doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.

Avoiding Interactions with Lazy-WDS Equipment

Name Affiliation Address Phonee-mail

Javier Cardona +1 415 974 6770

14082223713

978-288-4566

613-763-5827

+49-241-802-5829

Microsoft Corp. +1 425 7064351

cozybit Inc. 165 Jessie St., San Francisco, CA 94105

javier@cozybit.com

Raja BanerjeaSandesh GoelRonak Chokshi

Marvell Semiconductor

5488 Marvell Lane, Santa Clara, CA 94087

{rajab,sgoel,rchokshi}@marvell.com

Bilel Jamoussi Bob Withrow

Nortel Networks 600 Technology ParkBillerica, MA 01821

{jamoussi,bwithrow}@marvell.com

Osama Aboul-Magd

Nortel Networks 3500 Carling AvenueOttawa, ONT, CanadaK2H-8E9

osama@nortel.com

Guido Hiertz Philips ComNets, Chair of Communication Networks, RWTH Aachen University, Kopernikusstr. 16, 52074 Aachen, Germany

hiertz@ieee.org

Thomas Kuehnel One Microsoft Way, Redmond, WA 98052

tkuehnel@microsoft.com

Date: 2008-03-15

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 2

Abstract

Mesh multicast traffic will trigger unwanted responses on Access Points that implement Lazy-WDS.  A frame format change is proposed that will avoid these interactions and make a more efficient use of the 802.11 header address fields.

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 3

BackgroundThe origin of this problem is summarized in IEEE Std 802.11TM-2007:

3.170 wireless distribution system (WDS): (...) This standard describes such a frame format, but does not describe how such a mechanism or frame format would be used.

The Wi-Fi Alliance is also silent about the use of the WDS frame format.

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 4

Background

So vendors had to get creative. There are two ways APs use WDS frames:

• Static WDS configuration– Network managers manually enter a list of WDS-peers

• Dynamic WDS configuration (most commonly known as Lazy-WDS)– Access Points automatically "discover" WDS peers.

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 5

What triggers automatic peer discovery?

• We've empirically established that some Lazy-WDS Access Points will assign WDS-peer status to any STA that transmits a multicast WDS frame (i.e if bit8, 1st octet of the Receiver Address is set).

• Ah, and this is regardless of the value of the protected bit in the frame control header.

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 6

The birth of a WDS-peer link

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 7

How does that affect 802.11s?

• Resolution 11-07/799r6 established that mesh will use WDS frame format. This means that each MP that forwards a broadcast/multicast frame in the vicinity of a Lazy-WDS AP will be treated as a WDS-peer.

• There is a large deployed population of Lazy-WDS Access Points... being in the vicinity of one is not hard.

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 8

So?

Mesh Points in range of Lazy-WDS APs will cause two serious problems: spurious traffic and DDoS attack on the AP.

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 9

Spurious Traffic

• Lazy-APs will retransmit all multicast traffic in the BSS to each and every MP in range.

• The AP does not consider the Mesh Sequence number to limit broadcast flooding.

• N MPs in range -> Each multicast frame is retransmitted N times by the AP.

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 10

Spurious Traffic

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 11

Spurious Traffic

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 12

Distributed Denial of Service Attack

• Apparently Lazy-WDS APs were designed to support only a small number of WDS peer links.

• A large number of MPs near a Lazy-WDS AP will carry out a DDoS attack on the Access Point.

• Service to the BSS will be disrupted.

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 13

Distributed Denial of Service Attack

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 14

Because of these problems we propose...

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 15

Broadcast and Multicast Packet Transmission According to Draft 1.09

• Broadcast mesh packets are transmitted using 4 address frame formats with Address 1 as either unicast or broadcast/multicast.

• If Address 1 is unicast there is no issue.

• However if Address 1 is broadcast then…

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 16

Broadcast and Multicast Packet Transmission According to Draft 1.09

11A.5.5.3.1 At Source MPs For non Proxied entriesAddress 1 = Broadcast or MulticastAddress 2 = Source MP MAC addressAddress 3 = Broadcast or MulticastAddress 4 = Source MP MAC Address

From Proxied entitiesAddress 1 = Broadcast or MulticastAddress 2 = Source MP MAC addressAddress 3 = Broadcast or MulticastAddress 4 = Source MP MAC AddressAE: Add 5 = Broadcast or MulticastAE:Addr 6 = Address of Proxied entity

11A.5.5.3.2 At Intermediate and destination MPsFor non Proxied entriesAddress 1 = Broadcast or MulticastAddress 2 = Intermediate MP MAC addressAddress 3 = Broadcast or MulticastAddress 4 = Source MP MAC Address

From Proxied entitiesAddress 1 = Broadcast or MulticastAddress 2 = Intermediate MP MAC addressAddress 3 = Broadcast or MulticastAddress 4 = Source MP MAC AddressAE:Addr 5 = Broadcast or MulticastAE:Addr 6 = Address of Proxied entity

Observations• A lot of redundant fields• Broadcast/multicast address repeated 2 times in non-proxied case• Broadcast/multicast address repeated 3 times in proxied case

