Control and Provisioning of                                   P. Calhoun
Wireless Access Points
Network Working                                 B. O'Hara Group                                         P. Calhoun
Request for Comments: 5412                                       R. Suri
Internet-Draft
Category: Historic                                         N. Cam Winget
Intended status: Informational Cam-Winget
                                                     Cisco Systems, Inc.
Expires: September 3, 2007
                                                                S. Kelly
                                                 Facetime Communications
                                                             M. Williams
                                                             Nokia, Inc.
                                                                S. Hares
                                              Nexthop Technologies, Inc.
                                                           March 2, 2007

                   Light Weight
                                                              Bob O'Hara
                                                            January 2009

                   Leightweight Access Point Protocol
                    draft-ohara-capwap-lwapp-04.txt

Status of this This Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims

   This memo defines a Historic Document for the Internet community.  It
   does not specify an Internet standard of which he or she is aware
   have been or will be disclosed, and any kind.  Distribution of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working
   this memo is unlimited.

IESG Note

   This RFC documents of the Internet Engineering
   Task Force (IETF), its areas, LWAPP protocol as it was when submitted to the
   IETF as a basis for further work in the CAPWAP WG, and its working groups.  Note that
   other groups therefore it
   may also distribute working documents resemble the CAPWAP protocol specification (RFC 5415), as Internet-
   Drafts.

   Internet-Drafts are draft documents valid well as
   other current IETF work in progress or published IETF work.  This RFC
   is being published solely for a maximum of six months the historical record.  The protocol
   described in this RFC has not been thoroughly reviewed and may be updated, replaced, or obsoleted by other
   contain errors and omissions.

   RFC 5415 documents at the standards track solution for the CAPWAP
   Working Group and obsoletes any
   time.  It and all mechanisms defined in this
   RFC.  This RFC itself is inappropriate to use Internet-Drafts as reference
   material or to cite them other than not a candidate for any level of Internet
   Standard and should not be used as "work a basis for any sort of deployment
   in progress." the Internet.

   The list IETF disclaims any knowledge of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list the fitness of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 3, 2007.

Copyright Notice

   Copyright (C) The this RFC for any
   purpose, and in particular notes that it has not had complete IETF Trust (2007).
   review for such things as security, congestion control, or
   inappropriate interaction with deployed protocols.  The RFC Editor
   has chosen to publish this document at its discretion.

Abstract

   In the recent years, there has been a shift in wireless LAN (WLAN)
   product architectures from autonomous access points to centralized
   control of
   light weight lightweight access points.  The general goal has been to
   move most of the traditional wireless functionality such as access
   control (user authentication and authorization), mobility mobility, and radio
   management out of the access point into a centralized controller.

   The IETF's CAPWAP (Control and Provisioning of Wireless Access
   Points) WG has identified that a standards based standards-based protocol is
   necessary between a wireless Access Controller and Wireless
   Termination Points (the latter are also commonly referred to as Light
   Weight
   Lightweight Access Points).  This specification defines the Light Weight
   Lightweight Access Point Protocol (LWAPP), which addresses the
   CAPWAP's (Control and Provisioning of Wireless Access Points)
   protocol requirements.  Although the LWAPP protocol is designed to be
   flexible enough to be used for a variety of wireless technologies,
   this specific document describes the base protocol, protocol and an extension
   that allows it to be used with the IEEE's 802.11 wireless LAN
   protocol.

Table of Contents

   1. Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   8 ....................................................8
      1.1. Conventions used Used in this document  . . . . . . . . . . .   9 This Document ..........................9
   2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . .  10 ..............................................10
      2.1. Wireless Binding Definition  . . . . . . . . . . . . . .  11 ...............................11
      2.2. LWAPP State Machine Definition . . . . . . . . . . . . .  12 ............................12
   3. LWAPP Transport Layers  . . . . . . . . . . . . . . . . . . .  21 .........................................20
      3.1. LWAPP Transport Header . . . . . . . . . . . . . . . . .  21 ....................................21
           3.1.1. VER Field  . . . . . . . . . . . . . . . . . . . . .  21 ..........................................21
           3.1.2. RID Field  . . . . . . . . . . . . . . . . . . . . .  21 ..........................................21
           3.1.3. C Bit  . . . . . . . . . . . . . . . . . . . . . . .  21 ..............................................21
           3.1.4. F Bit  . . . . . . . . . . . . . . . . . . . . . . .  21 ..............................................21
           3.1.5. L Bit  . . . . . . . . . . . . . . . . . . . . . . .  22 ..............................................22
           3.1.6. Fragment ID  . . . . . . . . . . . . . . . . . . . .  22 ........................................22
           3.1.7. Length . . . . . . . . . . . . . . . . . . . . . . .  22 .............................................22
           3.1.8. Status and WLANS . . . . . . . . . . . . . . . . . .  22 ...................................22
           3.1.9. Payload  . . . . . . . . . . . . . . . . . . . . . .  22 ............................................22
      3.2. Using IEEE 802.3 MAC as LWAPP transport  . . . . . . . .  22 Transport ...................22
           3.2.1. Framing  . . . . . . . . . . . . . . . . . . . . . .  23 ............................................23
           3.2.2. AC Discovery . . . . . . . . . . . . . . . . . . . .  23 .......................................23
           3.2.3. LWAPP Message Header format Format over IEEE 802.3
                  MAC
                transport  . . . . . . . . . . . . . . . . . . . . .  23 Transport ......................................23
           3.2.4. Fragmentation/Reassembly . . . . . . . . . . . . . .  23 ...........................24
           3.2.5. Multiplexing . . . . . . . . . . . . . . . . . . . .  24 .......................................24
      3.3. Using IP/UDP as LWAPP transport  . . . . . . . . . . . .  24 Transport ...........................24
           3.3.1. Framing  . . . . . . . . . . . . . . . . . . . . . .  24 ............................................24
           3.3.2. AC Discovery . . . . . . . . . . . . . . . . . . . .  24 .......................................25
           3.3.3. LWAPP Message Header format Format over IP/UDP transport  .  25 Transport ..25
           3.3.4. Fragmentation/Reassembly for IPv4  . . . . . . . . .  26 ..................26
           3.3.5. Fragmentation/Reassembly for IPv6  . . . . . . . . .  26 ..................26
           3.3.6. Multiplexing . . . . . . . . . . . . . . . . . . . .  26 .......................................26
   4. LWAPP Packet Definitions  . . . . . . . . . . . . . . . . . .  27 .......................................26
      4.1. LWAPP Data Messages  . . . . . . . . . . . . . . . . . .  27 .......................................27
      4.2. LWAPP Control Messages Overview  . . . . . . . . . . . .  27 ...........................27
           4.2.1. Control Message Format . . . . . . . . . . . . . . .  28 .............................28
           4.2.2. Message Element Format . . . . . . . . . . . . . . .  30 .............................29
           4.2.3. Quality of Service . . . . . . . . . . . . . . . . .  31 .................................31
   5. LWAPP Discovery Operations  . . . . . . . . . . . . . . . . .  32 .....................................31
      5.1. Discovery Request  . . . . . . . . . . . . . . . . . . .  32 .........................................31
           5.1.1. Discovery Type . . . . . . . . . . . . . . . . . . .  33 .....................................32
           5.1.2. WTP Descriptor . . . . . . . . . . . . . . . . . . .  33 .....................................33
           5.1.3. WTP Radio Information  . . . . . . . . . . . . . . .  34 ..............................34
      5.2. Discovery Response . . . . . . . . . . . . . . . . . . .  35 ........................................34
           5.2.1. AC Address . . . . . . . . . . . . . . . . . . . . .  35 .........................................35
           5.2.2. AC Descriptor  . . . . . . . . . . . . . . . . . . .  36 ......................................35
           5.2.3. AC Name  . . . . . . . . . . . . . . . . . . . . . .  37 ............................................36
           5.2.4. WTP Manager Control IPv4 Address . . . . . . . . . .  37 ...................37
           5.2.5. WTP Manager Control IPv6 Address . . . . . . . . . .  38 ...................37
      5.3. Primary Discovery Request  . . . . . . . . . . . . . . .  38 .................................38
           5.3.1. Discovery Type . . . . . . . . . . . . . . . . . . .  39 .....................................38
           5.3.2. WTP Descriptor . . . . . . . . . . . . . . . . . . .  39 .....................................38
           5.3.3. WTP Radio Information  . . . . . . . . . . . . . . .  39 ..............................38
      5.4. Primary Discovery Response . . . . . . . . . . . . . . .  39 ................................38
           5.4.1. AC Descriptor  . . . . . . . . . . . . . . . . . . .  39 ......................................39
           5.4.2. AC Name  . . . . . . . . . . . . . . . . . . . . . .  39 ............................................39
           5.4.3. WTP Manager Control IPv4 Address . . . . . . . . . .  40 ...................39
           5.4.4. WTP Manager Control IPv6 Address . . . . . . . . . .  40 ...................39
   6. Control Channel Management  . . . . . . . . . . . . . . . . .  41 .....................................39
      6.1. Join Request . . . . . . . . . . . . . . . . . . . . . .  41 ..............................................39
           6.1.1. WTP Descriptor . . . . . . . . . . . . . . . . . . .  42 .....................................40
           6.1.2. AC Address . . . . . . . . . . . . . . . . . . . . .  42 .........................................40
           6.1.3. WTP Name . . . . . . . . . . . . . . . . . . . . . .  42 ...........................................40
           6.1.4. Location Data  . . . . . . . . . . . . . . . . . . .  42 ......................................41
           6.1.5. WTP Radio Information  . . . . . . . . . . . . . . .  43 ..............................41
           6.1.6. Certificate  . . . . . . . . . . . . . . . . . . . .  43 ........................................41
           6.1.7. Session ID . . . . . . . . . . . . . . . . . . . . .  43 .........................................42
           6.1.8. Test . . . . . . . . . . . . . . . . . . . . . . . .  44 ...............................................42
           6.1.9. XNonce . . . . . . . . . . . . . . . . . . . . . . .  44 .............................................42
      6.2. Join Response  . . . . . . . . . . . . . . . . . . . . .  44 .............................................43
           6.2.1. Result Code  . . . . . . . . . . . . . . . . . . . .  45 ........................................44
           6.2.2. Status . . . . . . . . . . . . . . . . . . . . . . .  45 .............................................44
           6.2.3. Certificate  . . . . . . . . . . . . . . . . . . . .  46 ........................................45
           6.2.4. WTP Manager Data IPv4 Address  . . . . . . . . . . .  46 ......................45
           6.2.5. WTP Manager Data IPv6 Address  . . . . . . . . . . .  47 ......................45
           6.2.6. AC IPv4 List . . . . . . . . . . . . . . . . . . . .  47 .......................................46
           6.2.7. AC IPv6 List . . . . . . . . . . . . . . . . . . . .  48 .......................................46
           6.2.8. ANonce . . . . . . . . . . . . . . . . . . . . . . .  48 .............................................47
           6.2.9. PSK-MIC  . . . . . . . . . . . . . . . . . . . . . .  49 ............................................48
      6.3. Join ACK . . . . . . . . . . . . . . . . . . . . . . . .  50 ..................................................48
           6.3.1. Session ID . . . . . . . . . . . . . . . . . . . . .  50 .........................................49
           6.3.2. WNonce . . . . . . . . . . . . . . . . . . . . . . .  50 .............................................49
           6.3.3. PSK-MIC  . . . . . . . . . . . . . . . . . . . . . .  51 ............................................49
      6.4. Join Confirm . . . . . . . . . . . . . . . . . . . . . .  51 ..............................................49
           6.4.1. Session ID . . . . . . . . . . . . . . . . . . . . .  51 .........................................50
           6.4.2. PSK-MIC  . . . . . . . . . . . . . . . . . . . . . .  51 ............................................50
      6.5. Echo Request . . . . . . . . . . . . . . . . . . . . . .  51 ..............................................50
      6.6. Echo Response  . . . . . . . . . . . . . . . . . . . . .  52 .............................................50
      6.7. Key Update Request . . . . . . . . . . . . . . . . . . .  52 ........................................51
           6.7.1. Session ID . . . . . . . . . . . . . . . . . . . . .  52 .........................................51
           6.7.2. XNonce . . . . . . . . . . . . . . . . . . . . . . .  52 .............................................51
      6.8. Key Update Response  . . . . . . . . . . . . . . . . . .  52 .......................................51
           6.8.1. Session ID . . . . . . . . . . . . . . . . . . . . .  53 .........................................51
           6.8.2. ANonce . . . . . . . . . . . . . . . . . . . . . . .  53 .............................................51
           6.8.3. PSK-MIC  . . . . . . . . . . . . . . . . . . . . . .  53 ............................................52
      6.9. Key Update ACK . . . . . . . . . . . . . . . . . . . . .  53 ............................................52
           6.9.1. WNonce . . . . . . . . . . . . . . . . . . . . . . .  53 .............................................52
           6.9.2. PSK-MIC  . . . . . . . . . . . . . . . . . . . . . .  53 ............................................52
      6.10. Key Update Confirm . . . . . . . . . . . . . . . . . . .  53 .......................................52
           6.10.1. PSK-MIC  . . . . . . . . . . . . . . . . . . . . . .  54 ...........................................52
      6.11. Key Update Trigger . . . . . . . . . . . . . . . . . . .  54 .......................................52
           6.11.1. Session ID . . . . . . . . . . . . . . . . . . . . .  54 ........................................53
   7. WTP Configuration Management  . . . . . . . . . . . . . . . .  55 ...................................53
      7.1. Configuration Consistency  . . . . . . . . . . . . . . .  55 .................................53
      7.2. Configure Request  . . . . . . . . . . . . . . . . . . .  56 .........................................54
           7.2.1. Administrative State . . . . . . . . . . . . . . . .  56 ...............................54
           7.2.2. AC Name  . . . . . . . . . . . . . . . . . . . . . .  57 ............................................55
           7.2.3. AC Name with Index . . . . . . . . . . . . . . . . .  57 .................................55
           7.2.4. WTP Board Data . . . . . . . . . . . . . . . . . . .  57 .....................................56
           7.2.5. Statistics Timer . . . . . . . . . . . . . . . . . .  58 ...................................56
           7.2.6. WTP Static IP Address Information  . . . . . . . . .  59 ..................57
           7.2.7. WTP Reboot Statistics  . . . . . . . . . . . . . . .  59 ..............................58
      7.3. Configure Response . . . . . . . . . . . . . . . . . . .  60 ........................................58
           7.3.1. Decryption Error Report Period . . . . . . . . . . .  61 .....................59
           7.3.2. Change State Event . . . . . . . . . . . . . . . . .  61 .................................59
           7.3.3. LWAPP Timers . . . . . . . . . . . . . . . . . . . .  62 .......................................60
           7.3.4. AC IPv4 List . . . . . . . . . . . . . . . . . . . .  62 .......................................60
           7.3.5. AC IPv6 List . . . . . . . . . . . . . . . . . . . .  62 .......................................61
           7.3.6. WTP Fallback . . . . . . . . . . . . . . . . . . . .  63 .......................................61
           7.3.7. Idle Timeout . . . . . . . . . . . . . . . . . . . .  63 .......................................61
      7.4. Configuration Update Request . . . . . . . . . . . . . .  63 ..............................62
           7.4.1. WTP Name . . . . . . . . . . . . . . . . . . . . . .  64 ...........................................62
           7.4.2. Change State Event . . . . . . . . . . . . . . . . .  64 .................................62
           7.4.3. Administrative State . . . . . . . . . . . . . . . .  64 ...............................62
           7.4.4. Statistics Timer . . . . . . . . . . . . . . . . . .  64 ...................................62
           7.4.5. Location Data  . . . . . . . . . . . . . . . . . . .  64 ......................................62
           7.4.6. Decryption Error Report Period . . . . . . . . . . .  64 .....................62
           7.4.7. AC IPv4 List . . . . . . . . . . . . . . . . . . . .  64 .......................................62
           7.4.8. AC IPv6 List . . . . . . . . . . . . . . . . . . . .  64 .......................................62
           7.4.9. Add Blacklist Entry  . . . . . . . . . . . . . . . .  64 ................................63
           7.4.10. Delete Blacklist Entry . . . . . . . . . . . . . . .  65 ............................63
           7.4.11. Add Static Blacklist Entry . . . . . . . . . . . . .  66 ........................64
           7.4.12. Delete Static Blacklist Entry  . . . . . . . . . . .  66 .....................64
           7.4.13. LWAPP Timers . . . . . . . . . . . . . . . . . . . .  67 ......................................65
           7.4.14. AC Name with Index . . . . . . . . . . . . . . . . .  67 ................................65
           7.4.15. WTP Fallback . . . . . . . . . . . . . . . . . . . .  67 ......................................65
           7.4.16. Idle Timeout . . . . . . . . . . . . . . . . . . . .  67 ......................................65
      7.5. Configuration Update Response  . . . . . . . . . . . . .  67 .............................65
           7.5.1. Result Code  . . . . . . . . . . . . . . . . . . . .  67 ........................................65
      7.6. Change State Event Request . . . . . . . . . . . . . . .  67 ................................65
           7.6.1. Change State Event . . . . . . . . . . . . . . . . .  68 .................................66
      7.7. Change State Event Response  . . . . . . . . . . . . . .  68 ...............................66
      7.8. Clear Config Indication  . . . . . . . . . . . . . . . .  68 ...................................66
   8. Device Management Operations  . . . . . . . . . . . . . . . .  69 ...................................66
      8.1. Image Data Request . . . . . . . . . . . . . . . . . . .  69 ........................................66
           8.1.1. Image Download . . . . . . . . . . . . . . . . . . .  69 .....................................67
           8.1.2. Image Data . . . . . . . . . . . . . . . . . . . . .  69 .........................................67
      8.2. Image Data Response  . . . . . . . . . . . . . . . . . .  70 .......................................68
      8.3. Reset Request  . . . . . . . . . . . . . . . . . . . . .  70 .............................................68
      8.4. Reset Response . . . . . . . . . . . . . . . . . . . . .  70 ............................................68
      8.5. WTP Event Request  . . . . . . . . . . . . . . . . . . .  71 .........................................68
           8.5.1. Decryption Error Report  . . . . . . . . . . . . . .  71 ............................69
           8.5.2. Duplicate IPv4 Address . . . . . . . . . . . . . . .  71 .............................69
           8.5.3. Duplicate IPv6 Address . . . . . . . . . . . . . . .  72 .............................70
      8.6. WTP Event Response . . . . . . . . . . . . . . . . . . .  73 ........................................70
      8.7. Data Transfer Request  . . . . . . . . . . . . . . . . .  73 .....................................71
           8.7.1. Data Transfer Mode . . . . . . . . . . . . . . . . .  73 .................................71
           8.7.2. Data Transfer Data . . . . . . . . . . . . . . . . .  74 .................................71
      8.8. Data Transfer Response . . . . . . . . . . . . . . . . .  74 ....................................72
   9. Mobile Session Management . . . . . . . . . . . . . . . . . .  75 ......................................72
      9.1. Mobile Config Request  . . . . . . . . . . . . . . . . .  75 .....................................72
           9.1.1. Delete Mobile  . . . . . . . . . . . . . . . . . . .  75 ......................................73
      9.2. Mobile Config Response . . . . . . . . . . . . . . . . .  76 ....................................73
           9.2.1. Result Code  . . . . . . . . . . . . . . . . . . . .  76 ........................................74
   10. LWAPP Security  . . . . . . . . . . . . . . . . . . . . . . .  77 ................................................74
      10.1. Securing WTP-AC communications . . . . . . . . . . . . .  77 Communications ...........................74
      10.2. LWAPP Frame Encryption . . . . . . . . . . . . . . . . .  78 ...................................75
      10.3. Authenticated Key Exchange . . . . . . . . . . . . . . .  78 ...............................76
           10.3.1. Terminology  . . . . . . . . . . . . . . . . . . . .  79 .......................................76
           10.3.2. Initial Key Generation . . . . . . . . . . . . . . .  80 ............................77
           10.3.3. Refreshing Cryptographic Keys  . . . . . . . . . . .  84 .....................81
      10.4. Certificate Usage  . . . . . . . . . . . . . . . . . . .  85 ........................................82
   11. IEEE 802.11 Binding . . . . . . . . . . . . . . . . . . . . .  86 ...........................................82
      11.1. Division of labor  . . . . . . . . . . . . . . . . . . .  86 Labor ........................................82
           11.1.1. Split MAC  . . . . . . . . . . . . . . . . . . . . .  86 .........................................83
           11.1.2. Local MAC  . . . . . . . . . . . . . . . . . . . . .  88 .........................................85
      11.2. Roaming Behavior and 802.11 security . . . . . . . . . .  91 Security .....................87
      11.3.  Transport specific bindings  . . . . . . . . . . . . . .  92 Transport-Specific Bindings ..............................88
           11.3.1. Status and WLANS field . . . . . . . . . . . . . . .  92 Field ............................88
      11.4. BSSID to WLAN ID Mapping . . . . . . . . . . . . . . . .  93 .................................89
      11.5. Quality of Service . . . . . . . . . . . . . . . . . . .  93 .......................................89
      11.6. Data Message bindings  . . . . . . . . . . . . . . . . .  93 Bindings ....................................90
      11.7. Control Message bindings . . . . . . . . . . . . . . . .  93 Bindings .................................90
           11.7.1. Mobile Config Request  . . . . . . . . . . . . . . .  94 .............................90
           11.7.2. WTP Event Request  . . . . . . . . . . . . . . . . . 100 .................................96
      11.8. 802.11 Control Messages  . . . . . . . . . . . . . . . . 102 ..................................97
           11.8.1. IEEE 802.11 WLAN Config Request  . . . . . . . . . . 102 ...................98
           11.8.2. IEEE 802.11 WLAN Config Response . . . . . . . . . . 107 .................103
           11.8.3. IEEE 802.11 WTP Event  . . . . . . . . . . . . . . . 107 ............................103
      11.9. Message Element Bindings . . . . . . . . . . . . . . . . 109 ................................105
           11.9.1. IEEE 802.11 WTP WLAN Radio Configuration . . . . . . 109 .........105
           11.9.2. IEEE 802.11 Rate Set . . . . . . . . . . . . . . . . 111 .............................107
           11.9.3. IEEE 802.11 Multi-domain Multi-Domain Capability  . . . . . . . . 111 ..............107
           11.9.4. IEEE 802.11 MAC Operation  . . . . . . . . . . . . . 112 ........................108
           11.9.5. IEEE 802.11 Tx Power . . . . . . . . . . . . . . . . 114 .............................109
           11.9.6. IEEE 802.11 Tx Power Level . . . . . . . . . . . . . 114 .......................110
           11.9.7. IEEE 802.11 Direct Sequence Control  . . . . . . . . 115 ..............110
           11.9.8. IEEE 802.11 OFDM Control . . . . . . . . . . . . . . 116 .........................111
           11.9.9. IEEE 802.11 Antenna  . . . . . . . . . . . . . . . . 117 ..............................112
           11.9.10. IEEE 802.11 Supported Rates  . . . . . . . . . . . . 118 .....................113
           11.9.11. IEEE 802.11 CFP Status . . . . . . . . . . . . . . . 118 ..........................114
           11.9.12. IEEE 802.11 WTP Mode and Type  . . . . . . . . . . . 119 ...................114
           11.9.13. IEEE 802.11 Broadcast Probe Mode . . . . . . . . . . 119 ................115
           11.9.14. IEEE 802.11 WTP Quality of Service . . . . . . . . . 120 ..............115
           11.9.15. IEEE 802.11 MIC Error Report From Mobile . . . . . . 121 ........117
      11.10. IEEE 802.11 Message Element Values . . . . . . . . . . . 122 .....................117
   12. LWAPP Protocol Timers . . . . . . . . . . . . . . . . . . . . 123 ........................................118
      12.1. MaxDiscoveryInterval . . . . . . . . . . . . . . . . . . 123 ....................................118
      12.2. SilentInterval . . . . . . . . . . . . . . . . . . . . . 123 ..........................................118
      12.3. NeighborDeadInterval . . . . . . . . . . . . . . . . . . 123 ....................................118
      12.4. EchoInterval . . . . . . . . . . . . . . . . . . . . . . 123 ............................................118
      12.5. DiscoveryInterval  . . . . . . . . . . . . . . . . . . . 123 .......................................118
      12.6. RetransmitInterval . . . . . . . . . . . . . . . . . . . 123 ......................................119
      12.7. ResponseTimeout  . . . . . . . . . . . . . . . . . . . . 124 .........................................119
      12.8. KeyLifetime  . . . . . . . . . . . . . . . . . . . . . . 124 .............................................119
   13. LWAPP Protocol Variables  . . . . . . . . . . . . . . . . . . 125 .....................................119
      13.1. MaxDiscoveries . . . . . . . . . . . . . . . . . . . . . 125 ..........................................119
      13.2. DiscoveryCount . . . . . . . . . . . . . . . . . . . . . 125 ..........................................119
      13.3. RetransmitCount  . . . . . . . . . . . . . . . . . . . . 125 .........................................119
      13.4. MaxRetransmit  . . . . . . . . . . . . . . . . . . . . . 125 ...........................................120
   14. NAT Considerations  . . . . . . . . . . . . . . . . . . . . . 126 ...........................................120
   15. Security Considerations . . . . . . . . . . . . . . . . . . . 128 ......................................121
      15.1.  Certificate based Certificate-Based Session Key establishment  . . . . . . 129 Establishment .............122
      15.2.  PSK based PSK-Based Session Key establishment  . . . . . . . . . . 129 Establishment .....................123
   16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 130
   17. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . 131
   18. IPR Statement . . . . . . . . . . . . . . . . . . . . . . . . 132
   19. .............................................123
   17. References  . . . . . . . . . . . . . . . . . . . . . . . . . 133
     19.1. ...................................................123
      17.1. Normative References . . . . . . . . . . . . . . . . . . 133
     19.2. ....................................123
      17.2. Informational References . . . . . . . . . . . . . . . . 134
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . 135
   Intellectual Property and Copyright Statements  . . . . . . . . . 137 ................................124

1.  Introduction

   Unlike wired network elements, Wireless Termination Points (WTPs)
   require a set of dynamic management and control functions related to
   their primary task of connecting the wireless and wired mediums.
   Today, protocols for managing WTPs are either manual static
   configuration via HTTP, proprietary Layer 2 specific 2-specific, or non-existent
   (if the WTPs are self-contained).  The emergence of simple 802.11
   WTPs that are managed by a WLAN appliance or switch (also known as an
   Access Controller, or AC) suggests that having a standardized,
   interoperable protocol could radically simplify the deployment and
   management of wireless networks.  In many cases cases, the overall control
   and management functions themselves are generic and could apply to an
   AP for any wireless Layer 2 (L2) protocol.  Being independent of
   specific wireless Layer 2 technologies, such a protocol could better
   support interoperability between Layer 2 devices and enable smoother
   intertechnology handovers.

