Network Working Group                                 P. Calhoun, Editor
Internet-Draft                                       Cisco Systems, Inc.
Expires: November 6, December 23, 2006                         M. Montemurro, Editor
                                                        Chantry Networks
                                                      Research In Motion
                                                      D. Stanley, Editor
                                                          Aruba Networks
                                                             May 5,
                                                           June 21, 2006

                     CAPWAP Protocol Specification
              draft-ietf-capwap-protocol-specification-01
              draft-ietf-capwap-protocol-specification-02

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 6, December 23, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   Wireless LAN product architectures have evolved from single
   autonomous access points to systems consisting of a centralized
   controller and Wireless Termination Points (WTPs).  The general goal
   of centralized control architectures is to move access control,
   including user authentication and authorization, mobility management
   and radio management from the single access point to a centralized
   controller.

   This specification defines the Control And Provisioning of Wireless
   Access Points (CAPWAP) Protocol.  The CAPWAP protocol meets the IETF
   CAPWAP working group protocol requirements.  The CAPWAP protocol is
   designed to be flexible, allowing it to be used for a variety of
   wireless technologies.  This document describes the base CAPWAP
   protocol, including an extension which supports the IEEE 802.11
   wireless LAN protocol.  Future extensions will enable support of
   additional wireless technologies.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   7
     1.1.   Goals  . . . . . . . . . . . . . . . . . . . . . . . . .   7   8
     1.2.   Conventions used in this document  . . . . . . . . . . .   8
     1.3.   Contributing Authors . . . . . . . . . . . . . . . . . .   8   9
     1.4.   Acknowledgements . . . . . . . . . . . . . . . . . . . .  10
     1.5.   Terminology  . . . . . . . . . . . . . . . . . . . . . .  10
   2.  Protocol Overview . . . . . . . . . . . . . . . . . . . . . .  11  12
     2.1.   Wireless Binding Definition  . . . . . . . . . . . . . .  12  13
     2.2.   CAPWAP Session Establishment Overview  . . . . . . . . .  12  13
     2.3.   CAPWAP State Machine Definition  . . . . . . . . . . . .  14  15
       2.3.1.   CAPWAP Protocol State Transitions  . . . . . . . . .  15  16
       2.3.2.   CAPWAP to DTLS Commands  . . . . . . . . . . . . . .  22  23
       2.3.3.   DTLS to CAPWAP Notifications . . . . . . . . . . .  23 .  24
       2.3.4.   DTLS State Transitions . . . . . . . . . . . . . .  23 .  24
     2.4.   Use of DTLS in the CAPWAP Protocol . . . . . . . . . . .  26  27
       2.4.1.   DTLS Handshake Processing  . . . . . . . . . . . . .  27  28
       2.4.2.   DTLS Error Handling  . . . . . . . . . . . . . . . .  28  29
       2.4.3.   DTLS Rehandshake Behavior  . . . . . . . . . . . . .  29  30
       2.4.4.   DTLS EndPoint Authentication . . . . . . . . . . .  32 .  33
   3.  CAPWAP Transport  . . . . . . . . . . . . . . . . . . . . . .  35  36
     3.1.   UDP Transport  . . . . . . . . . . . . . . . . . . . . .  35  36
     3.2.   AC Discovery . . . . . . . . . . . . . . . . . . . . . .  35  36
     3.3.   Fragmentation/Reassembly . . . . . . . . . . . . . . . .  36  37
   4.  CAPWAP Packet Formats . . . . . . . . . . . . . . . . . . . .  37  38
     4.1.   CAPWAP Transport Header  . . . . . . . . . . . . . . . .  38  39
     4.2.   CAPWAP Data Messages . . . . . . . . . . . . . . . . . .  40  42
     4.3.   CAPWAP Control Messages  . . . . . . . . . . . . . . . .  41  42
       4.3.1.   Control Message Format . . . . . . . . . . . . . .  41 .  43
       4.3.2.   Control Message Quality of Service . . . . . . . .  44 .  45
     4.4.   CAPWAP Protocol Message Elements . . . . . . . . . . . .  44  45
       4.4.1.   AC Descriptor  . . . . . . . . . . . . . . . . . . .  45  48
       4.4.2.   AC IPv4 List . . . . . . . . . . . . . . . . . . .  46 .  49
       4.4.3.   AC IPv6 List . . . . . . . . . . . . . . . . . . .  46 .  50
       4.4.4.   AC Name  . . . . . . . . . . . . . . . . . . . . . .  47  50
       4.4.5.   AC Name with Index . . . . . . . . . . . . . . . .  47 .  50
       4.4.6.   AC Timestamp . . . . . . . . . . . . . . . . . . .  48 .  51
       4.4.7.   Add MAC ACL Entry  . . . . . . . . . . . . . . . . .  48  51
       4.4.8.   Add Mobile Station . . . . . . . . . . . . . . . .  49 .  52
       4.4.9.   Add Static MAC ACL Entry . . . . . . . . . . . . .  49 .  53
       4.4.10.  CAPWAP Timers  . . . . . . . . . . . . . . . . . . .  50  53
       4.4.11.   Change State Event  . . . . . . . . . . . . . . . .  50
       4.4.12.  Data Transfer Data . . . . . . . . . . . . . . . .  51
       4.4.13. .  54
       4.4.12.  Data Transfer Mode . . . . . . . . . . . . . . . .  52
       4.4.14. .  54
       4.4.13.  Decryption Error Report  . . . . . . . . . . . . . .  52
       4.4.15.  55
       4.4.14.  Decryption Error Report Period . . . . . . . . . .  53
       4.4.16. .  55
       4.4.15.  Delete MAC ACL Entry . . . . . . . . . . . . . . .  53
       4.4.17. .  56
       4.4.16.  Delete Mobile Station  . . . . . . . . . . . . . . .  54
       4.4.18.  56
       4.4.17.  Delete Static MAC ACL Entry  . . . . . . . . . . . .  54
       4.4.19.  57
       4.4.18.  Discovery Type . . . . . . . . . . . . . . . . . .  55
       4.4.20. .  57
       4.4.19.  Duplicate IPv4 Address . . . . . . . . . . . . . .  55
       4.4.21. .  58
       4.4.20.  Duplicate IPv6 Address . . . . . . . . . . . . . .  56
       4.4.22. .  59
       4.4.21.  Idle Timeout . . . . . . . . . . . . . . . . . . .  56
       4.4.23. .  59
       4.4.22.  Image Data . . . . . . . . . . . . . . . . . . . .  57
       4.4.24. .  60
       4.4.23.  Image Filename . . . . . . . . . . . . . . . . . .  57
       4.4.25. .  60
       4.4.24.  Initiate Download  . . . . . . . . . . . . . . . . .  58
       4.4.26.  61
       4.4.25.  Location Data  . . . . . . . . . . . . . . . . . . .  58
       4.4.27.  61
       4.4.26.  MTU Discovery Padding  . . . . . . . . . . . . . . .  59
       4.4.28.  62
       4.4.27.  Radio Administrative State . . . . . . . . . . . .  59
       4.4.29. .  62
       4.4.28.  Result Code  . . . . . . . . . . . . . . . . . . . .  60
       4.4.30.  63
       4.4.29.  Session ID . . . . . . . . . . . . . . . . . . . .  60
       4.4.31. .  64
       4.4.30.  Statistics Timer . . . . . . . . . . . . . . . . .  61
       4.4.32. .  64
       4.4.31.  Vendor Specific Payload  . . . . . . . . . . . . . .  61
       4.4.33.  64
       4.4.32.  WTP Board Data . . . . . . . . . . . . . . . . . .  62
       4.4.34. .  65
       4.4.33.  WTP Descriptor . . . . . . . . . . . . . . . . . .  63
       4.4.35. .  66
       4.4.34.  WTP Fallback . . . . . . . . . . . . . . . . . . .  64
       4.4.36. .  68
       4.4.35.  WTP Frame Encapsulation Type Tunnel Mode  . . . . . . . . . . .  65
       4.4.37. . . . .  68
       4.4.36.  WTP IPv4 IP Address  . . . . . . . . . . . . . . . .  66
       4.4.38.  69
       4.4.37.  WTP MAC Type . . . . . . . . . . . . . . . . . . .  66
       4.4.39. .  69
       4.4.38.  WTP Radio Information  . . . . . . . . . . . . . . .  67
       4.4.40.  70
       4.4.39.  WTP Manager Control IPv4 Address . . . . . . . . .  67
       4.4.41. .  71
       4.4.40.  WTP Manager Control IPv6 Address . . . . . . . . .  68
       4.4.42. .  71
       4.4.41.  WTP Name . . . . . . . . . . . . . . . . . . . . .  69 .  72
       4.4.42.  WTP Operational Statistics . . . . . . . . . . . . .  72
       4.4.43.  WTP Reboot Radio Statistics . . . . . . . . . . . . . . .  69 .  73
       4.4.44.  WTP Reboot Statistics  . . . . . . . . . . . . . . .  74
       4.4.45.  WTP Static IP Address Information  . . . . . . . . .  70  76
     4.5.   CAPWAP Protocol Timers . . . . . . . . . . . . . . . . .  71  77
       4.5.1.   DiscoveryInterval  . . . . . . . . . . . . . . . . .  71  77
       4.5.2.   DTLSRehandshake  . . . . . . . . . . . . . . . . . .  71  77
       4.5.3.   DTLSSessionDelete  . . . . . . . . . . . . . . . . .  71  77
       4.5.4.   EchoInterval . . . . . . . . . . . . . . . . . . .  71 .  77
       4.5.5.   KeyLifetime  . . . . . . . . . . . . . . . . . . . .  71  77
       4.5.6.   MaxDiscoveryInterval . . . . . . . . . . . . . . .  72 .  78
       4.5.7.   NeighborDeadInterval . . . . . . . . . . . . . . .  72 .  78
       4.5.8.   ResponseTimeout  . . . . . . . . . . . . . . . . . .  72  78
       4.5.9.   RetransmitInterval . . . . . . . . . . . . . . . .  72 .  78
       4.5.10.  SilentInterval . . . . . . . . . . . . . . . . . .  72 .  78
       4.5.11.  WaitJoin . . . . . . . . . . . . . . . . . . . . .  72 .  78
     4.6.   CAPWAP Protocol Variables  . . . . . . . . . . . . . . .  73  79
       4.6.1.   DiscoveryCount . . . . . . . . . . . . . . . . . .  73 .  79
       4.6.2.   MaxDiscoveries . . . . . . . . . . . . . . . . . .  73 .  79
       4.6.3.   MaxRetransmit  . . . . . . . . . . . . . . . . . . .  73  79
       4.6.4.   RetransmitCount  . . . . . . . . . . . . . . . . . .  73  79
   5.  CAPWAP Discovery Operations . . . . . . . . . . . . . . . . .  74  80
     5.1.   Discovery Request Message  . . . . . . . . . . . . . . .  74  80
     5.2.   Discovery Response Message . . . . . . . . . . . . . . .  75  81
     5.3.   Primary Discovery Request Message  . . . . . . . . . . .  75  81
     5.4.   Primary Discovery Response . . . . . . . . . . . . . . .  76  82
   6.  CAPWAP Join Operations  . . . . . . . . . . . . . . . . . . .  77  83
     6.1.   Join Request . . . . . . . . . . . . . . . . . . . . . .  77  83
     6.2.   Join Response  . . . . . . . . . . . . . . . . . . . . .  78  84
   7.  Control Channel Management  . . . . . . . . . . . . . . . . .  79  85
     7.1.   Echo Request . . . . . . . . . . . . . . . . . . . . . .  79  85
     7.2.   Echo Response  . . . . . . . . . . . . . . . . . . . . .  79  85
   8.  WTP Configuration Management  . . . . . . . . . . . . . . . .  80  86
     8.1.   Configuration Consistency  . . . . . . . . . . . . . . .  80  86
       8.1.1.   Configuration Flexibility  . . . . . . . . . . . . .  81  87
     8.2.   Configuration Status . . . . . . . . . . . . . . . . . .  81  87
     8.3.   Configuration Status Response  . . . . . . . . . . . . .  82  88
     8.4.   Configuration Update Request . . . . . . . . . . . . . .  82  88
     8.5.   Configuration Update Response  . . . . . . . . . . . . .  83  89
     8.6.   Change State Event Request . . . . . . . . . . . . . . .  84  90
     8.7.   Change State Event Response  . . . . . . . . . . . . . .  84  90
     8.8.   Clear Config Indication Configuration Request  . . . . . . . . . . . . . .  90
     8.9.   Clear Configuration Response . . . .  85 . . . . . . . . . .  91
   9.  Device Management Operations  . . . . . . . . . . . . . . . .  86  92
     9.1.   Image Data Request . . . . . . . . . . . . . . . . . . .  86  92
     9.2.   Image Data Response  . . . . . . . . . . . . . . . . . .  87  93
     9.3.   Reset Request  . . . . . . . . . . . . . . . . . . . . .  87  93
     9.4.   Reset Response . . . . . . . . . . . . . . . . . . . . .  87  93
     9.5.   WTP Event Request  . . . . . . . . . . . . . . . . . . .  87  93
     9.6.   WTP Event Response . . . . . . . . . . . . . . . . . . .  88  94
     9.7.   Data Transfer Request  . . . . . . . . . . . . . . . . .  88  94
     9.8.   Data Transfer Response . . . . . . . . . . . . . . . . .  88  95
   10. Mobile Session Management . . . . . . . . . . . . . . . . . .  90  96
     10.1.  Mobile Config Configuration Request . . . . . . . . . . . . . . . . .  90  96
     10.2.  Mobile Config Configuration Response  . . . . . . . . . . . . . . . . .  90  96
   11. IEEE 802.11 Binding . . . . . . . . . . . . . . . . . . . . .  91  97
     11.1.  Split MAC and Local MAC Functionality  . . . . . . . . .  91  97
       11.1.1.  Split MAC  . . . . . . . . . . . . . . . . . . . . .  91  97
       11.1.2.  Local MAC  . . . . . . . . . . . . . . . . . . . . .  93  99
     11.2.  Roaming Behavior . . . . . . . . . . . . . . . . . . . .  96 102
     11.3.  Group Key Refresh  . . . . . . . . . . . . . . . . . . .  97 103
     11.4.  Transport specific bindings  . . . . . . . . . . . . . .  97
     11.5.  BSSID to WLAN ID Mapping . . . . . . . . . . . . . . . .  99
     11.6. 103
     11.5.  Quality of Service for IEEE 802.11 Control Messages  . . . . . . . .  99
     11.7. 104
     11.6.  IEEE 802.11 Specific CAPWAP Control Messages . . . . . . 100
       11.7.1. 104
       11.6.1.  IEEE 802.11 WLAN Config Configuration Request . . . . . . . . . . 100
       11.7.2. 104
       11.6.2.  IEEE 802.11 WLAN Config Configuration Response  . . . . . . 105
     11.7.  CAPWAP Data Message Bindings . . . 101
     11.8.  Data Message bindings . . . . . . . . . . . 106
     11.8.  CAPWAP Control Message bindings  . . . . . . . . 101
     11.9.  Control Message bindings . . . . 107
       11.8.1.  Configuration Status Message . . . . . . . . . . . . 101
       11.9.1.   Mobile Config Request 107
       11.8.2.  Configuration Status Response Message  . . . . . . . 108
       11.8.3.  Configuration Update Request Message . . . . . . . . 101
       11.9.2.   WTP Event 108
       11.8.4.  Mobile Config Request  . . . . . . . . . . . . . . . 109
       11.8.5.  WTP Event Request  . . 101
       11.9.3.   Configuration Messages . . . . . . . . . . . . . . 102
     11.10. . 109
     11.9.  IEEE 802.11 Message Element Definitions  . . . . . . . . 102
       11.10.1. 109
       11.9.1.  IEEE 802.11 Add WLAN . . . . . . . . . . . . . . . 102
       11.10.2. . 110
       11.9.2.  IEEE 802.11 Antenna  . . . . . . . . . . . . . . . . 106
       11.10.3. 114
       11.9.3.  IEEE 802.11 Assigned WTP BSSID . . . . . . . . . . 107
       11.10.4.  IEEE 802.11 Broadcast Probe Mode  . . . . . . . . . 108
       11.10.5. 115
       11.9.4.  IEEE 802.11 Delete WLAN  . . . . . . . . . . . . . . 108
       11.10.6. 115
       11.9.5.  IEEE 802.11 Direct Sequence Control  . . . . . . . . 109
       11.10.7. 116
       11.9.6.  IEEE 802.11 Information Element  . . . . . . . . . . 110
       11.10.8. 117
       11.9.7.  IEEE 802.11 MAC Operation  . . . . . . . . . . . . . 110
       11.10.9. 117
       11.9.8.  IEEE 802.11 MIC Countermeasures  . . . . . . . . . . 112
       11.10.10. 119
       11.9.9.  IEEE 802.11 MIC Error Report From Mobile . . . . . 112
       11.10.11. IEEE 802.11 Mobile  . . . . . . . . . . . . . . . . 113
       11.10.12. 120
       11.9.10. IEEE 802.11 Mobile Session Key . . . . . . . . . . 114
       11.10.13. . 121
       11.9.11. IEEE 802.11 Multi-domain Multi-Domain Capability  . . . . . . . . 116
       11.10.14. 122
       11.9.12. IEEE 802.11 OFDM Control . . . . . . . . . . . . . 117
       11.10.15. . 123
       11.9.13. IEEE 802.11 Rate Set . . . . . . . . . . . . . . . 118
       11.10.16. . 124
       11.9.14. IEEE 802.11 RSNA Error Report From Mobile  . . . . . 125
       11.9.15. IEEE 802.11 Station QoS Profile  . . . . . . . . . . 126
       11.9.16. IEEE 802.11 Statistics . . . . . . . . . . . . . . 118
       11.10.17. . 127
       11.9.17. IEEE 802.11 Supported Rates  . . . . . . . . . . . . 120
       11.10.18. 130
       11.9.18. IEEE 802.11 Tx Power . . . . . . . . . . . . . . . 121
       11.10.19. . 131
       11.9.19. IEEE 802.11 Tx Power Level . . . . . . . . . . . . 121
       11.10.20. . 131
       11.9.20. IEEE 802.11 Update Mobile QoS  . . . . . . . . . . . 122
       11.10.21. 132
       11.9.21. IEEE 802.11 Update WLAN  . . . . . . . . . . . . . . 122
       11.10.22. 133
       11.9.22. IEEE 802.11 WTP Quality of Service . . . . . . . . 125
       11.10.23. IEEE 802.11 WTP Radio Fail Alarm Indication . . . . 126
       11.10.24. 134
       11.9.23. IEEE 802.11 WTP Radio Configuration  . . . . . . . . 127
       11.10.25. Station QoS Profile . . . . . . . . . . . . 136
       11.9.24. IEEE 802.11 WTP Radio Fail Alarm Indication  . . . . 128
     11.11. 137
     11.10. Technology Specific Message Element Values . . . . . . . 129 138
   12. NAT Considerations  . . . . . . . . . . . . . . . . . . . . . 130 139
   13. Security Considerations . . . . . . . . . . . . . . . . . . . 132 141
     13.1.  CAPWAP Security  . . . . . . . . . . . . . . . . . . . . 132 141
       13.1.1.  Converting Protected Data into Unprotected Data  . . 133 142
       13.1.2.  Converting Unprotected Data into Protected Data
                (Insertion)  . . . . . . . . . . . . . . . . . . . . 133 142
       13.1.3.  Deletion of Protected Records  . . . . . . . . . . . 133 142
       13.1.4.  Insertion of Unprotected Records . . . . . . . . . 133 . 142
     13.2.  Use of Preshared Keys in CAPWAP  . . . . . . . . . . . . 133 142
     13.3.  Use of Certificates in CAPWAP  . . . . . . . . . . . . . 134 143
     13.4.  AAA Security . . . . . . . . . . . . . . . . . . . . . . 134 144
     13.5.  IEEE 802.11 Security . . . . . . . . . . . . . . . . . . 135 144
   14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 136 146
   15. References  . . . . . . . . . . . . . . . . . . . . . . . . . 137 147
     15.1.  Normative References . . . . . . . . . . . . . . . . . . 137 147
     15.2.  Informational References . . . . . . . . . . . . . . . . 138 148
   Editors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . 140 150
   Intellectual Property and Copyright Statements  . . . . . . . . . 141 151

1.  Introduction

   The emergence of centralized architectures, in which simple IEEE
   802.11 WTPs are managed by an Access Controller (AC) suggests that a
   standards based, interoperable protocol could radically simplify the
   deployment and management of wireless networks.  WTPs require a set
   of dynamic management and control functions related to their primary
   task of connecting the wireless and wired mediums.  Traditional
   protocols for managing WTPs are either manual static configuration
   via HTTP, proprietary Layer 2 specific or non-existent (if the WTPs
   are self-contained).  This document describes the CAPWAP Protocol, a
   standard, interoperable protocol which enables an AC to manage a
   collection of WTPs.  While the protocol is defined to be independent
   of layer 2 technology, an IEEE 802.11 binding is provided to support
   IEEE 802.11 wireless LAN networks.

   CAPWAP assumes a network configuration consisting of multiple WTPs
   communicating via the Internet Protocol (IP) to an AC.  WTPs are
   viewed as remote RF interfaces controlled by the AC.  The AC forwards CAPWAP
   protocol supports two modes of operation: Split and Local MAC.  In
   Split MAC mode all L2 wireless data and management frames to be transmitted by a WTP to that WTP are
   encapsulated via the CAPWAP
   protocol.  L2 protocol and exchanged between the AC and
   the WTP.  In the example of 802.11, as shown in Figure 1, the 802.11
   frames received from a mobile nodes (STAs) node (STA) are forwarded directly encapsulated by
   the WTP and forwarded to the AC.

              +-+         802.11 frames          +-+
              | |--------------------------------| |
              | |              +-+               | |
              | |--------------| |---------------| |
              | |  802.11 PHY/ | |     CAPWAP    | |
              | | MAC sublayer | |               | |
              +-+              +-+               +-+
              STA              WTP                AC using the

   Figure 1: Representative CAPWAP protocol.  Both Split-MAC and Architecture for Split MAC

   The Local MAC arhcitectures are supported.  Figure 1 illustrates this
   arrangement mode of operation allows for the data frames to be
   either locally bridged, or tunneled as applied 802.3 frames.  The latter
   implies that the WTP performs the 802 bridging function.  In either
   case the L2 wireless management frames are processed locally by the
   WTP, and then forwarded to the AC.  Figure 2 provides an example
   using the IEEE 802.11 binding. binding, where a station transmits an 802.11
   frame, which is encapsulated as 802.3 and forwarded to the AC.

              +-+ 802.11 frames +-+ 802.3 frames +-+
              | |---------------| |--------------| |
              | |--------------------------------| |               | |              +-+              | |
              | |--------------| |---------------| |--------------| |
              | |  802.11 PHY/  | |     CAPWAP   | |
              | | MAC sublayer  | |              | |
              +-+               +-+              +-+
              STA               WTP               AC

   Figure 1: 2: Representative CAPWAP Architecture for Split Local MAC

   Provisioning WTPs with security credentials, and managing which WTPs
   are authorized to provide service are traditionally handled by
   proprietary solutions.  Allowing these functions to be performed from
   a centralized AC in an interoperable fashion increases manageability
   and allows network operators to more tightly control their wireless
   network infrastructure.

1.1.  Goals

   The goals for the CAPWAP protocol are listed below:

   1. To centralize the bridging, forwarding, authentication and policy enforcement functions
      for a wireless network.  Optionally, the  The AC may also provide centralized
      bridging, forwarding, and encryption of user traffic.
      Centralization of these functions will enable reduced cost and
      higher efficiency by applying the capabilities of network
      processing silicon to the wireless network, as in wired LANs.

   2. To enable shifting of the higher level protocol processing from
      the WTP.  This leaves the time critical applications of wireless
      control and access in the WTP, making efficient use of the
      computing power available in WTPs which are the subject to severe
      cost pressure.

   3. To provide a generic encapsulation and transport mechanism,
      enabling the CAPWAP protocol to be applied to other access point
      types in the future, via a specific wireless binding.

   The CAPWAP protocol concerns itself solely with the interface between
   the WTP and the AC.  Inter-AC, or mobile node (STA) to AC
   communication is strictly outside the scope of this document.

1.2.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [1].

1.3.  Contributing Authors

   This section lists and acknowledges the authors of significant text
   and concepts included in this specification.  [Note: This section
   needs work to accurately reflect the contribution of each author and
   this work will be done in revision 01 of this document.]

   The CAPWAP Working Group selected the Lightweight Access Point
   Protocol (LWAPP) [add reference, when available]to be used as the
   basis of the CAPWAP protocol specification.  The following people are
   authors of the LWAPP document:

      Bob O'Hara, Cisco Systems, Inc.,170 West Tasman Drive, San Jose, CA  95134
      Phone: +1 408-853-5513, Email: bob.ohara@cisco.com

      Pat Calhoun, Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA  95134
      Phone: +1 408-853-5269, Email: pcalhoun@cisco.com

      Rohit Suri, Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA  95134
      Phone: +1 408-853-5548, Email: rsuri@cisco.com

      Nancy Cam Winget, Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA  95134
      Phone: +1 408-853-0532, Email: ncamwing@cisco.com

      Scott Kelly, Aruba Networks, 1322 Crossman Ave, Sunnyvale, CA 94089
      Phone: +1  408-754-8408, Email: skelly@arubanetworks.com

      Michael Glenn Williams, Nokia, Inc., 313 Fairchild Drive, Mountain View, CA  94043
      Phone: +1 650-714-7758, Email: Michael.G.Williams@Nokia.com

      Sue Hares, Nexthop Technologies, Inc., 825 Victors Way, Suite 100, Ann Arbor, MI  48108
      Phone: +1 734 222 1610, Email: shares@nexthop.com

   DTLS is used as the security solution for the CAPWAP protocol.  The
   following people are authors of significant DTLS-related text
   included in this document:

      Scott Kelly, Aruba Networks, 1322 Crossman Ave, Sunnyvale, CA 94089
      Phone: +1  408-754-8408, Email: skelly@arubanetworks.com

      Eric Rescorla, Network Resonance, 2483 El Camino Real, #212,Palo Alto CA, 94303
      Email: ekr@networkresonance.com

   The concept of using DTLS to secure the CAPWAP protocol was part of
   the Secure Light Access Point Protocol (SLAPP) proposal [add
   reference when available].  The following people are authors of the
   SLAPP proposal:

      Partha Narasimhan, Aruba Networks, 1322 Crossman Ave, Sunnyvale, CA  94089
      Phone: +1 408-480-4716, Email: partha@arubanetworks.com

      Dan Harkins, Tropos Networks, 555 Del Rey Avenue, Sunnyvale, CA, 95085
      Phone: +1 408 470 7372, Email: dharkins@tropos.com

      Subbu Ponnuswamy, Aruba Networks, 1322 Crossman Ave, Sunnyvale, CA  94089
      Phone: +1 408-754-1213, Email: subbu@arubanetworks.com

1.4.  Acknowledgements

   The authors thank Michael Vakulenko for contributing text that
   describes how CAPWAP can be used over a layer 3 (IP/UDP) network.

   The authors thank Russ Housley and Charles Clancy for their
   assistance in provide a security review of the LWAPP specification.
   Charles' review can be found at [16].

2.  Protocol Overview

   The CAPWAP protocol is a generic protocol defining AC and WTP

1.5.  Terminology

   Station (STA): A device that contains an IEEE 802.11 conformant
   medium access control (MAC) and data plane communication via physical layer (PHY) interface to the
   wireless medium (WM).

   Basic Service Set (BSS): A set of stations controlled by a CAPWAP protocol transport
   mechanism.  CAPWAP single
   coordination function.

   Portal: The logical point at which medium access control messages, and optionally CAPWAP (MAC)
   service data
   messages, are secured using Datagram Transport Layer Security (DTLS)
   [14].  DTLS is units (MSDUs) from a standards-track IETF protocol based upon TLS.  The
   underlying security-related protocol mechanisms of TLS have been
   successfully deployed non-IEEE 802.11 local area network
   (LAN) enter the distribution system (DS) of an extended service set
   (ESS).

   Distribution System Service (DSS): The set of services provided by
   the distribution system (DS) that enable the medium access control
   (MAC) layer to transport MAC service data units (MSDUs) between
   stations that are not in direct communication with each other over a
   single instance of the wireless medium (WM).  These services include
   the transport of MSDUs between the access points (APs) of basic
   service sets (BSSs) within an extended service set (ESS), transport
   of MSDUs between portals and BSSs within an ESS, and transport of
   MSDUs between stations in the same BSS in cases where the MSDU has a
   multicast or broadcast destination address, or where the destination
   is an individual address, but the station sending the MSDU chooses to
   involve DSS.  DSSs are provided between pairs of IEEE 802.11 MACs.

   Integration: The service that enables delivery of medium access
   control (MAC) service data units (MSDUs) between the distribution
   system (DS) and an existing, non-IEEE 802.11 local area network (via
   a portal).

   Distribution: The service that, by using association information,
   delivers medium access control (MAC) service data units (MSDUs)
   within the distribution system (DS).

2.  Protocol Overview

   The CAPWAP protocol is a generic protocol defining AC and WTP control
   and data plane communication via a CAPWAP protocol transport
   mechanism.  CAPWAP control messages, and optionally CAPWAP data
   messages, are secured using Datagram Transport Layer Security (DTLS)
   [15].  DTLS is a standards-track IETF protocol based upon TLS.  The
   underlying security-related protocol mechanisms of TLS have been
   successfully deployed for many years.

   The CAPWAP protocol Transport layer carries two types of payload,
   CAPWAP Data messages and CAPWAP Control messages.  CAPWAP Data
   messages are encapsulate forwarded wireless frames.  CAPWAP protocol
   Control messages are management messages exchanged between a WTP and
   an AC.  The CAPWAP Data and Control packets are sent over separate
   UDP ports.  Since both data and control frames can exceed the PMTU,
   the payload of a CAPWAP data or control message can be fragmented.
   The fragmentation behavior is defined in Section 3.

   The CAPWAP Protocol begins with a discovery phase.  The WTPs send a
   Discovery Request message, causing any Access Controller (AC)
   receiving the message to respond with a Discovery Response message.
   From the Discovery Response messages received, a WTP will select an
   AC with which to establish a secure DTLS session.  CAPWAP protocol
   messages will be fragmented to the maximum length discovered to be
   supported by the network.

   Once the WTP and the AC have completed DTLS session establishment, a
   configuration exchange occurs in which both devices to agree on
   version information.  During this exchange the WTP may receive
   provisioning settings.  For the IEEE 802.11 binding, this information
   typically includes a name (IEEE 802.11 Service Set Identifier, SSID)
   security parameters, the data rates to be advertised and the
   associated radio channel(s) to be used.  The WTP is then enabled for
   operation.

   When the WTP and AC have completed the version and provision exchange
   and the WTP is enabled, the CAPWAP protocol is used to encapsulate
   the wireless data frames sent between the WTP and AC.  The CAPWAP
   protocol will fragment the L2 frames if the size of the encapsulated
   wireless user data (Data) or protocol control (Management) frames
   causes the resulting CAPWAP protocol packet to exceed the MTU
   supported between the WTP and AC.  Fragmented CAPWAP packets are
   reassembled to reconstitute the original encapsulated payload.

   The CAPWAP protocol provides for the delivery of commands from the AC
   to the WTP for the management of mobile units (STAs) that are
   communicating with the WTP.  This may include the creation of local
   data structures in the WTP for the mobile units and the collection of
   statistical information about the communication between the WTP and
   the mobile units.  The CAPWAP protocol provides a mechanism for the
   AC to obtain statistical information collected by the WTP.

   The CAPWAP protocol provides for a keep alive feature that preserves
   the communication channel between the WTP and AC.  If the AC fails to
   appear alive, the WTP will try to discover a new AC.

   This Document uses terminology defined in [5].

