WLAN Virtual AP Technology: IEEE-Virtual-Access-Points.doc

Uploaded by: jinchen  Document ID: 7049660  Upload date: 2019-05-04  Format: DOC  Pages: 13  Size: 138.50KB

March 2003    doc.: IEEE 802.11-03/154r1
Submission    page 1    Aboba, Microsoft

IEEE P802.11
Wireless LANs

Virtual Access Points

Date: May 22, 2003

Authors: Bernard Aboba
Microsoft
One Microsoft Way, Redmond, WA 98052-6399
Phone: +1 425-706-6605
E-mail:

Abstract

This paper reviews issues relating to virtual access points, access points which simultaneously advertise access to multiple networks. By enabling a single physical AP to present itself to the STA as multiple “virtual APs”, additional flexibility is provided in situations where simultaneous support for multiple access methods is required. In addition, virtual APs enable more economical deployment in situations where multiple providers would otherwise build out multiple networks within the same geographic area. This paper begins by describing the benefits of virtual APs, and then discusses the mechanisms used to implement this capability today. The approaches are reviewed and compared, and a standard approach is recommended.

Table of Contents

1. Introduction
1.1 What is a Virtual Access Point?
1.2 What are the benefits of Virtual APs?
1.3 The Virtual AP concept
2 MAC layer issues
2.1. Multiple SSIDs
2.1.1 Multiple SSIDs/Beacon, Single Beacon, Single BSSID
2.1.2 Single SSIDs/Beacon, Single Beacon, Single BSSID
2.1.3 Single SSIDs/Beacon, Multiple Beacon, Single BSSID
2.1.4 Single SSIDs/Beacon, Multiple Beacon, Multiple BSSIDs
2.2 Multiple VLANs
2.2.3 Per-VLAN default keys
3. IP layer issues
3.1 IP addresses
3.2 DNS configuration
4. Application layer issues
4.1 AAA configuration
4.2 Virtual MIBs
5. References

1. Introduction

1.1 What is a Virtual Access Point?

A “Virtual Access Point” is a logical entity that exists within a physical Access Point (AP). When a single physical AP supports multiple “Virtual APs”, each Virtual AP appears to stations (STAs) to be an independent physical AP, even though only a single physical AP is present. For example, multiple Virtual APs might exist within a single physical AP, each advertising a distinct SSID and capability set. Alternatively, multiple Virtual APs might advertise the same SSID but a different capability set, allowing access to be provided via Web Portal, WEP, and WPA simultaneously. Where APs are shared by multiple providers, Virtual APs provide each provider with separate authentication and accounting data for their users, as well as diagnostic information, without sharing sensitive management traffic or data between providers.

1.2 What are the benefits of Virtual APs?

Virtual APs allow a single provider to offer multiple services, as well as enabling multiple providers to share the same physical infrastructure. Advantages include:

Channel conservation. Multiple providers are becoming the norm within public spaces such as airports. Within an airport, it might be necessary to support an FAA network, one or more airline networks, and perhaps one or more Wireless ISPs (WISPs). However, in the US and Europe, 802.11b networks can only support three usable channels, and in France and Japan only one channel is available. Once the channels are utilized by existing APs, additional APs will interfere with each other and reduce performance. By allowing a single network to be used for multiple purposes, Virtual APs conserve channels.

Capital expenditure reduction. Wireless LAN deployment is expensive, and in the current economic environment, raising capital is difficult. In order to provide a better return on the installation and maintenance costs of wireless infrastructure deployment, it is less expensive to build infrastructure and share it among multiple providers than to build overlapping infrastructure.

Since each Virtual AP is a logically separate entity, providers may use Virtual APs to offer multiple services on the same physical infrastructure.

Example 1: Guest networks. An enterprise customer could use Virtual AP capabilities in order to offer access to guests as well as employees without having to deploy multiple AP networks. One Virtual AP can advertise the “GUEST” SSID, offering access to an Internet VLAN, while another Virtual AP can advertise the “CORPNET” SSID, offering access to the corporate network VLAN.

Virtual APs also allow providers to share the same physical infrastructure, while offering access to distinct networks.

Example 2: Web Portal/WPA transition. A Wireless ISP (WISP) formerly offering Web Portal access might want to add support for WPA. In order to allow both WISP access and WPA to coexist simultaneously, one Virtual AP can advertise the “EXAMPLE” SSID with Open Authentication, while another Virtual AP can advertise the “EXAMPLE” SSID, but with WPA support.

Example 3: WLAN resale. An infrastructure provider can resell access to the WLAN network, allowing each reseller to advertise their own unique set of services. For example, access could be offered via Web Portal, WPA or RSN simultaneously without having to deploy separate networks. For example, one Virtual AP could advertise the “SLOWNET” SSID, offering rates of 1 and 2 Mbps, along with support for a Web portal with open authentication (no WEP). Another Virtual AP could advertise the “FASTWPA” SSID, offering rates of 1, 2, 5.5 and 11 Mbps and support for WPA, while yet another Virtual AP could advertise the “FASTRSN” SSID, offering rates of 1, 2, 5.5 and 11 Mbps and support for RSN. STAs signed up with the SLOWNET service can then associate with that network via the Web Portal, while STAs signed up with the FASTRSN service and supporting RSN can associate with that network. Since the “SLOWNET”, “FASTWPA” and “FASTRSN” Virtual APs coexist within the same physical AP, no additional equipment is needed to enable this.

1.3 The Virtual AP concept

A Virtual AP is a logical entity that to a STA is indistinguishable from a physical AP residing within the same enclosure. As with all idealizations, a Virtual AP implementation may approximate the ideal behavior to a greater or lesser degree. Virtual and physical AP implementations are compared in Figure 1.

Figure 1. The Virtual AP Concept

In order to provide STAs with the illusion of multiple physical APs within the same enclosure, it is necessary for Virtual APs to emulate the operation of physical APs at the MAC layer. Emulating the operation of a physical AP at the radio frequency layer is typically not possible within a Virtual AP, unless multiple radios are available. As noted in Figure 1, Virtual APs emulate the MAC layer behavior of physical APs by operating with distinct BSSIDs, SSIDs, capability advertisements and default key sets.

In order to give providers sharing an AP their own distinct authentication and accounting data as well as diagnostics, it is desirable to provide partial emulation of the IP and Application Layer behavior of physical APs. At the IP layer, the behavior of distinct physical APs is emulated by allocating a distinct IP address, and potentially a Fully Qualified Domain Name (FQDN), to each Virtual AP. At the Application Layer, the behavior of distinct physical APs may be emulated by providing each Virtual AP with its own set of SNMPv3 secrets and SNMPv2 communities, RADIUS shared secrets, and Web and telnet login identities.

To provide the desired emulation at the MAC, IP and Application Layers, it is necessary to solve several technical problems:

Multiple SSIDs. In order to support multiple Virtual APs within a single physical AP, it is necessary to define how APs can support multiple SSIDs, and how STAs can discover those SSIDs. This allows each Virtual AP to advertise its own SSID.

Multiple capability advertisements. Since each Virtual AP may wish to offer a different set of services, it is necessary for each Virtual AP to advertise its own set of capabilities. In some cases, this may require the same SSID to be advertised with multiple capability sets.

Multiple VLANs. It is typically desirable to avoid intermixing of traffic from distinct Virtual APs. For example, on an AP shared by the FAA, an airline and a Wireless ISP (WISP), it would be undesirable for a WISP user to be able to snoop on or inject traffic into the FAA network. This can be achieved by allocating a unique VLAN to each Virtual AP. Since each VLAN represents a unique broadcast domain, in order to provide separation, each VLAN requires a unique default key.

Multiple RADIUS configurations. To allow each Virtual AP to be separately configured without affecting other Virtual APs, it is desirable to allow multiple RADIUS configurations, one for each Virtual AP. For example, each Virtual AP might be configured to use a different RADIUS proxy.

Multiple virtual SNMP MIBs. To enable each Virtual AP to be separately managed, it is desirable to provide a unique virtual MIB per Virtual AP. This can be accomplished by allocating each Virtual AP its own IP address, or by use of SNMPv3 context [RFC2975].

Pre-authentication routing. In the Association/Reassociation Request, the STA indicates the SSID it is associating with. Since 802.11 supports authentication prior to association, it is possible for an AP to receive an authentication request prior to association. Since Virtual APs may support multiple authentication models, before responding to a pre-authentication request, it is necessary to determine the SSID (and Virtual AP) to which it is targeted.

2 MAC layer issues

2.1. Multiple SSIDs

In [IEEE80211], the SSID is a field of between 0 and 32 octets that may be included as an Information Element (IE) within management frames. A zero length SSID indicates the broadcast SSID “any”. Management frames supporting the SSID IE include the Beacon, Probe Request/Response, and Association/Reassociation Request frames.

In order to discover SSIDs, the STA may support passive and/or active scanning. In passive scanning, the STA listens on a given channel for Beacons and Probe Responses, but does not issue its own Probe Requests. In active scanning, the STA issues a Probe Request to obtain this information more quickly. Since in 802.11 it is only possible for a STA to associate with a single AP and only a single SSID IE may be included within an Association/Reassociation Request, it is only possible for a STA to be associated with a single SSID at a time.

In order to support multiple SSIDs per AP, the following approaches may be considered:

1. Multiple SSIDs/Beacon, Single Beacon, Single BSSID. In this approach, the AP only uses a single BSSID, and sends a single Beacon. The AP includes multiple SSID Information Elements (IEs) within the Beacon or Probe Response, with the Beacon interval remaining unchanged. (Protocol extension; has compatibility problems.)

2. Single SSID/Beacon, Single Beacon, Single BSSID. In this approach, the AP only uses a single BSSID and sends a single Beacon. Each Beacon or Probe Response contains only one SSID IE. Only the capabilities corresponding to the “primary” SSID are sent in the Beacon and in response to a Probe Request for the broadcast SSID. However, the AP responds to Probe Requests for “secondary” SSIDs with a Probe Response including the capabilities corresponding to that SSID. (Broadcasts one primary SSID and hides the other SSIDs.)

3. Single SSID/Beacon, Multiple Beacons, Single BSSID. In this approach, the AP only uses a single BSSID, but sends multiple Beacons, each with a single SSID IE. The AP responds to Probe Requests for supported SSIDs (including a Request for the broadcast SSID) with a Probe Response including the capabilities corresponding to each SSID.

4. Single SSID/Beacon, Multiple Beacons, Multiple BSSIDs. In this approach, the AP uses multiple BSSIDs. Each Beacon or Probe Response contains only a single SSID IE. The AP sends Beacons for each Virtual AP that it supports at the standard Beacon interval, using a unique BSSID for each one. The AP responds to Probe Requests for supported BSSIDs (including a Request for the broadcast SSID) with a Probe Response including the capabilities corresponding to each BSSID.

The IEEE 802.11 specification does not provide guidance on which of these approaches is appropriate, and as a result, multiple incompatible approaches have been chosen by vendors. Unfortunately, as will be described, several of these approaches result in interoperability problems or undesirable side effects. Given the importance of Virtual AP support, it is highly desirable for the industry to converge on a single approach. As described below, approach 4 (Single SSID/Beacon, Multiple Beacons, Multiple BSSIDs) appears to be superior: it is the most compatible with the Virtual AP concept, is compatible with existing STAs, allows the discovery of new SSIDs, and does not increase the time required for a passive scan. It is therefore recommended that this approach be selected by vendors desiring to support Virtual APs. More details on each of the approaches are given below.

2.1.1 Multiple SSIDs/Beacon, Single Beacon, Single BSSID

In this approach, an AP includes multiple SSID IEs within the Beacon and Probe Response, with the Beacon interval remaining unchanged. Upon receiving a Probe Request with the broadcast SSID, the AP responds with multiple SSIDs inside the Probe Response. Since [IEEE80211] does not state explicitly how many SSID IEs may be included within management frames, this approach does not appear to be forbidden, and it supports both passive and active scanning. However, in practice many STA implementations assume that there can only be a single SSID IE within a management frame, and do not react well to multiple SSID IEs within a single Beacon or Probe Response. Thus, this approach has limited interoperability and typically requires STAs and APs from the same vendor.

In addition, all SSIDs are advertised from the same originating BSSID. As a result, STAs receive multicast/broadcast traffic from Virtual APs which they are not associated with. This traffic is subsequently discarded as a decrypt error, since the STA only obtains the default key corresponding to the associated SSID.

Another limitation of this approach is that it requires each SSID to offer the same set of capabilities, limiting the ability of Virtual APs to differentiate themselves. For example, on the same physical AP it may be desirable to provide a “high security” Virtual AP that supports RSN, alongside a “WISP” Virtual AP supporting Web Portal access. Given the inflexibility and poor interoperability of this approach, its use is discouraged.

2.1.2 Single SSIDs/Beacon, Single Beacon, Single BSSID

In this approach, Beacons and Probe Responses contain only one SSID IE. The AP includes a “primary” SSID in the Beacon, and responds to Probe Requests for the broadcast SSID only with a Probe Re
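An added example, not part of the original submission: a Python sketch that extracts the SSID IEs described in Section 2.1 from a Beacon or Probe Response body and sorts what a monitoring station hears into the approaches listed there. The BSSIDs, the frame-building helpers and the classification labels are constructed for illustration; approach 2 is not detected, since its secondary SSIDs appear only in responses to directed Probe Requests.

```python
import struct
from collections import defaultdict

SSID_IE = 0      # element ID of the SSID information element
FIXED_LEN = 12   # Beacon/Probe Response fixed fields: timestamp(8) + interval(2) + capability(2)

def parse_ssids(body):
    """Return every SSID IE in a Beacon/Probe Response body ('' is the broadcast SSID)."""
    if len(body) < FIXED_LEN:
        raise ValueError("frame body shorter than the fixed fields")
    ssids, off = [], FIXED_LEN
    while off < len(body):
        if off + 2 > len(body) or off + 2 + body[off + 1] > len(body):
            raise ValueError("truncated information element")
        eid, length = body[off], body[off + 1]
        if eid == SSID_IE:
            if length > 32:
                raise ValueError("SSID longer than 32 octets")
            ssids.append(body[off + 2:off + 2 + length].decode("utf-8", "replace"))
        off += 2 + length
    return ssids

def classify(frames):
    """frames: (bssid, body) pairs heard on one channel; map them to the paper's approaches."""
    per_bssid, multi_ie = defaultdict(set), False
    for bssid, body in frames:
        ssids = parse_ssids(body)
        multi_ie = multi_ie or len(ssids) > 1
        per_bssid[bssid].update(ssids)
    if multi_ie:
        return "approach 1: several SSID IEs in one frame"
    if any(len(s) > 1 for s in per_bssid.values()):
        return "approach 3: one BSSID, several Beacons with different SSIDs"
    return "one SSID per BSSID: approach 4, or separate physical APs"

def ie(eid, value=b""):
    return bytes([eid, len(value)]) + value

def beacon_body(*ssids):
    """Constructed sample: fixed fields, the given SSID IEs, Supported Rates 1 and 2 Mbps."""
    fixed = struct.pack("<QHH", 0, 100, 0x0001)   # timestamp, Beacon interval, capability
    return fixed + b"".join(ie(SSID_IE, s.encode()) for s in ssids) + ie(1, b"\x82\x84")

if __name__ == "__main__":
    a, b = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed BSSIDs
    print(classify([(a, beacon_body("GUEST", "CORPNET"))]))
    print(classify([(a, beacon_body("GUEST")), (a, beacon_body("CORPNET"))]))
    print(classify([(a, beacon_body("GUEST")), (b, beacon_body("CORPNET"))]))
```

A parser that stops at the first SSID IE would report only “GUEST” for the first sample, which is the single-SSID assumption Section 2.1.1 attributes to many STA implementations.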
