protocol February 2010

 The WTP Event Request message MUST contain one of the following
 message element described in the next subsections, or a message
 element that is defined for a specific technology.

8.5.1. Decryption Error Report

 The Decryption Error Report message element value is used by the WTP
 to inform the AC of decryption errors that have occurred since the
 last report.
     0                   1                   2
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Radio ID    |Num Of Entries |      Mobile MAC Address       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Mobile MAC Address[]                    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   39 for Decryption Error Report
 Length:   >= 8
 Radio ID:   The Radio Identifier, typically refers to some interface
    index on the WTP.
 Num Of Entries:   An 8-bit unsigned integer indicating the number of
    mobile MAC addresses.
 Mobile MAC Address:   An array of mobile station MAC addresses that
    have caused decryption errors.

8.5.2. Duplicate IPv4 Address

 The Duplicate IPv4 Address message element is used by a WTP to inform
 an AC that it has detected another host using the same IP address it
 is currently using.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          IP Address                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          MAC Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          MAC Address          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   77 for Duplicate IPv4 Address

Calhoun, et al. Historic [Page 69] RFC 5412 Lightweight Access Point Protocol February 2010

 Length:   10
 IP Address:   The IP address currently used by the WTP.
 MAC Address:   The MAC address of the offending device.

8.5.3. Duplicate IPv6 Address

 The Duplicate IPv6 Address message element is used by a WTP to inform
 an AC that it has detected another host using the same IP address it
 is currently using.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          IP Address                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          IP Address                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          IP Address                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          IP Address                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          MAC Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          MAC Address          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   77 for Duplicate IPv6 Address
 Length:   10
 IP Address:   The IP address currently used by the WTP.
 MAC Address:   The MAC address of the offending device.

8.6. WTP Event Response

 The WTP Event Response acknowledges the WTP Event Request.
 WTP Event Responses are sent by an AC after receiving a WTP Event
 Request.
 The WTP Event Response carries no message elements.

Calhoun, et al. Historic [Page 70] RFC 5412 Lightweight Access Point Protocol February 2010

8.7. Data Transfer Request

 The Data Transfer Request is used to upload debug information from
 the WTP to the AC.
 Data Transfer Requests are sent by the WTP to the AC when it
 determines that it has important information to send to the AC.  For
 instance, if the WTP detects that its previous reboot was caused by a
 system crash, it would want to send the crash file to the AC.  The
 remote debugger function in the WTP also uses the Data Transfer
 Request in order to send console output to the AC for debugging
 purposes.
 When an AC receives a Data Transfer Request, it will respond with a
 Data Transfer Response.  The AC may log the information received as
 it sees fit.
 The Data Transfer Request message MUST contain ONE of the following
 message element described in the next subsection.

8.7.1. Data Transfer Mode

 The Data Transfer Mode message element is used by the AC to request
 information from the WTP for debugging purposes.
     0
     0 1 2 3 4 5 6 7
    +-+-+-+-+-+-+-+-+
    |   Data  Type   |
    +-+-+-+-+-+-+-+-+
 Type:   52 for Data Transfer Mode
 Length:   1
 Data Type:   An 8-bit value describing the type of information being
    requested.  The following values are supported:
    1 -  WTP Crash Data
    2 -  WTP Memory Dump

8.7.2. Data Transfer Data

 The Data Transfer Data message element is used by the WTP to provide
 information to the AC for debugging purposes.

Calhoun, et al. Historic [Page 71] RFC 5412 Lightweight Access Point Protocol February 2010

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Data Type   |  Data Length  |    Data ....
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   53 for Data Transfer Data
 Length:   >= 3
 Data Type:   An 8-bit value describing the type of information being
    sent.  The following values are supported:
    1 -  WTP Crash Data
    2 -  WTP Memory Dump
 Data Length:   Length of data field.
 Data:   Debug information.

8.8. Data Transfer Response

 The Data Transfer Response acknowledges the Data Transfer Request.
 A Data Transfer Response is sent in response to a Data Transfer
 Request.  Its purpose is to acknowledge the receipt of the Data
 Transfer Request packet.
 The Data Transfer Response carries no message elements.
 Upon receipt of a Data Transfer Response, the WTP transmits more
 information, if any is available.

9. Mobile Session Management

 Messages in this section are used by the AC to create, modify, or
 delete mobile station session state on the WTPs.

9.1. Mobile Config Request

 The Mobile Config Request message is used to create, modify, or
 delete mobile session state on a WTP.  The message is sent by the AC
 to the WTP, and may contain one or more message elements.  The

Calhoun, et al. Historic [Page 72] RFC 5412 Lightweight Access Point Protocol February 2010

 message elements for this LWAPP control message include information
 that is generally highly technology-specific.  Therefore, please
 refer to the appropriate binding section or document for the
 definitions of the messages elements that may be used in this control
 message.
 This section defines the format of the Delete Mobile message element,
 since it does not contain any technology-specific information.

9.1.1. Delete Mobile

 The Delete Mobile message element is used by the AC to inform a WTP
 that it should no longer provide service to a particular mobile
 station.  The WTP must terminate service immediately upon receiving
 this message element.
 The transmission of a Delete Mobile message element could occur for
 various reasons, including administrative reasons, as a result of the
 fact that the mobile has roamed to another WTP, etc.
 Once access has been terminated for a given station, any future
 packets received from the mobile must result in a deauthenticate
 message, as specified in [6].
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |                  MAC Address                  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                  MAC Address                  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   30 for Delete Mobile
 Length:   7
 Radio ID:   An 8-bit value representing the radio
 MAC Address:   The mobile station's MAC address

9.2. Mobile Config Response

 The Mobile Configuration Response is used to acknowledge a previously
 received Mobile Configuration Request, and includes a Result Code
 message element that indicates whether an error occurred on the WTP.
 This message requires no special processing and is only used to
 acknowledge the Mobile Configuration Request.

Calhoun, et al. Historic [Page 73] RFC 5412 Lightweight Access Point Protocol February 2010

 The Data Transfer Request message MUST contain the message elements
 described in the next subsection.

9.2.1. Result Code

 The Result Code message element is defined in Section 6.2.1.

10. LWAPP Security

 Note: This version only defines a certificate and a shared-secret-
 based mechanism to secure control LWAPP traffic exchanged between the
 WTP and the AC.

10.1. Securing WTP-AC Communications

 While it is generally straightforward to produce network
 installations in which the communications medium between the WTP and
 AC is not accessible to the casual user (e.g., these LAN segments are
 isolated, and no RJ45 or other access ports exist between the WTP and
 the AC), this will not always be the case.  Furthermore, a determined
 attacker may resort to various, more sophisticated monitoring and/or
 access techniques, thereby compromising the integrity of this
 connection.
 In general, a certain level of threat on the local (wired) LAN is
 expected and accepted in most computing environments.  That is, it is
 expected that in order to provide users with an acceptable level of
 service and maintain reasonable productivity levels, a certain amount
 of risk must be tolerated.  It is generally believed that a certain
 perimeter is maintained around such LANs, that an attacker must have
 access to the building(s) in which such LANs exist, and that they
 must be able to "plug in" to the LAN in order to access the network.
 With these things in mind, we can begin to assess the general
 security requirements for AC-WTP communications.  While an in-depth
 security analysis of threats and risks to these communications is
 beyond the scope of this document, some discussion of the motivation
 for various security-related design choices is useful.  The
 assumptions driving the security design thus far include the
 following:
 o  WTP-AC communications take place over a wired connection that may
    be accessible to a sophisticated attacker.
 o  access to this connection is not trivial for an outsider (i.e.,
    someone who does not "belong" in the building) to access.

Calhoun, et al. Historic [Page 74] RFC 5412 Lightweight Access Point Protocol February 2010

 o  if authentication and/or privacy of end-to-end traffic for which
    the WTP and AC are intermediaries is required, this may be
    provided via IPsec [14].
 o  privacy and authentication for at least some WTP-AC control
    traffic is required (e.g., Wired Equivalent Privacy (WEP) keys for
    user sessions, passed from the AC to the WTP).
 o  the AC can be trusted to generate strong cryptographic keys.
 The AC-WTP traffic can be considered to consist of two types: data
 traffic (e.g., to or from an end user), and control traffic, which is
 strictly between the AC and WTP.  Since data traffic may be secured
 using IPsec (or some other end-to-end security mechanism), we confine
 our solution to control traffic.  The resulting security consists of
 two components: an authenticated key exchange and control traffic
 security encapsulation.  The security encapsulation is accomplished
 using AES-CCM, described in [3].  This encapsulation provides for
 strong AES-based authentication and encryption [2].  The exchange of
 cryptographic keys used for CCM is described below.

10.2. LWAPP Frame Encryption

 While the LWAPP protocol uses AES-CCM to encrypt control traffic, it
 is important to note that not all control frames are encrypted.  The
 LWAPP discovery and join phase are not encrypted.  The Discovery
 messages are sent in the clear since there does not exist a security
 association between the WTP and the AC during the discovery phase.
 The join phase is an authenticated exchange used to negotiate
 symmetric session keys (see Section 10.3).
 Once the join phase has been successfully completed, the LWAPP state
 machine Figure 2 will move to the Configure state, at which time all
 LWAPP control frames are encrypted using AES-CCM.
 Encryption of a control message begins at the Message Element field:
 meaning the Msg Type, Seq Num, Msg Element Length, and Session ID
 fields are left intact (see Section 4.2.1).
 The AES-CCM 12-byte authentication data is appended to the end of the
 message.  The authentication data is calculated from the start of the
 LWAPP packet and includes the complete LWAPP control header (see
 Section 4.2.1).

Calhoun, et al. Historic [Page 75] RFC 5412 Lightweight Access Point Protocol February 2010

 The AES-CCM block cipher protocol requires an initialization vector.
 The LWAPP protocol requires that the WTP and the AC maintain two
 separate IVs, one for transmission and one for reception.  The IV
 derived during the key exchange phase by both the WTP and the AC is
 used as the base for all encrypted packets with a new key.

10.3. Authenticated Key Exchange

 This section describes the key management component of the LWAPP
 protocol.  There are two modes supported by LWAPP: certificate and
 pre-shared key.

10.3.1. Terminology

 This section details the key management protocol that makes use of
 pre-shared secrets.
 The following notations are used throughout this section:
 o  PSK - the pre-shared key shared between the WTP and the AC.
 o  Kpriv - the private key of a public-private key pair.
 o  Kpub - the public key of the pair.
 o  SessionID - a randomly generated LWAPP session identifier,
    provided by the WTP in the Join Request.
 o  E-x{Kpub, M} - RSA encryption of M using X's public key.
 o  D-x{Kpriv, C} - RSA decryption of C using X's private key.
 o  AES-CMAC(key, packet) - A message integrity check, using AES-CMAC
    and key, of the complete LWAPP packet, with the Sequence Number
    field and the payload of the PSK-MIC message element set to zero.
 o  AES-E(key, plaintext) - Plaintext is encrypted with key, using
    AES.
 o  AES-D(key, ciphertext) - ciphertext is decrypted with key, using
    AES.
 o  Certificate-AC - AC's Certificate.
 o  Certificate-WTP - WTP's Certificate.
 o  WTP-MAC - The WTP's MAC address.

