CISCO-LWAPP-MFP-MIB

This MIB is intended to be implemented on all devices
operating as Central Controllers (CC) that terminate
the Light Weight Access Point Protocol (LWAPP) tunnel
from LWAPP Access Points.

This MIB instrumentation provides the parameters used
by the controller to control and monitor the behavior
of the associated Access Points when following the
newly defined Management Frame Protocol.  The
controller passes the MFP settings that the user
configures through this MIB to the APs in LWAPP
messages.  The APs then begin to validate and verify
the integrity of 802.11 management frames and report
any anomalies found to the controller.

The relationship between CC and the LWAPP APs
can be depicted as follows.

      +......+     +......+     +......+           +......+
      +      +     +      +     +      +           +      +
      +  CC  +     +  CC  +     +  CC  +           +  CC  +
      +      +     +      +     +      +           +      +
      +......+     +......+     +......+           +......+
         ..            .             .                 .
         ..            .             .                 .
        .  .            .             .                 .
       .    .            .             .                 .
      .      .            .             .                 .
     .        .            .             .                 .
+......+ +......+     +......+      +......+          +......+
+      + +      +     +      +      +      +          +      +
+  AP  + +  AP  +     +  AP  +      +  AP  +          +  AP  +
+      + +      +     +      +      +      +          +      +
+......+ +......+     +......+      +......+          +......+
           .              .             .                 .
         .  .              .             .                 .
        .    .              .             .                 .
       .      .              .             .                 .
      .        .              .             .                 .
+......+ +......+     +......+      +......+          +......+
+      + +      +     +      +      +      +          +      +
+  MN  + +  MN  +     +  MN  +      +  MN  +          +  MN  +
+      + +      +     +      +      +      +          +      +
+......+ +......+     +......+      +......+          +......+

The LWAPP tunnel exists between the controller and
the APs.  The MNs communicate with the APs through
the protocol defined by the 802.11 standard.

LWAPP APs, upon bootup, discover and join one of the
controllers, and the controller pushes the configuration,
which includes the WLAN parameters, to the LWAPP APs.
The APs then encapsulate all the 802.11 frames from
wireless clients inside LWAPP frames and forward
the LWAPP frames to the controller.  Reference [2]
describes in detail the communication between
the controller and APs, while Reference [1] describes
the AP-MN communication.

To secure the 802.11 management traffic, the controller
and the APs perform specific roles.  The controller
acts as the central entity that generates and
distributes the signature keys with which the APs
generate integrity check values, also known as
signatures, for individual management frames.  Each AP
appends this signature, in the form of an Information
Element, to the management frame to be transmitted.
This is needed to isolate potential rogue APs, whose
frames may not carry the frame signature.

The APs use the signature keys, generated and pushed
to them by the controller for each BSSID reported
as heard by the APs, to validate the integrity of
the management traffic originating from various
802.11 sources.  Any anomalies observed by the APs
are reported to the controller.  The controller
makes the information about such events available
to a Network Management Station in the form of
notifications.
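
The key distribution, signing and validation roles described above, as an added example that is not code from the MIB or from Cisco. MFP is proprietary, so HMAC-SHA256, the element ID 221, the trailing-IE layout and the anomaly labels are assumptions chosen for illustration, and the BSSID and frames are constructed.

```python
import hashlib
import hmac
import os

MFP_IE_ID = 221   # assumption: vendor-specific element ID carrying the signature
MIC_LEN = 32      # HMAC-SHA256 digest length (stand-in algorithm, not MFP's own)

def new_signature_key() -> bytes:
    """Controller role: generate a signature key for one BSSID."""
    return os.urandom(32)

def sign_frame(key: bytes, frame: bytes) -> bytes:
    """Transmitting AP: append the MIC as a trailing Information Element."""
    mic = hmac.new(key, frame, hashlib.sha256).digest()
    return frame + bytes([MFP_IE_ID, MIC_LEN]) + mic

def validate_frame(keys: dict, bssid: str, frame: bytes):
    """Validating AP: None if the frame verifies, else a hypothetical anomaly label."""
    key = keys.get(bssid)
    if key is None:
        return "no-key-for-bssid"
    body, ie = frame[:-(MIC_LEN + 2)], frame[-(MIC_LEN + 2):]
    if len(frame) < MIC_LEN + 2 or ie[0] != MFP_IE_ID or ie[1] != MIC_LEN:
        return "missing-signature"      # e.g. a rogue AP that holds no key
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ie[2:]):
        return "invalid-signature"      # frame altered or signed with another key
    return None

def demo() -> dict:
    """Run the three roles over constructed sample frames."""
    bssid = "00:11:22:33:44:55"                       # constructed BSSID
    keys = {bssid: new_signature_key()}               # as pushed by the controller
    beacon = b"\x80\x00" + bytes.fromhex("001122334455") + b"\x00\x05guest"
    signed = sign_frame(keys[bssid], beacon)
    tampered = signed[:10] + b"X" + signed[11:]       # one body byte changed
    return {
        "signed": validate_frame(keys, bssid, signed),
        "unsigned": validate_frame(keys, bssid, beacon),
        "tampered": validate_frame(keys, bssid, tampered),
        "unknown_bssid": validate_frame(keys, "66:77:88:99:aa:bb", signed),
    }

if __name__ == "__main__":
    for name, anomaly in demo().items():
        print(f"{name}: {anomaly or 'ok'}")
```

Each non-None result corresponds to an anomaly that an AP would report to the controller, which in turn raises a notification toward the NMS.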
              
                   GLOSSARY

Access Point ( AP )

An entity that contains an 802.11 media access
control ( MAC ) and physical layer ( PHY ) interface
and provides access to the distribution services via
the wireless medium for associated clients.  

LWAPP APs encapsulate all the 802.11 frames in
LWAPP frames and send them to the controller to which
they are logically connected.

AP-Authentication

With this feature enabled, the Access Points sending
radio resource management neighbor packets with 
different RF network names will be reported as rogues.

Basic Service Set Identifier ( BSSID )

The identifier of the Basic Service Set controlled by
a single coordination function.  The identifier is
usually the MAC address of the radio interface that
hosts the BSS. 

Central Controller ( CC )

The central entity that terminates the LWAPP protocol
tunnel from the LWAPP APs.  Throughout this MIB,
this entity is also referred to as 'controller'.

Light Weight Access Point Protocol ( LWAPP ) 

This is a generic protocol that defines the 
communication between the Access Points and the
Central Controller. 

Management Frame Protection ( MFP )

A proprietary mechanism devised to integrity-protect
the otherwise unprotected management frames of the
802.11 protocol specification.

Message Integrity Check ( MIC )

A checksum computed on a sequence of bytes and made
known to the receiving party in a data communication,
to let the receiving party make sure the bytes
received were not compromised en route.

Mobile Node ( MN )

A roaming 802.11 wireless device in a wireless
network associated with an access point.
 
Network Management Station ( NMS )

The system through which the network administrator
manages the controller and the APs associated with
it.

REFERENCE

[1] Wireless LAN Medium Access Control ( MAC ) and
Physical Layer ( PHY ) Specifications, ANSI/IEEE 
Std 802.11, 1999 Edition.

[2] Draft-obara-Capwap-lwapp-00.txt, IETF Light 
Weight Access Point Protocol

Imported Objects

cLApIfSmtDot11Bssid, cLApDot11IfSlotId, cLApSysMacAddress, cLApName FROM CISCO-LWAPP-AP-MIB
cldcClientMacAddress FROM CISCO-LWAPP-DOT11-CLIENT-MIB
CLTimeBaseStatus, CLMfpVersion, CLMfpEventType, CLEventFrames FROM CISCO-LWAPP-TC-MIB
cLWlanIndex FROM CISCO-LWAPP-WLAN-MIB
ciscoMgmt FROM CISCO-SMI
NOTIFICATION-GROUP, OBJECT-GROUP, MODULE-COMPLIANCE FROM SNMPv2-CONF
Gauge32, Unsigned32, OBJECT-TYPE, NOTIFICATION-TYPE, MODULE-IDENTITY FROM SNMPv2-SMI
MacAddress, TimeInterval, TruthValue FROM SNMPv2-TC

ciscoLwappMfpMIB .1.3.6.1.4.1.9.9.518
ciscoLwappMfpMIBNotifs .1.3.6.1.4.1.9.9.518.0
ciscoLwappMfpProtectConfigMismatch .1.3.6.1.4.1.9.9.518.0.1
ciscoLwappMfpValidationConfigMismatch .1.3.6.1.4.1.9.9.518.0.2
ciscoLwappMfpTimebaseStatus .1.3.6.1.4.1.9.9.518.0.3
ciscoLwappMfpAnomalyDetected (deprecated) .1.3.6.1.4.1.9.9.518.0.4
ciscoLwappMfpAnomalyDetected1 .1.3.6.1.4.1.9.9.518.0.5
ciscoLwappMfpMIBNotifObjects .1.3.6.1.4.1.9.9.518.1
cLApMacAddress .1.3.6.1.4.1.9.9.518.1.1
cLClientLastSourceMacAddress .1.3.6.1.4.1.9.9.518.1.10
cLApDot11IfSlotIdx .1.3.6.1.4.1.9.9.518.1.2
cLWlanIdx .1.3.6.1.4.1.9.9.518.1.3
cLMfpApIfMfpProtectionActual .1.3.6.1.4.1.9.9.518.1.4
cLMfpEventType .1.3.6.1.4.1.9.9.518.1.5
cLMfpEventTotal .1.3.6.1.4.1.9.9.518.1.6
cLMfpEventPeriod .1.3.6.1.4.1.9.9.518.1.7
cLMfpEventFrames .1.3.6.1.4.1.9.9.518.1.8
ciscoLwappMfpMIBObjects .1.3.6.1.4.1.9.9.518.2
ciscoLwappMfpConfig .1.3.6.1.4.1.9.9.518.2.1
cLMfpProtectType .1.3.6.1.4.1.9.9.518.2.1.1
cLMfpWlanConfigTable .1.3.6.1.4.1.9.9.518.2.1.2
cLMfpWlanConfigEntry .1.3.6.1.4.1.9.9.518.2.1.2.1
cLMfpVersionRequired .1.3.6.1.4.1.9.9.518.2.1.2.1.2
cLMfpProtectionEnable (deprecated) .1.3.6.1.4.1.9.9.518.2.1.2.1.3
cLMfpClientProtection .1.3.6.1.4.1.9.9.518.2.1.2.1.4
cLMfpApImpersonation .1.3.6.1.4.1.9.9.518.2.1.3
cLMfpKeyRefreshInterval .1.3.6.1.4.1.9.9.518.2.1.4
ciscoLwappMfpStatus .1.3.6.1.4.1.9.9.518.2.2
cLMfpCtrlTimeBaseStatus .1.3.6.1.4.1.9.9.518.2.2.1
cLMfpApParamTable .1.3.6.1.4.1.9.9.518.2.2.2
cLMfpApParamEntry .1.3.6.1.4.1.9.9.518.2.2.2.1
cLMfpApMfpValidationEnable .1.3.6.1.4.1.9.9.518.2.2.2.1.1
cLMfpApMfpValidationActual .1.3.6.1.4.1.9.9.518.2.2.2.1.2
cLMfpApIfSmtCapTable (deprecated) .1.3.6.1.4.1.9.9.518.2.2.3
cLMfpApIfSmtCapEntry (deprecated) .1.3.6.1.4.1.9.9.518.2.2.3.1
cLMfpApIfMfpVersionSupported (deprecated) .1.3.6.1.4.1.9.9.518.2.2.3.1.1
cLMfpApIfMfpProtectionCapability (deprecated) .1.3.6.1.4.1.9.9.518.2.2.3.1.2
cLMfpApIfMfpValidationCapability (deprecated) .1.3.6.1.4.1.9.9.518.2.2.3.1.3
cLMfpCtrlNotifEnable .1.3.6.1.4.1.9.9.518.2.2.4
cLMfpClientTable .1.3.6.1.4.1.9.9.518.2.2.5
cLMfpClientEntry .1.3.6.1.4.1.9.9.518.2.2.5.1
cLMfpClientMfpEnabled .1.3.6.1.4.1.9.9.518.2.2.5.1.1
ciscoLwappMfpMIBConform .1.3.6.1.4.1.9.9.518.3
ciscoLwappMfpMIBCompliances .1.3.6.1.4.1.9.9.518.3.1
ciscoLwappMfpMIBGroups .1.3.6.1.4.1.9.9.518.3.2