2.1.  Wireless Binding Definition

   The CAPWAP protocol is independent of a specific WTP radio
   technology.  Elements of the CAPWAP protocol are designed to
   accommodate the specific needs of each wireless technology in a
   standard way.  Implementation of the CAPWAP protocol for a particular
   wireless technology must follow the binding requirements defined for
   that technology.  This specification includes a binding for the IEEE
   802.11 standard(see Section 11).

   When defining a binding for other wireless technologies, the authors
   MUST include any necessary definitions for technology-specific
   messages and all technology-specific message elements for those
   messages.  At a minimum, a binding MUST provide the definition for a
   binding-specific Statistics message element, carried in the WTP Event
   Request message, and a Mobile message element, carried in the Mobile
   Configure Request.  If technology specific message elements are
   required for any of the existing CAPWAP messages defined in this
   specification, they MUST also be defined in the technology binding
   document.

   The naming of binding-specific message elements MUST begin with the
   name of the technology type, e.g., the binding for IEEE 802.11,
   provided in this specification, begins with "IEEE 802.11"."

2.2.  CAPWAP Session Establishment Overview

   This section describes the session establishment process message
   exchanges in the ideal case.  The annotated ladder diagram shows the
   AC on the right, the WTP on the left, and assumes the use of
   certificates for DTLS authentication.  The CAPWAP Protocol State
   Machine is described in detail in Section 2.3.

           ============                         ============
               WTP                                   AC
           ============                         ============
            [----------- begin optional discovery ------------]

            Discover Request     ------>
                                 <------       Discover Response

            [----------- end optional discovery ------------]

                        (--- begin dtls handshake ---)

           ClientHello           ------>
                                 <------       HelloVerifyRequest
                                                   (with cookie)

           ClientHello           ------>
           (with cookie)
                                 <------       ServerHello
                                 <------       Certificate
                                 <------       ServerHelloDone

           (WTP callout for AC authorization)

           Certificate*
           ClientKeyExchange
           CertificateVerify*
           [ChangeCipherSpec]
           Finished              ------>

                                            (AC callout for WTP
                                              authorization)

                                               [ChangeCipherSpec]
                                 <------       Finished

                      (--- DTLS session is established now ---)

           Join Request           ------>
                                 <------       Join Response

                      ( ---assume image is up to date ---)

           Configure Request      ------->
                                 <------       Configure Response

                         (--- enter RUN state ---)

                                   :
                                   :

           Echo Request           ------->
                                 <------       Echo Response
                                   :
                                   :

           EventRequest          ------->
                                 <------       Event Response

                                   :
                                   :

   At the end of the illustrated CAPWAP message exchange, the AC and WTP
   are securely exchanging CAPWAP control messages.  This is an
   idealized illustration, provided to clarify protocol operation.
   Section 2.3 provides a detailed description of the corresponding
   state machine.

2.3.  CAPWAP State Machine Definition

   The following state diagram represents the lifecycle of a WTP-AC
   session.  Use of DTLS by the CAPWAP protocol results in the
   juxtaposition of two nominally separate yet tightly bound state
   machines.  The DTLS and CAPWAP state machines are coupled through an
   API consisting of commands (from CAPWAP to DTLS) and notifications
   (from (DTLS to CAPWAP).  Certain transitions in the DTLS state
   machine are triggered by commands from the CAPWAP state machine,
   while certain transitions in the CAPWAP state machine are triggered
   by notifications from the DTLS state machine.

   This section defines the CAPWAP Integrated State Machine.  In the
   figure below, single lines (denoted with '-' and '|') are used to
   illustrate state transitions.  Double lines (denoted with '=' and
   '"') are used to illustrate commands and notifications between DTLS
   and CAPWAP.  A line composed of '~' characters is used to delineate
   the boundary between nominal CAPWAP and DTLS state machine
   components.