Calhoun, et al. Historic [Page 76] RFC 5412 Lightweight Access Point Protocol February 2010

 o  AC-MAC - The AC's MAC address.
 o  RK0 - the root key, which is created through a Key Derivation
    Function (KDF) function.
 o  RK0E - the root Encryption key, derived from RK0.
 o  RK0M - the root MIC key, derived from RK0.
 o  SK1 - the session key.
 o  SK1C - the session confirmation key, derived from SK.
 o  SK1E - the session encryption key, derived from SK.
 o  SK1W - the session keywrap key, derived from SK (see RFC 3394
    [9]).
 o  WNonce - The WTP's randomly generated nonce.
 o  ANonce - The AC's randomly generated nonce.
 o  EWNonce - The payload of the WNonce message element, which
    includes the WNonce.
 o  EANonce - The payload of the ANonce message element, which
    includes the ANonce.

10.3.2. Initial Key Generation

 The AC and WTP accomplish mutual authentication and a cryptographic
 key exchange in a dual round trip using the Join Request, Join
 Response, Join ACK, and Join Confirm (see Section 6.1).
 The following text describes the exchange between the WTP and the AC
 that creates a session key, which is used to secure LWAPP control
 messages.
 o  The WTP creates a Join Request using the following process:
    o  If certificate-based security is used, the WTP adds the
       Certificate message element (see Section 6.1.6) with its
       contents set to Certificate-WTP.
    o  The WTP adds the Session ID message element (see Section 6.1.7)
       with the contents set to a randomly generated session
       identifier (see RFC 1750 [4]).  The WTP MUST save the Session
       ID in order to validate the Join Response.

Calhoun, et al. Historic [Page 77] RFC 5412 Lightweight Access Point Protocol February 2010

    o  The WTP creates a random nonce, included in the XNonce message
       element (see Section 6.1.9).  The WTP MUST save the XNonce to
       validate the Join Response.
    o  The WTP transmits the Join Request to the AC.
 o  Upon receiving the Join Request, the AC uses the following
    process:
    o  The AC creates the Join Response, and ensures that the Session
       ID message element matches the value found in the Join Request.
    o  If certificate-based security is used, the AC:
       o  adds the Certificate-AC to the Certificate message element.
       o  creates a random 'AC Nonce' and encrypts it using the
          following algorithm E-wtp(Kpub, XNonce XOR 'AC Nonce').  The
          encrypted contents are added to the ANonce's message element
          payload.
    o  If a pre-shared-key-based security is used, the AC:
       o  creates RK0 through the following algorithm: RK0 = KDF-
          256{PSK, "LWAPP PSK Top K0" || Session ID || WTP-MAC || AC-
          MAC}, where WTP-MAC is the WTP's MAC address in the form
          "xx:xx:xx:xx:xx:xx".  Similarly, the AC-MAC is an ASCII
          encoding of the AC's MAC address, of the form "xx:xx:xx:xx:
          xx:xx".  The resulting K0 is split into the following:
          o  The first 16 octets are known as RK0E, and are used as an
             encryption key.
          o  The second 16 octets are known as RK0M, and are used for
             MIC'ing purposes.
       o  The AC creates a random 'AC Nonce' and encrypts it using the
          following algorithm: AES-E(RK0E, XNonce XOR 'AC Nonce').
          The encrypted contents are added to the ANonce's message
          element payload.
       o  The AC adds a MIC to the contents of the Join Response using
          AES-CMAC(RK0M, Join Response) and adds the resulting hash to
          the PSK-MIC (Section 6.2.9) message element.
 o  Upon receiving the Join Response, the WTP uses the following
    process:

Calhoun, et al. Historic [Page 78] RFC 5412 Lightweight Access Point Protocol February 2010

    o  If a pre-shared key is used, the WTP authenticates the Join
       Response's PSK-MIC message element.  If authentication fails,
       the packet is dropped.
    o  The WTP decrypts the ANonce message element and XOR's the value
       with XNonce to retrieve the 'AC Nonce'.  The ANonce payload is
       referred to as ciphertext below:
       o  If a pre-shared key is used, use AES-D(RK0E, ciphertext).
          The 'AC Nonce' is then recovered using XNonce XOR plaintext.
       o  If certificates are used, use d-wtp(Kpriv, ciphertext).  The
          'AC Nonce' is then recovered using XNonce XOR plaintext.
    o  The WTP creates a random 'WTP Nonce'.
    o  The WTP uses the KDF function to create a 64-octet session key
       (SK).  The KDF function used is as follows: KDF-512{'WTP Nonce'
       || 'AC Nonce', "LWAPP Key Generation", WTP-MAC || AC-MAC}.  The
       KDF function is defined in [7].
    o  SK is then broken down into three separate session keys with
       different purposes:
       o  The first 16 octets are known as SK1C, and are used as a
          confirmation key.
       o  The second 16 octets are known as SK1E, and are as the
          encryption key.
       o  The third 16 octets are known as SK1D, and are used as the
          keywrap key.
       o  The fourth 16 octets are known as IV, and are used as the
          Initialization Vector during encryption.
    o  The WTP creates the Join ACK message.
    o  If certificate-based security is used, the AC:
       o  encrypts the 'WTP Nonce' using the following algorithm: E-
          ac(Kpub, 'WTP Nonce').  The encrypted contents are added to
          the WNonce's message element payload.
    o  If a pre-shared-key-based security is used, the AC:

Calhoun, et al. Historic [Page 79] RFC 5412 Lightweight Access Point Protocol February 2010

       o  encrypts the 'WTP Nonce' using the following algorithm:
          AES-E(RK0E, 'WTP Nonce').  The encrypted contents are added
          to the WNonce's message element payload.
    o  The WTP adds a MIC to the contents of the Join ACK using
       AES-CMAC(SK1M, Join ACK) and adds the resulting hash to the
       PSK-MIC (Section 6.2.9) message element.
    o  The WTP then transmits the Join ACK to the AC.
 o  Upon receiving the Join ACK, the AC uses the following process:
    o  The AC authenticates the Join ACK through the PSK-MIC message
       element.  If authentic, the AC decrypts the WNonce message
       element to retrieve the 'WTP Nonce'.  If the Join ACK cannot be
       authenticated, the packet is dropped.
    o  The AC decrypts the WNonce message element to retrieve the 'WTP
       Nonce'.  The WNonce payload is referred to as ciphertext below:
       o  If a pre-shared key is used, use AES-D(RK0E, ciphertext).
          The plaintext is then considered the 'WTP Nonce'.
       o  If certificates are used, use d-ac(Kpriv, ciphertext).  The
          plaintext is then considered the 'WTP Nonce'.
    o  The AC then uses the KDF function to create a 64-octet session
       key (SK).  The KDF function used is as follows: KDF-512{'WTP
       Nonce' || 'AC Nonce', "LWAPP Key Generation", WTP-MAC ||
       AC-MAC}.  The KDF function is defined in [7].  The SK is split
       into SK1C, SK1E, SK1D, and IV, as previously noted.
    o  The AC creates the Join Confirm.
    o  The AC adds a MIC to the contents of the Join Confirm using
       AES-CMAC(SK1M, Join Confirm) and adds the resulting hash to the
       MIC (Section 6.2.9) message element.
    o  The AC then transmits the Join Confirm to the WTP.
 o  Upon receiving the Join Confirm, the WTP uses the following
    process:
    o  The WTP authenticates the Join Confirm through the PSK-MIC
       message element.  If the Join Confirm cannot be authenticated,
       the packet is dropped.

Calhoun, et al. Historic [Page 80] RFC 5412 Lightweight Access Point Protocol February 2010

 o  SK1E is now plumbed into the AC and WTP's crypto engine as the
    AES-CCM LWAPP control encryption session key.  Furthermore, the
    random IV is used as the base Initialization Vector.  From this
    point on, all control protocol payloads between the WTP and AC are
    encrypted and authenticated using the new session key.

10.3.3. Refreshing Cryptographic Keys

 Since AC-WTP associations will tend to be relatively long-lived, it
 is sensible to periodically refresh the encryption and authentication
 keys; this is referred to as "rekeying".  When the key lifetime
 reaches 95% of the configured value, identified in the KeyLifetime
 timer (see Section 12), the rekeying will proceed as follows:
 o  The WTP creates RK0 through the previously defined KDF algorithm:
    RK0 = KDF-256{SK1D, "LWAPP PSK Top K0" || Session ID || WTP-MAC ||
    AC-MAC}.  Note that the difference in this specific instance is
    that SK1D that was previously generated is used instead of the
    PSK.  Note this is used in both the certificate and pre-shared key
    modes.  The resulting RK0 creates RK0E, RK0M.
 o  The remaining steps used are identical to the join process, with
    the exception that the rekey messages are used instead of join
    messages, and the fact that the messages are encrypted using the
    previously created SK1E.  This means the Join Request is replaced
    with the Rekey Request, the Join Response is replaced with the
    Rekey Response, etc.  The two differences between the rekey and
    the join process are:
    o  The Certificate-WTP and Certificate-AC are not included in the
       Rekey-Request and Rekey-Response, respectively.
    o  Regardless of whether certificates or pre-shared keys were used
       in the initial key derivation, the process now uses the pre-
       shared key mode only, using SK1D as the "PSK".
 o  The Key Update Request is sent to the AC.
 o  The newly created SK1E is now plumbed into the AC and WTP's crypto
    engine as the AES-CCM LWAPP control encryption session key.
    Furthermore, the new random IV is used as the base Initialization
    Vector.  From this point on, all control protocol payloads between
    the WTP and AC are encrypted and authenticated using the new
    session key.

Calhoun, et al. Historic [Page 81] RFC 5412 Lightweight Access Point Protocol February 2010

    If either the WTP or the AC do not receive an expected response by
    the time the ResponseTimeout timer expires (see Section 12), the
    WTP MUST delete the new and old session information, and reset the
    state machine to the Idle state.
    Following a rekey process, both the WTP and the AC keep the
    previous encryption for 5-10 seconds in order to be able to
    process packets that arrive out of order.

10.4. Certificate Usage

 Validation of the certificates by the AC and WTP is required so that
 only an AC may perform the functions of an AC and that only a WTP may
 perform the functions of a WTP.  This restriction of functions to the
 AC or WTP requires that the certificates used by the AC MUST be
 distinguishable from the certificate used by the WTP.  To accomplish
 this differentiation, the x.509v3 certificates MUST include the
 Extensions field [10] and MUST include the NetscapeComment [11]
 extension.
 For an AC, the value of the NetscapeComment extension MUST be the
 string "CAPWAP AC Device Certificate".  For a WTP, the value of the
 NetscapeComment extension MUST be the string "CAPWAP WTP Device
 Certificate".
 Part of the LWAPP certificate validation process includes ensuring
 that the proper string is included in the NetscapeComment extension,
 and only allowing the LWAPP session to be established if the
 extension does not represent the same role as the device validating
 the certificate.  For instance, a WTP MUST NOT accept a certificate
 whose NetscapeComment field is set to "CAPWAP WTP Device
 Certificate".

11. IEEE 802.11 Binding

 This section defines the extensions required for the LWAPP protocol
 to be used with the IEEE 802.11 protocol.

