June 2003

doc.: IEEE 802.11-01/TBD

Virtual Access Points

http://www.drizzle.com/~aboba/IEEE/virtual-APs.ppt Bernard Aboba Microsoft WFA Public Access Group June 4, 2003
Submission Bernard Aboba/Microsoft

June 2003

doc.: IEEE 802.11-01/TBD

Outline
Goals and Objectives Challenges for Public Access WLAN What is a Virtual Access Point? What Is Required for a Virtual Access Point? Recommendations

Submission

Bernard Aboba/Microsoft

June 2003

doc.: IEEE 802.11-01/TBD

Goals and Objectives

To describe problems commonly encountered in Public Access WLAN To describe how Virtual Access Points can address these problems To describe the pros and cons of mechanisms used to implement Virtual APs today To recommend a single industry-standard mechanism for adoption by WFA

Submission

Bernard Aboba/Microsoft

June 2003

doc.: IEEE 802.11-01/TBD

Challenges for Public Access WLAN

Minimizing channel conflicts
In some locations (e.g. airports) multiple networks are becoming the norm.
Airlines are installing 802.11 networks for use in baggage reconciliation and roving ticket counters Multiple wireless ISPs often also want to serve airport customers

Radio interference is an issue

In the US and Europe 802.11b networks can support only 3 non-overlapping channels In France and Japan only one channel is available Once the channels are utilized by existing APs, additional APs will interfere and reduce performance

Minimizing capital expenditures

In this economic environment, raising capital is difficult Undesirable to build out multiple networks in the same location - why not build one network and share it?

Attaining high utilization of deployed Access Points

Profitability enhanced by filling in periods of low usage on the diurnal curve Implies a need to serve many different types of customers: business, consumers, etc.

Minimizing support costs

Desirable to support a wide variety of clients without having to preconfigure them
Submission Bernard Aboba/Microsoft

June 2003

doc.: IEEE 802.11-01/TBD

Wouldnt It Be Great If
A single network could be shared by multiple providers? Each provider could retain the flexibility to announce their own SSID, and select the services they wish to provide (rates, security mechanisms, etc.)? Each provider could manage their own users without interfering with other providers? Customers could discover any of the offered networks without needing to preconfigure their stations? These are the benefits that Virtual Access Points provide!

Submission

Bernard Aboba/Microsoft

June 2003

doc.: IEEE 802.11-01/TBD

What is a Virtual Access Point?

A Virtual Access Point is a logical entity that exists within a physical Access Point (AP). Each Virtual AP appears to stations (STAs) to be an independent physical AP.
Virtual APs emulate the operation of physical APs at the MAC layer. Virtual APs provide partial emulation of the IP and Application Layer behavior of physical APs. Emulating the operation of a physical AP at the radio frequency layer is typically not possible unless multiple radios are available.

Submission

Bernard Aboba/Microsoft

June 2003

doc.: IEEE 802.11-01/TBD

Is It Virtual Or Is It Real? Only Your Radio Knows For Sure!

Physical APs
Beacon/Probe SSID: Bar Response BSSID: B Rates: 1,2,5.5,11 Security: Open

Channel 6

Channel 6

SSID: Foo BSSID: A Rates: 5.5,11 Security: WPA

AP B

STA

AP A

Virtual APs
SSID: Bar BSSID: B Rates: 1,2,5.5,11 Security: Open

Channel 6

SSID: Foo BSSID: A Rates: 5.5,11 Security: WPA

AP A
Submission Bernard Aboba/Microsoft

June 2003

doc.: IEEE 802.11-01/TBD

Virtual AP Scenarios
Airports
Same infrastructure shared by airlines, FAA and wireless ISPs Separate VLANs for each provider (for traffic isolation) Support for different security schemes
WISPs may support both Web Portal and WPA Airline may support WPA only FAA may want IEEE 802.11i only

Hot Spots
Multiple wireless ISPs sharing infrastructure provided by a wholesaler Support for different security schemes
WISPs may support both Web Portal and WPA

Separate VLANs for each WISP User authenticates to their home authentication server

Submission

Bernard Aboba/Microsoft

June 2003

doc.: IEEE 802.11-01/TBD

What Is Required for a Virtual AP?

Multiple SSIDs.
Support for multiple SSID advertisement by APs Support for STA discovery for advertised SSIDs.

Multiple capability advertisements.

Each Virtual AP can advertise its own set of capabilities.

Pre-authentication routing.
Determination of the target SSID prior to Association (for routing of pre-authentication traffic).

Multiple VLANs.
Allow a unique VLAN (and unique default key) to be assigned to each Virtual AP.

Multiple RADIUS configurations.

Multiple RADIUS configurations, one for each virtual AP.

Multiple virtual SNMP MIBs.

A virtual MIB instance per Virtual AP.
Submission Bernard Aboba/Microsoft

June 2003

doc.: IEEE 802.11-01/TBD

The State of Virtual APs Today

IEEE 802.11-1999 does not provide guidance on required MAC-layer behavior of Virtual APs Result
Multiple approaches taken by AP vendors Different assumptions made by NIC vendors Interoperability, reliability problems abound

Need for a single, industry-wide solution WFA can help by providing guidance

Submission

Bernard Aboba/Microsoft

June 2003

doc.: IEEE 802.11-01/TBD

How Are Multiple SSIDs Implemented?

Multiple SSIDs/Beacon, Single Beacon, Single BSSID.
AP uses a single BSSID, and sends a single Beacon. AP includes multiple SSID Information Elements (IEs) within the Beacon or Probe Response, with the Beacon interval remaining unchanged. Pros
Not explicitly prohibited by IEEE 802.11-1999 Allows discovery of multiple SSIDs Incompatible with many existing stations Cant support different capability sets for each SSID Cant support multiple capability sets within an SSID Doesnt support pre-authentication routing

Cons

Summary
Dont do this - wont work reliably!
Bernard Aboba/Microsoft

Submission

June 2003

doc.: IEEE 802.11-01/TBD

How Are Multiple SSIDs Implemented? (Contd)

Single SSID/Beacon, Multiple Beacons, Single BSSID.
AP only uses a single BSSID, but sends multiple Beacons, each with a single SSID IE. AP responds to Probe Requests for supported SSIDs (including a Request for the broadcast SSID) with a Probe Response including the capabilities corresponding to each SSID.

Pros

Can support different capability sets for each SSID Allows discovery of multiple SSIDs
Some existing drivers will over-write previous advertisement with the new one Cant support multiple capability sets within an SSID Doesnt support pre-authentication routing Dont do this - wont work reliably!
Bernard Aboba/Microsoft

Cons

Summary

Submission

June 2003

doc.: IEEE 802.11-01/TBD

How Are Multiple SSIDs Implemented? (Contd)

Single SSID/Beacon, Single Beacon, Single BSSID.
AP only uses a single BSSID and sends a single Beacon. Each Beacon or Probe Response contains only one SSID IE. Only the capabilities corresponding to the primary SSID are sent in the Beacon and in response to a Probe Request for the broadcast SSID. AP responds to Probe Requests for secondary SSIDs with a Probe Response including the capabilities corresponding to that SSID. Compatible with existing stations Can support different capability sets for each SSID Doesnt allow discovery of secondary SSIDs requires preconfiguration Cant support multiple capability sets within an SSID Doesnt support pre-authentication routing Can work, but not a satisfactory long-term solution
Bernard Aboba/Microsoft

Pros

Cons

Summary

Submission

June 2003

doc.: IEEE 802.11-01/TBD

How Are Multiple SSIDs Implemented? (Contd)

Single SSID/Beacon, Multiple Beacons, Multiple BSSIDs.
AP uses multiple BSSIDs. Each Beacon or Probe Response contains only a single SSID IE. AP sends Beacons for each Virtual AP that it supports at the standard Beacon interval, using a unique BSSID for each one. AP responds to Probe Requests for supported BSSIDs (including a Request for the broadcast SSID) with a Probe Response including the capabilities corresponding to each BSSID. Compatible with existing stations Can support different capability sets for each SSID Can support multiple capability sets within an SSID Allows discovery of multiple SSIDs Supports pre-authentication routing Not supported by some existing APs Offers the best mix of compatibility and flexibility The best long-term solution
Bernard Aboba/Microsoft

Pros

Cons

Summary

Submission

June 2003

doc.: IEEE 802.11-01/TBD

Virtual APs and Pre-Authentication Routing

Selected SSID not known prior to Association/Reassociation If multiple Virtual APs exist how does the AP know how to route pre-authentication traffic?
NAI [RFC2486] might not be sufficient AP needs to know the SSID user wishes to Associate with

Solution
Unique BSSID per Virtual AP AP includes SSID in Access-Request, based on target BSSID AAA proxy routes traffic based on SSID, NAI

Submission

Bernard Aboba/Microsoft

June 2003

doc.: IEEE 802.11-01/TBD

SNMP Support in Virtual APs

Multiple providers may want to access to MIB information
Diagnostic information in IEEE 802.1X MIB Accounting information in IEEE 802.1X MIB

Deployed approaches
Multiple IP addresses one for each virtual MIB SNMP proxy
Individual providers query the proxy

SNMP approaches [RFC2975]

Domain as index
Domain used as in index with tables Can be supported in any version of SNMP Requires support within the MIB not supported in 802.11 or 802.1X MIBs

Contexts
Enables maintenance of separate virtual tables for each context SNMPv3 contextName used to distinguish virtual instances Requires SNMPv3 support Requires support within the SNMPv3 agent Recommended approach for support of virtual tables per ESSID

Submission

Bernard Aboba/Microsoft

June 2003

doc.: IEEE 802.11-01/TBD

Summary
Support for Virtual APs is important to the long-term future of Public WLAN access Vendor community is adopting multiple, incompatible mechanisms for support of Virtual APs Several of these solutions cannot work reliably!
Result: customer pain, industry confusion

Multiple BSSID approach offers best mix of compatibility and flexibility Recommendation: WFA needs to provide guidelines on how to implement Virtual APs.

Submission

Bernard Aboba/Microsoft

June 2003

doc.: IEEE 802.11-01/TBD

Feedback?

Submission

Bernard Aboba/Microsoft