            /-------------<----------------+--------------------\
            v                              |d                   |
         +------+  b+-----------+    +----------+               |
         | Idle |-->| Discovery |--->|  Sulking |               |
         +------+ a +-----------+ c  +----------+               |
          ^   |aa    ^ |e            /----------------------\   |
          |   V     f| v            k|                      |   |
       h +--------------+  +------------+ i +------------+j |   |
      /--|    Join      |->|  Configure |-->| Image Data |  |   |
      |  +--------------+ g+------------+   +------------+  |   |
      |   "c1,  ^  ^   ^        m|            ^    |l       |   |
      |   "c4   "  "   "         |    /-------/    |   /----/   |
      |   "     "  "   "         V    |s           v   V        |
      |   "     "  "   "   +------------+ o+------------+       |
      |   "     "  "   "   |    Run     |->|    Reset   |-------/
      |   "     "  "   "  n+------------+  +------------+   p
      |   "     "  "   "        "c2  ^       ^  c3"   ^
      \---"-----"--"---"--------"----"-------/    "   "     CAPWAP
   ~~~~~~~"~~~~~"~~"~~~"~~~~~~~~"~~~~"~~~~~~~~~~~~"~~~"~~~~~~~~~~~~
          "     "  "   "        "    "            "   "      DTLS
          v     "  "n2 \"""""\  "    "            v   "n6,n7
   /-->+------+ " W+------+  "  "    "      +------------+
   | /-| Idle | " C| Auth |--"~-"----"----->|  Shutdown  |-------\P
   | | +------+ "  +------+V "  "    " /--->|            |<----\ |
   | |X     Z|  "   ^  U|    "  " n4 " |    +------------+     | |
   | |       |  "   |   |    "  " n5," |         ^             | |
   | |       v  "n1 |Y  |  n3"  v  n8" |R        |Q            | |
   | |      +--------+  |  +------------+  S+------------+     | |
   | |      |  Init  |  \->|    Run     |<--|   Rekey    |     | |
   | |      +--------+     |            |-->|            |     | |
   | |                     +------------+T  +------------+     | |
   | \---------------------------------------------------------/ |
   \-------------------------------------------------------------/

   Figure 2: 3: CAPWAP Integrated State Machine

   The CAPWAP protocol state machine, depicted above, is used by both
   the AC and the WTP.  In cases where states are not shared (i.e. not
   implemented in one or the other of the AC or WTP), this is explicitly
   called out in the transition descriptions below.  For every state
   defined, only certain messages are permitted to be sent and received.
   The CAPWAP control messages definitions specify the state(s) in which
   each message is valid.

2.3.1.  CAPWAP Protocol State Transitions

   The following text discusses the various state transitions, and the
   events that cause them.  This section does not discuss interactions
   between DTLS- and CAPWAP-specific states.  Those interactions, as
   well as DTLS-specific states and transitions, are discussed in
   subsequent sections.

   Idle to Discovery (a): This transition occurs once device
      initialization is complete.

      WTP: The WTP enters the Discovery state prior to transmitting the
         first Discovery Request message (see Section 5.1).  Upon
         entering this state, the WTP sets the DiscoveryInterval timer
         (see Section 4.5).  The WTP resets the DiscoveryCount counter
         to zero (0) (see Section 4.6).  The WTP also clears all
         information from ACs it may have received during a previous
         Discovery phase.

      AC: The AC does not maintain state information for the WTP upon
         reception of the Discovery Request message, but it SHOULD
         respond with a Discovery Response message (see Section 5.2).
         This transition is a no-op for the AC.

   Idle to Join (aa): This transition occurs when the WTP presents a
      DTLS ClientHello message containing a valid cookie to the AC.

      WTP: This transition is a no-op for the WTP.

      AC: The AC does not maintain state information until the WTP
         presents a DTLS ClientHello message containing a valid cookie.
         Upon receipt of a DTLS ClientHello message containing a valid
         cookie, the AC creates session state and transitions to the
         Join state.

   Discovery to Discovery (b): In the Discovery state, the WTP
      determines which AC to connect to.

      WTP: This transition occurs when the DiscoveryInterval timer
         expires.  If the WTP is configured with a list of ACs, it
         transmits a Discovery Request message to every AC from which it
         has not received a Discovery Response message.  For every
         transition to this event, the WTP increments the DiscoveryCount
         counter.  See Section 5.1 for more information on how the WTP
         knows the ACs to which it should transmit the Discovery Request
         messages.  The WTP restarts the DiscoveryInterval timer
         whenever it transmits Discovery Request messages.

      AC: This is a no-op.

   Discovery to Sulking (c): This transition occurs on a WTP when
      Discovery or connectivity to the AC fails.

      WTP: The WTP enters this state when the DiscoveryInterval timer
         expires and the DiscoveryCount variable is equal to the
         MaxDiscoveries variable (see Section 4.6).  Upon entering this
         state, the WTP shall start the SilentInterval timer.  While in
         the Sulking state, all received CAPWAP protocol messages
         received shall be ignored.

      AC: This is a no-op.

   Sulking to Idle (d): This transition occurs on a WTP when it must
      restart the discovery phase.

      WTP: The WTP enters this state when the SilentInterval timer (see
         Section 4.5) expires.

      AC: This is a no-op.

   Discovery to Join (e): This transition occurs when the WTP sends a
      ClientHello message to the AC, confirming that it wishes to be
      provided services by the AC.

         WTP: The WTP selects the best AC based either on information it
         gathered during the Discovery Phase or on its configuration.
         It then sends a JoinRequest message to its preferred AC, sets
         the WaitJoin timer, and awaits the Join Response Message.

         AC: This is a no-op for the AC.

   Join to Discovery (f): This state transition is used to return the
      WTP to the Discovery state when an unresponsive AC is encountered.

      WTP: The WTP re-enters the Discovery state when the WaitJoin timer
         expires.

      AC: This is a no-op.

   Join to Configure (g): This state transition is used by the WTP and
      the AC to exchange configuration information.

      WTP: The WTP enters the Configure state when it successfully
         completes the Join operation.  If it determines that its
         version number and the version number advertised by the AC are
         the same, the WTP transmits the Configuration Status message
         (see Section 8.2) to the AC with a snapshot of its current
         configuration.  The WTP also starts the ResponseTimeout timer
         (see ).  (Section 4.5) If the version numbers are not the same,
         the WTP will immediately transition to Image Data state (see
         transition (i)).

      AC: This state transition occurs immediately after the AC
         transmits the Join Response message to the WTP.  If the AC
         receives the Configuration Status message from the WTP, the AC
         must transmit a Configuration Status Response message(see
         Section 8.3) to the WTP, and may include specific message
         elements to override the WTP's configuration.  If the AC
         instead receives the Image Data Request from the WTP, it
         immediately transitions to the Image Data state (see transition
         (i)).

   Join to Reset (h): This state transition occurs when the WaitJoin
      Timer expires.

      WTP: The state transition occurs when the WTP WaitJoin timer
         expires, or upon DTLS negotiation failure.

      AC: Thise state transition occurs when the AC WaitJoin timer
         expires, or or upon DTLS negotiation failure.

   Configure to Image Data (i): This state transition is used by the WTP
      and the AC to download executable firmware.

      WTP: The WTP enters the Image Data state when it successfully
         comletes DTLS session establishment, and determines that its
         version number and the version number advertised by the AC are
         different.  The WTP transmits the Image Data Request (see
         Section 9.1) message requesting that a download of the AC's
         latest firmware be initiated.

      AC: This state transition occurs when the AC receives the Image
         Data Request message from the WTP.  The AC must transmit an
         Image Data Response message (see Section 9.2) to the WTP, which
         includes a portion of the firmware.

   Image Data to Image Data (j): The Image Data state is used by WTP and
      the AC during the firmware download phase.

      WTP: The WTP enters the Image Data state when it receives an Image
         Data Response message indicating that the AC has more data to
         send.

      AC: This state transition occurs when the AC receives the Image
         Data Request message from the WTP while already in the Image
         Data state, and it detects that the firmware download has not
         completed.

   Configure to Reset (k): This state transition is used to reset the
      connection to the AC prior to restarting the WTP with a new
      configuration.

      WTP: The WTP enters the Reset state when it determines that a
         reset of the WTP is required, due to the characteristics of a
         new configuration.

      AC: The AC transitions to the Reset state when it receives the
         DTLSPeerDisconnect (n7) notification.

   Image Data to Reset (l): This state transition is used to reset the
      DTLS connection prior to restarting the WTP after an image
      download.

      WTP: When an image download completes, the WTP enters the Reset
         state, and terminates the DTLS connection, sending a
         DTLSShutdown command to the DTLS state machine.

      AC: The AC enters the Reset state upon receipt of a DTLSIdle (n6)
         notification.

   Configure to Run (m): This state transition occurs when the WTP and
      AC enter their normal state of operation.

      WTP: The WTP enters this state when it receives a successful
         Configuration Status Response message from the AC.  The WTP
         initializes the HeartBeat timer (see Section 4.5), and
         transmits the Change State Event Request message (see
         Section 8.6).

      AC: This state transition occurs when the AC receives the Change
         State Event Request message (see Section 8.6) from the WTP.
         The AC responds with a Change State Event Response (see
         Section 8.7) message.  The AC must start the
         NeighborDeadInterval timer (see Section 4.5).

   Run to Run (n): This is the normal state of operation.

      WTP: This is the WTP's normal state of operation.  There are many
         events that result this state transition:

         Configuration Update: The WTP receives a Configuration Update
            Request message(see Section 8.4).  The WTP MUST respond with
            a Configuration Update Response message (see Section 8.5).

         Change State Event: The WTP receives a Change State Event
            Response message, or determines that it must initiate a
            Change State Event Request message, as a result of a failure
            or change in the state of a radio.

         Echo Request: The WTP receives an Echo Request message (see
            Section 7.1), to which it MUST respond with an Echo Response
            message(see Section 7.2).

         Clear Config Indication: Request: The WTP receives a Clear Config
            Indication Configuration
            Request message (see Section 8.8).  The WTP MUST reset its
            configuration back to manufacturer defaults.

         WTP Event: The WTP generates a WTP Event Request message to
            send information to the AC (see Section 9.5).  The WTP
            receives a WTP Event Response message from the AC (see
            Section 9.6).

         Data Transfer: The WTP generates a Data Transfer Request
            message to the AC (see Section 9.7).  The WTP receives a
            Data Transfer Response message from the AC (see
            Section 9.8).

         WLAN Config Configuration Request: The WTP receives a WLAN Config
            Configuration Request message (see Section 11.7.1), 11.6.1), to which
            it MUST respond with a WLAN Config Configuration Response message
            (see Section 11.7.2). 11.6.2).

         Mobile Config Configuration Request: The WTP receives a Mobile Config
            Request message (see Section 10.1), to which it MUST respond
            with a Mobile Config Response message (see Section 10.2).

      AC: This is the AC's normal state of operation:

         Configuration Update: The AC sends a Configuration Update
            Request message (see Section 8.4) to the WTP to update its
            configuration.  The AC receives a Configuration Update
            Response message (see Section 8.5) from the WTP.

         Change State Event: The AC receives a Change State Event
            Request message (see Section 8.6), to which it MUST respond
            with the Change State Event Response message (see
            Section 8.7).

         Echo: The AC sends an Echo Request message Section 7.1 or
            receives the corresponding Echo Response message, see
            Section 7.2 from the WTP.

         Clear Config Indication: Response: The AC sends receives a Clear Config Indication Configuration
            Response message (see Section 8.8). 8.9).

         WLAN Config: The AC sends a WLAN Config Configuration Request message
            (see Section 11.7.1) 11.6.1) or receives the corresponding WLAN Config
            Configuration Response message (see Section 11.7.2) 11.6.2) from the
            WTP.

         Mobile Config: The AC sends a Mobile Config Configuration Request
            message (see Section 10.1) or receives the corresponding
            Mobile
            Config Configuration Response message (see Section 10.2)
            from the WTP.

         Data Transfer: The AC receives a Data Transfer Request message
            from the AC (see Section 9.7) and MUST generate a
            corresponding Data Transfer Response message (see
            Section 9.8).

         WTP Event: The AC receives a WTP Event Request message from the
            AC (see Section 9.5) and MUST generate a corresponding WTP
            Event Response message (see Section 9.6).

   Run to Reset(o): This state transition is used when the AC or WTP
      wish to tear down the connection.  This may occur as part of
      normal operation, or due to error conditions.

      WTP: The WTP enters the Reset state when it initiates orderly
         termination of the DTLS connection, or when the underlying
         reliable transport is unable to transmit a message within the
         RetransmitInterval timer, see Section 4.5 The WTP also enters
         the Reset state upon receiving a DTLS session termination
         message (DTLS alert) from the AC.  The WTP sends a DTLSReset
         command to the DTLS state machine.

      AC: The AC enters the Idle state when it initiates orderly
         termination of the DTLS connection, or when the underlying
         reliable transport is unable to transmit a message within the
         RetransmitInterval timer (see Section 4.5), and the maximum
         number of RetransmitCount counter has reached the MaxRetransmit
         variable (see Section 4.6).  The AC also enters the Reset state
         upon receiving a DTLS session termination message from the WTP.

   Reset to Idle (p): This state transition occurs when the state
      machine is restarted following a system restart, an unrecoverable
      error on the AC-WTP connection, or orderly session teardown.

      WTP: The WTP clears any state associated with any AC and enters
         the Idle state.

      AC: The AC clears any state associated with the WTP and enters the
         idle state.

   Run to Image Data (s): This state transition occurs when the AC
      transmits an Image Data Request to the WTP, with the Initiate
      Download message element.  The means by which the AC decides to
      download firmware is undefined, but could occur through an
      administrative action.

      WTP: The WTP enters this state when it receives an an Image Data
         Request to the WTP, with the Initiate Download message element.
         The WTP responds by transmitting an Image Data Request with the
         Image Filename message element included..

      AC: This state transition occurs when the AC decides that an WTP
         is to update its firmware by sending an Image Data Request to
         the WTP, with the Initiate Download message element.

2.3.2.  CAPWAP to DTLS Commands

   Four commands are defined for the CAPWAP to DTLS API.  These
   "commands" are conceptual, and may be implemented as one or more
   function calls.  This API definition is provided to clarify
   interactions between the DTLS and CAPWAP components of the integrated
   CAPWAP state machine.

   Below is a list of the minimal command API:

   o  c1: DTLSStart is sent to the DTLS module to cause a DTLS session
      to be established.

   o  c2: DTLSRehandshake is sent to the DTLS module to cause initiation
      of a rehandshake (DTLS rekey).

   o  c3: DTLSShutdown is sent to the DTLS module to cause session
      teardown.

   o  c4: DTLSAbort is sent to the DTLS module to cause session teardown
      when the WaitJoin timer expires.

2.3.3.  DTLS to CAPWAP Notifications

   Eight notifications are defined for the DTLS to CAPWAP API.  These
   "notifications" are conceptual, and may be implemented in numerous
   ways (e.g. as function return values).  This API definition is
   provided to clarify interactions between the DTLS and CAPWAP
   components of the integrated CAPWAP state machine.

   Below is a list of the API notifications:

   o  n1: DTLSInitFailure is sent to the CAPWAP module to indicate an
      initialization failure, which may be due to out of memory or other
      internal error condition.

   o  n2: DTLSAuthenticateFail or DTLSAuthorizeFail is sent to the
      CAPWAP module to indicate peer authentication or authorization
      failures, respectively.

   o  n3: DTLSEstablished is sent to the CAPWAP module to indicate that
      that a secure channel now exists.

   o  n4: DTLSEncapFailure may be sent to CAPWAP to indicate an
      encapsulation failure.  DTLSDecapFailure may be sent to CAPWAP to
      indicate an encryption/authentication failure

   o  n5: DTLSRehandshake is sent to the CAPWAP module to indicate DTLS
      rehandshake initiation by peer.

   o  n6: DTLSIdle is sent to the CAPWAP module to indicate that session
      abort (as requested by CAPWAP) is complete; this occurs when the
      WaitJoin timer expires, or when CAPWAP is executing an orderly
      session shutdown.

   o  n7: DTLSPeerDisconnect is sent to the CAPWAP module to indicate
      DTLS session teardown by peer.  Note that the n7 notification, can
      be received while in the Join, Configure, Image Data, Run and
      Reset states, and always causes a transition to the Reset state.

   o  n8: DTLSReassemblyFailure may be sent to the CAPWAP module to
      indicate DTLS fragment reassembly failure.

2.3.4.  DTLS State Transitions

   This section describes the transitions in the DTLS-specific portion
   of the state machine.

   Idle to Init (Z): This transition indicates the begining of a DTLS
      session.

      WTP: The state ransition is triggered by receipt of the DTLSStart
         command from the CAPWAP state machine, and causes the WTP to
         send a DTLS ClientHello to the AC.

      AC: The state transition is triggered by receipt of the DTLSStart
         command from the CAPWAP state machine.  The AC starts the
         WaitJoin timer and awaits reception of a DTLS ClientHello
         message

   Init to Authenticate/Authorize (Y) This transition indicates that the
      DTLS handshake is in progress.

      WTP: The WTP executes this state transition upon receipt of a
         valid ServerHello.

      AC: The AC executes this transition upon receipt of a certificate
         payload (if configured for public key authentication) or upon
         receipt of the ClientKeyExchange payload if configured for
         preshared keys.

   Init to Idle(X) This state transition occurs upon timeout of the
      WaitJoin Timer.

      WTP: Upon receiving a DTLSAbort command from the CAPWAP state
         machine, the WTP DTLS state machine transitions to Idle state.

      AC: Upon receiving a DTLSAbort command from the CAPWAP state
         machine, the AC DTLS state machine transitions to Idle state.

   Authenticate/Authorize to Authenticate/Authorize (W) This state
      transition is a Loopback state, representing execution of the TLS
      handshake protocol, including authorization callbacks to the
      CAPWAP architecture.

      WTP: Upon receiving AC credential, attempt to execute associated
         validation, authentication, and authorization callbacks.  Note
         that credentials may span protocol messages, in which case the
         WTP will remain in this state pending receipt of all credential
         payloads.

      AC: Upon receipt of the WTP credential, attempt to execute
         associated validation, authentication, and authorization
         callbacks.  Note that credentials may span protocol messages,
         in which case the AC will remain in this state pending receipt
         of all credential payloads.

    Authenticate/Authorize to Shutdown (V) This state transition
      indicates a failure of the DTLS handshake.

      WTP: Send a DTLSAuthenticateFail or DTLSAuthorizeFail to the
         CAPWAP state machine, depending on the exact cause of the
         error.  May send a DTLS notification to the AC to indicate
         failure.

      AC: Send a DTLSAuthenticateFail or DTLSAuthorizeFail to the CAPWAP
         state machine, depending on the exact cause of the error.  May
         send a DTLS Notification to the AC to indicate failure.

   Authenticate/Authorize to Run (U) This state transition occurs upon
      successful completion of the DTLS handshake.

      WTP: Send a DTLSEstablished notification to the CAPWAP state
         machine.

      AC: Send a DTLSEstablished notification to the CAPWAP state
         machine.

   Run to Rekey (T) This state transition occurs when a DTLS rehandshake
      is in progress; this is initiated when either (a) the DTLS state
      machine receives the DTLSRehandshake command from CAPWAP, or (b) a
      DTLS rehandshake message is received from the peer..

      WTP: If CAPWAP issued a DTLSRehandshake command, initiate
         rehandshake with the peer; note that control traffic may
         continue to flow using existing secure association.  If the
         rehandshake is initiated by the peer, send a DTLSRehandshake
         notification to CAPWAP.

      AC: If CAPWAP issued a DTLSRehandshake command, initiate
         rehandshake with the peer; note that control traffic may
         continue to flow using existing secure association.  If the
         rehandshake is initiated by the peer, send a DTLSRehandshake
         notification to CAPWAP.

   Run to Shutdown (S) This state transition indicates a shutdown of the
      DTLS channel.

      WTP: This state transition occurs when the CAPWAP state machine
         sends a DTLSShutdown command, or when the the AC terminates the
         DTLS session.

      AC: This state transition occurs when CAPWAP state machine sends a
         DTLSShutdown command, or when the WTP terminates the DTLS
         session.

    Rekey to Run (R) This state transition indicates the successful
      completion of a DTLS rehandshake.

      WTP: This state transition occurs when the WTP receives the DTLS
         Finished message from the AC, completing the DTLS re-handshake.

      AC: This state transition occurs when the AC sends a DTLS Finished
         message to the WTP, completing the DTLS re-handshake.

   Rekey to Shutdown (Q) This state transition indicates the failure of
      the DTLS rekey operation.

      WTP: This state transition occurs when there is a failure in the
         rehandshake negotiation with the AC.

      AC: This state transition occurs when there is a failure in the
         rehandshake negotiation with the WTP.

   Shutdown to Idle (P) This state transition occurs upon transmission
      of a DTLS Session termination message, or upon receipt of a DTLS
      session termination message.

      WTP: This state transition occurs after the WTP transmits the DTLS
         session termination message.  If the WTP receives a DTLS
         session termination message, it sends the DTLSPeerDisconnect
         notification to CAPWAP and moves to the Idle state.

      AC: This state transition occurs after the AC transmits the DTLS
         session termination message.  If the AC receives a DTLS session
         termination message, it sends the DTLSPeerDisconnect
         notification to CAPWAP and moves to the Idle state.

2.4.  Use of DTLS in the CAPWAP Protocol

   DTLS is used as a tightly-integrated, secure wrapper for the CAPWAP
   protocol.  In this document DTLS and CAPWAP are discussed as
   nominally distinct entitites; however they are very closely coupled,
   and may even be implemented inseparably.  Since there are DTLS
   library implementations currently available, and since security
   protocols (e.g.  IPsec, TLS) are often implemented in widely
   available acceleration hardware, it is both convenient and forward-
   looking to maintain a modular distinction in this document.

   This section describes a detailed walk-through of the interactions
   between the DTLS module and the CAPWAP module, via 'commands' (CAPWAP
   to DTLS) and 'notifications' (DTLS to CAPWAP) as they would be
   encountered during the normal course of operation.

2.4.1.  DTLS Handshake Processing

   Details of the DTLS handshake process are specified in [DTLS].  This
   section describes the interactions between the DTLS session
   establishment process and the CAPWAP protocol.  In the normal case,
   the DTLS handshake will proceed as follows (NOTE: this example uses
   certificates, but preshared keys are also supported):

           ============                         ============
               WTP                                   AC
           ============                         ============

             ClientHello           ------>
                                 <------       HelloVerifyRequest
                                                   (with cookie)

           ClientHello           ------>
           (with cookie)
                                 <------       ServerHello
                                 <------       Certificate
                                 <------       ServerHelloDone

           (WTP callout for AC authorization)

           Certificate*
           ClientKeyExchange
           CertificateVerify*
           [ChangeCipherSpec]
           Finished              ------>

                                            (AC callout for WTP
                                              authorization)

                                               [ChangeCipherSpec]
                                 <------       Finished

   DTLS, as specified, provides its own retransmit timers with an
   exponential back-off.  However, it will never terminate the handshake
   due to non-responsiveness; rather, it will continue to increase its
   back-off timer period.  Hence, timing out incomplete DTLS handshakes
   is entirely the responsiblity of the CAPWAP protocol.

2.4.1.1.  Join Operations

   The WTP, either through the Discovery process, or through pre-
   configuration, determines the AC to connect to.  The WTP uses DTLS to
   establish a secure connection to the selected AC.  Prior to
   initiation of the DTLS handshake, the WTP sets the WaitJoin timer.
   Upon receipt of a ClientHello message containing a valid cookie, the
   AC sets the WaitJoin timer.  If the Join operation has not completed
   prior to timer expiration, the Join process is aborted, the WTP
   transitions back to Discovery state, and the AC transitions back to
   Idle state.  Upon successful completion of the Join process the
   WaitJoin timer is deactivated.

2.4.2.  DTLS Error Handling

   If the AC does not respond to any DTLS messages sent by the WTP, the
   DTLS specification calls for the WTP to retransmit these messages.
   If the WaitJoin timer expires, CAPWAP will issue the DTLSAbort
   command, causing DTLS to terminate the handshake and remove any
   allocated session context.  Note that DTLS MAY send a single TLS
   Alert message to the AC to indicate session termination.

   If the WTP does not respond to any DTLS messages sent by the AC, the
   CAPWAP protocol allows for three possiblities, listed below.  Note
   that DTLS MAY send a single TLS Alert message to the AC to indicate
   session termination.

   o  The message was lost in transit; in this case, the WTP will re-
      transmit its last outstanding message, since it did not receive
      the reply.

   o  The WTP sent a DTLS Alert, which was lost in transit; in this
      case, the AC's WaitJoin timer will expire, and the session will be
      terminated.

   o  Communication with the WTP has completely failed; in this case,
      the AC's WaitJoin timer will expire, and the session will be
      terminated.

   The DTLS specification provides for retransmission of unacknowledged
   requests.  If retransmissions remain unacknowledged, the WaitJoin
   timer will eventually expire, at which time the CAPWAP module will
   terminate the session.

   If a cookie fails to validate, this could represent a WTP error, or
   it could represent a DoS attack.  Hence, AC resource utilization
   SHOULD be minimized.  The AC MAY log a message indicating the
   failure, but SHOULD NOT attempt to reply to the WTP.

   Since DTLS handshake messages are potentially larger than the maximum
   record size, DTLS supports fragmenting of handshake messages across
   multiple records.  There are several potential causes of re-assembly
   errors, including overlapping and/or lost fragments.  The DTLS module
   MUST send a DTLSReassemblyFailure notification to CAPWAP.  Whether
   precise information is given along with notification is an
   implementation issue, and hence is beyond the scope of this document.
   Upon receipt of such an error, the CAPWAP protocol implementation
   SHOULD log an appropriate error message.  Whether processing
   continues or the DTLS session is terminated is implementation
   dependent.

   DTLS decapsulation errors consist of three types: decryption errors,
   and authentication errors, and malformed DTLS record headers.  Since
   DTLS authenticates the data prior to encapsulation, if decryption
   fails, it is difficult to detect this without first attempting to
   authenticate the packet.  If authentication fails, a decryption error
   is also likely, but not guaranteed.  Rather than attempt to derive
   (and require the implementation of) algorithms for detecting
   decryption failures, these are reported as authentication failures.
   The DTLS module MUST provide a DTLSDecapFailure notification to
   CAPWAP when such errors occur.  If a malformed DTLS record header is
   detected, the packets SHOULD be silently discarded, and the receiver
   MAY log an error message.

   There is currently only one encapsulation error defined: MTU
   exceeeded.  As part of DTLS session establishment, CAPWAP informs
   DTLS of the MTU size.  This may be dynamically modified at any time
   when CAPWAP sends the DTLSMtuUpdate command to DTLS.  DTLS returns
   this notification to CAPWAP whenever a transmission request will
   result in a packet which exceeds the MTU.

2.4.3.  DTLS Rehandshake Behavior

   DTLS rekeying (known in DTLS as "rehandshake") requires special
   attention, as the DTLS specification provides no rehandshake
   triggering mechanism.  Rather, the application (in this case, CAPWAP)
   is expected to manage this for itself.  This section addressed
   various aspects of rehandshake behavior.

   One simple way to think of a DTLS session is as a pair of
   unidirectional channels which are tightly bound together.  A useful
   analogy is the twisted pair used for phone wiring, with one line per
   pair.  Then, the rehandshake process can be thought of using the call
   over the existing pair to establish a call over a new pair - that is,
   an entirely new session is negotiated under the protection of the
   existing session.

   This sounds simple enough, yet there is operational complexity in
   changing over to the new session.  In particular, how does each end
   know when it is safe to delete the "old" session, and switch over to
   the new one?  If DTLS were not a datagram protocol, this would be
   simpler, but the fact that message delivery is unreliable
   significantly complicates things: when the AC (the "server")
   transmits its Finished message, it cannot be sure that the WTP
   received it until the WTP transmits data on the new channel.

   This fact constrains the way in which we transition to the new
   session, and delete the old one.  The WTP, upon receipt of the AC's
   Finished message for the new session, immediately makes the new
   session active, and transmits no further data (e.g. echo requests,
   statistics, etc) on the old channel, and sends a TLS "user_cancelled"
   alert message on the old channel, after which the old session is
   immediately deleted.

   The AC, sets a DTLSSessionDelete timer, (see Section 4.5) and
   immediately makes the new session active, and transmits no further
   data (e.g. echo requests, statistics, etc) on the old channel.

   If a TLS "user_cancelled" alert message is received on the old
   channel, the session delete timer is deactivated, and the session is
   deleted.

   if the dtls-session-delete timer expires, a TLS "user_cancelled"
   alert message is transmitted on the old channel, and the session is
   deleted.

   Note that there is a slight possibility that some packets may be in
   flight when the session is deleted.  However, since CAPWAP provides
   reliable delivery, these packets will be retransmitted over the new
   channel.

2.4.3.1.  Peer Initiated Rehandshake Triggers

   Since key lifetimes are not negotiable in DTLS, it is possible that a
   rehandshake from a peer may occur at any time, and implementations
   must be prepared for this eventuality.  Presumably, communicating
   devices will be within the same domain of control.  This being the
   case, overly-aggressive rekeying may be detected by simply monitoring
   logs, assuming such activity is indeed logged.  Hence,
   implementations MUST log rekey attempts as they occur, reporting the
   time and identifying information for the peer.

   CAPWAP implementations MUST provide an administrative interface which
   permits specification of key lifetimes in seconds.  Also,
   implementations which wait until this interval has expired to begin
   the rehandshake process are liable to encounter temporary service
   lapses on heavily loaded networks, so implementations SHOULD begin
   the rehandshake before the actual lifetime has elapsed.

   Given the relatively low bandwidth we might reasonably expect over a
   CAPWAP control channel and the strength of modern cryptographic
   algorithms (e.g.  AES-128, 3DES, etc), it is reasonable to assume
   that lifetimes will typically be more than 8 hours.  Given this
   assumption, a good rule of thumb for deciding when to rekey is this:
   deduct a random number of seconds from the lifetime (say, between 1%
   and 5% of the lifetime), and begin the rehandshake process at that
   point.  Using a random value helps avert collisions, when both sides
   initiate a rehandshake at the same time (discussed further below).

2.4.3.2.  Time Based Rehandshake Triggers

   CAPWAP implementations MUST provide an administrative interface which
   permits specification of key lifetimes in seconds.  Also,
   implementations which wait until this interval has expired to begin
   the rehandshake process are liable to encounter temporary service
   lapses on heavily loaded networks, so implementations SHOULD begin
   the rehandshake before the actual lifetime has elapsed.

   Given the relatively low bandwidth we might reasonably expect over a
   CAPWAP control channel and the strength of modern cryptographic
   algorithms (e.g.  AES-128, 3DES, etc), it is reasonable to assume
   that key lifetimes will typically be more than 8 hours.  Given this
   assumption, a good rule of thumb for deciding when to rekey is this:
   deduct a random number of seconds from the lifetime (say, between 1%
   and 5% of the lifetime), and begin the rehandshake process at that
   point.  Using a random value helps avert collisions, when both sides
   initiate a rehandshake at the same time.

2.4.3.3.  Volume Based Rehandshake Triggers

   CAPWAP implementations MUST provide an administrative interface which
   permits specification of key lifetimes in packet count.  Like time-
   based, lifetimes, implementations which wait until this interval has
   expired to begin the rehandshake process may encounter temporary
   service lapses on heavily loaded networks, so implementations SHOULD
   begin the rehandshake before the actual lifetime has elapsed.

   Volume-based lifetime estimation for purposes of rehandshake
   initiation is considerably more complex than time-based lifetime.  In
   addition to avoiding collisions, the maximum burst rate must be
   known, and an extimate made, assuming rehandshake packets are lost,
   etc.  Hence, we do not specify a one-size-fits-all approach here, and
   the specific algorithm used is implementation dependent.

2.4.3.4.  Rehandshake Collisions

   A collision occurs when both sides initiate a rehandshake
   simultaneously.  No matter how much care is taken, rehandshake
   collisions are a distinct possibility.  Hence, a contention
   resolution strategy is specified.

   A rehandshake collision is detected when a system receives a
   rehandshake initiation when it has one outstanding with the same
   peer.

   When this occurs, each side will compare its own address with that of
   its peer (in network byte order).

   The one with the lower of the two addresses will ignore the peer's
   rehandshake message, and continue with its own rehandshake process.

   The one with the higher message will immediately abort its current
   rehandshake, and set the DTLSRehandshake timer (see Section 4.5); if
   the peer with the lower address does not complete the rehandshake
   before the timer expires, the peer with the higher address will re-
   initiate.

2.4.4.  DTLS EndPoint Authentication

   DTLS supports endpoint authentication with certificates or preshared
   keys.  The TLS algorithm suites for each endpoint authentication
   method are described below.

2.4.4.1.  Authenticating with Certificates

   Note that only block ciphers are currently recommended for use with
   DTLS.  To understand the reasoning behind this, see [26].
   However,support  However,
   support for AES counter mode encryption is currently progressing in
   the TLS working group, and once protocol identifiers are available,
   they will be added below.  At present, the following algorithms MUST
   be supported when using certificates for CAPWAP authentication:

   o  TLS_RSA_WITH_AES_128_CBC_SHA

   o  TLS_RSA_WITH_3DES_EDE_CBC_SHA

   The following algorithms SHOULD be supported when using certificates:

   o  TLS_DH_RSA_WITH_AES_128_CBC_SHA

   o  TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
   The following algorithms MAY be supported when using certificates:

   o  TLS_RSA_WITH_AES_256_CBC_SHA

   o  TLS_DH_RSA_WITH_AES_256_CBC_SHA

2.4.4.2.  Authenticating with Preshared Keys

   Pre-shared keys present significant challenges from a security
   perspective, and for that reason, their use is strongly discouraged.
   However, [13] [14] defines 3 several different methods for authenticating
   with preshared keys: keys, and we focus on the following two:

   o  PSK key exchange algorithm - simplest method, ciphersuites use
      only symmetric key algorithms

   o  DHE_PSK key exchange algorithm - use a PSK to authenticate a
      Diffie-Hellman exchange.  These ciphersuites give some additional
      protection against dictionary attacks and also provide Perfect
      Forward Secrecy (PFS).

   o  RSA_PSK key exchange algorithm - use RSA and certificates to
      authenticate the server, in addition to using a PSK.  This is not
      susceptible to passive attacks.

   The first approach (plain PSK) is susceptible to passive dictionary
   attacks; hence, while this alorithm MAY MUST be supported, special care
   should be taken when choosing that method.  In particular, user-
   readable passphrases SHOULD NOT be used, and use of short PSKs should SHOULD
   be strongly discouraged.  Additionally, DHE_PSK MUST be supported,
   and RSA_PSK MAY be supported.

   The following cryptographic algorithms MUST be supported when using
   preshared keys:

   o  TLS_PSK_WITH_AES_128_CBC_SHA

   o  TLS_PSK_WITH_3DES_EDE_CBC_SHA

   o  TLS_DHE_PSK_WITH_AES_128_CBC_SHA

   o  TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA

   The following algorithms SHOULD be supported when using preshared
   keys:

   o  TLS_DHE_PSK_WITH_AES_256_CBC_SHA

   The following algorithms MAY be supported when using preshared keys:

   o  TLS_PSK_WITH_AES_128_CBC_SHA

   o  TLS_PSK_WITH_AES_256_CBC_SHA

   o  TLS_PSK_WITH_3DES_EDE_CBC_SHA

   o  TLS_RSA_PSK_WITH_AES_128_CBC_SHA

   o  TLS_RSA_PSK_WITH_AES_256_CBC_SHA

   o  TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA  TLS_DHE_PSK_WITH_AES_256_CBC_SHA

2.4.4.3.  Certificate Usage

   Validation of the certificates

   When using certificates, both authentication and authorization must
   be considered.  Section 13.3 provides recommendations on how to
   authenticate a certificate and bind that to a CAPWAP entity.  This
   section deals with certificate authorization.

   Certificate authorization by the AC and WTP is required so that only
   an AC may perform the functions of an AC and that only a WTP may
   perform the functions of a WTP.  This restriction of functions to the
   AC or WTP requires that the certificates used by the AC MUST be
   distinguishable from the certificate used by the WTP.  To accomplish
   this differentiation, the x.509v3 x.509 certificates MUST include the
   Extensions
   Extended Key Usage (EKU)certificate extension [11].

   The EKU field [11] indicates one or more purposes for which a certificate
   may be used.  It is an essential part in authorization.  Its syntax
   is as follows:

              ExtKeyUsageSyntax  ::=  SEQUENCE SIZE (1..MAX) OF KeyPurposeId

              KeyPurposeId  ::=  OBJECT IDENTIFIER

   Here we define two KeyPurposeId values, one for the WTP and MUST include one for
   the NetscapeComment [15]
   extension. AC.  Inclusion of one of those two values indicates a certificate
   is authorized for use by a WTP or AC, respectively.  These values are
   formatted as id-kp fields.

             id-kp  OBJECT IDENTIFIER  ::=
                 { iso(1) identified-organization(3) dod(6) internet(1)
                   security(5) mechanisms(5) pkix(7) 3 }

              id-kp-capwapWTP  OBJECT IDENTIFIER  ::=  { id-kp 19 }

              id-kp-capwapAC   OBJECT IDENTIFIER  ::=  { id-kp 18 }

   For an AC, the value of the NetscapeComment extension id-kp-capwapAC EKU MUST be present in the
   string "CAPWAP AC Device Certificate". certificate.
   For a WTP, the value of the
   NetscapeComment extension id-kp-capwapWTP EKU MUST be present in the string "CAPWAP WTP Device
   Certificate".
   certificate.

   Part of the CAPWAP certificate validation process includes ensuring
   that the proper string EKU is included in the NetscapeComment extension, and only allowing the CAPWAP session
   to be established if the extension does not represent the same role as the device validating properly represents the certificate.  For instance, a WTP MUST NOT accept a certificate
   whose NetscapeComment field is set to "CAPWAP WTP Device
   Certificate". device.

3.  CAPWAP Transport

   The CAPWAP protocol uses UDP as a transport, and can be used with
   IPv4 or IPv6.  This section details the specifics of how the CAPWAP
