Network Working Group                                     P. Calhoun, Ed.
Request for Comments: 5415                            Cisco Systems, Inc.
Category: Standards Track                              M. Montemurro, Ed.
                                                       Research In Motion
                                                          D. Stanley, Ed.
                                                           Aruba Networks
                                                               March 2009

Control And Provisioning of Wireless Access Points (CAPWAP) Protocol Specification

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
Abstract
This specification defines the Control And Provisioning of Wireless Access Points (CAPWAP) Protocol, meeting the objectives defined by the CAPWAP Working Group in RFC 4564. The CAPWAP protocol is designed to be flexible, allowing it to be used for a variety of wireless technologies. This document describes the base CAPWAP protocol, while separate binding extensions will enable its use with additional wireless technologies.

Table of Contents
   1. Introduction
      1.1. Goals
      1.2. Conventions Used in This Document
      1.3. Contributing Authors
      1.4. Terminology
   2. Protocol Overview
      2.1. Wireless Binding Definition
      2.2. CAPWAP Session Establishment Overview
      2.3. CAPWAP State Machine Definition
         2.3.1. CAPWAP Protocol State Transitions
         2.3.2. CAPWAP/DTLS Interface
      2.4. Use of DTLS in the CAPWAP Protocol
         2.4.1. DTLS Handshake Processing
         2.4.2. DTLS Session Establishment
         2.4.3. DTLS Error Handling
         2.4.4. DTLS Endpoint Authentication and Authorization
   3. CAPWAP Transport
      3.1. UDP Transport
      3.2. UDP-Lite Transport
      3.3. AC Discovery
      3.4. Fragmentation/Reassembly
      3.5. MTU Discovery
   4. CAPWAP Packet Formats
      4.1. CAPWAP Preamble
      4.2. CAPWAP DTLS Header
      4.3. CAPWAP Header
      4.4. CAPWAP Data Messages
         4.4.1. CAPWAP Data Channel Keep-Alive
         4.4.2. Data Payload
         4.4.3. Establishment of a DTLS Data Channel
      4.5. CAPWAP Control Messages
         4.5.1. Control Message Format
         4.5.2. Quality of Service
         4.5.3. Retransmissions
      4.6. CAPWAP Protocol Message Elements
         4.6.1. AC Descriptor
         4.6.2. AC IPv4 List
         4.6.3. AC IPv6 List
         4.6.4. AC Name
         4.6.5. AC Name with Priority
         4.6.6. AC Timestamp
         4.6.7. Add MAC ACL Entry
         4.6.8. Add Station
         4.6.9. CAPWAP Control IPv4 Address
         4.6.10. CAPWAP Control IPv6 Address
         4.6.11. CAPWAP Local IPv4 Address
         4.6.12. CAPWAP Local IPv6 Address
         4.6.13. CAPWAP Timers
         4.6.14. CAPWAP Transport Protocol
         4.6.15. Data Transfer Data
         4.6.16. Data Transfer Mode
         4.6.17. Decryption Error Report
         4.6.18. Decryption Error Report Period
         4.6.19. Delete MAC ACL Entry
         4.6.20. Delete Station
         4.6.21. Discovery Type
         4.6.22. Duplicate IPv4 Address
         4.6.23. Duplicate IPv6 Address
         4.6.24. Idle Timeout
         4.6.25. ECN Support
         4.6.26. Image Data
         4.6.27. Image Identifier
         4.6.28. Image Information
         4.6.29. Initiate Download
         4.6.30. Location Data
         4.6.31. Maximum Message Length
         4.6.32. MTU Discovery Padding
         4.6.33. Radio Administrative State
         4.6.34. Radio Operational State
         4.6.35. Result Code
         4.6.36. Returned Message Element
         4.6.37. Session ID
         4.6.38. Statistics Timer
         4.6.39. Vendor Specific Payload
         4.6.40. WTP Board Data
         4.6.41. WTP Descriptor
         4.6.42. WTP Fallback
         4.6.43. WTP Frame Tunnel Mode
         4.6.44. WTP MAC Type
         4.6.45. WTP Name
         4.6.46. WTP Radio Statistics
         4.6.47. WTP Reboot Statistics
         4.6.48. WTP Static IP Address Information
      4.7. CAPWAP Protocol Timers
         4.7.1. ChangeStatePendingTimer
         4.7.2. DataChannelKeepAlive
         4.7.3. DataChannelDeadInterval
         4.7.4. DataCheckTimer
         4.7.5. DiscoveryInterval
         4.7.6. DTLSSessionDelete
         4.7.7. EchoInterval
         4.7.8. IdleTimeout
         4.7.9. ImageDataStartTimer
         4.7.10. MaxDiscoveryInterval
         4.7.11. ReportInterval
         4.7.12. RetransmitInterval
         4.7.13. SilentInterval
         4.7.14. StatisticsTimer
         4.7.15. WaitDTLS
         4.7.16. WaitJoin
      4.8. CAPWAP Protocol Variables
         4.8.1. AdminState
         4.8.2. DiscoveryCount
         4.8.3. FailedDTLSAuthFailCount
         4.8.4. FailedDTLSSessionCount
         4.8.5. MaxDiscoveries
         4.8.6. MaxFailedDTLSSessionRetry
         4.8.7. MaxRetransmit
         4.8.8. RetransmitCount
         4.8.9. WTPFallBack
      4.9. WTP Saved Variables
         4.9.1. AdminRebootCount
         4.9.2. FrameEncapType
         4.9.3. LastRebootReason
         4.9.4. MacType
         4.9.5. PreferredACs
         4.9.6. RebootCount
         4.9.7. Static IP Address
         4.9.8. WTPLinkFailureCount
         4.9.9. WTPLocation
         4.9.10. WTPName
   5. CAPWAP Discovery Operations
      5.1. Discovery Request Message
      5.2. Discovery Response Message
      5.3. Primary Discovery Request Message
      5.4. Primary Discovery Response
   6. CAPWAP Join Operations
      6.1. Join Request
      6.2. Join Response
   7. Control Channel Management
      7.1. Echo Request
      7.2. Echo Response
   8. WTP Configuration Management
      8.1. Configuration Consistency
         8.1.1. Configuration Flexibility
      8.2. Configuration Status Request
      8.3. Configuration Status Response
      8.4. Configuration Update Request
      8.5. Configuration Update Response
      8.6. Change State Event Request
      8.7. Change State Event Response
      8.8. Clear Configuration Request
      8.9. Clear Configuration Response
   9. Device Management Operations
      9.1. Firmware Management
         9.1.1. Image Data Request
         9.1.2. Image Data Response
      9.2. Reset Request
      9.3. Reset Response
      9.4. WTP Event Request
      9.5. WTP Event Response
      9.6. Data Transfer
         9.6.1. Data Transfer Request
         9.6.2. Data Transfer Response
   10. Station Session Management
      10.1. Station Configuration Request
      10.2. Station Configuration Response
   11. NAT Considerations
   12. Security Considerations
      12.1. CAPWAP Security
         12.1.1. Converting Protected Data into Unprotected Data
         12.1.2. Converting Unprotected Data into Protected Data (Insertion)
         12.1.3. Deletion of Protected Records
         12.1.4. Insertion of Unprotected Records
         12.1.5. Use of MD5
         12.1.6. CAPWAP Fragmentation
      12.2. Session ID Security
      12.3. Discovery or DTLS Setup Attacks
      12.4. Interference with a DTLS Session
      12.5. CAPWAP Pre-Provisioning
      12.6. Use of Pre-Shared Keys in CAPWAP
      12.7. Use of Certificates in CAPWAP
      12.8. Use of MAC Address in CN Field
      12.9. AAA Security
      12.10. WTP Firmware
   13. Operational Considerations
   14. Transport Considerations
   15. IANA Considerations
      15.1. IPv4 Multicast Address
      15.2. IPv6 Multicast Address
      15.3. UDP Port
      15.4. CAPWAP Message Types
      15.5. CAPWAP Header Flags
      15.6. CAPWAP Control Message Flags
      15.7. CAPWAP Message Element Type
      15.8. CAPWAP Wireless Binding Identifiers
      15.9. AC Security Types
      15.10. AC DTLS Policy
      15.11. AC Information Type
      15.12. CAPWAP Transport Protocol Types
      15.13. Data Transfer Type
      15.14. Data Transfer Mode
      15.15. Discovery Types
      15.16. ECN Support
      15.17. Radio Admin State
      15.18. Radio Operational State
      15.19. Radio Failure Causes
      15.20. Result Code
      15.21. Returned Message Element Reason
      15.22. WTP Board Data Type
      15.23. WTP Descriptor Type
      15.24. WTP Fallback Mode
      15.25. WTP Frame Tunnel Mode
      15.26. WTP MAC Type
      15.27. WTP Radio Stats Failure Type
      15.28. WTP Reboot Stats Failure Type
   16. Acknowledgments
   17. References
      17.1. Normative References
      17.2. Informative References
1. Introduction
This document describes the CAPWAP protocol, a standard, interoperable protocol that enables an Access Controller (AC) to manage a collection of Wireless Termination Points (WTPs). The CAPWAP protocol is defined to be independent of Layer 2 (L2) technology, and meets the objectives in "Objectives for Control and Provisioning of Wireless Access Points (CAPWAP)" [RFC4564].

The emergence of centralized IEEE 802.11 Wireless Local Area Network (WLAN) architectures, in which simple IEEE 802.11 WTPs are managed by an Access Controller (AC), suggested that a standards-based, interoperable protocol could radically simplify the deployment and management of wireless networks. WTPs require a set of dynamic management and control functions related to their primary task of connecting the wireless and wired mediums. Traditional protocols for managing WTPs are either manual static configuration via HTTP, proprietary Layer 2-specific, or non-existent (if the WTPs are self-contained).

An IEEE 802.11 binding is defined in [RFC5416] to support use of the CAPWAP protocol with IEEE 802.11 WLAN networks.

CAPWAP assumes a network configuration consisting of multiple WTPs communicating via the Internet Protocol (IP) to an AC. WTPs are viewed as remote radio frequency (RF) interfaces controlled by the AC. The CAPWAP protocol supports two modes of operation: Split and Local MAC (medium access control). In Split MAC mode, all L2 wireless data and management frames are encapsulated via the CAPWAP protocol and exchanged between the AC and the WTP. As shown in Figure 1, the wireless frames received from a mobile device, which is referred to in this specification as a Station (STA), are directly encapsulated by the WTP and forwarded to the AC.
   +-+          wireless frames          +-+
   | |-----------------------------------| |
   | |                +-+                | |
   | |----------------| |----------------| |
   | | wireless PHY/  | |     CAPWAP     | |
   | | MAC sublayer   | |                | |
   +-+                +-+                +-+
   STA                WTP                 AC

       Figure 1: Representative CAPWAP Architecture for Split MAC

The Local MAC mode of operation allows for the data frames to be either locally bridged or tunneled as 802.3 frames. The latter implies that the WTP performs the 802.11 Integration function. In either case, the L2 wireless management frames are processed locally by the WTP and then forwarded to the AC. Figure 2 shows the Local MAC mode, in which a station transmits a wireless frame that is encapsulated in an 802.3 frame and forwarded to the AC.

   +-+ wireless frames +-+  802.3 frames  +-+
   | |-----------------| |----------------| |
   | |                 | |                | |
   | |-----------------| |----------------| |
   | |  wireless PHY/  | |     CAPWAP     | |
   | |  MAC sublayer   | |                | |
   +-+                 +-+                +-+
   STA                 WTP                 AC

       Figure 2: Representative CAPWAP Architecture for Local MAC

Provisioning WTPs with security credentials and managing which WTPs are authorized to provide service are traditionally handled by proprietary solutions. Allowing these functions to be performed from a centralized AC in an interoperable fashion increases manageability and allows network operators to more tightly control their wireless network infrastructure.

1.1. Goals
The goals for the CAPWAP protocol are listed below:

1. To centralize the authentication and policy enforcement functions for a wireless network. The AC may also provide centralized bridging, forwarding, and encryption of user traffic. Centralization of these functions will enable reduced cost and higher efficiency by applying the capabilities of network processing silicon to the wireless network, as in wired LANs.

2. To enable shifting of the higher-level protocol processing from the WTP. This leaves the time-critical applications of wireless control and access in the WTP, making efficient use of the computing power available in WTPs, which are subject to severe cost pressure.

3. To provide an extensible protocol that is not bound to a specific wireless technology. Extensibility is provided via a generic encapsulation and transport mechanism, enabling the CAPWAP protocol to be applied to many access point types in the future, via a specific wireless binding.

The CAPWAP protocol concerns itself solely with the interface between the WTP and the AC. Inter-AC and station-to-AC communication are strictly outside the scope of this document.
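The Introduction's Split MAC and Local MAC descriptions (Figures 1 and 2) can be made concrete with a small forwarding model. This is an added illustration, not code from the RFC or any CAPWAP implementation: the CAPWAP encapsulation is abstracted to a tagged tuple, the 802.11 address mapping follows the IEEE 802.11 data-frame rules, and every frame below is constructed for the example.

```python
# Added illustration (not from RFC 5415): a minimal model of the WTP's two
# forwarding paths from the Introduction. In Split MAC every 802.11 frame is
# tunneled to the AC untouched; in Local MAC the WTP handles management frames
# itself and runs the 802.11 Integration function on data frames, producing
# 802.3 frames that are bridged locally or tunneled to the AC. The CAPWAP
# encapsulation is abstracted to a tagged tuple; all frames are constructed.

LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"   # RFC 1042 LLC/SNAP prefix before the EtherType
TYPE_MGMT, TYPE_DATA = 0, 2             # 802.11 Frame Control "type" field values


def parse_80211(frame: bytes) -> dict:
    """Decode the 802.11 MAC header fields the Integration function needs."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    hdr_len = 30 if (to_ds and from_ds) else 24   # Addr4 is present only for WDS
    return {"type": (fc0 >> 2) & 0x3, "to_ds": to_ds, "from_ds": from_ds,
            "a1": frame[4:10], "a2": frame[10:16], "a3": frame[16:22],
            "body": frame[hdr_len:]}


def integrate_to_8023(frame: bytes) -> bytes:
    """802.11 Integration function: data frame -> 802.3 (DA, SA, EtherType, payload)."""
    f = parse_80211(frame)
    if f["type"] != TYPE_DATA:
        raise ValueError("only data frames are integrated")
    if f["to_ds"] and not f["from_ds"]:        # STA -> AP: A1=BSSID, A2=SA, A3=DA
        da, sa = f["a3"], f["a2"]
    elif f["from_ds"] and not f["to_ds"]:      # AP -> STA: A1=DA, A2=BSSID, A3=SA
        da, sa = f["a1"], f["a3"]
    elif not f["to_ds"] and not f["from_ds"]:  # IBSS: A1=DA, A2=SA, A3=BSSID
        da, sa = f["a1"], f["a2"]
    else:
        raise ValueError("4-address (WDS) frames are out of scope here")
    body = f["body"]
    if len(body) < 8 or not body.startswith(LLC_SNAP):
        raise ValueError("expected an LLC/SNAP encapsulated payload")
    return da + sa + body[6:8] + body[8:]      # DA | SA | EtherType | payload


def wtp_forward(frame: bytes, mode: str, tunnel_8023: bool = False) -> tuple:
    """Return (next hop, frame kind, bytes) that the modelled WTP emits."""
    kind = parse_80211(frame)["type"]
    if mode == "split":                        # Figure 1: everything reaches the AC as 802.11
        return ("ac", "80211", frame)
    if mode == "local":                        # Figure 2
        if kind == TYPE_MGMT:                  # processed locally, then forwarded to the AC
            return ("ac", "80211-mgmt", frame)
        eth = integrate_to_8023(frame)
        return ("ac", "8023", eth) if tunnel_8023 else ("lan", "8023", eth)
    raise ValueError(f"unknown MAC mode {mode!r}")


def build_uplink_data_frame(sa: bytes, da: bytes, bssid: bytes,
                            ethertype: bytes, payload: bytes) -> bytes:
    """Constructed STA->AP data frame: FC type=data, ToDS=1, no QoS or Addr4 fields."""
    fc = bytes([0x08, 0x01])                   # type=2 (data), subtype=0; flags: ToDS set
    return fc + b"\x00\x00" + bssid + sa + da + b"\x00\x00" + LLC_SNAP + ethertype + payload


if __name__ == "__main__":
    sta = bytes.fromhex("020000000001")        # constructed, locally administered MACs
    srv = bytes.fromhex("020000000002")
    bss = bytes.fromhex("020000000003")
    frame = build_uplink_data_frame(sta, srv, bss, b"\x08\x00", b"payload")
    for mode, tun in (("split", False), ("local", False), ("local", True)):
        print(mode, "tunnel" if tun else "bridge", wtp_forward(frame, mode, tun)[:2])
```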
1.2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

1.3. Contributing Authors
This section lists and acknowledges the authors of significant text and concepts included in this specification.

The CAPWAP Working Group selected the Lightweight Access Point Protocol (LWAPP) [LWAPP] to be used as the basis of the CAPWAP protocol specification. The following people are authors of the LWAPP document:

   Bob O'Hara
   Email: bob.ohara@computer.org

   Pat Calhoun, Cisco Systems, Inc.
   170 West Tasman Drive, San Jose, CA 95134
   Phone: +1 408-902-3240, Email: pcalhoun@cisco.com

   Rohit Suri, Cisco Systems, Inc.
   170 West Tasman Drive, San Jose, CA 95134
   Phone: +1 408-853-5548, Email: rsuri@cisco.com

   Nancy Cam Winget, Cisco Systems, Inc.
   170 West Tasman Drive, San Jose, CA 95134
   Phone: +1 408-853-0532, Email: ncamwing@cisco.com

   Scott Kelly, Aruba Networks
   1322 Crossman Ave, Sunnyvale, CA 94089
   Phone: +1 408-754-8408, Email: skelly@arubanetworks.com

   Michael Glenn Williams, Nokia, Inc.
   313 Fairchild Drive, Mountain View, CA 94043
   Phone: +1 650-714-7758, Email: Michael.G.Williams@Nokia.com

   Sue Hares, Green Hills Software
   825 Victors Way, Suite 100, Ann Arbor, MI 48108
   Phone: +1 734 222 1610, Email: shares@ndzh.com

Datagram Transport Layer Security (DTLS) [RFC4347] is used as the security solution for the CAPWAP protocol. The following people are authors of significant DTLS-related text included in this document:

   Scott Kelly, Aruba Networks
   1322 Crossman Ave, Sunnyvale, CA 94089
   Phone: +1 408-754-8408
   Email: skelly@arubanetworks.com

   Eric Rescorla, Network Resonance
   2483 El Camino Real, #212, Palo Alto, CA 94303
   Email: ekr@networkresonance.com

The concept of using DTLS to secure the CAPWAP protocol was part of the Secure Light Access Point Protocol (SLAPP) proposal [SLAPP]. The following people are authors of the SLAPP proposal:

   Partha Narasimhan, Aruba Networks
   1322 Crossman Ave, Sunnyvale, CA 94089
   Phone: +1 408-480-4716
   Email: partha@arubanetworks.com

   Dan Harkins, Trapeze Networks
   5753 W. Las Positas Blvd, Pleasanton, CA 94588
   Phone: +1-925-474-2212
   Email: dharkins@trpz.com

   Subbu Ponnuswamy, Aruba Networks
   1322 Crossman Ave, Sunnyvale, CA 94089
   Phone: +1 408-754-1213
   Email: subbu@arubanetworks.com

The following individuals contributed significant security-related text to the document [RFC5418]:

   T. Charles Clancy, Laboratory for Telecommunications Sciences
   8080 Greenmead Drive, College Park, MD 20740
   Phone: +1 240-373-5069, Email: clancy@ltsnet.net

   Scott Kelly, Aruba Networks
   1322 Crossman Ave, Sunnyvale, CA 94089
   Phone: +1 408-754-8408, Email: scott@hyperthought.com

1.4. Terminology
Access Controller (AC): The network entity that provides WTP access to the network infrastructure in the data plane, control plane, management plane, or a combination therein.
CAPWAP Control Channel: A bi-directional flow defined by the AC IP Address, WTP IP Address, AC control port, WTP control port, and the transport-layer protocol (UDP or UDP-Lite) over which CAPWAP Control packets are sent and received.

CAPWAP Data Channel: A bi-directional flow defined by the AC IP Address, WTP IP Address, AC data port, WTP data port, and the transport-layer protocol (UDP or UDP-Lite) over which CAPWAP Data packets are sent and received.

Station (STA): A device that contains an interface to a wireless medium (WM).

Wireless Termination Point (WTP): The physical or network entity that contains an RF antenna and wireless Physical Layer (PHY) to transmit and receive station traffic for wireless access networks.

This document uses additional terminology defined in [RFC3753].