Changes to 802.1Q necessary for 802.1Qbz (bridging media)

Similar documents
P802.1Qbz + P802.11ak Proposal for Division of Work

Layering for the TSN Layer 2 Data Plane

Station Bridges

Wireless Network Security

Status of P Sub-Specification

Layering for the TSN Layer 3 Data Plane

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

What LinkSec Should Know About Bridges Norman Finn

Table of Contents 1 WLAN Service Configuration 1-1

Comment A: Text for Sequencing sublayer

Layering for the TSN Layer 3 Data Plane

Station Bridges

1. Data Link Layer Protocols

Monitoring Ports. Port State

IEEE 802.1Q YANG Bridge Port Interface Model in Support of 802.1AX, 802.1X, etc. Marc Holness Version Sept 2016

CSN & BSS Bridging

Chapter 6 Medium Access Control Protocols and Local Area Networks

IEEE 802.1Q YANG Bridge Port Interface Model in Support of 802.1AX, 802.1X, etc. Marc Holness Version July 2016

IEEE 802.1Q YANG Interface Framework in support of Link Aggregation (802.1AX), Security (802.1X), and CFM (802.1ag)

WLAN The Wireless Local Area Network Consortium

Discussion of Congestion Isolation Changes to 802.1Q

CCNA Exploration1 Chapter 7: OSI Data Link Layer

Picking a model for /802.1 bridging

IEEE 802.1Q YANG Interface Framework in support of Link Aggregation (802.1AX), Security (802.1X), and CFM (802.1ag)

Data Communications. Data Link Layer Protocols Wireless LANs

Mobile Communications. Ad-hoc and Mesh Networks

The MAC Address Format

CHAPTER 8: LAN Standards

Spanning Trees and IEEE 802.3ah EPONs

Internetworking Concepts Overview. 2000, Cisco Systems, Inc. 2-1

CHAPTER 18 INTERNET PROTOCOLS ANSWERS TO QUESTIONS

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

WLAN The Wireless Local Area Network Consortium

VLAN - SP6510P8 2013/4. Copyright 2011 Micronet Communications, INC

ICE 1332/0715 Mobile Computing (Summer, 2008)

IEEE P Wireless Local Area Networks

Configuration Commands Generic Commands Syntax description no description Context Description Default Parameters

Edge Control Transport for LRP

IEEE C802.16maint-05/091. IEEE Broadband Wireless Access Working Group <

ECE442 Communications Lecture 3. Wireless Local Area Networks

How many VLAN IDs are required for 802.1CB seamless redundancy?

CS 348: Computer Networks. - WiFi (contd.); 16 th Aug Instructor: Sridhar Iyer IIT Bombay

DRNI: State of the Model Wars

IEEE Technical Tutorial. Introduction. IEEE Architecture

Scheduled queues, UBS, CQF, and Input Gates

Basic processes in IEEE networks

4.3 IEEE Physical Layer IEEE IEEE b IEEE a IEEE g IEEE n IEEE 802.

Chapter 3.1 Acknowledgment:

Queuing Mechanism Interactions

Chapter 17. Wireless Network Security

Lecture 7: Ethernet Hardware Addressing and Frame Format. Dr. Mohammed Hawa. Electrical Engineering Department, University of Jordan.

Computer Networks. Wireless LANs

2. LAN Topologies Gilbert Ndjatou Page 1

Introduction to Wireless Networking CS 490WN/ECE 401WN Winter Lecture 4: Wireless LANs and IEEE Part II

WNC-0300USB. 11g Wireless USB Adapter USER MANUAL

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Cisco Systems, Inc. Norman Finn. July 9, /12. Class of Service in Class of Service in Norman Finn Cisco Systems

AP Bridges and MSTP

S Series Switches. MACsec Technology White Paper. Issue 1.0. Date HUAWEI TECHNOLOGIES CO., LTD.