   protocol works in conjunction with IP.

3.1.  UDP Transport

   Communication between a WTP and an AC is established according to the
   standard UDP client/server model.  One of the CAPWAP requirements is
   to allow a WTP to reside behind a firewall and/or Network Address
   Translation (NAT) device.  Since the connection is initiated by the
   WTP (client) to the well-known UDP port of the AC (server), the use
   of UDP is a logical choice.

   CAPWAP protocol control packets sent between the WTP and the AC use
   well known UDP port [to be IANA assigned].  CAPWAP protocol data
   packets sent between the WTP and the AC use UDP port [to be IANA
   assigned].

3.2.  AC Discovery

   A WTP and an AC will frequently not reside in the same IP subnet
   (broadcast domain).  When this occurs, the WTP must be capable of
   discovering the AC, without requiring that multicast services are
   enabled in the network.  This section describes how AC discovery is
   performed by WTPs.

   As the WTP attempts to establish communication with an AC, it sends
   the Discovery Request message and receives the corresponding response
   message from the AC(s).  The WTP must send the Discovery Request
   message to either the limited broadcast IP address (255.255.255.255),
   a well known multicast address or to the unicast IP address of the
   AC.  Upon receipt of the Discovery Request message, the AC issues a
   Discovery Response message to the unicast IP address of the WTP,
   regardless of whether the Discovery Request message was sent as a
   broadcast, multicast or unicast message.

   WTP use of a limited IP broadcast, multicast or unicast IP address is
   implementation dependent.

   When a WTP transmits a Discovery Request message to a unicast
   address, the WTP must first obtain the IP address of the AC.  Any
   static configuration of an AC's IP address on the WTP non-volatile
   storage is implementation dependent.  However, additional dynamic
   schemes are possible, for example:

   DHCP: A comma delimited ASCII encoded list of AC IP addresses is
      embedded in the DHCP vendor specific option 43 extension.  An
      example of the actual format of the vendor specific payload for
      IPv4 is of the form "10.1.1.1, 10.1.1.2".

   DNS: The DNS name "CAPWAP-AC-Address" MAY be resolvable to one or
      more AC addresses.

3.3.  Fragmentation/Reassembly

   While fragmentation and reassembly services are provided by IP, the
   CAPWAP protocol also provides such services.  Environments where the
   CAPWAP protocol is used involve firewall, Network Address Translation
   (NAT) and "middle box" devices, which tend to drop IP fragments in
   order to minimize possible Denial of Service attacks.  By providing
   fragmentation and reassembly at the application layer, any
   fragmentation required due to the tunneling component of the CAPWAP
   protocol becomes transparent to these intermediate devices.
   Consequently, the CAPWAP protocol is not impacted by any network
   configurations.

4.  CAPWAP Packet Formats

   This section contains the CAPWAP protocol packet formats.  A CAPWAP
   protocol packet consists of a CAPWAP Transport Layer packet header
   followed by a CAPWAP message.  The CAPWAP message can be either of
   type Control or Data, where Control packets carry signaling, and Data
   packets carry user payloads.  The CAPWAP frame formats for CAPWAP
   Data packets, and for DTLS encapsulated CAPWAP Data and Control
   packets. are as shown below:

      CAPWAP Data Packet :
       +--------------------------------+
       | IP  |UDP  | CAPWAP | Wireless  |
       | Hdr |Hdr  | Header | Payload   |
       +--------------------------------+

       CAPWAP + Optional DTLS Data Packet Security:
       +------------------------------------------------+
       | IP  |UDP | DTLS  | CAPWAP  | Wireless | DTLS   |
       | Hdr |Hdr | Hdr   | Hdr     | Payload  | Trailer|
       +------------------------------------------------+
                   \--authenticated-----------/
                           \---     encrypted-----------/

       CAPWAP Control Packet (DTLS Security Required):
       +-----------------------------------------------------------+
       | IP  |UDP | DTLS | CAPWAP | Control | Message    | DTLS    |
       | Hdr |Hdr | Hdr  | Header | Header  | Element(s) | Trailer |
       +-----------------------------------------------------------+
                   \-------authenticated-----------------/
                          \------------encrypted-------------------/

   UDP: All CAPWAP packets are encapsulated within UDP.  Section
      Section 3.1 defines the specific UDP usage.

   CAPWAP Header: All CAPWAP protocol packets use a common header that
      immediately follows the UDP header.  This header, is defined in
      Section 4.1.

   Wireless Payload: A CAPWAP protocol packet that contains a wireless
      payload is known as a data frame.  The CAPWAP protocol does not
      dictate the format of the wireless payload, which is defined by
      the appropriate wireless standard.  Additional information is in
      Section 4.2.

   Control Header: The CAPWAP protocol includes a signalling component,
      known as the CAPWAP control protocol.  All CAPWAP control packets
      include a Control Header, which is defined in Section 4.3.1.

   Message Elements: A CAPWAP Control packet includes one or more
      message elements, which are found immediately following the
      control header.  These message elements are in a Type/Length/value
      style header, defined in Section 4.4.

4.1.  CAPWAP Transport Header

   All CAPWAP protocol messages are encapsulated using a common header
   format, regardless of the CAPWAP control or CAPWAP Data transport
   used to carry the messages.  However, certain flags are not
   applicable for a given transport.  Refer to the specific transport
   section in order to determine which flags are valid.

   Note that the optional fields defined in this section MUST be present
   in the precise order shown below.

         0                   1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |Version|   RID   |  HLEN  |F|L|W|M|   |  WBID   |T|F|L|W|M|     Flags     |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |          Fragment ID          |     Frag Offset         |Rsv-2|         |Rsvd |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                 (optional) Radio MAC Address                  |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |            (optional) Wireless Specific Information           |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                        Payload ....                           |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Version: A 4 bit field which contains the version of CAPWAP used in
      this packet.  The value for this draft is 0.

   RID: A 5 bit field which contains the Radio ID number for this
      packet.  WTPs with multiple radios but a single MAC Address range
      use this field to indicate which radio is associated with the
      packet.

   HLEN: Length A 5 bit field containing the length of the CAPWAP tunnel transport
      header in 4 byte words. words (Similar to IP header length).  This length
      includes the optional headers.

   WBID: A 5 bit field which is the wireless binding identifier.  The
      identifier will indicate the type of wireless packet type
      associated with the radio.  The following values are defined:

      1 - IEEE 802.11

   T: The Type 'T' bit indicates the format of the frame being
      transported in the payload (see Section 11.7).  When this bit is
      set to one (1), the payload has the native frame format indicated
      by the WBID field.  When this bit is zero (0) the payload is an
      IEEE 802.3 frame.

   F: The Fragment 'F' bit indicates whether this packet is a fragment.
      When this bit is one (1), the packet is a fragment and MUST be
      combined with the other corresponding fragments to reassemble the
      complete information exchanged between the WTP and AC.

   L: The Not Last 'L' bit is valid only if the 'F' bit is set and indicates
      whether the packet contains the last fragment of a fragmented
      exchange between WTP and AC.  When this bit is 1, the packet is not
      the last fragment.  When this bit is 0, the packet is not the last
      fragment.

   W: The Wireless 'W' bit is used to specify whether the optional
      wireless specific information field is present in the header.  A
      value of one (1) is used to represent the fact that the optional
      header is present.

   M: The M bit is used to indicate that the Radio MAC Address optional
      header is present.  This is used to communicate the MAC address of
      the receiving radio when the native wireless packet.  This field
      MUST NOT be set to one in packets sent by the AC to the WTP.

   Flags: A set of reserved bits for future flags in the CAPWAP header.
      All implementations complying with version zero of this protocol
      MUST set these bits to zero.

   Fragment ID: An 16 bit field whose value is assigned to each group of
      fragments making up a complete set.  The fragment ID space is
      managed individually for every WTP/AC pair.  The value of Fragment
      ID is incremented with each new set of fragments.  The Fragment ID
      wraps to zero after the maximum value has been used to identify a
      set of fragments.

   Fragment Offset: A 13 bit field that indicates where in the payload
      will this fragment belong during re-assembly.  This field is valid
      when the 'F' bit is set to 1.  The fragment offset is measured in
      units of 8 octets (64 bits).  The first fragment has offset zero.

      Note the CAPWAP protocol does not allow for overlapping fragments.
      For instance, fragment 0 would include offset 0 with a payload
      length of 1000, while fragment 1 include offset 900 with a payload
      length of 600.

   Reserved: The 3-bit Reserved-2 Reserved field is reserved and set to 0 in this
      version of the CAPWAP protocol.

   Radio MAC Address: This optional field contains the MAC address of
      the radio receiving the packet.  This is useful in packets sent
      from the WTP to the AC, when the native wireless frame format is
      converted to 802.3 by the WTP.  This field is only present if the
      'M' bit is set.  Given the HLEN field assumes 4 byte alignment,
      this field MUST be padded with zeroes (0x00) if it is not 4 byte
      aligned.

      The field contains the basic format:

         0                   1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |    Length     |                  MAC Address
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      Length: The number of bytes in the MAC Address field.  The length
         field is present since new IEEE technologies (e.g., 802.16) are
         now using 48 byte 64 bits MAC addresses.

      MAC Address: The MAC Address of the receiving radio.

   Wireless Specific Information: This optional field contains
      technology specific information that may be used to carry per
      packet wireless information.  This field is only present if the
      'W' bit is set.  Given the HLEN field assumes 4 byte alignment,
      this field MUST be padded with zeroes (0x00) if it is not 4 byte
      aligned.

      The field contains the basic format:

         0                   1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |  Wireless ID  |    Length     |             Data
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      Wireless ID: The wireless binding identifier.  The following
         values are defined:

         1 - : IEEE 802.11

      Length: The length of the data field

      Data: Wireless specific information, whose details are defined in
         the technology specific binding section. bindings section (see Section 11.7).

   Payload: This field contains the header for a CAPWAP Data Message or
      CAPWAP Control Message, followed by the data associated with that
      message.

4.2.  CAPWAP Data Messages

   A CAPWAP protocol data message is encapsulates a forwarded wireless
   frame.  The CAPWAP protocol defines two different modes of encapsulations;
   encapsulation; IEEE 802.3 and native wireless.  IEEE 802.3
   encapsulation requires that the bridging function be performed in the
   WTP.  An IEEE 802.3 encapsulated user payload frame has the following
   format:

       +------------------------------------------------------+
       | IP Header | UDP Header | CAPWAP Header | 802.3 Frame |
       +------------------------------------------------------+

   The CAPWAP protocol also defines the native wireless encapsulation
   mode.  The actual format of the encapsulated CAPWAP data frame is
   subject to the rules defined under the specific wireless technology
   binding.  As a consequence, each wireless technology binding MUST
   define a section entitled "Payload encapsulation", which defines the
   format of the wireless payload that is encapsulated within the CAPWAP
   Data messages.

   In the event that the encapsulated frame would exceed the transport
   layer's MTU, the sender is responsible for the fragmentation of the
   frame, as specified in Section 3.3.

4.3.  CAPWAP Control Messages

   The CAPWAP Control protocol provides a control channel between the
   WTP and the AC.  Control messages are divided into the following
   distinct message types:

   Discovery: CAPWAP Discovery messages are used to identify potential
      ACs, their load and capabilities.

   WTP Configuration: The WTP Configuration messages are used by the AC
      to push a specific configuration to the WTP it has a control
      channel with.  Messages that deal with the retrieval of statistics
      from the WTP also fall in this category.

   Mobile Session Management: Mobile session management messages are
      used by the AC to push specific mobile station policies to the
      WTP.

   Firmware Management: Messages in this category are used by the AC to
      push a new firmware image to the WTP.

   Binding Specific Management Frames: Messages in this category are
      used by the AC and the WTP to exchange protocol-specific
      management frame.  These frames may or may not be used to change
      the link state of a Mobile device.

   Discovery, WTP Configuration and Mobile Session Management messages
   MUST be implemented.  Firmware Management MAY be implemented.

   In addition, technology specific bindings (see Section 11.7 may
   introduce new control channel commands.

4.3.1.  Control Message Format

   All CAPWAP control messages are sent encapsulated within the CAPWAP
   header (see Section 4.1).  Immediately following the CAPWAP header,
   is the control header, which has the following format:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Message Type                            |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    Seq Num    |        Msg Element Length     |     Flags     |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                           Time Stamp                          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | Msg Element [0..N] ...
     +-+-+-+-+-+-+-+-+-+-+-+-+

4.3.1.1.  Message Type

   The Message Type field identifies the function of the CAPWAP control
   message.  The Message Type field is comprised of an IANA Enterprise
   Number and a an enterprise specific message type value field. number.  The first two byte contain
   three octets is the IANA Enterprise Number (for example, enterprise number in network byte order, with
   zero being used for CAPWAP generic message types and the IEEE 802.11
   IANA
   Enterprise assigned enterprise number 13277 being used for IEEE 802.11
   technology specific message types.  The last octet is 13277), and the second two bytes contain the
   Message Type value. enterprise
   specific message type number, which has a range from 0 to 255.  The
   message type field can be expressed as:

   Message Type = IANA Enterprise Number * 256 + Message Type Value enterprise specific message type number

   The valid values for base CAPWAP Message Types are given in the table
   below:

           CAPWAP Control Message           Message Type
                                              Value
           Discovery Request                    1
           Discovery Response                   2
           Join Request                         3
           Join Response                        4
           Configuration Status                 5
           Configuration Status Response        6
           Configuration Update Request         7
           Configuration Update Response        8
           WTP Event Request                    9
           WTP Event Response                  10
           Change State Event Request          11
           Change State Event Response         12
           Echo Request                        13
           Echo Response                       14
           Image Data Request                  15
           Image Data Response                 16
           Reset Request                       17
           Reset Response                      18
           Primary Discovery Request           19
           Primary Discovery Response          20
           Data Transfer Request               21
           Data Transfer Response              22
           Clear Config Indication Configuration Request         23
           Clear Configuration Response        24
           Mobile Config Configuration Request               24        25
           Mobile Config Configuration Response              25       26

4.3.1.2.  Sequence Number

   The Sequence Number Field is an identifier value to match request and
   response packet exchanges.  When a CAPWAP packet with a request
   message type is received, the value of the sequence number field is
   copied into the corresponding response packet.

   When a CAPWAP control message is sent, its internal sequence number
   counter is monotonically incremented, ensuring that no two requests
   pending have the same sequence number.  This field will wrap back to
   zero.

4.3.1.3.  Message Element Length

   The Length field indicates the number of bytes following the Sequence
   Num field.

4.3.1.4.  Flags

   The Flags field MUST be set to zero.

4.3.1.5.  Time Stamp

   The Timestamp contains the timestamp.  PRC-TODO: Details need to be
   added here, and I am waiting for info from Dave Perkins.

4.3.1.6.  Message Element[0..N]

   The message element(s) carry the information pertinent to each of the
   control message types.  Every control message in this specification
   specifies which message elements are permitted.

4.3.2.  Control Message Quality of Service

   It is recommended that CAPWAP control messages be sent by both the AC
   and the WTP with an appropriate Quality of Service precedence value,
   ensuring that congestion in the network minimizes occurrences of
   CAPWAP control channel disconnects.  Therefore, a Quality of Service
   enabled CAPWAP device should use the following values:

   802.1P:  The precedence value of 7 SHOULD be used.

   DSCP:  The DSCP tag value of 46 SHOULD be used.

4.4.  CAPWAP Protocol Message Elements

   This section defines the CAPWAP Protocol message elements which are
   included in CAPWAP protocol control messages.

   Message elements are used to carry information needed in control
   messages.  Every message element is identified by the Type field,
   whose numbering space is managed via IANA (see Section 14). defined below.  The total length of the
   message elements is indicated in the Message Element Length field.

   All of the message element definitions in this document use a diagram
   similar to the one below in order to depict its format.  Note that in
   order to simplify this specification, these diagrams do not include
   the header fields (Type and Length).  The header field values are
   defined in the Message element descriptions.

   Additional message elements may be defined in separate IETF
   documents.

   The format of a message element uses the TLV format shown here:

       0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |              Type                                             |             Length            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Length                      |  Value ...   |
     +-+-+-+-+-+-+-+-+
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

   Where Type (16 bit) identifies the character of the information
   carried in the Value field and Length (16 bits) indicates the number
   of bytes in the Value field.

4.4.1.  AC Descriptor  Type field values are allocated as
   follows:

              Usage                              Type Values

   CAPWAP Protocol Message Elements                1-1023
   IEEE 802.11 Message Elements                    1024-2047
   Reserved for Future Use                         2048 - 65024

   The AC payload message element is used by table below lists the CAPWAP protocol Message Elements and their
   Type values.

   CAPWAP Message Element                            Type Value

   AC to communicate it's
   current state.  The value contains the following fields.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 Descriptor                                         1
   AC IPv4 List                                          2
   AC IPv6 List                                          3
   AC Name                                               4
   AC Name with Index                                    5
   AC Timestamp                                          6
   Add MAC ACL Entry                                     7
   Add Mobile Station                                    8
   Add Static MAC ACL Entry                              9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Reserved    |                 Hardware  Version ...         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     HW Ver    |                 Software  Version ...         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     SW Ver    |            Stations           |     Limit     |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Limit     |          Active WTPs          |   Max WTPs    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Max WTPs    |    Security   |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1 for AC Descriptor

   Length:
   CAPWAP Timers                                        10
   Data Transfer Data                                   11
   Data Transfer Mode                                   12
   Decryption Error Report                              13
   Decryption Error Report Period                       14
   Delete MAC ACL Entry                                 15
   Delete Mobile Station                                16
   Delete Static MAC ACL Entry                          17
   Discovery Type                                       18

   Reserved:  MUST be set to zero

   Hardware Version:
   Duplicate IPv4 Address                               19
   Duplicate IPv6 Address                               20
   Idle Timeout                                         21
   Image Data                                           22
   Image Filename                                       23
   Initiate Download                                    24
   Location Data                                        25
   MTU Discovery Padding                                26
   Radio Administrative State                           27
   Result Code                                          28
   Session ID                                           29
   Statistics Timer                                     30
   Vendor Specific Payload                              31
   WTP Board Data                                       32
   WTP Descriptor                                       33
   WTP Fallback                                         34
   WTP Frame Tunnel Mode                                35
   WTP IPv4 IP Address                                  36
   WTP MAC Type                                         37
   WTP Manager Control IPv4 Address                     38
   WTP Manager Control IPv6 Address                     39
   WTP Name                                             40
   WTP Operational Statistics                           41
   WTP Radio Information                                42
   WTP Radio Statistics                                 43
   WTP Reboot Statistics                                44
   WTP Static IP Address Information                    45

4.4.1.  AC Descriptor

   The AC's hardware version number

   Software Version: AC payload message element is used by the AC to communicate it's
   current state.  The AC's Firmware version number value contains the following fields.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |            Stations           |             Limit             |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |          Active WTPs          |            Max WTPs           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    Security   |  R-MAC Field  |Wireless Field |   Reserved    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Vendor Identifier                       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |         Type=4                 |             Length           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          Value...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Vendor Identifier                       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |         Type=5                 |             Length           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          Value...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1 for AC Descriptor

   Length:  18

   Stations:  The number of mobile stations currently associated with
      the AC

   Limit:  The maximum number of stations supported by the AC

   Active WTPs:  The number of WTPs currently attached to the AC

   Max WTPs:  The maximum number of WTPs supported by the AC

   Security:  A 8 bit bit mask specifying the authentication credential
      type supported by the AC.  The following values are supported (see
      Section 2.4.4):

      1 - X.509 Certificate Based

      2 - Pre-Shared Secret

   R-MAC Field:  The AC supports the optional Radio MAC Address field in
      the CAPWAP transport Header (see Section 4.1).

   Wireless Field:  The AC supports the optional Wireless Specific
      Information field in the CAPWAP transport Header (see
      Section 4.1).

   Reserved:  MUST be set to zero

   Vendor Identifier:  A 32-bit value containing the IANA assigned "SMI
      Network Management Private Enterprise Codes"

   Type:  Vendor specific encoding of AC information.  The following
      values are supported.  The Hardware and Software Version values
      MUST be included.

      4 - Hardware Version:  The AC's hardware version number.

      5 - Software Version:  The AC's Firmware version number.

   Length:  Length of vendor specific encoding of AC information.

   Value:  Vendor specific encoding of AC information.

4.4.2.  AC IPv4 List

   The AC List message element is used to configure a WTP with the
   latest list of ACs in a cluster.

         0                   1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                       AC IP Address[]                         |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  2 for AC List

   Length:  4

      The AC IP Address: An array of 32-bit integers containing an AC's
      IPv4 Address.

4.4.3.  AC IPv6 List

   The AC List message element is used to configure a WTP with the
   latest list of ACs in a cluster.

         0                   1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                       AC IP Address[]                         |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                       AC IP Address[]                         |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                       AC IP Address[]                         |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                       AC IP Address[]                         |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  3 for AC IPV6 List

   Length:  16

      The AC IP Address: An array of 32-bit integers containing an AC's
      IPv6 Address.

4.4.4.  AC Name

   The AC name message element contains an ASCII representation of the
   AC's identity.  The value is a variable length byte string.  The
   string is NOT zero terminated.

      0
      0 1 2 3 4 5 6 7
     +-+-+-+-+-+-+-+-+
     | Name ...
     +-+-+-+-+-+-+-+-+

   Type:  4 for AC Name

   Length:  > 0

   Name:  A variable length ASCII string containing the AC's name

4.4.5.  AC Name with Index

   The AC Name with Index message element is sent by the AC to the WTP
   to configure preferred ACs.  The number of instances where this
   message element would be present is equal to the number of ACs
   configured on the WTP.

      0                   1
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Index     |   AC Name...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  5 for AC Name with Index

   Length:  > 2

   Index:  The index of the preferred server (e.g., 1=primary,
      2=secondary).

   AC Name:  A variable length ASCII string containing the AC's name.

4.4.6.  AC Timestamp

   The AC Timestamp message element is sent by the AC to synchronize the
   WTP's clock.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                           Timestamp                           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  6 for AC Timestamp

   Length:  4

   Timestamp:  The AC's current time, allowing all of the WTPs to be
      time synchronized in the format defined by Network Time Protocol
      (NTP) in RFC 1305 [10].

4.4.7.  Add MAC ACL Entry

   The Add MAC Access Control List (ACL) Entry message element is used
   by an AC to add a MAC ACL list entry on a WTP, ensuring that the WTP
   no longer provides any service to the MAC addresses provided in the
   message.  The MAC Addresses provided in this message element are not
   expected to be saved in non-volatile memory on the WTP.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | Num of Entries|                 MAC Address[]                 |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                 MAC Address[]                 |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  7 for Add MAC ACL Entry

   Length:  >= 7

   Num of Entries:  The number of MAC Addresses in the array.

   MAC Address:  An array of MAC Addresses to add to the ACL.

4.4.8.  Add Mobile Station

   The Add Mobile Station message element is used by the AC to inform a
   WTP that it should forward traffic for a particular mobile station.
   The Add Mobile Station message element will be accompanied by
   technology specific binding information element which may include
   security parameters.  Consequently, the security parameters must be
   applied by the WTP for the particular mobile.

   Once a mobile station's policy has been pushed to the WTP through
   this message element, an AC may change any policies by simply sending
   a modified Add Mobile Station message element.  When a WTP receives
   an Add Mobile Station message element for an existing mobile station,
   it must override any existing state it may have for the mobile
   station in question.  The latest Add Mobile Station message element
   data overrides any previously received messages.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    Radio ID   |                  MAC Address                  |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                  MAC Address                  |  VLAN Name...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  8 for Add Mobile

   Length:  >= 7
   Radio ID:  An 8-bit value representing the radio

   MAC Address:  The mobile station's MAC Address

   VLAN Name:  An optional variable string containing the VLAN Name on
      which the WTP is to locally bridge user data.  Note this field is
      only valid with WTPs configured in Local MAC mode.

4.4.9.  Add Static MAC ACL Entry

   The Add Static MAC ACL Entry message element is used by an AC to add
   a permanent ACL entry on a WTP, ensuring that the WTP no longer
   provides any service to the MAC addresses provided in the message.
   The MAC Addresses provided in this message element are expected to be
   saved in non-volative memory on the WTP.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | Num of Entries|                 MAC Address[]                 |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                 MAC Address[]                 |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  9 for Add Static MAC ACL Entry

   Length:  >= 7

   Num of Entries:  The number of MAC Addresses in the array.

   MAC Address:  An array of MAC Addresses to add to the permanent ACL.

4.4.10.  CAPWAP Timers

   The CAPWAP Timers message element is used by an AC to configure
   CAPWAP timers on a WTP.

      0                   1
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Discovery   | Echo Request  |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  10 for CAPWAP Timers
   Length:  2

   Discovery:  The number of seconds between CAPWAP Discovery packets,
      when the WTP is in the discovery mode.

   Echo Request:  The number of seconds between WTP Echo Request CAPWAP
      messages.

4.4.11.  Change State Event

   The Change State message element is used to communicate a change in
   the operational state of a radio.  The value contains two fields, as
   shown.

      0                   1                   2
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Radio ID    |     State     |     Cause     |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Type:  11 for Change State Event

   Length:  3

   Radio ID:  The Radio Identifier, typically refers to some interface
      index on the WTP.

   State:  An 8-bit boolean value representing the state of the radio.
      A value of one disables the radio, while a value of two enables
      it.

   Cause:  In the event of a radio being inoperable, the cause field
      would contain the reason the radio is out of service.  The
      following values are supported:

      0 - Normal

      1 - Radio Failure

      2 - Software Failure

4.4.12.  Data Transfer Data

   The Data Transfer Data message element is used by the WTP to provide
   information to the AC for debugging purposes.

      0                   1                   2
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Data Type   |  Data Length  |    Data ....
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  12  11 for Data Transfer Data

   Length:  >= 3

   Data Type:  An 8-bit value the type of information being sent.  The
      following values are supported:

      1 - WTP Crash Data

      2 - WTP Memory Dump

   Data Length:  Length of data field.

   Data:  Debug information.

4.4.13.

4.4.12.  Data Transfer Mode

   The Data Transfer Mode message element is used by the AC WTP to request indicate
   the type of data transfer information from it is sending to the WTP AC for
   debugging purposes.

      0
      0 1 2 3 4 5 6 7
     +-+-+-+-+-+-+-+-+
     |   Data  Type   |
     +-+-+-+-+-+-+-+-+
   Type:  13  12 for Data Transfer Mode

   Length:  1

   Data Type:  An 8-bit value the type of information being requested.
      The following values are supported:

      1 - WTP Crash Data

      2 - WTP Memory Dump

4.4.14.

4.4.13.  Decryption Error Report

   The Decryption Error Report message element value is used by the WTP
   to inform the AC of decryption errors that have occurred since the
   last report.  Note that this error reporting mechanism is not used if
   encryption and decryption services are provided via the AC.

      0                   1                   2
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Radio ID    |Num Of Entries |      Mobile MAC Address       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Mobile MAC Address[]                    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  14  13 for Decryption Error Report

   Length:  >= 8

   Radio ID:  The Radio Identifier, which typically refers to an
      interface index on the WTP

   Num Of Entries:  An 8-bit unsigned integer indicating the number of
      mobile MAC addresses.

   Mobile MAC Address:  An array of mobile station MAC addresses that
      have caused decryption errors.

4.4.15.

4.4.14.  Decryption Error Report Period

   The Decryption Error Report Period message element value is used by
   the AC to inform the WTP how frequently it should send decryption
   error report messages.

      0                   1                   2
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Radio ID    |        Report Interval        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  15  14 for Decryption Error Report Period

   Length:  3

   Radio ID:  The Radio Identifier, typically refers to some interface
      index on the WTP

   Report Interval:  A 16-bit unsigned integer indicating the time, in
      seconds

4.4.16.

4.4.15.  Delete MAC ACL Entry

   The Delete MAC ACL Entry message element is used by an AC to delete a
   MAC ACL entry on a WTP, ensuring that the WTP provides service to the
   MAC addresses provided in the message.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | Num of Entries|                 MAC Address[]                 |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                 MAC Address[]                 |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  16  15 for Delete MAC ACL Entry

   Length:  >= 7

   Num of Entries:  The number of MAC Addresses in the array.

   MAC Address:  An array of MAC Addresses to delete from the ACL.

4.4.17.

4.4.16.  Delete Mobile Station

   The Delete Mobile station message element is used by the AC to inform
   an WTP that it should no longer provide service to a particular
   mobile station.  The WTP must terminate service immediately upon
   receiving this message element.

   The transmission of a Delete Mobile Station message element could
   occur for various reasons, including for administrative reasons, as a
   result of the fact that the mobile has roamed to another WTP, etc.

   Once access has been terminated for a given station, any future
   packets received from the mobile station must result in a
   deauthenticate message, as specified in [6].

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    Radio ID   |                  MAC Address                  |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                  MAC Address                  |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  17  16 for Delete Mobile Station

   Length:  7

   Radio ID:  An 8-bit value representing the radio

   MAC Address:  The mobile station's MAC Address

4.4.18.

4.4.17.  Delete Static MAC ACL Entry

   The Delete Static MAC ACL Entry message element is used by an AC to
   delete a previously added static MAC ACL entry on a WTP, ensuring
   that the WTP provides service to the MAC addresses provided in the
   message.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | Num of Entries|                 MAC Address[]                 |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                 MAC Address[]                 |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  18  17 for Delete Static MAC ACL Entry

   Length:  >= 7

   Num of Entries:  The number of MAC Addresses in the array.

   MAC Address:  An array of MAC Addresses to delete from the static MAC
      ACL entry.

4.4.19.

4.4.18.  Discovery Type

   The Discovery Type message element is used to configure a by the WTP to operate
   in a specific mode. indicate how
   it has come to know about the existence of the AC, to which it is
   sending the Discovery Request message.

      0
      0 1 2 3 4 5 6 7
     +-+-+-+-+-+-+-+-+
     | Discovery Type|
     +-+-+-+-+-+-+-+-+

   Type:  19  18 for Discovery Type

   Length:  1

   Discovery Type:  An 8-bit value indicating how the WTP discovered the
      AC was discovered. .  The following values are supported:

      0 - Broadcast Unknown

      1 - Configured

4.4.20. Static Configuration

      2 - DHCP

      3 - DNS

      4 - AC Referral

4.4.19.  Duplicate IPv4 Address

   The Duplicate IPv4 Address message element is used by a WTP to inform
   an AC that it has detected another IP device using the same IP
   address it is currently using.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          IP Address                           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          MAC Address                          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |          MAC Address          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  20  19 for Duplicate IPv4 Address

   Length:  10
   IP Address:  The IP Address currently used by the WTP.

   MAC Address:  The MAC Address of the offending device.

4.4.21.

4.4.20.  Duplicate IPv6 Address

   The Duplicate IPv6 Address message element is used by a WTP to inform
   an AC that it has detected another host using the same IP address it
   is currently using.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          IP Address                           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          IP Address                           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          IP Address                           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          IP Address                           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          MAC Address                          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |          MAC Address          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  21  20 for Duplicate IPv6 Address

   Length:  22

   IP Address:  The IP Address currently used by the WTP.

   MAC Address:  The MAC Address of the offending device.

4.4.22.

4.4.21.  Idle Timeout

   The Idle Timeout message element is sent by the AC to the WTP to
   provide it with the idle timeout that it should enforce on its active
   mobile station entries.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                            Timeout                            |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Type:  22  20 for Idle Timeout

   Length:  4

   Timeout:  The current idle timeout to be enforced by the WTP.

4.4.23.

4.4.22.  Image Data

   The image data message element is present in the Image Data Request
   message sent by the AC and contains the following fields.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Opcode    |           Checksum            |  Image Data   |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          Image Data ...                       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  23  22 for Image Data

   Length:  >= 4 (allows 0 length element if last data unit is 1024
      bytes)

   Opcode:  An 8-bit value representing the transfer opcode.  The
      following values are supported:

      3 - Image data is included

      5 - An error occurred.  Transfer is aborted

   Checksum:  A 16-bit value containing a checksum of the image data
      that follows

   Image Data:  The Image Data field contains 1024 characters, unless
      the payload being sent is the last one (end of file).  If the last
      block was 1024 in length, an Image Data with a zero length payload
      is sent.

4.4.24.

4.4.23.  Image Filename

   The image filename message element is sent by the WTP to the AC and
   is used to initiate the firmware download process.  This message
   element contains the image filename, which the AC subsequently
   transfers to the WTP via the Image Data message element.  The value
   is a variable length byte string, which is NOT zero terminated.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                           Filename ...                        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  24  23 for Image Filename

   Length:  >= 1

   Filename:  A variable length string containing the filename to
      download.

4.4.25.

4.4.24.  Initiate Download

   The Initiate Download message element is used by the AC to inform the
   WTP that it should initiate a firmware upgrade.  This is performed by
   having the WTP initiate its own Image Data Request, with the Image
   Download message element.  This message element does not contain any
   data.

   Type:  25  24 for Initiate Download

   Length:  0

4.4.26.

4.4.25.  Location Data

   The Location Data message elementis a variable length byte string
   containing user defined location information (e.g.  "Next to
   Fridge").  This information is configurable by the network
   administrator, and allows for the WTP location to be determined
   through this field.  The string is not zero terminated.

      0
      0 1 2 3 4 5 6 7
     +-+-+-+-+-+-+-+-+-
     | Location ...
     +-+-+-+-+-+-+-+-+-

   Type:  26  25 for Location Data

   Length:  > 0

   Timeout:  A non-zero terminated string containing the WTP location.

4.4.27.

4.4.26.  MTU Discovery Padding

   The MTU Discovery Padding message element is used as padding to
   perform MTU discovery, and MUST contain octets of value 0xFF, of any
   length

    0
      0 1 2 3 4 5 6 7
     +-+-+-+-+-+-+-+-+
     |  Padding...
     +-+-+-+-+-+-+-+-

   Type:  27  26 for MTU Discovery Padding

   Length:  variable

   Timeout:  A variable length pad.

4.4.28.

4.4.27.  Radio Administrative State

   The radio administrative event state message element is used to communicate
   the state of a particular radio.  The value contains the following
   fields.

         0                   1                   2
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 6 7 8 9 0 1 2 3
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Radio ID    |  Admin State  |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+     Cause     |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  28  27 for Administrative State

   Length:  2

   Radio ID:  An 8-bit value representing the radio to configure.  The
      Radio ID field may also include the value of 0xff, which is used
      to identify the WTP itself.  Therefore, if an AC wishes to change
      the administrative state of a WTP, it would include 0xff in the
      Radio ID field.

   Admin State:  An 8-bit value representing the administrative state of
      the radio.  The following values are supported:

      1 - Enabled
      2 - Disabled

4.4.29.

   Cause:  In the event of a radio being inoperable, the cause field
      would contain the reason the radio is out of service.  The
      following values are supported:

      0 - Normal

      1 - Radio Failure

      2 - Software Failure

      3 - Radar Detection

4.4.28.  Result Code

   The Result Code message element value is a 32-bit integer value,
   indicating the result of the request operation corresponding to the
   sequence number in the message.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                         Result Code                           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  29  28 for Result Code

   Length:  4

   Result Code:  The following values are defined:

      0  Success

      1  Failure (AC List message element MUST be present)

      2  Success (NAT detected)

      3  Failure (unspecified)

      4  Failure (Join Failure, Resource Depletion)

      5  Failure (Join Failure, Unknown Source)

      6  Failure (Join Failure, Incorrect Data)
      7  Failure (Join Failure, Session ID already in use)

4.4.30.

4.4.29.  Session ID

   The session ID message element value contains a randomly generated
   unsigned 32-bit integer.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                   Session ID                                    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  30  29 for Session ID

   Length:  4

   Session ID:  A 32-bit random session identifier

4.4.31.

4.4.30.  Statistics Timer

   The statistics timer message element value is used by the AC to
   inform the WTP of the frequency which it expects to receive updated
   statistics.

      0                   1
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |        Statistics Timer       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  31  30 for Statistics Timer

   Length:  2

   Statistics Timer:  A 16-bit unsigned integer indicating the time, in
      seconds

4.4.32.

4.4.31.  Vendor Specific Payload

   The Vendor Specific Payload is used to communicate vendor specific
   information between the WTP and the AC.  The value contains the
   following format:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Vendor Identifier                       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |          Element ID           |   Value...    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  32  31 for Vendor Specific

   Length:  >= 7

   Vendor Identifier:  A 32-bit value containing the IANA assigned "SMI
      Network Management Private Enterprise Codes" [19]

   Element ID:  A 16-bit Element Identifier which is managed by the
      vendor.

   Value:  The value associated with the vendor specific element.

4.4.33.

4.4.32.  WTP Board Data

   The WTP Board Data message element is sent by the WTP to the AC and
   contains information about the hardware present.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Vendor Identifier                       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |         Type=0                 |             Length           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          Value...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |         Type=1                 |             Length           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          Value...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |  Optional additional vendor specific WTP board data TLVs

   Type:  33  32 for WTP Board Data

   Length:  >=14
   Vendor Identifier:  A 32-bit value containing the IANA assigned "SMI
      Network Management Private Enterprise Codes"

   Type:  The following values are supported:

      0 - WTP Model Number:  The WTP Model Number MUST be included in
         the WTP Board Data message element.

      1 - WTP Serial Number:  The WTP Serial Number MUST be included in
         the WTP Board Data message element.

      2 - Board ID:  A hardware identifier, which MAY be included in the
         WTP Board Data mesage element.

      3 - Board Revision  A revision number of the board, which MAY be
         included in the WTP Board Data message element.

4.4.34.

4.4.33.  WTP Descriptor

   The WTP descriptor message element is used by a WTP to communicate
   it's current hardware/firmware configuration.  The value contains the
   following fields.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Max Radios  | Radios in use |    Encryption Capabilities    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Vendor Identifier                       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |         Type=0                 |             Length           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          Value...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Vendor Identifier                       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |         Type=1                 |             Length           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          Value...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Vendor Identifier                       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |         Type=0                 |             Length           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          Value...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Type:  34  33 for WTP Descriptor

   Length:  >= 31

   Max Radios:  An 8-bit value representing the number of radios (where
      each radio is identified via the RID field) supported by the WTP

   Radios in use:  An 8-bit value representing the number of radios
      present in the WTP

   Encryption Capabilities:  This 16-bit field is used by the WTP to
      communicate it's capabilities to the AC.  Since most WTP's support
      link layer encryption, the AC may make use of these services.
      There are binding dependent encryption capabilities.  A WTP that
      does not have any encryption capabilities would set this field to
      zero (0).  Refer to the specific binding for further specification
      of the Encryption Capabilities field.

   Vendor Identifier:  A 32-bit value containing the IANA assigned "SMI
      Network Management Private Enterprise Codes"

   Type:  The following values are supported.  The Hardware Version,
      Software Version, and Boot Version values MUST be included.

      0 - WTP Model Number:  The WTP Model Number MUST be included in
         the WTP Board Data message element.

      1 - WTP Serial Number:  The WTP Serial Number MUST be included in
         the WTP Board Data message element.

      2 - Board ID:  A hardware identifier, which MAY be included in the
         WTP Board Data mesage element.

      3 - Board Revision  A revision number of the board, which MAY be
         included in the WTP Board Data message element.

      4 - Hardware Version:  A 32-bit integer representing the  The WTP's hardware version number number.

      5 - Software Version:  A 32-bit integer representing the  The WTP's Firmware version number number.

      6 - Boot Version:  A 32-bit integer representing the  The WTP's boot loader's version number

4.4.35. number.

   Length:  Length of vendor specific encoding of WTP information.

   Value:  Vendor specific encoding of WTP information.

4.4.34.  WTP Fallback

   The WTP Fallback message element is sent by the AC to the WTP to
   enable or disable automatic CAPWAP fallback in the event that a WTP
   detects its preferred AC, and is not currently connected to it.

      0
      0 1 2 3 4 5 6 7
     +-+-+-+-+-+-+-+-+
     |     Mode      |
     +-+-+-+-+-+-+-+-+

   Type:  35  34 for WTP Fallback

   Length:  1

   Mode:  The 8-bit value indicates the status of automatic CAPWAP
      fallback on the WTP.  A value of zero disables fallback, while a
      value of one enables it.  When enabled, if the WTP detects that
      its primary AC is available, and it is not connected to it, it
      SHOULD automatically disconnect from its current AC and reconnect
      to its primary.  If disabled, the WTP will only reconnect to its
      primary through manual intervention (e.g., through the Reset
      Request command).

4.4.36.

4.4.35.  WTP Frame Encapsulation Type Tunnel Mode

   The WTP Frame EncapsultationType Tunnel Mode message element allows the WTP to
   communicate the encapsulation type, or tunneling modes of operation which it supports to the
   AC.  A WTP that advertises support for all types allows the AC to
   select which type will be used, based on its local policy.

      0
      0 1 2 3 4 5 6 7
     +-+-+-+-+-+-+-+-+
     |Frame Enc Type
     | Tunnel Mode   |
     +-+-+-+-+-+-+-+-+

   Type:  36  35 for WTP Frame Encapsulation Type Tunnel Mode

   Length:  1

   Frame Encapsulation Type: Tunnel Mode:  The Frame type Tunnel mode specifies the encapsulation tunneling
      modes for mobile station data which are supported by the WTP.  The
      following values are supported:

      1 - Local Bridging:  When Local Bridging allows is used, the WTP does not
         tunnel user traffic to perform the
         bridging function. AC; all user traffic is locally
         bridged.  This value MUST NOT be used when the WTP MAC Type is
         set to Split-MAC.

      2 - 802.3 Bridging: Frame Tunnel Mode:  The 802.3 Bridging Frame Tunnel Mode requires
         the WTP and AC to encapsulate all user payload as native IEEE
         802.3 frames (see Section 4.2).  All user traffic is tunneled
         to the AC.  This value MUST NOT be used when the WTP MAC Type
         is set to Split-MAC.

      4 - Native Bridging: Frame Tunnel Mode:  Native Bridging Frame Tunnel mode requires
         the WTP and AC to encapsulate all user payloads as native
         wireless frames, as defined by the wireless binding (see for
         example Section 4.2).

      7 - All:  The WTP is capable of supporting all frame encapsulation
         types.

4.4.37. tunnel modes.

4.4.36.  WTP IPv4 IP Address

   The WTP IPv4 address is used to perform NAT detection.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                      WTP IPv4 IP Address                      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  37  36 for WTP IPv4 IP Address

   Length:  4

   WTP IPv4 IP Address:  The IPv4 address from which the WTP is sending
      packets.  This field is used for NAT detection.

4.4.38.

4.4.37.  WTP MAC Type

   The WTP MAC-Type message element allows the WTP to communicate its
   mode of operation to the AC.  A WTP that advertises support for both
   modes allows the AC to select the mode to use, based on local policy.

      0
      0 1 2 3 4 5 6 7
     +-+-+-+-+-+-+-+-+
     |   MAC Type    |
     +-+-+-+-+-+-+-+-+
   Type:  38  37 for WTP MAC Type

   Length:  1

   MAC Type:  The MAC mode of operation supported by the WTP.  The
      following values are supported

      0 - Local-MAC:  Local-MAC is the default mode that MUST be
         supported by all WTPs.

      1 - Split-MAC:  Split-MAC support is optional, and allows the AC
         to receive and process native wireless frames.

      2 - Both:  WTP is capable of supporting both Local-MAC and Split-
         MAC.

4.4.39.

4.4.38.  WTP Radio Information

   The WTP radios information message element is used to communicate the
   radio information in a specific slot.  The Discovery Request MUST
   include one such message element per radio in the WTP.  The Radio-
   Type field is used by the AC in order to determine which technology
   specific binding is to be used with the WTP.

   The value contains two fields, as shown.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Radio ID    |           Radio Type                          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | Radio Type    |
     +-+-+-+-+-+-+-+-+

   Type:  39  38 for WTP Radio Information

   Length:  5

   Radio ID:  The Radio Identifier, which typically refers to an
      interface index on the WTP

   Radio Type:  The type of radio present.  Note this bitfield can be
      used to specify support for more than a single type of PHY/MAC.
      The following values are supported:

      1 - 802.11b:  An IEEE 802.11b radio.

      2 - 802.11a:  An IEEE 802.11a radio.

      4 - 802.11g:  An IEEE 802.11g radio.

      8 - 802.11n:  An IEEE 802.11n radio.

      0xOF - 802.11b, 802.11a, 802.11g and 802.11n:  The 4 radio types
         indicated are supported in the WTP.

4.4.40.

4.4.39.  WTP Manager Control IPv4 Address

   The WTP Manager Control IPv4 Address message element is sent by the
   AC to the WTP during the discovery process and is used by the AC to
   provide the interfaces available on the AC, and the current number of
   WTPs connected.  In the event that multiple WTP Manager Control IPV4
   Address message elements are returned, the WTP is expected to perform
   load balancing across the multiple interfaces.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                           IP Address                          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           WTP Count           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  40  39 for WTP Manager Control IPv4 Address

   Length:  6

   IP Address:  The IP Address of an interface.

   WTP Count:  The number of WTPs currently connected to the interface.

4.4.41.

4.4.40.  WTP Manager Control IPv6 Address

   The WTP Manager Control IPv6 Address message element is sent by the
   AC to the WTP during the discovery process and is used by the AC to
   provide the interfaces available on the AC, and the current number of
   WTPs connected.  This message element is useful for the WTP to
   perform load balancing across multiple interfaces.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                           IP Address                          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                           IP Address                          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                           IP Address                          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                           IP Address                          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           WTP Count           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  41  40 for WTP Manager Control IPv6 Address

   Length:  18

   IP Address:  The IP Address of an interface.

   WTP Count:  The number of WTPs currently connected to the interface.

4.4.42.

4.4.41.  WTP Name

   The WTP Name message element is a variable length bye string.  The
   string is not zero terminated.

      0
      0 1 2 3 4 5 6 7
     +-+-+-+-+-+-+-+-+-
     | WTP Name ...
     +-+-+-+-+-+-+-+-+-

   Type:  42  41 for WTP Name

   Length:  variable

   WTP Name:  A non-zero terminated string containing the WTP name.

4.4.43.

4.4.42.  WTP Reboot Operational Statistics

   The WTP Reboot Operational Statistics message element is sent by the WTP to
   the AC to communicate reasons why reboots have occurred. provide statistics related to the operation of the WTP.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |          Crash Count          |    CAPWAP Initiated Count   Radio ID   |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Tx Queue Level | Wireless Link Failure Count       | Failure Type Frames per Sec  |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  43  42 for WTP Reboot Operational Statistics

   Length:  7

   Crash Count:  4

   Radio ID:  The number radio ID of reboots that have occurred due the radio to a WTP
      crash.  A value of 65535 implies that this information is not
      available on which the WTP.

   CAPWAP Initiated Count: statistics apply.

   Wireless Transmit Queue Level:  The number percentage of reboots that have occurred at Wireless Transmit
      queue utilization, calaculated as the request sum of a CAPWAP protocol message, such as a change in
      configuration that required a reboot or an explicit CAPWAP reset
      request.  A value utilized transmit
      queue lengths divided by the sum of 65535 implies that this information maximum transmit queue
      lengths, multiplied by 100.  The Wireless Transmit Queue Level is not
      available on
      representative of congestion conditions over wireless interfaces
      between the WTP. WTP and wireless terminals.

   Wireless Link Failure Count: Frames per Sec:  The number of times that a CAPWAP protocol
      connection with an AC has failed.

   Failure Type:  The last WTP failure.  The following values are
      supported:

      0 - Link Failure

      1 - CAPWAP Initiated (see Section 9.3)

      2 - WTP Crash

      255 - Unknown (e.g., frames transmitted or
      received per second by the WTP doesn't keep track of info)

4.4.44. over the sir interface.

4.4.43.  WTP Static IP Address Information Radio Statistics

   The WTP Static IP Address Information Radio Statistics message element is used sent by an the WTP to the AC
   to configure or clear a previously configured static IP address communicate statistics on
   a WTP. radio behavior and reasons why the WTP
   radio has been reset.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          IP Address   Radio ID    | Last Fail Type|       Reset Count             |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                            Netmask     SW Failure Count          |        HW Failure Count       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                            Gateway    Other  Failure Count       |   Unknown Failure Count       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    Static   Config Update Count         |
     +-+-+-+-+-+-+-+-+    Channel Change Count       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Band Change Count           |    Current Noise Floor        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  44  43 for WTP Static IP Address Information Radio Statistics

   Length:  13

   IP Address:  20

   Radio ID:  The IP Address to assign radio ID of the radio to which the WTP.  This field is only
      valid if statistics apply.

   Last Failure Type:  The last WTP failure.  The following values are
      supported:

      0 - Statistic Not Supported

      1 - Software Failure

      2 - Hardware Failure

      3 - Other Failure

      255 - Unknown (e.g., WTP doesn't keep track of info)

   Reset Count:  The number of times that that the static field is set to one.

   Netmask: radio has been reset.

   SW Failure Count:  The IP Netmask.  This field is only valid if number of times that the static
      field is set radio has failed due
      to one.

   Gateway: software related reasons.

   HW Failure Count:  The IP address number of times that the gateway.  This field is only valid if
      the static field is set radio has failed due
      to one.

   Netmask: hardware related reasons.

   Other Failure Count:  The IP Netmask.  This field is only valid if number of times that the static
      field is set radio has failed
      due to one.

   Static:  An 8-bit boolean stating whether the WTP should use a static
      IP address known reasons, other than software or not.  A value hardware failure.

   Unknown Failure Count:  The number of zero disables times that the static IP
      address, while a value radio has failed
      for unknown reasons.

   Config Update Count:  The number of one enables it.

4.5.  CAPWAP Protocol Timers

   A WTP or AC times that implements CAPWAP discovery MUST implement the
   following timers.

4.5.1.  DiscoveryInterval radio
      configuration has been updated.

   Channel Change Count:  The minimum time, in seconds, number of times that a WTP MUST wait after receiving a
   Discovery Response, before initiating a DTLS handshake.

   Default: 5

4.5.2.  DTLSRehandshake the radio channel has
      been changed.

   Band Change Count:  The minimum time, number of times that the radio has changed
      frequency bands.

   Current Noise Floor:  A signed integer which indicates the noise
      floor of the radio receiver in seconds, a units of dBm.

4.4.44.  WTP MUST wait for DTLS rehandshake to
   complete.

   Default: 10

4.5.3.  DTLSSessionDelete Reboot Statistics

   The minimum time, in seconds, a WTP MUST wait for DTLS session
   deletion.

   Default: 5

4.5.4.  EchoInterval

   The minimum time, in seconds, between sending echo requests Reboot Statistics message element is sent by the WTP to the
   AC
   with which the to communicate reasons why WTP has joined.

   Default: 30

4.5.5.  KeyLifetime

   The maximum time, in seconds, which a CAPWAP DTLS session key is
   valid.

   Default: 28800

4.5.6.  MaxDiscoveryInterval

   The maximum time allowed between sending discovery requests from the
   interface, in seconds.  Must be no less than reboots have occurred.

      0                   1                   2 seconds and no greater
   than 180 seconds.

   Default: 20 seconds.

4.5.7.  NeighborDeadInterval                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |         Reboot Count          |    AC Initiated Count         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      Link Failure Count       |    SW Failure Count           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      HW Failure Count         |    Other Failure Count        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      Unknown Failure Count    |Last Failure Type|
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  44 for WTP Reboot Statistics

   Length:  15

   Reboot Count:  The minimum time, in seconds, number of reboots that have occurred due to a WTP MUST wait without having received
   Echo Responses to its Echo Requests, before the destination for the
   Echo Request may be considered dead.  Must be no less than
   2*EchoInterval seconds and no greater than 240 seconds.

   Default: 60

4.5.8.  ResponseTimeout

   The minimum time, in seconds, which
      crash.  A value of 65535 implies that this information is not
      available on the WTP or WTP.

   AC must respond to a
   CAPWAP Request message.

   Default: 1

4.5.9.  RetransmitInterval Initiated Count:  The minimum time, in seconds, which number of reboots that have occurred at the
      request of a non-acknowledged CAPWAP packet
   will be retransmitted.

   Default: 3

4.5.10.  SilentInterval

   The minimum time, in seconds, protocol message, such as a WTP MUST wait after failing to
   receive any responses to its discovery requests, before it MAY again
   send discovery requests.

   Default: 30

4.5.11.  WaitJoin

   The maximum time, change in seconds, a WTP MUST wait without having received
      configuration that required a DTLS Handshake message from reboot or an AC.  This timer must be greater than
   30 seconds.

   Default: 60

4.6. explicit CAPWAP Protocol Variables
      protocol reset request.  A WTP or AC value of 65535 implies that implements CAPWAP discovery MUST allow for this
      information is not available on the
   following variables to be configured by system management; default
   values are specified so as to make it unnecessary to configure any of
   these variables in many cases.

4.6.1.  DiscoveryCount WTP.

   Link Failure Count:  The number of discoveries transmitted by times that a WTP CAPWAP protocol
      connection with an AC has failed due to a single AC.  This
   is a monotonically increasing counter.

4.6.2.  MaxDiscoveries link failure.

   SW Failure Count:  The maximum number of discovery requests times that will be sent after a
   WTP boots.

   Default: 10

4.6.3.  MaxRetransmit CAPWAP protocol
      connection with an AC has failed due to software related reasons.

   HW Failure Count:  The maximum number of retransmissions for times that a given CAPWAP packet
   before the link layer considers the peer dead.

   Default: 5

4.6.4.  RetransmitCount protocol
      connection with an AC has failed due to hardware related reasons.

   Other Failure Count:  The number of retransmissions for times that a given CAPWAP packet.  This is protocol
      connection with an AC has failed due to known reasons, other than
      AC initiated, link, SW or HW failure.

   Unknown Failure Count:  The number of times that a
   monotonically increasing counter.

5. CAPWAP Discovery Operations protocol
      connection with an AC has failed for unknown reasons.

   Last Failure Type:  The Discovery messages are used by a WTP to determine which ACs are
   available to provide service, and the capabilities and load failure type of the
   ACs.

5.1.  Discovery Request Message

   The Discovery Request most recent WTP failure.
      The following values are supported:

      0 - Not Supported

      1 - AC Initiated (see Section 9.3)

      2 - Link Failure

      3 - Software Failure

      4 - Hardware Failure

      5 - Other Failure

      255 - Unknown (e.g., WTP doesn't keep track of info)

4.4.45.  WTP Static IP Address Information

   The WTP Static IP Address Information message element is used by the an
   AC to configure or clear a previously configured static IP address on
   a WTP.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          IP Address                           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                            Netmask                            |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                            Gateway                            |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    Static     |
     +-+-+-+-+-+-+-+-+

   Type:  45 for WTP Static IP Address Information

   Length:  13

   IP Address:  The IP Address to assign to automatically
   discover potential ACs available in the network. WTP.  This field is only
      valid if the static field is set to one.

   Netmask:  The Discovery
   Request message provides ACs with IP Netmask.  This field is only valid if the primary capabilities static
      field is set to one.

   Gateway:  The IP address of the
   WTP.  A WTP must exchange this information gateway.  This field is only valid if
      the static field is set to ensure subsequent
   exchanges with one.

   Netmask:  The IP Netmask.  This field is only valid if the ACs are consistent with static
      field is set to one.

   Static:  An 8-bit boolean stating whether the WTP's functional
   characteristics.  A WTP must transmit this command even if it has a
   statically configured AC.

   Discovery Request messages MUST be sent by a WTP in the Discover
   state after waiting for a random delay less than
   MaxDiscoveryInterval, after should use a WTP first comes up static
      IP address or is
   (re)initialized. not.  A WTP MUST send no more than the maximum value of
   MaxDiscoveries Discovery Request messages, waiting for zero disables the static IP
      address, while a random delay
   less than MaxDiscoveryInterval between each successive message.

   This is to prevent an explosion value of one enables it.

4.5.  CAPWAP Protocol Timers

   A WTP Discovery Request messages.
   An example of this occurring is when many WTPs are powered on at the
   same time.

   Discovery Request messages or AC that implements CAPWAP discovery MUST be sent by a WTP when no Echo
   Response messages are received for NeighborDeadInterval and implement the
   following timers.

4.5.1.  DiscoveryInterval

   The minimum time, in seconds, that a WTP
   returns to the Idle state.  Discovery Request messages are sent after
   NeighborDeadInterval.  They MUST be sent wait after waiting for a random
   delay less than MaxDiscoveryInterval.  A WTP MAY send up to receiving a maximum
   of MaxDiscoveries
   Discovery Request messages, waiting for Response, before initiating a random
   delay less than MaxDiscoveryInterval between each successive message.

   If DTLS handshake.

   Default: 5

4.5.2.  DTLSRehandshake

   The minimum time, in seconds, a Discovery Response message is not received after sending the
   maximum number of Discovery Request messages, the WTP enters the
   Sulking state and MUST wait for an interval equal DTLS rehandshake to SilentInterval
   before sending further Discovery Request messages.
   complete.

   Default: 10

4.5.3.  DTLSSessionDelete

   The Discovery Request message may be sent as minimum time, in seconds, a unicast, broadcast or
   multicast message.

   Upon receiving a Discovery Request message, WTP MUST wait for DTLS session
   deletion.

   Default: 5

4.5.4.  EchoInterval

   The minimum time, in seconds, between sending echo requests to the AC will respond
   with
   a Discovery Response message sent to which the address WTP has joined.

   Default: 30

4.5.5.  KeyLifetime

   The maximum time, in the source
   address of the received seconds, which a CAPWAP DTLS session key is
   valid.

   Default: 28800

4.5.6.  MaxDiscoveryInterval

   The maximum time allowed between sending discovery request message. requests from the
   interface, in seconds.  Must be no less than 2 seconds and no greater
   than 180 seconds.

   Default: 20 seconds.

4.5.7.  NeighborDeadInterval

   The following message elements minimum time, in seconds, a WTP MUST wait without having received
   Echo Responses to its Echo Requests, before the destination for the
   Echo Request may be included considered dead.  Must be no less than
   2*EchoInterval seconds and no greater than 240 seconds.

   Default: 60

4.5.8.  ResponseTimeout

   The minimum time, in seconds, which the Discovery
   Request message:

   o  Discovery Type, see Section 4.4.19

   o  WTP Descriptor, see Section 4.4.34

   o  WTP Frame Type, see Section 4.4.36

   o  WTP MAC Type, see Section 4.4.38

   o WTP Radio Information, see Section 4.4.39

5.2.  Discovery Response Message

   The Discovery Response message provides a mechanism for an or AC must respond to
   advertise its services to requesting WTPs.

   The Discovery Response message is sent by an AC after receiving a
   Discovery
   CAPWAP Request message from message.

   Default: 1

4.5.9.  RetransmitInterval

   The minimum time, in seconds, which a WTP.

   When non-acknowledged CAPWAP packet
   will be retransmitted.

   Default: 3

4.5.10.  SilentInterval

   The minimum time, in seconds, a WTP receives a Discovery Response message, it MUST wait for an
   interval not less than DiscoveryInterval for receipt of additional
   Discovery Response messages.  After the DiscoveryInterval elapses,
   the WTP enters the DTLS-Init state and selects one of the ACs that
   sent a Discovery Response message and after failing to
   receive any responses to its discovery requests, before it MAY again
   send discovery requests.

   Default: 30

4.5.11.  WaitJoin

   The maximum time, in seconds, a WTP MUST wait without having received
   a DTLS Handshake to that
   AC.

   The following message elements MUST from an AC.  This timer must be included in the Discovery
   Response Message:

   o  AC Descriptor, see Section 4.4.1

   o  AC Name, see Section 4.4.4

   o  WTP Manager Control IPv4 Address, see Section 4.4.40

   o greater than
   30 seconds.

   Default: 60

4.6.  CAPWAP Protocol Variables

   A WTP Manager Control IPv6 Address, see Section 4.4.41

5.3.  Primary Discovery Request Message

   The Primary Discovery Request message is sent by or AC that implements CAPWAP discovery MUST allow for the WTP
   following variables to determine
   whether its preferred (or primary) AC is available.

   A Primary Discovery Request message is sent be configured by a WTP when system management; default
   values are specified so as to make it has a
   primary AC configured, and is connected unnecessary to another AC.  This
   generally occurs as a result configure any of a failover, and is used
   these variables in many cases.

4.6.1.  DiscoveryCount

   The number of discoveries transmitted by the WTP as a means WTP to discover when its primary AC becomes available.  As a
   consequence, this message single AC.  This
   is only sent by a WTP when it is in the Run
   state. monotonically increasing counter.

4.6.2.  MaxDiscoveries

   The frequency maximum number of discovery requests that will be sent after a
   WTP boots.

   Default: 10

4.6.3.  MaxRetransmit

   The maximum number of retransmissions for a given CAPWAP packet
   before the Primary link layer considers the peer dead.

   Default: 5

4.6.4.  RetransmitCount

   The number of retransmissions for a given CAPWAP packet.  This is a
   monotonically increasing counter.

5.  CAPWAP Discovery Operations

   The Discovery messages are used by a WTP to determine which ACs are
   available to provide service, and the capabilities and load of the
   ACs.

5.1.  Discovery Request Message

   The Discovery Request message is used by the WTP to automatically
   discover potential ACs available in the network.  The Discovery
   Request message provides ACs with the primary capabilities of the
   WTP.  A WTP must exchange this information to ensure subsequent
   exchanges with the ACs are consistent with the WTP's functional
   characteristics.  A WTP must transmit this command even if it has a
   statically configured AC.

   Discovery Request messages should MUST be sent by a WTP in the Discover
   state after waiting for a random delay less than
   MaxDiscoveryInterval, after a WTP first comes up or is
   (re)initialized.  A WTP MUST send no more often than the sending maximum of
   MaxDiscoveries Discovery Request messages, waiting for a random delay
   less than MaxDiscoveryInterval between each successive message.

   This is to prevent an explosion of WTP Discovery Request messages.
   An example of this occurring is when many WTPs are powered on at the
   same time.

   Discovery Request messages MUST be sent by a WTP when no Echo
   Response messages are received for NeighborDeadInterval and the WTP
   returns to the Idle state.  Discovery Request messages are sent after
   NeighborDeadInterval.  They MUST be sent after waiting for a random
   delay less than MaxDiscoveryInterval.  A WTP MAY send up to a maximum
   of MaxDiscoveries Discovery Request messages, waiting for a random
   delay less than MaxDiscoveryInterval between each successive message.

   Upon receipt

   If a Discovery Response message is not received after sending the
   maximum number of Discovery Request messages, the WTP enters the
   Sulking state and MUST wait for an interval equal to SilentInterval
   before sending further Discovery Request messages.

   The Discovery Request message may be sent as a unicast, broadcast or
   multicast message.

   Upon receiving a Discovery Request message, the AC responds will respond with
   a
   Primary Discovery Response message sent to the address in the source
   address of the received Primary Discovery Request discovery request message.

   The following message elements MUST be included in the Primary Discovery
   Request message. message:

   o  Discovery Type, see Section 4.4.19 4.4.18

   o  WTP Descriptor, see Section 4.4.34 4.4.33

   o  WTP Frame Type, Tunnel Mode, see Section 4.4.36 4.4.35

   o  WTP MAC Type, see Section 4.4.38 4.4.37

   o  WTP Radio Information, see Section 4.4.39 A WTP Radio Information
      message element MUST be present for every radio in the WTP.

5.4.  Primary 4.4.38

5.2.  Discovery Response Message

   The Primary Discovery Response message enables provides a mechanism for an AC to
   advertise its
   availability and services to requesting WTPs that are configured to
   have the AC as its primary AC. WTPs.

   The Primary Discovery Response message is sent by an AC after receiving a Primary
   Discovery Request message. message from a WTP.

   When a WTP receives a Primary Discovery Response message, it may
   establish a CAPWAP protocol connection to its primary AC, based on
   the configuration MUST wait for an
   interval not less than DiscoveryInterval for receipt of additional
   Discovery Response messages.  After the DiscoveryInterval elapses,
   the WTP Fallback Status message element on enters the
   WTP. DTLS-Init state and selects one of the ACs that
   sent a Discovery Response message and send a DTLS Handshake to that
   AC.

   The following message elements MUST be included in the Primary Discovery
   Response message. Message:

   o  AC Descriptor, see Section 4.4.1

   o  AC Name, see Section 4.4.4

   o  WTP Manager Control IPv4 Address, see Section 4.4.40 4.4.39

   o  WTP Manager Control IPv6 Address, see Section 4.4.41

6.  CAPWAP Join Operations 4.4.40

5.3.  Primary Discovery Request Message

   The Join Primary Discovery Request message is used sent by a the WTP to request service from an
   AC determine
   whether its preferred (or primary) AC is available.

   A Primary Discovery Request message is sent by a WTP when it has a
   primary AC configured, and is connected to another AC.  This
   generally occurs as a result of a failover, and is used by the WTP as
   a means to discover when its primary AC becomes available.  As a
   consequence, this message is only sent by a WTP when it is in the Run
   state.

   The frequency of the Primary Discovery Request messages should be no
   more often than the sending of the Echo Request message.

   Upon receipt of a Discovery Request message, the AC responds with a
   Primary Discovery Response message sent to the address in the source
   address of the received Primary Discovery Request message.

   The following message elements MUST be included in the Primary
   Discovery Request message.

   o  Discovery Type, see Section 4.4.18

   o  WTP Descriptor, see Section 4.4.33

   o  WTP Frame Tunnel Mode, see Section 4.4.35

   o  WTP MAC Type, see Section 4.4.37

   o  WTP Radio Information, see Section 4.4.38 A WTP Radio Information
      message element MUST be present for every radio in the WTP.

5.4.  Primary Discovery Response

   The Primary Discovery Response message enables an AC to advertise its
   availability and services to requesting WTPs that are configured to
   have the AC as its primary AC.

   The Primary Discovery Response message is sent by an AC after
   receiving a Primary Discovery Request message.

   When a WTP receives a Primary Discovery Response message, it may
   establish a CAPWAP protocol connection to its primary AC, based on
   the configuration of the WTP Fallback Status message element on the
   WTP.

   The following message elements MUST be included in the Primary
   Discovery Response message.

   o  AC Descriptor, see Section 4.4.1

   o  AC Name, see Section 4.4.4

   o  WTP Manager Control IPv4 Address, see Section 4.4.39

   o  WTP Manager Control IPv6 Address, see Section 4.4.40

6.  CAPWAP Join Operations

   The Join Request message is used by a WTP to request service from an
   AC after a DTLS connection is established to that AC.  The Join
   Response message is used by the the AC to indicate that it will or
   will not provide service.

6.1.  Join Request

   The Join Request message is used by a WTP to inform an AC that it
   wishes to provide services through the AC.  A Join Request message is
   sent by a WTP after receiving one or more Discovery Responses, and
   completion of DTLS session establishment.  When an AC receives a Join
   Request message it responds with a Join Response message.

   Upon completion of the DTLS handshake (synonymous with DTLS "session
   establishment"), the WTP sends the Join Request message to the AC.
   Upon receipt of the Join Request Message, the AC generates a Join
   Response message and sends it to the WTP, indicating success or
   failure.

   Upon transmission of the Join Request message, the WTP sets the
   WaitJoin timer.  If the Join Response message has not been received
   prior to expiration, the WTP aborts the Join process and transitions
   back to the Discovery state, see Section 2.3.1).  Upon receipt of the
   Join Response message, the WaitJoin timer is deactivated.

   If the AC rejects the Join Request, it sends a Join Response with a
   failure indication then enters the CAPWAP reset state, resulting in
   shutdown of the DTLS session.

   Upon determining which AC to join, the WTP creates session state
   containing the AC address and session ID, creates the Join Request
   message, sets the WaitJoin timer for the session and sends the Join
   Request message to the AC.

   If an invalid (i.e. malformed) Join Request message is received, the
   message MUST be silently discarded by the AC.  No response is sent to
   the WTP.  The AC SHOULD log this event.

   The following message elements MUST be included in the Join Request
   message.

   o  Location Data, see Section 4.4.26 4.4.25

   o  Session ID, see Section 4.4.30 4.4.29
   o  WTP Descriptor, see Section 4.4.34 4.4.33

   o  WTP IPv4 IP Address, see Section 4.4.37 4.4.36

   o  WTP Name, see Section 4.4.42 4.4.41

   o  WTP Radio Information, see Section 4.4.39 4.4.38 A WTP Radio Information
      message element MUST be present for every radio in the WTP.

6.2.  Join Response

   The Join Response message is sent by the AC to indicate to a WTP that
   it is capable and willing to provide service to it.

   After determining that a WTP should join the AC, the AC creates
   session state containing the WTP address, port and session ID, sets
   the WaitJoin timer for the session, sends the Join Response message
   to the WTP.

   The WTP, receiving a Join Response message checks for success or
   failure.  If the message indicates success, the WTP clears the
   WaitJoin timer for the session and proceeds to the Configure or Image
   Data state.  Otherwise, the WTP enters the CAPWAP reset state,
   resulting in shutdown of the DTLS session.

   If the WaitJoin Timer expires prior to reception of the Join Response
   message, the WTP MUST terminate the handshake, deallocate associated
   session state and transition to the Discover state.

   If an invalid (malformed) Join Response message is received, the WTP
   SHOULD log an informative message detailing the error.  This error
   MUST be treated in the same manner as AC non-responsiveness.  In this
   way, the WaitJoin timer will eventually expire, in which case the WTP
   may (if it is so configured) attempt to join with an alternative AC.

   The following message elements MAY be included in the Join Response
   message.

   o  Result Code, see Section 4.4.29

   o  AC IPv4 List, see Section 4.4.2

   o  AC IPv6 List, see Section 4.4.3

   o  Result Code, see Section 4.4.28

   o  Session ID, see Section 4.4.30 4.4.29

7.  Control Channel Management

   The Control Channel Management messages are used by the WTP and AC to
   maintain a control communication channel.  CAPWAP control messages,
   such as the WTP Event Request message sent from the WTP to the AC
   indicate to the AC that the WTP is operational.  When such control
   messages are not being sent, the Echo Request and Echo Response
   messages are used to maintain the control communication channel.

7.1.  Echo Request

   The Echo Request message is a keep alive mechanism for CAPWAP control
   messages.

   Echo Request messages are sent periodically by a WTP in the Run state
   (see Section 2.3) to determine the state of the connection between
   the WTP and the AC.  The Echo Request message is sent by the WTP when
   the Heartbeat timer expires.  The WTP MUST start its
   NeighborDeadInterval timer when the Heartbeat timer expires.

   The Echo Request message carries no message elements.

   When an AC receives an Echo Request message it responds with an Echo
   Response message.

7.2.  Echo Response

   The Echo Response message acknowledges the Echo Request message, and
   is only processed while in the Run state (see Section 2.3).

   An Echo Response message is sent by an AC after receiving an Echo
   Request message.  After transmitting the Echo Response message, the
   AC SHOULD reset its Heartbeat timer to expire in the value configured
   for EchoInterval.  If another Echo Request message or other control
   message is not received by the AC when the timer expires, the AC
   SHOULD consider the WTP to be no longer be reachable.

   The Echo Response message carries no message elements.

   When a WTP receives an Echo Response message it stops the
   NeighborDeadInterval timer, and initializes the Heartbeat timer to
   the EchoInterval.

   If the NeighborDeadInterval timer expires prior to receiving an Echo
   Response message, or other control message, the WTP enters the Idle
   state.

8.  WTP Configuration Management

   Wireless Termination Point Configuration messages are used to
   exchange configuration information between the AC and the WTP.

8.1.  Configuration Consistency

   The CAPWAP protocol provides flexibility in how WTP configuration is
   managed.  A WTP has two options:

   1. The WTP retains no configuration and accepts the configuration
      provided by the AC.

   2. The WTP retains the configuration of parameters provided by the AC
      that are non-default values.

   If the WTP opts to save configuration locally, the CAPWAP protocol
   state machine defines the Configure state, which allows for
   configuration exchange.  In the Configure state, the WTP sends its
   current configuration overrides to the AC via the Configuration
   Status message.  A configuration override is a parameter that is non-
   default.  One example is that in the CAPWAP protocol, the default
   antenna configuration is internal omni antenna.  A WTP that either
   has no internal antennas, or has been explicitly configured by the AC
   to use external antennas, sends its antenna configuration during the
   configure phase, allowing the AC to become aware of the WTP's current
   configuration.

   Once the WTP has provided its configuration to the AC, the AC sends
   its own configuration.  This allows the WTP to inherit the
   configuration and policies from the AC.

   An AC maintains a copy of each active WTP's configuration.  There is
   no need for versioning or other means to identify configuration
   changes.  If a WTP becomes inactive, the AC MAY delete the
   configuration associated with it.  If a WTP fails, and connects to a
   new AC, it provides its overridden configuration parameters, allowing
   the new AC to be aware of the WTP's configuration.

   This model allows for resiliency in case of an AC failure, that
   another AC can provide service to the WTP.  In this scenario, the new
   AC would be automatically updated with WTP configuration changes,
   eliminating the need for inter-AC communication or the need for all
   ACs to be aware of the configuration of all WTPs in the network.

   Once the CAPWAP protocol enters the Run state, the WTPs begin to
   provide service.  It is quite common for administrators to require
   that configuration changes be made while the network is operational.

   Therefore, the Configuration Update Request is sent by the AC to the
   WTP to make these changes at run-time.

8.1.1.  Configuration Flexibility

   The CAPWAP protocol provides the flexibility to configure and manage
   WTPs of varying design and functional characteristics.  When a WTP
   first discovers an AC, it provides primary functional information
   relating to its type of MAC and to the nature of frames to be
   exchanged.  The AC configures the WTP appropriately.  The AC also
   establishes corresponding internal operations to deal with the WTP
   according to its functionalities.

8.2.  Configuration Status

   The Configuration Status message is sent by a WTP to deliver its
   current configuration to its AC.

   Configuration Status messages are sent by a WTP while in the
   Configure state.

   The Configuration Status message carries binding specific message
   elements.  Refer to the appropriate binding for the definition of
   this structure.

   When an AC receives a Configuration Status message it will act upon
   the content of the packet and respond to the WTP with a Configuration
   Status Response message.

   The Configuration Status message includes multiple Radio
   Administrative State message Elements.  There is one such message
   element for the WTP, and one message element per radio in the WTP.

   The following message elements MUST be included in the Configuration
   Status message.

   o  AC Name, see Section 4.4.4

   o  AC Name with Index, see Section 4.4.5

   o  Radio Administrative State, see Section 4.4.28 4.4.27

   o  Statistics Timer, see Section 4.4.31 4.4.30

   o  WTP Board Data, see Section 4.4.33 4.4.32

   o  WTP Static IP Address Radio Information, see Section 4.4.44 4.4.38 A WTP Radio Information
      message element MUST be present for every radio in the WTP.

   o  WTP Reboot Statistics, see Section 4.4.43 4.4.44

   o  WTP Static IP Address Information, see Section 4.4.45

8.3.  Configuration Status Response

   The Configuration Status Response message is sent by an AC and
   provides a mechanism for the AC to override a WTP's requested
   configuration.

   Configuration Status Response messages are sent by an AC after
   receiving a Configure Request message.

   The Configuration Status Response message carries binding specific
   message elements.  Refer to the appropriate binding for the
   definition of this structure.

   When a WTP receives a Configuration Status Response message it acts
   upon the content of the message, as appropriate.  If the
   Configuration Status Response message includes a Change Radio Administrative
   State Event message element that causes a change in the operational state
   of one of the Radio, the WTP will transmit a Change State Event to
   the AC, as an acknowledgement of the change in state.

   The following message elements MUST be included in the Configuration
   Status Response message.

   o  AC IPv4 List, see Section 4.4.2

   o  AC IPv6 List, see Section 4.4.3

   o  CAPWAP Timers, see Section 4.4.10

   o  Change State  Radio Administrative Event, see Section 4.4.11 4.4.27

   o  Decryption Error Report Period, see Section 4.4.15 4.4.14

   o  Idle Timeout, see Section 4.4.22 4.4.21

   o  WTP Fallback, see Section 4.4.35 4.4.34

8.4.  Configuration Update Request

   Configure

   Configuration Update Request messages are sent by the AC to provision
   the WTP while in the Run state.  This is used to modify the
   configuration of the WTP while it is operational.

   When an AC receives a Configuration Update Request message it will
   respond with a Configuration Update Response message, with the
   appropriate Result Code.

   One or more of the following message elements MAY be included in the
   Configuration Update message.

   o  AC IPv4 List, see Section 4.4.2

   o  AC IPv6 List, see Section 4.4.3

   o  AC Name with Index, see Section 4.4.5

   o  AC Timestamp, see Section 4.4.6

   o  Add MAC ACL Entry, see Section 4.4.7

   o  Add Static MAC ACL Entry, see Section 4.4.9

   o  CAPWAP Timers, see Section 4.4.10

   o  Change State Event, see Section 4.4.11

   o  Decryption Error Report Period, see Section 4.4.15 4.4.14

   o  Delete MAC ACL Entry, see Section 4.4.16 4.4.15

   o  Delete Static MAC ACL Entry, see Section 4.4.18 4.4.17

   o  Idle Timeout, see Section 4.4.22 4.4.21

   o  Location Data, see Section 4.4.26 4.4.25

   o  Radio Administrative State, see Section 4.4.28 4.4.27

   o  Statistics Timer, see Section 4.4.31 4.4.30

   o  WTP Fallback, see Section 4.4.35 4.4.34

   o  WTP Name, see Section 4.4.42 4.4.41

8.5.  Configuration Update Response

   The Configuration Update Response message is the acknowledgement
   message for the Configuration Update Request message.

   The Configuration Update Response message is sent by a WTP after
   receiving a Configuration Update Request message.

   When an AC receives a Configure Configuration Update Response message the
   result code indicates if the WTP successfully accepted the
   configuration.

   The following message element MUST be present in the Configuration
   Update message.

   Result Code, see Section 4.4.29 4.4.28

8.6.  Change State Event Request

   The following message elements MAY be present in the Configuration
   Update message.

   o  AC IPv4 List, see Section 4.4.2

   o  AC IPv6 List, see Section 4.4.3

8.6.  Change State Event Request

   The Change State Event Request Change State Event Request message is used by the WTP to inform
   the AC of a change in the operational state.

   The Change State Event Request message is sent by the WTP when it
   receives a Configuration Response message that includes a Change
   State Event message element.  It is also sent when the WTP detects an
   operational failure with a radio.  The Change State Event Request
   message may be sent in either the Configure or Run state (see
   Section 2.3.

   When an AC receives a Change State Event Request message it will
   respond with a Change State Event Response message and make any
   necessary modifications to internal WTP data structures.

   The following message elements MUST be present in the Change State
   Event Request message.

   o  Change  Radio Administrative State Event message element, see Section 4.4.11 4.4.27

8.7.  Change State Event Response

   The Change State Event Response message acknowledges the Change State
   Event Request message.

   A Change State Event Response message is sent by a WTP after receiving an AC in response to
   a Change State Event Request message.

   The Change State Event Response message carries no message elements.
   Its purpose is to acknowledge the receipt of the Change State Event
   Request message.

   The WTP does not need to perform any special processing of the Change
   State Event Response message.

8.8.  Clear Config Indication Configuration Request

   The Clear Config Indication Configuration Request message is used to reset a WTP's
   configuration.

   The Clear Config Indication Configuration Request message is sent by an AC to request
   that a WTP reset its configuration to the manufacturing default
   configuration.  The Clear Config Indication Request message is sent while in the
   Run CAPWAP state.

   The Clear Config Indication Configuration Request message carries no message elements.

   When a WTP receives a Clear Config Indication Configuration Request message it resets
   its configuration to the manufacturing default configuration.

8.9.  Clear Configuration Response

   The Clear Configuration Response message is sent by the WTP after
   receiving a Clear Configuration Request message and resetting its
   configuration parameters back to the manufacturing default values.

   The Clear Configuration Request message carries the message elements.

   o  Result Code, see Section 4.4.28

9.  Device Management Operations

   This section defines CAPWAP operations responsible for debugging,
   gathering statistics, logging, and firmware management.

9.1.  Image Data Request

   The Image Data Request message is used to update firmware on the WTP.
   This message and its companion response message are used by the AC to
   ensure that the image being run on each WTP is appropriate.

   Image Data Request messages are exchanged between the WTP and the AC
   to download a new firmware image to the WTP.  When a WTP or AC
   receives an Image Data Request message it will respond with an Image
   Data Response message.  The message elements contained within the
   Image Data Request is required in order to determine the intent of
   the request.  Note that only one message element may be present in
   any given Image Data Request message.

   The decision that new firmware is to downloaded to the WTP can occur
   in one of two methods:

      When the WTP joins the AC, and each exchange their software
      revision, the WTP may opt to initiate a firmware download by
      sending an Image Data Request, which contains an Image Filename
      message element.

      Once the WTP is in the CAPWAP state, it is possible for the AC to
      cause the WTP to initiate a firmware download by initiating an
      Image Data Request, with the Initiate Download message element.
      The WTP would then transmit the Image Filename message element to
      start the download process.

   Regardless of how the download was initiated, once the AC receives an
   Image Data Request with the Image Filename message element, it begins
   the transfer process by transmitting its own request with the Image
   Data message element.  This continues until the whole firmware image
   has been transfered.

   The following message elements MAY be included in the Image Data
   Request Message.

   o  Image Data, see Section 4.4.23 4.4.22

   o  Image Filename, see Section 4.4.24 4.4.23

   o  Initiate Download, see Section 4.4.25 4.4.24

9.2.  Image Data Response

   The Image Data Response message acknowledges the Image Data Request
   message.

   An Image Data Response message is sent in response to a received
   Image Data Request message.  Its purpose is to acknowledge the
   receipt of the Image Data Request message.

   The Image Data Response message carries no message elements.

   No action is necessary on receipt.

9.3.  Reset Request

   The Reset Request message is used to cause a WTP to reboot.

   A Reset Request message is sent by an AC to cause a WTP to
   reinitialize its operation.

   The Reset Request carries no message elements.

   When a WTP receives a Reset Request it will respond with a Reset
   Response and then reinitialize itself.

9.4.  Reset Response

   The Reset Response message acknowledges the Reset Request message.

   A Reset Response message is sent by the WTP after receiving a Reset
   Request message.

   The Reset Response message carries no message elements.  Its purpose
   is to acknowledge the receipt of the Reset Request message.

   When an AC receives a Reset Response message, it is notified that the
   WTP will reinitialize its operation.

9.5.  WTP Event Request

   WTP Event Request message is used by a WTP to send information to its
   AC.  The WTP Event Request message may be sent periodically, or sent
   in response to an asynchronous event on the WTP.  For example, a WTP
   MAY collect statistics and use the WTP Event Request message to
   transmit the statistics to the AC.

   When an AC receives a WTP Event Request message it will respond with
   a WTP Event Response message.

   The WTP Event Request message MUST contain one of the message
   elements listed below, or a message element that is defined for a
   specific wireless technology.

   o  Decryption Error Report, see Section 4.4.14 4.4.13

   o  Duplicate IPv4 Address, see Section 4.4.20 4.4.19

   o  Duplicate IPv6 Address, see Section 4.4.21 4.4.20

   o  WTP Operational Statistics, see Section 4.4.42

   o  WTP Radio Statistics, see Section 4.4.43

   o  WTP Reboot Statistics, see Section 4.4.44

9.6.  WTP Event Response

   The WTP Event Response message acknowledges receipt of the WTP Event
   Request message.

   A WTP Event Response message issent by an AC after receiving a WTP
   Event Request message.

   The WTP Event Response message carries no message elements.

9.7.  Data Transfer Request

   The Data Transfer Request message is used to deliver debug
   information from the WTP to the AC.

   Data Transfer Request messages are sent by the WTP to the AC when the
   WTP determines that it has important information to send to the AC.
   For instance, if the WTP detects that its previous reboot was caused
   by a system crash, it can send the crash file to the AC.  The remote
   debugger function in the WTP also uses the Data Transfer Request
   message to send console output to the AC for debugging purposes.

   When the AC receives a Data Transfer Request message it responds to
   the WTP ith a Data Transfer Response message.  The AC MAY log the
   information received.

   The Data Transfer Request message MUST contain one of the message
   elements listed below.

   o  Data Transfer Mode, Data, see Section 4.4.13 4.4.11
   o  Data Transfer Data, Mode, see Section 4.4.12

9.8.  Data Transfer Response

   The Data Transfer Response message acknowledges the Data Transfer
   Request message.

   A Data Transfer Response message is sent in response to a received
   Data Transfer Request message.  Its purpose is to acknowledge receipt
   of the Data Transfer Request message.

   The Data Transfer Response message carries no message elements.

   Upon receipt of a Data Transfer Response message, the WTP transmits
   more information, if more information is available.

10.  Mobile Session Management

   Messages in this section are used by the AC to create, modify or
   delete mobile station session state on the WTPs.

10.1.  Mobile Config Configuration Request

   The Mobile Config Configuration Request message is used to create, modify or
   delete mobile session state on a WTP.  The message is sent by the AC
   to the WTP, and may contain one or more message elements.  The
   message elements for this CAPWAP control message include information
   that is generally highly technology specific.  Refer to the
   appropriate binding section or document for the definitions of the
   messages elements that may be used in this control message.

   The following CAPWAP Control message elements MAY be included in the
   Mobile Config Configuration Request message.

   o  Add Mobile Station, see Section 4.4.8

   o  Delete Mobile Station, see Section 4.4.17 4.4.16

10.2.  Mobile Config Configuration Response

   The Mobile Configuration Response message is used to acknowledge a
   previously received Mobile Configuration Request message, and message.  The
   following message element MUST
   include a be present in the Mobile Configuration
   Response message.

   o  Result Code message element, Code, see Section 4.4.29 which 4.4.28

   The Result Code message element indicates whether that the requested
   configuration was successfully applied, or that an error occurred on the WTP.

   This message requires no special processing, and is only used related to
   acknowledge receipt
   processing of the Mobile Configuration Request message. message occurred on
   the WTP.

11.  IEEE 802.11 Binding

   This section defines the extensions required for the CAPWAP protocol
   to be used with the IEEE 802.11 protocol.

11.1.  Split MAC and Local MAC Functionality

   The CAPWAP protocol, when used with IEEE 802.11 devices, requires a
   specific behavior from the WTP and the AC, to support the required
   IEEE 802.11 protocol functions.

   For both the Split and Local MAC approaches, the CAPWAP functions, as
   defined in the taxonomy specification [Add reference], reside in the
   AC.

11.1.1.  Split MAC

   This section shows the division of labor between the WTP and the AC
   in a Split MAC architecture.  Figure 3 4 shows the clear separation of
   functionality among CAPWAP components.

        Function                               Location
            Distribution Service                      AC
            Integration Service                       AC
            Beacon Generation                         WTP
            Probe Response Generation                 WTP
            Power Mgmt/Packet Buffering               WTP
            Fragmentation/Defragmentation             WTP/AC
            Assoc/Disassoc/Reassoc                    AC

       802.11e
            Classifying                               AC
            Scheduling                                WTP/AC
            Queuing                                   WTP

       802.11i
            802.1X/EAP                                AC
            RSNA Key Management                       AC
            802.11 Encryption/Decryption              WTP/AC

   Figure 3: 4: Mapping of 802.11 Functions for Split MAC Architecture

   The Distribution and Integration services reside on the AC, and
   therefore all user data is tunneled between the WTP and the AC.  As
   noted above, all real-time IEEE 802.11 services, including the beacon
   and probe response frames, are handled on the WTP.

   All remaining IEEE 802.11 MAC management frames are supported on the
   AC, including the Association Request which allows the AC to be
   involved in the access policy enforcement portion of the IEEE 802.11
   protocol.  The IEEE 802.1X and IEEE 802.11i key management function
   are also located on the AC.  This implies that the AAA client also
   resides on the AC.

   While the admission control component of IEEE 802.11e resides on the
   AC, the real time scheduling and queuing functions are on the WTP.
   Note this does not exclude the AC from providing additional policing
   and scheduling functionality.

   Note that in the following figure, the use of '( - )' indicates that
   processing of the frames is done on the WTP.

             Client                       WTP                        AC

                      Beacon
             <-----------------------------
                   Probe Request
             ----------------------------( - )------------------------->
                   Probe Response
             <-----------------------------
                              802.11 AUTH/Association
             <--------------------------------------------------------->
                  Mobile Config Request[Add Mobile (Clear Text, 802.1X)]
                                             <------------------------->
                    802.1X Authentication & 802.11i Key Exchange
             <--------------------------------------------------------->
                  Mobile Config Request[Add Mobile (AES-CCMP, PTK=x)]
                                             <------------------------->
                               802.11 Action Frames
             <--------------------------------------------------------->
                                   802.11 DATA (1)
             <---------------------------( - )------------------------->

   Figure 4: 5: Split MAC Message Flow

   Figure 4 5 provides an illustration of the division of labor in a Split
   MAC architecture.  In this example, a WLAN has been created that is
   configured for IEEE 802.11i, using AES-CCMP for privacy.  The
   following process occurs:

   o  The WTP generates the IEEE 802.11 beacon frames, using information
      provided to it through the Add WLAN (see Section Section 11.10.1) 11.9.1)
      message element.

   o  The WTP processes the probe request and responds with a
      corresponding probe response.  The probe request is then forwarded
      to the AC for optional processing.

   o  The WTP forwards the IEEEE 802.11 Authentication and Association
      frames to the AC, which is responsible for responding to the
      client.

   o  Once the association is complete, the AC transmits an CAPWAP Add
      Mobile Station request to the WTP (see Section Section 4.4.8.  In
      the above example, the WLAN is configured for IEEE 802.1X, and
      therefore the '802.1X only' policy bit is enabled.

   o  If the WTP is providing encryption/decryption services, once the
      client has completed the IEEE 802.11i key exchange, the AC
      transmits another Add Mobile request to the WTP, stating the
      security policy to enforce for the client (in this case AES-CCMP),
      as well as the encryption key to use.  If encryption/decryption is
      handled in the AC, the IEEE 802.11 Add Mobile Station request
      would have not include the
      encryption policy set to "Clear Text". RSN Information Element.

   o  The WTP forwards any 802.11 Action frames received to the AC.

   o  All client data frames are tunneled between the WTP and the AC.
      Note that the WTP is responsible for encrypting and decrypting
      frames, if it was indicated in the Add Mobile request.

11.1.2.  Local MAC

   This section shows the division of labor between the WTP and the AC
   in a Local MAC architecture.  Figure 5 6 shows the clear separation of
   functionality among CAPWAP components.

        Function                               Location
            Distribution Service                      WTP
            Integration Service                       WTP
            Beacon Generation                         WTP
            Probe Response Generation                 WTP
            Power Mgmt/Packet Buffering               WTP
            Fragmentation/Defragmentation             WTP
            Assoc/Disassoc/Reassoc                    WTP

       802.11e
            Classifying                               WTP
            Scheduling                                WTP
            Queuing                                   WTP

       802.11i
            802.1X/EAP                                AC
            RSNA Key Management                       AC
            802.11 Encryption/Decryption              WTP

   Figure 5: 6: Mapping of 802.11 Functions for Local AP Architecture

   Given the Distribution and Integration Services exist on the WTP,
   client data frames are not forwarded to the AC, with the exception
   listed in the following paragraphs.

   While the MAC is terminated on the WTP, it is necessary for the AC to
   be aware of mobility events within the WTPs.  As a consequence, the
   WTP MUST forward the IEEE 802.11 Association Requests to the AC, and
   the AC.  The
   AC MAY reply with a failed Association Response if it deems it
   necessary.
   necessary, and upon receipt of a failed Association Response from the
   AC, the WTP must send a Disassociation frame to the mobile station.

   The IEEE 802.1X and RSNA Key Management function resides in the AC.
   Therefore, the WTP MUST forward all IEEE 802.1X/RSNA Key Management
   frames to the AC and forward the associated responses to the station.
   This implies that the AAA client also resides on the AC.

   Note that in the following figure, the use of '( - )' indicates that
   processing of the frames is done on the WTP.

             Client                       WTP                        AC

                      Beacon
             <-----------------------------
                       Probe
             <---------------------------->
                    802.11 AUTH
             <-----------------------------
                                 802.11 Association
             <---------------------------( - )------------------------->
                  Mobile Config Request[Add Mobile (Clear Text, 802.1X)]
                                             <------------------------->
                    802.1X Authentication & 802.11i Key Exchange
             <--------------------------------------------------------->
                               802.11 Action Frames
             <--------------------------------------------------------->
                    Mobile Config Request[Add Mobile (AES-CCMP, PTK=x)]
                                             <------------------------->
                     802.11 DATA
             <----------------------------->

   Figure 6: 7: Local MAC Message Flow

   Figure 6 7 provides an illustration of the division of labor in a Local
   MAC architecture.  In this example, a WLAN has been created that is
   configured for IEEE 802.11i, using AES-CCMP for privacy.  The
   following process occurs:

   o  The WTP generates the IEEE 802.11 beacon frames, using information
      provided to it through the Add WLAN (see Section 11.10.1) 11.9.1) message
      element.

   o  The WTP processes the probe request and responds with a
      corresponding probe response.

   o  The WTP forwards the IEEE 802.11 Authentication and Association
      frames to the AC, which is responsible for responding to the
      client. AC.

   o  Once the association is complete, the AC transmits an CAPWAP Add
      Mobile Station message element to the WTP (see Section
      Section 4.4.8.  In the above example, the WLAN is configured for
      IEEE 802.1X, and therefore the '802.1X only' policy bit is
      enabled.

   o  The WTP forwards all IEEE 802.1X and IEEE 802.11i key exchange
      messages to the AC for processing.

   o  The AC transmits another Add Mobile Station message element to the
      WTP, stating the security policy to enforce for the client (in
      this case AES-CCMP), as well as the encryption key to use.  The
      Add Mobile Station message element MAY include a VLAN name, which
      when present is used by the WTP to identify the VLAN on which the
      user's data frames are to be bridged.

   o  The WTP forwards any IEEE 802.11 Action frames received to the AC.

   o  The WTP may locally bridge client data frames (and provide the
      necessary encryption and decryption services).  The WTP may also
      tunnel client data frames to the AC, using 802.3 frame tunnel mode
      or 802.11 frame tunnel mode.

11.2.  Roaming Behavior

   It is important that CAPWAP implementations react properly to mobile
   devices associating to the networks in how they generate Add Mobile
   and Delete Mobile messages.  This section expands upon the examples
   provided in the previous section, and describes how the CAPWAP
   control protocol is used in order to provide secure roaming.

   Once a client has successfully associated with the network in a
   secure fashion, it is likely to attempt to roam to another WTP.
   Figure 7 8 shows an example of a currently associated station moving
   from its "Old WTP" to a "new WTP".  The figure is useful for multiple
   different security policies, including IEEE 802.1X and dynamic WEP
   keys, WPA or even WPA2 both with key caching (where the IEEE 802.1x
   exchange would be bypassed) and without.

            Client              Old WTP              WTP              AC

                          Association Request/Response
             <--------------------------------------( - )-------------->
                 Mobile Config Request[Add Mobile (Clear Text, 802.1X)]
                                                      <---------------->
             802.1X Authentication (if no key cache entry exists)
             <--------------------------------------( - )-------------->
                           802.11i 4-way Key Exchange
             <--------------------------------------( - )-------------->
                     Mobile Config Request[Delete Mobile]
                                    <---------------------------------->
                  Mobile Config Request[Add Mobile (AES-CCMP, PTK=x)]
                                                      <---------------->

   Figure 7: 8: Client Roaming Example

11.3.  Group Key Refresh

   Periodically, the Group Key (GTK)for the BSS needs to be updated.
   The AC uses an EAPoL frame to update the group key for each STA in
   the BSS.  While the AC is updating the GTK, each L2 broadcast frame
   transmitted to the BSS needs to be duplicated and transmitted using
   both the current GTK and the new GTK.  Once the GTK update process
   has completed, broadcast frames transmitted to the BSS will be
   encrypted using the new GYT GTK.

   In the case of Split MAC, the AC needs to duplicate all broadcast
   packets and update the key index so that the packet is transmitted
   using both the current and new GTK to ensure that all STA's in the
   BSS receive the broadcast frames.  In the case of local MAC, the WTP
   needs to duplicate and transmit broadcast frames using the
   appropriate index to ensure that all STA's in all STA's in the BSS continue to
   receive broadcast frames.

   The Group Key update procedure is given in the following figure.  The
   AC will signal the update to the GTK using an 802.11 Configuration
   Request frame with the new GTK, its index, the TSC for the Group Key
   and the Key Status set to 3 (begin GTK update).  The AC will then
   begin updating the GTK for each STA.  During this time, the AC (for
   Split MAC) or WTP (for Local MAC) must duplicate broadcast packets
   and transmit them encrypted with both the current and new GTK.  When
   the AC has completed the GTK update to all STA's in the BSS, the AC
   must transmit an 802.11 Configuration Request frame containing the
   new GTK, its index, and the Key Status set to 4 (GTK update
   complete).

              Client           WTP                                           AC

              802.11 Config Request ( Update WLAN (GTK, GTK Index, GTK Start, Group TSC) )
                             <----------------------------------------------
                                        802.1X EAPoL (GTK Message 1)
             <-------------( - )-------------------------------------------
                                        802.1X EAPoL (GTK Message 2)
               -------------( - )------------------------------------------->
            802.11 Config Request ( Update WLAN (GTK Index, GTK Complete) )
                             <---------------------------------------------

   Figure 9: Group Key Update Procedure

11.4.  BSSID to WLAN ID Mapping

   The CAPWAP protocol allows the WTP to assign BSSIDs upon creation of
   a WLAN (see Section 11.9.1).  While manufacturers are free to assign
   BSSIDs using any arbitrary mechanism, it is advised that where
   possible the BSSIDs are assigned as a contiguous block.

   When assigned as a block, implementations can still assign any of the
   available BSSIDs to any WLAN.  One possible method is for the WTP to
   assign the address using the following algorithm: base BSSID address
   + WLAN ID.

   The WTP communicates the maximum number of BSSIDs that it supports
   during the Config Request within the IEEE 802.11 WTP WLAN Radio
   Configuration message element (see Section 11.9.23).

11.5.  Quality of Service for IEEE 802.11 Control Messages

   It is recommended that IEEE 802.11 MAC management frames be sent by
   both the AC and the WTP with appropriate Quality of Service values,
   ensuring that congestion in the network minimizes occurrences of
   packet loss.  Therefore, a Quality of Service enabled CAPWAP device
   should use:

   802.1P:  The precedence value of 7 SHOULD be used for all IEEE 802.11
      MAC management frames, except for Probe Requests which SHOULD use
      4.

   DSCP:  The DSCP tag value of 46 SHOULD be used for all IEEE 802.11
      MAC management frames, except for Probe Requests which SHOULD use
      34.

11.6.  IEEE 802.11 Specific CAPWAP Control Messages

   This section defines CAPWAP Control Messages that are specific to the
   IEEE 802.11 binding.  The two messages are defined, the IEEE 802.11
   WLAN Config Request and IEEE 802.11 WLAN Config Response messages.
   See Section 4.3.1.1

   The valid message types for IEEE 802.11 specific control messages are
   listed below.  The IANA Enterprise number used with these messages is
   13277.

           CAPWAP Control Message                    Message Type
                                                        Value

           IEEE 802.11 WLAN Configuration Request      3398912
           IEEE 802.11 WLAN Configuration Response     3398913

11.6.1.  IEEE 802.11 WLAN Configuration Request

   The IEEE 802.11 WLAN Configuration Request is sent by the AC to the
   WTP in order to change services provided by the WTP.  This control
   message is used to either create, update or delete a WLAN on the WTP.

   The IEEE 802.11 WLAN Configuration Request is sent as a result of
   either some manual admistrative process (e.g., deleting a WLAN), or
   automatically to create a WLAN on a WTP.  When sent automatically to
   create a WLAN, this control message is sent after the CAPWAP
   Configure Update Request message has been received by the WTP.

   Upon receiving this control message, the WTP will modify the
   necessary services, and transmit an IEEE 802.11 WLAN Configuration
   Response.

   A WTP MAY provide service for more than one WLAN, therefore every
   WLAN is identified through a numerical index.  For instance, a WTP
   that is capable of supporting up to 16 SSIDs, could accept up to 16
   IEEE 802.11 WLAN Configuration Request messages that include the Add
   WLAN message element.

   Since the index is the primary identifier for a WLAN, an AC MAY
   attempt to ensure that the BSS continue same WLAN is identified through the same
   index number on all of its WTPs.  An AC that does not follow this
   approach MUST find some other means of maintaining a WLAN Identifier
   to
   receive broadcast frames. SSID mapping table.

   The Group Key update procedure is given following message elements may be included in the following figure. IEEE 802.11
   WLAN Configuration Request message.  Only one message element MUST be
   present.

   o  IEEE 802.11 Add WLAN, see Section 11.9.1

   o  IEEE 802.11 Delete WLAN, see Section 11.9.4

   o  IEEE 802.11 Information Element, see Section 11.9.6

   o  IEEE 802.11 Update WLAN, see Section 11.9.21

11.6.2.  IEEE 802.11 WLAN Configuration Response

   The
   AC will signal IEEE 802.11 WLAN Configuration Response message is sent by the update
   WTP to the GTK using AC.  It is used to acknowledge receipt of an IEEE 802.11
   WLAN Configuration Request frame with the new GTK, its index, message, and the Key Status set to
   3 (begin GTK update).  The AC will then begin updating the GTK for
   each STA.  During this time, indicate if the AC (for Split MAC) requested
   configuration was successfully applied, or WTP (for Local
   MAC) must duplicate broadcast packets and transmit them encrypted
   with both the current and new GTK.  When the AC has completed the GTK
   update if an error related to all STA's in the BSS,
   processing of the AC must transmit an IEEE 802.11 WLAN Configuration Request frame containing message
   occurred on the new GTK, its index, and WTP.

   The following message element MAY be included in the Key Status set to 4 (GTK update complete).

              Client           WTP                                           AC IEEE 802.11 Config Request ( Update WLAN (GTK, GTK Index, GTK Start)
                             <----------------------------------------------
                                        802.1X EAPoL (GTK Message 1)
             <-------------( - )-------------------------------------------
                                        802.1X EAPoL (GTK Message 2)
               -------------( - )------------------------------------------->
   Configuration Response message.

   o  IEEE 802.11 Assigned WTP BSSID, see Section 11.9.3

   The following message element MUST be included in the IEEE 802.11 Config Request ( Update
   WLAN (GTK, GTK Index, GTK Complete)
                             <---------------------------------------------

   Figure 8: Group Key Update Procedure

11.4.  Transport specific bindings

   All Configuration Response message.  Only one message element MUST
   be present.

   o  Result Code, see Section 4.4.28

11.7.  CAPWAP transports have Data Message Bindings

   This section describes the following CAPWAP Data Message bindings to support
   IEEE 802.11 specific
   bindings: frames.

   Payload encapsulation encapsulation: The CAPWAP protocol defines the CAPWAP data
      frame,
      message, which is used to encapsulate a wireless payload.  For
      IEEE 802.11, the IEEE 802.11 header and payload are encapsulated
      (excluding the IEEE 802.11 FCS checksum).  The IEEE 802.11 FCS
      checksum is handled by the WTP.  This allows the WTP to validate a
      an IEEE 802.11 frame prior to sending it to the AC.  Similarly,
      when an AC wishes to transmit a frame towards a station, the WTP
      computes and adds the FCS checksum.

   CAPWAP Header Reserved field

   Optional Wireless Specific Information: The reserved optional CAPWAP header
      field (see
      figure Section 4.1) is only used with CAPWAP data frames, messages,
      and it serves two purposes, depending upon the direction of the frame.
      message.  For packets messages from the WTP to the AC, the field uses the
      format described in the IEEE "IEEE 802.11 Frame Info" field. field (see
      below).  However, for
      frames messages sent by the AC to the WTP, the
      format used is described in described in the Destination WLANs field. "Destination WLANs"
      field (also defined below).

   IEEE 802.11 Frame Info Info: When an CAPWAP data IEEE 802.11 frame is received from a
      station over the air, it is encapsulated and this field is used to
      include radio and PHY specific information associated with the
      frame.

      When used with the

      The IEEE 802.11 binding, the Frame Info field follows has the following format:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     RSSI      |     SNR       |           Data Rate           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      RSSI:  RSSI is a signed, 8-bit value.  It is the received signal
         strength indication, in dBm.

      SNR:  SNR is a signed, 8-bit value.  It is the signal to noise
         ratio of the received IEEE 802.11 frame, in dB.

      Data Rate:  The data rate field is a 16 bit unsigned value.  The
         contents of the field is set to 1/10th of the data rate of the
         packet received by the WTP.  For instance, a packet received at
         5.5Mbps would be set to 55, while 11Mbps would be set to 110.

   Destination WLANs The Destination WLAN field is used to specify the
      target WLANs for a given frame, and is only used with broadcast
      and multicast frames.  This field allows the AC to transmit a
      single broadcast or multicast frame to the WTP, and allows the WTP
      to perform the necessary frame replication services.  The field
      uses the following format:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |              WLAN             |            Reserved           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      WLAN:  This bit field indicates the WLAN ID (see section
         Section 11.10.1) 11.9.1) which the WTP will transmit the associated
         frame on.  For instance, if a multicast packet is to be
         transmitted on WLANs 1 and 3, bits 1 and 3 of this field would
         be enabled.  Note this field is to be set to zero for unicast
         packets and is unused if the WTP is not providing encryption
         services.

      Reserved:  This field MUST be set to zero.

11.5.  BSSID to WLAN ID Mapping

   The CAPWAP protocol allows the WTP to assign BSSIDs upon creation of
   a WLAN (see Section Section 11.10.1).  While manufacturers are free
   to assign BSSIDs using any arbitrary mechanism, it is advised that
   where possible the BSSIDs are assigned as a contiguous block.

   When assigned as a block, implementations can still assign any of the
   available BSSIDs to any WLAN.  One possible method is for the WTP to
   assign the address using the following algorithm: base BSSID address
   + WLAN ID.

   The WTP communicates the maximum number of BSSIDs that it supports
   during unused if the Config Request within WTP is not providing encryption
         services.

      Reserved:  This field MUST be set to zero.

11.8.  CAPWAP Control Message bindings

   This section describes the IEEE 802.11 WTP WLAN Radio
   Configuration specific message element (see Section 11.10.24).

11.6.  Quality of Service for elements
   included in CAPWAP Control Messages

   It is recommended that Messages.

11.8.1.  Configuration Status Message

   The following IEEE 802.11 MAC management frames specific message elements may be sent by
   both the AC and the WTP with appropriate Quality of Service values,
   ensuring that congestion included
   in the network minimizes occurrences of
   packet loss.  Therefore, a Quality of Service enabled CAPWAP device
   should use:

   802.1P:  The precedence value of 6 SHOULD be used for all Configuration Status Message.

   o  IEEE 802.11
      MAC management frames, except for Probe Requests which SHOULD use
      4.

   DSCP:  The DSCP tag value of 46 SHOULD be used for all Antenna, see Section 11.9.2

   o  IEEE 802.11 Direct Sequence Control, see Section 11.9.5
   o  IEEE 802.11 MAC management frames, except for Probe Requests which SHOULD use
      34.

11.7. Operation, see Section 11.9.7

   o  IEEE 802.11 Specific CAPWAP Control Messages

   This section defines CAPWAP Control Messages that are specific to the Multi Domain Capability, see Section 11.9.11

   o  IEEE 802.11 binding.  The two messages are defined as OFDM Control, see Section 11.9.12

   o  IEEE 802.11
   WLAN Config Request and Supported Rates, see Section 11.9.17

   o  IEEE 802.11 WLAN Config Response.  See Tx Power, see Section 4.3.1.1 11.9.18

   o  IEEE 802.11 TX Power Level, see Section 11.9.19

   o  IEEE 802.11 WTP Radio Configuration, see Section 11.9.23

11.8.2.  Configuration Status Response Message

   The valid message types for following IEEE 802.11 specific control messages are
   listed below.  The IANA Enterprise number used with these messages is
   13277 message elements may be included
   in the CAPWAP Control Message           Message Type
                                               Value Configuration Status Response Message.

   o  IEEE 802.11 WLAN Config Request     3398912 Antenna, see Section 11.9.2

   o  IEEE 802.11 WLAN Config Response    3398913

11.7.1. Direct Sequence Control, see Section 11.9.5

   o  IEEE 802.11 WLAN Config Request

   The MAC Operation, see Section 11.9.7

   o  IEEE 802.11 WLAN Configuration Request is sent by the AC to the
   WTP in order to change services provided by the WTP.  This control
   message is used to either create, update or delete a WLAN on the WTP.

   The Multi Domain Capability, see Section 11.9.11

   o  IEEE 802.11 WLAN Configuration Request is sent as a result of
   either some manual admistrative process (e.g., deleting a WLAN), or
   automatically to create a WLAN on a WTP.  When sent automatically to
   create a WLAN, this control message is sent after the CAPWAP
   Configure Update Request message has been received by the WTP.

   Upon receiving this control message, the WTP will modify the
   necessary services, and transmit an OFDM Control, see Section 11.9.12

   o  IEEE 802.11 WLAN Configuration
   Response.

   A WTP MAY provide service for more than one WLAN, therefore every
   WLAN is identified through a numerical index.  For instance, a WTP
   that is capable of supporting up to 16 SSIDs, could accept up to 16 Rate Set, see Section 11.9.13

   o  IEEE 802.11 WLAN Configuration Request messages that include the Add
   WLAN message element.

   Since the index is the primary identifier for a WLAN, an AC MAY
   attempt to ensure that the same WLAN is identified through the same
   index number on all of its WTPs.  An AC that does not follow this
   approach MUST find some other means of maintaining a WLAN Identifier
   to SSID mapping table. Supported Rates, see Section 11.9.17

   o  IEEE 802.11 Tx Power, see Section 11.9.18

   o  IEEE 802.11 WTP Quality of Service, see Section 11.9.22

   o  IEEE 802.11 WTP Radio Configuration, see Section 11.9.23

11.8.3.  Configuration Update Request Message

   The following IEEE 802.11 specific message elements may be included
   in the IEEE 802.11
   WLAN Config CAPWAP Configuration Update Request message.  Only one message element MUST be
   present. Message.

   o  IEEE 802.11 Add WLAN, Antenna, see Section 11.10.1 11.9.2

   o  IEEE 802.11 Delete WLAN, Direct Sequence Control, see Section 11.10.5 11.9.5
   o  IEEE 802.11 Update WLAN, MAC Operation, see Section 11.10.21 11.9.7

   o  IEEE 802.11 Information Element, Multi Domain Capability, see Section 11.10.7

11.7.2. 11.9.11

   o  IEEE 802.11 WLAN Config Response

   The OFDM Control, see Section 11.9.12

   o  IEEE 802.11 WLAN Configuration Response is sent by the AC to the
   WTP as an acknowledgement of the receipt of an Rate Set, see Section 11.9.13

   o  IEEE 802.11 WLAN
   Configuration Request.

   The following message elements may be included in the RSNA Error Report From Mobile, see Section 11.9.14

   o  IEEE 802.11
   WLAN Config Request message.  Only one message element MUST be
   present. Tx Power, see Section 11.9.18

   o  IEEE 802.11 Assigned WTP BSSID, Quality of Service, see Section 11.10.3

11.8.  Data Message bindings

   There are no CAPWAP Data Message bindings for IEEE 802.11.

11.9.  Control Message bindings

   This section describes he 11.9.22

   o  IEEE 802.11 specific message elements
   included in CAPWAP Control Messages.

11.9.1. WTP Radio Configuration, see Section 11.9.23

11.8.4.  Mobile Config Request

   The following IEEE 802.11 specific message elements MAY used with included in
   the CAPWAP Mobile Config Request message.

   o  IEEE 802.11 Mobile, see Section 11.10.11 11.9.9

   o  IEEE 802.11 Mobile Session Key, see Section 11.10.12 11.9.10

   o  Station QOS QoS Profile, see Section 11.10.25

11.9.2. 11.9.15

11.8.5.  WTP Event Request

   The following IEEE 802.11 specific message elements may be included
   in the CAPWAP WTP Event Request message.

   o  IEEE 802.11 MIC Countermeasures, see Section 11.10.9 11.9.8

   o  IEEE 802.11 Statistics, see Section 11.10.16 11.9.16

   o  IEEE 802.11 WTP Radio Fail Alarm Indication, see Section 11.10.23

11.9.3.  Configuration Messages

   This section defines the 11.9.24

11.9.  IEEE 802.11 Message Elements which MAY be
   included in the Configuration Status, Configuration Status Response,
   Configuration Update Request and Mobile Config Request CAPWAP control
   meessages. Element Definitions

   The binding of following IEEE 802.11 specific message elements to CAPWAP control
   messages is shown below:

                                             Conf  Conf  Conf  Mobile are defined in
   this section.

   IEEE 802.11 Message Element                           Stat  Stat  Upd   Config Req
                                             Msg   Resp   Msg   Msg                     Type Value

   IEEE 802.11 Add WLAN                               1024
   IEEE 802.11 Antenna                        X     X     X                                1025
   IEEE 802.11 Broadcast Probe Mode                 X     X Assigned WTP BSSID                     1026
   IEEE 802.11 Delete WLAN                            1027
   IEEE 802.11 Direct Sequence Control        X     X     X                1028
   IEEE 802.11 Information Element                    1029
   IEEE 802.11 MAC Operation                  X     X     X                          1030
   IEEE 802.11 MIC Error Report From Countermeasures                    1031
   IEEE 802.11 Mobile               X                                 1032
   IEEE 802.11 Mobile Session Key                               X                     1033
   IEEE 802.11 Multi-domain Multi-Domain Capability        X     X     X                1034
   IEEE 802.11 OFDM Control                   X     X     X                           1035
   IEEE 802.11 Rate Set                             X     X                               1036
   IEEE 802.11 RSNA Error Report From Mobile          1037
   IEEE 802.11 Station QoS Profile                    1038
   IEEE 802.11 Statistics                             1039
   IEEE 802.11 Supported Rates                X     X                        1040
   IEEE 802.11 Tx Power                       X     X     X                               1041
   IEEE 802.11 Tx Power Level                 X                         1042
   IEEE 802.11 Update Mobile QoS                                X                      1043
   IEEE 802.11 WTP Mode and Type              X?          X Update WLAN                            1044
   IEEE 802.11 WTP Quality of Service               X     X                 1045
   IEEE 802.11 WTP Radio Configuration        X     X     X

11.10.                1046
   IEEE 802.11 Message Element Definitions

11.10.1. WTP Radio Fail Alarm Indication        1047

11.9.1.  IEEE 802.11 Add WLAN

   The Add WLAN message element is used by the AC to define a wireless
   LAN on the WTP.  The inclusion of this message element MUST also
   include IEEE 802.11 Information Element message elements, containing
   the following 802.11 IEs:

   Power Capability information element

   WPA information element

   RSN information element

   EDCA Parameter Set information element

   QoS Capability information element
   WMM information element

   If present, the RSN information element is sent along with the IEEE
   802.11 Add WLAN in order to instruct the WTP on the usage of the Key
   field.

   Note that ACs MAY include additional information elements as they see
   fit.  The message element uses the following format:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Radio ID   |    WLAN ID    |            Reserved           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                      Encryption Policy                        |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                               Key                             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                               Key                             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                               Key          Capabilities         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |   Key                             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Index   |   Key                             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Status  |           Key Length          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                               Key                             Key...                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                               Key                           Group TSC                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |   Key Index   |   Key Status           Group TSC           |      QoS      |   Auth Type   |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |   MAC Mode    |  Tunnel Mode  | Suppress SSID |    SSID ...
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1024 for IEEE 802.11 Add WLAN

   Length:  >= 49

   Radio ID:  An 8-bit value representing the radio.

   WLAN ID:  An 8-bit value specifying the WLAN Identifier.

   Reserved:  A 16-bit value that MUST be set to zero.

   Encryption Policy:  A 32-bit value specifying the encryption scheme
      to apply to traffic to and from the mobile station.  The
      applicability of the encryption policy depends upon the security
      policy.  For static WEP keys, which is true when the 'Shared Key'
      bit is set, this encryption policy is relevant for both unicast
      and multicast traffic.  For encryption schemes that employ a
      separate encryption key for unicast and multicast traffic, the
      encryption policy defined here only applies to multicast data.  In
      these scenarios, the unicast encryption policy is communicated via
      the Add Mobile Station (Section 4.4.8).

      0 - Encrypt WEP 104: All packets to/from the mobile station must
         be encrypted using standard 104 bit WEP.

      1 - Clear Text: All packets to/from the mobile station do not
         require any additional crypto processing by the WTP.

      2 - Encrypt WEP 40: All packets to/from value specifying the mobile station must be
         encrypted using standard 40 bit WEP.

      3 - Encrypt WEP 128: All packets to/from WLAN Identifier.

   Capability:  A 16-bit value containing the mobile station must capabilities information
      field to be encrypted using standard 128 bit WEP.

      4 - Encrypt AES-CCMP 128: All packets to/from advertised by the mobile station
         must be encrypted using 128 bit AES CCMP [7]

      5 - Encrypt TKIP-MIC: All packets to/from WTP within the mobile station must
         be encrypted using TKIP Probe and authenticated using Michael [24]

   Key:  A 32 byte Session Key to use with the encryption policy. Beacon
      messages.

   Key-Index:  The Key Index associated with the key.

   Key Status:  A 1 byte value that specifies the state and usage of the
      key that has been included.  The following values describe the key
      usage and its status:

   0 - A value of zero, with the 'Encryption Policy' field set to any
      value other than 'Clear Text' inclusion of the RSN Information
      Element means that the WLAN uses per-station encryption keys, and
      therefore the key in the 'Key' field is only used for multicast
      traffic.

   1 - When set to one, the WLAN employs a shared WEP key, also known as
      a static WEP key, and uses the encryption key for both unicast and
      multicast traffic for all stations.

   2 - The value of 2 indicates that the AC will begin rekeying the GTK
      with the STA's in the BSS.  It is only valid when IEEE 802.11i is
      enabled as the security policy for the BSS.

   3 - The value of 3 indicates that the AC has completed rekeying the
      GTK and broadcast packets no longer need to be duplicated and
      transmitted with both GTK's.

   Key Length:  A 16-bit value representing the length of the Key field.

   Key:  A 32 byte Session Key to use to provide data privacy.  For
      static WEP keys, which is true when the 'Key Status' bit is set to
      one, this key is used for both unicast and multicast traffic.  For
      encryption schemes that employ a separate encryption key for
      unicast and multicast traffic, the key included hereonly applies
      to multicast data, and the cipher suite is specified in an
      accompanied RSN Information Element.  In these scenarios, the key,
      and cipher information, is communicated via the Add Mobile Station
      (Section 4.4.8).

   Group TSC  A 48-bit value containing the Transmit Sequence Counter
      for the updated group key.  The WTP will set the TSC for
      broadcast/multicast frames to this value for the updated group
      key.

   QOS:  An 8-bit value specifying the default QoS policy to enforce for the
      station.
      station's traffic on this WLAN.

      The following values are supported:

      0 - Best Effort

      1 - Video

      2 - Voice

      3 - Background

   Auth Type:  An 8-bit value specifying the supported authentication
      type.

      The following values are supported:

      0 - Open System

      1 - WEP Shared Key

      2 - WPA/WPA2 802.1X

      3 - WPA/WPA2 PSK

   MAC Mode:  This field specifies whether the WTP should support the
      WLAN in Local or Split MAC modes.  Note that the AC MUST NOT
      request a mode of operation that was not advertised by the WTP
      during the discovery process (see section Section 4.4.38). 4.4.37).  The
      following values are supported:

      0 - Local-MAC:  Service for the WLAN is to be provided in Local
         MAC mode.

      1 - Split-MAC:  Service for the WLAN is to be provided in Split
         MAC mode.

   Tunnel Mode:  This field specifies the frame tunneling type to be
      used for user traffic from all stations associated with the WLAN.  Note that the
      The AC MUST NOT request a mode of operation that was not
      advertised by the WTP during the discovery process (see section
      Section 4.4.36). 4.4.35).  IEEE 802.11 managment and control frames SHALL
      be tunneled using 802.11 Tunnel mode.  The following values are
      supported:

      0 - Local Bridging:  All user traffic is to be locally bridged.

      1 - 802.3 Tunnel:  All user traffic is to be tunneled to the AC in
         802.3 format (see section Section 4.2).

      2 - 802.11 Bridging: Tunnel:  All user traffic is to be tunneled to the AC
         in 802.11 format.

   Supress SSID:  A boolean indicating whether the SSID is to be
      advertised by the WTP.  A value of zero supresses the SSID in the
      802.11 Beacon and Probe Response frames, while a value of one will
      cause the WTP to populate the field.

   SSID:  The SSID attribute is the service set identifier that will be
      advertised by the WTP for this WLAN.

11.10.2.

11.9.2.  IEEE 802.11 Antenna

   The antenna message element is communicated by the WTP to the AC to
   provide information on the antennas available.  The AC MAY use this
   element to reconfigure the WTP's antennas.  The value contains the
   following fields:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Radio ID   |   Diversity   |    Combiner   |  Antenna Cnt  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                    Antenna Selection [0..N]                   |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1025 for IEEE 802.11 Antenna

   Length:  >= 5

   Radio ID:  An 8-bit value representing the radio to configure.

   Diversity:  An 8-bit value specifying whether the antenna is to
      provide receive diversity.  The value of this field is the same as
      the IEEE 802.11 dot11DiversitySelectionRx MIB element (see [6]).
      The following values are supported:

      0 - Disabled

      1 - Enabled (may only be true if the antenna can be used as a
         receive antenna)

   Combiner:  An 8-bit value specifying the combiner selection.  The
      following values are supported:

      1 - Sectorized (Left)

      2 - Sectorized (Right)

      3 - Omni

      4 - MIMO

   Antenna Count:  An 8-bit value specifying the number of Antenna
      Selection fields.  This value should be the same as the one found
      in the IEEE 802.11 dot11CurrentTxAntenna MIB element (see [6]).

   Antenna Selection:  One 8-bit antenna configuration value per antenna
      in the WTP.  The following values are supported:

      1 - Internal Antenna

      2 - External Antenna

11.10.3.

11.9.3.  IEEE 802.11 Assigned WTP BSSID

   The IEEE 802.11 Assigned WTP BSSID is only included by the WTP when
   the IEEE 802.11 WLAN Config Request included the IEEE 802.11 Add WLAN
   message element.  The value field of this message element contains
   the BSSID that has been assigned by the WTP, which allows the WTP to
   perform its own BSSID assignment.

   The WTP is free to assign the BSSIDs the way it sees fit, but it is
   highly recommended that the WTP assign the BSSID using the following
   algorithm: BSSID = {base BSSID} + WLAN ID.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                             BSSID    Radio ID   |    WLAN ID    |           BSSID
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                             BSSID                             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1026 for IEEE 802.11 Assigned WTP BSSID

   Length:  6

   Radio ID:  An 8-bit value representing the radio.

   WLAN ID:  An 8-bit value specifying the WLAN Identifier.

   BSSID:  The BSSID assigned by the WTP for the WLAN created as a
      result of receiving an IEEE 802.11 Add WLAN.

11.10.4.  IEEE 802.11 Broadcast Probe Mode

   The Broadcast Probe Mode message element indicates whether a WTP will
   respond to NULL SSID probe requests.  Since broadcast NULL probes are
   not sent to a specific BSSID, the WTP cannot know which SSID the
   sending station is querying.  Therefore, this behavior must be global
   to the WTP.

      0
      0 1 2 3 4 5 6 7
     +-+-+-+-+-+-+-+-+
     |    Status     |
     +-+-+-+-+-+-+-+-+

   Type:  1027 for IEEE 802.11 Broadcast Probe Mode

   Length:  1

   Status:  An 8-bit boolean indicating the status of whether a WTP
      shall response to a NULL SSID probe request.  A value of zero
      disables NULL SSID probe response, while a value of one enables
      it.

11.10.5.

11.9.4.  IEEE 802.11 Delete WLAN

   The delete WLAN message element is used to inform the WTP that a
   previously created WLAN is to be deleted.  The value contains the
   following fields:

      0                   1                   2
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    Radio ID   |    WLAN ID    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1028  1027 for IEEE 802.11 Delete WLAN

   Length:  3

   Radio ID:  An 8-bit value representing the radio

   WLAN ID:  A 16-bit  An 8-bit value specifying the WLAN Identifier

11.10.6.

11.9.5.  IEEE 802.11 Direct Sequence Control

   The direct sequence control message element is a bi-directional
   element.  When sent by the WTP, it contains the current state.  When
   sent by the AC, the WTP MUST adhere to the values.  This element is
   only used for 802.11b radios.  The value has the following fields.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Radio ID   |    Reserved   | Current Chan  |  Current CCA  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                    Energy Detect Threshold                    |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1029  1028 for IEEE 802.11 Direct Sequence Control

   Length:  8

   Radio ID:  An 8-bit value representing the radio to configure.

   Reserved:  MUST be set to zero

   Current Channel:  This attribute contains the current operating
      frequency channel of the DSSS PHY.  This value comes from the IEEE
      802.11 dot11CurrentChannel MIB element (see [6]).

   Current CCA:  The current CCA method in operation. operation, whose value can be
      found in the IEEE 802.11 dot11CCAModeSupported MIB element (see
      [6]).  Valid values are:

         1 - energy detect only (edonly)

         2 - carrier sense only (csonly)
         4 - carrier sense and energy detect (edandcs)

         8 - carrier sense with timer (cswithtimer)

         16 - high rate carrier sense and energy detect (hrcsanded)

   Energy Detect Threshold:  The current Energy Detect Threshold being
      used by the DSSS PHY.

11.10.7.  The value can be found in the IEEE 802.11
      dot11EDThreshold MIB element (see [6]).

11.9.6.  IEEE 802.11 Information Element

   The IEEE 802.11 Information Element is used to communicate any IE
   defined in the IEEE 802.11 protocol.  The data field contains the raw
   IE as it would be included within an IEEE 802.11 MAC management
   message.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Radio ID    |    WLAN ID    |B|P|   Flags   | Info Element
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-   |Info Element...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1030  1029 for IEEE 802.11 Information Element

   Length:  >= 2

   Radio ID:  An 8-bit value representing the radio.

   WLAN ID:  An 8-bit value specifying the WLAN Identifier.

   B:  When set, the WTP is to include the information element in
      beacons associated with the WLAN.

   P:  When set, the WTP is to include the information element in probe
      responses associated with the WLAN.

   Flags:  Reserved field and MUST be set to zero.

   Info Element:  The IEEE 802.11 Information Element, which includes
      the type, length and value field.

11.10.8.

11.9.7.  IEEE 802.11 MAC Operation

   The MAC operation message element is sent by the AC to set the 802.11
   MAC parameters on the WTP.  The value contains the following fields.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Radio ID   |    Reserved   |         RTS Threshold         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |  Short Retry  |  Long Retry   |    Fragmentation Threshold    |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                       Tx MSDU Lifetime                        |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                       Rx MSDU Lifetime                        |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1031  1030 for IEEE 802.11 MAC Operation

   Length:  16

   Radio ID:  An 8-bit value representing the radio to configure.

   Reserved:  MUST be set to zero

   RTS Threshold:  This attribute indicates the number of octets in an
      MPDU, below which an RTS/CTS handshake MUST NOT be performed.  An
      RTS/CTS handshake MUST be performed at the beginning of any frame
      exchange sequence where the MPDU is of type Data or Management,
      the MPDU has an individual address in the Address1 field, and the
      length of the MPDU is greater than this threshold.  Setting this
      attribute to be larger than the maximum MSDU size MUST have the
      effect of turning off the RTS/CTS handshake for frames of Data or
      Management type transmitted by this STA.  Setting this attribute
      to zero MUST have the effect of turning on the RTS/CTS handshake
      for all frames of Data or Management type transmitted by this STA.
      The default value of this attribute MUST be 2347.  The value of
      this field comes from the IEEE 802.11 dot11RTSThreshold MIB
      element (see [6]).

   Short Retry:  This attribute indicates the maximum number of
      transmission attempts of a frame, the length of which is less than
      or equal to RTSThreshold, that MUST be made before a failure
      condition is indicated.  The default value of this attribute MUST
      be 7.  The value of this field comes from the IEEE 802.11
      dot11ShortRetryLimit MIB element (see [6]).

   Long Retry:  This attribute indicates the maximum number of
      transmission attempts of a frame, the length of which is greater
      than dot11RTSThreshold, that MUST be made before a failure
      condition is indicated.  The default value of this attribute MUST
      be 4.  The value of this field comes from the IEEE 802.11
      dot11LongRetryLimit MIB element (see [6]).

   Fragmentation Threshold:  This attribute specifies the current
      maximum size, in octets, of the MPDU that MAY be delivered to the
      PHY.  An MSDU MUST be broken into fragments if its size exceeds
      the value of this attribute after adding MAC headers and trailers.
      An MSDU or MMPDU MUST be fragmented when the resulting frame has
      an individual address in the Address1 field, and the length of the
      frame is larger than this threshold.  The default value for this
      attribute MUST be the lesser of 2346 or the aMPDUMaxLength of the
      attached PHY and MUST never exceed the lesser of 2346 or the
      aMPDUMaxLength of the attached PHY.  The value of this attribute
      MUST never be less than 256.  The value of this field comes from
      the IEEE 802.11 dot11FragmentationThreshold MIB element (see [6]).

   Tx MSDU Lifetime:  This attribute speficies the elapsed time in TU,
      after the initial transmission of an MSDU, after which further
      attempts to transmit the MSDU MUST be terminated.  The default
      value of this attribute MUST be 512.  The value of this field
      comes from the IEEE 802.11 dot11MaxTransmitMSDULifetime MIB
      element (see [6]).

   Rx MSDU Lifetime:  This attribute specifies the elapsed time in TU,
      after the initial reception of a fragmented MMPDU or MSDU, after
      which further attempts to reassemble the MMPDU or MSDU MUST be
      terminated.  The default value MUST be 512.

11.10.9.  The value of this
      field comes from the IEEE 802.11 dot11MaxReceiveLifetime MIB
      element (see [6]).

11.9.8.  IEEE 802.11 MIC Countermeasures

   The MIC Countermeasures message element is sent by the WTP to the AC
   to indicate the occurrence of a MIC failure.  See the IEEE 802.11
   dot11RSNATKIPCounterMeasuresInvoked MIB element (see [6]) for more
   info.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Radio ID    |    WLAN ID    |          MAC Address          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          MAC Address                          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1032  1031 for IEEE 802.11 MIC Countermeasures

   Length:  8
   Radio ID:  The Radio Identifier, typically refers to some interface
      index on the WTP.

   WLAN ID:  This 8-bit unsigned integer includes the WLAN Identifier,
      on which the MIC failure occurred.

   MAC Address:  The MAC Address of the mobile station that caused the
      MIC failure.

11.10.10.

11.9.9.  IEEE 802.11 MIC Error Report From Mobile

   The MIC Error Report From IEEE 802.11 Mobile message element accompanies the Add Mobile
   message element, and is sent by an used to deliver IEEE 802.11 station policy
   from the AC to
   an the WTP.

   The latest IEEE 802.11 Mobile message element overrides any
   previously received message elements.

   If the QoS field is set, the WTP when MUST observe and provide policing of
   the 802.11e priority tag to ensure that it receives does not exceed the value
   provided by the AC.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    Radio ID   |        Association ID         |     Flags     |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |          Capabilities         |   WLAN ID     |Supported Rates
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1032 for IEEE 802.11 Mobile

   Length:  >= 8

   Radio ID:  An 8-bit value representing the radio

   Association ID:  A 16-bit value specifying the IEEE 802.11
      Association Identifier

   Flags:  The Flags field MUST be set to zero

   Capabilities:  A 16-bit field containing the IEEE 802.11 Capabilities
      Information Field to use with the mobile.

   WLAN ID:  An 8-bit value specifying the WLAN Identifier
   Supported Rates:  The variable length field containing the supported
      rates to be used with the mobile station, as found in the IEEE
      802.11 dot11OperationalRateSet MIB element (see [6]).

11.9.10.  IEEE 802.11 Mobile Session Key

   The Mobile Session Key Payload message element is sent when the AC
   determines that encryption of a MIC failure notification, via mobile station must be performed in
   the Error WTP.  This message element MUST NOT be present without the IEEE
   802.11 Mobile (see Section 11.9.9) message element, and MUST NOT be
   sent if the WTP had not specifically advertised support for the
   requested encryption scheme.

   The RSN information element MUST sent along with the IEEE 802.11
   Mobile Session Key in order to instruct the WTP on the usage of the
   Key field.  The AKM field of the RSM information element is used by
   the WTP to identify the authentication protocol.

   If the IEEE 802.11 Mobile Session Key message element's AKM-Only bit
   is set, the WTP MUST drop all IEEE 802.11 packets that are not part
   of the AKM (e.g., EAP).  Note that AKM-Only is MAY be set while an
   encryption key is in force, requiring that the EAPOL-Key frame. AKM packets be
   encrypted.  Once the mobile station has successfully completed
   authentication via the AKM, the AC must send a new Add Mobile message
   element to remove the AKM-Only restriction, and optionally push the
   session key down to the WTP.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                       Client                           MAC Address                         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |      Client          MAC Address          |A|C|           Flags           |             BSSID
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Pairwise TSC                          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                             BSSID         Pairwise TSC          |         Pairwise RSC          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |   Radio ID                         Pairwise RSC                          |    WLAN ID
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+    Key...
       +-+-+-+-+-+-+-+-

   Type:  1033 for IEEE 802.11 MIC Error Report From Mobile Session Key
   Length:  14

   Client  >= 25

   MAC Address:  The Client mobile station's MAC Address

   Flags:  A 16 bit field, whose unused bits MUST be set to zero.  The
      following bits are defined:

      A:  The one bit AKM-Only field is set by the AC to inform the WTP
         that is MUST NOT accept any 802.11 data frames, other than AKM
         frames.  This is the equivalent of the WTP's IEEE 802.1X port
         for the mobile station reporting to be in the MIC failure.

   BSSID:  The BSSID on which closed state.  When set,
         the MIC failure is being reported.

   Radio ID: WTP MUST drop any non-IEEE 802.1X packets it receives from
         the mobile station.

      C:  The Radio Identifier, typically refers one bit field is set by the AC to some interface
      index inform the WTP that
         encryption services will be provided by the AC.  When set, the
         WTP SHOULD police frames received from stations to ensure that
         are properly encrypted as specified in the RSN Information
         Element, but does not need to take specific cryptographic
         action on the frame.  Similarly, for transmitted frames, the
         WTP

   WLAN ID: only needs to forward already encrypted frames.

   Pairwise TSC:  The WLAN ID on which 6 byte Transmit Sequence Counter (TSC) field to
      use for unicast packets transmitted to the MIC failure mobile.

   Pairwise RSC:  The 6 byte Receive Sequence Counter (RSC) to use for
      unicast packets received from the mobile.

   Key:  The key the WTP is being reported.

11.10.11. to use when encrypting traffic to/from the
      mobile station.  For dynamically created keys, this is commonly
      known as a Pairwise Transient Key (PTK).

11.9.11.  IEEE 802.11 Mobile Multi-Domain Capability

   The IEEE 802.11 Mobile multi-domain capability message element accompanies the Add Mobile
   message element, and is used to deliver IEEE 802.11 station policy
   from by the AC to
   inform the WTP. WTP of regulatory limits.  The latest IEEE 802.11 Mobile AC will transmit one
   message element overrides any
   previously received message elements.

   If the QoS field is set, the WTP MUST observe and provide policing of
   the 802.11e priority tag per frequency band to ensure that it does not exceed indicate the regulatory
   constraints in that domain.  The value
   provided by contains the AC. following fields.

         0                   1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Radio ID   |        Association ID    Reserved   |     Flags        First Channel #        |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          Capabilities       Number of Channels      |       Max Tx Power Level      |   WLAN ID     |Supported Rates
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Type:  1034 for Add IEEE 802.11 Mobile Multi-Domain Capability

   Length:  >=  8

   Radio ID:  An 8-bit value representing the radio

   Association ID:  A 16-bit value specifying the IEEE 802.11
      Association Identifier

   Flags:  The Flags field to configure.

   Reserved:  MUST be set to zero

   Capabilities:  A 16-bit field containing the IEEE 802.11 capabilities
      to use with

   First Channnel #:  This attribute indicates the mobile.

   WLAN ID:  An 8-bit value specifying of the WLAN Identifier

   Supported Rates: lowest
      channel number in the subband for the associated domain country
      string.  The variable length value of this field containing the supported
      rates to be used with comes from the mobile station.

11.10.12. IEEE 802.11 Mobile Session Key

   The Mobile Session Key Payload message
      dot11FirstChannelNumber MIB element is sent when (see [6]).

   Number of Channels:  This attribute indicates the AC
   determines that encryption value of a mobile station must be performed the total
      number of channels allowed in the WTP.  This message element MUST NOT be present without subband for the associated
      domain country string.  The value of this field comes from the
      IEEE 802.11 Mobile dot11NumberofChannels MIB element (see Section 11.10.11) message element, and MUST NOT be
   sent if [6]).

   Max Tx Power Level:  This attribute indicates the WTP had not specifically advertised support maximum transmit
      power, in dBm, allowed in the subband for the
   requested encryption scheme.

   If associated domain
      country string.  The value of this field comes from the IEEE
      802.11 Mobile Session Key message element's EAP-Only bit
   is set, the WTP MUST drop all dot11MaximumTransmitPowerLevel MIB element (see [6]).

11.9.12.  IEEE 802.11 packets that do not contain
   EAP packets.  Note that when EAP-Only is set, the Encryption Policy
   field MAY be set, and therefore it OFDM Control

   The OFDM control message element is possible to inform a WTP to
   only accept encrypted EAP packets.  Once bi-directional element.  When
   sent by the mobile station has
   successfully completed EAP authentication, WTP, it contains the AC must send a new Add
   Mobile message element to remove current state.  When sent by the EAP Only restriction, and
   optionally push AC,
   the session key down WTP MUST adhere to the WTP. values.  This element is only used for
   802.11a radios.  The value contains the following fields:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                           MAC Address                         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          MAC Address          |E|C|           Flags           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                        Encryption Policy                      |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Pairwise TSC    Radio ID   |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+    Reserved   |         Pairwise TSC Current Chan  |         Pairwise RSC  Band Support |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Pairwise RSC                         TI Threshold                          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       | Session Key...
       +-+-+-+-+-+-+-+-

   Type:  1035 for IEEE 802.11 Mobile Session Key OFDM Control

   Length:  >= 25

   MAC Address:  The mobile station's MAC Address

   Flags:  A 16 bit field, whose unused bits  8

   Radio ID:  An 8-bit value representing the radio to configure.

   Reserved:  MUST be set to zero.  The
      following bits are defined:

      E:  The one bit EAP-Only field is set by the AC to inform the WTP
         that is MUST NOT accept any 802.11 data frames, other than IEEE
         802.1X frames. zero
   Current Channel:  This is attribute contains the equivalent current operating
      frequency channel of the WTP's OFDM PHY.  The value of this field comes
      from the IEEE 802.1X
         port for 802.11 dot11CurrentFrequency MIB element (see [6]).

   Band Supported:  The capability of the mobile station OFDM PHY implementation to be
      operate in the closed state.  When
         set, the WTP MUST drop any non-IEEE 802.1X packets it receives three U-NII bands.  The value of this field comes
      from the mobile station.

      C:  The one IEEE 802.11 dot11FrequencyBandsSupported MIB element (see
      [6]), coded as an integer value of a three bit field is set by the AC to inform as follows:

         capable of operating in the WTP that
         encryption services will be provided by lower (5.15-5.25 GHz) U-NII band

         capable of operating in the AC.  When set, middle (5.25-5.35 GHz) U-NII band

         capable of operating in the
         WTP SHOULD police frames received from stations to ensure that
         they comply to upper (5.725-5.825 GHz) U-NII band

      For example, for an implementation capable of operating in the stated encryption policy, but does not need
         to
      lower and mid bands this attribute would take specific cryptographic action on the frame.  Similarly,
         for transmitted frames, the WTP only needs to forward already
         encrypted frames.

   Encryption Policy: value 3.

   TI Threshold:  The policy field informs the WTP how Threshold being used to handle
      packets from/to detect a busy medium
      (frequency).  CCA MUST report a busy medium upon detecting the mobile station.
      RSSI above this threshold.  The following values are
      supported:

      0 - Encrypt WEP 104: All packets to/from the mobile station must
         be encrypted using standard 104 bit WEP.

      1 - Clear Text: All packets to/from value of this field comes from the mobile station do not
         require any additional crypto processing
      IEEE 802.11 dot11TIThreshold MIB element (see [6]).

11.9.13.  IEEE 802.11 Rate Set

   The rate set message element value is sent by the WTP.

      2 - Encrypt WEP 40: All packets to/from AC and contains the mobile station must be
         encrypted using standard 40 bit WEP.

      3 - Encrypt WEP 128: All packets to/from
   supported operational rates.  It contains the mobile station must
         be encrypted using standard 128 bit WEP. following fields.

         0                   1                   2                   3
         0 1 2 3 4 - Encrypt AES-CCMP 128: All packets to/from the mobile station
         must be encrypted using 128 bit AES CCMP [7] 5 - Encrypt TKIP-MIC: All packets to/from the mobile station must
         be encrypted using TKIP and authenticated using Michael [24]

   Pairwise TSC:  The 6 byte Transmit Sequence Counter (TSC) field to
      use for unicast packets transmitted to the mobile.

   Pairwise RSC:  The 7 8 9 0 1 2 3 4 5 6 byte Receive Sequence Counter (RSC) to use 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Radio ID   |                 Rate Set...
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1036 for
      unicast packets received from IEEE 802.11 Rate Set

   Length:  >= 3

   Radio ID:  An 8-bit value representing the mobile.

   Session Key: radio to configure.

   Rate Set:  The session key AC generates the Rate Set that the WTP is to use when encrypting
      traffic to/from the mobile station.  For dynamically created keys, include
      in it's Beacon and Probe messages.  The length of this field is commonly known as a Pairwise Transient Key (PTK).

11.10.13.
      between 2 and 8 bytes.  The value of this field comes from the
      IEEE 802.11 Multi-domain Capability dot11OperationalRateSet MIB element (see [6]).

11.9.14.  IEEE 802.11 RSNA Error Report From Mobile

   The multi-domain capability RSN Error Report From Mobile message element is used sent by the an AC to
   inform
   an WTP to send RSN error reports to the AC.  The WTP of regulatory limits. does not need to
   transmit any reports that do not include any failures.  The value contains fields
   from this message element comes from the
   following fields. IEEE 802.11
   Dot11RSNAStatsEntry table (see [6]).

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                       Client MAC Address                      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |      Client MAC Address       |             BSSID             |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                             BSSID                             |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Radio ID    |    WLAN ID    |           Reserved            |        First Channel #
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                        TKIP ICV Errors                        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |       Number of Channels                    TKIP Local MIC Failures                    |       Max Tx Power Level
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                   TKIP Remote MIC Failures                    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          CCMP Replays                         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                        CCMP Decrypt Errors                    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          TKIP Replays                         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1036  1037 for IEEE 802.11 Multi-Domain Capability RSNA Error Report From Mobile

   Length:  8  14

   Client MAC Address:  The Client MAC Address of the station.

   BSSID:  The BSSID on which the failures are being reported on.

   Radio ID:  An 8-bit value representing the radio to configure.

   Reserved:  MUST be set  The Radio Identifier, typically refers to zero

   First Channnel #:  This attribute indicates some interface
      index on the WTP

   WLAN ID:  The WLAN ID on which the RSNA failures are being reported.

   TKIP ICV Errors:  A 32-bit value of representing the lowest
      channel number in the subband for the associated domain country
      string.

   Number of Channels:  This attribute indicates TKIP ICV
      errors encountered when decrypting packets from the station.  The
      value of this field comes from the IEEE 802.11
      dot11RSNAStatsTKIPICVErrors MIB element (see [6]).

   TKIP Local MIC Failures:  A 32-bit value representing the total number of channels allowed in the subband for the associated
      domain country string.

   Max Tx Power Level:  This attribute indicates
      MIC failures encountered when checking the maximum transmit
      power, in dBm, allowed in integrity of packets
      received from the subband for station.  The value of this field comes from the associated domain
      country string.

11.10.14.
      IEEE 802.11 OFDM Control

   The OFDM control message dot11RSNAStatsTKIPLocalMICFailures MIB element is a bi-directional element.  When
   sent by the WTP, it contains (see
      [6]).

   TKIP Remote MIC Failures:  A 32-bit value representing the current state.  When sent number of
      MIC failures reported by the AC,
   the WTP MUST adhere to station encountered (possibly via the values.  This element is only used for
   802.11a radios.
      EAPOL-Key frame).  The value contains of this field comes from the following fields:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Radio ID   |    Reserved   | Current Chan  |  Band Support |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         TI Threshold                          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1037 for IEEE
      802.11 OFDM Control

   Length:  8

   Radio ID:  An 8-bit dot11RSNAStatsTKIPRemoteMICFailures MIB element (see [6]).

   CCMP Replays:  A 32-bit value representing the radio to configure.

   Reserved:  MUST be set to zero

   Current Channel:  This attribute contains the current operating
      frequency channel number of CCMP MPDUs
      discarded by the OFDM PHY.

   Band Supported: replay detection mechanism.  The capability value of this
      field comes from the OFDM PHY implementation to
      operate in IEEE 802.11 dot11RSNACCMPReplays MIB element
      (see [6]).

   CCMP Decrypt Errors:  A 32-bit value representing the three U-NII bands.  Coded as an integer number of CCMP
      MDPUs discarded by the decryption algorithm.  The value of a
      three bit this
      field as follows:

         capable of operating in comes from the lower (5.15-5.25 GHz) U-NII band
         capable of operating in IEEE 802.11 dot11RSNACCMPDecryptErrors MIB
      element (see [6]).

   TKIP Replays:  A 32-bit value representing the middle (5.25-5.35 GHz) U-NII band

         capable number of operating TKIP Replays
      detected in frames received from the upper (5.725-5.825 GHz) U-NII band

      For example, for an implementation capable station.  The value of operating in the
      lower and mid bands this attribute would take
      field comes from the value

   TI Threshold: IEEE 802.11 dot11RSNAStatsTKIPReplays MIB
      element (see [6]).

11.9.15.  IEEE 802.11 Station QoS Profile

   The Threshold being Station QoS Profile Payload message element contains the maximum
   IEEE 802.11e priority tag that may be used to detect a busy medium
      (frequency).  CCA MUST report a busy medium upon detecting by the
      RSSI above station.  Any
   packet received that exceeds the value encoded in this threshold.

11.10.15.  IEEE 802.11 Rate Set

   The rate set message
   element must either be dropped or tagged using the maximum value is sent
   permitted by to the AC user.  The priority tag must be between zero (0)
   and contains the
   supported operational rates.  It contains the following fields. seven (7).

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Radio ID                           MAC Address                         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          MAC Address          |     802.1P Precedence Tag     |                 Rate Set...
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Type:  1038 for IEEE 802.11 Rate Set Station QOS Profile

   Length:  >= 3

   Radio ID:  An 8-bit value representing the radio to configure.

   Rate Set:  8

   MAC Address:  The AC generates the Rate Set mobile station's MAC Address

   802.1P Precedence Tag:  The maximum 802.1P precedence value that the
      WTP is to include will allow in it's Beacon and Probe messages.  The length of this the TID field is
      between 2 and 8 bytes.

11.10.16. in the extended 802.11e QOS Data
      header.

11.9.16.  IEEE 802.11 Statistics

   The statistics message element is sent by the WTP to transmit it's
   current statistics.  The value contains the following fields.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Radio ID   |                   Reserved                    |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                       Tx Fragment Count                       |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                       Multicast Tx Count                      |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                          Failed Count                         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                          Retry Count                          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                      Multiple Retry Count                     |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                     Frame Duplicate Count                     |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                       RTS Success Count                       |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                       RTS Failure Count                       |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                       ACK Failure Count                       |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                       Rx Fragment Count                       |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                       Multicast RX Count                      |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                        FCS Error  Count                       |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                        Tx Frame Count                         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                       Decryption Errors                       |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                  Discarded QoS Fragment Count                 |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                    Associated Station Count                   |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                  QoS CF Polls Received Count                  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                   QoS CF Polls Unused Count                   |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                  QoS CF Polls Unusable Count                  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Type:  1039 for IEEE 802.11 Statistics

   Length:  60

   Radio ID:  An 8-bit value representing the radio.

   Tx Fragment Count:  A 32-bit value representing the number of
      fragmented frames transmitted.  The value of this field comes from
      the IEEE 802.11 dot11TransmittedFragmentCount MIB element (see
      [6]).

   Multicast Tx Count:  A 32-bit value representing the number of
      multicast frames transmitted.  The value of this field comes from
      the IEEE 802.11 dot11MulticastTransmittedFrameCount MIB element
      (see [6]).

   Failed Count:  A 32-bit value representing the transmit excessive
      retries. transmit excessive
      retries.  The value of this field comes from the IEEE 802.11
      dot11FailedCount MIB element (see [6]).

   Retry Count:  A 32-bit value representing the number of transmit
      retries.  The value of this field comes from the IEEE 802.11
      dot11RetryCount MIB element (see [6]).

   Multiple Retry Count:  A 32-bit value representing the number of
      transmits that required more than one retry.  The value of this
      field comes from the IEEE 802.11 dot11MultipleRetryCount MIB
      element (see [6]).

   Frame Duplicate Count:  A 32-bit value representing the duplicate
      frames received.  The value of this field comes from the IEEE
      802.11 dot11FrameDuplicateCount MIB element (see [6]).

   RTS Success Count:  A 32-bit value representing the number of
      successfully transmitted Ready To Send (RTS).  The value of this
      field comes from the IEEE 802.11 dot11RTSSuccessCount MIB element
      (see [6]).

   RTS Failure Count:  A 32-bit value representing the failed
      transmitted RTS.  The value of this field comes from the IEEE
      802.11 dot11RTSFailureCount MIB element (see [6]).

   ACK Failure Count:  A 32-bit value representing the number of failed
      acknowledgements.  The value of this field comes from the IEEE
      802.11 dot11ACKFailureCount MIB element (see [6]).

   Rx Fragment Count:  A 32-bit value representing the number of
      fragmented frames received.  The value of this field comes from
      the IEEE 802.11 dot11ReceivedFragmentCount MIB element (see [6]).

   Multicast RX Count:  A 32-bit value representing the number of
      multicast frames received.  The value of this field comes from the
      IEEE 802.11 dot11MulticastReceivedFrameCount MIB element (see
      [6]).

   FCS Error Count:  A 32-bit value representing the number of FCS
      failures.  The value of this field comes from the IEEE 802.11
      dot11FCSErrorCount MIB element (see [6]).

   Decryption Errors:  A 32-bit value representing the number of
      Decryption errors that occurred on the WTP.  Note that this field
      is only valid in cases where the WTP provides encryption/
      decryption services.

11.10.17.  The value of this field comes from the IEEE
      802.11 dot11WEPUndecryptableCount MIB element (see [6]).

   Discarded QoS Fragment Count:  A 32-bit value representing the number
      of discarded QoS fragments received.  The value of this field
      comes from the IEEE 802.11 dot11QoSDiscardedFragmentCount MIB
      element (see [6]).

   Associated Station Count:  A 32-bit value representing the number of
      number of associated stations.  The value of this field comes from
      the IEEE 802.11 dot11AssociatedStationCount MIB element (see [6]).

   QoS CF Polls Received Count:  A 32-bit value representing the number
      of (+)CF-Polls received.  The value of this field comes from the
      IEEE 802.11 dot11QosCFPollsReceivedCount MIB element (see [6]).

   QoS CF Polls Unused Count:  A 32-bit value representing the number of
      (+)CF-Polls that have been received, but not used.  The value of
      this field comes from the IEEE 802.11 dot11QosCFPollsUnusedCount
      MIB element (see [6]).

   QoS CF Polls Unusable Count:  A 32-bit value representing the number
      of (+)CF-Polls that have been received, but could not be used due
      to the TXOP size being smaller than the timethat is required for
      one frame exchange sequence.  The value of this field comes from
      the IEEE 802.11 dot11QosCFPollsUnusableCount MIB element (see
      [6]).

11.9.17.  IEEE 802.11 Supported Rates

   The supported rates message element is sent by the WTP to indicate
   the rates that it supports.  The value contains the following fields.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Radio ID   |               Supported Rates...
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1040 for IEEE 802.11 Supported Rates

   Length:  >= 3

   Radio ID:  An 8-bit value representing the radio.

   Supported Rates:  The WTP includes the Supported Rates that its
      hardware supports.  The format is identical to the Rate Set
      message element and is between 2 and 8 bytes in length.

11.10.18.

11.9.18.  IEEE 802.11 Tx Power

   The Tx power message element value is bi-directional.  When sent by
   the WTP, it contains the current power level of the radio in
   question.  When sent by the AC, it contains the power level the WTP
   MUST adhere to.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Radio ID   |    Reserved   |        Current Tx Power       |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1041 for IEEE 802.11 Tx Power

   Length:  4

   Radio ID:  An 8-bit value representing the radio to configure.

   Reserved:  MUST be set to zero

   Current Tx Power:  This attribute contains the transmit output power
      in mW.

11.10.19.

11.9.19.  IEEE 802.11 Tx Power Level

   The Tx power level message element is sent by the WTP and contains
   the different power levels supported.  The values found in this
   message element are found in the IEEE 802.11 Dot11PhyTxPowerEntry MIB
   table (see (see [6]).

   The value field contains the
   following fields. following:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Radio ID   |   Num Levels  |        Power Level [n]        |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1042 for IEEE 802.11 Tx Power Level

   Length:  >= 4

   Radio ID:  An 8-bit value representing the radio to configure.

   Num Levels:  The number of power level attributes.  The value of this
      field comes from the IEEE 802.11 dot11NumberSupportedPowerLevels
      MIB element (see [6]).

   Power Level:  Each power level fields contains a supported power
      level, in mW.

11.10.20.  The value of this field comes from the
      corresponding IEEE 802.11 dot11TxPowerLevel[n] MIB element (see
      [6]).

11.9.20.  IEEE 802.11 Update Mobile QoS

   The Update Mobile QoS message element is used to change the Quality
   of Service policy on the WTP for a given mobile station.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Radio ID    |                  MAC Address                  |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |          MAC Address          |   DSCP Tag    |  802.1P Tag   |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1043 for IEEE 802.11 Update Mobile QoS

   Length:  8

   Radio ID:  The Radio Identifier, typically refers to some interface
      index on the WTP

   MAC Address:  The mobile station's MAC Address.

   DSCP Tag:  The DSCP label to use if packets are to be DSCP tagged.

   802.1P Tag:  The 802.1P precedence value to use if packets are to be
      IEEE 802.1P tagged.

11.10.21.

11.9.21.  IEEE 802.11 Update WLAN

   The Update WLAN message element is used by the AC to define a
   wireless LAN on the WTP.  The inclusion of this message element MUST
   also include the IEEE 802.11 Information Element message element,
   containing the following 802.11 IEs:

   Power Capability information element

   WPA information element

   RSN information element

   EDCA Parameter Set information element

   QoS Capability information element

   WMM information element

   The message element uses the following format:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Radio ID   |             WLAN ID           |Encrypt Policy |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                      Encryption Policy        |     Key...    |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                             Key ...                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |   Key Index   |   Shared Key  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1044 for IEEE 802.11 Update WLAN

   Length:  43

   Radio ID:  An 8-bit value representing the radio.

   WLAN ID:  A 16-bit value specifying the WLAN Identifier.

   Encryption Policy:  A 32-bit value specifying the encryption scheme
      to apply to traffic to and from the mobile station.  The
      applicability of the encryption policy depends upon the security
      policy.  For static WEP keys, which is true when the 'Shared Key'
      bit is set, this encryption policy is relevant for both unicast
      and multicast traffic.  For encryption schemes that employ a
      separate encryption key for unicast and multicast traffic, the
      encryption policy defined here only applies to multicast data.  In
      these scenarios, the unicast encryption policy is communicated via
      the Add Mobile Station (Section 4.4.8).

      The following values are supported:

      0 - Encrypt WEP 104: All packets to/from the mobile station must
         be encrypted using standard 104 bit WEP.

      1 - Clear Text: All packets to/from the mobile station do not
         require any additional crypto processing by the WTP. 9 0 1 2 - Encrypt WEP 40: All packets to/from the mobile station must be
         encrypted using standard 40 bit WEP. 3 - Encrypt WEP 128: All packets to/from the mobile station must
         be encrypted using standard 128 bit WEP. 4 - Encrypt AES-CCMP 128: All packets to/from the mobile station
         must be encrypted using 128 bit AES CCMP [7] 5 - Encrypt TKIP-MIC: All packets to/from 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Radio ID   |     WLAN ID   |           Capability          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |   Key Index   |   Key Status  |           Key Length          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                             Key...                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1044 for IEEE 802.11 Update WLAN

   Length:  43

   Radio ID:  An 8-bit value representing the mobile station must
         be encrypted using TKIP and authenticated using Michael [24]

   Key: radio.

   WLAN ID:  An 8-bit value specifying the WLAN Identifier.

   Capability:  A 32 byte Session Key 16-bit value containing the capabilities information
      field to use with be advertised by the encryption policy. WTP within the Probe and Beacon
      messages.

   Key-Index:  The Key Index associated with the key.

   Key Status:  A 1 byte value that specifies the state and usage of the
      key that has been included.  The following values describe the key
      usage and its status:

   0 - A value of zero, with the 'Encryption Policy' field set to any
      value other than 'Clear Text' inclusion of the RSN Information
      Element means that the WLAN uses per-station encryption keys, and
      therefore the key in the 'Key' field is only used for multicast
      traffic.

   1 - When set to one, the WLAN employs a shared WEP key, also known as
      a static WEP key, and uses the encryption key for both unicast and
      multicast traffic for all stations.

   2 - The value of 2 indicates that the AC will begin rekeying the GTK
      with the STA's in the BSS.  It is only valid when IEEE 802.11i is
      enabled as the security policy for the BSS.

   3 - The value of 3 indicates that the AC has completed rekeying the
      GTK and broadcast packets no longer need to be duplicated and
      transmitted with both GTK's.

11.10.22.

   Key Length:  A 16-bit value representing the length of the Key field.

   Key:  A 32 byte Session Key to use to provide data privacy.  For
      static WEP keys, which is true when the 'Key Status' bit is set to
      one, this key is used for both unicast and multicast traffic.  For
      encryption schemes that employ a separate encryption key for
      unicast and multicast traffic, the key included hereonly applies
      to multicast data, and the cipher suite is specified in an
      accompanied RSN Information Element.  In these scenarios, the key,
      and cipher information, is communicated via the Add Mobile Station
      (Section 4.4.8).

11.9.22.  IEEE 802.11 WTP Quality of Service

   The WTP Quality of Service message element value is sent by the AC to
   the WTP to communicate quality of service configuration information.

      0                   1
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Radio ID    |  Tag Packets  |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Type:  1045 for IEEE 802.11 WTP Quality of Service

   Length:  >= 2

   Radio ID:  The Radio Identifier, typically refers to some interface
      index on the WTP

   Tag Packets:  An value indicating whether CAPWAP packets should be
      tagged with for QoS purposes.  The following values are currently
      supported:

      0 - Untagged

      1 - 802.1P

      2 - DSCP

      Immediately following the above header is the following data
      structure.  This data structure will be repeated five times; once
      for every QoS profile.  The order of the QoS profiles are Voice,
      Video, Best Effort and Background.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |  Queue Depth  |             CWMin             |     CWMax     |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     CWMax     |     AIFS      |   Dot1P Tag   |   DSCP Tag    |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Queue Depth:  The number of packets that can be on the specific QoS
      transmit queue at any given time.

   CWMin:  The Contention Window minimum value for the QoS transmit
      queue.  The value of this field comes from the IEEE 802.11
      dot11EDCATableCWMin MIB element (see [6]).

   CWMax:  The Contention Window maximum value for the QoS transmit
      queue.  The value of this field comes from the IEEE 802.11
      dot11EDCATableCWMax MIB element (see [6]).

   AIFS:  The Arbitration Inter Frame Spacing to use for the QoS
      transmit queue.  The value of this field comes from the IEEE
      802.11 dot11EDCATableAIFSN MIB element (see [6]).

   Dot1P Tag:  The 802.1P precedence value to use if packets are to be
      802.1P tagged.

   DSCP Tag:  The DSCP label to use if packets are to be DSCP tagged.

11.10.23.  IEEE 802.11 WTP Radio Fail Alarm Indication

   The WTP Radio Fail Alarm Indication message element is sent by the
   WTP to the AC when it detects a radio failure.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Radio ID    |     Type      |    Status     |      Pad      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1046 for WTP Radio Fail Alarm Indication

   Length:  4

   Radio ID:  The Radio Identifier, typically refers to some interface
      index on the WTP

   Type:  The type of radio failure detected.  The following values are
      supported:

      1 - Receiver

      2 - Transmitter

   Status:  An 8-bit boolean indicating whether the radio failure is
      being reported or cleared.  A value of zero is used to clear the
      event, while a value of one is used to report the event.

   Pad:  Reserved field MUST be set to zero (0).

11.10.24.

11.9.23.  IEEE 802.11 WTP Radio Configuration

   The WTP WLAN radio configuration is used by the AC to configure a
   Radio on the WTP, and by the WTP to deliver its radio configuration
   to the AC.  The message element value contains the following fields:

         0                   1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |    Radio ID   |    Reserved   |   |Short Preamble| Num of BSSIDs |  DTIM Period  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                            BSSID                              |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |          BSSID                |      Beacon Period            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Country Code                          |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  1047  1046 for IEEE 802.11 WTP WLAN Radio Configuration

   Length:  16

   Radio ID:  An 8-bit value representing the radio to configure.

   Reserved:  MUST be set to zero

   Short Preamble:  An 8-bit value indicating whether short preamble is
      supported.  The following values are currently supported:

      0 - Short preamble not supported.

      1 - Short preamble is supported.

   BSSID:  The WLAN Radio's base MAC Address.

   Number of BSSIDs:  This attribute contains the maximum number of
      BSSIDs supported by the WTP.  This value restricts the number of
      logical networks supported by the WTP, and is between 1 and 16.

   DTIM Period:  This attribute specifies the number of beacon intervals
      that elapse between transmission of Beacons frames containing a
      TIM element whose DTIM Count field is 0.  This value is
      transmitted in the DTIM Period field of Beacon frames.  The value
      of this field comes from the IEEE 802.11 dot11DTIMPeriod MIB
      element (see [6]).

   Beacon Period:  This attribute specifies the number of TU that a
      station uses for scheduling Beacon transmissions.  This value is
      transmitted in Beacon and Probe Response frames.  The value of
      this field comes from the IEEE 802.11 dot11BeaconPeriod MIB
      element (see [6]).

   Country Code:  This attribute identifies the country in which the
      station is operating.  The value of this field comes from the IEEE
      802.11 dot11CountryString MIB element (see [6]).  Special
      attention is required with use of this field, as implementations
      which take action based on this field could violate regulatory
      requirements.  Some regulatory bodies do permit configuration of
      the country code under certain restrictions, such as the FCC, when
      WTPs are certified as Software Defined Radios.

      The WTP and AC may ignore the value of this field, depending upon
      regulatory requirements, for example to avoid classification as a
      Software Defined Radio.  When this field is used, the first two
      octets of this string is the two character country code as
      described in document ISO/IEC 3166- 1, and the third octet MUST
      have the value 1, 2 or 3 as defined below.  When the value of the
      third octet is 255, the country code field is not used, and MUST
      be ignored ignored.

      1  an ASCII space character, if the regulations under which the
         station is operating encompass all environments in the country,

      2  an ASCII 'O' character, if the regulations under which the
         station is operating are for an outdoor environment only, or

      3  an ASCII 'I' character, if the regulations under which the
         station is operating are for an indoor environment only

      255 Country Code field is not used; ignore the field.

11.10.25.  Station QoS Profile

11.9.24.  IEEE 802.11 WTP Radio Fail Alarm Indication

   The Station QoS Profile Payload WTP Radio Fail Alarm Indication message element contains the maximum
   IEEE 802.11e priority tag that may be used is sent by the station.  Any
   packet received that exceeds the value encoded in this message
   element must either be dropped or tagged using the maximum value
   permitted by
   WTP to the user.  The priority tag must be between zero (0)
   and seven (7). AC when it detects a radio failure.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                           MAC Address   Radio ID    |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+     Type      |          MAC Address    Status     |     802.1P Precedence Tag      Pad      |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Type:  1048  1047 for IEEE 802.11 Station QOS Profile WTP Radio Fail Alarm Indication

   Length:  8

   MAC Address:  4

   Radio ID:  The mobile station's MAC Address
   802.1P Precedence Tag: Radio Identifier, typically refers to some interface
      index on the WTP

   Type:  The maximum 802.1P precedence type of radio failure detected.  The following values are
      supported:

      1 - Receiver

      2 - Transmitter

   Status:  An 8-bit boolean indicating whether the radio failure is
      being reported or cleared.  A value that of zero is used to clear the
      WTP will allow in
      event, while a value of one is used to report the TID event.

   Pad:  Reserved field in the extended 802.11e QOS Data
      header.

11.11. MUST be set to zero (0).

11.10.  Technology Specific Message Element Values

   This section lists IEEE 802.11 specific values for any generic CAPWAP
   message elements which include fields whose values are technology
   specific.

   IEEE 802.11 uses the following values:

   4 - Encrypt AES-CCMP 128:  WTP supports AES-CCMP, as defined in [7].

   5 - Encrypt TKIP-MIC:  WTP supports TKIP and Michael, as defined in
      [24].

12.  NAT Considerations

   There are two specific situations in which a NAT system may be used
   in conjunction with a CAPWAP-enabled system.  The first consists of a
   configuration where the WTP is behind a NAT system.  Given that all
   communication is initiated by the WTP, and all communication is
   performed over IP using two UDP ports, the protocol easily traverses
   NAT systems in this configuration.

   The second configuration is one where the AC sits behind a NAT.  Two
   issues exist in this situation.  First, an AC communicates its
   interfaces, and associated WTP load on these interfaces, through the
   WTP Manager Control IP Address.  This message element is currently
   mandatory, and if NAT compliance became an issue, it would be
   possible to either:

   1. Make the WTP Manager Control IP Address optional, allowing the WTP
      to simply use the known IP Address.  However, note that this
      approach would eliminate the ability to perform load balancing of
      WTP across ACs, and therefore is not the recommended approach.

   2. Allow an AC to be able to configure a NAT'ed address for every
      associated AC that would generally be communicated in the WTP
      Manager Control IP Address message element.

   3. Require that if a WTP determines that the AC List message element
      consists of a set of IP Addresses that are different from the AC's
      IP Address it is currently communicating with, then assume that
      NAT is being enforced, and require that the WTP communicate with
      the original AC's IP Address (and ignore the WTP Manager Control
      IP Address message element(s)). element(s).

   Another issue related to having an AC behind a NAT system is CAPWAP's
   support for the CAPWAP Objective to allow the control and data plane
   to be separated.  In order to support this requirement, the CAPWAP
   protocol defines the WTP Manager Data IP Address message element,
   which allows the AC to inform the WTP that the CAPWAP data frames are
   to be forwarded to a separate IP Address.  This feature MUST be
   disabled when an AC is behind a NAT.  However, there is no easy way
   to provide some default mechanism that satisfies both the data/
   control separation and NAT objectives, as they directly conflict with
   each other.  As a consequence, user intervention will be required to
   support such networks.

   The CAPWAP protocol allows for all of the ACs identities supporting a
   group of WTPs to be communicated through the AC List message element.
   This feature must be disabled when the AC is behind a NAT and the IP
   Address that is embedded would be invalid.

   The CAPWAP protocol has a feature that allows an AC to configure a
   static IP address on a WTP.  The WTP Static IP Address Information
   message element provides such a function, however this feature SHOULD
   NOT be used in NAT'ed environments, unless the administrator is
   familiar with the internal IP addressing scheme within the WTP's
   private network, and does not rely on the public address seen by the
   AC.

   When a WTP detects the duplicate address condition, it generates a
   message to the AC, which includes the Duplicate IP Address message
   element.  The IP Address embedded within this message element is
   different from the public IP address seen by the AC.

13.  Security Considerations

   This section describes security considerations for the CAPWAP
   protocol.  It also provides security recommendations for protocols
   used in conjunction with CAPWAP.

13.1.  CAPWAP Security

   As it is currently specified, the CAPWAP protocol sits between the
   security mechanisms specified by the wireless link layer protocol
   (e.g.IEEE 802.11i) and AAA.  One goal of CAPWAP is to bootstrap trust
   between the STA and WTP using a series of preestablished trust
   relationships:

         STA            WTP           AC            AAA
         ==============================================

                            DTLS Cred     AAA Cred
                         <------------><------------->

                         EAP Credential
          <------------------------------------------>

           wireless link layer
           (e.g.802.11 PTK)
          <--------------> or
          <--------------------------->
              (derived)

   Within CAPWAP, DTLS is used to secure the link between the WTP and
   AC.  In addition to securing control messages, it's also a link in
   this chain of trust for establishing link layer keys.  Consequently,
   much rests on the security of DTLS.

   In some CAPWAP deployment scenarios, there are two channels between
   the WTP and AC: the control channel, carrying CAPWAP control
   messages, and the data channel, over which client data packets are
   tunneled between the AC and WTP.  Typically, the control channel is
   secured by DTLS, while the data channel is not.  In the remote WTP
   with local MAC deployment scenario, there is only one channel (a
   control channel) between the AC and WTP.

   The use of parallel protected and unprotected channels deserves
   special consideration, but does not create a threat.  There are two
   potential concerns: attempting to convert protected data into un-
   protected data and attempting to convert un-protected data into
   protected data.  These concerns are addressed below.

13.1.1.  Converting Protected Data into Unprotected Data

   Since CAPWAP does not support authentication-only ciphers (i.e. all
   supported ciphersuites include encryption and authentication), it is
   not possible to convert protected data into unprotected data.  Since
   encrypted data is (ideally) indistinguishable from random data, the
   probability of an encrypted packet passing for a well-formed packet
   is effectively zero.

13.1.2.  Converting Unprotected Data into Protected Data (Insertion)

   The use of message authentication makes it impossible for the
   attacker to forge protected records.  This makes conversion of
   unprotected records to protected records impossible.

13.1.3.  Deletion of Protected Records

   An attacker could remove protected records from the stream, though
   not undetectably so, due the built-in reliability of the underlying
   CAPWAP protocol.  In the worst case, the attacker would remove the
   same record repeatedly, resulting in a CAPWAP session timeout and
   restart.  This is effectively a DoS attack, and could be accomplished
   by a man in the middle regardless of the CAPWAP protocol security
   mechanisms chosen.

13.1.4.   Insertion of Unprotected Records

   An attacker could inject packets into the unprotected channel, but
   this may become evident if sequence number desynchronization occurs
   as a result.  Only if the attacker is a MiM can packets be inserted
   undetectably.  This is a consequence of that channel's lack of
   protection, and not a new threat resulting from the CAPWAP security
   mechanism.

13.2.  Use of Preshared Keys in CAPWAP

   While use of preshared keys may provide deployment and provisioning
   advantages not found in public key based deployments, it also
   introduces a number of operational and security concerns.  In
   particular, because the keys must typically be entered manually, it
   is common for people to base them on memorable words or phrases.
   These are referred to as "low entropy passwords/passphrases".

   Use of low-entropy preshared keys, coupled with the fact that the
   keys are often not frequently updated, tends to significantly
   increase exposure.  For these reasons, we make the following
   recommendations:

   o  When DTLS is used with a preshared-key (PSK) ciphersuite, each WTP
      SHOULD have a unique PSK.  Since WTPs will likely be widely
      deployed, their physical security is not guaranteed.  If PSKs are
      not unique for each WTP, key reuse would allow the compromise of
      one WTP to result in the compromise of others

   o  Generating PSKs from low entropy passwords is NOT RECOMMENDED.

   o  It is RECOMMENDED that implementations that allow the
      administrator to manually configure the PSK also provide a
      capability for generation of new random PSKs, taking "RFC RFC 1750
      [4]" [4]
      into account.

   o  Preshared keys SHOULD be periodically updated.  Implementations
      may facilitate this by providing an administrative interface for
      automatic key generation and periodic update, or it may be
      accomplished manually instead.

13.3.  Use of Certificates in CAPWAP

   For public-key-based DTLS deployments, each device SHOULD have unique
   credentials, with a certificate profile an extended key usage authorizing them to act as
   either a WTP or AC.  If devices do not have unique credentials, it is
   possible that by compromising one, any other one using the same
   credential may also be considered to be compromised.

   Certificate validation involves checking a large variety of things.
   Since the necessary things to validate are often environment-
   specific, many are beyond the scope of this document.  In this
   section, we provide some basic guidance on certificate validation.

   Each device is responsible for authenticating and authorizing devices
   with which they communicate.  At minimum, such authentication  Authentication entails validation of
   the chain of trust leading to the peer certificate, followed by the
   the peer certificate itself.  At a minimum, devices SHOULD use SSH-
   style certificate caching to guarantee consistency.  If devices have
   access to a certificate authority, they SHOULD properly validate the
   trust chain.  Implementations SHOULD also provide a secure method for
   verifying that the credential in question has not been revoked.

   Note that if the WTP relies on the AC for network connectivity (e.g.
   the AC is a layer 2 switch to which the WTP is directly connected),
   there is a chicken and egg problem, in that the WTP may not be able
   to contact an OCSP server or otherwise obtain an up to date CRL if a
   compromised AC doesn't explicitly permit this.  This cannot be
   avoided, except through effective physical security and monitoring
   measures at the AC.

   Proper validation of certificates typically requires checking to
   ensure the certificate has not yet expired.  If devices have a real-
   time clock, they SHOULD verify the certificate validity dates.  If no
   real-time clock is available, the device SHOULD attempt to determine
   the current time using NTP prior to certificate validation.  If
   neither is available, devices SHOULD verify that the start validity
   date of its peer's certificate is less than its own certificate's
   expiration date, and its peer's expiration date is greater than its
   own start date.  Note that failure to check a certificate's temporal
   validity can make a device vulnerable to man-in-the-middle attacks
   launched using compromised, expired certificates, and therefore
   devices should make every effort to perform this validation.

   Another important part of certificate authentication is binding a
   certificate to a particular device.  There are many ways to
   accomplish this.  CAPWAP RECOMMENDS specifying the certificate common
   name (CN) as the WTP or AC MAC address formatted as ASCII HEX,
   followed by an @ symbol, and then an administrative domain.  For
   example, 01:23:45:67:89:ab@DOMAIN.NET.  During authentication,
   devices SHOULD ensure that the MAC matches the MAC specified in the
   CAPWAP header, and that the domain in both the AC and WTP
   certificates match.

13.4.  AAA Security

   The AAA protocol is used to distribute EAP keys to the ACs, and
   consequently its security is important to the overall system
   security.  When used with TLS or IPsec, security guidelines specified
   in "RFC RFC 3539 [12]" [12] SHOULD be followed.

   In general, the link between the AC and AAA server SHOULD be secured
   using a strong ciphersuite keyed with mutually authenticated session
   keys.  Implementations SHOULD NOT rely solely on Basic RADIUS shared
   secret authentication as it is often vulnerable to dictionary
   attacks, but rather SHOULD use stronger underlying security
   mechanisms.

13.5.  IEEE 802.11 Security

   When used with an IEEE 802.11 infrastructure with WEP encryption, the
   CAPWAP protocol does not add any new vulnerabilities.  Derived
   session keys between the STA and WTP can be compromised, resulting in
   many well-documented attacks.  Implementors SHOULD discourage the use
   of WEP and encourage use of technically sound cryptographic solutions
   such as those in an IEEE 802.11 RSN.

   STA authentication in CAPWAP is performed using IEEE 802.lX, and
   consequently EAP.  Implementors SHOULD use EAP methods meeting the
   requirements specified in RFC 4017 [ref] RFC4017 [13].

14.  IANA Considerations

   A separate UDP port for data channel communications is (currently)
   the selected demultiplexing mechanism, and a port must be assigned
   for this purpose.

   The Message element type fields must be IANA aassigned, see
   Section 4.4.

15.  References

15.1.  Normative References

   [1]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", BCP 14, RFC 2119, March 1997.

   [2]   National Institute of Standards and Technology, "Advanced
         Encryption Standard (AES)", FIPS PUB 197, November 2001,
         <http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf>.

   [3]   Whiting, D., Housley, R., and N. Ferguson, "Counter with CBC-
         MAC (CCM)", RFC 3610, September 2003.

   [4]   Eastlake, D., Crocker, S., and J. Schiller, "Randomness
         Recommendations for Security", RFC 1750, December 1994.

   [5]   Manner, J. and M. Kojo, "Mobility Related Terminology",
         RFC 3753, June 2004.

   [6]   "Information technology - Telecommunications and information
         exchange between systems - Local and metropolitan area networks
         - Specific requirements - Part 11: Wireless LAN Medium Access
         Control (MAC) and Physical Layer (PHY) specifications",
         IEEE Standard 802.11, 1999,
         <http://standards.ieee.org/getieee802/download/
         802.11-1999.pdf>.

   [7]   "Information technology - Telecommunications and information
         exchange between systems - Local and metropolitan area networks
         - Specific requirements - Part 11: Wireless LAN Medium Access
         Control (MAC) and Physical Layer (PHY) specifications Amendment
         6: Medium Access Control (MAC) Security Enhancements",
         IEEE Standard 802.11i, July 2004, <http://standards.ieee.org/
         getieee802/download/802.11i-2004.pdf>.

   [8]   Clark, D., "IP datagram reassembly algorithms", RFC 815,
         July 1982.

   [9]   Schaad, J. and R. Housley, "Advanced Encryption Standard (AES)
         Key Wrap Algorithm", RFC 3394, September 2002.

   [10]  Mills, D., "Network Time Protocol (Version 3) Specification,
         Implementation", RFC 1305, March 1992.

   [11]  Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509
         Public Key Infrastructure Certificate and Certificate
         Revocation List (CRL) Profile", RFC 3280, April 2002.

   [12]  Aboba, B. and J. Wood, "Authentication, Authorization and
         Accounting (AAA) Transport Profile", RFC 3539, June 2003.

   [13]  Stanley, D., Walker, J., and B. Aboba, "Extensible
         Authentication Protocol (EAP) Method Requirements for Wireless
         LANs", RFC 4017, March 2005.

   [14]  Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites for
         Transport Layer Security (TLS)", RFC 4279, December 2005.

   [14]

   [15]  Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS)
         Protocol Version 1.1", RFC 4346, April 2006.

   [15]  "Netscape Certificate Extensions Specification",
         <http://wp.netscape.com/eng/security/comm4-cert-exts.html>.

   [16]  Clancy, C., "Security Review of the Light Weight Access Point
         Protocol", May 2005,
         <http://www.cs.umd.edu/~clancy/docs/lwapp-review.pdf>.

   [17]  Rescorla et al, E., "Datagram Transport Layer Security",
         June 2004.

   [18]  "Recommendation for Block Cipher Modes of Operation: the CMAC
         Mode for Authentication", May 2005, <http://csrc.ncsl.nist.gov/
         publications/nistpubs/800-38B/SP_800-38B.pdf>.

15.2.  Informational References

   [19]  Reynolds, J., "Assigned Numbers: RFC 1700 is Replaced by an On-
         line Database", RFC 3232, January 2002.

   [20]  Bradner, S., "The Internet Standards Process -- Revision 3",
         BCP 9, RFC 2026, October 1996.

   [21]  Kent, S. and R. Atkinson, "Security Architecture for the
         Internet Protocol", RFC 2401, November 1998.

   [22]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
         for Message Authentication", RFC 2104, February 1997.

   [23]  Karn, P. and W. Simpson, "ICMP Security Failures Messages",
         RFC 2521, March 1999.

   [24]  "WiFi Protected Access (WPA) rev 1.6", April 2003.

   [25]  Dierks et al, T., "The TLS Protocol Version 1.1", June 2005.

   [26]  Modadugu et al, N., "The Design and Implementation of Datagram
         TLS", Feb 2004.

   [27]  "The Care and Feeding of Cookie Monsters", May 2006.

   [28]  "Internet Key Exchange (IKEv2) Protocol",
         draft-ietf-ipsec-ikev2-17.txt", September 2004.

Editors' Addresses

   Pat R. Calhoun
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA  95134

   Phone: +1 408-853-5269
   Email: pcalhoun@cisco.com

   Michael P. Montemurro
   Chantry Networks
   1900 Minnesota Court, Suite 125
   Research In Motion
   5090 Commerce Blvd
   Mississauga, ON  L5N 3C9  L4W 5M4
   Canada

   Phone: +1 905-363-6400 905-629-4746 x4999
   Email: montemurro.michael@gmail.com mmontemurro@rim.com

   Dorothy Stanley
   Aruba Networks
   1322 Crossman Ave
   Sunnyvale, CA  94089

   Phone: +1 630-363-1389
   Email: dstanley@arubanetworks.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.