Virtual Access Points

1
Virtual Access Points

• http//www.drizzle.com/aboba/IEEE/virtual-APs.ppt
  
• Bernard Aboba
• Microsoft
• WFA Public Access Group
• June 4, 2003

2
Outline

• Goals and Objectives
• Challenges for Public Access WLAN
• What is a Virtual Access Point?
• What Is Required for a Virtual Access Point?
• Recommendations

3
Goals and Objectives

• To describe problems commonly encountered in
  Public Access WLAN
• To describe how Virtual Access Points can
  address these problems
• To describe the pros and cons of mechanisms used
  to implement Virtual APs today
• To recommend a single industry-standard mechanism
  for adoption by WFA

4
Challenges for Public Access WLAN

• Minimizing channel conflicts
• In some locations (e.g. airports) multiple
  networks are becoming the norm.
• Airlines are installing 802.11 networks for use
  in baggage reconciliation and roving ticket
  counters
• Multiple wireless ISPs often also want to serve
  airport customers
• Radio interference is an issue
• In the US and Europe 802.11b networks can support
  only 3 non-overlapping channels
• In France and Japan only one channel is available
• Once the channels are utilized by existing APs,
  additional APs will interfere and reduce
  performance
• Minimizing capital expenditures
• In this economic environment, raising capital is
  difficult
• Undesirable to build out multiple networks in the
  same location - why not build one network and
  share it?
• Attaining high utilization of deployed Access
  Points
• Profitability enhanced by filling in periods of
  low usage on the diurnal curve
• Implies a need to serve many different types of
  customers business, consumers, etc.
• Minimizing support costs
• Desirable to support a wide variety of clients
  without having to preconfigure them

5
Wouldnt It Be Great If

• A single network could be shared by multiple
  providers?
• Each provider could retain the flexibility to
  announce their own SSID, and select the services
  they wish to provide (rates, security mechanisms,
  etc.)?
• Each provider could manage their own users
  without interfering with other providers?
• Customers could discover any of the offered
  networks without needing to preconfigure their
  stations?
• These are the benefits that Virtual Access Points
  provide!

6
What is a Virtual Access Point?

• A Virtual Access Point is a logical entity that
  exists within a physical Access Point (AP).
• Each Virtual AP appears to stations (STAs) to be
  an independent physical AP.
• Virtual APs emulate the operation of physical APs
  at the MAC layer.
• Virtual APs provide partial emulation of the IP
  and Application Layer behavior of physical APs.
• Emulating the operation of a physical AP at the
  radio frequency layer is typically not possible
  unless multiple radios are available.

7
Is It Virtual Or Is It Real?Only Your Radio
Knows For Sure!
Physical APs
Channel 6
Channel 6
SSID Foo BSSID A Rates 5.5,11 Security WPA
SSID Bar BSSID B Rates 1,2,5.5,11 Security
Open
Beacon/Probe Response
AP A
AP B
STA
Virtual APs
Channel 6
SSID Foo BSSID A Rates 5.5,11 Security WPA
SSID Bar BSSID B Rates 1,2,5.5,11 Security
Open
AP A
8
Virtual AP Scenarios

• Airports
• Same infrastructure shared by airlines, FAA and
  wireless ISPs
• Separate VLANs for each provider (for traffic
  isolation)
• Support for different security schemes
• WISPs may support both Web Portal and WPA
• Airline may support WPA only
• FAA may want IEEE 802.11i only
• Hot Spots
• Multiple wireless ISPs sharing infrastructure
  provided by a wholesaler
• Support for different security schemes
• WISPs may support both Web Portal and WPA
• Separate VLANs for each WISP
• User authenticates to their home authentication
  server

9
What Is Required for a Virtual AP?

• Multiple SSIDs.
• Support for multiple SSID advertisement by APs
• Support for STA discovery for advertised SSIDs.
• Multiple capability advertisements.
• Each Virtual AP can advertise its own set of
  capabilities.
• Pre-authentication routing.
• Determination of the target SSID prior to
  Association (for routing of pre-authentication
  traffic).
• Multiple VLANs.
• Allow a unique VLAN (and unique default key) to
  be assigned to each Virtual AP.
• Multiple RADIUS configurations.
• Multiple RADIUS configurations, one for each
  virtual AP.
• Multiple virtual SNMP MIBs.
• A virtual MIB instance per Virtual AP.

