Management Frame Protection (MFP)



802.11w: Management Frame Protection (MFP)


Wi-Fi is a broadcast medium, so any device within range can eavesdrop and participate, whether as a legitimate or a rogue device. Management frames such as authentication, deauthentication, association, disassociation, beacons, and probes are used by wireless clients to initiate and tear down sessions for network services. Unlike data traffic, which can be encrypted to provide a level of confidentiality, these frames must be heard and understood by all clients and therefore have traditionally been transmitted open, that is, unencrypted and unauthenticated.

The 802.11w amendment applies only to a set of robust management frames that are protected by the Protected Management Frames (PMF) service.
These include:
  • Disassociation
  • Deauthentication
  • Robust Action frames, such as:
    ◦ Block ACK Request/Response (AddBA), QoS Admission Control, Radio Measurement, Spectrum Management, Fast BSS Transition
  • Channel Switch Announcement directed to a client (unicast)

Management frames that must be exchanged before the AP and client have derived transmission keys via the 4-way handshake cannot be protected and remain unencrypted:
  • Beacons
  • Probes
  • Authentication
  • Association
  • Delivery Traffic Indication Message (DTIM)
  • Channel Switch Announcement sent as broadcast

Monitoring & Troubleshooting 802.11w


When 802.11w MFP is enabled within a BSS, the MFP flags are advertised in the RSN Capabilities field of the RSN information element carried in the AP's beacon and probe response frames.



Management frame protection can operate in one of two modes:
  • Management frame protection capable
    ◦ only the Management Frame Protection Capable (MFPC) flag is set; 802.11w-capable clients negotiate protection, while clients without 802.11w support can still associate unprotected.
  • Management frame protection required
    ◦ the Management Frame Protection Required (MFPR) flag is also set; clients that do not support 802.11w are refused association.
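To make the two flags concrete for troubleshooting, here is an added Python example (not code from the original post) that parses an RSN element body as an AP would advertise it in a beacon or probe response and reports whether MFP is disabled, capable or required; the suite-name tables and the hand-built sample bodies are assumptions for the example, and it also flags the MFPR-without-MFPC combination, which the standard does not allow an AP to advertise.

```python
import struct

# Added example, not the blog's own code: decode the RSN element an AP advertises
# in beacons/probe responses and classify its 802.11w MFP mode. Body layout
# (element ID 48 and length byte already stripped): version(2) | group cipher(4)
# | pairwise count(2)+suites(4 each) | AKM count(2)+suites(4 each)
# | RSN capabilities(2) | PMKID count(2)+PMKIDs(16 each) | group mgmt cipher(4)
OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selector OUI
CIPHERS = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}
MFPR = 1 << 6  # RSN Capabilities bit 6: Management Frame Protection Required
MFPC = 1 << 7  # RSN Capabilities bit 7: Management Frame Protection Capable
MODES = {0: "disabled", MFPC: "capable", MFPC | MFPR: "required"}  # MFPR alone is illegal

def build_rsn_ie(caps, group_mgmt=None):
    """Construct a sample RSN body: CCMP group/pairwise, PSK AKM, given capabilities."""
    body = struct.pack("<H", 1) + OUI + b"\x04"   # version 1, group cipher CCMP
    body += struct.pack("<H", 1) + OUI + b"\x04"  # one pairwise cipher: CCMP
    body += struct.pack("<H", 1) + OUI + b"\x02"  # one AKM: PSK
    body += struct.pack("<H", caps)               # RSN capabilities field
    if group_mgmt is not None:                    # only advertised when MFP is on
        body += struct.pack("<H", 0) + OUI + bytes([group_mgmt])  # 0 PMKIDs, BIP suite
    return body

def _u16(body, off):
    return struct.unpack_from("<H", body, off)[0]

def _suite(body, off, table):
    oui, typ = body[off:off + 3], body[off + 3]
    return table.get(typ, "type-%d" % typ) if oui == OUI else "vendor-" + oui.hex()

def _suite_list(body, off, table):
    n = _u16(body, off)
    return [_suite(body, off + 2 + 4 * i, table) for i in range(n)], off + 2 + 4 * n

def parse_rsn_ie(body):
    """Decode an RSN element body and classify the advertised MFP mode."""
    if _u16(body, 0) != 1:
        raise ValueError("unsupported RSN version")
    info = {"group": _suite(body, 2, CIPHERS), "group_mgmt_cipher": None}
    info["pairwise"], off = _suite_list(body, 6, CIPHERS)
    info["akm"], off = _suite_list(body, off, AKMS)
    caps = _u16(body, off) if off + 2 <= len(body) else 0  # capabilities are optional
    off += 2
    if off + 2 <= len(body):                      # optional PMKID list, then BIP suite
        off += 2 + 16 * _u16(body, off)
        if off + 4 <= len(body):
            info["group_mgmt_cipher"] = _suite(body, off, CIPHERS)
    info["mfpc"], info["mfpr"] = bool(caps & MFPC), bool(caps & MFPR)
    info["mfp"] = MODES.get(caps & (MFPC | MFPR), "invalid")
    return info
```

A capture tool shows the same two bits in the RSN Capabilities field of a beacon; an AP that reports "capable" still lets non-802.11w clients associate unprotected, so "required" is the setting to look for when the goal is to defeat spoofed deauthentication and disassociation.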

Once MFP has been negotiated, the protected management frames exchanged in either direction between the client and the AP carry additional encryption fields.


Below is an example of a disassociation frame sent from a client to the AP:

Note the CCMP parameters and Data elements in the frame: the CCMP parameters indicate that the frame body (the Data elements) is encrypted.
When the AP receives the frame, it decrypts it with the pairwise keys established during the 4-way handshake that followed association and checks the integrity value, which validates that the frame genuinely came from the client rather than from a device spoofing its address.