Table of Contents. Layer 2. Refinement (1) Refinement (2) Refinement. Devices and sublayers. Bridging and Switching

Scheduled queues, UBS, CQF, and Input Gates

ABSTRACT. 2. DISCUSSION The following list describes the proposed modifications to the Q.2111 Annex D baseline by section:

SRP and non-1722 applications

VLAN. Mario Baldi. Pietro Nicoletti. Politecnico di Torino. Studio Reti

IEEE C802.16maint-05/091r1. IEEE Broadband Wireless Access Working Group <

Draft AVBTP over IEEE 802.3

Bridge Functions Consortium

Data and Computer Communications. Chapter 13 Wireless LANs

Layer 2. Bridging and Switching. dr. C. P. J. Koymans. Informatics Institute University of Amsterdam. (version 1.1, 2010/02/19 12:37:51)

Ethernet Hub. Campus Network Design. Hubs. Sending and receiving Ethernet frames via a hub

Chapter 24 Wireless Network Security

IEEE s ESS Mesh Networking

Effects of Residential Ethernet Standard on other 802.1/ Yong Kim

Picking a model for /802.1 bridging

Mixed-Media Bridging

Resilient Packet Ring 5 Criteria (2. Compatibility)

Bridge Functions Consortium

LLC and Bridges. Raj Jain. Professor of CIS. The Ohio State University

CSC344 Wireless and Mobile Computing. Department of Computer Science COMSATS Institute of Information Technology

Wireless Local Area Part 2

Wireless Network Security

Suggestions for P802.1Qcc Inputs and Outputs

IEEE 802.1AE (MacSec) & IEEE 802.1Qbb (PFC)

THOUGHTS ON TSN SECURITY

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Contents. Configuring LLDP 2

Configure Virtual LANs in Layer 2 VPNs

Peer entities. Protocol Layering. Protocols. Example

Contents. Configuring LLDP 2

A Day in the Life of an L2/L3 TSN Data Packet.

Network Working Group Request for Comments: 4118 Category: Informational UCLA E. Sadot Avaya June 2005

BRIDGE COMPONENTS. Panagiotis Saltsidis

QUESTION: 2 Which of the following statements is true regarding the SFP interfaces on the C2G124-48, and C2G124-48P?

802.1Q Forwarding PTP messages in an IEEE Transparent Clock Considerations in response to liaison from Q13/15

standard. Acknowledgement: Slides borrowed from Richard Y. Yale

Introduction to IEEE

Packet Switching - Asynchronous Transfer Mode. Introduction. Areas for Discussion. 3.3 Cell Switching (ATM) ATM - Introduction

Architecture. Copyright :I1996 IEEE. All rights reserved. This contains parts from an unapproved draft, subject to change

04/11/2011. Wireless LANs. CSE 3213 Fall November Overview

Contents. Configuring LLDP 2

Transcription:

Changes to 802.1Q necessary for 802.1Qbz (bridging 802.11 media) Norman Finn March, 2013 v01 bz-nfinn-802-1q-changes-0313-v01.pdf 1

2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

(We will not list minor changes, such as adding Access Point to the definitions clause.) New conformance clause 5.4.1.8: Combined Access Point and VLAN Bridge. Uses 802.1AC mapping of Bridge Port to Security Association, not Portal. Reference Clause 44, it that is included in 802.1Q. 6.5.6 Frame Lifetime End stations sleep, so frame lifetime can be exceeded. Bridges are not allowed to sleep 6.7 Support of the ISS by specific MAC procedures This clause has been moved to 802.1AC. Replace with placeholder. 6.9.1/6.9.2 Support of the EISS: See Tagging format slides bz-nfinn-802-1q-changes-0313-v01.pdf 3

7.5 Locating end stations 802.11 non-ap stations are discovered when they attach to the AP. 8.6.4 Egress Just add a note mentioning that port Queue Set 8.6.5 Queuing frames: see Queue Sets slides 8.6.7 Queue management An 802.11 station (AP or not) can retry the transmission of a frame. 9.4 Tag Protocol Identifier (TPID) formats Mention that 6.9.1/6.9.2 can alter the MSDU when adding/removing tags. 34.4 Deriving actual bandwidth Mention that one frame can be replicated several times in a queue if a single Queue Set serves multiple Ports. bz-nfinn-802-1q-changes-0313-v01.pdf 4

Globally, but especially in 37 Enhanced Transmission Selection Distinguish between Queue Set and Port, and use the right term. 37.3 ETS algorithm Add new Clause 44: see Clause 44 slides Annex A: PICS Update PICS with new requirements New clause G.3 Old and new LLC tag formats Discuss reason for changing the way tags are done in LLC media, and discuss the compatibility issues bz-nfinn-802-1q-changes-0313-v01.pdf 5