10
The State of Virtual APs Today

• IEEE 802.11-1999 does not provide guidance on
  required MAC-layer behavior of Virtual APs
• Result
• Multiple approaches taken by AP vendors
• Different assumptions made by NIC vendors
• Interoperability, reliability problems abound
• Need for a single, industry-wide solution
• WFA can help by providing guidance

11
How Are Multiple SSIDs Implemented?

• Multiple SSIDs/Beacon, Single Beacon, Single
  BSSID.
• AP uses a single BSSID, and sends a single
  Beacon.
• AP includes multiple SSID Information Elements
  (IEs) within the Beacon or Probe Response, with
  the Beacon interval remaining unchanged.
• Pros
• Not explicitly prohibited by IEEE 802.11-1999
• Allows discovery of multiple SSIDs
• Cons
• Incompatible with many existing stations
• Cant support different capability sets for each
  SSID
• Cant support multiple capability sets within an
  SSID
• Doesnt support pre-authentication routing
• Summary
• Dont do this - wont work reliably!

12
How Are Multiple SSIDs Implemented? (Contd)

• Single SSID/Beacon, Multiple Beacons, Single
  BSSID.
• AP only uses a single BSSID, but sends multiple
  Beacons, each with a single SSID IE.
• AP responds to Probe Requests for supported SSIDs
  (including a Request for the broadcast SSID) with
  a Probe Response including the capabilities
  corresponding to each SSID.
• Pros
• Can support different capability sets for each
  SSID
• Allows discovery of multiple SSIDs
• Cons
• Some existing drivers will over-write previous
  advertisement with the new one
• Cant support multiple capability sets within an
  SSID
• Doesnt support pre-authentication routing
• Summary
• Dont do this - wont work reliably!

13
How Are Multiple SSIDs Implemented? (Contd)

• Single SSID/Beacon, Single Beacon, Single BSSID.
• AP only uses a single BSSID and sends a single
  Beacon.
• Each Beacon or Probe Response contains only one
  SSID IE.
• Only the capabilities corresponding to the
  primary SSID are sent in the Beacon and in
  response to a Probe Request for the broadcast
  SSID.
• AP responds to Probe Requests for secondary
  SSIDs with a Probe Response including the
  capabilities corresponding to that SSID.
• Pros
• Compatible with existing stations
• Can support different capability sets for each
  SSID
• Cons
• Doesnt allow discovery of secondary SSIDs
  requires pre-configuration
• Cant support multiple capability sets within an
  SSID
• Doesnt support pre-authentication routing
• Summary
• Can work, but not a satisfactory long-term
  solution

14
How Are Multiple SSIDs Implemented? (Contd)

• Single SSID/Beacon, Multiple Beacons, Multiple
  BSSIDs.
• AP uses multiple BSSIDs.
• Each Beacon or Probe Response contains only a
  single SSID IE.
• AP sends Beacons for each Virtual AP that it
  supports at the standard Beacon interval, using a
  unique BSSID for each one.
• AP responds to Probe Requests for supported
  BSSIDs (including a Request for the broadcast
  SSID) with a Probe Response including the
  capabilities corresponding to each BSSID.
• Pros
• Compatible with existing stations
• Can support different capability sets for each
  SSID
• Can support multiple capability sets within an
  SSID
• Allows discovery of multiple SSIDs
• Supports pre-authentication routing
• Cons
• Not supported by some existing APs
• Summary
• Offers the best mix of compatibility and
  flexibility
• The best long-term solution

15
Virtual APs and Pre-Authentication Routing

• Selected SSID not known prior to
  Association/Reassociation
• If multiple Virtual APs exist how does the AP
  know how to route pre-authentication traffic?
• NAI RFC2486 might not be sufficient
• AP needs to know the SSID user wishes to
  Associate with
• Solution
• Unique BSSID per Virtual AP
• AP includes SSID in Access-Request, based on
  target BSSID
• AAA proxy routes traffic based on SSID, NAI

16
SNMP Support in Virtual APs

• Multiple providers may want to access to MIB
  information
• Diagnostic information in IEEE 802.1X MIB
• Accounting information in IEEE 802.1X MIB
• Deployed approaches
• Multiple IP addresses one for each virtual
  MIB
• SNMP proxy
• Individual providers query the proxy
• SNMP approaches RFC2975
• Domain as index
• Domain used as in index with tables
• Can be supported in any version of SNMP
• Requires support within the MIB not supported
  in 802.11 or 802.1X MIBs
• Contexts
• Enables maintenance of separate virtual tables
  for each context
• SNMPv3 contextName used to distinguish virtual
  instances
• Requires SNMPv3 support
• Requires support within the SNMPv3 agent
• Recommended approach for support of virtual
  tables per ESSID

17
Summary

• Support for Virtual APs is important to the
  long-term future of Public WLAN access
• Vendor community is adopting multiple,
  incompatible mechanisms for support of Virtual
  APs
• Several of these solutions cannot work reliably!
• Result customer pain, industry confusion
• Multiple BSSID approach offers best mix of
  compatibility and flexibility
• Recommendation WFA needs to provide guidelines
  on how to implement Virtual APs.

18
Feedback?