11.1. Division of Labor

 The LWAPP protocol, when used with IEEE 802.11 devices, requires a
 specific behavior from the WTP and the AC, specifically in terms of
 which 802.11 protocol functions are handled.
 For both the Split and Local MAC approaches, the CAPWAP functions, as
 defined in the taxonomy specification, reside in the AC.

Calhoun, et al. Historic [Page 82] RFC 5412 Lightweight Access Point Protocol February 2010

11.1.1. Split MAC

 This section shows the division of labor between the WTP and the AC
 in a Split MAC architecture.  Figure 3 shows the clear separation of
 functionality among LWAPP components.
     Function                               Location
         Distribution Service                      AC
         Integration Service                       AC
         Beacon Generation                         WTP
         Probe Response                            WTP
         Power Mgmt/Packet Buffering               WTP
         Fragmentation/Defragmentation             WTP
         Assoc/Disassoc/Reassoc                    AC
    802.11e
         Classifying                               AC
         Scheduling                                WTP/AC
         Queuing                                   WTP
    802.11i
         802.1X/EAP                                AC
         Key Management                            AC
         802.11 Encryption/Decryption              WTP or AC
     Figure 3: Mapping of 802.11 Functions for Split MAC Architecture
 The Distribution and Integration services reside on the AC, and
 therefore all user data is tunneled between the WTP and the AC.  As
 noted above, all real-time 802.11 services, including the control
 protocol and the beacon and Probe Response frames, are handled on the
 WTP.
 All remaining 802.11 MAC management frames are supported on the AC,
 including the Association Request, which allows the AC to be involved
 in the access policy enforcement portion of the 802.11 protocol.  The
 802.1X and 802.11i key management function are also located on the
 AC.
 While the admission control component of 802.11e resides on the AC,
 the real-time scheduling and queuing functions are on the WTP.  Note
 that this does not exclude the AC from providing additional policing
 and scheduling functionality.
 Note that in the following figure, the use of '( - )' indicates that
 processing of the frames is done on the WTP.

Calhoun, et al. Historic [Page 83] RFC 5412 Lightweight Access Point Protocol February 2010

    Client                       WTP                        AC
             Beacon
    <-----------------------------
          Probe Request
    ----------------------------( - )------------------------->
          Probe Response
    <-----------------------------
                     802.11 AUTH/Association
    <--------------------------------------------------------->
                       Add Mobile (Clear Text, 802.1X Only)
                                    <------------------------->
           802.1X Authentication & 802.11i Key Exchange
    <--------------------------------------------------------->
                                Add Mobile (AES-CCMP, PTK=x)
                                    <------------------------->
                      802.11 Action Frames
    <--------------------------------------------------------->
                          802.11 DATA (1)
    <---------------------------( - )------------------------->
                     Figure 4: Split MAC Message Flow
 Figure 4 provides an illustration of the division of labor in a Split
 MAC architecture.  In this example, a WLAN has been created that is
 configured for 802.11i, using AES-CCMP for privacy.  The following
 process occurs:
 o  The WTP generates the 802.11 beacon frames, using information
    provided to it through the Add WLAN (see Section 11.8.1.1) message
    element.
 o  The WTP processes the Probe Request and responds with a
    corresponding Probe Response.  The problem request is then
    forwarded to the AC for optional processing.
 o  The WTP forwards the 802.11 Authentication and Association frames
    to the AC, which is responsible for responding to the client.
 o  Once the association is complete, the AC transmits an LWAPP Add
    Mobile Request to the WTP (see Section 11.7.1.1).  In the above
    example, the WLAN is configured for 802.1X, and therefore the
    '802.1X only' policy bit is enabled.
 o  If the WTP is providing encryption/decryption services, once the
    client has completed the 802.11i key exchange, the AC transmits
    another Add Mobile Request to the WTP, stating the security policy
    to enforce for the client (in this case AES-CCMP), as well as the

Calhoun, et al. Historic [Page 84] RFC 5412 Lightweight Access Point Protocol February 2010

    encryption key to use.  If encryption/decryption is handled in the
    AC, the Add Mobile Request would have the encryption policy set to
    "Clear Text".
 o  The WTP forwards any 802.11 Action frames received to the AC.
 o  All client data frames are tunneled between the WTP and the AC.
    Note that the WTP is responsible for encrypting and decrypting
    frames, if it was indicated in the Add Mobile Request.

11.1.2. Local MAC

 This section shows the division of labor between the WTP and the AC
 in a Local MAC architecture.  Figure 5 shows the clear separation of
 functionality among LWAPP components.
     Function                               Location
         Distribution Service                      WTP
         Integration Service                       WTP
         Beacon Generation                         WTP
         Probe Response                            WTP
         Power Mgmt/Packet Buffering               WTP
         Fragmentation/Defragmentation             WTP
         Assoc/Disassoc/Reassoc                    WTP
    802.11e
         Classifying                               WTP
         Scheduling                                WTP
         Queuing                                   WTP
    802.11i
         802.1X/EAP                                AC
         Key Management                            AC
         802.11 Encryption/Decryption              WTP
    Figure 5: Mapping of 802.11 Functions for Local AP Architecture
 Given that Distribution and Integration Services exist on the WTP,
 client data frames are not forwarded to the AC, with the exception
 listed in the following paragraphs.
 While the MAC is terminated on the WTP, it is necessary for the AC to
 be aware of mobility events within the WTPs.  As a consequence, the
 WTP MUST forward the 802.11 Association Requests to the AC, and the
 AC MAY reply with a failed Association Response if it deems it
 necessary.

Calhoun, et al. Historic [Page 85] RFC 5412 Lightweight Access Point Protocol February 2010

 The 802.1X and 802.11i Key Management function resides in the AC.
 Therefore, the WTP MUST forward all 802.1X/Key Management frames to
 the AC and forward the associated responses to the station.
 Note that in the following figure, the use of '( - )' indicates that
 processing of the frames is done on the WTP.
    Client                       WTP                        AC
             Beacon
    <-----------------------------
              Probe
    <---------------------------->
           802.11 AUTH
    <-----------------------------
                        802.11 Association
    <---------------------------( - )------------------------->
                       Add Mobile (Clear Text, 802.1X Only)
                                    <------------------------->
           802.1X Authentication & 802.11i Key Exchange
    <--------------------------------------------------------->
                      802.11 Action Frames
    <--------------------------------------------------------->
                                Add Mobile (AES-CCMP, PTK=x)
                                    <------------------------->
            802.11 DATA
    <----------------------------->
                     Figure 6: Local MAC Message Flow
 Figure 6 provides an illustration of the division of labor in a Local
 MAC architecture.  In this example, a WLAN has been created that is
 configured for 802.11i, using AES-CCMP for privacy.  The following
 process occurs:
 o  The WTP generates the 802.11 beacon frames, using information
    provided to it through the Add WLAN (see Section 11.8.1.1) message
    element.
 o  The WTP processes the Probe Request and responds with a
    corresponding Probe Response.
 o  The WTP forwards the 802.11 Authentication and Association frames
    to the AC, which is responsible for responding to the client.

Calhoun, et al. Historic [Page 86] RFC 5412 Lightweight Access Point Protocol February 2010

 o  Once the association is complete, the AC transmits an LWAPP Add
    Mobile Request to the WTP (see Section 11.7.1.1.  In the above
    example, the WLAN is configured for 802.1X, and therefore the
    '802.1X only' policy bit is enabled.
 o  The WTP forwards all 802.1X and 802.11i key exchange messages to
    the AC for processing.
 o  The AC transmits another Add Mobile Request to the WTP, stating
    the security policy to enforce for the client (in this case, AES-
    CCMP), as well as the encryption key to use.  The Add Mobile
    Request MAY include a VLAN name, which when present is used by the
    WTP to identify the VLAN on which the user's data frames are to be
    bridged.
 o  The WTP forwards any 802.11 Action frames received to the AC.
 o  The WTP locally bridges all client data frames, and provides the
    necessary encryption and decryption services.

11.2. Roaming Behavior and 802.11 Security

 It is important that LWAPP implementations react properly to mobile
 devices associating to the networks in how they generate Add Mobile
 and Delete Mobile messages.  This section expands upon the examples
 provided in the previous section, and describes how the LWAPP control
 protocol is used in order to provide secure roaming.
 Once a client has successfully associated with the network in a
 secure fashion, it is likely to attempt to roam to another access
 point.  Figure 7 shows an example of a currently associated station
 moving from its "Old WTP" to a new "WTP".  The figure is useful for
 multiple different security policies, including standard 802.1X and
 dynamic WEP keys, WPA or even WPA2 both with key caching (where the
 802.1x exchange would be bypassed) and without.

Calhoun, et al. Historic [Page 87] RFC 5412 Lightweight Access Point Protocol February 2010

    Client              Old WTP              WTP              AC
                  Association Request/Response
     <--------------------------------------( - )-------------->
                        Add Mobile (Clear Text, 802.1X Only)
                                              <---------------->
     802.1X Authentication (if no key cache entry exists)
     <--------------------------------------( - )-------------->
                   802.11i 4-way Key Exchange
     <--------------------------------------( - )-------------->
                                 Delete Mobile
                            <---------------------------------->
                                 Add Mobile (AES-CCMP, PTK=x)
                                              <---------------->
                     Figure 7: Client Roaming Example

11.3. Transport-Specific Bindings

 All LWAPP transports have the following IEEE 802.11 specific
 bindings:

11.3.1. Status and WLANS Field

 The interpretation of this 16-bit field depends on the direction of
 transmission of the packet.  Refer to the figure in Section 3.1.
 Status
 When an LWAPP packet is transmitted from a WTP to an AC, this field
 is called the Status field and indicates radio resource information
 associated with the frame.  When the message is an LWAPP control
 message this field is transmitted as zero.
 The Status field is divided into the signal strength and signal-to-
 noise ratio with which an IEEE 802.11 frame was received, encoded in
 the following manner:
     0                   1
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     RSSI      |     SNR       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 RSSI:   RSSI is a signed, 8-bit value.  It is the received signal
    strength indication, in dBm.

Calhoun, et al. Historic [Page 88] RFC 5412 Lightweight Access Point Protocol February 2010

 SNR:   SNR is a signed, 8-bit value.  It is the signal-to-noise ratio
    of the received IEEE 802.11 frame, in dB.
 WLANs field:   When an LWAPP data message is transmitted from an AC
    to a WTP, this 16-bit field indicates on which WLANs the
    encapsulated IEEE 802.11 frame is to be transmitted.  For unicast
    packets, this field is not used by the WTP.  For broadcast or
    multicast packets, the WTP might require this information if it
    provides encryption services.
    Given that a single broadcast or multicast packet might need to be
    sent to multiple wireless LANs (presumably each with a different
    broadcast key), this field is defined as a bit field.  A bit set
    indicates a WLAN ID (see Section 11.8.1.1), which will be sent the
    data.  The WLANS field is encoded in the following manner:
     0                   1
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          WLAN ID(s)           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

11.4. BSSID to WLAN ID Mapping

 The LWAPP protocol makes assumptions regarding the BSSIDs used on the
 WTP.  It is a requirement for the WTP to use a contiguous block of
 BSSIDs.  The WLAN Identifier field, which is managed by the AC, is
 used as an offset into the BSSID list.
 For instance, if a WTP had a base BSSID address of 00:01:02:00:00:00,
 and the AC sent an Add WLAN message with a WLAN Identifier of 2 (see
 Section 11.8.1.1), the BSSID for the specific WLAN on the WTP would
 be 00:01:02:00:00:02.
 The WTP communicates the maximum number of BSSIDs that it supports
 during the Config Request within the IEEE 802.11 WTP WLAN Radio
 Configuration message element (see Section 11.9.1).