   The details of how these functions would be implemented are dependent
   on the particular Layer 2 wireless technology.  Such a protocol would
   need provisions for binding to specific technologies.

   LWAPP assumes a network configuration that consists of multiple WTPs
   communicating either via layer Layer 2 (MAC) (Message Authentication Code (MAC))
   or layer Layer 3 (IP) to an AC.  The WTPs can be considered as remote RF radio
   frequency (RF) interfaces, being controlled by the AC.  The AC
   forwards all L2 frames it wants to transmit to an a WTP via the LWAPP
   protocol.  Packets from mobile nodes are forwarded by the WTP to the
   AC, also via this protocol.  Figure 1 illustrates this arrangement as
   applied to an IEEE 802.11 binding.

      +-+          802.11frames         802.11 frames          +-+
      | |--------------------------------| |
      | |              +-+               | |
      | |--------------| |---------------| |
      | |  802.11 PHY/ | |     LWAPP     | |
      | | MAC sublayer | |               | |
      +-+              +-+               +-+
      STA              WTP                AC

      Figure 1: LWAPP Architecture
   Security is another aspect of Wireless Termination Point management
   that is not well served by existing solutions.  Provisioning WTPs
   with security credentials, and managing which WTPs are authorized to
   provide service are today handled by proprietary solutions.  Allowing
   these functions to be performed from a centralized AC in an
   interoperable fashion increases managability manageability and allows network
   operators to more tightly control their wireless network
   infrastructure.

   This document describes the Light Weight Lightweight Access Point Protocol
   (LWAPP), allowing an AC to manage a collection of WTPs.  The protocol
   is defined to be independent of Layer 2 technology, but an 802.11
   binding is provided for use in growing 802.11 wireless LAN networks.

   Goals

   Goals:

   The following are goals for this protocol:

   1. Centralization of the bridging, forwarding, authentication authentication, and
      policy enforcement functions for a wireless network.  Optionally,
      the AC may also provide centralized encryption of user traffic.
      This will permit reduced cost and higher efficiency when applying
      the capabilities of network processing silicon to the wireless
      network, as it has already been applied to wired LANs.

   2. Permit shifting of the higher level higher-level protocol processing burden
      away from the WTP.  This leaves the computing resource of the WTP
      to the timing critical timing-critical applications of wireless control and
      access.  This makes the most efficient use of the computing power
      available in WTPs that are the subject of severe cost pressure.

   3. Providing a generic encapsulation and transport mechanism, the
      protocol may be applied to other access point type types in the future
      by adding the binding.

   The LWAPP protocol concerns itself solely with the interface between
   the WTP and the AC.  Inter-AC, or mobile to AC mobile-to-AC communication is
   strictly outside the scope of this document.

1.1.  Conventions used Used in this document This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [1].

2.  Protocol Overview

   LWAPP is a generic protocol defining how Wireless Termination Points
   communicate with Access Controllers.  Wireless Termination Points and
   Access Controllers may communicate either by means of Layer 2
   protocols or by means of a routed IP network.

   LWAPP messages and procedures defined in this document apply to both
   types of transports unless specified otherwise.  Transport
   independence is achieved by defining formats for both MAC level MAC-level and
   IP level
   IP-level transport (see Section 3).  Also defined are framing,
   fragmentation/reassembly, and multiplexing services to LWAPP for each
   transport type.

   The LWAPP Transport layer carries two types of payload.  LWAPP Data
   Messages data
   messages are forwarded wireless frames.  LWAPP Control Messages control messages are
   management messages exchanged between an a WTP and an AC.  The LWAPP
   transport header defines the "C-bit", which is used to distinguish
   data and control traffic.  When used over IP, the LWAPP data and
   control traffic are also sent over separate UDP ports.  Since both
   data and control frames can exceed PMTU, Path Maximum Transmission Unit
   (PMTU), the payload of an LWAPP data or control message can be
   fragmented.  The fragmentation behavior is highly dependent upon the lower layer
   lower-layer transport and is defined in Section 3.

   The Light Weight Lightweight Access Protocol (LWAPP) begins with a discovery
   phase.  The WTPs send a Discovery Request frame, causing any Access
   Controller (AC) , (AC), receiving that frame to respond with a Discovery
   Response.  From the Discovery Responses received, an a WTP will select
   an AC with which to associate, using the Join Request and Join
   Response.  The Join Request also provides an MTU discovery mechanism,
   to determine whether there is support for the transport of large
   frames between the WTP and it's its AC.  If support for large frames is
   not present, the LWAPP frames will be fragmented to the maximum
   length discovered to be supported by the network.

   Once the WTP and the AC have joined, a configuration exchange is
   accomplished that will cause both devices to agree on version
   information.  During this exchange exchange, the WTP may receive provisioning
   settings.  For the 802.11 binding, this information would typically
   include a name (802.11 Service Set Identifier, SSID), and security
   parameters, the data rates to be advertised advertised, as well as the radio
   channel (channels, if the WTP is capable of operating more than one
   802.11 MAC and PHY Physical Layer (PHY) simultaneously) to be used.
   Finally, the WTPs are enabled for operation.

   When the WTP and AC have completed the version and provision exchange
   and the WTP is enabled, the LWAPP encapsulates the wireless frames
   sent between them.  LWAPP will fragment its packets, if the size of
   the encapsulated wireless user data (Data) or protocol control
   (Management) frames causes cause the resultant LWAPP packet to exceed the
   MTU supported between the WTP and AC.  Fragmented LWAPP packets are
   reassembled to reconstitute the original encapsulated payload.

   In addition to the functions thus far described, LWAPP also provides
   for the delivery of commands from the AC to the WTP for the
   management of devices that are communicating with the WTP.  This may
   include the creation of local data structures in the WTP for the
   managed devices and the collection of statistical information about
   the communication between the WTP and the 802.11 devices.  LWAPP
   provides the ability for the AC to obtain any statistical information
   collected by the WTP.

   LWAPP also provides for a keep alive keepalive feature that preserves the
   communication channel between the WTP and AC.  If the AC fails to
   appear alive, the WTP will try to discover a new AC to communicate
   through.

   This Document document uses terminology defined in [5] [5].

2.1.  Wireless Binding Definition

   This draft standard specifies a protocol independent of a specific
   wireless access point radio technology.  Elements of the protocol are
   designed to accommodate specific needs of each wireless technology in
   a standard way.  Implementation of this standard for a particular
   wireless technology must follow the binding requirements defined for
   that technology.  This specification includes a binding for the IEEE
   802.11 (see Section 11).

   When defining a binding for other technologies, the authors MUST
   include any necessary definitions for technology-specific messages
   and all technology-specific message elements for those messages.  At
   a minimum, a binding MUST provide the definition for a binding-
   specific Statistics message element, which is carried in the WTP
   Event Request message, and Add Mobile message element, which is
   carried in the Mobile Configure Request.  If any technology specific technology-specific
   message elements are required for any of the existing LWAPP messages
   defined in this specification, they MUST also be defined in the
   technology binding
   technology-binding document.

   The naming of binding-specific message elements MUST begin with the
   name of the technology type, e.g., the binding for IEEE 802.11,
   provided in this standard, begins with "IEEE 802.11"." 802.11".

2.2.  LWAPP State Machine Definition

   The following state diagram represents the lifecycle life cycle of an a WTP-AC
   session:

      /-------------\
      |             v
      |       +------------+
      |      C|    Idle    |<-----------------------------------\
      |       +------------+<-----------------------\           |
      |        ^    |a    ^                         |           |
      |        |    |     \----\                    |           |
      |        |    |          |                 +------------+ |
      |        |    |          |          -------| Key Confirm| |
      |        |    |          |        w/       +------------+ |
      |        |    |          |        |           ^           |
      |        |    |          |t       V           |5          |
      |        |    |        +-----------+       +------------+ |
      |       /     |       C|    Run    |       | Key Update | |
      |     /       |       r+-----------+------>+------------+ |
      |    /        |              ^    |s      u        x|     |
      |   |         v              |    |                 |     |
      |   |   +--------------+     |    |                 v     |y
      |   |  C|  Discovery   |    q|    \--------------->+-------+
      |   |  b+--------------+    +-------------+        | Reset |
      |   |     |d     f|  ^      |  Configure  |------->+-------+
      |   |     |       |  |      +-------------+p           ^
      |   |e    v       |  |              ^                  |
      |  +---------+    v  |i            2|                  |
      | C| Sulking |   +------------+    +--------------+    |
      |  +---------+  C|    Join    |--->| Join-Confirm |    |
      |               g+------------+z   +--------------+    |
      |                   |h      m|        3|       |4      |
      |                   |        |         |       v       |o
      |\                  |        |         |     +------------+
       \\-----------------/         \--------+---->| Image Data |C
        \------------------------------------/     +------------+n

                        Figure 2: LWAPP State Machine

   The LWAPP state machine, depicted above, is used by both the AC and
   the WTP.  For every state defined, only certain messages are
   permitted to be sent and received.  In all of the LWAPP control
   messages defined in this document, the state for which each command
   is valid is specified.

   Note that in the state diagram figure above, the 'C' character is
   used to represent a condition that causes the state to remain the
   same.

   The following text discusses the various state transitions, and the
   events that cause them.

   Idle to Discovery (a):  This is the initialization state.

      WTP:  The WTP enters the Discovery state prior to transmitting the
            first Discovery Request (see Section 5.1).  Upon entering
            this state, the WTP sets the DiscoveryInterval timer (see
            Section 12).  The WTP resets the DiscoveryCount counter to
            zero (0) (see Section 13).  The WTP also clears all
            information from ACs (e.g., AC Addresses) it may have
            received during a previous
         Discovery discovery phase.

       AC:  The AC does not need to maintain state information for the
            WTP upon reception of the Discovery Request, but it MUST
            respond with a Discovery Response (see Section 5.2).

   Discovery to Discovery (b):  This is the state the WTP uses to
   determine to which AC it wishes to connect to. connect.

      WTP:  This event occurs when the DiscoveryInterval timer expires.
            The WTP transmits a Discovery Request to every AC to which
            the WTP hasn't received a response to. response.  For every transition to
            this event, the WTP increments the DisoveryCount counter.
            See Section 5.1) 5.1 for more information on how the WTP knows to
            which ACs it should transmit the Discovery Requests to. Requests.  The
            WTP restarts the DiscoveryInterval timer.

       AC:  This is a noop.

   Discovery to Sulking (d):  This state occurs on a WTP when Discovery
   or connectivity to the AC fails.

      WTP:  The WTP enters this state when the DiscoveryInterval timer
            expires and the DiscoveryCount variable is equal to the
            MaxDiscoveries variable (see Section 13).  Upon entering
            this state, the WTP will start the SilentInterval timer.
            While in the Sulking state, all LWAPP messages received are
            ignored.

       AC:  This is a noop.

   Sulking to Idle (e):  This state occurs on a WTP when it must restart
   the discovery phase.

      WTP:  The WTP enters this state when the SilentInterval timer (see
            Section 12) expires.

       AC:  This is a noop.

   Discovery to Join (f):  This state is used by the WTP to confirm its
   commitment to an AC that it wishes to be provided service.

      WTP:  The WTP selects the best AC based on the information it
            gathered during the Discovery Phase. discovery phase.  It then transmits a
            Join Request (see Section 6.1 6.1) to its preferred AC.  The WTP
            starts the WaitJoin Timer timer (see Section 12).

       AC:  The AC enters this state for the given WTP upon reception of
            a Join Request.  The AC processes the request and responds
            with a Join Response.

   Join to Join (g):  This state transition occurs during the join
   phase.

      WTP:  The WTP enters this state when the WaitJoin timer expires,
            and the underlying transport requires LWAPP MTU detection
         Section
            (Section 3).

       AC:  This state occurs when the AC receives a retransmission of a
            Join Request.  The WTP processes the request and responds
            with the Join Response.. Response.

   Join to Idle (h):  This state is used when the join process has
   failed.

      WTP:  This state transition occurs if the WTP is configured to use
         PSK
            pre-shared key (PSK) security and receives a Join Response
            that includes an invalid PSK-MIC (Message Integrity Check)
            message element.

       AC:  The AC enters this state when it transmits an unsuccessful
            Join Response.

   Join to Discovery (i):  This state is used when the join process has
   failed.

      WTP:  The WTP enters this state when it receives an unsuccessful
            Join Response.  Upon entering this state, the WTP sets the
            DiscoveryInterval timer (see Section 12).  The WTP resets
            the DiscoveryCount counter to zero (0) (see Section 13).
            This state transition may also occur if the PSK-MIC (see
            Section 6.2.9) message element is invalid.

       AC:  This state transition is invalid.

   Join to Join-Confirm (z):  This state is used to provide key
   confirmation during the join process.

      WTP:  This state is entered when the WTP receives a Join Response.
            In the event that certificate based certificate-based security is utilized,
            this transition will occur if the Certificate message
            element is present and valid in the Join Response.  For
            pre-shared key security, the Join Response must include a valud
            valid and authenticated PSK-MIC message element.  The WTP
            MUST respond with a Join ACK, which is used to provide key
            confirmation.

       AC:  The AC enters this state when it receives a valid Join ACK.
            For certificate based certificate-based security, the Join ACK MUST include a
         valid and authenticated xxxx
            the WNonce message element.  For pre-shared key security,
            the message must include a valid PSK-MIC message element.
            The AC MUST respond with a Join Confirm message, which
            includes the Session Key message element.

   Join-Confirm to Idle (3):  This state is used when the join process
   has failed.

      WTP:  This state transition occurs when the WTP receives an
            invalid Join Confirm.

       AC:  The AC enters this state when it receives an invalid Join
            ACK.

   Join-Confirm to Configure (2):  This state is used by the WTP and the
   AC to exchange configuration information.

      WTP:  The WTP enters this state when it receives a successful Join
         Confirm,
            Confirm and determines that its version number and the
            version number advertised by the AC are the same.  The WTP
            transmits the Configure Request (see Section 7.2) message to
            the AC with a snapshot of its current configuration.  The
            WTP also starts the ResponseTimeout timer (see Section 12).

       AC:  This state transition occurs when the AC receives the
            Configure Request from the WTP.  The AC must transmit a
            Configure Response (see Section 7.3) to the WTP, and may
            include specific message elements to override the WTP's
            configuration.

   Join-Confirm to Image Data (4):  This state is used by the WTP and
   the AC to download executable firmware.

      WTP:  The WTP enters this state when it receives a successful Join
            Confirm, and determines that its version number and the
            version number advertised by the AC are different.  The WTP
            transmits the Image Data Request (see Section 8.1) message
            requesting that the AC's latest firmware be initiated.

       AC:  This state transition occurs when the AC receives the Image
            Data Request from the WTP.  The AC must transmit a an Image
            Data Response (see Section 8.2) to the WTP, which includes a
            portion of the firmware.

   Image Data to Image Data (n):  This state is used by the WTP and the
   AC during the firmware download phase.

      WTP:  The WTP enters this state when it receives a an Image Data
            Response that indicates that the AC has more data to send.

       AC:  This state transition occurs when the AC receives the Image
            Data Request from the WTP while already in this state, and
            it detects that the firmware download has not completed.

   Image Data to Reset (o):  This state is used when the firmware
   download is completed.

      WTP:  The WTP enters this state when it receives a an Image Data
            Response that indicates that the AC has no more data to
            send, or if the underlying LWAPP transport indicates a link
            failure.  At this point, the WTP reboots itself.

       AC:  This state transition occurs when the AC receives the Image
            Data Request from the WTP while already in this state, and
            it detects that the firmware download has completed, completed or if
            the underlying LWAPP transport indicates a link failure.
            Note that the AC itself does not reset, but it places the
            specific WTPs WTP's context it is communicating with in the reset state,
            state: meaning that it clears all state associated with the
            WTP.

   Configure to Reset (p):  This state transition occurs if the
      Configure
   configure phase fails.

      WTP:  The WTP enters this state when the reliable transport fails
            to deliver the Configure Request, or if the ResponseTimeout
         Timer
            timer (see Section 12)expires. 12) expires.

       AC:  This state transition occurs if the AC is unable to transmit
            the Configure Response to a specific WTP.  Note that the AC
            itself does not reset, but it places the specific WTPs WTP's
            context it is communicating with in the reset state, state: meaning
            that it clears all state associated with the WTP.

   Configure to Run (q):  This state transition occurs when the WTP and
   AC enters enter their normal state of operation.

      WTP:  The WTP enters this state when it receives a successful
            Configure Response from the AC.  The WTP initializes the
            HeartBeat Timer timer (see Section 12), and transmits the Change
            State Event Request message (see Section 7.6).

       AC:  This state transition occurs when the AC receives the Change
            State Event Request (see Section 7.6) from the WTP.  The AC
            responds with a Change State Event Response (see Section
            7.7) message.  The AC must start the Session ID and Neighbor Dead
            NeighborDead timers (see Section 12).

   Run to Run (r):  This is the normal state of operation.

      WTP:  This is the WTP's normal state of operation, and there are
            many events that cause this to occur:

         Configuration Update:  The WTP receives a Configuration Update
         Request (see Section 7.4).  The WTP MUST respond with a
         Configuration Update Response (see Section 7.5).

         Change State Event:  The WTP receives a Change State Event
         Response, or determines that it must initiate a Change State
         Event Request, as a result of a failure or change in the state
         of a radio.

         Echo Request:  The WTP receives an Echo Request message
            Section
         (Section 6.5), to which it MUST respond with an Echo Response
         (see Section 6.6).

         Clear Config Indication:  The WTP receives a Clear Config
         Indication message Section (Section 7.8).  The WTP MUST reset its
         configuration back to manufacturer defaults.

         WTP Event:  The WTP generates a WTP Event Request to send
         information to the AC Section (Section 8.5).  The WTP receives a WTP
         Event Response from the AC Section (Section 8.6).

         Data Transfer:  The WTP generates a Data Transfer Request to
         the AC Section (Section 8.7).  The WTP receives a Data Transfer
         Response from the AC Section (Section 8.8).

         WLAN Config Request:  The WTP receives an a WLAN Config Request
         message Section (Section 11.8.1), to which it MUST respond with an a WLAN
         Config Response (see Section 11.8.2).

         Mobile Config Request:  The WTP receives an Mobile Config
         Request message Section (Section 9.1), to which it MUST respond with an a
         Mobile Config Response (see Section 9.2).

       AC:  This is the AC's normal state of operation, and there are
            many events that cause this to occur:

         Configuration Update:  The AC sends a Configuration Update
         Request (see Section 7.4) to the WTP to update its
         configuration.  The AC receives a Configuration Update Response
         (see Section 7.5) from the WTP.

         Change State Event:  The AC receives a Change State Event
         Request (see Section 7.6), to which it MUST respond to with the
         Change State Event Response (see Section 7.7).

         Echo:  The AC sends an Echo Request message Section (Section 6.5) or
         receives the associated Echo Response (see Section 6.6) from
         the WTP.

         Clear Config Indication:  The AC sends a Clear Config
         Indication message Section (Section 7.8).

         WLAN Config:  The AC sends an a WLAN Config Request message
            Section
         (Section 11.8.1) or receives the associated WLAN Config
         Response (see Section 11.8.2) from the WTP.

         Mobile Config:  The AC sends an a Mobile Config Request message
            Section
         (Section 9.1) or receives the associated Mobile Config Response
         (see Section 9.2) from the WTP.

         Data Transfer:  The AC receives a Data Transfer Request from
         the AC (see Section 8.7) and MUST generate the associated Data
         Transfer Response message (see Section 8.8).

         WTP Event:  The AC receives a WTP Event Request from the AC
         (see Section 8.5) and MUST generate the associated WTP Event
         Response message (see Section 8.6).

   Run to Reset (s):  This event occurs when the AC wishes for the WTP
   to reboot.

      WTP:  The WTP enters this state when it receives a Reset Request
            (see Section 8.3).  It must respond with a Reset Response
            (see Section 8.4), and once the reliable transport
            acknowledgement has been received, it must reboot itself.

       AC:  This state transition occurs either through some
            administrative action, or via some internal event on the AC
            that causes it to request that the WTP disconnect.  Note
            that the AC itself does not reset, but it places the
            specific WTPs context it is communicating with in the reset
            state.

   Run to Idle (t):  This event occurs when an error occurs in the
   communication between the WTP and the AC.

      WTP:  The WTP enters this state when the underlying reliable
            transport in is unable to transmit a message within the
            RetransmitInterval timer (see Section 12), and the maximum
            number of RetransmitCount counter has reached the
            MaxRetransmit variable (see Section 13).

       AC:  The AC enters this state when the underlying reliable
            transport in unable to transmit a message within the
            RetransmitInterval timer (see Section 12), and the maximum
            number of RetransmitCount counter has reached the
            MaxRetransmit variable (see Section 13).

   Run to Key Update (u):  This event occurs when the WTP and the AC are
   to exchange new keying material, with which it must use to protect
   all future messages.

      WTP:  This state transition occurs when the KeyLifetime timer
            expires (see Section 12).

       AC:  The WTP enters this state when it receives a Key Update
            Request (see Section 6.7).

   Key Update to Key Confirm (w):  This event occurs during the rekey
   phase and is used to complete the loop.

      WTP:  This state transition occurs when the WTP receives the Key
            Update Response.  The WTP MUST only accept the message if it
            is authentic.  The WTP responds to this response with a Key
            Update ACK.

       AC:  The AC enters this state when it receives an authenticated
            Key Update ACK message.

   Key Confirm to Run (5):  This event occurs when the rekey exchange
   phase is completed.

      WTP:  This state transition occurs when the WTP receives the Key
            Update Confirm.  The newly derived encryption key and IV
            Initialization Vector (IV) must be plumbed into the crypto
            module after validating the message's authentication.

       AC:  The AC enters this state when it transmits the Key Update
            Confirm message.  The newly derived encryption key and IV
            must be plumbed into the crypto module after transmitting a
            Key Update Confirm message.

   Key Update to Reset (x):  This event occurs when the key exchange
   phase times out.

      WTP:  This state transition occurs when the WTP does not receive a
            Key Update Response from the AC.

       AC:  The AC enters this state when it is unable to process a Key
            Update Request.

   Reset to Idle (y):  This event occurs when the state machine is
   restarted.

      WTP:  The WTP reboots itself.  After reboot rebooting, the WTP will start
            its LWAPP state machine in the Idle state.

       AC:  The AC clears out any state associated with the WTP.  The AC
            generally does this as a result of the reliable link layer
            timing out.

3.  LWAPP Transport Layers

   The LWAPP protocol can operate at layer Layer 2 or 3.  For layer Layer 2 support,
   the LWAPP messages are carried in a native Ethernet frame.  As such,
   the protocol is not routable and depends upon layer Layer 2 connectivity
   between the WTP and the AC.  Layer 3 support is provided by
   encapsulating the LWAPP messages within UDP.