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 17

Broadcast and Multicast Packet Transmission According to Draft 1.09

MPs

MP1

MP2

MP3

Address 1 = Broadcast or MulticastAddress 2 = MPs MAC AddrAddress 3 = Broadcast or MulticastAddress 4 = MPs MAC AddressSQ1

Address 1 = Broadcast or MulticastAddress 2 = MPs MAC AddrAddress 3 = Broadcast or MulticastAddress 4 = MPs MAC AddressSQ1

Address 1 = Broadcast or MulticastAddress 2 = MP1 MAC AddrAddress 3 = Broadcast or MulticastAddress 4 = MPs MAC AddressSQ1

Address 1 = Broadcast or MulticastAddress 2 = MP2 MAC AddrAddress 3 = Broadcast or MulticastAddress 4 = MPs MAC AddressSQ1

Determines duplicate Packet based on <MPs, SQ1>

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 18

Broadcast and Multicast Packet Transmission According to Draft 1.09

MPs1MPi1

MPi2

MP3

Address 1 = Broadcast or MulticastAddress 2 = MPs1 MAC AddrAddress 3 = Broadcast or MulticastAddress 4 = MPs1 MAC AddressAE:Addr 5 =Broadcast or MulticastAE:Addr 6= SSQ1

Address 1 = Broadcast or MulticastAddress 2 = MPi1 MAC AddrAddress 3 = Broadcast or MulticastAddress 4 = MPs1 MAC AddressAE:Addr 5 =Broadcast or MulticastAE:Addr 6 = SSQ1

Address 1 = Broadcast or MulticastAddress 2 = MPi2 MAC AddrAddress 3 = Broadcast or MulticastAddress 4 = MPs2 MAC AddressAE:Addr 5 =Broadcast or MulticastAE:Addr 6 = SSQ1

S

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 19

Broadcast and Multicast Packet Transmission Proposed Solution

11A.5.5.3.1 At Source MPs For non Proxied entriesAddress 1 = Broadcast or MulticastAddress 2 = Source MP MAC addressAddress 3 = Source MP MAC Address

From Proxied entitiesAddress 1 = Broadcast or MulticastAddress 2 = Source MP MAC addressAddress 3 = Source MP MAC addressAE:Addr 4 = Address of Proxied entity

11A.5.5.3.2 At Intermediate MPsFor non Proxied entriesAddress 1 = Broadcast or MulticastAddress 2 = Intermediate MP MAC addressAddress 3 = Source MP MAC Address

From Proxied entitiesAddress 1 = Broadcast or MulticastAddress 2 = Intermediate MP MAC addressAddress 3 = Source MP MAC AddressAE:Add 4 = Address of Proxied entity

• Use 3 address formats for all non-proxied broadcast/multicast data frames• Use AE=01 to carry proxied entity in proxied broadcast/multicast frame• Addr1, Addr2, Addr3 are TA, RA and SA respectively• From DS = 1, To DS = 0• Addr4 is proxied entity when AE=01

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 20

Broadcast and Multicast Packet Transmission Proposed Solution

MPs

MP1

MP2

MP3

Address 1 = Broadcast or MulticastAddress 2 = MPs MAC AddrAddress 3 = MPs MAC AddressSQ1

Address 1 = Broadcast or MulticastAddress 2 = MPs MAC AddrAddress 3 = MPs MAC AddressSQ1

Address 1 = Broadcast or MulticastAddress 2 = MP1 MAC AddrAddress 3 = MPs MAC AddressSQ1

Address 1 = Broadcast or MulticastAddress 2 = MP2 MAC AddrAddress 3 = MPs MAC AddressSQ1

Determines duplicate Packet based on <MPs, SQ1>

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 21

Broadcast and Multicast PacketTransmission Proposed Solution

MPs1MPi1

MPi2

MP3

Addr4 is proxied entity when AE=01Address 1 = Broadcast or MulticastAddress 2 = MPs1 MAC AddrAddress 3 = MPs1 MAC AddrAE:Addr 4 = SSQ1

Addr4 is proxied entity when AE=01Address 1 = Broadcast or MulticastAddress 2 = MPi1 MAC AddrAddress 3 = MPs1 MAC AddressAE:Addr 4 = SSQ1

Addr4 is proxied entity when AE=01Address 1 = Broadcast or MulticastAddress 2 = MPi2 MAC AddrAddress 3 = MPs2 MAC AddressAE:Addr 4 = SSQ1

Use <MPs,SQ> to determine duplicate packets.

MPs2

S

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 22

Changes Required1. Modify 11.A.5.5.3.1 and 11.A.5.5.3.2 to describe transmission of 3 address broadcast and

multicast data frames2. Modify Table s2 to allow AE=01 for broadcast/multicast data frames as well

doc.: IEEE 802.11-08/0278r5

Submission

March 2008

Javier Cardona et al.Slide 23

Straw Poll

Would you support the proposed modifications to mesh broadcast frames as presented in this submission?

1) Yes 2) No 3) DK/DC