11.5. Quality of Service

 It is recommended that 802.11 MAC management be sent by both the AC
 and the WTP with appropriate Quality-of-Service (QoS) values,
 ensuring that congestion in the network minimizes occurrences of
 packet loss.  Therefore, a QoS-enabled LWAPP device should use:
 802.1P:   The precedence value of 6 SHOULD be used for all 802.11 MAC
    management messages, except for Probe Requests, which SHOULD use
    4.

Calhoun, et al. Historic [Page 89] RFC 5412 Lightweight Access Point Protocol February 2010

 DSCP:   The DSCP tag value of 46 SHOULD be used for all 802.11 MAC
    management messages, except for Probe Requests, which SHOULD use
    34.

11.6. Data Message Bindings

 There are no LWAPP data message bindings for IEEE 802.11.

11.7. Control Message Bindings

 The IEEE 802.11 binding has the following control message
 definitions.

11.7.1. Mobile Config Request

 This section contains the 802.11-specific message elements that are
 used with the Mobile Config Request.

11.7.1.1. Add Mobile

 The Add Mobile Request is used by the AC to inform a WTP that it
 should forward traffic from a particular mobile station.  The Add
 Mobile Request may also include security parameters that must be
 enforced by the WTP for the particular mobile.
 When the AC sends an Add Mobile Request, it includes any security
 parameters that may be required.  An AC that wishes to update a
 mobile's policy on a WTP may do so by simply sending a new Add Mobile
 message element.
 When a WTP receives an Add Mobile message element, it must first
 override any existing state it may have for the mobile station in
 question.  The latest Add Mobile overrides any previously received
 messages.  If the Add Mobile message element's EAP-Only bit is set,
 the WTP MUST drop all 802.11 packets that do not contain EAP packets.
 Note that when EAP Only is set, the Encryption Policy field MAY have
 additional values, and therefore it is possible to inform a WTP to
 only accept encrypted EAP packets.  Once the mobile station has
 successfully completed EAP authentication, the AC must send a new Add
 Mobile message element to push the session key down to the WTP as
 well as to remove the EAP Only restriction.
 If the QoS field is set, the WTP MUST observe and provide policing of
 the 802.11e priority tag to ensure that it does not exceed the value
 provided by the AC.

Calhoun, et al. Historic [Page 90] RFC 5412 Lightweight Access Point Protocol February 2010

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |        Association ID         |  MAC Address  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          MAC Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  MAC Address  |E|C|            Encryption Policy              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Encrypt Policy |                Session Key...                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Pairwise TSC...                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Pairwise RSC...                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Capabilities         |   WLAN ID     |    WME Mode   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | 802.11e Mode  |      Qos      |        Supported Rates        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Supported Rates                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          VLAN Name...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   29 for Add Mobile
 Length:   36
 Radio ID:   An 8-bit value representing the radio.
 Association ID:   A 16-bit value specifying the 802.11 Association
    Identifier.
 MAC Address:   The mobile station's MAC address.
 E:   The 1-bit field is set by the AC to inform the WTP that it MUST
    NOT accept any 802.11 data frames, other than 802.1X frames.  This
    is the equivalent of the WTP's 802.1X port for the mobile station
    to be in the closed state.  When set, the WTP MUST drop any
    non-802.1X packets it receives from the mobile station.
 C:   The 1-bit field is set by the AC to inform the WTP that
    encryption services will be provided by the AC.  When set, the WTP
    SHOULD police frames received from stations to ensure that they
    comply to the stated encryption policy, but does not need to take
    specific cryptographic action on the frame.  Similarly, for
    transmitted frames, the WTP only needs to forward already
    encrypted frames.

Calhoun, et al. Historic [Page 91] RFC 5412 Lightweight Access Point Protocol February 2010

 Encryption Policy:   The policy field informs the WTP how to handle
    packets from/to the mobile station.  The following values are
    supported:
    0 -  Encrypt WEP 104: All packets to/from the mobile station must
         be encrypted using a standard 104-bit WEP.
    1 -  Clear Text: All packets to/from the mobile station do not
         require any additional crypto processing by the WTP.
    2 -  Encrypt WEP 40: All packets to/from the mobile station must
         be encrypted using a standard 40-bit WEP.
    3 -  Encrypt WEP 128: All packets to/from the mobile station must
         be encrypted using a standard 128-bit WEP.
    4 -  Encrypt AES-CCMP 128: All packets to/from the mobile station
         must be encrypted using a 128-bit AES-CCMP [7].
    5 -  Encrypt TKIP-MIC: All packets to/from the mobile station must
         be encrypted using Temporal Key Integrity Protocol (TKIP) and
         authenticated using Michael [16].
 Session Key:   A 32-octet session key the WTP is to use when
    encrypting traffic to or decrypting traffic from the mobile
    station.  The type of key is determined based on the Encryption
    Policy field.
 Pairwise TSC:   The TKIP Sequence Counter (TSC) to use for unicast
    packets transmitted to the mobile.
 Pairwise RSC:   The Receive Sequence Counter (RSC) to use for unicast
    packets received from the mobile.
 Capabilities:   A 16-bit field containing the 802.11 capabilities to
    use with the mobile.
 WLAN ID:   An 8-bit value specifying the WLAN Identifier.
 WME Mode:   An 8-bit Boolean used to identify whether the station is
    WME capable.  A value of zero is used to indicate that the station
    is not Wireless Multimedia Extension (WME) capable, while a value
    of one means that the station is WME capable.
 802.11e Mode:   An 8-bit Boolean used to identify whether the station
    is 802.11e-capable.  A value of zero is used to indicate that the
    station is not 802.11e-capable, while a value of one means that
    the station is 802.11e-capable.

Calhoun, et al. Historic [Page 92] RFC 5412 Lightweight Access Point Protocol February 2010

 QoS:   An 8-bit value specifying the QoS policy to enforce for the
    station.  The following values are supported: PRC: TO CHECK
    0 -  Silver (Best Effort)
    1 -  Gold (Video)
    2 -  Platinum (Voice)
    3 -  Bronze (Background)
 Supported Rates:   The supported rates to be used with the mobile
    station.
 VLAN Name:   An optional variable string containing the VLAN Name on
    which the WTP is to locally bridge user data.  Note that this
    field is only valid with Local MAC WTPs.

11.7.1.2. IEEE 802.11 Mobile Session Key

 The Mobile Session Key Payload message element is sent when the AC
 determines that encryption of a mobile station must be performed in
 the WTP.  This message element MUST NOT be present without the Add
 Mobile message element, and MUST NOT be sent if the WTP had not
 specifically advertised support for the requested encryption scheme
 (see Section 11.7.1.1).
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           MAC Address                         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          MAC Address          |       Encryption Policy       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |       Encryption Policy       |        Session Key...         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   105 for IEEE 802.11 Mobile Session Key
 Length:   >= 11
 MAC Address: The mobile station's MAC address.
 Encryption Policy: The policy field informs the WTP how to handle
    packets from/to the mobile station.  The following values are
    supported:

Calhoun, et al. Historic [Page 93] RFC 5412 Lightweight Access Point Protocol February 2010

    0 -  Encrypt WEP 104: All packets to/from the mobile station must
         be encrypted using a standard 104-bit WEP.
    1 -  Clear Text: All packets to/from the mobile station do not
         require any additional crypto processing by the WTP.
    2 -  Encrypt WEP 40: All packets to/from the mobile station must
         be encrypted using a standard 40-bit WEP.
    3 -  Encrypt WEP 128: All packets to/from the mobile station must
         be encrypted using a standard 128-bit WEP.
    4 -  Encrypt AES-CCMP 128: All packets to/from the mobile station
         must be encrypted using a 128-bit AES-CCMP [7].
    5 -  Encrypt TKIP-MIC: All packets to/from the mobile station must
         be encrypted using TKIP and authenticated using Michael [16].
 Session Key: The session key the WTP is to use when encrypting
    traffic to/from the mobile station.

11.7.1.3. Station QoS Profile

 The Station QoS Profile Payload message element contains the maximum
 802.11e priority tag that may be used by the station.  Any packets
 received that exceed the value encoded in this message element must
 either be dropped or tagged using the maximum value permitted to the
 user.  The priority tag must be between zero (0) and seven (7).
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           MAC Address                         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          MAC Address          |     802.1P Precedence Tag     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   140 for IEEE 802.11 Station QoS Profile
 Length:   12
 MAC Address:   The mobile station's MAC address.
 802.1P Precedence Tag:   The maximum 802.1P precedence value that the
    WTP will allow in the Traffic Identifier (TID) field in the
    extended 802.11e QoS Data header.

Calhoun, et al. Historic [Page 94] RFC 5412 Lightweight Access Point Protocol February 2010

11.7.1.4. IEEE 802.11 Update Mobile QoS

 The Update Mobile QoS message element is used to change the Quality-
 of-Service policy on the WTP for a given mobile station.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Radio ID    |        Association ID         |  MAC Address  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          MAC Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  MAC Address  |  QoS Profile  |        Vlan Identifier        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   DSCP Tag    |  802.1P Tag   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   106 for IEEE 802.11 Update Mobile QoS
 Length:   14
 Radio ID:   The Radio Identifier, typically refers to some interface
    index on the WTP.
 Association ID:   The 802.11 Association Identifier.
 MAC Address:   The mobile station's MAC address.
 QoS Profile:   An 8-bit value specifying the QoS policy to enforce
    for the station.  The following values are supported:
    0 -  Silver (Best Effort)
    1 -  Gold (Video)
    2 -  Platinum (Voice)
    3 -  Bronze (Background)
 VLAN Identifier:   PRC.
 DSCP Tag:   The DSCP label to use if packets are to be DSCP tagged.
 802.1P Tag:   The 802.1P precedence value to use if packets are to be
    802.1P-tagged.

Calhoun, et al. Historic [Page 95] RFC 5412 Lightweight Access Point Protocol February 2010

11.7.2. WTP Event Request

 This section contains the 802.11-specific message elements that are
 used with the WTP Event Request message.