3.1.  LWAPP Transport Header

   All LWAPP protocol packets are encapsulated using a common header
   format, regardless of the transport used to carry the frames.
   However, certain flags are not applicable for a given transport, and
   it is therefore necessary to refer to the specific transport section
   in order to determine which flags are valid.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |VER| RID |C|F|L|    Frag ID    |            Length             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          Status/WLANs         |   Payload...  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.1.1.  VER Field

   A 2 bit 2-bit field which that contains the version of LWAPP used in this packet.
   The value for this draft document is 0.

3.1.2.  RID Field

   A 3 bit 3-bit field which that contains the Radio ID number for this packet.
   WTPs with multiple radios but a single MAC Address address use this field to
   indicate which radio is associated with the packet.

3.1.3.  C Bit

   The Control Message control message 'C' bit indicates whether this packet carries a
   data or control message.  When this bit is zero (0), the packet
   carries an LWAPP data message in the payload (see Section 4.1).  When
   this bit is one (1), the packet carries an LWAPP control message as
   defined in section Section 4.2 for consumption by the addressed destination.

3.1.4.  F Bit

   The Fragment 'F' bit indicates whether this packet is a fragment.
   When this bit is one (1), the packet is a fragment and MUST be
   combined with the other corresponding fragments to reassemble the
   complete information exchanged between the WTP and AC.

3.1.5.  L Bit

   The Not Last 'L' bit is valid only if the 'F' bit is set and
   indicates whether the packet contains the last fragment of a
   fragmented exchange between the WTP and AC.  When this bit is 1, the
   packet is not the last fragment.  When this bit is 0, the packet is
   the last fragment.

3.1.6.  Fragment ID

   An 8 bit 8-bit field whose value is assigned to each group of fragments
   making up a complete set.  The fragment Fragment ID space is managed
   individually for every WTP/AC pair.  The value of Fragment ID is
   incremented with each new set of fragments.  The Fragment ID wraps to
   zero after the maximum value has been used to identify a set of
   fragments.  LWAPP only supports up to 2 fragments per frame.

3.1.7.  Length

   The 16 bit 16-bit length field contains the number of bytes in the Payload.
   The field is encoded as an unsigned number.  If the LWAPP packet is
   encrypted, the length field includes the AES-CCM Advanced Encryption Standard
   Counter with CBC-MAC (AES-CCM) MIC (see Section 10.2 for more
   information).

3.1.8.  Status and WLANS

   The interpretation of this 16 bit 16-bit field is binding specific. binding-specific.  Refer
   to the transport portion of the binding for a wireless technology for
   the specification.

3.1.9.  Payload

   This field contains the header for an LWAPP Data Message data message or LWAPP
   Control Message,
   control message, followed by the data associated with that message.

3.2.  Using IEEE 802.3 MAC as LWAPP transport Transport

   This section describes how the LWAPP protocol is provided over native
   ethernet
   Ethernet frames.  An LWAPP packet is formed from the MAC frame header
   header, followed by the LWAPP message header.  The following figure
   provides an example of the frame formats used when LWAPP is used over
   the IEEE 802.3 transport.

      Layer 2 LWAPP Data Frame
      +-----------------------------------------------------------+
      | MAC Header | LWAPP Header [C=0] | Forwarded Data ...      |
      +-----------------------------------------------------------+

      Layer 2 LWAPP Control Frame
      +---------------------------------------------------+
      | MAC Header | LWAPP Header [C=1] | Control Message |
      +---------------------------------------------------+
      | Message Elements ... |
      +----------------------+

3.2.1.  Framing

   Source Address

   A MAC address belonging to the interface from which this message is
   sent.  If multiple source addresses are configured on an interface,
   then the one chosen is implementation dependent. implementation-dependent.

   Destination Address

   A MAC address belonging to the interface to which this message is to
   be sent.  This destination address MAY be either an individual
   address or a multicast address, if more than one destination
   interface is intended.

   Ethertype

   The Ethertype field is set to 0x88bb.

3.2.2.  AC Discovery

   When run over IEEE 802.3, LWAPP messages are distributed to a
   specific MAC level MAC-level broadcast domain.  The AC discovery mechanism used
   with this transport is for an a WTP to transmit a Discovery Request
   message to a broadcast destination MAC address.  The ACs will receive
   this message and reply based on their policy.

3.2.3.  LWAPP Message Header format Format over IEEE 802.3 MAC transport Transport

   All of the fields described in Section 3.1 are used when LWAPP uses
   the IEEE 802.3 MAC transport.

3.2.4.  Fragmentation/Reassembly

   Fragmentation at the MAC layer is managed using the F,L F, L, and Frag ID
   fields of the LWAPP message header.  The LWAPP protocol only allows a
   single packet to be fragmented into 2, which is sufficient for a
   frame that exceeds MTU due to LWAPP encapsulation.  When used with
   layer
   Layer 2 (Ethernet) transport, both fragments MUST include the LWAPP
   header.

3.2.5.  Multiplexing

   LWAPP control messages and data messages are distinguished by the C
   Bit 'C'
   bit in the LWAPP message header.

3.3.  Using IP/UDP as LWAPP transport Transport

   This section defines how LWAPP makes use of IP/UDP transport between
   the WTP and the AC.  When this transport is used, the MAC layer is
   controlled by the IP stack, and there are therefore no special MAC MAC-
   layer requirements.  The following figure provides an example of the
   frame formats used when LWAPP is used over the IP/UDP transport.  IP
   stacks can be either IPv4 or IPv6.

      Layer 3 LWAPP Data Frame
      +--------------------------------------------+
      | MAC Header | IP | UDP | LWAPP Header [C=0] |
      +--------------------------------------------+
      |Forwarded Data ... |
      +-------------------+

      Layer 3 LWAPP Control Frame
      +--------------------------------------------+
      | MAC Header | IP | UDP | LWAPP Header [C=1] |
      +--------------------------------------------+
      | Control Message | Message Elements ... |
      +-----------------+----------------------+

3.3.1.  Framing

   Communication between the WTP and AC is established according to the
   standard UDP client/server model.  The connection is initiated by the
   WTP (client) to the well-known UDP port of the AC (server) used for
   control messages.  This UDP port number of the AC is 12222 for LWAPP
   data and 12223 for LWAPP control frames.

3.3.2.  AC Discovery

   When LWAPP is run over routed IP networks, the WTP and the AC do not
   need to reside in the same IP subnet (broadcast domain).  However, in
   the event the peers reside on separate subnets, there must exist a
   mechanism for the WTP to discover the AC.

   As the WTP attempts to establish communication with the AC, it sends
   the Discovery Request message and receives the corresponding response
   message from the AC.  The WTP must send the Discovery Request message
   to either the limited broadcast IP address (255.255.255.255), a well
   known multicast address address, or to the unicast IP address of the AC.  Upon
   receipt of the message, the AC issues a Discovery Response message to
   the unicast IP address of the WTP, regardless of whether a Discovery
   Request was sent as a broadcast, multicast multicast, or unicast message.

   Whether the WTP uses a limited IP broadcast, multicast or unicast IP
   address is implementation dependent. implementation-dependent.

   In order for a WTP to transmit a Discovery Request to a unicast
   address, the WTP must first obtain the IP address of the AC.  Any
   static configuration of an AC's IP address on the WTP non-volatile
   storage is implementation dependent. implementation-dependent.  However, additional dynamic
   schemes are possible, possible: for example:

   DHCP:  A comma delimited ASCII encoded comma-delimited, ASCII-encoded list of AC IP addresses is
          embedded inside a DHCP vendor specific vendor-specific option 43 extension.
          An example of the actual format of the vendor specific vendor-specific payload
          for IPv4 is of the form "10.1.1.1, 10.1.1.2".

    DNS:  The DNS name "LWAPP-AC-Address" MAY be resolvable to one or
          more AC
      addresses addresses.

3.3.3.  LWAPP Message Header format Format over IP/UDP transport Transport

   All of the fields described in Section 3.1 are used when LWAPP uses
   the IPv4/UDP or IPv6/UDP transport, with the following exceptions: exceptions.

3.3.3.1.  F Bit

   This flag field is not used with this transport, and MUST be set to
   zero.

3.3.3.2.  L Bit

   This flag field is not used with this transport, and MUST be set to
   zero.

3.3.3.3.  Frag ID

   This field is not used with this transport, and MUST be set to zero.

3.3.4.  Fragmentation/Reassembly for IPv4

   When LWAPP is implemented at L3, the transport layer uses IP
   fragmentation to fragment and reassemble LWAPP messages that are
   longer than the MTU size used by either the WTP or AC.  The details
   of IP fragmentation are covered in [8].  When used with the IP transport,
   only the first fragment would include the LWAPP header

   [ed: IP fragmentation may raise security concerns and bring
   additional configuration requirements for certain firewalls and NATs.
   One alternative is to re-use
   transport, only the layer 2 (application layer)
   fragmentation reassembly.  Comments are welcomed.] first fragment would include the LWAPP header.

3.3.5.  Fragmentation/Reassembly for IPv6

   IPv6 does MTU discovery so fragmentation and re-assembly is not
   necessary for UDP packets.

3.3.6.  Multiplexing

   LWAPP messages convey control information between WTP and AC, as well
   as binding specific data frames or binding specific management
   frames.  As such, LWAPP messages need to be multiplexed in the
   transport sub-layer and be delivered to the proper software entities
   in the endpoints of the protocol.  However, the 'C' bit is still used
   to differentiate between data and control frames.

   In case of Layer 3 connection, multiplexing is achieved by use of
   different UDP ports for control and data packets (see Section 3.3.1. 3.3.1).

   As part of the Join procedure, the WTP and AC may negotiate different
   IP Addresses for data or control messages.  The IP Address address returned
   in the AP Manager Control IP Address message element is used to
   inform the WTP with the IP address to which it must sent send all control
   frames.  The AP Manager Data IP Address message element MAY be
   present only if the AC has a different IP Address which address that the WTP is to
   use to send its data LWAPP frames.

   In the event the WTP and AC are separated by a NAT, with the WTP
   using private IP address space, it is the responsibility of the NAT
   to manage appropriate UDP port mapping.

4.  LWAPP Packet Definitions

   This section contains the packet types and format.  The LWAPP
   protocol is designed to be transport agnostic transport-agnostic by specifying packet
   formats for both MAC frames and IP packets.  An LWAPP packet consists
   of an LWAPP Transport Layer packet header followed by an LWAPP
   message.

   Transport details can be found in Section 3.

4.1.  LWAPP Data Messages

   An LWAPP data message is a forwarded wireless frame.  When forwarding
   wireless frames, the sender simply encapsulates the wireless frame in
   an LWAPP data packet, using the appropriate transport rules defined
   in section Section 3.

   In the event that the encapsulated frame would exceed the transport
   layer's MTU, the sender is responsible for the fragmentation of the
   frame, as specified in the transport specific transport-specific section of Section 3.

   The actual format of the encapsulated LWAPP data frame is subject to
   the rules defined under the specific wireless technology binding.

4.2.  LWAPP Control Messages Overview

   The LWAPP Control protocol provides a control channel between the WTP
   and the AC.  The control channel is the series of control messages
   between the WTP and AC, associated with a session ID and key.
   Control messages are divided into the following distinct message
   types:

   Discovery:  LWAPP Discovery messages are used to identify potential
      ACs, their load and capabilities.

   Control Channel Management:  Messages that fall within this
      classification are used for the discovery of ACs by the WTPs as
      well as the establishment and maintenance of an LWAPP control
      channel.

   WTP Configuration:  The WTP Configuration messages are used by the AC
      to push a specific configuration to the WTPs with which it has a
      control
      channel with. channel.  Messages that deal with the retrieval of
      statistics from the WTP also fall in this category.

   Mobile Session Management:  Mobile session management Session Management messages are
      used by the AC to push specific mobile policies to the WTP.

   Firmware Management:  Messages in this category are used by the AC to
      push a new firmware image down to the WTP.

   Control Channel, WTP Configuration Configuration, and Mobile Session Management
   MUST be implemented.  Firmware Management MAY be implemented.

   In addition, technology specific technology-specific bindings may introduce new control
   channel commands that depart from the above list.

4.2.1.  Control Message Format

   All LWAPP control messages are sent encapsulated within the LWAPP
   header (see Section 3.1).  Immediately following the header, header is the
   LWAPP control header, which has the following format:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Message Type |    Seq Num    |      Msg Element Length       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Session ID                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      Msg Element [0..N]       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

4.2.1.1.  Message Type

   The Message Type field identifies the function of the LWAPP control
   message.  The valid values for a Message Type are the following:

                  Description                       Value
                  Discovery Request                    1
                  Discovery Response                   2
                  Join Request                         3
                  Join Response                        4
                  Join ACK                             5
                  Join Confirm                         6
                  Unused                             7-9
                  Configure Request                   10
                  Configure Response                  11
                  Configuration Update Request        12
                  Configuration Update Response       13
                  WTP Event Request                   14
                  WTP Event Response                  15
                  Change State Event Request          16
                  Change State Event Response         17
                  Unused                           18-21
                  Echo Request                        22
                  Echo Response                       23
                  Image Data Request                  24
                  Image Data Response                 25
                  Reset Request                       26
                  Reset Response                      27
                  Unused                           28-29
                  Key Update Request                  30
                  Key Update Response                 31
                  Primary Discovery Request           32
                  Primary Discovery Response          33
                  Data Transfer Request               34
                  Data Transfer Response              35
                  Clear Config Indication             36
                  WLAN Config Request                 37
                  WLAN Config Response                38
                  Mobile Config Request               39
                  Mobile Config Response              40

4.2.1.2.  Sequence Number

   The Sequence Number Field field is an identifier value to match request/
   response packet exchanges.  When an LWAPP packet with a request
   message type is received, the value of the sequence number Sequence Number field is
   copied into the corresponding response packet.

   When an LWAPP control frame is sent, its internal sequence number
   counter is monotonically incremented, ensuring that no two requests
   pending have the same sequence number.  This field will wrap back to
   zero.

4.2.1.3.  Message Element Length

   The Length length field indicates the number of bytes following the Session
   ID field.  If the LWAPP packet is encrypted, the length field
   includes the AES-CCM MIC (see Section 10.2 for more information).

4.2.1.4.  Session ID

   The Session ID is a 32-bit unsigned integer that is used to identify
   the security context for encrypted exchanges between the WTP and the
   AC.  Note that a Session ID is a random value that MUST be unique
   between a given AC and any of the WTP WTPs with which it may be communicating with.
   communicating.

4.2.1.5.  Message Element[0..N] Element [0..N]

   The message element(s) carry the information pertinent to each of the
   control message types.  Every control message in this specification
   specifies which message elements are permitted.

4.2.2.  Message Element Format

   The message element is used to carry information pertinent to a
   control message.  Every message element is identified by the Type
   field, whose numbering space is managed via IANA (see Section 16).
   The total length of the message elements is indicated in the Message
   Element Length field.

   All of the message element definitions in this document use a diagram
   similar to the one below in order to depict its format. their formats.  Note that
   in order to simplify this specification, these diagrams do not
   include the header fields (Type and Length).  However, in every each
   message element description, the header's fields field values will be
   defined.

   Note that additional message elements may be defined in separate IETF
   documents.

   The format of a message element uses the TLV format shown here:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      Type     |             Length            |   Value ...   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Where

   where Type (8 bit) bits) identifies the character of the information
   carried in the Value field and Length (16 bits) indicates the number
   of bytes in the Value field.

4.2.2.1.  Generic Message Elements

   This section includes message elements that are not bound to a
   specific control message.

4.2.2.1.1.  Vendor Specific

   The Vendor Specific Vendor-Specific Payload is used to communicate vendor specific vendor-specific
   information between the WTP and the AC.  The value contains the
   following format:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Vendor Identifier                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          Element ID           |   Value...    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   104 for Vendor Specific

   Length:   >= 7

   Vendor Identifier:   A 32-bit value containing the IANA assigned IANA-assigned "SMI
      Network Management Private Enterprise Codes" [13] [13].

   Element ID:   A 16-bit Element Identifier which that is managed by the
      vendor.

   Value:   The value associated with the vendor specific vendor-specific element.

4.2.3.  Quality of Service

   It is recommended that LWAPP control messages be sent by both the AC
   and the WTP with an appropriate Quality of Service Quality-of-Service precedence value,
   ensuring that congestion in the network minimizes occurences of LWAPP
   control channel disconnects.  Therefore, a Quality of Service enabled Quality-of-Service-enabled
   LWAPP device should use:

   802.1P:   The precedence value of 7 SHOULD be used.

   DSCP:   The dscp Differentiated Services Code Point (DSCP) tag value of 46
           SHOULD be used.

5.  LWAPP Discovery Operations

   The Discovery messages are used by an a WTP to determine which ACs are
   available to provide service, as well as the capabilities and load of
   the ACs.

5.1.  Discovery Request

   The Discovery Request is used by the WTP to automatically discover
   potential ACs available in the network.  An  A WTP must transmit this
   command even if it has a statically configured AC, as it is a
   required step in the LWAPP state machine.

   Discovery Requests MUST be sent by an a WTP in the Discover state after
   waiting for a random delay less of than MaxDiscoveryInterval, after an a
   WTP first comes up or is (re)initialized.  An  A WTP MUST send no more
   than a maximum of MaxDiscoveries discoveries, waiting for a random
   delay less than MaxDiscoveryInterval between each successive
   discovery.

   This is to prevent an explosion of WTP Discoveries.  An example of
   this occurring would be when many WTPs are powered on at the same
   time.

   Discovery requests Requests MUST be sent by an a WTP when no echo responses Echo Responses are
   received for NeighborDeadInterval and the WTP returns to the Idle
   state.  Discovery requests Requests are sent after NeighborDeadInterval, they
   MUST be sent after waiting for a random delay less than
   MaxDiscoveryInterval.  An  A WTP MAY send up to a maximum of
   MaxDiscoveries discoveries, waiting for a random delay less than
   MaxDiscoveryInterval between each successive discovery.

   If a discovery response Discovery Response is not received after sending the maximum
   number of discovery requests, Discovery Requests, the WTP enters the Sulking state and
   MUST wait for an interval equal to SilentInterval before sending
   further discovery requests. Discovery Requests.

   The Discovery Request message may be sent as a unicast, broadcast broadcast, or
   multicast message.

   Upon receiving a discovery request, Discovery Request, the AC will respond with a
   Discovery Response sent to the address in the source address of the
   received discovery request. Discovery Request.

   The following subsections define the message elements that MUST be
   included in this LWAPP operation.

5.1.1.  Discovery Type

   The Discovery message element is used to configure an a WTP to operate
   in a specific mode.

       0
       0 1 2 3 4 5 6 7
      +-+-+-+-+-+-+-+-+
      | Discovery Type|
      +-+-+-+-+-+-+-+-+

   Type:   58 for Discovery Type

   Length:   1

   Discovery Type:   An 8-bit value indicating how the AC was
      discovered.  The following values are supported:

      0 -  Broadcast

      1 -  Configured

5.1.2.  WTP Descriptor

   The WTP descriptor Descriptor message element is used by the WTP to communicate
   it's
   its current hardware/firmware configuration.  The value contains the
   following fields.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Hardware   Version                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Software   Version                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          Boot   Version                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Max Radios  | Radios in use |    Encryption Capabilities    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   3 for WTP Descriptor

   Length:   16

   Hardware Version:   A 32-bit integer representing the WTP's hardware
      version number number.

   Software Version:   A 32-bit integer representing the WTP's Firmware
      version number number.

   Boot Version:   A 32-bit integer representing the WTP's boot loader's
      version number number.

   Max Radios:   An 8-bit value representing the number of radios (where
      each radio is identified via the RID field) supported by the WTP WTP.

   Radios in use: Use:   An 8-bit value representing the number of radios
      present in the WTP WTP.

   Encryption Capabilities:   This 16-bit field is used by the WTP to
      communicate it's its capabilities to the AC.  Since most WTPs support
      link layer
      link-layer encryption, the AC may make use of these services.
      There are binding dependent binding-dependent encryption capabilites.  An  A WTP that
      does not have any encryption capabilities would set this field to
      zero (0).  Refer to the specific binding for the specification.

5.1.3.  WTP Radio Information

   The WTP radios information Radio Information message element is used to communicate the
   radio information in a specific slot.  The Discovery Request MUST
   include one such message element per radio in the WTP.  The Radio-
   Type field is used by the AC in order to determine which technology technology-
   specific binding is to be used with the WTP.

   The value contains two fields, as shown. shown:

       0                   1
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Radio ID    |   Radio Type  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   4 for WTP Radio Information

   Length:   2

   Radio ID:   The Radio Identifier, typically refers to some interface
      index on the WTP WTP.

   Radio Type:   The type of radio present.  The following values are
      supported
      supported:

      1 - 802.11bg:   An 802.11bg radio.

      2 - 802.11a:   An 802.11a radio.

      3 - 802.16:   An 802.16 radio.

      4 - Ultra Wideband:   An   A UWB radio.

      7 - all:   Used to specify all radios in the WTP.

5.2.  Discovery Response

   The Discovery Response is a mechanism by which an AC advertises its
   services to requesting WTPs.

   Discovery Responses are sent by an AC after receiving a Discovery
   Request.

   When an a WTP receives a Discovery Response, it MUST wait for an
   interval not less than DiscoveryInterval for receipt of additional
   Discovery Responses.  After the DiscoveryInterval elapses, the WTP
   enters the Joining state and will select one of the ACs that sent a
   Discovery Response and send a Join Request to that AC.

   The following subsections define the message elements that MUST be
   included in this LWAPP operation.

5.2.1.  AC Address

   The AC address Address message element is used to communicate the identity of
   the AC.  The value contains two fields, as shown. shown:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Reserved    |                  MAC Address                  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                 MAC Address                   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   2 for AC Address

   Length:   7

   Reserved:   MUST be set to zero
   Mac

   MAC Address:   The MAC Address address of the AC

5.2.2.  AC Descriptor

   The AC payload Descriptor message element is used by the AC to communicate it's
   its current state.  The value contains the following fields. fields:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Reserved    |                 Hardware  Version ...         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     HW Ver    |                 Software  Version ...         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     SW Ver    |            Stations           |     Limit     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Limit     |            Radios             |   Max Radio   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Max Radio   |    Security   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Type:   6 for AC Descriptor

   Length:   17

   Reserved:   MUST be set to zero

   Hardware Version:   A 32-bit integer representing the AC's hardware
      version number number.

   Software Version:   A 32-bit integer representing the AC's Firmware
      version number number.

   Stations:   A 16-bit integer representing the number of mobile
      stations currently associated with the AC AC.

   Limit:   A 16-bit integer representing the maximum number of stations
      supported by the AC AC.

   Radios:   A 16-bit integer representing the number of WTPs currently
      attached to the AC AC.

   Max Radio:   A 16-bit integer representing the maximum number of WTPs
      supported by the AC AC.

   Security:   A 8 bit bit mask   An 8-bit bitmask specifying the security schemes
      supported by the AC.  The following values are supported (see
      Section 10):

      1 -  X.509 Certificate Based Certificate-Based

      2 -  Pre-Shared Secret

5.2.3.  AC Name

   The AC name Name message element contains an ASCII representation of the
   AC's identity.  The value is a variable length variable-length byte string.  The
   string is NOT zero terminated.

       0
       0 1 2 3 4 5 6 7
      +-+-+-+-+-+-+-+-+
      | Name ...
      +-+-+-+-+-+-+-+-+

   Type:   31 for AC Name

   Length:   > 0
   Name:   A variable length variable-length ASCII string containing the AC's name name.

5.2.4.  WTP Manager Control IPv4 Address

   The WTP Manager Control IPv4 Address message element is sent by the
   AC to the WTP during the discovery process and is used by the AC to
   provide the interfaces available on the AC, and their current load.
   This message element is useful for the WTP to perform load balancing
   across multiple interfaces.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           IP Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |           WTP Count           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   99 for WTP Manager Control IPv4 Address

   Length:   6

   IP Address:   The IP Address address of an interface.

   WTP Count:   The number of WTPs currently connected to the interface.

5.2.5.  WTP Manager Control IPv6 Address

   The WTP Manager Control IPv6 Address message element is sent by the
   AC to the WTP during the discovery process and is used by the AC to
   provide the interfaces available on the AC, and their current load.
   This message element is useful for the WTP to perform load balancing
   across multiple interfaces.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           IP Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           IP Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           IP Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           IP Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |           WTP Count           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Type:   137 for WTP Manager Control IPv6 Address

   Length:   6

   IP Address:   The IP Address address of an interface.

   WTP Count:   The number of WTPs currently connected to the interface.

5.3.  Primary Discovery Request

   The Primary Discovery Request is sent by the WTP in order to
   determine whether its preferred (or primary) AC is available.