2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6

At present, adding/removing a tag changes nothing about what follows the tag. That means that, on an LLC medium, a SNAPencoded IP packet can be preceded by a SNAP-encoded VLAN tag and a SNAP-encoded CN-tag and a SNAP-encoded MACsec tag. This is silly, especially for wireless media, where bandwidth is at a premium. Suggested remedy: Change the way tags are inserted and removed on LLC media. When inserting a tag into an LLC PDU, convert PDU to Type/Length and then add LLC tag. When removing an LLC tag, convert enclosed (Type/Length) MSDU to LLC. This requires an LLC follows Ethertype for LLC frames > 1536 bytes. Have a special managed parameter that says, Do the old thing on this port, but default is do the new thing. bz-nfinn-802-1q-changes-0313-v01.pdf 7

2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8

At present, 8.6.4 Egress says to use the vector of output ports that has been accompanying the frame to select one or more ports for output, and queue the frame in those ports queues. When using Link Aggregation, one may have one set of queues per Bridge Port (as the standard suggests) or one may have one set of queues per physical port (more typical). There are weasel words in 802.1Q, but queues-per-physical-port is not what 8.6 says. In an 802.11 Access Point, you have one set of queues per BSS. Since one BSS can serve many stations, and there is one Bridge Port per station, an AP has many Bridge Ports per set of queues. So, we introduce the idea of Queue Sets to solve both problems. bz-nfinn-802-1q-changes-0313-v01.pdf 9

A Queue Set is a group of: One 8.6.6 Queuing frames entities One to eight 8.6.7 Queue management entities (and their queues) One 8.6.8 Transmission selection entity You may have multiple Queue Sets per Bridge Port, e.g. in the case of Link Aggregation. In this case: There is something of an issue with Support of the EISS; you have to replicate this function several times, once for each Queue Set. You may have multiple Bridge Ports per Queue Set, e.g. in the case of an 802.11 Access Point. In this case: The vector of output ports stays with the frame in the queue, and is used on output to select the port(s) on which the frame is transmitted. There is something of an issue with Support of the EISS; see next slide. bz-nfinn-802-1q-changes-0313-v01.pdf 10

In the case of multiple Bridge Ports per Queue Set, there is a problem with 6.9 Support of the EISS: This sublayer can generate a different VLAN tag on each port. Therefore, a single frame in an output queue can have to be transmitted multiple times, once for each VLAN tag value. A reasonable way to handle this is to say that knowledge of the differing requirements for tagging in 6.9 can result in multiple copies of a frame being placed in a queue, each with a subset of the port vector, so that all of the ports specified in a queue vector will be given the same tag. This could all be put in Clause 44, but I think that this is a common trait of Coordinated Shared Networks bz-nfinn-802-1q-changes-0313-v01.pdf 11

2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12

The primary purpose of this clause is to reconcile the 802.11 architectural model with the 802.1 model. That is: For the most part, they say the same thing in two different ways. The differences are mapped to 802.11ak constructs. It is possible that this clause will not be needed, and that all we need is a reference to 802.11ak in Clause 5. It is also possible that Clause 44 shows how to make 802.11 look like 802.1 and 802.11ak shows how to map 802.1 into 802.11. The remainder of this section shows the 802.11 802.1 mapping. bz-nfinn-802-1q-changes-0313-v01.pdf 13

Bridge Port Bridge Port Higher Layer Entities MS MS EISS MAC Relay Entity EISS Media Access Method Independent Functions (6.9) ISS ISS Media Access Method Dependent Convergence Functions (6.7) Media Access Method Specific Functions (IEEE Std 802.n) LAN LAN NOTE The notation IEEE Std 802.n in this figure indicates that the specifications for these functions can be found in the relevant standard for the media access method concerned; for example, n would be 3 (IEEE Std 802.3) in the case of Ethernet. bz-nfinn-802-1q-changes-0313-v01.pdf Figure IEEE 8-2 VLAN-aware plenery, Orlando FL USA March, 2013 Bridge architecture 14