11.7.2.1. IEEE 802.11 Statistics

 The Statistics message element is sent by the WTP to transmit its
 current statistics.  The value contains the following fields:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |               Tx Fragment Count               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Tx Fragment Cnt|               Multicast Tx Count              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Mcast Tx Cnt  |                  Failed Count                 |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Failed Count  |                  Retry Count                  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Retry Count  |             Multiple Retry Count              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Multi Retry Cnt|             Frame Duplicate Count             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Frame Dup Cnt |               RTS Success Count               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |RTS Success Cnt|               RTS Failure Count               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |RTS Failure Cnt|               ACK Failure Count               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |ACK Failure Cnt|               Rx Fragment Count               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Rx Fragment Cnt|               Multicast RX Count              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Mcast Rx Cnt  |                FCS Error  Count               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | FCS Error  Cnt|                 Tx Frame Count                |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Tx Frame Cnt  |               Decryption Errors               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Decryption Errs|
    +-+-+-+-+-+-+-+-+
 Type:   38 for Statistics
 Length:   57

Calhoun, et al. Historic [Page 96] RFC 5412 Lightweight Access Point Protocol February 2010

 Radio ID:   An 8-bit value representing the radio.
 Tx Fragment Count:   A 32-bit value representing the number of
    fragmented frames transmitted.
 Multicast Tx Count:   A 32-bit value representing the number of
    multicast frames transmitted.
 Failed Count:   A 32-bit value representing the transmit excessive
    retries.
 Retry Count:   A 32-bit value representing the number of transmit
    retries.
 Multiple Retry Count:   A 32-bit value representing the number of
    transmits that required more than one retry.
 Frame Duplicate Count:   A 32-bit value representing the duplicate
    frames received.
 RTS Success Count:   A 32-bit value representing the number of
    successfully transmitted Ready To Send (RTS).
 RTS Failure Count:   A 32-bit value representing the failed
    transmitted RTS.
 ACK Failure Count:   A 32-bit value representing the number of failed
    acknowledgements.
 Rx Fragment Count:   A 32-bit value representing the number of
    fragmented frames received.
 Multicast RX Count:   A 32-bit value representing the number of
    multicast frames received.
 FCS Error Count:   A 32-bit value representing the number of Frame
    Check Sequence (FCS) failures.
 Decryption Errors:   A 32-bit value representing the number of
    Decryption errors that occurred on the WTP.  Note that this field
    is only valid in cases where the WTP provides encryption/
    decryption services.

11.8. 802.11 Control Messages

 This section will define LWAPP control messages that are specific to
 the IEEE 802.11 binding.

Calhoun, et al. Historic [Page 97] RFC 5412 Lightweight Access Point Protocol February 2010

11.8.1. IEEE 802.11 WLAN Config Request

 The IEEE 802.11 WLAN Configuration Request is sent by the AC to the
 WTP in order to change services provided by the WTP.  This control
 message is used to either create, update, or delete a WLAN on the
 WTP.
 The IEEE 802.11 WLAN Configuration Request is sent as a result of
 either some manual administrative process (e.g., deleting a WLAN), or
 automatically to create a WLAN on a WTP.  When sent automatically to
 create a WLAN, this control message is sent after the LWAPP
 Configuration Request message has been received by the WTP.
 Upon receiving this control message, the WTP will modify the
 necessary services, and transmit an IEEE 802.11 WLAN Configuration
 Response.
 An WTP MAY provide service for more than one WLAN: therefore, every
 WLAN is identified through a numerical index.  For instance, a WTP
 that is capable of supporting up to 16 SSIDs could accept up to 16
 IEEE 802.11 WLAN Configuration Request messages that include the Add
 WLAN message element.
 Since the index is the primary identifier for a WLAN, an AC SHOULD
 attempt to ensure that the same WLAN is identified through the same
 index number on all of its WTPs.  An AC that does not follow this
 approach MUST find some other means of maintaining a WLAN Identifier
 to SSID mapping table.
 The following subsections define the message elements that are of
 value for this LWAPP operation.  Only one message MUST be present.

11.8.1.1. IEEE 802.11 Add WLAN

 The Add WLAN message element is used by the AC to define a wireless
 LAN on the WTP.  The value contains the following format:

Calhoun, et al. Historic [Page 98] RFC 5412 Lightweight Access Point Protocol February 2010

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |         WLAN Capability       |    WLAN ID    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                      Encryption Policy                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             Key ...                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Key Index   |   Shared Key  | WPA Data Len  |WPA IE Data ...|
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | RSN Data Len  |RSN IE Data ...|         Reserved ....         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | WME Data Len  |WME IE Data ...|  11e Data Len |11e IE Data ...|
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |      QoS      |   Auth Type   |Broadcast SSID |  Reserved...  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    SSID ...   |
    +-+-+-+-+-+-+-+-+
 Type:   7 for IEEE 802.11 Add WLAN
 Length:   >= 298
 Radio ID:   An 8-bit value representing the radio.
 WLAN Capability:   A 16-bit value containing the capabilities to be
    advertised by the WTP within the Probe and Beacon messages.
 WLAN ID:   A 16-bit value specifying the WLAN Identifier.
 Encryption Policy:   A 32-bit value specifying the encryption scheme
    to apply to traffic to and from the mobile station.
    The following values are supported:
    0 -  Encrypt WEP 104: All packets to/from the mobile station must
         be encrypted using a standard 104-bit WEP.
    1 -  Clear Text: All packets to/from the mobile station do not
         require any additional crypto processing by the WTP.
    2 -  Encrypt WEP 40: All packets to/from the mobile station must
         be encrypted using a standard 40-bit WEP.
    3 -  Encrypt WEP 128: All packets to/from the mobile station must
         be encrypted using a standard 128-bit WEP.

Calhoun, et al. Historic [Page 99] RFC 5412 Lightweight Access Point Protocol February 2010

    4 -  Encrypt AES-CCMP 128: All packets to/from the mobile station
         must be encrypted using a 128-bit AES-CCMP [7].
    5 -  Encrypt TKIP-MIC: All packets to/from the mobile station must
         be encrypted using TKIP and authenticated using Michael [16].
    6 -  Encrypt CKIP: All packets to/from the mobile station must be
         encrypted using Cisco TKIP.
 Key:   A 32-byte session key to use with the encryption policy.
 Key-Index:   The Key Index associated with the key.
 Shared Key:   A 1-byte Boolean that specifies whether the key
    included in the Key field is a shared WEP key.  A value of zero is
    used to state that the key is not a shared WEP key, while a value
    of one is used to state that the key is a shared WEP key.
 WPA Data Len:   Length of the WPA Information Element (IE).
 WPA IE:   A 32-byte field containing the WPA Information Element.
 RSN Data Len:   Length of the Robust Security Network (RSN) IE.
 RSN IE:   A 64-byte field containing the RSN Information Element.
 Reserved:   A 49-byte reserved field, which MUST be set to zero (0).
 WME Data Len:   Length of the WME IE.
 WME IE:   A 32-byte field containing the WME Information Element.
 DOT11E Data Len:   Length of the 802.11e IE.
 DOT11E IE:   A 32-byte field containing the 802.11e Information
    Element.
 QOS:   An 8-bit value specifying the QoS policy to enforce for the
    station.
    The following values are supported:
    0 -  Silver (Best Effort)
    1 -  Gold (Video)
    2 -  Platinum (Voice)

Calhoun, et al. Historic [Page 100] RFC 5412 Lightweight Access Point Protocol February 2010

    3 -  Bronze (Background)
 Auth Type:   An 8-bit value specifying the station's authentication
    type.
    The following values are supported:
    0 -  Open System
    1 -  WEP Shared Key
    2 -  WPA/WPA2 802.1X
    3 -  WPA/WPA2 PSK
 Broadcast SSID:   A Boolean indicating whether the SSID is to be
    broadcast by the WTP.  A value of zero disables SSID broadcast,
    while a value of one enables it.
 Reserved:   A 40-byte reserved field.
 SSID:   The SSID attribute is the service set identifier that will be
    advertised by the WTP for this WLAN.

11.8.1.2. IEEE 802.11 Delete WLAN

 The Delete WLAN message element is used to inform the WTP that a
 previously created WLAN is to be deleted.  The value contains the
 following fields:
     0                   1                   2
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |            WLAN ID            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   28 for IEEE 802.11 Delete WLAN
 Length:   3
 Radio ID:   An 8-bit value representing the radio
 WLAN ID:   A 16-bit value specifying the WLAN Identifier

11.8.1.3. IEEE 802.11 Update WLAN

 The Update WLAN message element is used by the AC to define a
 wireless LAN on the WTP.  The value contains the following format:

Calhoun, et al. Historic [Page 101] RFC 5412 Lightweight Access Point Protocol February 2010

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |             WLAN ID           |Encrypt Policy |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                      Encryption Policy        |     Key...    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             Key ...                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Key Index   |   Shared Key  |        WLAN Capability        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   34 for IEEE 802.11 Update WLAN
 Length:   43
 Radio ID:   An 8-bit value representing the radio.
 WLAN ID:   A 16-bit value specifying the WLAN Identifier.
 Encryption Policy:   A 32-bit value specifying the encryption scheme
    to apply to traffic to and from the mobile station.
    The following values are supported:
    0 -  Encrypt WEP 104: All packets to/from the mobile station must
         be encrypted using a standard 104-bit WEP.
    1 -  Clear Text: All packets to/from the mobile station do not
         require any additional crypto processing by the WTP.
    2 -  Encrypt WEP 40: All packets to/from the mobile station must
         be encrypted using a standard 40-bit WEP.
    3 -  Encrypt WEP 128: All packets to/from the mobile station must
         be encrypted using a standard 128-bit WEP.
    4 -  Encrypt AES-CCMP 128: All packets to/from the mobile station
         must be encrypted using a 128-bit AES-CCMP [7].
    5 -  Encrypt TKIP-MIC: All packets to/from the mobile station must
         be encrypted using TKIP and authenticated using Michael [16].
    6 -  Encrypt CKIP: All packets to/from the mobile station must be
         encrypted using Cisco TKIP.
 Key:   A 32-byte session key to use with the encryption policy.

Calhoun, et al. Historic [Page 102] RFC 5412 Lightweight Access Point Protocol February 2010

 Key-Index:   The Key Index associated with the key.
 Shared Key:   A 1-byte Boolean that specifies whether the key
    included in the Key field is a shared WEP key.  A value of zero
    means that the key is not a shared WEP key, while a value of one
    is used to state that the key is a shared WEP key.
 WLAN Capability:   A 16-bit value containing the capabilities to be
    advertised by the WTP within the Probe and Beacon messages.

11.8.2. IEEE 802.11 WLAN Config Response

 The IEEE 802.11 WLAN Configuration Response is sent by the WTP to the
 AC as an acknowledgement of the receipt of an IEEE 802.11 WLAN
 Configuration Request.
 This LWAPP control message does not include any message elements.

11.8.3. IEEE 802.11 WTP Event

 The IEEE 802.11 WTP Event LWAPP message is used by the WTP in order
 to report asynchronous events to the AC.  There is no reply message
 expected from the AC, except that the message is acknowledged via the
 reliable transport.
 When the AC receives the IEEE 802.11 WTP Event, it will take whatever
 action is necessary, depending upon the message elements present in
 the message.
 The IEEE 802.11 WTP Event message MUST contain one of the following
 message elements described in the next subsections.

11.8.3.1. IEEE 802.11 MIC Countermeasures

 The MIC Countermeasures message element is sent by the WTP to the AC
 to indicate the occurrence of a MIC failure.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Radio ID    |    WLAN ID    |          MAC Address          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          MAC Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   61 for IEEE 802.11 MIC Countermeasures
 Length:   8

Calhoun, et al. Historic [Page 103] RFC 5412 Lightweight Access Point Protocol February 2010

 Radio ID:   The Radio Identifier, typically refers to some interface
    index on the WTP.
 WLAN ID:   This 8-bit unsigned integer includes the WLAN Identifier,
    on which the MIC failure occurred.
 MAC Address:   The MAC address of the mobile station that caused the
    MIC failure.