   Primary Discovery Request Requests are sent by an a WTP when it has a primary AC
   configured, and is connected to another AC.  This generally occurs as
   a result of a failover, and is used by the WTP as a means to discover
   when its primary AC becomes available.  As a consequence, this
   message is only sent by a WTP when it is in the Run state.

   The frequency of the Primary Discovery Requests should be no more
   often than the sending of the Echo Request message.

   Upon receiving a discovery request, Discovery Request, the AC will respond with a
   Primary Discovery Response sent to the address in the source address
   of the received Primary Discovery Request.

   The following subsections define the message elements that MUST be
   included in this LWAPP operation.

5.3.1.  Discovery Type

   The Discovery Type message element is defined in section Section 5.1.1.

5.3.2.  WTP Descriptor

   The WTP Descriptor message element is defined in section Section 5.1.2.

5.3.3.  WTP Radio Information

   An

   A WTP Radio Information message element must be present for every
   radio in the WTP.  This message element is defined in section Section 5.1.3.

5.4.  Primary Discovery Response

   The Primary Discovery Response is a mechanism by which an AC
   advertises its availability and services to requesting WTPs that are
   configured to have the AC as its primary AC.

   Primary Discovery Responses are sent by an AC after receiving a
   Primary Discovery Request.

   When an a WTP receives a Primary Discovery Response, it may opt to
   establish an LWAPP connection to its primary AC, based on the
   configuration of the WTP Fallback Status message element on the WTP.

   The following subsections define the message elements that MUST be
   included in this LWAPP operation.

5.4.1.  AC Descriptor

   The Discovery Type message element is defined in section Section 5.2.2.

5.4.2.  AC Name

   The AC Name message element is defined in section Section 5.2.3.

5.4.3.  WTP Manager Control IPv4 Address

   An

   A WTP Radio Information message element MAY be present for every
   radio in the WTP which are that is reachable via IPv4.  This message element is
   defined in section Section 5.2.4.

5.4.4.  WTP Manager Control IPv6 Address

   An

   A WTP Radio Information message element must be present for every
   radio in the WTP which are that is reachable via IPv6.  This message element is
   defined in section Section 5.2.5.

6.  Control Channel Management

   The Control Channel Management messages are used by the WTP and AC to
   create and maintain a channel of communication on which various other
   commands may be transmitted, such as configuration, firmware update,
   etc.

6.1.  Join Request

   The Join Request is used by an a WTP to inform an AC that it wishes to
   provide services through it.

   Join Requests are sent by an a WTP in the Joining state after receiving
   one or more Discovery Responses.  The Join Request is also used as an
   MTU discovery mechanism by the WTP.  The WTP issues a Join Request
   with a Test message element, bringing the total size of the message
   to exceed MTU.

   If the transport used does not provide MTU path discovery, the
   initial Join Request is padded with the Test message element to 1596
   bytes.  If a Join Response is received, the WTP can forward frames
   without requiring any fragmentation.  If no Join Response is
   received, it issues a second Join Request padded with the Test
   payload to a total of 1500 bytes.  The WTP continues to cycle from
   large (1596) to small (1500) packets until a Join Response has been
   received ,
   received, or until both packets packets' sizes have been retransmitted 3
   times .
   times.  If the Join Response is not received after the maximum number
   of retransmissions, the WTP MUST abandon the AC and restart the
   discovery phase.

   When an AC receives a Join Request Request, it will respond with a Join
   Response.  If the certificate based certificate-based security mechanism is used, the
   AC validates the certificate found in the request.  If valid, the AC
   generates a session key which that will be used to secure the control
   frames it exchanges with the WTP.  When the AC issues the Join
   Response, the AC creates a context for the session with the WTP.

   If the pre-shared session key security mechanism is used, the AC
   saves the WTP's nonce, found in the WNonce message element, and
   creates its own nonce nonce, which it includes in the ANonce message
   element.  Finally, the AC creates the PSK-MIC, which is computed
   using a key that is derived from the PSK.

   A Join Request that includes both a WNonce and a Certificate message
   element MUST be considered invalid.

   Details on the key generation is are found in Section 10.

   The following subsections define the message elements that MUST be
   included in this LWAPP operation.

6.1.1.  WTP Descriptor

   The WTP Descriptor message element is defined in section Section 5.1.2.

6.1.2.  AC Address

   The AC Address message element is defined in section Section 5.2.1.

6.1.3.  WTP Name

   The WTP name Name message element value is a variable length variable-length byte string.
   The string is NOT zero terminated.

       0
       0 1 2 3 4 5 6 7
      +-+-+-+-+-+-+-+-+
      | Name ...
      +-+-+-+-+-+-+-+-+

   Type:   5 for WTP Name

   Length:   > 0

   Name:   A non zero terminated non-zero-terminated string containing the WTP's name.

6.1.4.  Location Data

   The location data Location Data message element is a variable length variable-length byte string
   containing user defined user-defined location information (e.g. (e.g., "Next to
   Fridge").  The string is NOT zero terminated.

       0
       0 1 2 3 4 5 6 7
      +-+-+-+-+-+-+-+-+
      | Location ...
      +-+-+-+-+-+-+-+-+

   Type:   35 for Location Data

   Length:   > 0

   Location:   A non zero terminated non-zero-terminated string containing the WTP's
      location.

6.1.5.  WTP Radio Information

   An

   A WTP Radio Information message element must be present for every
   radio in the WTP.  This message element is defined in section Section 5.1.3.

6.1.6.  Certificate

   The certificate Certificate message element value is a byte string containing a
   DER-encoded x.509v3 certificate.  This message element is only
   included if the LWAPP security type used between the WTP and the AC
   makes use of certificates (see Section 10 for more information).

       0
       0 1 2 3 4 5 6 7
      +-+-+-+-+-+-+-+-+
      | Certificate...
      +-+-+-+-+-+-+-+-+
   Type:   44 for Certificate

   Length:   > 0

   Certificate:   A non zero terminated non-zero-terminated string containing the device's
      certificate.

6.1.7.  Session ID

   The session Session ID message element value contains a randomly generated
   [4] unsigned 32-bit integer.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Session ID                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   45 for Session ID

   Length:   4

   Session ID:   32 bit   32-bit random session identifier.

6.1.8.  Test

   The test Test message element is used as padding to perform MTU discovery,
   and it MAY contain any value, of any length.

       0
       0 1 2 3 4 5 6 7
      +-+-+-+-+-+-+-+-+
      |  Padding ...
      +-+-+-+-+-+-+-+-+

   Type:   18 for Test

   Length:   > 0

   Padding:   A variable length variable-length pad.

6.1.9.  XNonce

   The XNonce is used by the WTP to communicate its random nonce during
   the join or rekey phase.  See Section 10 for more information.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Nonce                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Nonce                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Nonce                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Nonce                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   111 for XNonce

   Length:   16

   Nonce:   1 16 octet 16-octet random nonce.

6.2.  Join Response

   The Join Response is sent by the AC to indicate to an a WTP whether it
   is capable and willing to provide service to it.

   Join Responses are sent by the AC after receiving a Join Request.
   Once the Join Response has been sent, the heartbeat Heartbeat timer is
   initiated for the session to EchoInterval.  Expiration of the timer
   will result in deletion of the AC-WTP session.  The timer is
   refreshed upon receipt of the Echo Request.

   If the security method used is certificate based, certificate-based, when a WTP receives
   a Join Response Response, it enters the Joined state and initiates either a
   Configure Request or Image Data to the AC to which it is now joined.
   Upon entering the Joined state, the WTP begins timing an interval
   equal to NeighborDeadInterval.  Expiration of the timer will result
   in the transmission of the Echo Request.

   If the security method used is pre-shared secret based, pre-shared-secret-based, when a WTP
   receives a Join Response that includes a valid PSK-MIC message
   element, it responds with a Join ACK that also MUST include a locally
   computed PSK-MIC message element.

   The following subsections define the message elements that MUST be
   included in this LWAPP operation.

6.2.1.  Result Code

   The Result Code message element value is a 32-bit integer value,
   indicating the result of the request operation corresponding to the
   sequence number in the message.  The Result Code is included in a
   successful Join Response.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Result Code                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   2 for Result Code

   Length:   4

   Result Code:   The following values are defined:

      0  Success

      1  Failure (AC List message element MUST be present)

6.2.2.  Status

   The Status message element is sent by the AC to the WTP in a non-
   successful Join Response message.  This message element is used to
   indicate the reason for the failure and should only be accompanied
   with a Result Code message element that indicates a failure.

       0
       0 1 2 3 4 5 6 7
      +-+-+-+-+-+-+-+-+
      |    Status     |
      +-+-+-+-+-+-+-+-+

   Type:   60 for Status

   Length:   1

   Status:   The status Status field indicates the reason for an LWAPP failure.
      The following values are supported:

      1 -  Reserved - do not use

      2 -  Resource Depletion

      3 -  Unknown Source

      4 -  Incorrect Data

6.2.3.  Certificate

   The Certificate message element is defined in section Section 6.1.6.  Note
   this message element is only included if the WTP and the AC make use
   of certificate based certificate-based security as defined in section Section 10.

6.2.4.  WTP Manager Data IPv4 Address

   The WTP Manager Data IPv4 Address message element is optionally sent
   by the AC to the WTP during the join phase.  If present, the IP
   Address contained in this message element is the address the WTP is
   to use when sending any of its LWAPP data frames.

   Note that this message element is only valid when LWAPP uses the
   IP/UDP
   layer Layer 3 transport transport.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           IP Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   138 for WTP Manager Data IPv4 Address

   Length:   4

   IP Address:   The IP Address address of an interface.

6.2.5.  WTP Manager Data IPv6 Address

   The WTP Manager Data IPv6 Address message element is optionally sent
   by the AC to the WTP during the join phase.  If present, the IP
   Address contained in this message element is the address the WTP is
   to use when sending any of its LWAPP data frames.

   Note that this message element is only valid when LWAPP uses the
   IP/UDP
   layer Layer 3 transport transport.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           IP Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           IP Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           IP Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           IP Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   139 for WTP Manager Data IPv6 Address

   Length:   4

   IP Address:   The IP Address address of an interface.

6.2.6.  AC IPv4 List

   The AC List message element is used to configure an a WTP with the
   latest list of ACs in a cluster.  This message element MUST be
   included if the Join Response returns a failure indicating that the
   AC cannot handle the WTP at this time, allowing the WTP to find an
   alternate AC to connect to. which to connect.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       AC IP Address[]                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   59 for AC List

   Length:   >= 4

   AC IP Address:   An array of 32-bit integers containing an AC's IPv4
      Address.

6.2.7.  AC IPv6 List

   The AC List message element is used to configure an a WTP with the
   latest list of ACs in a cluster.  This message element MUST be
   included if the Join Response returns a failure indicating that the
   AC cannot handle the WTP at this time, allowing the WTP to find an
   alternate AC to connect to. which to connect.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       AC IP Address[]                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       AC IP Address[]                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       AC IP Address[]                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       AC IP Address[]                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   141 for AC List

   Length:   >= 4

   AC IP Address:   An array of 32-bit integers containing an AC's IPv6
      Address.

6.2.8.  ANonce

   The ANonce message element is sent by a an AC during the join or rekey
   phase.  The contents of the ANonce are encrypted as described in
   section
   Section 10 for more information.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Nonce                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Nonce                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Nonce                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Nonce                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   108 for ANonce

   Length:   16

   Nonce:   An encrypted 16 octet encrypted, 16-octet random nonce.

6.2.9.  PSK-MIC

   The PSK-MIC message element includes a message integrity check, whose
   purpose is to provide confirmation to the peer that the sender has
   the proper session key.  This message element is only included if the
   security method used between the WTP and the AC is the pre-shared
   secret mechanism.  See Section 10 for more information.

   When present, the PSK-MIC message element MUST be the last message
   element in the message.  The MIC is computed over the complete LWAPP
   packet, from the LWAPP control header as defined in Section 4.2.1 to
   the end of the packet (which MUST be this PSK-MIC message element).
   The MIC field in this message element and the sequence number Sequence Number field
   in the LWAPP control header MUST be set to zeroes prior to computing
   the MIC.  The length field in the LWAPP control header must already
   include this message element prior to computing the MIC.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |       SPI       |                    MIC ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   109 for PSK-MIC

   Length:   > 1

   SPI:   The SPI Security Parameter Index (SPI) field specifies the
      cryptographic algorithm used to create the message integrity
      check.  The following values are supported:

      0 -  Unused

      1 -  HMAC-SHA-1 (RFC 2104 [16]) [15])

   MIC:   A 20 octet 20-octet Message Integrity Check.

6.3.  Join ACK

   The Join ACK message is sent by the WTP upon receiving a Join
   Response, which has a valid PSK-MIC message element, as a means of
   providing key confirmation to the AC.  The Join ACK is only used in
   the case where the WTP makes use of the pre-shared key LWAPP mode
   (See
   (see Section 10 for more information).

   Note that the AC should never receive this message unless the
   security method used between the WTP and the AC is pre-shared secret
   based. pre-shared-
   secret-based.

   The following subsections define the message elements that MUST be
   included in this LWAPP operation.

6.3.1.  Session ID

   The Session ID message element is defined in section Section 6.1.7.

6.3.2.  WNonce

   The WNonce message element is sent by a WTP during the join or rekey
   phase.  The contents of the ANonce are encrypted as described in
   section
   Section 10 for more information.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Nonce                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Nonce                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Nonce                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Nonce                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   107 for WNonce

   Length:   16

   Nonce:   An encrypted 16 octet encrypted, 16-octet random nonce.

6.3.3.  PSK-MIC

   The PSK-MIC message element is defined in section Section 6.2.9.

6.4.  Join Confirm

   The Join Confirm message is sent by the AC upon receiving a Join ACK,
   which has a valid PSK-MIC message element, as a means of providing
   key confirmation to the WTP.  The Join Confirm is only used in the
   case where the WTP makes use of the pre-shared key LWAPP mode (See (see
   Section 10 for more information).

   If the security method used is pre-shared key based, pre-shared-key-based, when an a WTP
   receives a Join Confirm Confirm, it enters the Joined state and initiates
   either a Configure Request or Image Data to the AC to which it is now
   joined.  Upon entering the Joined state, the WTP begins timing an
   interval equal to NeighborDeadInterval.  Expiration of the timer will
   result in the transmission of the Echo Request.

   This message is never received, or sent, when the security type used
   between the WTP and the AC is certificated based. certificated-based.

   The following subsections define the message elements that MUST be
   included in this LWAPP operation.

6.4.1.  Session ID

   The Session ID message element is defined in section Section 6.1.7.

6.4.2.  PSK-MIC

   The PSK-MIC message element is defined in section Section 6.2.9.

6.5.  Echo Request

   The Echo Request message is a keepalive mechanism for the LWAPP
   control message.

   Echo Requests are sent periodically by an a WTP in the Run state (see
   Figure 2) to determine the state of the connection between the WTP
   and the AC.  The Echo Request is sent by the WTP when the Heartbeat
   timer expires, and it MUST start its NeighborDeadInterval timer.

   The Echo Request carries no message elements.

   When an AC receives an Echo Request Request, it responds with an Echo
   Response.

6.6.  Echo Response

   The Echo Response acknowledges the Echo Request, and are is only accepted
   while in the Run state (see Figure 2).

   Echo Responses are sent by an AC after receiving an Echo Request.
   After transmitting the Echo Response, the AC should reset its
   Heartbeat timer to expire in the value configured for EchoInterval.
   If another Echo request is not received by the AC when the timer
   expires, the AC SHOULD consider the WTP to no longer be reachable.

   The Echo Response carries no message elements.

   When an a WTP receives an Echo Response it stops the
   NeighborDeadInterval timer, and starts the Heartbeat timer to
   EchoInterval.

   If the NeighborDeadInterval timer expires prior to receiving an Echo
   Response, the WTP enters the Idle state.

6.7.  Key Update Request

   The Key Update Request is used by the WTP to initiate the rekeying
   phase.  This message is sent by a WTP when in the Run state and MUST
   include a new unique Session Identifier.  This message MUST also
   include a unique Nonce nonce in the XNonce message element, which is used
   to protect against replay attacks (see Section 10).

   The following subsections define the message elements that MUST be
   included in this LWAPP operation.

6.7.1.  Session ID

   The Session ID message element is defined in section Section 6.1.7.

6.7.2.  XNonce

   The XNonce message element is defined in section Section 6.1.9.

6.8.  Key Update Response

   The Key Update Response is sent by the AC in response to the request
   message, and includes an encrypted ANonce, which is used to derive
   new session keys.  This message MUST include a Session Identifier
   message element, whose value MUST be identical to the one found in
   the Key Update Request.

   The AC MUST include a PSK-MIC message element, which provides message
   integrity over the whole message.

   The following subsections define the message elements that MUST be
   included in this LWAPP operation.

6.8.1.  Session ID

   The Session ID message element is defined in section Section 6.1.7.

6.8.2.  ANonce

   The ANonce message element is defined in section Section 6.2.8.

6.8.3.  PSK-MIC

   The PSK-MIC message element is defined in section Section 6.2.9.

6.9.  Key Update ACK

   The Key Update ACK is sent by the WTP and includes an encryption encrypted
   version of the WTP's Nonce, nonce, which is used in the key derivation
   process.  The session keys derived are then used as new LWAPP control
   message encryption keys (see Section 10).

   The WTP MUST include a PSK-MIC message element, which provides
   message integrity over the whole message.

   The following subsections define the message elements that MUST be
   included in this LWAPP operation.

6.9.1.  WNonce

   The WNonce message element is defined in section Section 6.3.2.

6.9.2.  PSK-MIC

   The PSK-MIC message element is defined in section Section 6.2.9.

6.10.  Key Update Confirm

   The Key Update Confirm closes the rekeying loop, and allows the WTP
   to recognize that the AC has received and processed the key update Key Update
   messages.  At this point, the WTP updates its session key in its
   crypto engine, and the associated Initialization Vector, ensuring
   that all future LWAPP control frames are encrypted with the newly
   derived encryption key.

   The WTP MUST include a PSK-MIC message element, which provides
   message integrity over the whole message.

   The following subsections define the message elements that MUST be
   included in this LWAPP operation.

6.10.1.  PSK-MIC

   The PSK-MIC message element is defined in section Section 6.2.9.

6.11.  Key Update Trigger

   The Key Update Trigger is used by the AC to request that a Key Update
   Request be initiated by the WTP.

   Key Update Trigger Triggers are sent by an AC in the Run state to inform the
   WTP to initiate a Key Update Request message.

   When a WTP receives a Key Update Trigger Trigger, it generates a key Key Update
   Request.

   The following subsections define the message elements that MUST be
   included in this LWAPP operation.

6.11.1.  Session ID

   The Session ID message element is defined in section Section 6.1.7.

7.  WTP Configuration Management

   The Wireless Termination Point Configuration messages are used to
   exchange configuration between the AC and the WTP.

7.1.  Configuration Consistency

   The LWAPP protocol provides flexibility in how WTP configuration is
   managed.  To put it simply, a WTP has one of two options:

   1. The WTP retain retains no configuration and simply abides by the
      configuration provided by the AC.

   2. The WTP retain retains the configuration of parameters provided by the AC
      that are non-default values.

   If the WTP opts to save configuration locally, the LWAPP protocol
   state machine defines the "configure" "Configure" state, which is used during the
   initial binding WTP-AC phase, which allows for configuration
   exchange.  During this period, the WTP sends its current
   configuration overrides to the AC via the COnfigure Configure Request message.
   A configuration override is a parameter that is non-default.  One
   example is that in the LWAPP protocol protocol, the default antenna
   configuration is internal omni an internal-omni antenna.  However, a WTP that
   either has no internal antennas, or has been explicitely configured
   by the AC to use external antennas, antennas would send its antenna
   configuration during the configure phase, allowing the AC to become
   aware of the WTP's current configuration.

   Once the WTP has provided its configuration to the AC, the AC sends
   down its own configuration.  This allows the WTP to inherit the
   configuration and policies on the AC.

   An LWAPP AC maintains a copy of each active WTP's configuration.
   There is no need for versioning or other means to identify
   configuration changes.  If a WTP becomes inactive, the AC MAY delete
   the configuration associated with it.  If a WTP were to fail, and
   connect to a new AC, it would provide its overriden configuration
   parameters, allowing the new AC to be aware of the WTP's
   configuration.

   As a consequence, this model allows for relisiency, resiliency, whereby in light
   of an AC failure, another AC could provide service to the WTP.  In
   this scenario, the new AC would be automatically updated on any
   possible WTP configuration changes - -- eliminating the need for
   inter-AC
   Inter-AC communication or the need for all ACs to be aware of the
   configuration of all WTPs in the network.

   Once the LWAPP protocol enters the Run state, the WTPs begin to
   provide service.  However, it is quite common for administrators to
   require that configuration changes be made while the network is
   operational.  Therefore, the Configuration Update Request is sent by
   the AC to the WTP in order to make these changes at run-time.

7.2.  Configure Request

   The Configure Request message is sent by an a WTP to send its current
   configuration to its AC.

   Configure Requests are sent by an a WTP after receiving a Join Response,
   while in the Configure state.

   The Configure Request carries binding specific binding-specific message elements.
   Refer to the appropriate binding for the definition of this
   structure.

   When an AC receives a Configure Request Request, it will act upon the content
   of the packet and respond to the WTP with a Configure Response.

   The Configure Request includes multiple Administrative State message
   Elements.
   elements.  There is one such message element for the WTP, and then
   one per radio in the WTP.

   The following subsections define the message elements that MUST be
   included in this LWAPP operation.

7.2.1.  Administrative State

   The administrative event Administrative Event message element is used to communicate the
   state of a particular radio.  The value contains the following
   fields.

       0                   1
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |  Admin State  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   27 for Administrative State

   Length:   2

   Radio ID:   An 8-bit value representing the radio to configure.  The
      Radio ID field may also include the value of 0xff, which is used
      to identify the WTP itself.  Therefore, if an AC wishes to change
      the administrative state of an a WTP, it would include 0xff in the
      Radio ID field.

   Admin State:   An 8-bit value representing the administrative state
      of the radio.  The following values are supported:

      1 -  Enabled

      2 -  Disabled

7.2.2.  AC Name

   The AC Name message element is defined in section Section 5.2.3.

7.2.3.  AC Name with Index

   The AC Name with Index message element is sent by the AC to the WTP
   to configure preferred ACs.  The number of instances where this
   message element would be present is equal to the number of ACs
   configured on the WTP.

       0                   1
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Index     |   AC Name...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   90 for AC Name with Index

   Length:   5

   Index:   The index of the preferred server (e.g., 1=primary,
      2=secondary).

   AC Name:   A variable length variable-length ASCII string containing the AC's name.

7.2.4.  WTP Board Data

   The WTP Board Data message element is sent by the WTP to the AC and
   contains information about the hardware present.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |            Card ID            |         Card Revision         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          WTP Model                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          WTP Model                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      WTP Serial Number ...                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Reserved                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                     Ethernet MAC Address                      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      Ethernet MAC Address     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   50 for WTP Board Data

   Length:   26

   Card ID:   A hardware identifier.

   Card Revision:   4 byte   4-byte Revision of the card.

   WTP Model:   8 byte   8-byte WTP Model Number.

   WTP Serial Number:   24 byte   24-byte WTP Serial Number.

   Reserved:   A 4 byte 4-byte reserved field that MUST be set to zero (0).

   Ethernet MAC Address:   MAC Address address of the WTP's Ethernet interface.

7.2.5.  Statistics Timer

   The statistics timer Statistics Timer message element value is used by the AC to
   inform the WTP of the frequency which that it expects to receive updated
   statistics.

       0                   1
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |        Statistics Timer       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   37 for Statistics Timer

   Length:   2

   Statistics Timer:   A 16-bit unsigned integer indicating the time, in
      seconds
      seconds.

7.2.6.  WTP Static IP Address Information

   The WTP Static IP Address Information message element is used by an
   AC to configure or clear a previously configured static IP address on
   an
   a WTP.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          IP Address                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            Netmask                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            Gateway                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Static     |
      +-+-+-+-+-+-+-+-+

   Type:   82 for WTP Static IP Address Information

   Length:   13

   IP Address:   The IP Address address to assign to the WTP.

   Netmask:   The IP Netmask.

   Gateway:   The IP address of the gateway.

   Netmask:   The IP Netmask.

   Static:   An 8-bit boolean Boolean stating whether or not the WTP should use
      a static IP address or not. address.  A value of zero disables the static IP
      address, while a value of one enables it.

7.2.7.  WTP Reboot Statistics

   The WTP Reboot Statistics message element is sent by the WTP to the
   AC to communicate information about reasons why reboots have
   occurred.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          Crash Count          |     LWAPP Initiated Count     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      Link Failure Count       | Failure Type  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   67 for WTP Reboot Statistics

   Length:   7

   Crash Count:   The number of reboots that have occurred due to an a WTP
      crash.

