   Operations Group                                            I. Singh
   Internet Draft                                          P. Francisco
   Expires: December 2005                              Chantry Networks
                                                              June 2005

               Evaluation of CAPWAP Tunneling Protocol (CTP)

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on December 8, 2005.

Copyright Notice

      Copyright (C) The Internet Society (2005).


   This document presents a self evaluation of the CAPWAP Tunneling
   Protocol (CTP) with respect to the requirements presented in the
   CAPWAP Objectives draft.  This work is to aid in the official working
   group evaluation of the candidate protocols for CAPWAP.

Francisco              Expires - December 2005               [Page 1]

 Internet-Draft             CTP Evaluation                   June 2005

Table of Contents

   1. Definitions....................................................3
      1.1 Conventions used in this document..........................3
   2. Introduction...................................................3
   3. Objectives Responses...........................................3
      3.1 Mandatory and Accepted Objectives..........................3
         3.1.1 Logical Groups........................................3
         3.1.2 Support for Traffic Separation........................3
         3.1.3 Wireless Terminal Transparency........................4
         3.1.4 Configuration Consistency.............................4
         3.1.5 Firmware Trigger......................................4
         3.1.6 Monitoring and Exchange of System-wide Resource State.5
         3.1.7 Resource Control Objective............................5
         3.1.8 CAPWAP Protocol Security..............................6
         3.1.9 System-wide Security..................................6
         3.1.10 IEEE 802.11i Considerations..........................7
         3.1.11 Interoperability Objective...........................7
         3.1.12 Vendor Independence..................................8
         3.1.13 Vendor Flexibility...................................8
      3.2 Desirable Objectives.......................................9
         3.2.1 Multiple Authentication Mechanisms....................9
         3.2.2 Support for Future Wireless Technologies..............9
         3.2.3 Support for New IEEE Requirements.....................9
         3.2.4 Interconnection Objective............................10
         3.2.5 Access Control.......................................10
      3.3 Non-objectives............................................10
         3.3.1 Support for Non-CAPWAP WTPs..........................10
         3.3.2 Technical Specifications.............................11
      3.4 Operator Requirements.....................................11
         3.4.1 AP Fast Handoff......................................11
   4. Compliance Table..............................................11
   5. Security considerations.......................................12
   6. References....................................................12
   7. Author's Addresses............................................12
      Intellectual Property and Copyright Statements ...............13

1.   Definitions

1.1    Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in RFC-2119 [1]

2.   Introduction

   The authors of the CAPWAP Tunneling Protocol (CTP) [2] believe that
   CTP provides a robust solution in the form of a protocol that
   addresses the issues raised in the CAPWAP Problem Statement draft
   [3].  CTP can be run over an L2 or an L3 network and it is extensible
   to support WTPs which terminate other radio technologies than IEEE

   Given below is a brief analysis of the protocol with respect to the
   objectives draft [4] that has been presented and discussed in the WG.

3.   Objectives Responses
3.1    Mandatory and Accepted Objectives

3.1.1      Logical Groups

   The ability to control and manage physical WTPs in terms of logical
   groups.

   Protocol Evaluation
   CTP natively recognizes WTP devices as logical groups. The protocol
   provides capabilities discovery mechanisms (CTP_CAP_REQ/RESP) to
   allow a device to enumerate physical and logical associations. These
   associations are then carried forth into the protocol exchange and
   state machines to decouple the logical operations such as Virtual
   Radios from physical resources.

   Compliance
   CTP is compliant with this objective.

3.1.2      Support for Traffic Separation

   This objective pertains to the need to maintain separation of control
   and data traffic in the operation of the protocol.

   Protocol Evaluation
   CTP provides specific message types providing for support of easy
   separation of control and data paths. The CTP payload is explicitly
   enumerated with its own type (CTP Draft Section 5.3.1, CTP_DATA). In
   addition the CTP implementation, by terminating the 802.1d conversion
   at the WTP, provides a configurable option per logical WTP device to
   indicate whether data traffic should be returned to the controller,
   via tunneling, or natively be handled by the WTP by bridging locally
   onto the wired network.  This only applies to data packets, whereas
   the control channel within CTP is completely separate and always
   terminates at the controller.

   Compliance
   CTP is compliant with this objective.

3.1.3      Wireless Terminal Transparency

   This objective specifies the need for the protocol to be client
   agnostic.  That is, the wireless terminals need not be aware of the
   existence of the CAPWAP protocol running underneath.

   Protocol Evaluation
   CTP mainly provides a set of provisioning methods for the WTP's
   operations and data tunneling, but its operation is transparent to
   the connecting client. The connecting client simply interacts with
   the WTP's wireless MAC implementation and its traffic is bridged to
   the network point of presence, which may selectively be the
   controller or the local wired infrastructure. In Controller mode the
   traffic is encapsulated for transport but the client remains unaware
   that additional transport is taking place.  Shipping products with
   CTP implementations have shown that this protocol does not have any
   adverse effects, interoperability or otherwise, on the wireless
   terminals.

   Compliance
   CTP is compliant with this objective.

3.1.4      Configuration Consistency

   This objective pertains to the protocol's ability to provide
   consistent state information of the WTPs at the AC.

   Protocol Evaluation
   CTP makes provisions for the periodic retrieval of WTP information
   (CTP_Stats_REQ/RESP, CTP_STATS_Notify) such as RF statistics and load
   factors as per standard MIB specifications.

   Compliance
   CTP is compliant with this objective.

3.1.5       Firmware Trigger

   This objective states that the protocol must have the ability to
   trigger WTP firmware updates.  It does not necessarily state the need
   for the protocol to integrate a software update mechanism within the
   protocol itself.

   Protocol Evaluation
   After the device capability exchange phase (CTP-CAP_REQ/RESP), which
   allows for the identification of the type of WTP connecting, the CTP
   protocol specifies a phase of firmware image validation (CTP-
   Software-upgrade-req/resp, section 5.1.5) by which the WTP indicates
   to the Controller what version of image it is currently running and
   the response validates and requests an update if necessary.
   Conversely, the Controller may explicitly request (under the
   administrator's control) the firmware upgrade for a specified WTP.
   CTP does not specify the actual method for firmware upgrade, but
   rather assumes the application of standardized binary transport
   protocols (FTP/TFTP).

   Compliance
   CTP is compliant with this objective.

3.1.6       Monitoring and Exchange of System-wide Resource State

   This objective states that the protocol must incorporate the ability
   for the WTP to send statistics, congestion indications and other
   pertinent wireless state information to the AC.

   Protocol Evaluation
   The CTP protocol provides for the periodic exchange of a WTP's
   operational statistics (CTP-Stats-req/resp, CTP-Stats-Notify, Section
   5.2.7-9). The statistics characteristics may be enhanced to convey
   the necessary information set.

   Compliance
   CTP is compliant with this objective.

3.1.7       Resource Control Objective

   This objective pertains to the ability of the protocol to provide a
   mapping mechanism of the IEEE 802.11e QoS priorities across the
   wireless and wired infrastructure.

   Protocol Evaluation
   CTP, by virtue of being an IP based transport protocol, provides
   several mechanisms to ensure the preservation of QoS markers within
   the original data packet. The protocol header (CTP Section 4.1)
   natively defines an 8-bit field for relaying of QoS policy related
   information in a transport independent manner. This allows the WTP
   and Controller to classify and guarantee the preservation of any
   802.11e identifiers between the two entities. In addition, a CTP
   implementation must copy the TOS fields of the original data packet
   onto the tunnel header.  The corresponding QoS markers are also
   mapped to layer 2 if 802.1q is implemented in the interconnecting

   Compliance
   CTP is compliant with this objective.
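   The QoS preservation described above, as an added example that is not
   code from the CTP draft or its authors: a WTP-side encapsulation that
   copies the inner packet's TOS into the outer IPv4 header and into an
   8-bit QoS byte of a hypothetical 4-byte CTP header.  The CTP header
   layout, the CTP_DATA value, and all addresses and ports are assumptions
   constructed for illustration.

```python
"""Added example, not code from the CTP draft or its authors.  The 4-byte
CTP header layout and the CTP_DATA value are hypothetical; the draft's
real layout (its Section 4.1) is not reproduced on this page."""
import struct

CTP_DATA = 0x03                    # hypothetical message-type value
CTP_HDR = struct.Struct("!BBH")    # hypothetical: type, qos, length
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; a header whose
    checksum field is already filled in sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(tos: int, payload_len: int, src: bytes, dst: bytes) -> bytes:
    """Minimal IPv4 header (no options, TTL 64, UDP) with a valid checksum."""
    fields = [0x45, tos, 20 + payload_len, 0, 0, 64, IPPROTO_UDP, 0, src, dst]
    fields[7] = ipv4_checksum(IPV4_HDR.pack(*fields))
    return IPV4_HDR.pack(*fields)


def inner_tos(packet: bytes) -> int:
    """TOS byte of an IPv4 packet; anything else is rejected rather than
    tunnelled with a guessed marking."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return packet[1]


def encapsulate(inner: bytes, wtp_ip: bytes, ac_ip: bytes,
                wtp_port: int, ac_port: int, copy_tos: bool = True) -> bytes:
    """Wrap `inner` as IPv4/UDP/CTP towards the AC.  The inner TOS goes
    into the CTP QoS byte unconditionally and, with copy_tos=True, into
    the outer IPv4 TOS as well; copy_tos=False shows the behaviour the
    objective wants to avoid (outer header marked best-effort)."""
    tos = inner_tos(inner)
    ctp = CTP_HDR.pack(CTP_DATA, tos, CTP_HDR.size + len(inner))
    udp_len = 8 + len(ctp) + len(inner)
    # UDP checksum 0 means "absent", which IPv4 permits
    udp = struct.pack("!HHHH", wtp_port, ac_port, udp_len, 0)
    outer = build_ipv4(tos if copy_tos else 0, udp_len, wtp_ip, ac_ip)
    return outer + udp + ctp + inner


def outer_tos(tunnel: bytes) -> int:
    """TOS byte of the tunnel's outer IPv4 header."""
    return tunnel[1]


def ctp_qos(tunnel: bytes) -> int:
    """QoS byte of the hypothetical CTP header after 20+8 bytes of IP/UDP."""
    return tunnel[20 + 8 + 1]


# Constructed sample: a client packet marked DSCP EF (TOS 0xB8).
SAMPLE_INNER = build_ipv4(0xB8, 4, bytes([10, 0, 0, 1]),
                          bytes([10, 0, 0, 2])) + b"data"

if __name__ == "__main__":
    # constructed WTP/AC addresses and ports
    t = encapsulate(SAMPLE_INNER, bytes([192, 168, 1, 10]),
                    bytes([192, 168, 1, 1]), 40000, 5000)
    print("outer TOS 0x%02x, CTP qos 0x%02x" % (outer_tos(t), ctp_qos(t)))
```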

3.1.8       CAPWAP Protocol Security

   This objective concerns the security of the CAPWAP protocol.  The
   protocol must support mutual authentication of the WTP and the AC and
   the communication channel between the two entities must be secured.
   In addition, however, the protocol must not preclude the possibility
   of supporting asymmetric authentication mechanisms.

   Protocol Evaluation
   First of all, as currently defined, CTP does not support a pre-shared
   key mechanism for mutual authentication.  It assumes the existence of
   digital certificates on the WTP and AC.  The mutual authentication
   mechanism between WTP and AC using digital certificates as described
   in the CTP draft is very similar to the method employed in the LWAPP
   draft [5].  As such, some of the recent comments on the WG email list
   regarding the security of LWAPP's mutual authentication also apply
   to CTP, specifically in the area of the generation of the encryption
   key.  Currently CTP specifies that the encryption key is generated by
   the AC and is securely transported to the WTP.  An obvious
   improvement would be for the WTP and the AC to mutually contribute to
   the generation of the encryption key by providing independently
   generated random material for the session keys.

   Also, based on discussion on the WG list it is not clear whether the
   use of a pre-shared key for mutual authentication is required or
   simply that the authentication must be mutual.  Nevertheless, we
   believe that adding another method of mutual authentication, i.e.
   using pre-shared keys, will enhance the flexibility of the CTP
   protocol, but at the cost of increased protocol complexity.

   Compliance
   CTP is partially compliant with this objective.
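   The key-generation point above, as an added example that is not code
   from the CTP draft or its authors: a stand-in for the AC-only session
   key next to a contributory derivation in which the WTP and the AC each
   supply independently generated random material.  The certificate-based
   encrypted transport of each contribution is assumed and not modelled;
   the HKDF labels, identifiers and random-source names are constructed
   for illustration.

```python
"""Added example, not code from the CTP draft or its authors.  HKDF
(RFC 5869) is implemented on the standard library only; the labels and
identifiers are constructed sample values."""
import hashlib
import hmac
import secrets


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def ac_generated_key(ac_random: bytes) -> bytes:
    """Scheme the evaluation says CTP currently specifies: the AC alone
    picks the key and transports it to the WTP.  The WTP contributes
    nothing, so a weak or predictable random source on the AC gives
    both sides a weak session key."""
    return ac_random


def contributory_key(wtp_random: bytes, ac_random: bytes,
                     wtp_id: bytes, ac_id: bytes, length: int = 32) -> bytes:
    """Suggested improvement: derive the session key from random material
    generated independently by both sides.  Fresh randomness from either
    party is enough to make the key unpredictable to anyone who can guess
    the other party's share.  Mixing the identities into `info` binds the
    key to this WTP/AC pair (a hypothetical label, not part of CTP)."""
    if len(wtp_random) < 32 or len(ac_random) < 32:
        raise ValueError("each contribution must supply at least 32 bytes")
    prk = hkdf_extract(salt=b"ctp-session-key-v0",       # constructed label
                       ikm=wtp_random + ac_random)
    info = b"ctp session key|" + wtp_id + b"|" + ac_id   # constructed label
    return hkdf_expand(prk, info, length)


def run_exchange(ac_rng=secrets.token_bytes, wtp_rng=secrets.token_bytes):
    """Simulate one WTP/AC session setup.  The random sources are
    injectable so that a faulty AC random source can be modelled; the
    identifiers are constructed sample values."""
    wtp_id, ac_id = b"wtp-00:11:22:33:44:55", b"ac-1"
    wtp_random = wtp_rng(32)   # WTP's contribution, sent to the AC
    ac_random = ac_rng(32)     # AC's contribution (or, today, the key itself)
    return {
        "ac_only": ac_generated_key(ac_random),
        "contributory": contributory_key(wtp_random, ac_random, wtp_id, ac_id),
    }


if __name__ == "__main__":
    # constructed failure mode: an AC random source stuck on zeros
    stuck = lambda n: b"\x00" * n
    first, second = run_exchange(ac_rng=stuck), run_exchange(ac_rng=stuck)
    print("AC-only keys repeat across sessions:",
          first["ac_only"] == second["ac_only"])
    print("Contributory keys still differ:     ",
          first["contributory"] != second["contributory"])
```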

3.1.9       System-wide Security

   The protocol must not adversely affect the security of the wireless
   and wired networks on which it runs.

   Protocol Evaluation
   CTP defines that any exchange of control based material such as the
   PMK is natively encrypted. All control messages are mutually
   encrypted between the WTP and controller. In the absence of a
   thorough security and cryptographic analysis of the protocol by
   peers, the authors believe that the encryption/keying mechanism
   currently provides adequate protection against unauthorized
   compromise of the transported information, which, in turn, would not
   adversely affect the security of the wireless or wired network.

   Compliance
   The protocol is partially compliant with this objective pending a
   thorough security and cryptographic review.

3.1.10        IEEE 802.11i Considerations

   The CAPWAP protocol must determine the exact structure of the
   centralized WLAN architecture in which authentication needs to be
   supported, i.e. the location of major authentication components.

   This may be achieved during WTP initialization where major
   capabilities are distinguished.

   The protocol must allow for the exchange of key information when
   authenticator and encryption roles are located in distinct entities.

   Protocol Evaluation
   During the capabilities exchange phase of the CTP protocol it is
   determined whether the WTP implementation is a split-MAC or a local-
   MAC implementation.  This would in turn lead the AC to engage the
   appropriate authentication modules of 802.11i.  The CTP protocol
   defines that all control exchanges between WTP and Controller are
   encrypted with their own key pairs.  Therefore, the keying
   information that is required is appropriately transported between
   WTP and AC in a secure fashion.  For a local-MAC implementation any
   frames relating to authentication are relayed as control messages
   (CTP-Auth-Req/resp).  For split-MAC, the transport of this sensitive
   information may also be carried as payload for the same message and
   therefore provide encryption for transport.

   Compliance
   CTP is compliant with this objective.

3.1.11        Interoperability Objective

   The objective specifies that the protocol must include a capabilities
   exchange mechanism so that different types of WTPs can be managed by
   ACs.  That is, local-MAC and split-MAC WTPs may be recognized by the
   AC through protocol exchange and appropriate handling within the
   protocol would ensue as a result of this capability exchange.

   Protocol Evaluation
   The CTP protocol as specified provides a mechanism for capabilities
   exchange (CTP-caps-req/resp) that could be leveraged to allow the WTP
   and the Controller to negotiate the operational mode as to whether
   split-MAC or local-MAC is implemented in the WTP.  In its current
   form the draft does not specify the differences in the transport and
   configuration that would occur if the WTP supports split-MAC.  The
   authors are aware of this limitation in the draft and are working on
   the same.

   Compliance
   In its current form CTP is partially compliant with this objective.

              Protocol Specifications

   This objective states that any vendor of a WTP or AC or any person
   may implement the CAPWAP protocol and that all such implementations
   should interoperate.

   Protocol Evaluation
   The CTP specification fully specifies the protocol and its operation
   within WTPs and ACs.  It also indicates that the configuration and
   statistics capabilities come from MIB specifications published by the
   IEEE that fully describe the managed objects within a WTP.  Although
   the full MIB specifications from the IEEE are considered work in
   progress, the authors believe that the work done there will enable
   full interoperability as, presumably, the specifications coming from
   the IEEE will be complete and not require any knowledge of any vendor
   specific wireless device information.

   Compliance
   CTP is compliant with this objective.

3.1.12        Vendor Independence

   This objective states that the CAPWAP protocol must not be reliant on
   any underlying vendor implementation of hardware of either the WTP or
   the AC.

   Protocol Evaluation
   CTP does not assume any underlying hardware architecture of the WTPs
   or the ACs.  In addition any dependency on MIB definitions in its
   current form also does not assume any reliance on hardware
   specifications.

   Compliance
   CTP is compliant with this objective.

3.1.13        Vendor Flexibility

   The protocol must not be bound to any specific MAC.

   Protocol Evaluation
   CTP has been completely implemented on hardware from at least two
   different vendors whose wireless MAC implementations are completely
   independent.  Given this fact, as well as CTP's inherent independence
   from the wireless implementation, CTP can be implemented without
   knowledge of the underlying vendor hardware.

   Compliance
   CTP is compliant with this objective.

3.2     Desirable Objectives

3.2.1        Multiple Authentication Mechanisms

   This objective specifies the requirement that the protocol should be
   able to support authentication mechanisms other than IEEE 802.11i.

   Protocol Evaluation
   Since CTP is wireless terminal agnostic, and since the PMK key
   exchange is generic (for example, does not assume any authentication
   mechanism in the form of an EAP type), CTP does not prevent the
   operation of any other authentication mechanism.

   Compliance
   CTP is compliant with this objective.

3.2.2        Support for Future Wireless Technologies

   This objective states that the protocol should be able to be extended
   to future layer 2 wireless technologies and should not be limited to
   only supporting IEEE 802.11.

   Protocol Evaluation
   The current specification lists alternative layer 2 wireless
   technologies that can be indicated as part of the capabilities
   exchange phase.  The protocol is sufficiently modular in that the
   configuration, statistics and other management functions of these
   wireless devices can be supported.  If indeed there are layer 2
   wireless specific elements that need to be added, those are easily
   supported by extensions to the protocol.

   Compliance
   CTP is compliant with this objective.

3.2.3        Support for New IEEE Requirements

   The protocol must be able to accommodate defined changes or
   extensions to the IEEE 802.11 specifications.

   Protocol Evaluation
   Currently CTP maps 802.11 specific messages into generic messages
   within CTP.  In other words it provides an abstraction layer to layer
   2 wireless specific commands and functions.  As new 802.11
   specifications arise, whether the intelligence to interpret them is
   required in the AC or the WTP is irrelevant.  There will be work
   required to interpret these new extensions on both the AC as well as
   the WTP.  The CTP specification is constructed so that a new
   extension would result in a new message type.  So it can accommodate
   the changes as they arise.

   Compliance
   CTP is compliant with this objective.

3.2.4        Interconnection Objective

   The CAPWAP protocol must not be constrained by the underlying
   transport technologies of the wired medium.

   Protocol Evaluation
   CTP is agnostic to the underlying transport technology as it is
   implemented over UDP.  This was done with the assumption that the
   transport technology can carry IP packets across its medium, either
   an L2 or an L3 network.  Currently CTP is IPv4 specific and needs to
   be updated to be IP version agnostic as well.

   Compliance
   CTP is partially compliant with this objective in terms of not having
   specified IPv6 header types.

3.2.5        Access Control

   This objective pertains to the ability of the protocol to exchange
   information required for access control of WTPs and wireless
   terminals.

   Protocol Evaluation
   CTP provides specific messages, e.g. the CTP-MU-
   Connect/Disconnect/Authenticate messages, that control the access of
   wireless terminals.  In addition to the actual mutual authentication
   of WTPs and ACs, the registration phase contains an AP-ID field that
   needs to be verified by the AC.  The mechanism for this check is not
   within the scope of any CAPWAP work.  However, the CTP protocol
   itself provides this identification token as a means of access
   control of the WTP.

   Compliance
   CTP is compliant with this objective.

3.3     Non-objectives

   The current objectives draft states this section as "Rejected
   Objectives".  We have used the term "Non-Objectives" for this section
   based on the discussion on the WG email list.

3.3.1        Support for Non-CAPWAP WTPs

   This objective states that the CAPWAP protocol should be capable of
   recognizing legacy WTPs and existing network management systems.

   Protocol Evaluation
   This requirement is more of a feature for centralized WLAN network
   applications and thus does not apply to the CAPWAP problem statement.

   Compliance
   CTP is compliant with this objective.

3.3.2        Technical Specifications

   This objective states that WTP vendors should not have to share
   technical specifications for hardware and software with AC vendors in
   order for interoperability to be achieved.

   Protocol Evaluation
   As discussed earlier, CTP is hardware and vendor agnostic.

   Compliance
   CTP is compliant with this objective.

3.4     Operator Requirements

3.4.1       AP Fast Handoff

   This objective states that the CAPWAP protocol operations must not
   impede or obstruct the efficiency of fast handoff procedures.

   Protocol Evaluation
   In the CTP protocol, the signaling of roaming events is efficiently
   encoded in the CTP-MU messages.  Also, the 802.1X messaging is
   centralized, allowing efficient use of CPU resources at the AC.  In
   effect, the mere existence of the centralized architecture ensures
   that the efficiency of fast handoffs is improved rather than impeded.

   Compliance
   CTP complies with this objective.

4.   Compliance Table

   Given below is a table summarizing the compliance to the objectives.
   C = Compliant, P = Partially compliant, N = Non-compliant.

   | Objective Type                                     | Compliance |
   |----------------------------------------------------|------------|
   | Logical Groups                                     |     C      |
   | Support for Traffic Separation                     |     C      |
   | Wireless Terminal Transparency                     |     C      |
   | Configuration Consistency                          |     C      |
   | Firmware Trigger                                   |     C      |
   | Monitoring & Exchange of System-wide Resource State|     C      |
   | Resource Control Objective                         |     C      |
   | CAPWAP Protocol Security                           |     P      |
   | System-wide Security                               |     P      |
   | IEEE 802.11i Considerations                        |     C      |
   | Interoperability Objective                         |     P      |
   | Protocol Specifications                            |     C      |
   | Vendor Independence                                |     C      |
   | Vendor Flexibility                                 |     C      |
   | Multiple Authentication Mechanisms                 |     C      |
   | Support for Future Wireless Technologies           |     C      |
   | Support for New IEEE Requirements                  |     C      |
   | Interconnection Objective                          |     P      |
   | Access Control                                     |     C      |
   | Support for Non-CAPWAP WTPs                        |     C      |
   | Technical Specifications                           |     C      |
   | AP Fast Handoff                                    |     C      |

5.   Security considerations

   This document provides a self evaluation of CTP in respect to the
   CAPWAP objectives.  The CTP draft itself has a section that
   catalogues all the pertinent security concerns.  Therefore, in this
   draft there are no new security considerations to be discussed.

6.   References

   [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
       Levels", BCP 14, RFC 2119, March 1997.

   [2] Singh, I., et al., "CAPWAP Tunneling Protocol", draft-singh-
       capwap-ctp-01.txt (work in progress), April 2005.

   [3] Calhoun, P., "CAPWAP Problem Statement", draft-ietf-capwap-
       problem-statement-02.txt (work in progress), September 2004.

   [4] Govindan, S., et al., "Objectives for Control and Provisioning
       of Wireless Access Points (CAPWAP)", draft-ietf-capwap-objectives-
       02.txt (work in progress), April 2005.

   [5] Calhoun, et al., "Light Weight Access Point Protocol (LWAPP)",
       draft-ohara-capwap-lwapp-02.txt (work in progress), April 2005.

7.   Authors' Addresses

   Paulo Francisco
   Chantry Networks Inc.
   1900 Minnesota Court
   Mississauga, ON L5N 3C9

   Phone: +1 905-363-6410
   Email: paulo.francisco@siemens.com

   Inderpreet Singh
   Chantry Networks Inc.
   1900 Minnesota Court
   Mississauga, ON L5N 3C9

   Phone: +1 905-363-6412
   Email: inderpreet.singh@siemens.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementers or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive

Disclaimer of Validity

   This document and the information contained herein are provided on an


Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


   Funding for the RFC Editor function is currently provided by the
   Internet Society.