11.8.3.2. IEEE 802.11 WTP Radio Fail Alarm Indication

 The WTP Radio Fail Alarm Indication message element is sent by the
 WTP to the AC when it detects a radio failure.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Radio ID    |     Type      |    Status     |      Pad      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   95 for WTP Radio Fail Alarm Indication
 Length:   4
 Radio ID:   The Radio Identifier, typically refers to some interface
    index on the WTP.
 Type:   The type of radio failure detected.  The following values are
    supported:
    1 -  Receiver
    2 -  Transmitter
 Status:   An 8-bit Boolean indicating whether the radio failure is
    being reported or cleared.  A value of zero is used to clear the
    event, while a value of one is used to report the event.
 Pad:   Reserved field MUST be set to zero (0).

Calhoun, et al. Historic [Page 104] RFC 5412 Lightweight Access Point Protocol February 2010

11.9. Message Element Bindings

 The IEEE 802.11 Message Element binding has the following
 definitions:
                                              Conf  Conf  Conf  Add
                                              Req   Resp  Upd   Mobile
    IEEE 802.11 WTP WLAN Radio Configuration   X     X     X
    IEEE 802.11 Rate Set                             X     X
    IEEE 802.11 Multi-domain Capability        X     X     X
    IEEE 802.11 MAC Operation                  X     X     X
    IEEE 802.11 Tx Power                       X     X     X
    IEEE 802.11 Tx Power Level                 X
    IEEE 802.11 Direct Sequence Control        X     X     X
    IEEE 802.11 OFDM Control                   X     X     X
    IEEE 802.11 Supported Rates                X     X
    IEEE 802.11 Antenna                        X     X     X
    IEEE 802.11 CFP Status                     X           X
    IEEE 802.11 Broadcast Probe Mode                 X     X
    IEEE 802.11 WTP Mode and Type              X?          X
    IEEE 802.11 WTP Quality of Service               X     X
    IEEE 802.11 MIC Error Report From Mobile               X
    IEEE 802.11 Update Mobile QoS                                X
    IEEE 802.11 Mobile Session Key                               X

11.9.1. IEEE 802.11 WTP WLAN Radio Configuration

 The WTP WLAN radio configuration is used by the AC to configure a
 Radio on the WTP.  The message element value contains the following
 Fields:
      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |    Reserved   |        Occupancy Limit        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    CFP Per    |      CFP Maximum Duration     |     BSS ID    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                            BSS ID                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     BSS ID    |        Beacon Period          |    DTIM Per   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Country String                         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Num Of BSSIDs |
    +-+-+-+-+-+-+-+-+

Calhoun, et al. Historic [Page 105] RFC 5412 Lightweight Access Point Protocol February 2010

 Type:   8 for IEEE 802.11 WTP WLAN Radio Configuration
 Length:   20
 Radio ID:   An 8-bit value representing the radio to configure.
 Reserved:   MUST be set to zero
 Occupancy Limit:   This attribute indicates the maximum amount of
    time, in Time Units (TUs), that a point coordinator MAY control
    the usage of the wireless medium without relinquishing control for
    long enough to allow at least one instance of Distributed
    Coordination Function (DCF) access to the medium.  The default
    value of this attribute SHOULD be 100, and the maximum value
    SHOULD be 1000.
 CFP Period:   The attribute describes the number of DTIM intervals
    between the start of Contention-Free Periods (CFPs).
 CFP Maximum Duration:   The attribute describes the maximum duration
    of the CFP in TU that MAY be generated by the Point Coordination
    Function (PCF).
 BSSID:   The WLAN Radio's base MAC address.  For WTPs that support
    more than a single WLAN, the value of the WLAN Identifier is added
    to the last octet of the BSSID.  Therefore, a WTP that supports 16
    WLANs MUST have 16 MAC addresses reserved for it, and the last
    nibble is used to represent the WLAN ID.
 Beacon Period:   This attribute specifies the number of TUs that a
    station uses for scheduling Beacon transmissions.  This value is
    transmitted in Beacon and Probe Response frames.
 DTIM Period:   This attribute specifies the number of Beacon
    intervals that elapses between transmission of Beacons frames
    containing a TIM element whose DTIM Count field is 0.  This value
    is transmitted in the DTIM Period field of Beacon frames.
 Country Code:   This attribute identifies the country in which the
    station is operating.  The first two octets of this string is the
    two-character country code as described in document ISO/IEC 3166-
    1.  The third octet MUST be one of the following:
 1. an ASCII space character, if the regulations under which the
    station is operating encompass all environments in the country,
 2. an ASCII 'O' character, if the regulations under which the station
    is operating are for an outdoor environment only, or

Calhoun, et al. Historic [Page 106] RFC 5412 Lightweight Access Point Protocol February 2010

 3. an ASCII 'I' character, if the regulations under which the station
    is operating are for an indoor environment only.
 Number of BSSIDs:   This attribute contains the maximum number of
    BSSIDs supported by the WTP.  This value restricts the number of
    logical networks supported by the WTP.

11.9.2. IEEE 802.11 Rate Set

 The Rate Set message element value is sent by the AC and contains the
 supported operational rates.  It contains the following fields:
      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |                   Rate Set                    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   16 for IEEE 802.11 Rate Set
 Length:   4
 Radio ID:   An 8-bit value representing the radio to configure.
 Rate Set:   The AC generates the Rate Set that the WTP is to include
    in its Beacon and Probe messages.

11.9.3. IEEE 802.11 Multi-Domain Capability

 The Multi-Domain Capability message element is used by the AC to
 inform the WTP of regulatory limits.  The value contains the
 following fields:
      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |    Reserved   |        First Channel #        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |       Number of Channels      |       Max Tx Power Level      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   10 for IEEE 802.11 Multi-Domain Capability
 Length:   8
 Radio ID:   An 8-bit value representing the radio to configure.
 Reserved:   MUST be set to zero

Calhoun, et al. Historic [Page 107] RFC 5412 Lightweight Access Point Protocol February 2010

 First Channel #:   This attribute indicates the value of the lowest
    channel number in the subband for the associated domain country
    string.
 Number of Channels:   This attribute indicates the value of the total
    number of channels allowed in the subband for the associated
    domain country string.
 Max Tx Power Level:   This attribute indicates the maximum transmit
    power, in dBm, allowed in the subband for the associated domain
    country string.

11.9.4. IEEE 802.11 MAC Operation

 The MAC Operation message element is sent by the AC to set the 802.11
 MAC parameters on the WTP.  The value contains the following fields:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |    Reserved   |         RTS Threshold         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Short Retry  |  Long Retry   |    Fragmentation Threshold    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Tx MSDU Lifetime                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Rx MSDU Lifetime                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   11 for IEEE 802.11 MAC Operation
 Length:   16
 Radio ID:   An 8-bit value representing the radio to configure.
 Reserved:   MUST be set to zero
 RTS Threshold:   This attribute indicates the number of octets in a
    Management Protocol Data Unit (MPDU), below which an RTS/CTS
    (clear to send) handshake MUST NOT be performed.  An RTS/CTS
    handshake MUST be performed at the beginning of any frame exchange
    sequence where the MPDU is of type Data or Management, the MPDU
    has an individual address in the Address1 field, and the length of
    the MPDU is greater than this threshold.  Setting this attribute
    to be larger than the maximum MAC Service Data Unit (MSDU) size
    MUST have the effect of turning off the RTS/CTS handshake for
    frames of Data or Management type transmitted by this Station
    (STA).  Setting this attribute to zero MUST have the effect of

Calhoun, et al. Historic [Page 108] RFC 5412 Lightweight Access Point Protocol February 2010

    turning on the RTS/CTS handshake for all frames of Data or
    Management type transmitted by this STA.  The default value of
    this attribute MUST be 2347.
 Short Retry:   This attribute indicates the maximum number of
    transmission attempts of a frame, the length of which is less than
    or equal to RTSThreshold, that MUST be made before a failure
    condition is indicated.  The default value of this attribute MUST
    be 7.
 Long Retry:   This attribute indicates the maximum number of
    transmission attempts of a frame, the length of which is greater
    than dot11RTSThreshold, that MUST be made before a failure
    condition is indicated.  The default value of this attribute MUST
    be 4.
 Fragmentation Threshold:   This attribute specifies the current
    maximum size, in octets, of the MPDU that MAY be delivered to the
    PHY.  An MSDU MUST be broken into fragments if its size exceeds
    the value of this attribute after adding MAC headers and trailers.
    An MSDU or MAC Management Protocol Data Unit (MMPDU) MUST be
    fragmented when the resulting frame has an individual address in
    the Address1 field, and the length of the frame is larger than
    this threshold.  The default value for this attribute MUST be the
    lesser of 2346 or the aMPDUMaxLength of the attached PHY and MUST
    never exceed the lesser of 2346 or the aMPDUMaxLength of the
    attached PHY.  The value of this attribute MUST never be less than
    256.
 Tx MSDU Lifetime:   This attribute specifies the elapsed time in TU,
    after the initial transmission of an MSDU, after which, further
    attempts to transmit the MSDU MUST be terminated.  The default
    value of this attribute MUST be 512.
 Rx MSDU Lifetime:   This attribute specifies the elapsed time, in TU,
    after the initial reception of a fragmented MMPDU or MSDU, after
    which, further attempts to reassemble the MMPDU or MSDU MUST be
    terminated.  The default value MUST be 512.

11.9.5. IEEE 802.11 Tx Power

 The Tx Power message element value is bi-directional.  When sent by
 the WTP, it contains the current power level of the radio in
 question.  When sent by the AC, it contains the power level to which
 the WTP MUST adhere:

Calhoun, et al. Historic [Page 109] RFC 5412 Lightweight Access Point Protocol February 2010

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |    Reserved   |        Current Tx Power       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   12 for IEEE 802.11 Tx Power
 Length:   4
 Radio ID:   An 8-bit value representing the radio to configure.
 Reserved:   MUST be set to zero
 Current Tx Power:   This attribute contains the transmit output power
    in mW.

11.9.6. IEEE 802.11 Tx Power Level

 The Tx Power Level message element is sent by the WTP and contains
 the different power levels supported.  The value contains the
 following fields:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |   Num Levels  |        Power Level [n]        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   13 for IEEE 802.11 Tx Power Level
 Length:   >= 4
 Radio ID:   An 8-bit value representing the radio to configure.
 Num Levels:   The number of power level attributes.
 Power Level:   Each power level fields contains a supported power
    level, in mW.

11.9.7. IEEE 802.11 Direct Sequence Control

 The Direct Sequence Control message element is a bi-directional
 element.  When sent by the WTP, it contains the current state.  When
 sent by the AC, the WTP MUST adhere to the values.  This element is
 only used for 802.11b radios.  The value has the following fields.

