This MIB is intended to be implemented on all those
devices operating as Central Controllers (CC) that
terminate the Light Weight Access Point Protocol
(LWAPP) tunnel from LWAPP Access Points.
This MIB provides the information used to integrate
the LWAPP controller with external IDS/IPS
applications. LWAPP controllers interact with
these applications to protect the network against
various threats that would compromise the overall
security of the network.
The arrangement of the IDS / IPS applications, the
controllers (referred to as CC in the diagram) and the
LWAPP APs appears as follows.
   +.......+                         +.......+
   +       +                         +       +
   +  IDS  +                         +  IDS  +
   +  IPS  +                         +  IPS  +
   +.......+                         +.......+
       .   .                         .   .
       .     .                     .     .
       .       .                 .       .
  +......+  +......+  +......+  +......+
  +      +  +      +  +      +  +      +
  +  CC  +  +  CC  +  +  CC  +  +  CC  +
  +      +  +      +  +      +  +      +
  +......+  +......+  +......+  +......+
     ..        .         .         .
     . .       .         .         .
     .  .      .         .         .
  +......+  +......+  +......+  +......+  +......+
  +      +  +      +  +      +  +      +  +      +
  +  AP  +  +  AP  +  +  AP  +  +  AP  +  +  AP  +
  +      +  +      +  +      +  +      +  +      +
  +......+  +......+  +......+  +......+  +......+
     .         .         .         .         .
     .         .         .         .         .
  +......+  +......+  +......+  +......+  +......+
  +      +  +      +  +      +  +      +  +      +
  +  MN  +  +  MN  +  +  MN  +  +  MN  +  +  MN  +
  +      +  +      +  +      +  +      +  +      +
  +......+  +......+  +......+  +......+  +......+
The LWAPP tunnel exists between the controller and
the APs. The MNs communicate with the APs through
the protocol defined by the 802.11 standard. The
controllers and the IDS systems exchange information
through Cisco proprietary event exchange mechanisms.
LWAPP APs, upon bootup, discover and join one of the
controllers, and the controller pushes the configuration,
which includes the WLAN parameters, to the LWAPP APs.
The APs then encapsulate all the 802.11 frames from
wireless clients inside LWAPP frames and forward
the LWAPP frames to the controller.
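The encapsulation described above, as an added example that is not part of this MIB or of Cisco's implementation: a small parser that splits an AP-to-controller LWAPP packet into its header and the encapsulated 802.11 frame, which is the view a controller-side IDS feed gets of wireless traffic. The LWAPP header layout (VER, RID, C/F/L flag bits, Frag ID, Length, Status/WLANs) is assumed from the LWAPP draft cited in the references; the assumption that Length counts only the payload, and the sample frames (a protected client data frame and a deauthentication frame addressed to a client) are constructed here for illustration.

```python
import struct
from dataclasses import dataclass

LWAPP_HDR_LEN = 6                       # VER/RID/flags, Frag ID, Length, Status/WLANs
DOT11_TYPES = {0: "management", 1: "control", 2: "data"}


@dataclass
class LwappHeader:
    version: int
    rid: int              # ID of the AP radio that received the frame
    is_control: bool      # C bit: LWAPP control message, not an 802.11 frame
    fragmented: bool      # F bit
    last_fragment: bool   # L bit
    frag_id: int
    length: int           # assumed: payload length, excluding this header
    status: int           # Status/WLANs field, left undecoded here


def parse_lwapp(packet: bytes) -> tuple[LwappHeader, bytes]:
    """Split an LWAPP packet into header and payload; reject truncated
    packets and payloads whose size disagrees with the Length field."""
    if len(packet) < LWAPP_HDR_LEN:
        raise ValueError("truncated LWAPP header")
    b0, frag_id, length, status = struct.unpack("!BBHH", packet[:LWAPP_HDR_LEN])
    hdr = LwappHeader(
        version=b0 >> 6,
        rid=(b0 >> 3) & 0x07,
        is_control=bool(b0 & 0x04),
        fragmented=bool(b0 & 0x02),
        last_fragment=bool(b0 & 0x01),
        frag_id=frag_id,
        length=length,
        status=status,
    )
    payload = packet[LWAPP_HDR_LEN:]
    if len(payload) != length:
        raise ValueError(f"LWAPP length {length} != payload size {len(payload)}")
    return hdr, payload


def parse_dot11(frame: bytes) -> dict:
    """Decode the 802.11 MAC header of an encapsulated frame. Frame Control
    is little-endian: byte 0 = version/type/subtype, byte 1 = flags."""
    if len(frame) < 10:
        raise ValueError("truncated 802.11 frame")
    fc = struct.unpack("<H", frame[:2])[0]
    ftype = (fc >> 2) & 0x03
    info = {
        "type": DOT11_TYPES.get(ftype, "reserved"),
        "subtype": (fc >> 4) & 0x0F,
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "protected": bool(fc & 0x4000),
        "addr1": frame[4:10].hex(":"),
    }
    if ftype != 1:                      # control frames may carry only Address 1
        if len(frame) < 24:
            raise ValueError("truncated 802.11 MAC header")
        info["addr2"] = frame[10:16].hex(":")
        info["addr3"] = frame[16:22].hex(":")
    return info


def summarize(packet: bytes) -> dict:
    """What a controller-side IDS feed sees for one AP-to-controller packet.
    Control messages and fragments (which need reassembly first) yield no 802.11 view."""
    hdr, payload = parse_lwapp(packet)
    dot11 = None if (hdr.is_control or hdr.fragmented) else parse_dot11(payload)
    return {"lwapp": hdr, "dot11": dot11}


def lwapp_wrap(payload: bytes, rid: int = 1, status: int = 0) -> bytes:
    """Build an unfragmented LWAPP data packet (VER=0, C=F=L=0) around payload."""
    b0 = (0 << 6) | ((rid & 0x07) << 3)
    return struct.pack("!BBHH", b0, 0, len(payload), status) + payload


# Constructed sample addresses and frames (hypothetical values).
BSSID = bytes.fromhex("0011223344ff")
CLIENT = bytes.fromhex("0a1b2c3d4e5f")
GATEWAY = bytes.fromhex("00005e000101")

# Protected data frame from CLIENT towards the distribution system (To DS=1).
DATA_FRAME = lwapp_wrap(bytes([0x08, 0x41]) + b"\x00\x00" + BSSID + CLIENT + GATEWAY
                        + b"\x10\x00" + b"\xde\xad\xbe\xef")
# Deauthentication (management subtype 12) sent to CLIENT with BSSID as source.
DEAUTH_FRAME = lwapp_wrap(bytes([0xC0, 0x00]) + b"\x00\x00" + CLIENT + BSSID + BSSID
                          + b"\x20\x00" + b"\x07\x00")
# LWAPP control message (C bit set); payload is opaque to the 802.11 decoder.
CONTROL_MSG = struct.pack("!BBHH", 0x0C, 0, 2, 0) + b"\x00\x00"

if __name__ == "__main__":
    for name, pkt in (("data", DATA_FRAME), ("deauth", DEAUTH_FRAME), ("control", CONTROL_MSG)):
        print(name, summarize(pkt))
```

A real integration would feed the decoded management frames (deauthentication, disassociation and the like) to the IDS/IPS for rate and spoofing checks, while only unprotected or controller-decrypted data frames expose anything a layer 3 to 7 signature engine can inspect.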
One or more controllers hold logical connections to
an IDS / IPS and interact with it to enforce security
on the network.
GLOSSARY
Access Point ( AP )
An entity that contains an 802.11 medium access
control ( MAC ) and physical layer ( PHY ) interface
and provides access to the distribution services via
the wireless medium for associated clients.
LWAPP APs encapsulate all the 802.11 frames in
LWAPP frames and send them to the controller to which
they are logically connected.
Central Controller ( CC )
The central entity that terminates the LWAPP protocol
tunnel from the LWAPP APs. Throughout this MIB,
this entity is also referred to as 'controller'.
HyperText Transfer Protocol Over Secure Socket Layer
(HTTPS)
HTTPS is HTTP carried over a TLS (formerly SSL)
session, so that user page requests and the pages
returned by the Web server are encrypted and the
server is authenticated by its certificate. HTTPS
uses TCP port 443 instead of the HTTP port 80 in its
interactions with the lower layer, TCP/IP. The
40-bit RC4 export cipher suites of early SSL are not
an adequate degree of encryption; deployments should
negotiate TLS with current cipher suites.
Intrusion Detection System ( IDS )
An IDS monitors the network to identify and report
attacks and violations of security related policies,
thereby helping to improve the overall security of
the enterprise network.
Intrusion Prevention System ( IPS )
An IPS protects the network against viruses, worms,
signature-matched attacks etc. by detecting attacks
at layers 3 through 7 and blocking them. It can also
instruct other IPS clients, the controller being one,
through standards based protocols to allow or block
network access for specific network entities.
Light Weight Access Point Protocol ( LWAPP )
This is a generic protocol that defines the
communication between the Access Points and the
controller (called the Access Router in the LWAPP
draft). Throughout this MIB, the Access Routers are
referred to by the term 'LWAPP controller' or just
'controller'.
Mobile Node ( MN )
A roaming 802.11 wireless device in a wireless
network associated with an access point.
Network Management System ( NMS )
The station from which the administrator manages the
wired and wireless networks.
Secure Hash Algorithm ( SHA )
The SHA, developed by NIST for use with the Digital
Signature Standard (DSS), is specified within the
Secure Hash Standard (SHS). SHA is a cryptographic
message digest algorithm similar to the MD4 family
of hash functions developed by Rivest. It differs
from the MD4 hash functions in that it adds an
additional expansion operation and an extra round,
and the whole transformation is designed to
accommodate the DSS block size for efficiency.
REFERENCE
[1] IEEE Std 802.11, Wireless LAN Medium Access
Control ( MAC ) and Physical Layer ( PHY )
Specifications.
[2] draft-ohara-capwap-lwapp-00.txt, IETF Light
Weight Access Point Protocol.