Interpretations

Answering questions that may arise related to the meaning of portions of an IEEE standard concerning specific applications.

IEEE Standards Interpretations for IEEE Std 802.11i™-2004 IEEE Standard for Information technology— Telecommunications and information exchange between systems— Local and metropolitan area networks— Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications Amendment 6: Medium Access Control (MAC) Security Enhancements

Copyright © 2008 by the Institute of Electrical and Electronics Engineers, Inc. 3 Park Avenue New York, New York 10016-5997 USA All Rights Reserved.

This is an interpretation of IEEE Std 802.11i-2004.

Interpretations are issued to explain and clarify the intent of a standard and do not constitute an alteration to the original standard. In addition, interpretations are not intended to supply consulting information. Permission is hereby granted to download and print one copy of this document. Individuals seeking permission to reproduce and/or distribute this document in its entirety or portions of this document must contact the IEEE Standards Department for the appropriate license. Use of the information contained in this document is at your own risk.

IEEE Standards Department Copyrights and Permissions 445 Hoes Lane, Piscataway, New Jersey 08855-1331, USA

November 2008

Interpretation Request #1
(2-05/06 - use of 802.1X™ uncontrolled port by 802.11i)
Topic: Conflicting statements in 802.11i on the use of the 802.1X uncontrolled port
Relevant Clauses: 5.4.2.2, 6.1.4, 8.5.4
Classification: Unambiguous

In 5.4.2.2: "However, a given protocol may need to bypass the authorization function and make use of the IEEE 802.1X Uncontrolled Port."

In 6.1.4: "The IEEE 802.1X Controlled/Uncontrolled Ports discard the MSDU if the Controlled Port is not enabled or if the MSDU does not represent an IEEE 802.1X frame."

The applicable conditions for the case in question:

Is a non-IEEE 802.1X frame such as an IP datagram allowed to make use of the IEEE 802.1X Uncontrolled Port before the Controlled Port is enabled in a certain case? The question comes up because the IETF PANA WG is defining a mode in which PANA protocol messages, carried in IP datagrams, make use of the IEEE 802.1X Uncontrolled Port over IEEE 802.11i.

It appears that there is a strict architectural boundary between IEEE 802.11i and IEEE 802.1X in that the IEEE 802.11i state machines order and filter events that are related to IEEE 802.1X so that IEEE 802.1X™ state machines can process them. If so, how IEEE 802.1X state machines process those events should be governed by IEEE 802.1X, not by IEEE 802.11i. In that sense, shouldn't the above quoted text in both 5.4.2.2 and 6.1.4 be interpreted as informative, not normative?

Interpretation Response #1
The standard is unambiguous on this issue. While 5.4.2.2 states a general capability of IEEE 802.1X, 6.1.4 places a limitation on this usage in IEEE 802.11. Subclause 8.5.4 further specifies this limitation in an ESS:

In an ESS, the AP indicates that the IEEE 802.11™ link is available by invoking the MLME-ASSOCIATE.indication or MLME-REASSOCIATE.indication primitive. At this point the Authenticator's Controlled Port corresponding to the STA's association is blocked, and communication of all non-IEEE 802.1X MSDUs sent or received via the Controlled Port is not authorized.

Interpretation Request #2
2-05/06 (use of 802.1X uncontrolled port by 802.11i)
Topic: Conflicting statements in 802.11i on the use of the 802.1X uncontrolled port
Relevant Clauses: 5.4.2.2, 6.1.4, 8.5.4
Classification: Unambiguous

The following interpretation is requested:

1. The specific designation of the standard, including the year of publication: IEEE Std 802.11i 2004

2. The specific subsection being questioned

In Clause 5.4.2.2:

"However, a given protocol may need to bypass the authorization function and make use of the IEEE 802.1X Uncontrolled Port."

In Clause 6.1.4:

"The IEEE 802.1X Controlled/Uncontrolled Ports discard the MSDU if the Controlled Port is not enabled or if the MSDU does not represent an IEEE 802.1X frame."

3. The applicable conditions for the case in question

Is a non-802.1X frame such as an IP datagram allowed to make use of the 802.1X Uncontrolled Port before the Controlled Port is enabled in a certain case? The question comes up because the IETF PANA WG is defining a mode in which PANA protocol messages, carried in IP datagrams, make use of the 802.1X Uncontrolled Port over 802.11i.

It appears that there is a strict architectural boundary between 802.11i and 802.1X in that the 802.11i state machines order and filter events that are related to 802.1X so that 802.1X state machines can process them. If so, how 802.1X state machines process those events should be governed by 802.1X, not by 802.11i. In that sense, shouldn't the above quoted text in both Clause 5.4.2.2 and Clause 6.1.4 be interpreted as informative, not normative?

Interpretation Response #2
The standard is unambiguous on this issue. While 5.4.2.2 states a general capability of 802.1X, clause 6.1.4 places a limitation on this usage in 802.11. Clause 8.5.4 further specifies this limitation in an ESS:

In an ESS, the AP indicates that the IEEE 802.11 link is available by invoking the MLME-ASSOCIATE.indication or MLME-REASSOCIATE.indication primitive. At this point the Authenticator’s Controlled Port corresponding to the STA’s association is blocked, and communication of all non-IEEE 802.1X MSDUs sent or received via the Controlled Port is not authorized.
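The limitation stated in Interpretation Responses #1 and #2 can be modelled as a per-MSDU port decision. The following is an added example, not text or code from IEEE Std 802.11i-2004. It assumes LLC/SNAP-encapsulated MSDUs, EtherType 0x888E for IEEE 802.1X frames and UDP port 716 for PANA; the function names and sample frames are constructed for illustration.

```python
import struct

# An 802.11 MSDU carries an LLC/SNAP header (zero OUI) before the EtherType.
LLC_SNAP = bytes.fromhex("aaaa03000000")
ETHERTYPE_EAPOL = 0x888E   # IEEE 802.1X (EAPOL)
ETHERTYPE_IPV4 = 0x0800
PANA_UDP_PORT = 716        # IANA-assigned UDP port for PANA (assumption of this example)

def ethertype(msdu: bytes):
    """Return the EtherType of an LLC/SNAP MSDU, or None if malformed."""
    if len(msdu) < 8 or msdu[:6] != LLC_SNAP:
        return None
    return struct.unpack("!H", msdu[6:8])[0]

def describe(msdu: bytes) -> str:
    """Label the payload for logging; truncated IPv4 is labelled 'other'."""
    et = ethertype(msdu)
    if et == ETHERTYPE_EAPOL:
        return "802.1X"
    if et == ETHERTYPE_IPV4 and len(msdu) >= 8 + 20:
        ip = msdu[8:]
        ihl = (ip[0] & 0x0F) * 4
        if ihl >= 20 and ip[9] == 17 and len(ip) >= ihl + 4:  # protocol 17 = UDP
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
            if PANA_UDP_PORT in (sport, dport):
                return "PANA/UDP/IP"
        return "IP"
    return "other"

def port_decision(msdu: bytes, controlled_port_authorized: bool) -> str:
    """802.1X frames use the Uncontrolled Port; every other MSDU needs the
    Controlled Port, which is blocked after (re)association until it is
    authorized, so non-802.1X MSDUs are discarded until then."""
    if ethertype(msdu) == ETHERTYPE_EAPOL:
        return "pass-uncontrolled"
    if controlled_port_authorized:
        return "pass-controlled"
    return "discard"

def _ipv4_udp(dport: int) -> bytes:
    # Constructed sample: minimal IPv4 header (checksum left zero) + UDP header.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 49152, dport, 8, 0)
    return LLC_SNAP + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp

EAPOL_START = LLC_SNAP + struct.pack("!H", ETHERTYPE_EAPOL) + bytes([1, 1, 0, 0])
PANA_MSDU = _ipv4_udp(PANA_UDP_PORT)
```

With the Controlled Port blocked, `port_decision(PANA_MSDU, False)` yields a discard while `port_decision(EAPOL_START, False)` passes, which is the case the interpretation request asks about.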