Calhoun, et al. Historic [Page 110] RFC 5412 Lightweight Access Point Protocol February 2010

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |    Reserved   | Current Chan  |  Current CCA  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Energy Detect Threshold                    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   14 for IEEE 802.11 Direct Sequence Control
 Length:   8
 Radio ID:   An 8-bit value representing the radio to configure.
 Reserved:   MUST be set to zero
 Current Channel:   This attribute contains the current operating
    frequency channel of the Direct Sequence Spread Spectrum (DSSS)
    PHY.
 Current CCA:   The current Controlled Channel Access (CCA) method in
    operation.  Valid values are:
    1 - energy detect only (edonly)
    2 - carrier sense only (csonly)
    4 - carrier sense and energy detect (edandcs)
    8 - carrier sense with timer (cswithtimer)
    16 - high-rate carrier sense and energy detect (hrcsanded)
 Energy Detect Threshold:   The current Energy Detect Threshold being
    used by the DSSS PHY.

11.9.8. IEEE 802.11 OFDM Control

 The Orthogonal Frequency Division Multiplexing (OFDM) Control message
 element is a bi-directional element.  When sent by the WTP, it
 contains the current state.  When sent by the AC, the WTP MUST adhere
 to the values.  This element is only used for 802.11a radios.  The
 value contains the following fields:

Calhoun, et al. Historic [Page 111] RFC 5412 Lightweight Access Point Protocol February 2010

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |    Reserved   | Current Chan  |  Band Support |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                         TI Threshold                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   15 for IEEE 802.11 OFDM Control
 Length:   8
 Radio ID:   An 8-bit value representing the radio to configure.
 Reserved:   MUST be set to zero
 Current Channel:   This attribute contains the current operating
    frequency channel of the OFDM PHY.
 Band Supported:   The capability of the OFDM PHY implementation to
    operate in the three U-NII bands.  Coded as an integer value of a
    3-bit field as follows:
    Bit 0 -  capable of operating in the lower (5.15-5.25 GHz) U-NII
             band
    Bit 1 -  capable of operating in the middle (5.25-5.35 GHz) U-NII
             band
    Bit 2 -  capable of operating in the upper (5.725-5.825 GHz) U-NII
             band
    For example, for an implementation capable of operating in the
    lower and mid bands, this attribute would take the value.
 TI Threshold:   The threshold being used to detect a busy medium
    (frequency).  CCA MUST report a busy medium upon detecting the
    RSSI above this threshold.

11.9.9. IEEE 802.11 Antenna

 The Antenna message element is communicated by the WTP to the AC to
 provide information on the antennas available.  The AC MAY use this
 element to reconfigure the WTP's antennas.  The value contains the
 following fields:

Calhoun, et al. Historic [Page 112] RFC 5412 Lightweight Access Point Protocol February 2010

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |   Diversity   |    Combiner   |  Antenna Cnt  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Antenna Selection [0..N]                   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   41 for IEEE 802.11 Antenna
 Length:   >= 8
 Radio ID:   An 8-bit value representing the radio to configure.
 Diversity:   An 8-bit value specifying whether the antenna is to
    provide receive diversity.  The following values are supported:
    0 -  Disabled
    1 -  Enabled (may only be true if the antenna can be used as a
         receive antenna)
 Combiner:   An 8-bit value specifying the combiner selection.  The
    following values are supported:
    1 -  Sectorized (Left)
    2 -  Sectorized (Right)
    3 -  Omni
    4 -  Mimo
 Antenna Count:   An 8-bit value specifying the number of Antenna
    Selection fields.
 Antenna Selection:   One 8-bit antenna configuration value per
    antenna in the WTP.  The following values are supported:
    1 -  Internal Antenna
    2 -  External Antenna

11.9.10. IEEE 802.11 Supported Rates

 The Supported Rates message element is sent by the WTP to indicate
 the rates that it supports.  The value contains the following fields:

Calhoun, et al. Historic [Page 113] RFC 5412 Lightweight Access Point Protocol February 2010

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Radio ID   |                 Supported Rates               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   16 for IEEE 802.11 Supported Rates
 Length:   4
 Radio ID:   An 8-bit value representing the radio.
 Supported Rates:   The WTP includes the Supported Rates that its
    hardware supports.  The format is identical to the Rate Set
    message element.

11.9.11. IEEE 802.11 CFP Status

 The CFP Status message element is sent to provide the CF Polling
 configuration.
     0                   1
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Radio ID    |    Status     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   48 for IEEE 802.11 CFP Status
 Length:   2
 Radio ID:   The Radio Identifier, typically refers to some interface
    index on the WTP.
 Status:   An 8-bit Boolean containing the status of the CF Polling
    feature.  A value of zero disables CFP Status, while a value of
    one enables it.

11.9.12. IEEE 802.11 WTP Mode and Type

 The WTP Mode and Type message element is used to configure a WTP to
 operate in a specific mode.
     0                   1
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Mode      |     Type      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Calhoun, et al. Historic [Page 114] RFC 5412 Lightweight Access Point Protocol February 2010

 Type:   54 for IEEE 802.11 WTP Mode and Type
 Length:   2
 Mode:   An 8-bit value describing the type of information being sent.
    The following values are supported:
    0 -  Split MAC
    2 -  Local MAC
 Type:   The type field is not currently used.

11.9.13. IEEE 802.11 Broadcast Probe Mode

 The Broadcast Probe Mode message element indicates whether a WTP will
 respond to NULL SSID Probe requests.  Since broadcast NULL Probes are
 not sent to a specific BSSID, the WTP cannot know which SSID the
 sending station is querying.  Therefore, this behavior must be global
 to the WTP.
     0
     0 1 2 3 4 5 6 7
    +-+-+-+-+-+-+-+-+
    |    Status     |
    +-+-+-+-+-+-+-+-+
 Type:   51 for IEEE 802.11 Broadcast Probe Mode
 Length:   1
 Status:   An 8-bit Boolean indicating the status of whether a WTP
    shall respond to a NULL SSID Probe request.  A value of zero
    disables the NULL SSID Probe response, while a value of one
    enables it.

11.9.14. IEEE 802.11 WTP Quality of Service

 The WTP Quality of Service message element value is sent by the AC to
 the WTP to communicate quality-of-service configuration information.
     0                   1
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Radio ID    |  Tag Packets  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   57 for IEEE 802.11 WTP Quality of Service

Calhoun, et al. Historic [Page 115] RFC 5412 Lightweight Access Point Protocol February 2010

 Length:   12
 Radio ID:   The Radio Identifier, typically refers to some interface
    index on the WTP.
 Tag Packets:   A value indicating whether LWAPP packets should be
    tagged for QoS purposes.  The following values are currently
    supported:
    0 -  Untagged
    1 -  802.1P
    2 -  DSCP
    Immediately following the above header is the following data
    structure.  This data structure will be repeated five times, once
    for every QoS profile.  The order of the QoS profiles is Uranium,
    Platinum, Gold, Silver, and Bronze.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Queue Depth  |             CWMin             |     CWMax     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     CWMax     |     AIFS      |              CBR              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Dot1P Tag   |   DSCP Tag    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Queue Depth:   The number of packets that can be on the specific QoS
    transmit queue at any given time.
 CWMin:   The Contention Window minimum value for the QoS transmit
    queue.
 CWMax:   The Contention Window maximum value for the QoS transmit
    queue.
 AIFS:   The Arbitration Inter Frame Spacing to use for the QoS
    transmit queue.
 CBR:   The Constant Bit Rate (CBR) value to observe for the QoS
    transmit queue.
 Dot1P Tag:   The 802.1P precedence value to use if packets are to be
    802.1P tagged.

Calhoun, et al. Historic [Page 116] RFC 5412 Lightweight Access Point Protocol February 2010

 DSCP Tag:   The DSCP label to use if packets are to be DSCP tagged.

11.9.15. IEEE 802.11 MIC Error Report From Mobile

 The MIC Error Report From Mobile message element is sent by an AC to
 a WTP when it receives a MIC failure notification via the Error bit
 in the EAP over LAN (EAPOL)-Key frame.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Client MAC Address                      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |      Client MAC Address       |             BSSID             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             BSSID                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Radio ID    |    WLAN ID    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type:   79 for IEEE 802.11 MIC Error Report From Mobile
 Length:   14
 Client MAC Address:   The Client MAC address of the station reporting
    the MIC failure.
 BSSID:   The BSSID on which the MIC failure is being reported.
 Radio ID:   The Radio Identifier, typically refers to some interface
    index on the WTP.
 WLAN ID:   The WLAN ID on which the MIC failure is being reported.

11.10. IEEE 802.11 Message Element Values

 This section lists IEEE 802.11-specific values for any generic LWAPP
 message elements that include fields whose values are technology-
 specific.
 IEEE 802.11 uses the following values:
 4 - Encrypt AES-CCMP 128:   WTP supports AES-CCMP, as defined in [7].
 5 - Encrypt TKIP-MIC:   WTP supports TKIP and Michael, as defined in
     [16].

Calhoun, et al. Historic [Page 117] RFC 5412 Lightweight Access Point Protocol February 2010

12. LWAPP Protocol Timers

 A WTP or AC that implements LWAPP discovery MUST implement the
 following timers.

12.1. MaxDiscoveryInterval

 The maximum time allowed between sending Discovery Requests from the
 interface, in seconds.  Must be no less than 2 seconds and no greater
 than 180 seconds.
 Default: 20 seconds.

12.2. SilentInterval

 The minimum time, in seconds, a WTP MUST wait after failing to
 receive any responses to its Discovery Requests, before it MAY again
 send Discovery Requests.
 Default: 30

12.3. NeighborDeadInterval

 The minimum time, in seconds, a WTP MUST wait without having received
 Echo Responses to its Echo Requests, before the destination for the
 Echo Request may be considered dead.  Must be no less than
 2*EchoInterval seconds and no greater than 240 seconds.
 Default: 60

12.4. EchoInterval

 The minimum time, in seconds, between sending Echo Requests to the AC
 with which the WTP has joined.
 Default: 30

12.5. DiscoveryInterval

 The minimum time, in seconds, that a WTP MUST wait after receiving a
 Discovery Response, before sending a Join Request.
 Default: 5

Calhoun, et al. Historic [Page 118] RFC 5412 Lightweight Access Point Protocol February 2010

12.6. RetransmitInterval

 The minimum time, in seconds, that a non-acknowledged LWAPP packet
 will be retransmitted.
 Default: 3

12.7. ResponseTimeout

 The minimum time, in seconds, in which an LWAPP Request message must
 be responded to.
 Default: 1

12.8. KeyLifetime

 The maximum time, in seconds, that an LWAPP session key is valid.
 Default: 28800

13. LWAPP Protocol Variables

 A WTP or AC that implements LWAPP discovery MUST allow for the
 following variables to be configured by system management; default
 values are specified so as to make it unnecessary to configure any of
 these variables in many cases.

13.1. MaxDiscoveries

 The maximum number of Discovery Requests that will be sent after a
 WTP boots.
 Default: 10

13.2. DiscoveryCount

 The number of discoveries transmitted by a WTP to a single AC.  This
 is a monotonically increasing counter.

13.3. RetransmitCount

 The number of retransmissions for a given LWAPP packet.  This is a
 monotonically increasing counter.