IEEE 802.1X Controlled and Uncontrolled Port Filtering (optional) IEEE 802.1X Controlled and Uncontrolled Port Filtering (optional) LLC/SNAP IEEE 802.1X Controlled Port Filtering (optional) MSDU Flow IEEE 802.1 MAC Relay Entity (RSNA AP only) IEEE 802.1X Controlled Port Filtering (optional) LLC/SNAP DA address filtering IEEE 802.11 Mesh Forwarding Entity Intra BSS Relay (pre RSNA AP only) MSDU Flow - Transmitting TX MSDU Rate Limiting A-MSDU Aggregation PS Defer Queuing (AP, IBSS STA, or mesh STA only) Sequence Number Assignment MSDU Flow RX MSDU Rate Limiting A-MSDU De-aggregation Replay Detection (optional for nonmesh STA) MSDU Integrity and Protection (optional) MSDU Flow Receiving MSDU Integrity and Protection (optional) Fragmentation MPDU Encryption and Integrity (optional) The MPDU Decryption and Integrity (optional) and Block Ack Reordering processes may be performed in either order Defragmentation Block Ack Reordering MPDU Decryption and Integrity (optional) Duplicate Removal Address 1 address filtering MPDU Header + CRC MPDU Header + CRC Validation A-MPDU Aggregation A-MPDU De-aggregation bz-nfinn-802-1q-changes-0313-v01.pdf Figure 5-1 MAC data plane architecture 15

If a station can be a bridge, 802.1 requires one Bridge Port per station attached to the Access Point. There is one leg of the baggy pants for each attached station, and an extra ISS for the SecY uncontrolled port. In the 802.11 model, there is exactly one port per BSS, with its receive and transmit sides shown separately in the diagram. The selection of which Security Association to use, and thus which bridge port (or the broadcast SA) is based on the destination/ receiver address in the frame. There is also a parameter specifying whether the frame is to be (or was) encrypted. The resolution is not difficult we define a new kind of port, the Security Association Port. bz-nfinn-802-1q-changes-0313-v01.pdf 16

TX MSDU Rate Limiting M-SAP to physical port RX MSDU Rate Limiting Two legs simply become one physical port. A-MSDU Aggregation PS Defer Queuing Sequence Number Assignment MSDU Integrity and Protection Fragmentation MPDU Encryption and Integrity MPTU Header + CRC A-MPDU Aggregation A-MSDU De-aggregation Replay Detection MSDU Integrity and Protection Defragmentation Block Ack Recording MPDU Decryption and Integrity Duplicate Removal Address 1 Address Filtering MPDU Header + CRC Validation A-MPDU De-aggregation Physical port has one M-SAP. (MAC Service Access Point). Note that this M-SAP is below the Portal that is offered the Bridge, today. bz-nfinn-802-1q-changes-0313-v01.pdf 17

In 802.11, in the transmit direction, the BSS selection and destination address are mapped to a receiver address and security association. In the receive direction, the transmitter address selects the security association used for decryption. What is required in 802.1 is that each security association with an individual station is a separate Bridge Port. On input, this means that the transmitter address ultimately determines on which Bridge Port the frame was received. This means that either the transmitter address or some other kind of security association identifier must accompany the frame up the 802.11 stack to the MAC-Dependent Convergence Function, which can then use that parameter to split into multiple SAPs, one per Bridge Port bz-nfinn-802-1q-changes-0313-v01.pdf 18

Port 1 Port 2 Port n Bridge Port Demux M-SAP to security association stuff MPDU Decryption and Integrity stuff Bridge port demux uses transmitter address (or equivalent security association ID) to select a Bridge Port on which to present the frame. The transmitter address or SAID must travel up the stack; this may be a new requirement for 802.11. bz-nfinn-802-1q-changes-0313-v01.pdf 19

On output, there is likely a two step process. First, the vector of output ports that accompany a frame through the bridge forwarding process select a BSS and receiver address. If only one port is in the vector, that port s unicast receiver address is used. If multiple ports are selected, the appropriate multicast or broadcast receiver address is used. The BSS and receiver address, in turn select the security association when the frame is delivered to the 802.11 MAC. If the receiver address is a unicast, a unicast SA is used. If the receiver address is a multicast, the broadcast SA for the BSS is used. NOTE: This deck leaves the question of how exactly the receiver address maps to the selection of receiving stations (e.g., a multicast receiver address of some sort) to P802.11ak. bz-nfinn-802-1q-changes-0313-v01.pdf 20

Port 1 Port 2 Port n Receiver Address Selection M-SAP to security association stuff MPDU Encryption and Integrity stuff A frame with a vector of ports is equivalent (to an observer outside the system) to an array of SAPs. The selection of ports determines the receiver address. MPDU Encryption uses the receiver address to determine the security association. (Is this a change, or how it is, now?) bz-nfinn-802-1q-changes-0313-v01.pdf 21

Each BSS has its own set of queues This merely means that we group together the Bridge Ports that are associated with a single BSS together with a single Queue Set. bz-nfinn-802-1q-changes-0313-v01.pdf 22