   LWAPP Initiated Count:   The number of reboots that have occured occurred at
      the request of some LWAPP message, such as a change in
      configuration that required a reboot or an explicit LWAPP reset
      request.

   Link Failure Count:   The number of times that an LWAPP connection
      with an AC has failed.

   Failure Type:   The last WTP failure.  The following values are
      supported:

      0 -  Link Failure

      1 -  LWAPP Initiated

      2 -  WTP Crash

7.3.  Configure Response

   The Configure Response message is sent by an AC and provides an
   opportunity for the AC to override an a WTP's requested configuration.

   Configure Responses are sent by an AC after receiving a Configure
   Request.

   The Configure Response carries binding specific binding-specific message elements.
   Refer to the appropriate binding for the definition of this
   structure.

   When an a WTP receives a Configure Response Response, it acts upon the content of
   the packet, as appropriate.  If the Configure Response message
   includes a Change State Event message element that causes a change in
   the operational state of one of the Radio, Radios, the WTP will transmit a
   Change State Event to the AC, AC as an acknowledgement of the change in
   state.

   The following subsections define the message elements that MUST be
   included in this LWAPP operation.

7.3.1.  Decryption Error Report Period

   The Decryption Error Report Period message element value is used by
   the AC to inform the WTP of how frequently it should send decryption
   error report messages.

       0                   1                   2
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Radio ID    |        Report Interval        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   38 for Decryption Error Report Period

   Length:   3

   Radio ID:   The Radio Identifier, Identifier: typically refers to some interface
      index on the WTP WTP.

   Report Interval:   A 16-bit 16-bit, unsigned integer indicating the time, in
      seconds
      seconds.

7.3.2.  Change State Event

   The WTP radios information Radio Information message element is used to communicate the
   operational state of a radio.  The value contains two fields, as
   shown.

       0                   1
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Radio ID    |     State     |     Cause     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Type:   26 for Change State Event

   Length:   3

   Radio ID:   The Radio Identifier, Identifier: typically refers to some interface
      index on the WTP.

   State:   An 8-bit boolean Boolean value representing the state of the radio.
      A value of one disables the radio, while a value of two enables
      it.

   Cause:   In the event of a radio being inoperable, the cause field
      would contain the reason the radio is out the radio, while a value of service. two enables
      it.

   Cause:   In the event of a radio being inoperable, the cause Cause field
      would contain the reason the radio is out of service.  The
      following values are supported:

      0 -  Normal

      1 -  Radio Failure

      2 -  Software Failure

7.3.3.  LWAPP Timers

   The LWAPP Timers message element is used by an AC to configure LWAPP
   timers on an a WTP.

       0                   1
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Discovery   | Echo Request  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   68 for LWAPP Timers

   Length:   2

   Discovery:   The number of seconds between LWAPP Discovery packets, packets
      when the WTP is in the discovery mode.

   Echo Request:   The number of seconds between WTP Echo Request LWAPP
      messages.

7.3.4.  AC IPv4 List

   The AC List message element is defined in section Section 6.2.6.

7.3.5.  AC IPv6 List

   The AC List message element is defined in section Section 6.2.7.

7.3.6.  WTP Fallback

   The WTP Fallback message element is sent by the AC to the WTP to
   enable or disable automatic LWAPP fallback in the event that an a WTP
   detects its preferred AC, and is not currently connected to it.

       0
       0 1 2 3 4 5 6 7
      +-+-+-+-+-+-+-+-+
      |     Mode      |
      +-+-+-+-+-+-+-+-+

   Type:   91 for WTP Fallback

   Length:   1

   Mode:   The 8-bit boolean Boolean value indicates the status of automatic
      LWAPP fallback on the WTP.  A value of zero disables the fallback
      feature, while a value of one enables it.  When enabled, if the
      WTP detects that its primary AC is available, and it is not
      connected to it, it SHOULD automatically disconnect from its
      current AC and reconnect to its primary.  If disabled, the WTP
      will only reconnect to its primary through manual intervention
      (e.g., through the Reset Request command).

7.3.7.  Idle Timeout

   The Idle Timeout message element is sent by the AC to the WTP to
   provide it with the idle timeout that it should enforce on its active
   mobile station entries.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            Timeout                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   97 for Idle Timeout

   Length:   4

   Timeout:   The current idle timeout to be enforced by the WTP.

7.4.  Configuration Update Request

   Configure Update Requests are sent by the AC to provision the WTP
   while in the Run state.  This is used to modify the configuration of
   the WTP while it is operational.

   When an AC receives a Configuration Update Request it will respond
   with a Configuration Update Response, with the appropriate Result
   Code.

   The following subsections define the message elements introduced by
   this LWAPP operation.

7.4.1.  WTP Name

   The WTP Name message element is defined in section Section 6.1.3.

7.4.2.  Change State Event

   The Change State Event message element is defined in section Section 7.3.2.

7.4.3.  Administrative State

   The Administrative State message element is defined in section Section 7.2.1.

7.4.4.  Statistics Timer

   The Statistics Timer message element is defined in section Section 7.2.5.

7.4.5.  Location Data

   The Location Data message element is defined in section Section 6.1.4.

7.4.6.  Decryption Error Report Period

   The Decryption Error Report Period message element is defined in
   section
   Section 7.3.1.

7.4.7.  AC IPv4 List

   The AC List message element is defined in section Section 6.2.6.

7.4.8.  AC IPv6 List

   The AC List message element is defined in section Section 6.2.7.

7.4.9.  Add Blacklist Entry

   The Add Blacklist Entry message element is used by an AC to add a
   blacklist entry on an a WTP, ensuring that the WTP no longer provides
   any service to the MAC addresses provided in the message.  The MAC
   Addresses
   addresses provided in this message element are not expected to be
   saved in non-volative memory on the WTP.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Num of Entries|                 MAC Address[]                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                 MAC Address[]                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   65 for Add Blacklist Entry

   Length:   >= 7

   Num of Entries:   The number of MAC Addresses addresses in the array.

   MAC Address:   An array of MAC Addresses addresses to add to the blacklist
      entry.

7.4.10.  Delete Blacklist Entry

   The Delete Blacklist Entry message element is used by an AC to delete
   a previously added blacklist entry on an a WTP, ensuring that the WTP
   provides service to the MAC addresses provided in the message.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Num of Entries|                 MAC Address[]                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                 MAC Address[]                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   66 for Delete Blacklist Entry

   Length:   >= 7

   Num of Entries:   The number of MAC Addresses addresses in the array.

   MAC Address:   An array of MAC Addresses addresses to delete from the blacklist
      entry.

7.4.11.  Add Static Blacklist Entry

   The Add Static Blacklist Entry message element is used by an AC to
   add a permanent blacklist entry Blacklist Entry on an a WTP, ensuring that the WTP no
   longer provides any service to the MAC addresses provided in the
   message.  The MAC Addresses addresses provided in this message element are
   expected to be saved in non-volative memory on the WTP.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Num of Entries|                 MAC Address[]                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                 MAC Address[]                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   70 for Delete Blacklist Entry

   Length:   >= 7

   Num of Entries:   The number of MAC Addresses addresses in the array.

   MAC Address:   An array of MAC Addresses addresses to add to the permanent
      blacklist entry.

7.4.12.  Delete Static Blacklist Entry

   The Delete Static Blacklist Entry message element is used by an AC to
   delete a previously added static blacklist entry on an a WTP, ensuring
   that the WTP provides service to the MAC addresses provided in the
   message.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Num of Entries|                 MAC Address[]                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                 MAC Address[]                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   71 for Delete Blacklist Entry

   Length:   >= 7

   Num of Entries:   The number of MAC Addresses addresses in the array.

   MAC Address:   An array of MAC Addresses addresses to delete from the static
      blacklist entry.

7.4.13.  LWAPP Timers

   The LWAPP Timers message element is defined in section Section 7.3.3.

7.4.14.  AC Name with Index

   The AC Name with Index message element is defined in section Section 7.2.3.

7.4.15.  WTP Fallback

   The WTP Fallback message element is defined in section Section 7.3.6.

7.4.16.  Idle Timeout

   The Idle Timeout message element is defined in section Section 7.3.7.

7.5.  Configuration Update Response

   The Configuration Update Response is the acknowledgement message for
   the Configuration Update Request.

   Configuration Update Responses are sent by an a WTP after receiving a
   Configuration Update Request.

   When an AC receives a Configure Update Response Response, the result code
   indicates if the WTP successfully accepted the configuration.

   The following subsections define the message elements that must be
   present in this LWAPP operation.

7.5.1.  Result Code

   The Result Code message element is defined in section Section 6.2.1.

7.6.  Change State Event Request

   The Change State Event is used by the WTP to inform the AC of a
   change in the operational state.

   The Change State Event message is sent by the WTP when it receives a
   Configuration Response that includes a Change State Event message
   element.  It is also sent in the event that the WTP detects an
   operational failure with a radio.  The Change State Event may be sent
   in either the Configure or Run state (see Figure 2. 2).

   When an AC receives a Change State Event it will respond with a
   Change State Event Response and make any necessary modifications to
   internal WTP data structures.

   The following subsections define the message elements that must be
   present in this LWAPP operation.

7.6.1.  Change State Event

   The Change State Event message element is defined in section Section 7.3.2.

7.7.  Change State Event Response

   The Change State Event Response acknowledges the Change State Event.

   Change State Event Response Responses are sent by an a WTP after receiving a
   Change State Event.

   The Change State Event Response carries no message elements.  Its
   purpose is to acknowledge the receipt of the Change State Event.

   The WTP does not need to perform any special processing of the Change
   State Event Response message.

7.8.  Clear Config Indication

   The Clear Config Indication is used to reset an a WTP's configuration.

   The Clear Config Indication is sent by an AC to request that an a WTP
   reset its configuration to manufacturing defaults.  The Clear Config
   Indication message is sent while in the Run LWAPP state.

   The Reset Request carries no message elements.

   When an a WTP receives a Clear Config Indication Indication, it will reset its
   configuration to manufacturing defaults.

8.  Device Management Operations

   This section defines LWAPP operations responsible for debugging,
   gathering statistics, logging, and firmware management.

8.1.  Image Data Request

   The Image Data Request is used to update firmware on the WTP.  This
   message and its companion response are used by the AC to ensure that
   the image being run on each WTP is appropriate.

   Image Data Requests are exchanged between the WTP and the AC to
   download a new program image to an a WTP.

   When an a WTP or AC receives an Image Data Request Request, it will respond with
   a
   an Image Data Response.

   The format of the Image Data and Image Download message elements are
   described in the following subsections.

8.1.1.  Image Download

   The image download Image Download message element is sent by the WTP to the AC and
   contains the image filename.  The value is a variable length variable-length byte
   string.  The string is NOT zero terminated.

8.1.2.  Image Data

   The image data Image Data message element is present when sent by the AC and
   contains the following fields.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Opcode    |           Checksum            |  Image Data   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          Image Data ...                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   33 for Image Data

   Length:   >= 5

   Opcode:   An 8-bit value representing the transfer opcode.  The
      following values are supported:

      3 -  Image data Data is included included.

      5 -  An error occurred.  Transfer is aborted aborted.

   Checksum:   A 16-bit value containing a checksum of the image data Image Data
      that follows follows.

   Image Data:   The Image Data field contains 1024 characters, unless
      the payload being sent is the last one (end of file) file).

8.2.  Image Data Response

   The Image Data Response acknowledges the Image Data Request.

   An Image Data Responses is sent in response to an Image Data Request.
   Its purpose is to acknowledge the receipt of the Image Data Request
   packet.

   The Image Data Response carries no message elements.

   No action is necessary on receipt.

8.3.  Reset Request

   The Reset Request is used to cause an a WTP to reboot.

   Reset Requests are sent by an AC to cause an a WTP to reinitialize its
   operation.

   The Reset Request carries no message elements.

   When an a WTP receives a Reset Request it will respond with a Reset
   Response and then reinitialize itself.

8.4.  Reset Response

   The Reset Response acknowledges the Reset Request.

   Reset Responses are sent by an a WTP after receiving a Reset Request.

   The Reset Response carries no message elements.  Its purpose is to
   acknowledge the receipt of the Reset Request.

   When an AC receives a Reset Response Response, it is notified that the WTP
   will now reinitialize its operation.

8.5.  WTP Event Request

   The WTP Event Request is used by an a WTP to send an information to its AC.
   These types of events may be periodical, or some asynchronous event
   on the WTP.  For instance, an a WTP collects statistics and uses the WTP
   Event Request to transmit this information to the AC.

   When an AC receives a WTP Event Request Request, it will respond with a WTP
   Event Request.

   The WTP Event Request message MUST contain one of the following
   message element described in the next subsections, or a message
   element that is defined for a specific technology.

8.5.1.  Decryption Error Report

   The Decryption Error Report message element value is used by the WTP
   to inform the AC of decryption errors that have occured occurred since the
   last report.

       0                   1                   2
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Radio ID    |Num Of Entries |      Mobile MAC Address       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Mobile MAC Address[]                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   39 for Decryption Error Report

   Length:   >= 8

   Radio ID:   The Radio Identifier, typically refers to some interface
      index on the WTP WTP.

   Num Of Entries:   An 8-bit unsigned integer indicating the number of
      mobile MAC addresses.

   Mobile MAC Address:   An array of mobile station MAC addresses that
      have caused decryption errors.

8.5.2.  Duplicate IPv4 Address

   The Duplicate IPv4 Address message element is used by an a WTP to inform
   an AC that it has detected another host using the same IP address it
   is currently using.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          IP Address                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          MAC Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          MAC Address          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   77 for Duplicate IPv4 Address
   Length:   10

   IP Address:   The IP Address address currently used by the WTP.

   MAC Address:   The MAC Address address of the offending device.

8.5.3.  Duplicate IPv6 Address

   The Duplicate IPv6 Address message element is used by an a WTP to inform
   an AC that it has detected another host using the same IP address it
   is currently using.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          IP Address                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          IP Address                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          IP Address                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          IP Address                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          MAC Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          MAC Address          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   77 for Duplicate IPv6 Address

   Length:   10

   IP Address:   The IP Address address currently used by the WTP.

   MAC Address:   The MAC Address address of the offending device.

8.6.  WTP Event Response

   The WTP Event Response acknowledges the WTP Event Request.

   WTP Event Response Responses are sent by an AC after receiving a WTP Event
   Request.

   The WTP Event Response carries no message elements.

8.7.  Data Transfer Request

   The Data Transfer Request is used to upload debug information from
   the WTP to the AC.

   Data Transfer Requests are sent by the WTP to the AC when it
   determines that it has important information to send to the AC.  For
   instance, if the WTP detects that its previous reboot was caused by a
   system crash, it would want to send the crash file to the AC.  The
   remote debugger function in the WTP also uses the data transfer
   request Data Transfer
   Request in order to send console output to the AC for debugging
   purposes.

   When an AC receives an a Data Transfer Request Request, it will respond with a
   Data Transfer Response.  The AC may log the information received, received as
   it sees fit.

   The data transfer request Data Transfer Request message MUST contain ONE of the following
   message element described in the next subsection.

8.7.1.  Data Transfer Mode

   The Data Transfer Mode message element is used by the AC to request
   information from the WTP for debugging purposes.

       0
       0 1 2 3 4 5 6 7
      +-+-+-+-+-+-+-+-+
      |   Data  Type   |
      +-+-+-+-+-+-+-+-+

   Type:   52 for Data Transfer Mode

   Length:   1

   Data Type:   An 8-bit value describing the type of information being
      requested.  The following values are supported:

      1 -  WTP Crash Data

      2 -  WTP Memory Dump

8.7.2.  Data Transfer Data

   The Data Transfer Data message element is used by the WTP to provide
   information to the AC for debugging purposes.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Data Type   |  Data Length  |    Data ....
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   53 for Data Transfer Data

   Length:   >= 3

   Data Type:   An 8-bit value describing the type of information being
      sent.  The following values are supported:

      1 -  WTP Crash Data

      2 -  WTP Memory Dump

   Data Length:   Length of data field.

   Data:   Debug information.

8.8.  Data Transfer Response

   The Data Transfer Response acknowledges the Data Transfer Request.

   An

   A Data Transfer Response is sent in response to an a Data Transfer
   Request.  Its purpose is to acknowledge the receipt of the Data
   Transfer Request packet.

   The Data Transfer Response carries no message elements.

   Upon receipt of a Data Transfer Response, the WTP transmits more
   information, if any is available.

9.  Mobile Session Management

   Messages in this section are used by the AC to create, modify modify, or
   delete mobile station session state on the WTPs.

9.1.  Mobile Config Request

   The Mobile Config Request message is used to create, modify modify, or
   delete mobile session state on an a WTP.  The message is sent by the AC
   to the WTP, and may contain one or more message elements.  The
   message elements for this LWAPP control message include information
   that is generally highly technology specific. technology-specific.  Therefore, please
   refer to the appropriate binding section or document for the
   definitions of the messages elements that may be used in this control
   message.

   This section defines the format of the Delete Mobile message element,
   since it does not contain any technology specific technology-specific information.

9.1.1.  Delete Mobile

   The Delete Mobile message element is used by the AC to inform an a WTP
   that it should no longer provide service to a particular mobile
   station.  The WTP must terminate service immediately upon receiving
   this message element.

   The transmission of a Delete Mobile message element could occur for
   various reasons, including for administrative reaons, as a result of the
   fact that the mobile has roamed to another WTP, etc.

   Once access has been terminated for a given station, any future
   packets received from the mobile must result in a deauthenticate
   message, as specified in [6].

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |                  MAC Address                  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                  MAC Address                  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   30 for Delete Mobile

   Length:   7

   Radio ID:   An 8-bit value representing the radio

   MAC Address:   The mobile station's MAC Address address

9.2.  Mobile Config Response

   The Mobile Configuration Response is used to acknowledge a previously
   received Mobile Configuration Request, and includes a Result Code
   message element which that indicates whether an error occured occurred on the WTP.

   This message requires no special processing, processing and is only used to
   acknowledge the Mobile Configuration Request.

   The data transfer request Data Transfer Request message MUST contain the message elements
   described in the next subsection.

9.2.1.  Result Code

   The Result Code message element is defined in section Section 6.2.1.

10.  LWAPP Security

   Note: This version only defines a certificate and a shared secret shared-secret-
   based mechanism to secure control LWAPP traffic exchanged between the
   WTP and the AC.

10.1.  Securing WTP-AC communications Communications

   While it is generally straightforward to produce network
   installations in which the communications medium between the WTP and
   AC is not accessible to the casual user (e.g. (e.g., these LAN segments are
   isolated, and no RJ45 or other access ports exist between the WTP and
   the AC), this will not always be the case.  Furthermore, a determined
   attacker may resort to various various, more sophisticated monitoring and/or
   access techniques, thereby compromising the integrity of this
   connection.

   In general, a certain level of threat on the local (wired) LAN is
   expected and accepted in most computing environments.  That is, it is
   expected that in order to provide users with an acceptable level of
   service and maintain reasonable productivity levels, a certain amount
   of risk must be tolerated.  It is generally believed that a certain
   perimeter is maintained around such LANs, that an attacker must have
   access to the building(s) in which such LANs exist, and that they
   must be able to "plug in" to the LAN in order to access the network.

   With these things in mind, we can begin to assess the general
   security requirements for AC-WTP communications.  While an in-depth
   security analysis of threats and risks to these communication communications is
   beyond the scope of this document, some discussion of the motivation
   for various security-related design choices is useful.  The
   assumptions driving the security design thus far include the
   following:

   o  WTP-AC communications take place over a wired connection which that may
      be accessible to a sophisticated attacker attacker.

   o  access to this connection is not trivial for an outsider (i.e. (i.e.,
      someone who does not "belong" in the building) to access access.

   o  if authentication and/or privacy of end to end end-to-end traffic for which
      the WTP and AC are intermediaries is required, this may be
      provided via IPsec [15]. [14].

   o  privacy and authentication for at least some WTP-AC control
      traffic is required (e.g.  WEP (e.g., Wired Equivalent Privacy (WEP) keys for
      user sessions, passed from the AC to WTP) the WTP).

   o  the AC can be trusted to generate strong cryptographic keys keys.

   The AC-WTP traffic can be considered to consist of two types: data
   traffic (e.g. (e.g., to or from an end user), and control traffic traffic, which is
   strictly between the AC and WTP.  Since data traffic may be secured
   using IPsec (or some other end-to-end security mechanism), we confine
   our solution to control traffic.  The resulting security consists of
   two components: an authenticated key exchange, exchange and control traffic
   security encapsulation.  The security encapsulation is accomplished
   using AES CCM, AES-CCM, described in [3].  This encapsulation provides for
   strong AES-based authentication and encryption. encryption [2].  The exchange of
   cryptographic keys used for CCM is described below.

10.2.  LWAPP Frame Encryption

   While,

   While the LWAPP protocol uses AES-CCM to encrypt control traffic, it
   is important to note that not all control frames are encrypted.  The
   LWAPP discovery and join phase are not encrypted.  The Discovery
   messages are sent in the clear since there does not exist a security
   association between the WTP and the AC during the discovery phase.
   The Join join phase is an authenticated exchange used to negotiate
   symmetric session keys (see Section 10.3).

   Once the join phase has been successfully completed, the LWAPP state
   machine Figure 2 will move to the Configure state, at which time all
   LWAPP control frames are encrypted using AES-CCM.

   Encryption of a control message begins at the Message Element field, field:
   meaning the Msg Type, Seq Num, Msg Element Length Length, and Session ID
   fields are left intact (see Section 4.2.1).

   The AES-CCM 12 byte 12-byte authentication data is appended to the end of the
   message.  The authentication data is calculated from the start of the
   LWAPP packet, packet and includes the complete LWAPP control header (see
   Section 4.2.1).

   The AES-CCM block cipher protocol requires an initialization vector.
   The LWAPP protocol requires that the WTP and the AC maintain two
   separate IVs, one for transmission and one for reception.  The IV
   derived during the key exchange phase by both the WTP and the AC is
   used as the base for all encrypted packets with a new key.

10.3.  Authenticated Key Exchange

   This section describes the key management component of the LWAPP
   protocol.  There are two modes supported by LWAPP; LWAPP: certificate and
   pre-shared key.

10.3.1.  Terminology

   This section details the key management protocol which that makes use of
   pre-shared secrets.

   The following notations are used throughout this section:

   o  PSK - the pre-shared key shared between the WTP and the AC AC.

   o  Kpriv - the private key of a public-private key pair pair.

   o  Kpub - the public key of the pair pair.

   o  SessionID - a randomly generated LWAPP session identifier,
      provided by the WTP in the Join Request Request.

   o  E-x{Kpub, M} - RSA encryption of M using X's public key key.

   o  D-x{Kpriv, C} - RSA decryption of C using X's private key key.

   o  AES-CMAC(key, packet) - A message integrity check, using AES-CMAC
      and key, of the complete LWAPP packet, with the sequence number Sequence Number
      field and the payload of the PSK-MIC message element set to zero.

   o  AES-E(key, plaintext) - Plaintext is encrypted with key, using
      AES.

   o  AES-D(key, ciphertext) - ciphertext is decrypted with key, using
      AES.

   o  Certificate-AC - AC's Certificate Certificate.

   o  Certificate-WTP - WTP's Certificate Certificate.

   o  WTP-MAC - The WTP's MAC Address. address.

   o  AC-MAC - The AC's MAC Address. address.

   o  RK0 - the root key, which is created through a KDF Key Derivation
      Function (KDF) function.

   o  RK0E - the root Encryption key, derived from RK0.

   o  RK0M - the root MIC key, derived from RK0.

   o  SK1 - the session Key key.

   o  SK1C - the session confirmation Key, key, derived from SK SK.

   o  SK1E - the session encryption Key, key, derived from SK SK.

   o  SK1W - the session keywrap Key, key, derived from SK (see RFC 3394 [9])
      [9]).

   o  WNonce - The WTP's randomly generated Nonce. nonce.

   o  ANonce - The AC's randomly generated Nonce. nonce.

   o  EWNonce - The payload of the WNonce message element, which
      includes the WNonce.

   o  EANonce - The payload of the ANonce message element, which
      includes the ANonce.

10.3.2.  Initial Key Generation

   The AC and WTP accomplish mutual authentication and a cryptographic
   key exchange in a dual round trip roundtrip using the Join Request, Join
   Response, Join ACK ACK, and Join Confirm (see Section 6.1).

   The following text describes the exchange between the WTP and the AC
   that creates a session key, which is used to secure LWAPP control
   messages.

   o  The WTP creates a Join Request using the following process:

      o  If Certificate based certificate-based security is used, the WTP adds the
         Certificate message element (see Section 6.1.6) with its
         contents set to Certificate-WTP.

      o  Adds  The WTP adds the Session ID message element (see Section 6.1.7)
         with the contents set to a randomly generated session identifer
         identifier (see RFC 1750 [4]).  The WTP MUST save the Session
         ID in order to validate the Join Response.

      o  Creates  The WTP creates a random Nonce, nonce, included in the XNonce message
         element (see Section 6.1.9).  The WTP MUST save the XNonce to
         validate the Join Response.

      o  The WTP transmits the Join Request to the AC.

   o  Upon receiving the Join Request Request, the AC uses the following
      process:

      o  The AC creates the Join Response, and ensures that the Session
         ID message element matches the value found in the Join Request.

      o  If Certificate based certificate-based security is used, the AC:

         o  Adds  adds the Certificate-AC to the Certificate message element.

         o  Creates  creates a random 'AC Nonce' and encrypts it using the
            following algorithm E-wtp(Kpub, XNonce XOR 'AC Nonce').  The
            encrypted contents are added to the ANonce's message element
            payload.

      o  If pre-shared key based a pre-shared-key-based security is used, the AC:

         o  Creates  creates RK0 through the following algorithm: RK0 = KDF-
            256{PSK, "LWAPP PSK Top K0" || Session ID || WTP-MAC || AC-
            MAC}, where WTP-MAC is the WTP's MAC Address address in the form
            "xx:xx:xx:xx:xx:xx".  Similarly, the AC-MAC is an ASCII
            encoding of the AC's MAC Address, address, of the form "xx:xx:xx:xx:
            xx:xx".  The resulting K0 is split into the following:

            o  The first 16 octets is are known as RK0E, and is are used as an
               encryption key key.

            o  The second 16 octets is are known as RK0M, and is are used for
               MIC'ing purposes purposes.

         o  Creates  The AC creates a random 'AC Nonce' and encrypts it using the
            following algorithm algorithm: AES-E(RK0E, XNonce XOR 'AC Nonce').
            The encrypted contents are added to the ANonce's message
            element payload.

         o  The AC adds a MIC to the contents of the Join Response using
            AES-CMAC(RK0M, Join Response) and adds the resulting hash to
            the PSK-MIC (Section 6.2.9) message element.

   o  Upon receiving the Join Response Response, the WTP uses the following
      process:

      o  If Pre-shared a pre-shared key is used, the WTP authenticates the Join
         Response's PSK-MIC message element.  If authentication fails,
         the packet is dropped.

      o  The WTP decrypts the ANonce message element and XOR's the value
         with XNonce to retrieve the 'AC Nonce'.  The ANonce payload is
         referred to as ciphertext below:

         o  If Pre-shared a pre-shared key is used, use AES-D(RK0E, ciphertext).
            The 'AC Nonce' is then recovered using XNonce XOR plaintext.

         o  If certificates are used, use d-wtp(Kpriv, ciphertext).  The
            'AC Nonce' is then recovered using XNonce XOR plaintext.

      o  The WTP creates a random 'WTP Nonce'.

      o  The WTP uses the KDF function to create a 64 octet 64-octet session key
         (SK).  The KDF function used is as follows: KDF-512{'WTP Nonce'
         || 'AC Nonce', "LWAPP Key Generation", WTP-MAC || AC-MAC}.  The
         KDF function is defined in [7].

      o  SK is then broken down into three separate session keys with
         different purposes:

         o  The first 16 octets is are known as SK1C, and is are used as a
            confirmation key key.

         o  The second 16 octets is are known as SK1E, and is are as the
            encryption key key.

         o  The third 16 octets is are known as SK1D, and is are used as the
            keywrap key key.

         o  The fourth 16 octets is are known as IV, and is are used as the
            Initialization Vector during encryption encryption.

      o  The WTP creates the Join ACK message.

      o  If Certificate based certificate-based security is used, the AC:

         o  Encrypt  encrypts the 'WTP Nonce' using the following algorithm E-ac(Kpub, algorithm: E-
            ac(Kpub, 'WTP Nonce').  The encrypted contents are added to
            the WNonce's message element payload.

      o  If pre-shared key based a pre-shared-key-based security is used, the AC:

         o  Encrypt  encrypts the 'WTP Nonce' using the following algorithm AES-
            E(RK0E, algorithm:
            AES-E(RK0E, 'WTP Nonce').  The encrypted contents are added
            to the WNonce's message element payload.

      o  The WTP adds a MIC to the contents of the Join ACK using AES-
         CMAC(SK1M,
         AES-CMAC(SK1M, Join ACK) and adds the resulting hash to the
         PSK-MIC (Section 6.2.9) message element.

      o  The WTP then transmits the Join ACK to the AC.

   o  Upon receiving the Join ACK ACK, the AC uses the following process:

      o  The AC authenticates the Join ACK through the PSK-MIC message
         element.  If authentic, the AC decrypts the WNonce message
         element to retrieve the 'WTP Nonce'.  If the Join ACK could not cannot be
         authenticated, the packet is dropped.

      o  The AC decrypts the WNonce message element to retrieve the 'WTP
         Nonce'.  The WNonce payload is referred to as ciphertext below:

         o  If Pre-shared a pre-shared key is used, use AES-D(RK0E, ciphertext).
            The plaintext is then considered the 'WTP Nonce'.

         o  If certificates are used, use d-ac(Kpriv, ciphertext).  The
            plaintext is then considered the 'WTP Nonce'.

      o  The AC then uses the KDF function to create a 64 octet 64-octet session
         key (SK).  The KDF function used is as follows: KDF-512{'WTP
         Nonce' || 'AC Nonce', "LWAPP Key Generation", WTP-MAC || AC-
         MAC}.
         AC-MAC}.  The KDF function is defined in [7].  The SK is split
         into SK1C, SK1E, SK1D SK1D, and IV IV, as previously noted.

      o  The AC creates the Join Confirm.

      o  The AC adds a MIC to the contents of the Join Confirm using
         AES-CMAC(SK1M, Join Confirm) and adds the resulting hash to the
         MIC (Section 6.2.9) message element.

      o  The AC then transmits the Join Confirm to the WTP.

   o  Upon receiving the Join Confirm Confirm, the WTP uses the following
      process:

      o  The WTP authenticates the Join Confirm through the PSK-MIC
         message element.  If the Join Confirm could not cannot be authenticated,
         the packet is dropped.

   o  SK1E is now plumbed into the AC and WTP's crypto engine as the
      AES-CCM LWAPP control encryption session key.  Furthermore, the
      random IV is used as the base Initialization Vector.  From this
      point on, all control protocol payloads between the WTP and AC are
      encrypted and authenticated using the new session key.

10.3.3.  Refreshing Cryptographic Keys

   Since AC-WTP associations will tend to be relatively long-lived, it
   is sensible to periodically refresh the encryption and authentication
   keys; this is referred to as "rekeying".  When the key lifetime
   reaches 95% of the configured value, identified in the KeyLifetime
   timer (see Section 12), the rekeying will proceed as follows:

   o  The WTP creates RK0 through the previously defined KDF algorithm:
      RK0 = KDF-256{SK1D, "LWAPP PSK Top K0" || Session ID || WTP-MAC ||
      AC-MAC}.  Note that the difference in this specific instance is
      that SK1D that was previously generated is used instead of the
      PSK.  Note this is used in both the certificate and pre-shared key
      modes.  The resulting RK0 create creates RK0E, RK0M.

   o  The remaining steps used are identical as to the join process, with
      the exception that the rekey messages are used instead of join
      messages, and the fact that the messages are encrypted using the
      previously created SK1E.  This means the Join Request is replaced
      with the Rekey Request, the Join Response is replaced with the
      Rekey Response, etc.  The two differences between the rekey and
      the join process are:

      o  The Certificate-WTP and Certificate-AC are not included in the
         Rekey-Request and Rekey-Response, respectively.

      o  Regardless of whether certificates or pre-shared key was keys were used
         in the initial key derivation, the process now uses the pre-
         shared key mode only, using SK1D as the "PSK".

   o  The Key Update Request is sent to the AC.

   o  The newly created SK1E is now plumbed into the AC and WTP's crypto
      engine as the AES-CCM LWAPP control encryption session key.
      Furthermore, the new random IV is used as the base Initialization
      Vector.  From this point on, all control protocol payloads between
      the WTP and AC are encrypted and authenticated using the new
      session key.

      If either the WTP or the AC do not receive an expected response by
      the time the ResponseTimeout timer expires (see Section 12), the
      WTP MUST delete the new and old session information, and reset the
      state machine to the Idle state.

      Following a rekey process, both the WTP and the AC keep the
      previous encryption for 5-10 seconds in order to be able to
      process packets that arrive out of order.

10.4.  Certificate Usage

   Validation of the certificates by the AC and WTP is required so that
   only an AC may perform the functions of an AC and that only a WTP may
   perform the functions of a WTP.  This restriction of functions to the
   AC or WTP requires that the certificates used by the AC MUST be
   distinguishable from the certificate used by the WTP.  To accomplish
   this differentiation, the x.509v3 certificates MUST include the
   Extensions field [10] and MUST include the NetscapeComment [11]
   extension.

   For an AC, the value of the NetscapeComment extension MUST be the
   string "CAPWAP AC Device Certificate".  For a WTP, the value of the
   NetscapeComment extension MUST be the string "CAPWAP WTP Device
   Certificate".

   Part of the LWAPP certificate validation process includes ensuring
   that the proper string is included in the NetscapeComment extension,
   and only allowing the LWAPP session to be established if the
   extension does not represent the same role as the device validating
   the certificate.  For instance, a WTP MUST NOT accept a certificate
   whose NetscapeComment field is set to "CAPWAP WTP Device
   Certificate".

11.  IEEE 802.11 Binding

   This section defines the extensions required for the LWAPP protocol
   to be used with the IEEE 802.11 protocol.

11.1.  Division of labor Labor

   The LWAPP protocol, when used with IEEE 802.11 devices, requires a
   specific behavior from the WTP and the AC, specifically in terms of
   which 802.11 protocol functions are handled.

   For both the Split and Local MAC approaches, the CAPWAP functions, as
   defined in the taxonomy specification, reside in the AC.

11.1.1.  Split MAC

   This section shows the division of labor between the WTP and the AC
   in a Split MAC architecture.  Figure 3 shows the clear separation of
   functionality among LWAPP components.

       Function                               Location
           Distribution Service                      AC
           Integration Service                       AC
           Beacon Generation                         WTP
           Probe Response                            WTP
           Power Mgmt/Packet Buffering               WTP
           Fragmentation/Defragmentation             WTP
           Assoc/Disassoc/Reassoc                    AC

      802.11e
           Classifying                               AC
           Scheduling                                WTP/AC
           Queuing                                   WTP

      802.11i
           802.1X/EAP                                AC
           Key Management                            AC
           802.11 Encryption/Decryption              WTP or AC

      Figure 3: Mapping of 802.11 Functions for Split MAC Architecture

   The Distribution and Integration services reside on the AC, and
   therefore all user data is tunneled between the WTP and the AC.  As
   noted above, all real-time 802.11 services, including the control
   protocol and the beacon and probe response Probe Response frames, are handled on the
   WTP.

   All remaining 802.11 MAC management frames are supported on the AC,
   including the Association Request Request, which allows the AC to be involved
   in the access policy enforcement portion of the 802.11 protocol.  The
   802.1X and 802.11i key management function are also located on the
   AC.

   While the admission control component of 802.11e resides on the AC,
   the real time real-time scheduling and queuing functions are on the WTP.  Note
   that this does not exclude the AC from providing additional policing
   and scheduling functionality.

   Note that in the following figure, the use of '( - )' indicates that
   processing of the frames is done on the WTP.

      Client                       WTP                        AC

               Beacon
      <-----------------------------
            Probe Request
      ----------------------------( - )------------------------->
            Probe Response
      <-----------------------------
                       802.11 AUTH/Association
      <--------------------------------------------------------->
                         Add Mobile (Clear Text, 802.1X Only)
                                      <------------------------->
             802.1X Authentication & 802.11i Key Exchange
      <--------------------------------------------------------->
                                  Add Mobile (AES-CCMP, PTK=x)
                                      <------------------------->
                        802.11 Action Frames
      <--------------------------------------------------------->
                            802.11 DATA (1)
      <---------------------------( - )------------------------->

      Figure 4: Split MAC Message Flow

   Figure 4 provides an illustration of the division of labor in a Split
   MAC architecture.  In this example, a WLAN has been created that is
   configured for 802.11i, using AES-CCMP for privacy.  The following
   process occurs:

   o  The WTP generates the 802.11 beacon frames, using information
      provided to it through the Add WLAN (see Section Section 11.8.1.1) message
      element.

   o  The WTP processes the probe request Probe Request and responds with a
      corresponding probe response. Probe Response.  The problem request is then
      forwarded to the AC for optional processing.

   o  The WTP forwards the 802.11 Authentication and Association frames
      to the AC, which is responsible for responding to the client.

   o  Once the association is complete, the AC transmits an LWAPP Add
      Mobile request Request to the WTP (see section Section 11.7.1.1. 11.7.1.1).  In the above
      example, the WLAN is configured for 802.1X, and therefore the
      '802.1X only' policy bit is enabled.

   o  If the WTP is providing encryption/decryption services, once the
      client has completed the 802.11i key exchange, the AC transmits
      another Add Mobile request Request to the WTP, stating the security policy
      to enforce for the client (in this case AES-CCMP), as well as the
      encryption key to use.  If encryption/decryption is handled in the
      AC, the Add Mobile request Request would have the encryption policy set to
      "Clear Text".

   o  The WTP forwards any 802.11 Action frames received to the AC.

   o  All client data frames are tunneled between the WTP and the AC.
      Note that the WTP is responsible for encrypting and decrypting
      frames, if it was indicated in the Add Mobile request. Request.

11.1.2.  Local MAC

   This section shows the division of labor between the WTP and the AC
   in a Local MAC architecture.  Figure 5 shows the clear separation of
   functiionality
   functionality among LWAPP components.

       Function                               Location
           Distribution Service                      WTP
           Integration Service                       WTP
           Beacon Generation                         WTP
           Probe Response                            WTP
           Power Mgmt/Packet Buffering               WTP
           Fragmentation/Defragmentation             WTP
           Assoc/Disassoc/Reassoc                    WTP

      802.11e
           Classifying                               WTP
           Scheduling                                WTP
           Queuing                                   WTP

      802.11i
           802.1X/EAP                                AC
           Key Management                            AC
           802.11 Encryption/Decryption              WTP

      Figure 5: Mapping of 802.11 Functions for Local AP Architecture

   Given the that Distribution and Integration Services exist on the WTP,
   client data frames are not forwarded to the AC, with the exception
   listed in the following paragraphs.

   While the MAC is terminated on the WTP, it is necessary for the AC to
   be aware of mobility events within the WTPs.  As a consequence, the
   WTP MUST forward the 802.11 Association Requests to the AC, and the
   AC MAY reply with a failed Association Response if it deems it
   necessary.

   The 802.1X and 802.11i Key Management function resides in the AC.
   Therefore, the WTP MUST forward all 802.1X/Key Management frames to
   the AC and forward the associated responses to the station.

   Note that in the following figure, the use of '( - )' indicates that
   processing of the frames is done on the WTP.

      Client                       WTP                        AC

               Beacon
      <-----------------------------
                Probe
      <---------------------------->
             802.11 AUTH
      <-----------------------------
                          802.11 Association
      <---------------------------( - )------------------------->
                         Add Mobile (Clear Text, 802.1X Only)
                                      <------------------------->
             802.1X Authentication & 802.11i Key Exchange
      <--------------------------------------------------------->
                        802.11 Action Frames
      <--------------------------------------------------------->
                                  Add Mobile (AES-CCMP, PTK=x)
                                      <------------------------->
              802.11 DATA
      <----------------------------->

      Figure 6: Local MAC Message Flow

   Figure 6 provides an illustration of the division of labor in a Local
   MAC architecture.  In this example, a WLAN has been created that is
   configured for 802.11i, using AES-CCMP for privacy.  The following
   process occurs:

   o  The WTP generates the 802.11 beacon frames, using information
      provided to it through the Add WLAN (see Section Section 11.8.1.1) message
      element.

   o  The WTP processes the probe request Probe Request and responds with a
      corresponding probe response. Probe Response.

   o  The WTP forwards the 802.11 Authentication and Association frames
      to the AC, which is responsible for responding to the client.

   o  Once the association is complete, the AC transmits an LWAPP Add
      Mobile request Request to the WTP (see section Section 11.7.1.1.  In the above
      example, the WLAN is configured for 802.1X, and therefore the
      '802.1X only' policy bit is enabled.

   o  The WTP forwards all 802.1X and 802.11i key exchange messages to
      the AC for processing.

   o  The AC transmits another Add Mobile request Request to the WTP, stating
      the security policy to enforce for the client (in this case case, AES-
      CCMP), as well as the encryption key to use.  The Add Mobile
      request
      Request MAY include a VLAN name, which when present is used by the
      WTP to identify the VLAN on which the user's data frames are to be
      bridged.

   o  The WTP forwards any 802.11 Action frames received to the AC.

   o  The WTP locally bridges all client data frames, and provides the
      necessary encryption and decryption services.

11.2.  Roaming Behavior and 802.11 security Security

   It is important that LWAPP implementations react properly to mobile
   devices associating to the networks in how they generate Add Mobile
   and Delete Mobile messages.  This section expands upon the examples
   provided in the previous section, and describes how the LWAPP control
   protocol is used in order to provide secure roaming.

   Once a client has successfully associated with the network in a
   secure fashion, it is likely to attempt to roam to another access
   point.  Figure 7 shows an example of a currently associated station
   moving from its "Old WTP" to a new WTP. "WTP".  The figure is useful for
   multiple different security policies, including standard 802.1X and
   dynamic WEP keys, WPA or even WPA2 both with key caching (where the
   802.1x exchange would be bypassed) and without.

      Client              Old WTP              WTP              AC

                    Association Request/Response
       <--------------------------------------( - )-------------->
                          Add Mobile (Clear Text, 802.1X Only)
                                                <---------------->
       802.1X Authentication (if no key cache entry exists)
       <--------------------------------------( - )-------------->
                     802.11i 4-way Key Exchange
       <--------------------------------------( - )-------------->
                                   Delete Mobile
                              <---------------------------------->
                                   Add Mobile (AES-CCMP, PTK=x)
                                                <---------------->

       Figure 7: Client Roaming Example

11.3.  Transport specific bindings  Transport-Specific Bindings

   All LWAPP transports have the following IEEE 802.11 specific
   bindings:

11.3.1.  Status and WLANS field Field

   The interpretation of this 16 bit 16-bit field depends on the direction of
   transmission of the packet.  Refer to the figure in Section
   Section 3.1.

   Status

   When an LWAPP packet is transmitted from an a WTP to an AC, this field
   is called the status Status field and indicates radio resource information
   associated with the frame.  When the message is an LWAPP control
   message this field is transmitted as zero.

   The status Status field is divided into the signal strength and signal to signal-to-
   noise ratio with which an IEEE 802.11 frame was received, encoded in
   the following manner:

       0                   1
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     RSSI      |     SNR       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   RSSI:   RSSI is a signed, 8-bit value.  It is the received signal
      strength indication, in dBm.

   SNR:   SNR is a signed, 8-bit value.  It is the signal to noise signal-to-noise ratio
      of the received IEEE 802.11 frame, in dB.

   WLANs field:   When an LWAPP data message is transmitted from an AC
      to an a WTP, this 16 bit 16-bit field indicates on which WLANs the
      encapsulated IEEE 802.11 frame is to be transmitted.  For unicast
      packets, this field is not used by the WTP.  For broadcast or
      multicast packets, the WTP might require this information if it
      provides encryption services.

      Given that a single broadcast or multicast packet might need to be
      sent to multiple wireless LANs (presumably each with a different
      broadcast key), this field is defined as a bit field.  A bit set
      indicates a WLAN ID (see Section Section 11.8.1.1) 11.8.1.1), which will be sent the
      data.  The WLANS field is encoded in the following manner:

       0                   1
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          WLAN ID(s)           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

11.4.  BSSID to WLAN ID Mapping

   The LWAPP protocol makes assumptions regarding the BSSIDs used on the
   WTP.  It is a requirement for the WTP to use a contiguous block of
   BSSIDs.  The WLAN Identifier field, which is managed by the AC, is
   used as an offset into the BSSID list.

   For instance, if a WTP had a base BSSID address of 00:01:02:00:00:00,
   and the AC sent an Add WLAN message with a WLAN Identifier of 2 (see
   Section Section 11.8.1.1), the BSSID for the specific WLAN on the WTP would
   be 00:01:02:00:00:02.

   The WTP communicates the maximum number of BSSIDs that it supports
   during the Config Request within the IEEE 802.11 WTP WLAN Radio
   Configuration message element (see Section 11.9.1).

11.5.  Quality of Service

   It is recommended that 802.11 MAC management be sent by both the AC
   and the WTP with appropriate Quality of Service Quality-of-Service (QoS) values,
   ensuring that congestion in the network minimizes occurences of
   packet loss.  Therefore, a Quality of Service enabled QoS-enabled LWAPP device should use:

   802.1P:   The precedence value of 6 SHOULD be used for all 802.11 MAC
      management messages, except for Probe Requests Requests, which SHOULD use
      4.

   DSCP:   The dscp DSCP tag value of 46 SHOULD be used for all 802.11 MAC
      management messages, except for Probe Requests Requests, which SHOULD use
      34.

11.6.  Data Message bindings Bindings

   There are no LWAPP Data Message data message bindings for IEEE 802.11.

11.7.  Control Message bindings Bindings

   The IEEE 802.11 binding has the following Control Message control message
   definitions.

11.7.1.  Mobile Config Request

   This section contains the 802.11 specific 802.11-specific message elements that are
   used with the Mobile Config Request.

11.7.1.1.  Add Mobile

   The Add Mobile Request is used by the AC to inform an a WTP that it
   should forward traffic from a particular mobile station.  The add
   mobile request Add
   Mobile Request may also include security parameters that must be
   enforced by the WTP for the particular mobile.

   When the AC sends an Add Mobile Request, it includes any security
   parameters that may be required.  An AC that wishes to update a
   mobile's policy on an a WTP may be done do so by simply sending a new Add Mobile
   message element.

   When an a WTP receives an Add Mobile message element, it must first
   override any existing state it may have for the mobile station in
   question.  The latest Add Mobile overrides any previously received
   messages.  If the Add Mobile message element's EAP Only EAP-Only bit is set,
   the WTP MUST drop all 802.11 packets that do not contain EAP packets.
   Note that when EAP Only is set, the Encryption Policy field MAY have
   additional values, and therefore it is possible to inform an a WTP to
   only accept encrypted EAP packets.  Once the mobile station has
   successfully completed EAP authentication, the AC must send a new Add
   Mobile message element to push the session key down to the WTP as
   well as to remove the EAP Only restriction.

   If the QoS field is set, the WTP MUST observe and provide policing of
   the 802.11e priority tag to ensure that it does not exceed the value
   provided by the AC.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |        Association ID         |  MAC Address  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          MAC Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  MAC Address  |E|C|            Encryption Policy              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |Encrypt Policy |                Session Key...                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                        Pairwise TSC...                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                        Pairwise RSC...                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          Capabilities         |   WLAN ID     |    WME Mode   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | 802.11e Mode  |      Qos      |        Supported Rates        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                        Supported Rates                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          VLAN Name...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   29 for Add Mobile

   Length:   36

   Radio ID:   An 8-bit value representing the radio radio.

   Association ID:   A 16-bit value specifying the 802.11 Association
      Identifier
      Identifier.

   MAC Address:   The mobile station's MAC Address address.

   E:   The one bit 1-bit field is set by the AC to inform the WTP that is it MUST
      NOT accept any 802.11 data frames, other than 802.1X frames.  This
      is the equivalent of the WTP's 802.1X port for the mobile station
      to be in the closed state.  When set, the WTP MUST drop any non-802.1X non-
      802.1X packets it receives from the mobile station.

   C:   The one bit 1-bit field is set by the AC to inform the WTP that
      encryption services will be provided by the AC.  When set, the WTP
      SHOULD police frames received from stations to ensure that they
      comply to the stated encryption policy, but does not need to take
      specific cryptographic action on the frame.  Similarly, for
      transmitted frames, the WTP only needs to forward already
      encrypted frames.

   Encryption Policy:   The policy field informs the WTP how to handle
      packets from/to the mobile station.  The following values are
      supported:

      0 -  Encrypt WEP 104: All packets to/from the mobile station must
           be encrypted using a standard 104 bit 104-bit WEP.

      1 -  Clear Text: All packets to/from the mobile station do not
           require any additional crypto processing by the WTP.

      2 -  Encrypt WEP 40: All packets to/from the mobile station must
           be encrypted using a standard 40 bit 40-bit WEP.

      3 -  Encrypt WEP 128: All packets to/from the mobile station must
           be encrypted using a standard 128 bit 128-bit WEP.

      4 -  Encrypt AES-CCMP 128: All packets to/from the mobile station
           must be encrypted using 128 bit AES CCMP [7] a 128-bit AES-CCMP [7].

      5 -  Encrypt TKIP-MIC: All packets to/from the mobile station must
           be encrypted using TKIP Temporal Key Integrity Protocol (TKIP) and
           authenticated using Michael [17] [16].

   Session Key:   A 32 octet 32-octet session key the WTP is to use when
      encrypting traffic to or decrypting traffic from the mobile
      station.  The type of key is determined based on the Encryption
      Policy field.

   Pairwise TSC:   The TSC to use for unicast packets transmitted to the
      mobile.

   Pairwise RSC:   The RSC Receive Sequence Counter (RSC) to use for unicast
      packets received from the mobile.

   Capabilities:   A 16-bit field containing the 802.11 capabilities to
      use with the mobile.

   WLAN ID:   An 8-bit value specifying the WLAN Identifier Identifier.

   WME Mode:   A   An 8-bit boolean Boolean used to identify whether the station is
      WME capable.  A value of zero is used to indicate that the station
      is not WME Wireless Multimedia Extension (WME) capable, while a value
      of one means that the station is WME capable.

   802.11e Mode:   A   An 8-bit boolean Boolean used to identify whether the station
      is 802.11e capable. 802.11e-capable.  A value of zero is used to indicate that the
      station is not 802.11e capable, 802.11e-capable, while a value of one means that
      the station is 802.11e capable. 802.11e-capable.

   QoS:   An 8-bit value specifying the QoS policy to enforce for the
      station.  The following values are supported: PRC: TO CHECK

      0 -  Silver (Best Effort)

      1 -  Gold (Video)

      2 -  Platinum (Voice)

      3 -  Bronze (Background)

   Supported Rates:   The supported rates to be used with the mobile
      station.

   VLAN Name:   An optional variable string containing the VLAN Name on
      which the WTP is to locally bridge user data.  Note that this
      field is only valid with Local MAC WTPs.

11.7.1.2.  IEEE 802.11 Mobile Session Key

   The Mobile Session Key Payload message element is sent when the AC
   determines that encryption of a mobile station must be performed in
   the WTP.  This message element MUST NOT be present without the Add
   Mobile (see Section 11.7.1.1) message element, and MUST NOT be sent if the WTP had not
   specifically advertised support for the requested encryption scheme
   (see ???). Section 11.7.1.1).

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           MAC Address                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          MAC Address          |       Encryption Policy       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |       Encryption Policy       |        Session Key...         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   105 for IEEE 802.11 Mobile Session Key

   Length:   >= 11

   MAC Address: The mobile station's MAC Address address.

   Encryption Policy: The policy field informs the WTP how to handle
      packets from/to the mobile station.  The following values are
      supported:

      0 -  Encrypt WEP 104: All packets to/from the mobile station must
           be encrypted using a standard 104 bit 104-bit WEP.

      1 -  Clear Text: All packets to/from the mobile station do not
           require any additional crypto processing by the WTP.

      2 -  Encrypt WEP 40: All packets to/from the mobile station must
           be encrypted using a standard 40 bit 40-bit WEP.

      3 -  Encrypt WEP 128: All packets to/from the mobile station must
           be encrypted using a standard 128 bit 128-bit WEP.

      4 -  Encrypt AES-CCMP 128: All packets to/from the mobile station
           must be encrypted using 128 bit AES CCMP [7] a 128-bit AES-CCMP [7].

      5 -  Encrypt TKIP-MIC: All packets to/from the mobile station must
           be encrypted using TKIP and authenticated using Michael [17] [16].

   Session Key: The session key the WTP is to use when encrypting
      traffic to/from the mobile station.

11.7.1.3.  Station QoS Profile

   The Station QoS Profile Payload message element contains the maximum
   802.11e priority tag that may be used by the station.  Any packets
   received that exceeds exceed the value encoded in this message element must
   either be dropped or tagged using the maximum value permitted by to the
   user.  The priority tag must be between zero (0) and seven (7).

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           MAC Address                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          MAC Address          |     802.1P Precedence Tag     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   140 for IEEE 802.11 Station QOS QoS Profile

   Length:   12

   MAC Address:   The mobile station's MAC Address address.

   802.1P Precedence Tag:   The maximum 802.1P precedence value that the
      WTP will allow in the TID Traffice Identifier (TID) field in the
      extended 802.11e QOS QoS Data header.

11.7.1.4.  IEEE 802.11 Update Mobile QoS

   The Update Mobile QoS message element is used to change the Quality
   of Service Quality-
   of-Service policy on the WTP for a given mobile station.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Radio ID    |        Association ID         |  MAC Address  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          MAC Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  MAC Address  |  QoS Profile  |        Vlan Identifier        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   DSCP Tag    |  802.1P Tag   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   106 for IEEE 802.11 Update Mobile QoS

   Length:   14

   Radio ID:   The Radio Identifier, typically refers to some interface
      index on the WTP WTP.

   Association ID:   The 802.11 Association Identifier.

   MAC Address:   The mobile station's MAC Address. address.

   QoS Profile:   An 8-bit value specifying the QoS policy to enforce
      for the station.  The following values are supported:

      0 -  Silver (Best Effort)

      1 -  Gold (Video)

      2 -  Platinum (Voice)

      3 -  Bronze (Background)

   VLAN Identifier:   PRC.

   DSCP Tag:   The DSCP label to use if packets are to be DSCP tagged.

   802.1P Tag:   The 802.1P precedence value to use if packets are to be
      802.1P tagged.
      802.1P-tagged.

11.7.2.  WTP Event Request

   This section contains the 802.11 specific 802.11-specific message elements that are
   used with the WTP Event Request message.

11.7.2.1.  IEEE 802.11 Statistics

   The statistics Statistics message element is sent by the WTP to transmit it's its
   current statistics.  The value contains the following fields. fields:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |               Tx Fragment Count               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |Tx Fragment Cnt|               Multicast Tx Count              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Mcast Tx Cnt  |                  Failed Count                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Failed Count  |                  Retry Count                  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Retry Count  |             Multiple Retry Count              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |Multi Retry Cnt|             Frame Duplicate Count             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Frame Dup Cnt |               RTS Success Count               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |RTS Success Cnt|               RTS Failure Count               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |RTS Failure Cnt|               ACK Failure Count               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |ACK Failure Cnt|               Rx Fragment Count               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |Rx Fragment Cnt|               Multicast RX Count              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Mcast Rx Cnt  |                FCS Error  Count               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | FCS Error  Cnt|                 Tx Frame Count                |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Tx Frame Cnt  |               Decryption Errors               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |Decryption Errs|
      +-+-+-+-+-+-+-+-+

   Type:   38 for Statistics

   Length:   57
   Radio ID:   An 8-bit value representing the radio.

   Tx Fragment Count:   A 32-bit value representing the number of
      fragmented frames transmitted.

   Multicast Tx Count:   A 32-bit value representing the number of
      multicast frames transmitted.

   Failed Count:   A 32-bit value representing the transmit excessive
      retries.

   Retry Count:   A 32-bit value representing the number of transmit
      retries.

   Multiple Retry Count:   A 32-bit value representing the number of
      transmits that required more than one retry.

   Frame Duplicate Count:   A 32-bit value representing the duplicate
      frames received.

   RTS Success Count:   A 32-bit value representing the number of
      successfully transmitted Ready To Send (RTS).

   RTS Failure Count:   A 32-bit value representing the failed
      transmitted RTS.

   ACK Failure Count:   A 32-bit value representing the number of failed
      acknowledgements.

   Rx Fragment Count:   A 32-bit value representing the number of
      fragmented frames received.

   Multicast RX Count:   A 32-bit value representing the number of
      multicast frames received.

   FCS Error Count:   A 32-bit value representing the number of FCS Frame
      Check Sequence (FCS) failures.

   Decryption Errors:   A 32-bit value representing the number of
      Decryption errors that occured occurred on the WTP.  Note that this field
      is only valid in cases where the WTP provides encryption/
      decryption services.

11.8.  802.11 Control Messages

   This section will define LWAPP Control Messages control messages that are specific to
   the IEEE 802.11 binding.

11.8.1.  IEEE 802.11 WLAN Config Request

   The IEEE 802.11 WLAN Configuration Request is sent by the AC to the
   WTP in order to change services provided by the WTP.  This control
   message is used to either create, update update, or delete a WLAN on the
   WTP.

   The IEEE 802.11 WLAN Configuration Request is sent as a result of
   either some manual admistrative administrative process (e.g., deleting a WLAN), or
   automatically to create a WLAN on an a WTP.  When sent automatically to
   create a WLAN, this control message is sent after the LWAPP
   Configuration Request message has been received by the WTP.

   Upon receiving this control message, the WTP will modify the
   necessary services, and transmit an IEEE 802.11 WLAN Configuration
   Response.

   An WTP MAY provide service for more than one WLAN, therefore WLAN: therefore, every
   WLAN is identified through a numerical index.  For instance, an a WTP
   that is capable of supporting up to 16 SSIDs, SSIDs could accept up to 16
   IEEE 802.11 WLAN Configuration Request messages that include the Add
   WLAN message element.

   Since the index is the primary identifier for a WLAN, an AC SHOULD
   attempt to ensure that the same WLAN is identified through the same
   index number on all of its WTPs.  An AC that does not follow this
   approach MUST find some other means of maintaining a WLAN Identifier
   to SSID mapping table.

   The following subsections define the message elements that are of
   value for this LWAPP operation.  Only one message MUST be present.

11.8.1.1.  IEEE 802.11 Add WLAN

   The Add WLAN message element is used by the AC to define a wireless
   LAN on the WTP.  The value contains the following format:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |         WLAN Capability       |    WLAN ID    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Encryption Policy                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Key ...                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Key Index   |   Shared Key  | WPA Data Len  |WPA IE Data ...|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | RSN Data Len  |RSN IE Data ...|         Reserved ....         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | WME Data Len  |WME IE Data ...|  11e Data Len |11e IE Data ...|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      QoS      |   Auth Type   |Broadcast SSID |  Reserved...  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    SSID ...   |
      +-+-+-+-+-+-+-+-+

   Type:   7 for IEEE 802.11 Add WLAN

   Length:   >= 298

   Radio ID:   An 8-bit value representing the radio.

   WLAN Capability:   A 16-bit value containing the capabilities to be
      advertised by the WTP within the Probe and Beacon messages.

   WLAN ID:   A 16-bit value specifying the WLAN Identifier.

   Encryption Policy:   A 32-bit value specifying the encryption scheme
      to apply to traffic to and from the mobile station.

      The following values are supported:

      0 -  Encrypt WEP 104: All packets to/from the mobile station must
           be encrypted using a standard 104 bit 104-bit WEP.

      1 -  Clear Text: All packets to/from the mobile station do not
           require any additional crypto processing by the WTP.

      2 -  Encrypt WEP 40: All packets to/from the mobile station must
           be encrypted using a standard 40 bit 40-bit WEP.

      3 -  Encrypt WEP 128: All packets to/from the mobile station must
           be encrypted using a standard 128 bit 128-bit WEP.

      4 -  Encrypt AES-CCMP 128: All packets to/from the mobile station
           must be encrypted using 128 bit AES CCMP [7] a 128-bit AES-CCMP [7].

      5 -  Encrypt TKIP-MIC: All packets to/from the mobile station must
           be encrypted using TKIP and authenticated using Michael [17] [16].

      6 -  Encrypt CKIP: All packets to/from the mobile station must be
           encrypted using Cisco TKIP.

   Key:   A 32 byte Session Key 32-byte session key to use with the encryption policy.

   Key-Index:   The Key Index associated with the key.

   Shared Key:   A 1 byte boolean 1-byte Boolean that specifies whether the key
      included in the Key field is a shared WEP key.  A value of zero is
      used to state that the key is not a shared WEP key, while a value
      of one is used to state that the key is a shared WEP key.

   WPA Data Len:   Length of the WPA IE. Information Element (IE).

   WPA IE:   A 32 byte 32-byte field containing the WPA Information Element.

   RSN Data Len:   Length of the RSN Robust Security Network (RSN) IE.

   RSN IE:   A 64 byte 64-byte field containing the RSN Information Element.

   Reserved:   A 49 byte 49-byte reserved field, which MUST be set to zero (0).

   WME Data Len:   Length of the WME IE.

   WME IE:   A 32 byte 32-byte field containing the WME Information Element.

   DOT11E Data Len:   Length of the 802.11e IE.

   DOT11E IE:   A 32 byte 32-byte field containing the 802.11e Information
      Element.

   QOS:   An 8-bit value specifying the QoS policy to enforce for the
      station.

      The following values are supported:

      0 -  Silver (Best Effort)

      1 -  Gold (Video)

      2 -  Platinum (Voice)
      3 -  Bronze (Background)

   Auth Type:   An 8-bit value specifying the station's authentication
      type.

      The following values are supported:

      0 -  Open System

      1 -  WEP Shared Key

      2 -  WPA/WPA2 802.1X

      3 -  WPA/WPA2 PSK

   Broadcast SSID:   A boolean Boolean indicating whether the SSID is to be
      broadcast by the WTP.  A value of zero disables SSID broadcast,
      while a value of one enables it.

   Reserved:   A 40 byte 40-byte reserved field.

   SSID:   The SSID attribute is the service set identifier that will be
      advertised by the WTP for this WLAN.

11.8.1.2.  IEEE 802.11 Delete WLAN

   The delete Delete WLAN message element is used to inform the WTP that a
   previously created WLAN is to be deleted.  The value contains the
   following fields:

       0                   1                   2
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |            WLAN ID            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   28 for IEEE 802.11 Delete WLAN

   Length:   3

   Radio ID:   An 8-bit value representing the radio

   WLAN ID:   A 16-bit value specifying the WLAN Identifier

11.8.1.3.  IEEE 802.11 Update WLAN

   The Update WLAN message element is used by the AC to define a
   wireless LAN on the WTP.  The value contains the following format:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |             WLAN ID           |Encrypt Policy |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Encryption Policy        |     Key...    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Key ...                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Key Index   |   Shared Key  |        WLAN Capability        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   34 for IEEE 802.11 Update WLAN

   Length:   43

   Radio ID:   An 8-bit value representing the radio.

   WLAN ID:   A 16-bit value specifying the WLAN Identifier.

   Encryption Policy:   A 32-bit value specifying the encryption scheme
      to apply to traffic to and from the mobile station.

      The following values are supported:

      0 -  Encrypt WEP 104: All packets to/from the mobile station must
           be encrypted using a standard 104 bit 104-bit WEP.

      1 -  Clear Text: All packets to/from the mobile station do not
           require any additional crypto processing by the WTP.

      2 -  Encrypt WEP 40: All packets to/from the mobile station must
           be encrypted using a standard 40 bit 40-bit WEP.

      3 -  Encrypt WEP 128: All packets to/from the mobile station must
           be encrypted using a standard 128 bit 128-bit WEP.

      4 -  Encrypt AES-CCMP 128: All packets to/from the mobile station
           must be encrypted using 128 bit AES CCMP [7] a 128-bit AES-CCMP [7].

      5 -  Encrypt TKIP-MIC: All packets to/from the mobile station must
           be encrypted using TKIP and authenticated using Michael [17] [16].

      6 -  Encrypt CKIP: All packets to/from the mobile station must be
           encrypted using Cisco TKIP.

   Key:   A 32 byte Session Key 32-byte session key to use with the encryption policy.

   Key-Index:   The Key Index associated with the key.

   Shared Key:   A 1 byte boolean 1-byte Boolean that specifies whether the key
      included in the Key field is a shared WEP key.  A value of zero
      means that the key is not a shared WEP key, while a value of one
      is used to state that the key is a shared WEP key.

   WLAN Capability:   A 16-bit value containing the capabilities to be
      advertised by the WTP within the Probe and Beacon messages.

11.8.2.  IEEE 802.11 WLAN Config Response

   The IEEE 802.11 WLAN Configuration Response is sent by the WTP to the
   AC as an acknowledgement of the receipt of an IEEE 802.11 WLAN
   Configuration Request.

   This LWAPP control message does not include any message elements.

11.8.3.  IEEE 802.11 WTP Event

   The IEEE 802.11 WTP Event LWAPP message is used by the WTP in order
   to report asynchronous events to the AC.  There is no reply message
   expected from the AC, except that the message is acknowledged via the
   reliable transport.

   When the AC receives the IEEE 802.11 WTP Event, it will take whatever
   action is necessary, depending upon the message elements present in
   the message.

   The IEEE 802.11 WTP Event message MUST contain one of the following
   message element elements described in the next subsections.

11.8.3.1.  IEEE 802.11 MIC Countermeasures

   The MIC Countermeasures message element is sent by the WTP to the AC
   to indicate the occurrence of a MIC failure.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Radio ID    |    WLAN ID    |          MAC Address          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          MAC Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   61 for IEEE 802.11 MIC Countermeasures

   Length:   8
   Radio ID:   The Radio Identifier, typically refers to some interface
      index on the WTP.

   WLAN ID:   This 8-bit unsigned integer includes the WLAN Identifier,
      on which the MIC failure occurred.

   MAC Address:   The MAC Address address of the mobile station that caused the
      MIC failure.

11.8.3.2.  IEEE 802.11 WTP Radio Fail Alarm Indication

   The WTP Radio Fail Alarm Indication message element is sent by the
   WTP to the AC when it detects a radio failure.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Radio ID    |     Type      |    Status     |      Pad      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   95 for WTP Radio Fail Alarm Indication

   Length:   4

   Radio ID:   The Radio Identifier, typically refers to some interface
      index on the WTP WTP.

   Type:   The type of radio failure detected.  The following values are
      supported:

      1 -  Receiver

      2 -  Transmitter

   Status:   An 8-bit boolean Boolean indicating whether the radio failure is
      being reported or cleared.  A value of zero is used to clear the
      event, while a value of one is used to report the event.

   Pad:   Reserved field MUST be set to zero (0).

11.9.  Message Element Bindings

   The IEEE 802.11 Message Element binding has the following
   definitions:

                                                Conf  Conf  Conf  Add
                                                Req   Resp  Upd   Mobile

      IEEE 802.11 WTP WLAN Radio Configuration   X     X     X
      IEEE 802.11 Rate Set                             X     X
      IEEE 802.11 Multi-domain Capability        X     X     X
      IEEE 802.11 MAC Operation                  X     X     X
      IEEE 802.11 Tx Power                       X     X     X
      IEEE 802.11 Tx Power Level                 X
      IEEE 802.11 Direct Sequence Control        X     X     X
      IEEE 802.11 OFDM Control                   X     X     X
      IEEE 802.11 Supported Rates                X     X
      IEEE 802.11 Antenna                        X     X     X
      IEEE 802.11 CFP Status                     X           X
      IEEE 802.11 Broadcast Probe Mode                 X     X
      IEEE 802.11 WTP Mode and Type              X?          X
      IEEE 802.11 WTP Quality of Service               X     X
      IEEE 802.11 MIC Error Report From Mobile               X
      IEEE 802.11 Update Mobile QoS                                X
      IEEE 802.11 Mobile Session Key                               X

11.9.1.  IEEE 802.11 WTP WLAN Radio Configuration

   The WTP WLAN radio configuration is used by the AC to configure a
   Radio on the WTP.  The message element value contains the following
   Fields:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |    Reserved   |        Occupancy Limit        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    CFP Per    |      CFP Maximum Duration     |     BSS ID    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            BSS ID                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     BSS ID    |        Beacon Period          |    DTIM Per   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                        Country String                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Num Of BSSIDs |
      +-+-+-+-+-+-+-+-+
   Type:   8 for IEEE 802.11 WTP WLAN Radio Configuration

   Length:   20

   Radio ID:   An 8-bit value representing the radio to configure.

   Reserved:   MUST be set to zero

   Occupancy Limit:   This attribute indicates the maximum amount of
      time, in TU, Time Units (TUs), that a point coordinator MAY control
      the usage of the wireless medium without relinquishing control for
      long enough to allow at least one instance of DCF Distributed
      Coordination Function (DCF) access to the medium.  The default
      value of this attribute SHOULD be 100, and the maximum value
      SHOULD be 1000.

   CFP Period:   The attribute describes the number of DTIM intervals
      between the start of CFPs. Contention-Free Periods (CFPs).

   CFP Maximum Duration:   The attribute describes the maximum duration
      of the CFP in TU that MAY be generated by the PCF. Point Coordination
      Function (PCF).

   BSSID:   The WLAN Radio's base MAC Address. address.  For WTPs that support
      more than a single WLAN, the value of the WLAN Identifier is added
      to the last octet of the BSSID.  Therefore, a WTP that supports 16
      WLANs MUST have 16 MAC Addresses addresses reserved for it, and the last
      nibble is used to represent the WLAN ID.

   Beacon Period:   This attribute specifies the number of TU TUs that a
      station uses for scheduling Beacon transmissions.  This value is
      transmitted in Beacon and Probe Response frames.

   DTIM Period:   This attribute specifies the number of beacon Beacon
      intervals that elapses between transmission of Beacons frames
      containing a TIM element whose DTIM Count field is 0.  This value
      is transmitted in the DTIM Period field of Beacon frames.

   Country Code:   This attribute identifies the country in which the
      station is operating.  The first two octets of this string is the
      two character
      two-character country code as described in document ISO/IEC 3166-
      1.  The third octet MUST be one of the following:

   1. an ASCII space character, if the regulations under which the
      station is operating encompass all environments in the country,

   2. an ASCII 'O' character, if the regulations under which the station
      is operating are for an outdoor environment only, or
   3. an ASCII 'I' character, if the regulations under which the station
      is operating are for an indoor environment only only.

   Number of BSSIDs:   This attribute contains the maximum number of
      BSSIDs supported by the WTP.  This value restricts the number of
      logical networks supported by the WTP.

11.9.2.  IEEE 802.11 Rate Set

   The rate set Rate Set message element value is sent by the AC and contains the
   supported operational rates.  It contains the following fields. fields:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |                   Rate Set                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   16 for IEEE 802.11 Rate Set

   Length:   4

   Radio ID:   An 8-bit value representing the radio to configure.

   Rate Set:   The AC generates the Rate Set that the WTP is to include
      in it's its Beacon and Probe messages.

11.9.3.  IEEE 802.11 Multi-domain Multi-Domain Capability

   The multi-domain capability Multi-Domain Capability message element is used by the AC to
   inform the WTP of regulatory limits.  The value contains the
   following fields. fields:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |    Reserved   |        First Channel #        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |       Number of Channels      |       Max Tx Power Level      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   10 for IEEE 802.11 Multi-Domain Capability

   Length:   8

   Radio ID:   An 8-bit value representing the radio to configure.

   Reserved:   MUST be set to zero
   First Channnel Channel #:   This attribute indicates the value of the lowest
      channel number in the subband for the associated domain country
      string.

   Number of Channels:   This attribute indicates the value of the total
      number of channels allowed in the subband for the associated
      domain country string.

   Max Tx Power Level:   This attribute indicates the maximum transmit
      power, in dBm, allowed in the subband for the associated domain
      country string.

11.9.4.  IEEE 802.11 MAC Operation

   The MAC operation Operation message element is sent by the AC to set the 802.11
   MAC parameters on the WTP.  The value contains the following fields. fields:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |    Reserved   |         RTS Threshold         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Short Retry  |  Long Retry   |    Fragmentation Threshold    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Tx MSDU Lifetime                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Rx MSDU Lifetime                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   11 for IEEE 802.11 MAC Operation

   Length:   16

   Radio ID:   An 8-bit value representing the radio to configure.

   Reserved:   MUST be set to zero

   RTS Threshold:   This attribute indicates the number of octets in an
      MPDU, a
      Management Protocol Data Unit (MPDU), below which an RTS/CTS
      (clear to send) handshake MUST NOT be performed.  An RTS/CTS
      handshake MUST be performed at the beginning of any frame exchange
      sequence where the MPDU is of type Data or Management, the MPDU
      has an individual address in the Address1 field, and the length of
      the MPDU is greater than this threshold.  Setting this attribute
      to be larger than the maximum MSDU MAC Service Data Unit (MSDU) size
      MUST have the effect of turning off the RTS/CTS handshake for
      frames of Data or Management type transmitted by this STA. Station
      (STA).  Setting this attribute to zero MUST have the effect of
      turning on the RTS/CTS handshake for all frames of Data or
      Management type transmitted by this STA.  The default value of
      this attribute MUST be 2347.

   Short Retry:   This attribute indicates the maximum number of
      transmission attempts of a frame, the length of which is less than
      or equal to RTSThreshold, that MUST be made before a failure
      condition is indicated.  The default value of this attribute MUST
      be 7.

   Long Retry:   This attribute indicates the maximum number of
      transmission attempts of a frame, the length of which is greater
      than dot11RTSThreshold, that MUST be made before a failure
      condition is indicated.  The default value of this attribute MUST
      be 4.

   Fragmentation Threshold:   This attribute specifies the current
      maximum size, in octets, of the MPDU that MAY be delivered to the
      PHY.  An MSDU MUST be broken into fragments if its size exceeds
      the value of this attribute after adding MAC headers and trailers.
      An MSDU or MMPDU MAC Management Protocol Data Unit (MMPDU) MUST be
      fragmented when the resulting frame has an individual address in
      the Address1 field, and the length of the frame is larger than
      this threshold.  The default value for this attribute MUST be the
      lesser of 2346 or the aMPDUMaxLength of the attached PHY and MUST
      never exceed the lesser of 2346 or the aMPDUMaxLength of the
      attached PHY.  The value of this attribute MUST never be less than
      256.

   Tx MSDU Lifetime:   This attribute speficies specifies the elapsed time in TU,
      after the initial transmission of an MSDU, after which which, further
      attempts to transmit the MSDU MUST be terminated.  The default
      value of this attribute MUST be 512.

   Rx MSDU Lifetime:   This attribute specifies the elapsed time time, in TU,
      after the initial reception of a fragmented MMPDU or MSDU, after
      which
      which, further attempts to reassemble the MMPDU or MSDU MUST be
      terminated.  The default value MUST be 512.

11.9.5.  IEEE 802.11 Tx Power

   The Tx power Power message element value is bi-directional.  When sent by
   the WTP, it contains the current power level of the radio in
   question.  When sent by the AC, it contains the power level to which
   the WTP MUST adhere to. adhere:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |    Reserved   |        Current Tx Power       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   12 for IEEE 802.11 Tx Power

   Length:   4

   Radio ID:   An 8-bit value representing the radio to configure.

   Reserved:   MUST be set to zero

   Current Tx Power:   This attribute contains the transmit output power
      in mW.

11.9.6.  IEEE 802.11 Tx Power Level

   The Tx power level Power Level message element is sent by the WTP and contains
   the different power levels supported.  The value contains the
   following fields. fields:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |   Num Levels  |        Power Level [n]        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   13 for IEEE 802.11 Tx Power Level

   Length:   >= 4

   Radio ID:   An 8-bit value representing the radio to configure.

   Num Levels:   The number of power level attributes.

   Power Level:   Each power level fields contains a supported power
      level, in mW.

11.9.7.  IEEE 802.11 Direct Sequence Control

   The direct sequence control Direct Sequence Control message element is a bi-directional
   element.  When sent by the WTP, it contains the current state.  When
   sent by the AC, the WTP MUST adhere to the values.  This element is
   only used for 802.11b radios.  The value has the following fields.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |    Reserved   | Current Chan  |  Current CCA  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                    Energy Detect Threshold                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   14 for IEEE 802.11 Direct Sequence Control

   Length:   8

   Radio ID:   An 8-bit value representing the radio to configure.

   Reserved:   MUST be set to zero

   Current Channel:   This attribute contains the current operating
      frequency channel of the DSSS Direct Sequence Spread Spectrum (DSSS)
      PHY.

   Current CCA:   The current CCA Controlled Channel Access (CCA) method in
      operation.  Valid values are:

      1 - energy detect only (edonly)

      2 - carrier sense only (csonly)

      4 - carrier sense and energy detect (edandcs)

      8 - carrier sense with timer (cswithtimer)

      16 - high rate high-rate carrier sense and energy detect (hrcsanded)

   Energy Detect Threshold:   The current Energy Detect Threshold being
      used by the DSSS PHY.

11.9.8.  IEEE 802.11 OFDM Control

   The OFDM control Orthogonal Frequency Division Multiplexing (OFDM) Control message
   element is a bi-directional element.  When sent by the WTP, it
   contains the current state.  When sent by the AC, the WTP MUST adhere
   to the values.  This element is only used for 802.11a radios.  The
   value contains the following fields:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |    Reserved   | Current Chan  |  Band Support |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         TI Threshold                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   15 for IEEE 802.11 OFDM Control

   Length:   8

   Radio ID:   An 8-bit value representing the radio to configure.

   Reserved:   MUST be set to zero

   Current Channel:   This attribute contains the current operating
      frequency channel of the OFDM PHY.

   Band Supported:   The capability of the OFDM PHY implementation to
      operate in the three U-NII bands.  Coded as an integer value of a
      three bit
      3-bit field as follows:

      Bit 0 -  capable of operating in the lower (5.15-5.25 GHz) U-NII
               band

      Bit 1 -  capable of operating in the middle (5.25-5.35 GHz) U-NII
               band

      Bit 2 -  capable of operating in the upper (5.725-5.825 GHz) U-NII
               band

      For example, for an implementation capable of operating in the
      lower and mid bands bands, this attribute would take the value value.

   TI Threshold:   The Threshold threshold being used to detect a busy medium
      (frequency).  CCA MUST report a busy medium upon detecting the
      RSSI above this threshold.

11.9.9.  IEEE 802.11 Antenna

   The antenna Antenna message element is communicated by the WTP to the AC to
   provide information on the antennas available.  The AC MAY use this
   element to reconfigure the WTP's antennas.  The value contains the
   following fields:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |   Diversity   |    Combiner   |  Antenna Cnt  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                    Antenna Selection [0..N]                   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   41 for IEEE 802.11 Antenna

   Length:   >= 8

   Radio ID:   An 8-bit value representing the radio to configure.

   Diversity:   An 8-bit value specifying whether the antenna is to
      provide receive diversity.  The following values are supported:

      0 -  Disabled

      1 -  Enabled (may only be true if the antenna can be used as a
           receive antenna)

   Combiner:   An 8-bit value specifying the combiner selection.  The
      following values are supported:

      1 -  Sectorized (Left)

      2 -  Sectorized (Right)

      3 -  Omni

      4 -  Mimo

   Antenna Count:   An 8-bit value specifying the number of Antenna
      Selection fields.

   Antenna Selection:   One 8-bit antenna configuration value per
      antenna in the WTP.  The following values are supported:

      1 -  Internal Antenna

      2 -  External Antenna

11.9.10.  IEEE 802.11 Supported Rates

   The supported rates Supported Rates message element is sent by the WTP to indicate
   the rates that it supports.  The value contains the following fields. fields:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Radio ID   |                 Supported Rates               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   16 for IEEE 802.11 Supported Rates

   Length:   4

   Radio ID:   An 8-bit value representing the radio.

   Supported Rates:   The WTP includes the Supported Rates that it's its
      hardware supports.  The format is identical to the Rate Set
      message element.

11.9.11.  IEEE 802.11 CFP Status

   The CFP Status message element is sent to provide the CF Polling
   configuration.

       0                   1
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Radio ID    |    Status     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   48 for IEEE 802.11 CFP Status

   Length:   2

   Radio ID:   The Radio Identifier, typically refers to some interface
      index on the WTP WTP.

   Status:   An 8-bit boolean Boolean containing the status of the CF Polling
      feature.  A value of zero disables CFP Status, while a value of
      one enables it.

11.9.12.  IEEE 802.11 WTP Mode and Type

   The WTP Mode and Type message element is used to configure an a WTP to
   operate in a specific mode.

       0                   1
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Mode      |     Type      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Type:   54 for IEEE 802.11 WTP Mode and Type

   Length:   2

   Mode:   An 8-bit value describing the type of information being sent.
      The following values are supported:

      0 -  Split MAC

      2 -  Local MAC

   Type:   The type field is not currently used.

11.9.13.  IEEE 802.11 Broadcast Probe Mode

   The Broadcast Probe Mode message element indicates whether an a WTP will
   respond to NULL SSID probe Probe requests.  Since broadcast NULL
   probes Probes are
   not sent to a specific BSSID, the WTP cannot know which SSID the
   sending station is querying.  Therefore, this behavior must be global
   to the WTP.

       0
       0 1 2 3 4 5 6 7
      +-+-+-+-+-+-+-+-+
      |    Status     |
      +-+-+-+-+-+-+-+-+

   Type:   51 for IEEE 802.11 Broadcast Probe Mode

   Length:   1

   Status:   An 8-bit boolean Boolean indicating the status of whether an a WTP
      shall response respond to a NULL SSID probe Probe request.  A value of zero
      disables the NULL SSID probe Probe response, while a value of one
      enables it.

11.9.14.  IEEE 802.11 WTP Quality of Service

   The WTP Quality of Service message element value is sent by the AC to
   the WTP to communicate quality of service quality-of-service configuration information.

       0                   1
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Radio ID    |  Tag Packets  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   57 for IEEE 802.11 WTP Quality of Service
   Length:   12

   Radio ID:   The Radio Identifier, typically refers to some interface
      index on the WTP WTP.

   Tag Packets:   An   A value indicating whether LWAPP packets should be
      tagged with for QoS purposes.  The following values are currently
      supported:

      0 -  Untagged

      1 -  802.1P

      2 -  DSCP

      Immediately following the above header is the following data
      structure.  This data structure will be repeated five times; times, once
      for every QoS profile.  The order of the QoS profiles are is Uranium,
      Platinum, Gold, Silver Silver, and Bronze.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Queue Depth  |             CWMin             |     CWMax     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     CWMax     |     AIFS      |              CBR              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Dot1P Tag   |   DSCP Tag    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Queue Depth:   The number of packets that can be on the specific QoS
      transmit queue at any given time.

   CWMin:   The Contention Window minimum value for the QoS transmit
      queue.

   CWMax:   The Contention Window maximum value for the QoS transmit
      queue.

   AIFS:   The Arbitration Inter Frame Spacing to use for the QoS
      transmit queue.

   CBR:   The CBR Constant Bit Rate (CBR) value to observe for the QoS
      transmit queue.

   Dot1P Tag:   The 802.1P precedence value to use if packets are to be
      802.1P tagged.

   DSCP Tag:   The DSCP label to use if packets are to be DSCP tagged.

11.9.15.  IEEE 802.11 MIC Error Report From Mobile

   The MIC Error Report From Mobile message element is sent by an AC to
   an
   a WTP when it receives a MIC failure notification, notification via the Error bit
   in the EAPOL-Key EAP over LAN (EAPOL)-Key frame.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Client MAC Address                      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      Client MAC Address       |             BSSID             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             BSSID                             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Radio ID    |    WLAN ID    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:   79 for IEEE 802.11 MIC Error Report From Mobile

   Length:   14

   Client MAC Address:   The Client MAC Address address of the station reporting
      the MIC failure.

   BSSID:   The BSSID on which the MIC failure is being reported.

   Radio ID:   The Radio Identifier, typically refers to some interface
      index on the WTP WTP.

   WLAN ID:   The WLAN ID on which the MIC failure is being reported.

11.10.  IEEE 802.11 Message Element Values

   This section lists IEEE 802.11 specific 802.11-specific values for any generic LWAPP
   message elements which that include fields whose values are technology technology-
   specific.

   IEEE 802.11 uses the following values:

   4 - Encrypt AES-CCMP 128:   WTP supports AES-CCMP, as defined in [7].

   5 - Encrypt TKIP-MIC:   WTP supports TKIP and Michael, as defined in
      [17].
       [16].

12.  LWAPP Protocol Timers

   An

   A WTP or AC that implements LWAPP discovery MUST implement the
   following timers.

12.1.  MaxDiscoveryInterval

   The maximum time allowed between sending discovery requests Discovery Requests from the
   interface, in seconds.  Must be no less than 2 seconds and no greater
   than 180 seconds.

   Default: 20 seconds.

12.2.  SilentInterval

   The minimum time, in seconds, an a WTP MUST wait after failing to
   receive any responses to its discovery requests, Discovery Requests, before it MAY again
   send discovery requests. Discovery Requests.

   Default: 30

12.3.  NeighborDeadInterval

   The minimum time, in seconds, an a WTP MUST wait without having received
   Echo Responses to its Echo Requests, before the destination for the
   Echo Request may be considered dead.  Must be no less than
   2*EchoInterval seconds and no greater than 240 seconds.

   Default: 60

12.4.  EchoInterval

   The minimum time, in seconds, between sending echo requests Echo Requests to the AC
   with which the WTP has joined.

   Default: 30

12.5.  DiscoveryInterval

   The minimum time, in seconds, that an a WTP MUST wait after receiving a
   Discovery Response, before sending a join request. Join Request.

   Default: 5

12.6.  RetransmitInterval

   The minimum time, in seconds, which that a non-acknowledged LWAPP packet
   will be retransmitted.

   Default: 3

12.7.  ResponseTimeout

   The minimum time, in seconds, in which an LWAPP Request message must
   be responded to.

   Default: 1

12.8.  KeyLifetime

   The maximum time, in seconds, which that an LWAPP session key is valid.

   Default: 28800

13.  LWAPP Protocol Variables

   An

   A WTP or AC that implements LWAPP discovery MUST allow for the
   following variables to be configured by system management; default
   values are specified so as to make it unnecessary to configure any of
   these variables in many cases.

13.1.  MaxDiscoveries

   The maximum number of discovery requests Discovery Requests that will be sent after an a
   WTP boots.

   Default: 10

13.2.  DiscoveryCount

   The number of discoveries transmitted by a WTP to a single AC.  This
   is a monotonically increasing counter.

13.3.  RetransmitCount

   The number of retransmissions for a given LWAPP packet.  This is a
   monotonically increasing counter.

13.4.  MaxRetransmit

   The maximum number of retransmissions for a given LWAPP packet before
   the link layer considers the peer dead.

   Default: 5

14.  NAT Considerations

   There are two specific situations where a NAT system may be used in
   conjunction with LWAPP.  The first consists of a configuration where
   the WTP is behind a NAT system.  Given that all communication is
   initiated by the WTP, and all communication is performed over IP
   using a single UDP port, the protocol easily traverses NAT systems in
   this configuration.

   The second configuration is one where the AC sits behind a NAT NAT, and
   there are two main issues that exist in this situation.  First, an AC
   communicates its interfaces, interfaces and associated WTP load on these
   interfaces, through the WTP Manager Control IP Address.  This message
   element is currently mandatory, and if NAT compliance became an
   issue, it would be possible to either:

   1. Make make the WTP Manager Control IP Address optional, allowing the WTP
      to simply use the known IP Address. address.  However, note that this
      approach would eliminate the ability to perform load balancing of
      WTP across ACs, and therefore is not the recommended approach.

   2. Allow allow an AC to be able to configure a NAT'ed address for every
      associated AC that would generally be communicated in the WTP
      Manager Control IP Address message element.

   3. Require require that if a WTP determines that the AC List message element
      consists of a set of IP Addresses addresses that are different from the AC's
      IP Address address it is currently communicating with, then assume that
      NAT is being enforced, and require that the WTP communicate with
      the original AC's IP Address address (and ignore the WTP Manager Control
      IP Address message element(s)).

   Another issue related to having an AC behind a NAT system is LWAPP's
   support for the CAPWAP Objective to allow the control and data plane
   to be separated.  In order to support this requirement, the LWAPP
   protocol defines the WTP Manager Data IP Address message element,
   which allows the AC to inform the WTP that the LWAPP data frames are
   to be forwarded to a separate IP Address. address.  This feature MUST be
   disabled when an AC is behind a NAT.  However, there is no easy way
   to provide some default mechanism that satisfies both the data/
   control separation and NAT objectives, as they directly conflict with
   each other.  As a consequence, user intervention will be required to
   support such networks.

   LWAPP has a feature that allows for all of the ACs AC's identities
   supporting a group of WTPs to be communicated through the AC List
   message element.  This feature must be disabled when the AC is behind
   a NAT and the IP Address address that is embedded would be invalid.

   The LWAPP protocol has a feature that allows an AC to configure a
   static IP address on a WTP.  The WTP Static IP Address Information
   message element provides such a function, however function; however, this feature
   SHOULD NOT be used in NAT'ed environments, unless the administrator
   is familiar with the internal IP addressing scheme within the WTP's
   private network, and does not rely on the public address seen by the
   AC.

   When a WTP detects the duplicate address condition, it generates a
   message to the AC, which includes the Duplicate IP Address message
   element.  Once again, it is important to note that the IP Address address
   embedded within this message element would be different from the
   public IP address seen by the AC.

15.  Security Considerations

   LWAPP uses either an authenticated key exchange or key agreement
   mechanism to ensure peer authenticity and establish fresh session
   keys to protect the LWAPP communications.

   The LWAPP protocol defines a join phase, which allows a WTP to bind a
   session with an AC.  During this process, a session key is mutually
   derived, and secured either through an X.509 certificate or a pre-
   shared key.  The resulting key exchange generates an encryption
   session key, which is used to encrypt the LWAPP control packets, and
   a key derivation key.

   During the established secure communication, the WTP and AC may rekey
   using the key update process, which is identical to the join phase,
   meaning the session keys are mutually derived.  However, the exchange
   described for pre-shared session keys is always used for the key
   update, with the pre-shared key set to the derivation key created
   either during the join, or the last key update if one has occurred.
   The key update results in a new derivation key, which is used in the
   next key update, as well as an encryption session key to encrypt the
   LWAPP control packets.

   Replay protection of the Join Request is handled through an exchange
   of Nonces nonces during the Join join (or key update) phase.  The Join Request
   includes an XNonce, which is included in the AC's authenticated Join
   Replys
   Reply's encrypted ANonce message element, allowing for the two
   messages to be bound.  Upon receipt of the Join Reply, the WTP
   generates the WNonce, and generates a set of session keys using a KDF
   function.  One of these keys is used to MIC the Join ACK.  The AC
   responds with a Join Confirm, which must also include a MIC, and
   therefore be capable of deriving the same set of session keys.

   In both the X.509 certificate and pre-shared key modes, an
   initialization vector is created through the above mentioned KDF
   function.  The IV and the KDF created encryption key are used to
   encrypt the LWAPP control frames.

   Given that authentication in the Join exchange does not occur until
   the WTP transmits the Join ACK message, it is crucial that an AC not
   delete any state for a WTP it is service servicing until an authentication
   Join ACK has been received.  Otherwise, a potential Denial of Service Denial-of-Service
   attack exists, whereby sending a spoofed Join Request for a valid WTP
   would cause the AC to reset the WTP's connection.

   It is important to note that Perfect Forward Secrecy is not a
   requirement for the LWAPP protocol.

   Note that the LWAPP protocol does not add any new vulnerabilities to
   802.11 infrastructure that makes use of WEP for encryption purposes.
   However, implementors SHOULD discourage the use of WEP to allow the
   market to move towards technically sound cryptographic solutions,
   such as 802.11i.

15.1.  Certificate based  Certificate-Based Session Key establishment Establishment

   LWAPP uses public key cryptography to ensure trust between the WTP
   and the AC.  One question that periodically arises is why the Join
   Request is not signed.  Signing this request would not be optimal for
   the following reasons:

   1. The Join Request is replayable, so a signature doesn't provide
      much protection unless the switches keep track of all previous
      Join Requests from a given WTP.

   2. Replay detection is handled during the Join Reply and Join ACK
      messages.

   3. A signed Join Request provides a potential Denial of Service Denial-of-Service
      attack on the AC, which would have to authenticate each
      (potentially malicious) message.

   The WTP-Certificate that is included in the Join Request MUST be
   validated by the AC.  It is also good practice that the AC perform
   some form of authorization, ensuring that the WTP in question is
   allowed to establish an LWAPP session with it.

15.2.  PSK based  PSK-Based Session Key establishment Establishment

   Use of a fixed shared secret of limited entropy (for example, a PSK
   that is relatively short, or was chosen by a human and thus may
   contain less entropy than its length would imply) may allow an
   attacker to perform a brute-force or dictionary attack to recover the
   secret.

   It is RECOMMENDED that implementations that allow the administrator
   to manually configure the PSK also provide a functionality for
   generating a new random PSK, taking RFC 1750 [4] into account.

   Since the key generation does not expose the nonces in plaintext,
   there are no practical passive attacks possible.

16.  IANA Considerations

   This document requires no action by IANA.

17.  Acknowledgements

   The authors wish to thank Michael Vakulenko for contributing text
   that describes how LWAPP can be used over a layer Layer 3 (IP) network.

   The authors would also like to thanks Russ Housley and Charles Clancy
   for their assistance in provide providing a security review of the LWAPP
   specification.  Charles' review can be found at [12].

18.  IPR Statement

   The IETF has been notified of intellectual property rights claimed in
   regard to some or all of the specification contained in this
   document.  For more information consult the online list of claimed
   rights.

   Please refer to http://www.ietf.org/ietf/IPR for more information.

19. [12].

17.  References

19.1.

17.1.  Normative References

   [1]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", BCP 14, RFC 2119, March 1997.

   [2]   National Institute of Standards and Technology, "Advanced
         Encryption Standard (AES)", FIPS PUB 197, November 2001,
         <http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf>.

   [3]   Whiting, D., Housley, R., and N. Ferguson, "Counter with CBC-
         MAC (CCM)", RFC 3610, September 2003.

   [4]   Eastlake, D., Crocker, S., and J. 3rd, Schiller, J., and S. Crocker, "Randomness
         Recommendations
         Requirements for Security", BCP 106, RFC 1750, December 1994. 4086, June 2005.

   [5]   Manner, J. J., Ed., and M. Kojo, Ed., "Mobility Related
         Terminology", RFC 3753, June 2004.

   [6]   "Information technology - Telecommunications and information
         exchange between systems - Local and metropolitan area networks
         - Specific requirements - Part 11: Wireless LAN Medium Access
         Control (MAC) and Physical Layer (PHY) specifications", IEEE
         Standard 802.11, 1999,
         <http://standards.ieee.org/getieee802/download/
         802.11-1999.pdf>. 2007,
         <http://standards.ieee.org/getieee802/download/802.11-
         2007.pdf>.

   [7]   "Information technology - Telecommunications and information
         exchange between systems - Local and metropolitan area networks
         - Specific requirements - Part 11: Wireless LAN Medium Access
         Control (MAC) and Physical Layer (PHY) specifications Amendment
         6: Medium Access Control (MAC) Security Enhancements", IEEE
         Standard 802.11i, July 2004, <http://standards.ieee.org/
         getieee802/download/802.11i-2004.pdf>.
         <http://standards.ieee.org/getieee802/download/802.11i-
         2004.pdf>.

   [8]   Clark, D., "IP datagram reassembly algorithms", RFC 815, July
         1982.

   [9]   Schaad, J. and R. Housley, "Advanced Encryption Standard (AES)
         Key Wrap Algorithm", RFC 3394, September 2002.

   [10]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley,
         R., Polk, W., Ford, W., and D. Solo, W. Polk, "Internet X.509 Public Key Infrastructure
         Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.
         5280, May 2008.

   [11]  "Netscape Certificate Extensions Specification",
         <http://wp.netscape.com/eng/security/comm4-cert-exts.html>.

   [12]  Clancy, C., "Security Review of the Light Weight Light-Weight Access Point
         Protocol", May 2005,
         <http://www.cs.umd.edu/~clancy/docs/lwapp-review.pdf>.

19.2.

17.2.  Informational References

   [13]  Reynolds, J., Ed., "Assigned Numbers: RFC 1700 is Replaced by
         an On-
         line On-line Database", RFC 3232, January 2002.

   [14]  Bradner, S., "The Internet Standards Process -- Revision 3",
         BCP 9, RFC 2026, October 1996.

   [15]   Kent, S. and R. Atkinson, K. Seo, "Security Architecture for the Internet
         Protocol", RFC 2401, November 1998.

   [16] 4301, December 2005.

   [15]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
         for Message Authentication", RFC 2104, February 1997.

   [17]

   [16]  "WiFi Protected Access (WPA) rev 1.6", April 2003.

Authors' Addresses

   Pat R. Calhoun
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA  95134
   Phone: +1 408-853-5269
   Email:
   EMail: pcalhoun@cisco.com

   Bob O'Hara
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA  95134

   Phone: +1 408-853-5513
   Email: bob.ohara@cisco.com

   Rohit Suri
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA  95134
   Phone: +1 408-853-5548
   Email:
   EMail: rsuri@cisco.com

   Nancy
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA  95134
   Phone: +1 408-853-0532
   Email:
   EMail: ncamwing@cisco.com

   Scott Kelly
   Facetime Communications
   1159 Triton Dr
   Foster City, CA  94404
   Phone: +1 650 572-5846
   Email:
   EMail: scott@hyperthought.com

   Michael Glenn Williams
   Nokia, Inc.
   313 Fairchild Drive
   Mountain View, CA  94043
   Phone: +1 650-714-7758
   Email:
   EMail: Michael.G.Williams@Nokia.com

   Sue Hares
   Nexthop Technologies, Inc.
   Green Hills Software
   825 Victors Way, Suite 100
   Ann Arbor, MI  48108
   Phone: +1 734 222 1610
   Email: shares@nexthop.com
   EMail: shares@ndzh.com

   Bob O'Hara
   EMail: bob.ohara@computer.org

Full Copyright Statement

   Copyright (C) The IETF Trust (2007). (2009).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, 78 and at http://www.rfc-editor.org/copyright.html,
   and except as set forth therein, the authors retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).