Calhoun, et al. Historic [Page 119] RFC 5412 Lightweight Access Point Protocol February 2010

13.4. MaxRetransmit

 The maximum number of retransmissions for a given LWAPP packet before
 the link layer considers the peer dead.
 Default: 5

14. NAT Considerations

 There are two specific situations where a NAT system may be used in
 conjunction with LWAPP.  The first consists of a configuration where
 the WTP is behind a NAT system.  Given that all communication is
 initiated by the WTP, and all communication is performed over IP
 using a single UDP port, the protocol easily traverses NAT systems in
 this configuration.
 The second configuration is one where the AC sits behind a NAT, and
 there are two main issues that exist in this situation.  First, an AC
 communicates its interfaces and associated WTP load on these
 interfaces, through the WTP Manager Control IP Address.  This message
 element is currently mandatory, and if NAT compliance became an
 issue, it would be possible to either:
 1. make the WTP Manager Control IP Address optional, allowing the WTP
    to simply use the known IP address.  However, note that this
    approach would eliminate the ability to perform load balancing of
    WTP across ACs, and therefore is not the recommended approach.
 2. allow an AC to be able to configure a NAT'ed address for every
    associated AC that would generally be communicated in the WTP
    Manager Control IP Address message element.
 3. require that if a WTP determines that the AC List message element
    consists of a set of IP addresses that are different from the AC's
    IP address it is currently communicating with, then assume that
    NAT is being enforced, and require that the WTP communicate with
    the original AC's IP address (and ignore the WTP Manager Control
    IP Address message element(s)).
 Another issue related to having an AC behind a NAT system is LWAPP's
 support for the CAPWAP Objective to allow the control and data plane
 to be separated.  In order to support this requirement, the LWAPP
 protocol defines the WTP Manager Data IP Address message element,
 which allows the AC to inform the WTP that the LWAPP data frames are
 to be forwarded to a separate IP address.  This feature MUST be
 disabled when an AC is behind a NAT.  However, there is no easy way
 to provide some default mechanism that satisfies both the data/

Calhoun, et al. Historic [Page 120] RFC 5412 Lightweight Access Point Protocol February 2010

 control separation and NAT objectives, as they directly conflict with
 each other.  As a consequence, user intervention will be required to
 support such networks.
 LWAPP has a feature that allows for all of the AC's identities
 supporting a group of WTPs to be communicated through the AC List
 message element.  This feature must be disabled when the AC is behind
 a NAT and the IP address that is embedded would be invalid.
 The LWAPP protocol has a feature that allows an AC to configure a
 static IP address on a WTP.  The WTP Static IP Address Information
 message element provides such a function; however, this feature
 SHOULD NOT be used in NAT'ed environments, unless the administrator
 is familiar with the internal IP addressing scheme within the WTP's
 private network, and does not rely on the public address seen by the
 AC.
 When a WTP detects the duplicate address condition, it generates a
 message to the AC, which includes the Duplicate IP Address message
 element.  Once again, it is important to note that the IP address
 embedded within this message element would be different from the
 public IP address seen by the AC.

15. Security Considerations

 LWAPP uses either an authenticated key exchange or key agreement
 mechanism to ensure peer authenticity and establish fresh session
 keys to protect the LWAPP communications.
 The LWAPP protocol defines a join phase, which allows a WTP to bind a
 session with an AC.  During this process, a session key is mutually
 derived, and secured either through an X.509 certificate or a pre-
 shared key.  The resulting key exchange generates an encryption
 session key, which is used to encrypt the LWAPP control packets, and
 a key derivation key.
 During the established secure communication, the WTP and AC may rekey
 using the key update process, which is identical to the join phase,
 meaning the session keys are mutually derived.  However, the exchange
 described for pre-shared session keys is always used for the key
 update, with the pre-shared key set to the derivation key created
 either during the join, or the last key update if one has occurred.
 The key update results in a new derivation key, which is used in the
 next key update, as well as an encryption session key to encrypt the
 LWAPP control packets.

Calhoun, et al. Historic [Page 121] RFC 5412 Lightweight Access Point Protocol February 2010

 Replay protection of the Join Request is handled through an exchange
 of nonces during the join (or key update) phase.  The Join Request
 includes an XNonce, which is included in the AC's authenticated Join
 Reply's encrypted ANonce message element, allowing for the two
 messages to be bound.  Upon receipt of the Join Reply, the WTP
 generates the WNonce, and generates a set of session keys using a KDF
 function.  One of these keys is used to MIC the Join ACK.  The AC
 responds with a Join Confirm, which must also include a MIC, and
 therefore be capable of deriving the same set of session keys.
 In both the X.509 certificate and pre-shared key modes, an
 initialization vector is created through the above mentioned KDF
 function.  The IV and the KDF created encryption key are used to
 encrypt the LWAPP control frames.
 Given that authentication in the Join exchange does not occur until
 the WTP transmits the Join ACK message, it is crucial that an AC not
 delete any state for a WTP it is servicing until an authentication
 Join ACK has been received.  Otherwise, a potential Denial-of-Service
 attack exists, whereby sending a spoofed Join Request for a valid WTP
 would cause the AC to reset the WTP's connection.
 It is important to note that Perfect Forward Secrecy is not a
 requirement for the LWAPP protocol.
 Note that the LWAPP protocol does not add any new vulnerabilities to
 802.11 infrastructure that makes use of WEP for encryption purposes.
 However, implementors SHOULD discourage the use of WEP to allow the
 market to move towards technically sound cryptographic solutions,
 such as 802.11i.

15.1. Certificate-Based Session Key Establishment

 LWAPP uses public key cryptography to ensure trust between the WTP
 and the AC.  One question that periodically arises is why the Join
 Request is not signed.  Signing this request would not be optimal for
 the following reasons:
 1. The Join Request is replayable, so a signature doesn't provide
    much protection unless the switches keep track of all previous
    Join Requests from a given WTP.
 2. Replay detection is handled during the Join Reply and Join ACK
    messages.
 3. A signed Join Request provides a potential Denial-of-Service
    attack on the AC, which would have to authenticate each
    (potentially malicious) message.

Calhoun, et al. Historic [Page 122] RFC 5412 Lightweight Access Point Protocol February 2010

 The WTP-Certificate that is included in the Join Request MUST be
 validated by the AC.  It is also good practice that the AC perform
 some form of authorization, ensuring that the WTP in question is
 allowed to establish an LWAPP session with it.

15.2. PSK-Based Session Key Establishment

 Use of a fixed shared secret of limited entropy (for example, a PSK
 that is relatively short, or was chosen by a human and thus may
 contain less entropy than its length would imply) may allow an
 attacker to perform a brute-force or dictionary attack to recover the
 secret.
 It is RECOMMENDED that implementations that allow the administrator
 to manually configure the PSK also provide a functionality for
 generating a new random PSK, taking RFC 1750 [4] into account.
 Since the key generation does not expose the nonces in plaintext,
 there are no practical passive attacks possible.

16. Acknowledgements

 The authors wish to thank Michael Vakulenko for contributing text
 that describes how LWAPP can be used over a Layer 3 (IP) network.
 The authors would also like to thanks Russ Housley and Charles Clancy
 for their assistance in providing a security review of the LWAPP
 specification.  Charles' review can be found in [12].

17. References

17.1. Normative References

 [1]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
       Levels", BCP 14, RFC 2119, March 1997.
 [2]   National Institute of Standards and Technology, "Advanced
       Encryption Standard (AES)", FIPS PUB 197, November 2001,
       <http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf>.
 [3]   Whiting, D., Housley, R., and N. Ferguson, "Counter with CBC-
       MAC (CCM)", RFC 3610, September 2003.
 [4]   Eastlake, D., 3rd, Schiller, J., and S. Crocker, "Randomness
       Requirements for Security", BCP 106, RFC 4086, June 2005.
 [5]   Manner, J., Ed., and M. Kojo, Ed., "Mobility Related
       Terminology", RFC 3753, June 2004.

Calhoun, et al. Historic [Page 123] RFC 5412 Lightweight Access Point Protocol February 2010

 [6]   "Information technology - Telecommunications and information
       exchange between systems - Local and metropolitan area networks
       - Specific requirements - Part 11: Wireless LAN Medium Access
       Control (MAC) and Physical Layer (PHY) specifications", IEEE
       Standard 802.11, 2007,
       <http://standards.ieee.org/getieee802/download/802.11-2007.pdf>
 [7]   "Information technology - Telecommunications and information
       exchange between systems - Local and metropolitan area networks
       - Specific requirements - Part 11: Wireless LAN Medium Access
       Control (MAC) and Physical Layer (PHY) specifications Amendment
       6: Medium Access Control (MAC) Security Enhancements", IEEE
       Standard 802.11i, July 2004,
       http://standards.ieee.org/getieee802/download/802.11i-2004.pdf
 [8]   Clark, D., "IP datagram reassembly algorithms", RFC 815, July
       1982.
 [9]   Schaad, J. and R. Housley, "Advanced Encryption Standard (AES)
       Key Wrap Algorithm", RFC 3394, September 2002.
 [10]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley,
       R., and W. Polk, "Internet X.509 Public Key Infrastructure
       Certificate and Certificate Revocation List (CRL) Profile", RFC
       5280, May 2008.
 [11]  "Netscape-Defined Certificate Extensions",
       <http://www.redhat.com/docs/manuals/cert-
       system/admin/7.1/app_ext.html#35336>.
 [12]  Clancy, C., "Security Review of the Light-Weight Access Point
       Protocol", May 2005,
       <http://www.cs.umd.edu/~clancy/docs/lwapp-review.pdf>.

17.2. Informative References

 [13]  Reynolds, J., Ed., "Assigned Numbers: RFC 1700 is Replaced by
       an On-line Database", RFC 3232, January 2002.
 [14]   Kent, S. and K. Seo, "Security Architecture for the Internet
       Protocol", RFC 4301, December 2005.
 [15]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
       for Message Authentication", RFC 2104, February 1997.
 [16]  "WiFi Protected Access (WPA) rev 1.6", April 2003.

Calhoun, et al. Historic [Page 124] RFC 5412 Lightweight Access Point Protocol February 2010

Authors' Addresses

 Pat R. Calhoun
 Cisco Systems, Inc.
 170 West Tasman Drive
 San Jose, CA  95134
 Phone: +1 408-853-5269
 EMail: pcalhoun@cisco.com
 Rohit Suri
 Cisco Systems, Inc.
 170 West Tasman Drive
 San Jose, CA  95134
 Phone: +1 408-853-5548
 EMail: rsuri@cisco.com
 Nancy Cam-Winget
 Cisco Systems, Inc.
 170 West Tasman Drive
 San Jose, CA  95134
 Phone: +1 408-853-0532
 EMail: ncamwing@cisco.com
 Scott Kelly
 EMail: scott@hyperthought.com
 Michael Glenn Williams
 GWhiz Arts & Sciences
 1560 Newbury Road, Suite 1-204
 Newbury Park, CA 91320
 Phone: +1 805-499-1994
 EMail: gwhiz@gwhiz.com
 Sue Hares
 Phone: +1 734-604-0332
 EMail: shares@ndzh.com
 Bob O'Hara
 EMail: bob.ohara@computer.org

Calhoun, et al. Historic [Page 125]

/data/webs/external/dokuwiki/data/pages/rfc/rfc5412.txt · Last modified: 2010/02/22 22:38 (external edit)