It remains ambiguous, in 802.1Q, whether the queues are really above the physical port or down in the guts of the MAC. This question has not been resolved in 802.1Q, because different implementations are reasonable. The number of Queue Sets is more important, especially now that we have more complex dequeing algorithms. This deck proposes that we can and should settle that. If 802.11 wishes to specify a specific place for the queues, that is allowable within the 802.1 architecture, and 802.11ak will harm nothing by making that decision. bz-nfinn-802-1q-changes-0313-v01.pdf 23

In 802.1, encryption and decryption are above the 802.n MAC. In 802.11, encryption and decryption have to be below the MAC presented to the Bridge, because frames can be fragmented and reassembled, and each fragment is protected individually. M-SAP to sec. asociation stuff encryption / decryption stuff } Upper 802.11 Interface includes a parameter for controlled/ uncontrolled port Controlled/uncontrolled distinction is made in crypto block Lower 802.11 interface has no controlled/uncontrolled parameter bz-nfinn-802-1q-changes-0313-v01.pdf 24

Controlled MAC stuff Uncontrolled MAC Pseudo-MACsec M-SAP to sec. asociation encryption / decryption } Pseudo-MACsec layer splits controlled/uncontrolled ports using the parameter. To 802.1, everything looks normal. Rest of 802.11 stack remains the same. stuff bz-nfinn-802-1q-changes-0313-v01.pdf 25

8.6.4 Egress Bridge Port Bridge Port Bridge Port Bridge Port Bridge Port Bridge Port Queue Set Queue Set Support of EISS MAC indep. functions Pseudo- SecY Support of EISS MAC indep. functions Pseudo- SecY Support of EISS MAC indep. functions Pseudo- SecY Support of EISS MAC indep. functions Pseudo- SecY Support of EISS MAC indep. functions Pseudo- SecY Support of EISS MAC indep. functions Pseudo- SecY 802.1AC Media Access Method Dependent Convergence Functions 6.7, including receiver address selection (on transmit) and transmitter address demultiplexing (on receive) 802.11 physical port including selection of security association by receiver address (on transmit) This assumes one physical port covers all BSSs. bz-nfinn-802-1q-changes-0313-v01.pdf 26

8.6.4 Egress Bridge Port Bridge Port Bridge Port Bridge Port Bridge Port Bridge Port Queue Set Queue Set BSS A This separates the physical port by BSS Support of Support of Support of EISS MAC indep. EISS MAC indep. EISS MAC indep. functions functions functions Pseudo- Pseudo- Pseudo- SecY SecY SecY 802.1AC Media Access Method Dependent Convergence Functions 6.7, including receiver address selection (on transmit) and transmitter address demultiplexing (on receive) 802.11 physical port including selection of security association by receiver address (on transmit) Support of Support of Support of EISS EISS EISS MAC indep. MAC indep. MAC indep. functions functions functions Pseudo- Pseudo- Pseudo- SecY SecY SecY 802.1AC Media Access Method Dependent Convergence Functions 6.7, including receiver address selection (on transmit) and transmitter address demultiplexing (on receive) 802.11 physical port including selection of security association by receiver address (on transmit) BSS B bz-nfinn-802-1q-changes-0313-v01.pdf 27

2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28

A non-ap station must present one instance of the MAC service to the Bridge (for use as a Bridge Port) for each security association that the station has with another station, whether that station is an AP or not. This Service Access Point must not reflect frames back to the transmitter. This could be called a Portal, a Security Association Port, or some third kind of object. If a third object, 802.1AC must include that, also. bz-nfinn-802-1q-changes-0313-v01.pdf 29

2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30

Do we include Clause 44? How to handle basic LLC/Length-Type conversion when bridging between wired and wireless Bridge Ports? This editor s opinion: Add LLC/Length-type parameter to EISS, and have Support of EISS translate to local format on output, if necessary. Is Congestion Notification allowed for 802.11 media? This editor s opinion: Say nothing. It s an option, anyway. Is Priority-based Flow Control allowed for 802.11 media? This editor s opinion: Say nothing. It s an option, anyway. How to handle re-transmission of frames in 802.11? Since queue position is ambiguous, we can leave this to 802.11. Is there a problem with out-of-order delivery that needs to be mentioned? bz-nfinn-802-1q-changes-0313-v01.pdf 31

Thank you.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback